google/internal/external: Adding metadata verification

Author: ScruffyProdigy

google/internal/externalaccount/aws.go

@@ -267,6 +267,29 @@ type awsRequest struct {
 Headers []awsRequestHeader `json:"headers"`
 }
 
+func (cs awsCredentialSource) validateMetadataServers() error {
+if err := cs.validateMetadataServer(cs.RegionURL, "region_url"); err != nil {
+return err
+}
+if err := cs.validateMetadataServer(cs.CredVerificationURL, "url"); err != nil {
+return err
+}
+return cs.validateMetadataServer(cs.IMDSv2SessionTokenURL, "imdsv2_session_token_url")
+}
+
+func (cs awsCredentialSource) validateMetadataServer(metadataUrl, urlName string) error {
+if metadataUrl == "" {
+return nil
+}
+
+u, err := url.Parse(metadataUrl)
+if err == nil && (u.Hostname() == "169.254.169.254" || u.Hostname() == "fd00:ec2::254") {
+return nil
+}
+
+return errors.New("oauth2/google: invalid hostname " + metadataUrl + " for " + urlName)
+}
+
 func (cs awsCredentialSource) doRequest(req *http.Request) (*http.Response, error) {
 if cs.client == nil {
 cs.client = oauth2.NewClient(cs.ctx, nil)

google/internal/externalaccount/aws_test.go

@@ -501,6 +501,7 @@ func (server *testAwsServer) getCredentialSource(url string) CredentialSource {
 RegionURL: url + server.regionURL,
 RegionalCredVerificationURL: server.regionalCredVerificationURL,
 IMDSv2SessionTokenURL: url + server.imdsv2SessionTokenUrl,
+skipValidation: true, // We need to use non-amazon URLs for testing, which will fail validation.
 }
 }
 
@@ -1025,3 +1026,88 @@ func TestAWSCredential_RequestWithBadFinalCredentialURL(t *testing.T) {
 t.Errorf("subjectToken = %q, want %q", got, want)
 }
 }
+
+func TestAWSCredential_Validations(t *testing.T) {
+var metadataServerValidityTests = []struct {
+name string
+credSource CredentialSource
+errText string
+}{
+{
+name: "No Metadata Server URLs",
+credSource: CredentialSource{
+EnvironmentID: "aws1",
+RegionURL: "",
+URL: "",
+IMDSv2SessionTokenURL: "",
+},
+}, {
+name: "IPv4 Metadata Server URLs",
+credSource: CredentialSource{
+EnvironmentID: "aws1",
+RegionURL: "http://169.254.169.254/latest/meta-data/placement/availability-zone",
+URL: "http://169.254.169.254/latest/meta-data/iam/security-credentials",
+IMDSv2SessionTokenURL: "http://169.254.169.254/latest/api/token",
+},
+}, {
+name: "IPv6 Metadata Server URLs",
+credSource: CredentialSource{
+EnvironmentID: "aws1",
+RegionURL: "http://[fd00:ec2::254]/latest/meta-data/placement/availability-zone",
+URL: "http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials",
+IMDSv2SessionTokenURL: "http://[fd00:ec2::254]/latest/api/token",
+},
+}, {
+name: "Faulty RegionURL",
+credSource: CredentialSource{
+EnvironmentID: "aws1",
+RegionURL: "http://abc.com/latest/meta-data/placement/availability-zone",
+URL: "http://169.254.169.254/latest/meta-data/iam/security-credentials",
+IMDSv2SessionTokenURL: "http://169.254.169.254/latest/api/token",
+},
+errText: "oauth2/google: invalid hostname http://abc.com/latest/meta-data/placement/availability-zone for region_url",
+}, {
+name: "Faulty CredVerificationURL",
+credSource: CredentialSource{
+EnvironmentID: "aws1",
+RegionURL: "http://169.254.169.254/latest/meta-data/placement/availability-zone",
+URL: "http://abc.com/latest/meta-data/iam/security-credentials",
+IMDSv2SessionTokenURL: "http://169.254.169.254/latest/api/token",
+},
+errText: "oauth2/google: invalid hostname http://abc.com/latest/meta-data/iam/security-credentials for url",
+}, {
+name: "Faulty IMDSv2SessionTokenURL",
+credSource: CredentialSource{
+EnvironmentID: "aws1",
+RegionURL: "http://169.254.169.254/latest/meta-data/placement/availability-zone",
+URL: "http://169.254.169.254/latest/meta-data/iam/security-credentials",
+IMDSv2SessionTokenURL: "http://abc.com/latest/api/token",
+},
+errText: "oauth2/google: invalid hostname http://abc.com/latest/api/token for imdsv2_session_token_url",
+},
+}
+
+for _, tt := range metadataServerValidityTests {
+t.Run(tt.name, func(t *testing.T) {
+tfc := testFileConfig
+tfc.CredentialSource = tt.credSource
+
+oldGetenv := getenv
+defer func() { getenv = oldGetenv }()
+getenv = setEnvironment(map[string]string{})
+
+_, err := tfc.parse(context.Background())
+if err != nil {
+if tt.errText == "" {
+t.Errorf("Didn't expect an error, but got %v", err)
+} else if tt.errText != err.Error() {
+t.Errorf("Expected %v, but got %v", tt.errText, err)
+}
+} else {
+if tt.errText != "" {
+t.Errorf("Expected error %v, but got none", tt.errText)
+}
+}
+})
+}
+}

google/internal/externalaccount/basecredentials.go

@@ -185,6 +185,8 @@ type CredentialSource struct {
 CredVerificationURL string `json:"cred_verification_url"`
 IMDSv2SessionTokenURL string `json:"imdsv2_session_token_url"`
 Format format `json:"format"`
+
+skipValidation bool
 }
 
 type ExecutableConfig struct {
@@ -213,6 +215,12 @@ func (c *Config) parse(ctx context.Context) (baseCredentialSource, error) {
 awsCredSource.IMDSv2SessionTokenURL = c.CredentialSource.IMDSv2SessionTokenURL
 }
 
+if !c.CredentialSource.skipValidation {
+if err := awsCredSource.validateMetadataServers(); err != nil {
+return nil, err
+}
+}
+
 return awsCredSource, nil
 }
 } else if c.CredentialSource.File != "" {