From b37a565c6c1e7acb44baf2307c862c9df8be9345 Mon Sep 17 00:00:00 2001
From: aeitzman <12433791+aeitzman@users.noreply.github.com>
Date: Thu, 6 Oct 2022 10:21:48 -0700
Subject: [PATCH] feat: Adding validation for psc endpoints (#1042)

* feat: Adding validation for psc endpoints
* adding more test cases
* adding more test cases
* escape dash in regex for consistency
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
---
 .../oauth2/ExternalAccountCredentials.java | 2 ++
 .../ExternalAccountCredentialsTest.java | 32 ++++++++++++++++---
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
index b718d3a7a..d08bd132e 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
@@ -583,6 +583,7 @@ static void validateTokenUrl(String tokenUrl) {
 patterns.add(Pattern.compile("^sts\\.googleapis\\.com$"));
 patterns.add(Pattern.compile("^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"));
 patterns.add(Pattern.compile("^[^\\.\\s\\/\\\\]+\\-sts\\.googleapis\\.com$"));
+ patterns.add(Pattern.compile("^sts\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$"));

 if (!isValidUrl(patterns, tokenUrl)) {
 throw new IllegalArgumentException("The provided token URL is invalid.");
@@ -595,6 +596,7 @@ static void validateServiceAccountImpersonationInfoUrl(String serviceAccountImpe
 patterns.add(Pattern.compile("^iamcredentials\\.googleapis\\.com$"));
 patterns.add(Pattern.compile("^iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"));
 patterns.add(Pattern.compile("^[^\\.\\s\\/\\\\]+\\-iamcredentials\\.googleapis\\.com$"));
+ patterns.add(Pattern.compile("^iamcredentials-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$"));

 if (!isValidUrl(patterns, serviceAccountImpersonationUrl)) {
 throw new IllegalArgumentException(
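Review bot: The label class `[^\\.\\s\\/\\\\]+` in the added `sts\\-…\\.p\\.googleapis\\.com` pattern is a deny-list, so it accepts every character other than a dot, whitespace, slash or backslash, which is wider than a DNS label. An allow-list keeps the check independent of how the URL was parsed: `patterns.add(Pattern.compile("^sts\\-[A-Za-z0-9\\-]+\\.p\\.googleapis\\.com$"));`. The same applies to the `iamcredentials` line added in the second hunk of this file. What `isValidUrl` hands to the matcher (the whole URL or only the parsed host) is outside the hunk, so the practical impact cannot be confirmed from here; both method bodies also begin above the visible lines.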
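Review bot: The added `iamcredentials-[` leaves the dash unescaped, while the line directly above it and the matching `sts\\-` pattern in the first hunk write `\\-`, and the commit message says dashes were escaped for consistency. Both spellings match the same input, so this is a style point only: `patterns.add(Pattern.compile("^iamcredentials\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$"));`. A one-line comment above it, for example `// Private Service Connect form: iamcredentials-<endpoint>.p.googleapis.com`, would tell the next reader why a fourth host shape is allowed; the sts line in the first hunk would benefit from the same comment.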
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
index 5d7d188a2..4fc59596c 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
@@ -965,7 +965,10 @@ public void validateTokenUrl_validUrls() {
 "https://sts.US-WEST-1.googleapis.com",
 "https://us-east-1-sts.googleapis.com",
 "https://US-WEST-1-sts.googleapis.com",
- "https://us-west-1-sts.googleapis.com/path?query");
+ "https://us-west-1-sts.googleapis.com/path?query",
+ "https://sts-xyz123.p.googleapis.com/path?query",
+ "https://sts-xyz123.p.googleapis.com",
+ "https://sts-xyz-123.p.googleapis.com");

 for (String url : validUrls) {
 ExternalAccountCredentials.validateTokenUrl(url);
@@ -995,7 +998,16 @@ public void validateTokenUrl_invalidUrls() {
 "hhttps://us-east-1.sts.googleapis.com",
 "https://us- -1.sts.googleapis.com",
 "https://-sts.googleapis.com",
- "https://us-east-1.sts.googleapis.com.evil.com");
+ "https://us-east-1.sts.googleapis.com.evil.com",
+ "https://sts.pgoogleapis.com",
+ "https://p.googleapis.com",
+ "https://sts.p.com",
+ "http://sts.p.googleapis.com",
+ "https://xyz-sts.p.googleapis.com",
+ "https://sts-xyz.123.p.googleapis.com",
+ "https://sts-xyz.p1.googleapis.com",
+ "https://sts-xyz.p.foo.com",
+ "https://sts-xyz.p.foo.googleapis.com");

 for (String url : invalidUrls) {
 try {
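Review bot: In `validateTokenUrl_invalidUrls` the added `"http://sts.p.googleapis.com"` has no `sts-` label, so it fails the new host pattern whatever the scheme and does not show that plain HTTP is refused for an otherwise valid PSC host; `"http://sts-xyz123.p.googleapis.com"` would isolate that. The older entries cover an empty label (`"https://-sts.googleapis.com"`) and a trailing domain (`...googleapis.com.evil.com`), but the PSC form has neither; `"https://sts-.p.googleapis.com"` and `"https://sts-xyz.p.googleapis.com.evil.com"` would pin the `+` quantifier and the `$` anchor of the new pattern. The same three cases are missing from `validateServiceAccountImpersonationUrls_invalidUrls` in the last hunk of this file. The test method bodies start and end outside the hunks.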
@@ -1018,7 +1030,10 @@ public void validateServiceAccountImpersonationUrls_validUrls() {
 "https://iamcredentials.US-WEST-1.googleapis.com",
 "https://us-east-1-iamcredentials.googleapis.com",
 "https://US-WEST-1-iamcredentials.googleapis.com",
- "https://us-west-1-iamcredentials.googleapis.com/path?query");
+ "https://us-west-1-iamcredentials.googleapis.com/path?query",
+ "https://iamcredentials-xyz123.p.googleapis.com/path?query",
+ "https://iamcredentials-xyz123.p.googleapis.com",
+ "https://iamcredentials-xyz-123.p.googleapis.com");

 for (String url : validUrls) {
 ExternalAccountCredentials.validateServiceAccountImpersonationInfoUrl(url);
@@ -1049,7 +1064,16 @@ public void validateServiceAccountImpersonationUrls_invalidUrls() {
 "hhttps://us-east-1.iamcredentials.googleapis.com",
 "https://us- -1.iamcredentials.googleapis.com",
 "https://-iamcredentials.googleapis.com",
- "https://us-east-1.iamcredentials.googleapis.com.evil.com");
+ "https://us-east-1.iamcredentials.googleapis.com.evil.com",
+ "https://iamcredentials.pgoogleapis.com",
+ "https://p.googleapis.com",
+ "https://iamcredentials.p.com",
+ "http://iamcredentials.p.googleapis.com",
+ "https://xyz-iamcredentials.p.googleapis.com",
+ "https://iamcredentials-xyz.123.p.googleapis.com",
+ "https://iamcredentials-xyz.p1.googleapis.com",
+ "https://iamcredentials-xyz.p.foo.com",
+ "https://iamcredentials-xyz.p.foo.googleapis.com");

 for (String url : invalidUrls) {
 try {