Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

feat: Auth lib: Remove 3PI config url validation (#32450)

Browse Source 
To support TPC feature for BYOID (3PI), we need to remove the validation
the pattern of impersonation endpoints, sts endpoints and token info
endpoints since they are different in TPC regions.

A security review is already passed at b/261634871

<!--

If you know who should review your pull request, please assign it to
that
person, otherwise the pull request would get assigned randomly.

If your pull request is for a specific language, please add the
appropriate
lang label.

-->
pull/32574/head
Jin 2 years ago committed by GitHub
parent 0e38b075ff
commit 89980d01f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 0 additions and 169 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 59
      src/core/lib/security/credentials/google_default/google_default_credentials.cc
  2. 110
      test/core/security/credentials_test.cc

59
src/core/lib/security/credentials/google_default/google_default_credentials.cc
Unescape View File

@ -22,14 +22,12 @@
#include <string.h>
#include <map>
#include <memory>
#include <string>
#include "absl/status/statusor.h"
#include "absl/strings/match.h"
#include "absl/strings/string_view.h"
#include "absl/strings/strip.h"
#include "absl/types/optional.h"
#include <grpc/grpc_security.h> // IWYU pragma: keep
@ -44,7 +42,6 @@
#include "src/core/lib/channel/channel_args.h"
#include "src/core/lib/debug/trace.h"
#include "src/core/lib/gprpp/env.h"
#include "src/core/lib/gprpp/host_port.h"
#include "src/core/lib/gprpp/orphanable.h"
#include "src/core/lib/gprpp/ref_counted_ptr.h"
#include "src/core/lib/gprpp/status_helper.h"
@ -254,57 +251,6 @@ static int is_metadata_server_reachable() {
return detector.success;
}
namespace {
bool ValidateUrlField(const Json& json, const std::string& field) {
auto it = json.object_value().find(field);
if (it == json.object_value().end()) {
return true;
}
if (it->second.type() != Json::Type::STRING ||
it->second.string_value().empty()) {
return false;
}
absl::StatusOr<grpc_core::URI> url =
grpc_core::URI::Parse(it->second.string_value());
if (!url.ok()) return false;
if (!absl::EqualsIgnoreCase(url->scheme(), "https")) {
return false;
}
absl::string_view host;
absl::string_view port;
grpc_core::SplitHostPort(url->authority(), &host, &port);
if (absl::ConsumeSuffix(&host, ".p.googleapis.com")) {
if (absl::StartsWith(host, "sts-") ||
absl::StartsWith(host, "iamcredentials-")) {
return true;
}
} else if (absl::ConsumeSuffix(&host, ".googleapis.com")) {
if (host == "sts" || host == "iamcredentials") {
return true;
} else if (absl::StartsWith(host, "sts.") ||
absl::StartsWith(host, "iamcredentials.")) {
return true;
} else if (absl::EndsWith(host, ".sts") ||
absl::EndsWith(host, ".iamcredentials")) {
return true;
} else if (absl::EndsWith(host, "-sts") ||
absl::EndsWith(host, "-iamcredentials")) {
return true;
}
}
return false;
}
bool ValidateExteralAccountCredentials(const Json& json) {
return json.type() == Json::Type::OBJECT &&
ValidateUrlField(json, "token_url") &&
ValidateUrlField(json, "service_account_impersonation_url") &&
ValidateUrlField(json, "token_info_url");
}
} // namespace
// Takes ownership of creds_path if not NULL.
static grpc_error_handle create_default_creds_from_path(
const std::string& creds_path,
@ -363,11 +309,6 @@ static grpc_error_handle create_default_creds_from_path(
goto end;
}
// Finally try an external account credentials.
if (!ValidateExteralAccountCredentials(json)) {
error = GRPC_ERROR_CREATE("Invalid external account credentials format.");
goto end;
}
result = grpc_core::ExternalAccountCredentials::Create(json, {}, &error);
end:

