google/internal/externalaccount: allowing PSC Urls
Change-Id: I46c337f162bf84cbcfa068ce1680e5428c46286a
GitHub-Last-Rev: 4d1190b904b58ab162a398e01fc33398d11e4636
GitHub-Pull-Request: golang/oauth2#596
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/439677
Auto-Submit: Cody Oss <codyoss@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/google/internal/externalaccount/basecredentials.go b/google/internal/externalaccount/basecredentials.go
index 2bf5391..9fc3553 100644
--- a/google/internal/externalaccount/basecredentials.go
+++ b/google/internal/externalaccount/basecredentials.go
@@ -74,12 +74,14 @@
regexp.MustCompile(`(?i)^sts\.googleapis\.com$`),
regexp.MustCompile(`(?i)^sts\.[^\.\s\/\\]+\.googleapis\.com$`),
regexp.MustCompile(`(?i)^[^\.\s\/\\]+-sts\.googleapis\.com$`),
+ regexp.MustCompile(`(?i)^sts-[^\.\s\/\\]+\.p\.googleapis\.com$`),
}
validImpersonateURLPatterns = []*regexp.Regexp{
regexp.MustCompile(`^[^\.\s\/\\]+\.iamcredentials\.googleapis\.com$`),
regexp.MustCompile(`^iamcredentials\.googleapis\.com$`),
regexp.MustCompile(`^iamcredentials\.[^\.\s\/\\]+\.googleapis\.com$`),
regexp.MustCompile(`^[^\.\s\/\\]+-iamcredentials\.googleapis\.com$`),
+ regexp.MustCompile(`^iamcredentials-[^\.\s\/\\]+\.p\.googleapis\.com$`),
}
validWorkforceAudiencePattern *regexp.Regexp = regexp.MustCompile(`//iam\.googleapis\.com/locations/[^/]+/workforcePools/`)
)
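Review bot: The endpoint label in both added patterns (`sts-…` in the token URL list and `iamcredentials-…` in `validImpersonateURLPatterns`) is matched with the denylist class `[^\.\s\/\\]+`, which accepts anything that is not a dot, whitespace, slash or backslash, including characters that cannot occur in a DNS label. These lists decide which hosts the library will send a subject token or impersonation request to, so an explicit label class is the safer form for the new entries: `(?i)^sts-[a-z0-9-]+\.p\.googleapis\.com$` and `^iamcredentials-[a-z0-9-]+\.p\.googleapis\.com$`. Whether the looser class is reachable depends on how the host is extracted before matching, which is outside this hunk, as is the start of the `var` block. A one-line comment such as `// Private Service Connect endpoints: <service>-<endpoint>.p.googleapis.com` above each new entry would also record why this extra domain shape is trusted.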
diff --git a/google/internal/externalaccount/basecredentials_test.go b/google/internal/externalaccount/basecredentials_test.go
index 5aa0d46..05e0127 100644
--- a/google/internal/externalaccount/basecredentials_test.go
+++ b/google/internal/externalaccount/basecredentials_test.go
@@ -231,6 +231,16 @@
{"https://", false},
{"http://us-east-1.sts.googleapis.com", false},
{"https://us-east-1.sts.googleapis.comevil.com", false},
+ {"https://sts-xyz.p.googleapis.com", true},
+ {"https://sts.pgoogleapis.com", false},
+ {"https://p.googleapis.com", false},
+ {"https://sts.p.com", false},
+ {"http://sts.p.googleapis.com", false},
+ {"https://xyz-sts.p.googleapis.com", false},
+ {"https://sts-xyz.123.p.googleapis.com", false},
+ {"https://sts-xyz.p1.googleapis.com", false},
+ {"https://sts-xyz.p.foo.com", false},
+ {"https://sts-xyz.p.foo.googleapis.com", false},
}
ctx := context.Background()
for _, tt := range urlValidityTests {
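Review bot: The added negative cases do not cover a trailing-suffix host or an empty endpoint label for the new `p.googleapis.com` form, and the same gap is in the impersonation table in the hunk at `@@ -287,6 +297,16 @@`. The older patterns are pinned by `{"https://us-east-1.sts.googleapis.comevil.com", false}`, but nothing equivalent guards the `$` anchor of the new pattern. I would add `{"https://sts-xyz.p.googleapis.com.evil.com", false},` and `{"https://sts-.p.googleapis.com", false},` here, with the matching `iamcredentials-` rows in the second table. The test function starts and ends outside this hunk, so the expected values assume the table is checked the same way as the existing rows.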
@@ -287,6 +297,16 @@
{"https://", false},
{"http://us-east-1.iamcredentials.googleapis.com", false},
{"https://us-east-1.iamcredentials.googleapis.comevil.com", false},
+ {"https://iamcredentials-xyz.p.googleapis.com", true},
+ {"https://iamcredentials.pgoogleapis.com", false},
+ {"https://p.googleapis.com", false},
+ {"https://iamcredentials.p.com", false},
+ {"http://iamcredentials.p.googleapis.com", false},
+ {"https://xyz-iamcredentials.p.googleapis.com", false},
+ {"https://iamcredentials-xyz.123.p.googleapis.com", false},
+ {"https://iamcredentials-xyz.p1.googleapis.com", false},
+ {"https://iamcredentials-xyz.p.foo.com", false},
+ {"https://iamcredentials-xyz.p.foo.googleapis.com", false},
}
ctx := context.Background()
for _, tt := range urlValidityTests {