From 05917cba3ba64429aa758d92592495d92c3fbc66 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Wed, 16 Mar 2022 16:02:14 +0000 Subject: [PATCH 01/18] chore(main): release 1.6.1-SNAPSHOT (#892) :robot: I have created a release *beep* *boop* --- ### Updating meta-information for bleeding-edge SNAPSHOT release. --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --- appengine/pom.xml | 2 +- bom/pom.xml | 2 +- credentials/pom.xml | 2 +- oauth2_http/pom.xml | 2 +- pom.xml | 2 +- versions.txt | 12 ++++++------ 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/appengine/pom.xml b/appengine/pom.xml index e5154125e..2e0b6fbda 100644 --- a/appengine/pom.xml +++ b/appengine/pom.xml @@ -5,7 +5,7 @@ com.google.auth google-auth-library-parent - 1.6.0 + 1.6.1-SNAPSHOT ../pom.xml diff --git a/bom/pom.xml b/bom/pom.xml index fe9057003..aaf1894ce 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -3,7 +3,7 @@ 4.0.0 com.google.auth google-auth-library-bom - 1.6.0 + 1.6.1-SNAPSHOT pom Google Auth Library for Java BOM diff --git a/credentials/pom.xml b/credentials/pom.xml index e3a3de0b2..2770f4685 100644 --- a/credentials/pom.xml +++ b/credentials/pom.xml @@ -4,7 +4,7 @@ com.google.auth google-auth-library-parent - 1.6.0 + 1.6.1-SNAPSHOT ../pom.xml diff --git a/oauth2_http/pom.xml b/oauth2_http/pom.xml index d9ab07527..22131c7e6 100644 --- a/oauth2_http/pom.xml +++ b/oauth2_http/pom.xml @@ -5,7 +5,7 @@ com.google.auth google-auth-library-parent - 1.6.0 + 1.6.1-SNAPSHOT ../pom.xml diff --git a/pom.xml b/pom.xml index 02bed18df..18027e07f 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 com.google.auth google-auth-library-parent - 1.6.0 + 1.6.1-SNAPSHOT pom Google Auth Library for Java Client libraries providing authentication and diff --git a/versions.txt b/versions.txt index 93cdd0df7..a41a77a79 100644 --- a/versions.txt +++ b/versions.txt @@ -1,9 +1,9 @@ # Format: # module:released-version:current-version -google-auth-library:1.6.0:1.6.0 -google-auth-library-bom:1.6.0:1.6.0 -google-auth-library-parent:1.6.0:1.6.0 -google-auth-library-appengine:1.6.0:1.6.0 -google-auth-library-credentials:1.6.0:1.6.0 -google-auth-library-oauth2-http:1.6.0:1.6.0 +google-auth-library:1.6.0:1.6.1-SNAPSHOT +google-auth-library-bom:1.6.0:1.6.1-SNAPSHOT +google-auth-library-parent:1.6.0:1.6.1-SNAPSHOT +google-auth-library-appengine:1.6.0:1.6.1-SNAPSHOT +google-auth-library-credentials:1.6.0:1.6.1-SNAPSHOT +google-auth-library-oauth2-http:1.6.0:1.6.1-SNAPSHOT From f04cf11db1153d9954d0343334de16647733efca Mon Sep 17 00:00:00 2001 From: WhiteSource Renovate Date: Fri, 25 Mar 2022 17:44:18 +0100 Subject: [PATCH 02/18] chore(deps): update dependency com.google.http-client:google-http-client-bom to v1.41.5 (#896) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![WhiteSource Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.google.http-client:google-http-client-bom](https://togithub.com/googleapis/google-http-java-client) | `1.41.4` -> `1.41.5` | [![age](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.5/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.5/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.5/compatibility-slim/1.41.4)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.5/confidence-slim/1.41.4)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes

googleapis/google-http-java-client

### [`v1.41.5`](https://togithub.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#1415-httpsgithubcomgoogleapisgoogle-http-java-clientcomparev1414v1415-2022-03-21) [Compare Source](https://togithub.com/googleapis/google-http-java-client/compare/v1.41.4...v1.41.5)

Handles initializing external credentials, calls to STS, and service account impersonation. + *

