fix: Allow mtls sts endpoint for external account token urls. (#1185)

* fix: Allow mtls sts endpoint for external account token urls.
googleapis · Nov 16, 2022 · c86dd69 · c86dd69
1 parent fc843cd
commit c86dd69
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/google/auth/external_account.py b/google/auth/external_account.py
@@ -437,11 +437,11 @@ def _initialize_impersonated_credentials(self):
     @staticmethod
     def validate_token_url(token_url, url_type="token"):
         _TOKEN_URL_PATTERNS = [
-            "^[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com$",
-            "^sts\\.googleapis\\.com$",
-            "^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$",
-            "^[^\\.\\s\\/\\\\]+\\-sts\\.googleapis\\.com$",
-            "^sts\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$",
+            "^[^\\.\\s\\/\\\\]+\\.sts(?:\\.mtls)?\\.googleapis\\.com$",
+            "^sts(?:\\.mtls)?\\.googleapis\\.com$",
+            "^sts\\.[^\\.\\s\\/\\\\]+(?:\\.mtls)?\\.googleapis\\.com$",
+            "^[^\\.\\s\\/\\\\]+\\-sts(?:\\.mtls)?\\.googleapis\\.com$",
+            "^sts\\-[^\\.\\s\\/\\\\]+\\.p(?:\\.mtls)?\\.googleapis\\.com$",
         ]
 
         if not Credentials.is_valid_url(_TOKEN_URL_PATTERNS, token_url):

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/tests/test_external_account.py b/tests/test_external_account.py
@@ -67,23 +67,31 @@
 
 VALID_TOKEN_URLS = [
     "https://sts.googleapis.com",
+    "https://sts.mtls.googleapis.com",
     "https://us-east-1.sts.googleapis.com",
+    "https://us-east-1.sts.mtls.googleapis.com",
     "https://US-EAST-1.sts.googleapis.com",
     "https://sts.us-east-1.googleapis.com",
     "https://sts.US-WEST-1.googleapis.com",
     "https://us-east-1-sts.googleapis.com",
     "https://US-WEST-1-sts.googleapis.com",
+    "https://US-WEST-1-sts.mtls.googleapis.com",
     "https://us-west-1-sts.googleapis.com/path?query",
     "https://sts-us-east-1.p.googleapis.com",
+    "https://sts-us-east-1.p.mtls.googleapis.com",
 ]
 INVALID_TOKEN_URLS = [
     "https://iamcredentials.googleapis.com",
+    "https://mtls.iamcredentials.googleapis.com",
     "sts.googleapis.com",
+    "mtls.sts.googleapis.com",
+    "mtls.googleapis.com",
     "https://",
     "http://sts.googleapis.com",
     "https://st.s.googleapis.com",
     "https://us-eas\t-1.sts.googleapis.com",
     "https:/us-east-1.sts.googleapis.com",
+    "https:/us-east-1.mtls.sts.googleapis.com",
     "https://US-WE/ST-1-sts.googleapis.com",
     "https://sts-us-east-1.googleapis.com",
     "https://sts-US-WEST-1.googleapis.com",
@@ -95,16 +103,20 @@
     "hhttps://us-east-1.sts.googleapis.com",
     "https://us- -1.sts.googleapis.com",
     "https://-sts.googleapis.com",
+    "https://-mtls.googleapis.com",
     "https://us-east-1.sts.googleapis.com.evil.com",
     "https://sts.pgoogleapis.com",
     "https://p.googleapis.com",
     "https://sts.p.com",
+    "https://sts.p.mtls.com",
     "http://sts.p.googleapis.com",
     "https://xyz-sts.p.googleapis.com",
     "https://sts-xyz.123.p.googleapis.com",
     "https://sts-xyz.p1.googleapis.com",
     "https://sts-xyz.p.foo.com",
     "https://sts-xyz.p.foo.googleapis.com",
+    "https://sts-xyz.mtls.p.foo.googleapis.com",
+    "https://sts-xyz.p.mtls.foo.googleapis.com",
 ]
 VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [
     "https://iamcredentials.googleapis.com",