use length range and regex to validate access key

hashicorp · Jul 7, 2023 · e27a656 · e27a656
1 parent 82b9dda
commit e27a656
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/internal/credential/attributes.go b/internal/credential/attributes.go
@@ -5,6 +5,7 @@ package credential
 
 import (
 	"fmt"
+	"regexp"
 
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/hashicorp/boundary-plugin-aws/internal/errors"
@@ -22,6 +23,8 @@ type CredentialAttributes struct {
 	DisableCredentialRotation bool
 }
 
+var accessKeyRegex = regexp.MustCompile(`^[\w]+$`)
+
 // GetCredentialsConfig parses values out of a protobuf struct input and returns a
 // CredentialsConfig used for configuring an AWS session. An error is returned if
 // any of the following fields are missing from the protobuf struct input or have
@@ -34,8 +37,10 @@ func GetCredentialsConfig(in *structpb.Struct, region string) (*awsutil.Credenti
 	accessKey, err := values.GetStringValue(in, ConstAccessKeyId, true)
 	if err != nil {
 		badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = err.Error()
-	} else if len(accessKey) != 20 {
-		badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = "value must be 20 characters"
+	} else if len(accessKey) < 16 || len(accessKey) > 128 {
+		badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = "value must be between 16 and 128 characters"
+	} else if !accessKeyRegex.MatchString(accessKey) {
+		badFields[fmt.Sprintf("secrets.%s", ConstAccessKeyId)] = "value must only contain characters matching [\\w]+"
 	}
 	delete(unknownFields, ConstAccessKeyId)
 

diff --git a/internal/credential/attributes_test.go b/internal/credential/attributes_test.go
@@ -127,7 +127,17 @@ func TestGetCredentialsConfig(t *testing.T) {
 				ConstCredsLastRotatedTime: "2006-01-02T15:04:05+07:00",
 			},
 			region:              "us-west-2",
-			expectedErrContains: "secrets.access_key_id: value must be 20 characters, secrets.secret_access_key: value must be 40 characters",
+			expectedErrContains: "secrets.access_key_id: value must be between 16 and 128 characters, secrets.secret_access_key: value must be 40 characters",
+		},
+		{
+			name: "key contains invalid chars",
+			in: map[string]any{
+				ConstAccessKeyId:          "foobarbazbuzquintile-",
+				ConstSecretAccessKey:      "bazqux-not-thinking-of-40-chars-for-this",
+				ConstCredsLastRotatedTime: "2006-01-02T15:04:05+07:00",
+			},
+			region:              "us-west-2",
+			expectedErrContains: "secrets.access_key_id: value must only contain characters matching [\\w]+",
 		},
 		{
 			name:                "getstring error doesn't trigger char len error",