Handles initializing external credentials, calls to the Security Token Service, and service + * account impersonation. */ public abstract class ExternalAccountCredentials extends GoogleCredentials implements QuotaProjectIdProvider { @@ -89,8 +90,9 @@ abstract static class CredentialSource { @Nullable private final String clientId; @Nullable private final String clientSecret; - // This is used for Workforce Pools. It is passed to STS during token exchange in the - // `options` param and will be embedded in the token by STS. + // This is used for Workforce Pools. It is passed to the Security Token Service during token + // exchange in the `options` param and will be embedded in the token by the Security Token + // Service. @Nullable private final String workforcePoolUserProject; protected transient HttpTransportFactory transportFactory; @@ -104,18 +106,17 @@ abstract static class CredentialSource { * workforce credentials. * * @param transportFactory HTTP transport factory, creates the transport used to get access tokens - * @param audience the STS audience which is usually the fully specified resource name of the - * workload/workforce pool provider - * @param subjectTokenType the STS subject token type based on the OAuth 2.0 token exchange spec. - * Indicates the type of the security token in the credential file - * @param tokenUrl the STS token exchange endpoint + * @param audience the Security Token Service audience, which is usually the fully specified + * resource name of the workload/workforce pool provider + * @param subjectTokenType the Security Token Service subject token type based on the OAuth 2.0 + * token exchange spec. Indicates the type of the security token in the credential file + * @param tokenUrl the Security Token Service token exchange endpoint * @param tokenInfoUrl the endpoint used to retrieve account related information. Required for * gCloud session account identification. * @param credentialSource the external credential source * @param serviceAccountImpersonationUrl the URL for the service account impersonation request. - * This is only required for workload identity pools when APIs to be accessed have not - * integrated with UberMint. If this is not available, the STS returned GCP access token is - * directly used. May be null. + * This URL is required for some APIs. If this URL is not available, the access token from the + * Security Token Service is used directly. May be null. * @param quotaProjectId the project used for quota and billing purposes. May be null. * @param clientId client ID of the service account from the console. May be null. * @param clientSecret client secret of the service account from the console. May be null. @@ -395,11 +396,11 @@ private static boolean isAwsCredential(Map credentialSource) { } /** - * Exchanges the external credential for a GCP access token. + * Exchanges the external credential for a Google Cloud access token. * - * @param stsTokenExchangeRequest the STS token exchange request - * @return the access token returned by STS - * @throws OAuthException if the call to STS fails + * @param stsTokenExchangeRequest the Security Token Service token exchange request + * @return the access token returned by the Security Token Service + * @throws OAuthException if the call to the Security Token Service fails */ protected AccessToken exchangeExternalCredentialForAccessToken( StsTokenExchangeRequest stsTokenExchangeRequest) throws IOException { @@ -413,7 +414,8 @@ protected AccessToken exchangeExternalCredentialForAccessToken( tokenUrl, stsTokenExchangeRequest, transportFactory.create().createRequestFactory()); // If this credential was initialized with a Workforce configuration then the - // workforcePoolUserProject must passed to STS via the the internal options param. + // workforcePoolUserProject must be passed to the Security Token Service via the internal + // options param. if (isWorkforcePoolConfiguration()) { GenericJson options = new GenericJson(); options.setFactory(OAuth2Utils.JSON_FACTORY); @@ -431,7 +433,7 @@ protected AccessToken exchangeExternalCredentialForAccessToken( } /** - * Retrieves the external subject token to be exchanged for a GCP access token. + * Retrieves the external subject token to be exchanged for a Google Cloud access token. * *

