From 534794c900025b174825f82feb00671305555c0a Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Mon, 29 Jan 2024 15:43:24 -0800 Subject: [PATCH] feat(cognito): validate oidc provider name (#28802) Closes #28667. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cognito/lib/user-pool-idps/oidc.ts | 9 +++++---- .../aws-cognito/test/user-pool-idps/oidc.test.ts | 16 ++++++++++++++++ 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts index 3daaf11afccdd..d3018d4584514 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts @@ -107,10 +107,6 @@ export class UserPoolIdentityProviderOidc extends UserPoolIdentityProviderBase { constructor(scope: Construct, id: string, props: UserPoolIdentityProviderOidcProps) { super(scope, id, props); - if (props.name && !Token.isUnresolved(props.name) && (props.name.length < 3 || props.name.length > 32)) { - throw new Error(`Expected provider name to be between 3 and 32 characters, received ${props.name} (${props.name.length} characters)`); - } - const scopes = props.scopes ?? ['openid']; const resource = new CfnUserPoolIdentityProvider(this, 'Resource', { @@ -140,6 +136,11 @@ export class UserPoolIdentityProviderOidc extends UserPoolIdentityProviderBase { if (!Token.isUnresolved(name) && (name.length < 3 || name.length > 32)) { throw new Error(`Expected provider name to be between 3 and 32 characters, received ${name} (${name.length} characters)`); } + // https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providername + // u is for unicode + if (!name.match(/^[^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+$/u)) { + throw new Error(`Expected provider name must match [^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+, received ${name}`); + } return name; } diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts index e3b13cda4e0f7..9e37c7a02e411 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts @@ -173,6 +173,22 @@ describe('UserPoolIdentityProvider', () => { })).toThrow(/Expected provider name to be between 3 and 32 characters/); }); + test('throws with provider name that doesn\'t match pattern', () => { + // GIVEN + const stack = new Stack(); + const pool = new UserPool(stack, 'userpool'); + const name = ' thisisabadname'; + + // THEN + expect(() => new UserPoolIdentityProviderOidc(stack, 'userpoolidp', { + userPool: pool, + name, + clientId: 'client-id', + clientSecret: 'client-secret', + issuerUrl: 'https://my-issuer-url.com', + })).toThrow(`Expected provider name must match [^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+, received ${name}`); + }); + test('generates a valid name when unique id is too short', () => { // GIVEN const stack = new Stack();