fix: Remove external account config validation (#427)

lib/googleauth/external_account.rb

@@ -30,22 +30,6 @@ class Credentials
         AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request".freeze
         AWS_SUBJECT_TOKEN_INVALID = "aws is the only currently supported external account type".freeze
 
-        TOKEN_URL_PATTERNS = [
-          /^[^.\s\/\\]+\.sts(?:\.mtls)?\.googleapis\.com$/,
-          /^sts(?:\.mtls)?\.googleapis\.com$/,
-          /^sts\.[^.\s\/\\]+(?:\.mtls)?\.googleapis\.com$/,
-          /^[^.\s\/\\]+-sts(?:\.mtls)?\.googleapis\.com$/,
-          /^sts-[^.\s\/\\]+\.p(?:\.mtls)?\.googleapis\.com$/
-        ].freeze
-
-        SERVICE_ACCOUNT_IMPERSONATION_URL_PATTERNS = [
-          /^[^.\s\/\\]+\.iamcredentials\.googleapis\.com$/.freeze,
-          /^iamcredentials\.googleapis\.com$/.freeze,
-          /^iamcredentials\.[^.\s\/\\]+\.googleapis\.com$/.freeze,
-          /^[^.\s\/\\]+-iamcredentials\.googleapis\.com$/.freeze,
-          /^iamcredentials-[^.\s\/\\]+\.p\.googleapis\.com$/.freeze
-        ].freeze
-
         # Create a ExternalAccount::Credentials
         #
         # @param json_key_io [IO] an IO from which the JSON key can be read
@@ -56,11 +40,6 @@ def self.make_creds options = {}
           raise "A json file is required for external account credentials." unless json_key_io
           user_creds = read_json_key json_key_io
 
-          raise "The provided token URL is invalid." unless is_token_url_valid? user_creds["token_url"]
-          unless is_service_account_impersonation_url_valid? user_creds["service_account_impersonation_url"]
-            raise "The provided service account impersonation url is invalid."
-          end
-
           # TODO: check for other External Account Credential types. Currently only AWS is supported.
           raise AWS_SUBJECT_TOKEN_INVALID unless user_creds["subject_token_type"] == AWS_SUBJECT_TOKEN_TYPE
 
@@ -85,26 +64,6 @@ def self.read_json_key json_key_io
           end
           json_key
         end
-
-        def self.is_valid_url? url, valid_hostnames
-          begin
-            uri = URI(url)
-          rescue URI::InvalidURIError, ArgumentError
-            return false
-          end
-
-          return false unless uri.scheme == "https"
-
-          valid_hostnames.any? { |hostname| hostname =~ uri.host }
-        end
-
-        def self.is_token_url_valid? url
-          is_valid_url? url, TOKEN_URL_PATTERNS
-        end
-
-        def self.is_service_account_impersonation_url_valid? url
-          !url or is_valid_url? url, SERVICE_ACCOUNT_IMPERSONATION_URL_PATTERNS
-        end
       end
     end
   end

lib/googleauth/external_account/aws_credentials.rb

@@ -38,11 +38,10 @@ def initialize options = {}
           @audience = options[:audience]
           @credential_source = options[:credential_source] || {}
           @environment_id = @credential_source["environment_id"]
-          @region_url = validate_metadata_server @credential_source["region_url"], "region_url"
-          @credential_verification_url = validate_metadata_server @credential_source["url"], "url"
+          @region_url = @credential_source["region_url"]
+          @credential_verification_url = @credential_source["url"]
           @regional_cred_verification_url = @credential_source["regional_cred_verification_url"]
-          @imdsv2_session_token_url = validate_metadata_server @credential_source["imdsv2_session_token_url"],
-                                                               "imdsv2_session_token_url"
+          @imdsv2_session_token_url = @credential_source["imdsv2_session_token_url"]
 
           # These will be lazily loaded when needed, or will raise an error if not provided
           @region = nil
@@ -105,13 +104,6 @@ def retrieve_subject_token!
 
         private
 
-        def validate_metadata_server url, name
-          return nil if url.nil?
-          host = URI(url).host
-          raise "Invalid host #{host} for #{name}." unless ["169.254.169.254", "[fd00:ec2::254]"].include? host
-          url
-        end
-
         def get_aws_resource url, name, data: nil, headers: {}
           begin
             unless [nil, url].include? @imdsv2_session_token_url

spec/googleauth/external_account/aws_credentials_spec.rb

@@ -418,22 +418,6 @@ def make_auth_stubs opts
     it_behaves_like "apply/apply! are OK"
   end
 
