AWS OIDC: validate region param when creating clients (#40188) (#40809)

* AWS OIDC: validate region param when creating clients * add green test
gravitational · Apr 23, 2024 · dd10c27 · dd10c27
1 parent 8e07a03
commit dd10c27
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 2 deletions.
diff --git a/lib/integrations/awsoidc/clients.go b/lib/integrations/awsoidc/clients.go
@@ -28,6 +28,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/rds"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/gravitational/trace"
+
+	awsutils "github.com/gravitational/teleport/api/utils/aws"
 )
 
 // AWSClientRequest contains the required fields to set up an AWS service client.
@@ -62,8 +64,8 @@ func (req *AWSClientRequest) CheckAndSetDefaults() error {
 		return trace.BadParameter("role arn is required")
 	}
 
-	if req.Region == "" {
-		return trace.BadParameter("region is required")
+	if err := awsutils.IsValidRegion(req.Region); err != nil {
+		return trace.Wrap(err)
 	}
 
 	return nil

diff --git a/lib/integrations/awsoidc/clients_test.go b/lib/integrations/awsoidc/clients_test.go
@@ -0,0 +1,48 @@
+/*
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package awsoidc
+
+import (
+	"testing"
+
+	"github.com/gravitational/trace"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCheckAndSetDefaults(t *testing.T) {
+	t.Run("invalid regions must return an error", func(t *testing.T) {
+		err := (&AWSClientRequest{
+			IntegrationName: "my-integration",
+			Token:           "token",
+			RoleARN:         "some-arn",
+			Region:          "?",
+		}).CheckAndSetDefaults()
+
+		require.True(t, trace.IsBadParameter(err))
+	})
+	t.Run("valid region", func(t *testing.T) {
+		err := (&AWSClientRequest{
+			IntegrationName: "my-integration",
+			Token:           "token",
+			RoleARN:         "some-arn",
+			Region:          "us-east-1",
+		}).CheckAndSetDefaults()
+		require.NoError(t, err)
+	})
+}
diff --git a/lib/integrations/awsoidc/clientsv1.go b/lib/integrations/awsoidc/clientsv1.go
@@ -27,6 +27,7 @@ import (
 	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport/api/types"
+	utilsaws "github.com/gravitational/teleport/api/utils/aws"
 )
 
 // FetchToken returns the token.
@@ -49,6 +50,10 @@ type IntegrationTokenGenerator interface {
 // NewSessionV1 creates a new AWS Session for the region using the integration as source of credentials.
 // This session is usable for AWS SDK Go V1.
 func NewSessionV1(ctx context.Context, client IntegrationTokenGenerator, region string, integrationName string) (*session.Session, error) {
+	if err := utilsaws.IsValidRegion(region); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	integration, err := client.GetIntegration(ctx, integrationName)
 	if err != nil {
 		return nil, trace.Wrap(err)