110
test/core/security/credentials_test.cc
Unescape View File

@ -126,45 +126,6 @@ const char test_refresh_token_str[] =
" \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\","
" \"type\": \"authorized_user\"}";
// Test external account credentials.
const char test_external_account_credentials_str[] =
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"https://iamcredentials.googleapis.com:5555/"
"service_account_impersonation_url\",\"token_url\":\"https://"
"sts.googleapis.com:5555/"
"token\",\"token_info_url\":\"https://sts.googleapis.com:5555/"
"token_info\",\"credential_source\":{\"file\":"
"\"credentials_file_path\"},"
"\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}";
const char test_external_account_credentials_multi_pattern_sts_str[] =
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"https://sts.test.googleapis.com:5555/"
"service_account_impersonation_url\",\"token_url\":\"https://"
"test.sts.googleapis.com:5555/token\",\"token_info_url\":\"https://"
"test-sts.googleapis.com:5555/"
"token_info\",\"credential_source\":{\"file\":\"credentials_file_path\"},"
"\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}";
const char test_external_account_credentials_multi_pattern_iam_str[] =
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
"url\":\"https://iamcredentials.test.googleapis.com:5555/"
"service_account_impersonation_url\",\"token_url\":\"https://"
"test.iamcredentials.googleapis.com:5555/"
"token\",\"token_info_url\":\"https://"
"test-iamcredentials.googleapis.com:5555/"
"token_info\",\"credential_source\":{\"file\":\"credentials_file_path\"},"
"\"quota_project_id\":\"quota_"
"project_id\",\"client_id\":\"client_id\",\"client_secret\":\"client_"
"secret\"}";
const char test_external_account_credentials_psc_sts_str[] =
"{\"type\":\"external_account\",\"audience\":\"audience\",\"subject_"
"token_type\":\"subject_token_type\",\"service_account_impersonation_"
@ -1611,77 +1572,6 @@ TEST(CredentialsTest, TestGoogleDefaultCredsRefreshToken) {
grpc_override_well_known_credentials_path_getter(nullptr);
}
TEST(CredentialsTest, TestGoogleDefaultCredsExternalAccountCredentials) {
ExecCtx exec_ctx;
grpc_composite_channel_credentials* creds;
grpc_flush_cached_google_default_credentials();
set_google_default_creds_env_var_with_file_contents(
"google_default_creds_external_account_credentials",
test_external_account_credentials_str);
grpc_override_well_known_credentials_path_getter(
null_well_known_creds_path_getter);
creds = reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(nullptr));
auto* default_creds =
reinterpret_cast<const grpc_google_default_channel_credentials*>(
creds->inner_creds());
GPR_ASSERT(default_creds->ssl_creds() != nullptr);
auto* external =
reinterpret_cast<const ExternalAccountCredentials*>(creds->call_creds());
GPR_ASSERT(external != nullptr);
creds->Unref();
SetEnv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); // Reset.
grpc_override_well_known_credentials_path_getter(nullptr);
}
TEST(CredentialsTest,
TestGoogleDefaultCredsExternalAccountCredentialsMultiPatternSts) {
ExecCtx exec_ctx;
grpc_composite_channel_credentials* creds;
grpc_flush_cached_google_default_credentials();
set_google_default_creds_env_var_with_file_contents(
"google_default_creds_external_account_credentials_multi_pattern_sts",
test_external_account_credentials_multi_pattern_sts_str);
grpc_override_well_known_credentials_path_getter(
null_well_known_creds_path_getter);
creds = reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(nullptr));
auto* default_creds =
reinterpret_cast<const grpc_google_default_channel_credentials*>(
creds->inner_creds());
GPR_ASSERT(default_creds->ssl_creds() != nullptr);
auto* external =
reinterpret_cast<const ExternalAccountCredentials*>(creds->call_creds());
GPR_ASSERT(external != nullptr);
creds->Unref();
SetEnv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); // Reset.
grpc_override_well_known_credentials_path_getter(nullptr);
}
TEST(CredentialsTest,
TestGoogleDefaultCredsExternalAccountCredentialsMultiPatternIam) {
ExecCtx exec_ctx;
grpc_composite_channel_credentials* creds;
grpc_flush_cached_google_default_credentials();
set_google_default_creds_env_var_with_file_contents(
"google_default_creds_external_account_credentials_multi_pattern_iam",
test_external_account_credentials_multi_pattern_iam_str);
grpc_override_well_known_credentials_path_getter(
null_well_known_creds_path_getter);
creds = reinterpret_cast<grpc_composite_channel_credentials*>(
grpc_google_default_credentials_create(nullptr));
auto* default_creds =
reinterpret_cast<const grpc_google_default_channel_credentials*>(
creds->inner_creds());
GPR_ASSERT(default_creds->ssl_creds() != nullptr);
auto* external =
reinterpret_cast<const ExternalAccountCredentials*>(creds->call_creds());
GPR_ASSERT(external != nullptr);
creds->Unref();
SetEnv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR, ""); // Reset.
grpc_override_well_known_credentials_path_getter(nullptr);
}
TEST(CredentialsTest, TestGoogleDefaultCredsExternalAccountCredentialsPscSts) {
ExecCtx exec_ctx;
grpc_composite_channel_credentials* creds;

Write Preview
Loading…
Cancel
Save