-  describe 'faulty ipv6 region url' do
-    let(:region_url) { 'http://fd00:ec2::254/latest/meta-data/placement/availability-zone' }
-
-    it 'raises an error' do
-      expect { credentials }.to raise_error(/bad URI\(is not URI\?\): \"#{region_url}"/)
-    end
-  end
-
-  describe 'invalid region url' do
-    let(:region_url) { 'http://abc.com/latest/meta-data/placement/availability-zone' }
-
-    it 'raises an error' do
-      expect { credentials }.to raise_error(/Invalid host abc\.com for region_url/)
-    end
-  end
-
   describe 'ipv6 cred verification url' do
     let(:security_credential_url) { 'http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials' }
 
@@ -448,22 +432,6 @@ def make_auth_stubs opts
     it_behaves_like "apply/apply! are OK"
   end
 
-  describe 'faulty ipv6 cred verification url' do
-    let(:security_credential_url) { 'http://fd00:ec2::254/latest/meta-data/iam/security-credentials' }
-
-    it 'raises an error' do
-      expect { credentials }.to raise_error(/bad URI\(is not URI\?\): \"#{security_credential_url}"/)
-    end
-  end
-
-  describe 'invalid cred verification url' do
-    let(:security_credential_url) { 'http://abc.com/latest/meta-data/iam/security-credentials' }
-
-    it 'raises an error' do
-      expect { credentials }.to raise_error(/Invalid host abc\.com for url/)
-    end
-  end
-
   describe 'ipv6 imdsv2 url' do
     let(:imdsv2_url) { 'http://[fd00:ec2::254]/latest/api/token' }
 
@@ -479,22 +447,6 @@ def make_auth_stubs opts
     it_behaves_like "apply/apply! are OK"
   end
 
-  describe 'faulty ipv6 imdsv2 url' do
-    let(:imdsv2_url) { 'http://fd00:ec2::254/latest/api/token' }
-
-    it 'raises an error' do
-      expect { credentials }.to raise_error(/bad URI\(is not URI\?\): \"#{imdsv2_url}"/)
-    end
-  end
-
-  describe 'invalid imdsv2 url' do
-    let(:imdsv2_url) { 'http://abc.com/latest/api/token' }
-
-    it 'raises an error' do
-      expect { credentials }.to raise_error(/Invalid host abc\.com for imdsv2_session_token_url/)
-    end
-  end
-
   describe 'regional cred verification url without ssl' do
     let(:regional_cred_verification_url) { 'http://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15' }
 

spec/googleauth/external_account_spec.rb

@@ -19,140 +19,6 @@
 require 'tempfile'
 
