diff --git a/vendor.mod b/vendor.mod index 9087bc3af0..2c2e57d27a 100644 --- a/vendor.mod +++ b/vendor.mod @@ -137,7 +137,7 @@ require ( golang.org/x/crypto v0.0.0-20211202192323-5770296d904e // indirect golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect golang.org/x/mod v0.4.2 // indirect - golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a // indirect + golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect golang.org/x/text v0.3.6 // indirect golang.org/x/tools v0.1.5 // indirect golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect diff --git a/vendor.sum b/vendor.sum index c73f8a85c6..e8f5df79a8 100644 --- a/vendor.sum +++ b/vendor.sum @@ -852,8 +852,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a h1:4Kd8OPUx1xgUwrHDaviWZO8MsgoZTZYC3g+8m16RBww= -golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f h1:Qmd2pbz05z7z6lm0DrgQVVPuBm92jqujBKMHMOlOQEw= +golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= diff --git a/vendor/golang.org/x/oauth2/google/google.go b/vendor/golang.org/x/oauth2/google/google.go index 2b631f5223..422ff1fe34 100644 --- a/vendor/golang.org/x/oauth2/google/google.go +++ b/vendor/golang.org/x/oauth2/google/google.go @@ -177,7 +177,7 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar QuotaProjectID: f.QuotaProjectID, Scopes: params.Scopes, } - return cfg.TokenSource(ctx), nil + return cfg.TokenSource(ctx) case "": return nil, errors.New("missing 'type' field in credentials") default: diff --git a/vendor/golang.org/x/oauth2/google/internal/externalaccount/basecredentials.go b/vendor/golang.org/x/oauth2/google/internal/externalaccount/basecredentials.go index a4d45d9202..dab917f39e 100644 --- a/vendor/golang.org/x/oauth2/google/internal/externalaccount/basecredentials.go +++ b/vendor/golang.org/x/oauth2/google/internal/externalaccount/basecredentials.go @@ -7,10 +7,14 @@ package externalaccount import ( "context" "fmt" - "golang.org/x/oauth2" "net/http" + "net/url" + "regexp" "strconv" + "strings" "time" + + "golang.org/x/oauth2" ) // now aliases time.Now for testing @@ -22,43 +26,101 @@ var now = func() time.Time { type Config struct { // Audience is the Secure Token Service (STS) audience which contains the resource name for the workload // identity pool or the workforce pool and the provider identifier in that pool. - Audience string + Audience string // SubjectTokenType is the STS token type based on the Oauth2.0 token exchange spec // e.g. `urn:ietf:params:oauth:token-type:jwt`. - SubjectTokenType string + SubjectTokenType string // TokenURL is the STS token exchange endpoint. - TokenURL string + TokenURL string // TokenInfoURL is the token_info endpoint used to retrieve the account related information ( // user attributes like account identifier, eg. email, username, uid, etc). This is // needed for gCloud session account identification. - TokenInfoURL string + TokenInfoURL string // ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only // required for workload identity pools when APIs to be accessed have not integrated with UberMint. ServiceAccountImpersonationURL string // ClientSecret is currently only required if token_info endpoint also // needs to be called with the generated GCP access token. When provided, STS will be // called with additional basic authentication using client_id as username and client_secret as password. - ClientSecret string + ClientSecret string // ClientID is only required in conjunction with ClientSecret, as described above. - ClientID string + ClientID string // CredentialSource contains the necessary information to retrieve the token itself, as well // as some environmental information. - CredentialSource CredentialSource + CredentialSource CredentialSource // QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries // will set the x-goog-user-project which overrides the project associated with the credentials. - QuotaProjectID string + QuotaProjectID string // Scopes contains the desired scopes for the returned access token. - Scopes []string + Scopes []string +} + +// Each element consists of a list of patterns. validateURLs checks for matches +// that include all elements in a given list, in that order. + +var ( + validTokenURLPatterns = []*regexp.Regexp{ + // The complicated part in the middle matches any number of characters that + // aren't period, spaces, or slashes. + regexp.MustCompile(`(?i)^[^\.\s\/\\]+\.sts\.googleapis\.com$`), + regexp.MustCompile(`(?i)^sts\.googleapis\.com$`), + regexp.MustCompile(`(?i)^sts\.[^\.\s\/\\]+\.googleapis\.com$`), + regexp.MustCompile(`(?i)^[^\.\s\/\\]+-sts\.googleapis\.com$`), + } + validImpersonateURLPatterns = []*regexp.Regexp{ + regexp.MustCompile(`^[^\.\s\/\\]+\.iamcredentials\.googleapis\.com$`), + regexp.MustCompile(`^iamcredentials\.googleapis\.com$`), + regexp.MustCompile(`^iamcredentials\.[^\.\s\/\\]+\.googleapis\.com$`), + regexp.MustCompile(`^[^\.