Skip to content

validating url for sso and sts #3610

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Nov 6, 2025
Merged

validating url for sso and sts #3610

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
599883a
validating url
pulimsr Nov 5, 2025
2adcf1f
testing url validation
pulimsr Nov 5, 2025
5a0cd86
updating tests
pulimsr Nov 5, 2025
de12417
testing
pulimsr Nov 5, 2025
8859fc1
clean up
sbiscigl Nov 5, 2025
015f4db
sts test for validation
pulimsr Nov 5, 2025
497b371
Merge branch 'main' into sso-sts--url-validation
pulimsr Nov 5, 2025
d8329bc
sts test
pulimsr Nov 5, 2025
b09b9a5
Merge branch 'sso-sts--url-validation' of https://github.com/aws/aws-…
pulimsr Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion src/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
#include <aws/core/http/HttpResponse.h>
#include <aws/core/utils/logging/LogMacros.h>
#include <aws/core/utils/ARN.h>
#include <aws/core/utils/DNS.h>
#include <aws/core/utils/StringUtils.h>
#include <aws/core/utils/HashingUtils.h>
#include <aws/core/platform/Environment.h>
Expand Down Expand Up @@ -118,7 +119,6 @@ namespace Aws
}
std::shared_ptr<HttpRequest> request(CreateHttpRequest(ss.str(), HttpMethod::HTTP_GET,
Aws::Utils::Stream::DefaultResponseStreamFactoryMethod));

request->SetUserAgent(m_userAgent);

if (authToken)
Expand All @@ -132,6 +132,11 @@ namespace Aws
AmazonWebServiceResult<Aws::String> AWSHttpResourceClient::GetResourceWithAWSWebServiceResult(const std::shared_ptr<HttpRequest> &httpRequest) const
{
AWS_LOGSTREAM_TRACE(m_logtag.c_str(), "Retrieving credentials from " << httpRequest->GetURIString());
if (!Aws::Utils::IsValidHost(httpRequest->GetUri().GetHost())) {
AWS_LOGSTREAM_FATAL(m_logtag.c_str(), "Invalid endpoint host constructed: " << httpRequest->GetURIString());
return {{}, {}, HttpResponseCode::REQUEST_NOT_MADE};
}

if (!m_httpClient)
{
AWS_LOGSTREAM_FATAL(m_logtag.c_str(), "Unable to get a response: missing http client!");
Expand Down Expand Up @@ -550,6 +555,7 @@ namespace Aws
{
ss << ".cn";
}

m_endpoint = ss.str();

AWS_LOGSTREAM_INFO(STS_RESOURCE_CLIENT_LOG_TAG, "Creating STS ResourceClient with endpoint: " << m_endpoint);
Expand Down Expand Up @@ -685,6 +691,7 @@ namespace Aws
{
ss << ".cn";
}

return ss.str();
}

Expand Down
82 changes: 81 additions & 1 deletion tests/aws-cpp-sdk-core-tests/aws/auth/AWSCredentialsProviderTest.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@
#include <aws/core/auth/AWSCredentialsProvider.h>
#include <aws/core/auth/AWSCredentialsProviderChain.h>
#include <aws/core/auth/SSOCredentialsProvider.h>
#include <aws/core/auth/STSCredentialsProvider.h>
#include <aws/core/client/AWSError.h>
#include <aws/core/client/SpecifiedRetryableErrorsRetryStrategy.h>
#include <aws/core/config/AWSProfileConfigLoader.h>
Expand Down Expand Up @@ -956,6 +955,48 @@ sso_start_url = https://d-92671207e4.awsapps.com/start
ASSERT_TRUE(mockHttpClient->GetAllRequestsMade().empty());
}

