Skip to content

fix: Add basic AWS url validation #660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
busunkim96 merged 31 commits into from
Jan 8, 2021
Merged

fix: Add basic AWS url validation #660

busunkim96 merged 31 commits into from
Jan 8, 2021

Conversation

@bojeil-google
Copy link
Contributor

@bojeil-google bojeil-google commented Jan 8, 2021

Recommended by the security reviewer, this change adds basic scheme/hostname validation to the AWS request URL.
This is auto-generated as part of the configuration file for external accounts. In case, the URL is manually modified to an invalid field, this should help catch that.

busunkim96 and others added 30 commits September 2, 2020 14:55
@busunkim96 @tseaver
refactor: split 'with_quota_project' into separate base class (#561)
41599ae 
Co-authored-by: Tres Seaver <[email protected]>
@arithmetic1728
fix: dummy commit to trigger a auto release (#597)
d32f7df
@release-please
chore: release 1.21.1 (#599)
892dc37 
* chore: updated CHANGELOG.md [ci skip]

* chore: updated setup.cfg [ci skip]

* chore: updated setup.py

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
@busunkim96
fix: migrate signBlob to iamcredentials.googleapis.com (#600)
694d83f 
Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com.

This API is deprecated and will be shutdown in one year.

This is used google.auth.iam.Signer.
Added a system_test to sanity check the implementation.
@release-please
chore: release 1.21.2 (#601)
b921a0a 
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
@wescpy
fix: fix expiry for to_json() (#589)
d0e0aba 
* This patch for </issues/501> includes the following fixes:

- The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file.
- For refresh needs, `expiry` also needs to be saved via `to_json()`.
    - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency.
    - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported.
    - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place.
- Minor `scopes` updates
    - DUMP: Add property for `scopes` so `to_json()` can grab it
    - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported.
@busunkim96
chore: add default CODEOWNERS (#609)
da3526f
@release-please
chore: release 1.21.3 (#607)
cc91e75
@crwilcox @anibadde
feat: add asyncio based auth flow (#612)
7e15258 
* feat: asyncio http request logic and asynchronous credentials logic  (#572)

Co-authored-by: Anirudh Baddepudi <[email protected]>
@release-please
chore: release 1.22.0 (#615)
ee5617c 
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
@crwilcox
fix: move aiohttp to extra as it is currently internal surface (#619)
a924011 
Fix #618. Removes aiohttp from required dependencies to lessen dependency tree for google-auth.

This will need to be looked at again as more folks use aiohttp and once the surfaces goes to public visibility.
@release-please
chore: release 1.22.1 (#620)
7f957ba 
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
@akx
fix: remove checks for ancient versions of Cryptography (#596)
6407258 
Refs #595 (comment) 

I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore.
@tseaver
tests: fix unit tests on python 3.6 / 3.7 (#630)
3b3172e
@davidwtbuxton
Change metadata service helper to work with any query parameters (#588)
5906c85 
Part of #579 

This helper is used with '?recursive=true' in one place, and can now be used by
IDTokenCredentials for requests with query parameters to the metadata identity
end-point.

This change will allow making requests to the token end-point with '?scopes=..'
query parameters.
@tseaver
fix: pin 'aoihttp < 3.7.0dev' (#634)
05f9524 
Working around breaking change in 3.7.0.  See:

pnuckowski/aioresponses#173
@yoshi-automation @tseaver
chore: add infrastructure to support docs-presubmit build (via synt…
755e702 
…h) (#578)

* feat(python-library): changes to docs job

* feat(python-library): changes to docs job

* migrate to Trampoline V2
* add docs-presubmit job
* create docfx yaml files and upload them to another bucket

* remove redundant envvars

* add a failing test first

* fix TemplateSyntaxError: Missing end of comment tag

* serving_path is not needed any more

* use `raw` to make jinja happy

Source-Author: Takashi Matsuo <[email protected]>
Source-Date: Thu Jul 30 12:44:02 2020 -0700
Source-Repo: googleapis/synthtool
Source-Sha: 5dfda5621df45b71b6e88544ebbb53b1a8c90214
Source-Link: googleapis/synthtool@5dfda56

* fix(python-library): add missing changes

Source-Author: Takashi Matsuo <[email protected]>
Source-Date: Thu Jul 30 18:26:35 2020 -0700
Source-Repo: googleapis/synthtool
Source-Sha: 39b527a39f5cd56d4882b3874fc08eed4756cebe
Source-Link: googleapis/synthtool@39b527a

Co-authored-by: Tres Seaver <[email protected]>
@matthewhughes934
Update example in oauth2.id_token docs (#624)
9c4200d 
Since c05b8b5 oauth2.id_token.verify_oauth2_token handles the issuer
check itself, so remove this redundant check from the docs.
@yoshi-automation
build: use pypi secret from secret manager (#639)
d0a47c1
@davidwtbuxton @tseaver @busunkim96
feat: Add custom scopes for access tokens from the metadata service (#…
0323cf3 
…633)

This works for App Engine, Cloud Run and Flex. On Compute Engine you
can request custom scopes, but they are ignored.

