From dd10c2763ea8a97251655f34400cd81106d7e961 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?=
Date: Tue, 23 Apr 2024 16:27:21 +0100
Subject: [PATCH] AWS OIDC: validate region param when creating clients (#40188) (#40809)
* AWS OIDC: validate region param when creating clients
* add green test
---
 lib/integrations/awsoidc/clients.go | 6 ++-
 lib/integrations/awsoidc/clients_test.go | 48 ++++++++++++++++++++++++
 lib/integrations/awsoidc/clientsv1.go | 5 +++
 3 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 lib/integrations/awsoidc/clients_test.go
diff --git a/lib/integrations/awsoidc/clients.go b/lib/integrations/awsoidc/clients.go
index 497d0c77623b4..9704b6f87aa92 100644
--- a/lib/integrations/awsoidc/clients.go
+++ b/lib/integrations/awsoidc/clients.go
@@ -28,6 +28,8 @@ import (
 "github.com/aws/aws-sdk-go-v2/service/rds"
 "github.com/aws/aws-sdk-go-v2/service/sts"
 "github.com/gravitational/trace"
+
+ awsutils "github.com/gravitational/teleport/api/utils/aws"
 )
 
 // AWSClientRequest contains the required fields to set up an AWS service client.
@@ -62,8 +64,8 @@ func (req *AWSClientRequest) CheckAndSetDefaults() error {
 return trace.BadParameter("role arn is required")
 }
 
- if req.Region == "" {
- return trace.BadParameter("region is required")
+ if err := awsutils.IsValidRegion(req.Region); err != nil {
+ return trace.Wrap(err)
 }
 
 return nil
diff --git a/lib/integrations/awsoidc/clients_test.go b/lib/integrations/awsoidc/clients_test.go
new file mode 100644
index 0000000000000..26ad5a56221d6
--- /dev/null
+++ b/lib/integrations/awsoidc/clients_test.go
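Review bot: The removed branch returned a dedicated `region is required` error for an empty region, and whether `awsutils.IsValidRegion("")` still rejects the empty string with a BadParameter is not visible in this hunk; the new clients_test.go only exercises `"?"` and `"us-east-1"`. Add a subtest with `Region: ""` asserting `trace.IsBadParameter(err)` so the previously explicit behaviour stays covered. If IsValidRegion's message does not name the parameter, the bare `trace.Wrap(err)` leaves callers with no hint which field failed; `return trace.Wrap(err, "invalid region %q", req.Region)` keeps that context. The same bare wrap appears in the NewSessionV1 hunk of clientsv1.go.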
@@ -0,0 +1,48 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package awsoidc
+
+import (
+ "testing"
+
+ "github.com/gravitational/trace"
+ "github.com/stretchr/testify/require"
+)
+
+func TestCheckAndSetDefaults(t *testing.T) {
+ t.Run("invalid regions must return an error", func(t *testing.T) {
+ err := (&AWSClientRequest{
+ IntegrationName: "my-integration",
+ Token: "token",
+ RoleARN: "some-arn",
+ Region: "?",
+ }).CheckAndSetDefaults()
+
+ require.True(t, trace.IsBadParameter(err))
+ })
+ t.Run("valid region", func(t *testing.T) {
+ err := (&AWSClientRequest{
+ IntegrationName: "my-integration",
+ Token: "token",
+ RoleARN: "some-arn",
+ Region: "us-east-1",
+ }).CheckAndSetDefaults()
+ require.NoError(t, err)
+ })
+}
diff --git a/lib/integrations/awsoidc/clientsv1.go b/lib/integrations/awsoidc/clientsv1.go
index aeb1bae73e26c..41615bcf1d13c 100644
--- a/lib/integrations/awsoidc/clientsv1.go
+++ b/lib/integrations/awsoidc/clientsv1.go
@@ -27,6 +27,7 @@ import (
 "github.com/gravitational/trace"
 
 "github.com/gravitational/teleport/api/types"
+ utilsaws "github.com/gravitational/teleport/api/utils/aws"
 )
 
 // FetchToken returns the token.
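Review bot: `require.True(t, trace.IsBadParameter(err))` in the first subtest reports only that the value was false when it fails, hiding whether err was nil or some other error type. Attaching the error to the assertion, `require.True(t, trace.IsBadParameter(err), "unexpected error: %v", err)`, makes a failure self-explanatory. The two subtests differ only in `Region` and the expected outcome, so a small table with a `wantErr bool` field would read more idiomatically than the duplicated struct literals.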
@@ -49,6 +50,10 @@ type IntegrationTokenGenerator interface {
 // NewSessionV1 creates a new AWS Session for the region using the integration as source of credentials.
 // This session is usable for AWS SDK Go V1.
 func NewSessionV1(ctx context.Context, client IntegrationTokenGenerator, region string, integrationName string) (*session.Session, error) {
+ if err := utilsaws.IsValidRegion(region); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 integration, err := client.GetIntegration(ctx, integrationName)
 if err != nil {
 return nil, trace.Wrap(err)
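Review bot: The same import path is aliased `utilsaws` here (and in this file's import hunk) but `awsutils` in clients.go, so the one package is referred to by two names within package awsoidc. Pick one alias for both files, e.g. `awsutils "github.com/gravitational/teleport/api/utils/aws"` and `if err := awsutils.IsValidRegion(region); err != nil {`, so readers and grep see a single name. The doc comment on NewSessionV1 could also mention that an invalid region is rejected before the integration is fetched, since that is now the first thing the function does. NewSessionV1's body continues outside the hunk.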