TEST_F(SSOCredentialsProviderTest, TestInvalidRegionCredentials)
{
AWS_LOGSTREAM_DEBUG("TEST_SSO", "Preparing Test Token file in: " << m_ssoTokenFileName);
Aws::OFStream tokenFile(m_ssoTokenFileName.c_str(), Aws::OFStream::out | Aws::OFStream::trunc);
tokenFile << R"({
"accessToken": "base64string",
"expiresAt": ")";
tokenFile << DateTime::Now().GetYear() + 1;
tokenFile << R"(-01-02T00:00:00Z",
"region": "us-west-2",
"startUrl": "https://d-92671207e4.awsapps.com/start"
})";
tokenFile.close();

Aws::OFStream configFile(m_configFileName.c_str(), Aws::OFStream::out | Aws::OFStream::trunc);
configFile << R"([default]
sso_account_id = 012345678901
sso_region = @amazon.com#
sso_role_name = SampleRole
sso_start_url = https://d-92671207e4.awsapps.com/start
)";
configFile.close();

// Mock DNS/connection failure for invalid region
std::shared_ptr<HttpRequest> requestTmp = CreateHttpRequest(URI("https://[email protected]#.amazonaws.com/federation/credentials"), HttpMethod::HTTP_GET, Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
std::shared_ptr<StandardHttpResponse> dnsFailureResponse = Aws::MakeShared<StandardHttpResponse>(AllocationTag, requestTmp);
dnsFailureResponse->SetResponseCode(HttpResponseCode::REQUEST_NOT_MADE);
mockHttpClient->AddResponseToReturn(dnsFailureResponse);

Aws::Config::ReloadCachedConfigFile();
SSOCredentialsProvider provider;

auto creds = provider.GetAWSCredentials();
ASSERT_TRUE(creds.IsEmpty());

// Check if any requests were made before calling GetMostRecentHttpRequest
if (!mockHttpClient->GetAllRequestsMade().empty()) {
auto request = mockHttpClient->GetMostRecentHttpRequest();
ASSERT_TRUE(request.GetURIString().find("@amazon.com#") != std::string::npos);
}
}

class AWSCredentialsTest : public Aws::Testing::AwsCppSdkGTestSuite
{
};
Expand Down Expand Up @@ -1120,3 +1161,42 @@ TEST_F(AWSCachedCredentialsTest, ShouldCacheCredenitalAsync)
ASSERT_TRUE(containCredentials(creds, {"and", "no", "surprises"}));
ASSERT_FALSE(containCredentials(creds, {"a", "quiet", "life"}));
}

class STSCredentialsProviderTest : public Aws::Testing::AwsCppSdkGTestSuite {
public:
void SetUp() {
mockHttpClient = Aws::MakeShared<MockHttpClient>(AllocationTag);
mockHttpClientFactory = Aws::MakeShared<MockHttpClientFactory>(AllocationTag);
mockHttpClientFactory->SetClient(mockHttpClient);
SetHttpClientFactory(mockHttpClientFactory);
}

void TearDown() {
mockHttpClient = nullptr;
mockHttpClientFactory = nullptr;
CleanupHttp();
InitHttp();
}

std::shared_ptr<MockHttpClient> mockHttpClient;
std::shared_ptr<MockHttpClientFactory> mockHttpClientFactory;
};

TEST_F(STSCredentialsProviderTest, TestInvalidRegionCredentials) {
ClientConfiguration config;
config.region = "@amazon.com#";

Aws::Internal::STSCredentialsClient stsClient(config);
Aws::Internal::STSCredentialsClient::STSAssumeRoleWithWebIdentityRequest request;
request.roleArn = "arn:aws:iam::123456789012:role/TestRole";
request.roleSessionName = "test-session";
request.webIdentityToken = "test-token";

auto result = stsClient.GetAssumeRoleWithWebIdentityCredentials(request);
ASSERT_TRUE(result.creds.IsEmpty());

if (!mockHttpClient ->GetAllRequestsMade().empty()) {
auto httpRequest = mockHttpClient->GetMostRecentHttpRequest();
ASSERT_TRUE(httpRequest.GetURIString().find("@amazon.com#") != std::string::npos);
}
}
Loading