Co-authored-by: Tres Seaver <[email protected]>
Co-authored-by: Bu Sun Kim <[email protected]>
@davidwtbuxton
fix(deps): Revert "fix: pin 'aoihttp < 3.7.0dev' (#634)" (#632) (#640)
b790e65 
This reverts commit 05f9524.

The compatibility bug was fixed in the aioresponses package version 0.7.1 - https://pypi.org/project/aioresponses/

Fixes #632
@release-please
chore: release 1.23.0 (#641)
bc92abb 
🤖 I have created a release \*beep\* \*boop\* 
---
## [1.23.0](https://www.github.com/googleapis/google-auth-library-python/compare/v1.22.1...v1.23.0) (2020-10-29)


### Features

* Add custom scopes for access tokens from the metadata service ([#633](https://www.github.com/googleapis/google-auth-library-python/issues/633)) ([0323cf3](https://www.github.com/googleapis/google-auth-library-python/commit/0323cf390b16e8483660ac88775e8ea4e7f7702d))


### Bug Fixes

* **deps:** Revert "fix: pin 'aoihttp < 3.7.0dev' ([#634](https://www.github.com/googleapis/google-auth-library-python/issues/634))" ([#632](https://www.github.com/googleapis/google-auth-library-python/issues/632)) ([#640](https://www.github.com/googleapis/google-auth-library-python/issues/640)) ([b790e65](https://www.github.com/googleapis/google-auth-library-python/commit/b790e6535cc37591b23866027a426cde312e07c1))
* pin 'aoihttp < 3.7.0dev' ([#634](https://www.github.com/googleapis/google-auth-library-python/issues/634)) ([05f9524](https://www.github.com/googleapis/google-auth-library-python/commit/05f95246fab928fe2f445781117eeac8088497fb))
* remove checks for ancient versions of Cryptography ([#596](https://www.github.com/googleapis/google-auth-library-python/issues/596)) ([6407258](https://www.github.com/googleapis/google-auth-library-python/commit/6407258956ec42e3b722418cb7f366e5ae9272ec)), closes [/github.com//issues/595#issuecomment-683903062](https://www.github.com/googleapis//github.com/googleapis/google-auth-library-python/issues/595/issues/issuecomment-683903062)
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please).
@busunkim96
docs: fix typo in import (#651)
3319ea8 
`service_acccount` -> `service_account`.

Closes #650
@busunkim96
chore: fix comment about clock_skew (#653)
2d3b8d1 
Clock skew was changed in #581
@tseaver
feat: add Python 3.9 support, drop Python 3.5 support (#655)
6de753d 
Closes #654.
@busunkim96
chore: add constraints file (#649)
da922f0 
Add constraints file to test lower bounds
@dgorelik
chore: fix typo (#647)
ec1b688
@pietrodn @tseaver
fix: avoid losing the original '_include_email' parameter in imperson…
fd9b5b1 
…ated credentials (#626)

Co-authored-by: Tres Seaver <[email protected]>
@release-please
chore: release 1.24.0 (#656)
647290a 
🤖 I have created a release \*beep\* \*boop\* 
---
## [1.24.0](https://www.github.com/googleapis/google-auth-library-python/compare/v1.23.0...v1.24.0) (2020-12-11)


### Features

* add Python 3.9 support, drop Python 3.5 support ([#655](https://www.github.com/googleapis/google-auth-library-python/issues/655)) ([6de753d](https://www.github.com/googleapis/google-auth-library-python/commit/6de753d585254c813b3e6cbde27bf5466261ba10)), closes [#654](https://www.github.com/googleapis/google-auth-library-python/issues/654)


### Bug Fixes

* avoid losing the original '_include_email' parameter in impersonated credentials ([#626](https://www.github.com/googleapis/google-auth-library-python/issues/626)) ([fd9b5b1](https://www.github.com/googleapis/google-auth-library-python/commit/fd9b5b10c80950784bd37ee56e32c505acb5078d))


### Documentation

* fix typo in import ([#651](https://www.github.com/googleapis/google-auth-library-python/issues/651)) ([3319ea8](https://www.github.com/googleapis/google-auth-library-python/commit/3319ea8ae876c73a94f51237b3bbb3f5df2aef89)), closes [#650](https://www.github.com/googleapis/google-auth-library-python/issues/650)
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please).
@bojeil-google
Merge remote-tracking branch 'upstream/byoid'
84d4e19
@bojeil-google bojeil-google requested a review from a team as a code owner January 8, 2021 00:55
@google-cla
Copy link

google-cla bot commented Jan 8, 2021

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added the cla: no This human has *not* signed the Contributor License Agreement. label Jan 8, 2021
@busunkim96 busunkim96 added cla: yes This human has signed the Contributor License Agreement. and removed cla: no This human has *not* signed the Contributor License Agreement. labels Jan 8, 2021
@busunkim96
Copy link
Contributor

busunkim96 commented Jan 8, 2021

CLAs were granted when commits above were merged to master.

@busunkim96 busunkim96 merged commit 079c215 into googleapis:byoid Jan 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@busunkim96 busunkim96 busunkim96 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cla: yes This human has signed the Contributor License Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.