Must be implemented by subclasses as the retrieval method is dependent on the credential * source. @@ -603,8 +605,8 @@ public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) { } /** - * Sets the STS audience which is usually the fully specified resource name of the - * workload/workforce pool provider. + * Sets the Security Token Service audience, which is usually the fully specified resource name + * of the workload/workforce pool provider. */ public Builder setAudience(String audience) { this.audience = audience; @@ -612,15 +614,15 @@ public Builder setAudience(String audience) { } /** - * Sets the STS subject token type based on the OAuth 2.0 token exchange spec. Indicates the - * type of the security token in the credential file. + * Sets the Security Token Service subject token type based on the OAuth 2.0 token exchange + * spec. Indicates the type of the security token in the credential file. */ public Builder setSubjectTokenType(String subjectTokenType) { this.subjectTokenType = subjectTokenType; return this; } - /** Sets the STS token exchange endpoint. */ + /** Sets the Security Token Service token exchange endpoint. */ public Builder setTokenUrl(String tokenUrl) { this.tokenUrl = tokenUrl; return this; @@ -633,9 +635,9 @@ public Builder setCredentialSource(CredentialSource credentialSource) { } /** - * Sets the optional URL used for service account impersonation. This is only required when APIs - * to be accessed have not integrated with UberMint. If this is not available, the STS returned - * GCP access token is directly used. + * Sets the optional URL used for service account impersonation, which is required for some + * APIs. If this URL is not available, the access token from the Security Token Service is used + * directly. */ public Builder setServiceAccountImpersonationUrl(String serviceAccountImpersonationUrl) { this.serviceAccountImpersonationUrl = serviceAccountImpersonationUrl; From e7d5055c102a5bca2685c31c86cd1c3e7f5d537b Mon Sep 17 00:00:00 2001 From: "gcf-owl-bot[bot]" <78513119+gcf-owl-bot[bot]@users.noreply.github.com> Date: Wed, 6 Apr 2022 13:08:11 -0700 Subject: [PATCH 06/18] chore: Enable Size-Label bot in all googleapis Java repositories (#1381) (#905) * chore: Enable Size-Label bot in all googleapis Java repositories Auto-label T-shirt size indicator should be assigned on every new pull request in all googleapis Java repositories * Remove product Remove product since it is by default true * add license header Co-authored-by: Neenu Shaji Source-Link: https://github.com/googleapis/synthtool/commit/54b2c6ac75370a4a3582431b4a3080f777ba1f11 Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-java:latest@sha256:fc52b202aa298a50a12c64efd04fea3884d867947effe2fa85382a246c09e813 Co-authored-by: Owl Bot Co-authored-by: Neenu Shaji --- .github/.OwlBot.lock.yaml | 3 ++- .github/auto-label.yaml | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 .github/auto-label.yaml diff --git a/.github/.OwlBot.lock.yaml b/.github/.OwlBot.lock.yaml index 3473042c0..f60d77493 100644 --- a/.github/.OwlBot.lock.yaml +++ b/.github/.OwlBot.lock.yaml @@ -13,4 +13,5 @@ # limitations under the License. docker: image: gcr.io/cloud-devrel-public-resources/owlbot-java:latest - digest: sha256:df8d7b2cc0dbc65871e7edd86601901a0612b272fa3f7f0eb590c5c53aa5f92e + digest: sha256:fc52b202aa298a50a12c64efd04fea3884d867947effe2fa85382a246c09e813 +# created: 2022-04-06T16:30:03.627422514Z diff --git a/.github/auto-label.yaml b/.github/auto-label.yaml new file mode 100644 index 000000000..4caef688b --- /dev/null +++ b/.github/auto-label.yaml @@ -0,0 +1,15 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +requestsize: + enabled: true From b7b80be40c345b7a17ec31763666f8afc167042b Mon Sep 17 00:00:00 2001 From: WhiteSource Renovate Date: Thu, 7 Apr 2022 18:10:15 +0200 Subject: [PATCH 07/18] chore(deps): update dependency com.google.http-client:google-http-client-bom to v1.41.6 (#907) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![WhiteSource Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.google.http-client:google-http-client-bom](https://togithub.com/googleapis/google-http-java-client) | `1.41.5` -> `1.41.6` | [![age](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.6/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.6/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.6/compatibility-slim/1.41.5)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.6/confidence-slim/1.41.5)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes

googleapis/google-http-java-client

### [`v1.41.6`](https://togithub.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#1416-httpsgithubcomgoogleapisgoogle-http-java-clientcomparev1415v1416-2022-04-06) [Compare Source](https://togithub.com/googleapis/google-http-java-client/compare/v1.41.5...v1.41.6)