\s\/\\]+-iamcredentials\.googleapis\.com$`), + } +) + +func validateURL(input string, patterns []*regexp.Regexp, scheme string) bool { + parsed, err := url.Parse(input) + if err != nil { + return false + } + if !strings.EqualFold(parsed.Scheme, scheme) { + return false + } + toTest := parsed.Host + + for _, pattern := range patterns { + + if valid := pattern.MatchString(toTest); valid { + return true + } + } + return false } // TokenSource Returns an external account TokenSource struct. This is to be called by package google to construct a google.Credentials. -func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource { +func (c *Config) TokenSource(ctx context.Context) (oauth2.TokenSource, error) { + return c.tokenSource(ctx, validTokenURLPatterns, validImpersonateURLPatterns, "https") +} + +// tokenSource is a private function that's directly called by some of the tests, +// because the unit test URLs are mocked, and would otherwise fail the +// validity check. +func (c *Config) tokenSource(ctx context.Context, tokenURLValidPats []*regexp.Regexp, impersonateURLValidPats []*regexp.Regexp, scheme string) (oauth2.TokenSource, error) { + valid := validateURL(c.TokenURL, tokenURLValidPats, scheme) + if !valid { + return nil, fmt.Errorf("oauth2/google: invalid TokenURL provided while constructing tokenSource") + } + + if c.ServiceAccountImpersonationURL != "" { + valid := validateURL(c.ServiceAccountImpersonationURL, impersonateURLValidPats, scheme) + if !valid { + return nil, fmt.Errorf("oauth2/google: invalid ServiceAccountImpersonationURL provided while constructing tokenSource") + } + } + ts := tokenSource{ ctx: ctx, conf: c, } if c.ServiceAccountImpersonationURL == "" { - return oauth2.ReuseTokenSource(nil, ts) + return oauth2.ReuseTokenSource(nil, ts), nil } scopes := c.Scopes ts.conf.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"} @@ -68,7 +130,7 @@ func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource { scopes: scopes, ts: oauth2.ReuseTokenSource(nil, ts), } - return oauth2.ReuseTokenSource(nil, imp) + return oauth2.ReuseTokenSource(nil, imp), nil } // Subject token file types. @@ -78,9 +140,9 @@ const ( ) type format struct { - // Type is either "text" or "json". When not provided "text" type is assumed. + // Type is either "text" or "json". When not provided "text" type is assumed. Type string `json:"type"` - // SubjectTokenFieldName is only required for JSON format. This would be "access_token" for azure. + // SubjectTokenFieldName is only required for JSON format. This would be "access_token" for azure. SubjectTokenFieldName string `json:"subject_token_field_name"` } @@ -128,7 +190,7 @@ type baseCredentialSource interface { subjectToken() (string, error) } -// tokenSource is the source that handles external credentials. It is used to retrieve Tokens. +// tokenSource is the source that handles external credentials. It is used to retrieve Tokens. type tokenSource struct { ctx context.Context conf *Config diff --git a/vendor/golang.org/x/oauth2/google/internal/externalaccount/clientauth.go b/vendor/golang.org/x/oauth2/google/internal/externalaccount/clientauth.go index 62c2e36cc1..99987ce294 100644 --- a/vendor/golang.org/x/oauth2/google/internal/externalaccount/clientauth.go +++ b/vendor/golang.org/x/oauth2/google/internal/externalaccount/clientauth.go @@ -6,9 +6,10 @@ package externalaccount import ( "encoding/base64" - "golang.org/x/oauth2" "net/http" "net/url" + + "golang.org/x/oauth2" ) // clientAuthentication represents an OAuth client ID and secret and the mechanism for passing these credentials as stated in rfc6749#2.3.1. diff --git a/vendor/golang.org/x/oauth2/google/internal/externalaccount/impersonate.go b/vendor/golang.org/x/oauth2/google/internal/externalaccount/impersonate.go index 1f6009b38f..64edb56001 100644 --- a/vendor/golang.org/x/oauth2/google/internal/externalaccount/impersonate.go +++ b/vendor/golang.org/x/oauth2/google/internal/externalaccount/impersonate.go @@ -9,11 +9,12 @@ import ( "context" "encoding/json" "fmt" - "golang.org/x/oauth2" "io" "io/ioutil" "net/http" "time" + + "golang.org/x/oauth2" ) // generateAccesstokenReq is used for service account impersonation diff --git a/vendor/golang.org/x/oauth2/google/internal/externalaccount/sts_exchange.go b/vendor/golang.org/x/oauth2/google/internal/externalaccount/sts_exchange.go index a8a704bb41..e6fcae5fcb 100644 --- a/vendor/golang.org/x/oauth2/google/internal/externalaccount/sts_exchange.go +++ b/vendor/golang.org/x/oauth2/google/internal/externalaccount/sts_exchange.go @@ -65,6 +65,9 @@ func exchangeToken(ctx context.Context, endpoint string, request *stsTokenExchan defer resp.Body.Close() body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20)) + if err != nil { + return nil, err + } if c := resp.StatusCode; c < 200 || c > 299 { return nil, fmt.Errorf("oauth2/google: status code %d: %s", c, body) } diff --git a/vendor/golang.org/x/oauth2/google/internal/externalaccount/urlcredsource.go b/vendor/golang.org/x/oauth2/google/internal/externalaccount/urlcredsource.go index 91b8f2002a..16dca6541d 100644 --- a/vendor/golang.org/x/oauth2/google/internal/externalaccount/urlcredsource.go +++ b/vendor/golang.org/x/oauth2/google/internal/externalaccount/urlcredsource.go @@ -9,10 +9,11 @@ import ( "encoding/json" "errors" "fmt" - "golang.org/x/oauth2" "io" "io/ioutil" "net/http" + + "golang.org/x/oauth2" ) type urlCredentialSource struct { diff --git a/vendor/modules.txt b/vendor/modules.txt index a15070c6d1..26b3d7af0f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -829,7 +829,7 @@ golang.org/x/net/ipv6 golang.org/x/net/proxy golang.org/x/net/trace golang.org/x/net/websocket -# golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a +# golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f ## explicit; go 1.11 golang.org/x/oauth2 golang.org/x/oauth2/authhandler