Google says token_uri is always https://oauth2.googleapis.com/token

Author: ublubu

src/adapter/src/coord/sequencer/inner.rs

@@ -43,6 +43,7 @@ use mz_repr::{
     CatalogItemId, Datum, Diff, GlobalId, RelationVersion, RelationVersionSelector, Row, RowArena,
     RowIterator, Timestamp,
 };
+use mz_secrets::SecretsReader;
 use mz_sql::ast::{
     AlterSourceAddSubsourceOption, CreateSinkOption, CreateSinkOptionName, CreateSourceOptionName,
     CreateSubsourceOption, CreateSubsourceOptionName, SqlServerConfigOption,
@@ -63,6 +64,7 @@ use mz_sql::plan::{
     StatementContext,
 };
 use mz_sql::pure::{PurifiedSourceExport, generate_subsource_statements};
+use mz_storage_types::connections::gcp::GcpServiceAccountKeyTokenUri;
 use mz_storage_types::sinks::StorageSinkDesc;
 // Import `plan` module, but only import select elements to avoid merge conflicts on use statements.
 use mz_sql::plan::{
@@ -662,6 +664,19 @@ impl Coordinator {
                 }
                 self.caching_secrets_reader.invalidate(connection_id);
             }
+            ConnectionDetails::Gcp(gcp) => {
+                // A service account key defines its own OAuth2 token URI.
+                // We only want to send requests to the actual Google OAuth2 token API,
+                // so we inspect the key as early as we can.
+                if let Err(err) = self
+                    .caching_secrets_reader
+                    .read_string(gcp.credentials_json)
+                    .await
+                    .and_then(|json| GcpServiceAccountKeyTokenUri::validate_json(&json))
+                {
+                    return ctx.retire(Err(err.into()));
+                }
+            }
             _ => (),
         };
 

src/storage-types/src/connections/gcp.rs

@@ -25,6 +25,9 @@ use crate::controller::AlterError;
 /// endpoint without requiring any specific IAM grants on the service account.
 const VALIDATION_SCOPE: &str = "https://www.googleapis.com/auth/cloud-platform";
 
+/// Modern GCP Service Account keys always use the same token URI.
+const OAUTH_TOKEN_URI: &str = "https://oauth2.googleapis.com/token";
+
 /// GCP connection configuration.
 #[derive(Arbitrary, Clone, Debug, Eq, PartialEq, Serialize, Deserialize, Hash)]
 pub struct GcpConnection {
@@ -40,6 +43,28 @@ impl AlterCompatible for GcpConnection {
     }
 }
 
+/// `gcp_auth` parses the Service Account Key JSON into a private type,
+/// so we have to write our own deserializer to check whether it's safe.
+#[derive(Deserialize)]
+pub struct GcpServiceAccountKeyTokenUri {
+    token_uri: String,
+}
+
+impl GcpServiceAccountKeyTokenUri {
+    pub fn validate_json(json: &str) -> Result<(), anyhow::Error> {
+        let k: GcpServiceAccountKeyTokenUri =
+            serde_json::from_str(json).map_err(anyhow::Error::from)?;
+
+        if k.token_uri != OAUTH_TOKEN_URI {
+            return Err(anyhow::Error::msg(format!(
+                "token_uri must be {OAUTH_TOKEN_URI}."
+            )));
+        }
+
+        Ok(())
+    }
+}
+
 impl GcpConnection {
     /// Validates this connection by reading the service-account key out of the
     /// secrets store, parsing it, and exchanging it for an OAuth2 access token
@@ -55,8 +80,10 @@ impl GcpConnection {
             .read_string(self.credentials_json)
             .await
             .map_err(GcpConnectionValidationError::SecretRead)?;
-        let service_account = CustomServiceAccount::from_json(&json)
+        GcpServiceAccountKeyTokenUri::validate_json(&json)
             .map_err(GcpConnectionValidationError::ParseKey)?;
+        let service_account = CustomServiceAccount::from_json(&json)
+            .map_err(|e| GcpConnectionValidationError::ParseKey(anyhow::Error::from(e)))?;
         service_account
             .token(&[VALIDATION_SCOPE])
             .await
@@ -75,7 +102,7 @@ pub enum GcpConnectionValidationError {
     #[error("failed to read service-account key from secret store: {}", .0.display_with_causes())]
     SecretRead(#[source] anyhow::Error),
     #[error("failed to parse service-account key JSON: {}", .0.display_with_causes())]
-    ParseKey(#[source] gcp_auth::Error),
+    ParseKey(#[source] anyhow::Error),
     #[error("failed to obtain access token from Google: {}", .0.display_with_causes())]
     FetchToken(#[source] gcp_auth::Error),
 }