jacoco/jacoco

### [`v0.8.8`](https://togithub.com/jacoco/jacoco/releases/v0.8.8) [Compare Source](https://togithub.com/jacoco/jacoco/compare/v0.8.7...v0.8.8) ##### New Features - JaCoCo now officially supports Java 17 and 18 (GitHub [#1282](https://togithub.com/jacoco/jacoco/issues/1282), [#1198](https://togithub.com/jacoco/jacoco/issues/1198)). - Experimental support for Java 19 class files (GitHub [#1264](https://togithub.com/jacoco/jacoco/issues/1264)). - Part of bytecode generated by the Java compilers for assert statement is filtered out during generation of report (GitHub [#1196](https://togithub.com/jacoco/jacoco/issues/1196)). - Branch added by the Kotlin compiler version 1.6.0 and above for "unsafe" cast operator is filtered out during generation of report (GitHub [#1266](https://togithub.com/jacoco/jacoco/issues/1266)). - Improved support for multiple JaCoCo runtimes in the same VM (GitHub [#1057](https://togithub.com/jacoco/jacoco/issues/1057)). ##### Fixed bugs - Fixed `NullPointerException` during filtering (GitHub [#1189](https://togithub.com/jacoco/jacoco/issues/1189)). - Fix range for debug symbols of method parameters (GitHub [#1246](https://togithub.com/jacoco/jacoco/issues/1246)). ##### Non-functional Changes - JaCoCo now depends on ASM 9.2 (GitHub [#1206](https://togithub.com/jacoco/jacoco/issues/1206)). - Messages of exceptions occurring during analysis or instrumentation now include JaCoCo version (GitHub [#1217](https://togithub.com/jacoco/jacoco/issues/1217)).

googleapis/google-http-java-client

### [`v1.41.7`](https://togithub.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#1417-httpsgithubcomgoogleapisgoogle-http-java-clientcomparev1416v1417-2022-04-11) [Compare Source](https://togithub.com/googleapis/google-http-java-client/compare/v1.41.6...v1.41.7)

sonatype/nexus-maven-plugins

### [`v1.6.13`](https://togithub.com/sonatype/nexus-maven-plugins/compare/release-1.6.12...release-1.6.13) [Compare Source](https://togithub.com/sonatype/nexus-maven-plugins/compare/release-1.6.12...release-1.6.13)