 describe Google::Auth::ExternalAccount::Credentials do
-  describe :is_token_url_valid? do
-    VALID_URLS = [
-      "https://sts.googleapis.com",
-      "https://sts.mtls.googleapis.com",
-      "https://us-east-1.sts.googleapis.com",
-      "https://us-east-1.sts.mtls.googleapis.com",
-      "https://US-EAST-1.sts.googleapis.com",
-      "https://sts.us-east-1.googleapis.com",
-      "https://sts.US-WEST-1.googleapis.com",
-      "https://us-east-1-sts.googleapis.com",
-      "https://US-WEST-1-sts.googleapis.com",
-      "https://US-WEST-1-sts.mtls.googleapis.com",
-      "https://us-west-1-sts.googleapis.com/path?query",
-      "https://sts-us-east-1.p.googleapis.com",
-      "https://sts-us-east-1.p.mtls.googleapis.com",
-    ]
-
-    INVALID_URLS = [
-      nil,
-      "https://iamcredentials.googleapis.com",
-      "https://mtls.iamcredentials.googleapis.com",
-      "sts.googleapis.com",
-      "mtls.sts.googleapis.com",
-      "mtls.googleapis.com",
-      "https://",
-      "http://sts.googleapis.com",
-      "https://st.s.googleapis.com",
-      "https://us-eas\t-1.sts.googleapis.com",
-      "https:/us-east-1.sts.googleapis.com",
-      "https:/us-east-1.mtls.sts.googleapis.com",
-      "https://US-WE/ST-1-sts.googleapis.com",
-      "https://sts-us-east-1.googleapis.com",
-      "https://sts-US-WEST-1.googleapis.com",
-      "testhttps://us-east-1.sts.googleapis.com",
-      "https://us-east-1.sts.googleapis.comevil.com",
-      "https://us-east-1.us-east-1.sts.googleapis.com",
-      "https://us-ea.s.t.sts.googleapis.com",
-      "https://sts.googleapis.comevil.com",
-      "hhttps://us-east-1.sts.googleapis.com",
-      "https://us- -1.sts.googleapis.com",
-      "https://-sts.googleapis.com",
-      "https://-mtls.googleapis.com",
-      "https://us-east-1.sts.googleapis.com.evil.com",
-      "https://sts.pgoogleapis.com",
-      "https://p.googleapis.com",
-      "https://sts.p.com",
-      "https://sts.p.mtls.com",
-      "http://sts.p.googleapis.com",
-      "https://xyz-sts.p.googleapis.com",
-      "https://sts-xyz.123.p.googleapis.com",
-      "https://sts-xyz.p1.googleapis.com",
-      "https://sts-xyz.p.foo.com",
-      "https://sts-xyz.p.foo.googleapis.com",
-      "https://sts-xyz.mtls.p.foo.googleapis.com",
-      "https://sts-xyz.p.mtls.foo.googleapis.com",
-    ]
-
-    VALID_URLS.each do |token_url|
-      describe token_url do
-        it 'is valid' do
-          expect(Google::Auth::ExternalAccount::Credentials.is_token_url_valid?(token_url)).to be(true)
-        end
-      end
-    end
-
-    INVALID_URLS.each do |token_url|
-      describe token_url do
-        it 'is invalid' do
-          expect(Google::Auth::ExternalAccount::Credentials.is_token_url_valid?(token_url)).to be(false)
-        end
-      end
-    end
-  end
-
-  describe :is_service_account_impersonation_url_valid? do
-    VALID_URLS = [
-      nil,
-      "https://iamcredentials.googleapis.com",
-      "https://us-east-1.iamcredentials.googleapis.com",
-      "https://US-EAST-1.iamcredentials.googleapis.com",
-      "https://iamcredentials.us-east-1.googleapis.com",
-      "https://iamcredentials.US-WEST-1.googleapis.com",
-      "https://us-east-1-iamcredentials.googleapis.com",
-      "https://US-WEST-1-iamcredentials.googleapis.com",
-      "https://us-west-1-iamcredentials.googleapis.com/path?query",
-      "https://iamcredentials-us-east-1.p.googleapis.com",
-    ]
-    INVALID_URLS = [
-      "https://sts.googleapis.com",
-      "iamcredentials.googleapis.com",
-      "https://",
-      "http://iamcredentials.googleapis.com",
-      "https://iamcre.dentials.googleapis.com",
-      "https://us-eas\t-1.iamcredentials.googleapis.com",
-      "https:/us-east-1.iamcredentials.googleapis.com",
-      "https://US-WE/ST-1-iamcredentials.googleapis.com",
-      "https://iamcredentials-us-east-1.googleapis.com",
-      "https://iamcredentials-US-WEST-1.googleapis.com",
-      "testhttps://us-east-1.iamcredentials.googleapis.com",
-      "https://us-east-1.iamcredentials.googleapis.comevil.com",
-      "https://us-east-1.us-east-1.iamcredentials.googleapis.com",
-      "https://us-ea.s.t.iamcredentials.googleapis.com",
-      "https://iamcredentials.googleapis.comevil.com",
-      "hhttps://us-east-1.iamcredentials.googleapis.com",
-      "https://us- -1.iamcredentials.googleapis.com",
-      "https://-iamcredentials.googleapis.com",
-      "https://us-east-1.iamcredentials.googleapis.com.evil.com",
-      "https://iamcredentials.pgoogleapis.com",
-      "https://p.googleapis.com",
-      "https://iamcredentials.p.com",
-      "http://iamcredentials.p.googleapis.com",
-      "https://xyz-iamcredentials.p.googleapis.com",
-      "https://iamcredentials-xyz.123.p.googleapis.com",
-      "https://iamcredentials-xyz.p1.googleapis.com",
-      "https://iamcredentials-xyz.p.foo.com",
-      "https://iamcredentials-xyz.p.foo.googleapis.com",
-    ]
-
-    VALID_URLS.each do |impersonation_url|
-      describe impersonation_url do
-        it 'is valid' do
-          expect(Google::Auth::ExternalAccount::Credentials.is_service_account_impersonation_url_valid?(impersonation_url)).to be(true)
-        end
-      end
-    end
-
-    INVALID_URLS.each do |impersonation_url|
-      describe impersonation_url do
-        it 'is invalid' do
-          expect(Google::Auth::ExternalAccount::Credentials.is_service_account_impersonation_url_valid?(impersonation_url)).to be(false)
-        end
-      end
-    end
-  end
 
   describe :make_creds do
     it 'should be able to make aws credentials' do