test/testdrive/connection-create-external.td

@@ -231,18 +231,18 @@ $ set gcp-ssrf-key="-----BEGIN PRIVATE KEY-----\\nMIIEvAIBADANBgkqhkiG9w0BAQEFAA
 # IP, and testdrive stops at the first failure.
 > CREATE SECRET gcp_ssrf_private AS '{"type":"service_account","project_id":"x","client_email":"a@b.com","private_key":"${gcp-ssrf-key}","token_uri":"http://127.0.0.1:1/token"}'
 ! CREATE CONNECTION gcp_ssrf_private_conn TO GCP (SERVICE ACCOUNT KEY = SECRET gcp_ssrf_private) WITH (VALIDATE = true);
-contains:disallowed token_uri
+contains:token_uri must be https://oauth2.googleapis.com/token
 
 # Correct host, but plaintext HTTP -- the scheme must be HTTPS.
 > CREATE SECRET gcp_ssrf_scheme AS '{"type":"service_account","project_id":"x","client_email":"a@b.com","private_key":"${gcp-ssrf-key}","token_uri":"http://oauth2.googleapis.com/token"}'
 ! CREATE CONNECTION gcp_ssrf_scheme_conn TO GCP (SERVICE ACCOUNT KEY = SECRET gcp_ssrf_scheme) WITH (VALIDATE = true);
-contains:disallowed token_uri
+contains:token_uri must be https://oauth2.googleapis.com/token
 
 # Public host that merely ends in the allowlisted suffix -- only a host allowlist,
 # not a private-IP check, rejects this.
 > CREATE SECRET gcp_ssrf_host AS '{"type":"service_account","project_id":"x","client_email":"a@b.com","private_key":"${gcp-ssrf-key}","token_uri":"https://oauth2.googleapis.com.evil.com/token"}'
 ! CREATE CONNECTION gcp_ssrf_host_conn TO GCP (SERVICE ACCOUNT KEY = SECRET gcp_ssrf_host) WITH (VALIDATE = true);
-contains:disallowed token_uri
+contains:token_uri must be https://oauth2.googleapis.com/token
 
 $ postgres-execute connection=postgres://mz_system:materialize@${testdrive.materialize-internal-sql-addr}
 ALTER SYSTEM SET storage_enforce_external_addresses = false
@@ -258,4 +258,8 @@ contains:Connection refused
 # it does not consult storage_enforce_external_addresses. With enforcement now
 # off, the malicious token_uri is still rejected.
 ! CREATE CONNECTION gcp_ssrf_private_conn TO GCP (SERVICE ACCOUNT KEY = SECRET gcp_ssrf_private) WITH (VALIDATE = true);
-contains:disallowed token_uri
+contains:token_uri must be https://oauth2.googleapis.com/token
+
+# In fact, the GCP allowlist should even apply when VALIDATE = false.
+! CREATE CONNECTION gcp_ssrf_private_conn TO GCP (SERVICE ACCOUNT KEY = SECRET gcp_ssrf_private) WITH (VALIDATE = false);
+contains:token_uri must be https://oauth2.googleapis.com/token