--- ### Configuration 📅 **Schedule**: At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [WhiteSource Renovate](https://renovate.whitesourcesoftware.com). View repository job log [here](https://app.renovatebot.com/dashboard#github/googleapis/google-auth-library-java). --- bom/pom.xml | 2 +- pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bom/pom.xml b/bom/pom.xml index c8ce5bc31..bb219824f 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -72,7 +72,7 @@ org.sonatype.plugins nexus-staging-maven-plugin - 1.6.12 + 1.6.13 true ossrh diff --git a/pom.xml b/pom.xml index a8674fad6..81fae72ff 100644 --- a/pom.xml +++ b/pom.xml @@ -142,7 +142,7 @@ org.sonatype.plugins nexus-staging-maven-plugin - 1.6.12 + 1.6.13 true ossrh From 97bfc4c8ceb199e775784ac3ed4fa992d4d2dcbf Mon Sep 17 00:00:00 2001 From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Tue, 26 Apr 2022 17:22:00 +0000 Subject: [PATCH 15/18] feat: Add iam endpoint override to ImpersonatedCredentials (#910) * feat: Added iam endpoint override to ImpersonatedCredentials * fix: Fixed GoogleCredentialsTests that were broken by regional impersonated credential url change * fix: Addressed code review comments * fix: fixed createScoped method in impersonatedCredentials to use override endpoint correctly and added test * fix: fixed linter errors Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- .../oauth2/ExternalAccountCredentials.java | 1 + .../auth/oauth2/ImpersonatedCredentials.java | 84 +++++++++++++++++-- .../auth/oauth2/GoogleCredentialsTest.java | 4 + .../oauth2/ImpersonatedCredentialsTest.java | 52 +++++++++++- .../MockIAMCredentialsServiceTransport.java | 11 ++- 5 files changed, 144 insertions(+), 8 deletions(-) diff --git a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java index 4dd02861c..379e2a1cf 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java @@ -265,6 +265,7 @@ private ImpersonatedCredentials initializeImpersonatedCredentials() { .setTargetPrincipal(targetPrincipal) .setScopes(new ArrayList<>(scopes)) .setLifetime(3600) // 1 hour in seconds + .setIamEndpointOverride(serviceAccountImpersonationUrl) .build(); } diff --git a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java index 962c105cd..9694619df 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java @@ -105,6 +105,7 @@ public class ImpersonatedCredentials extends GoogleCredentials private List scopes; private int lifetime; private String quotaProjectId; + private String iamEndpointOverride; private final String transportFactoryClassName; private transient HttpTransportFactory transportFactory; @@ -192,6 +193,54 @@ public static ImpersonatedCredentials create( .build(); } + /** + * @param sourceCredentials the source credential used to acquire the impersonated credentials. It + * should be either a user account credential or a service account credential. + * @param targetPrincipal the service account to impersonate + * @param delegates the chained list of delegates required to grant the final access_token. If + * set, the sequence of identities must have "Service Account Token Creator" capability + * granted to the preceding identity. For example, if set to [serviceAccountB, + * serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB. + * serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token + * Creator on target_principal. If unset, sourceCredential must have that role on + * targetPrincipal. + * @param scopes scopes to request during the authorization grant + * @param lifetime number of seconds the delegated credential should be valid. By default this + * value should be at most 3600. However, you can follow these + * instructions to set up the service account and extend the maximum lifetime to 43200 (12 + * hours). If the given lifetime is 0, default value 3600 will be used instead when creating + * the credentials. + * @param transportFactory HTTP transport factory that creates the transport used to get access + * tokens. + * @param quotaProjectId the project used for quota and billing purposes. Should be null unless + * the caller wants to use a project different from the one that owns the impersonated + * credential for billing/quota purposes. + * @param iamEndpointOverride The full IAM endpoint override with the target_principal embedded. + * This is useful when supporting impersonation with regional endpoints. + * @return new credentials + */ + public static ImpersonatedCredentials create( + GoogleCredentials sourceCredentials, + String targetPrincipal, + List delegates, + List scopes, + int lifetime, + HttpTransportFactory transportFactory, + String quotaProjectId, + String iamEndpointOverride) { + return ImpersonatedCredentials.newBuilder() + .setSourceCredentials(sourceCredentials) + .setTargetPrincipal(targetPrincipal) + .setDelegates(delegates) + .setScopes(scopes) + .setLifetime(lifetime) + .setHttpTransportFactory(transportFactory) + .setQuotaProjectId(quotaProjectId) + .setIamEndpointOverride(iamEndpointOverride) + .build(); + } + /** * @param sourceCredentials the source credential used to acquire the impersonated credentials. It * should be either a user account credential or a service account credential. @@ -257,6 +306,11 @@ public String getQuotaProjectId() { return this.quotaProjectId; } + @VisibleForTesting + String getIamEndpointOverride() { + return this.iamEndpointOverride; + } + @VisibleForTesting List getDelegates() { return delegates; @@ -320,9 +374,9 @@ static ImpersonatedCredentials fromJson( String sourceCredentialsType; String quotaProjectId; String targetPrincipal; + String serviceAccountImpersonationUrl; try { - String serviceAccountImpersonationUrl = - (String) json.get("service_account_impersonation_url"); + serviceAccountImpersonationUrl = (String) json.get("service_account_impersonation_url"); if (json.containsKey("delegates")) { delegates = (List) json.get("delegates"); } @@ -354,6 +408,7 @@ static ImpersonatedCredentials fromJson( .setLifetime(DEFAULT_LIFETIME_IN_SECONDS) .setHttpTransportFactory(transportFactory) .setQuotaProjectId(quotaProjectId) + .setIamEndpointOverride(serviceAccountImpersonationUrl) .build(); } @@ -370,6 +425,7 @@ public GoogleCredentials createScoped(Collection scopes) { .setDelegates(this.delegates) .setHttpTransportFactory(this.transportFactory) .setQuotaProjectId(this.quotaProjectId) + .setIamEndpointOverride(this.iamEndpointOverride) .build(); } @@ -393,6 +449,7 @@ private ImpersonatedCredentials(Builder builder) { builder.getHttpTransportFactory(), getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY)); this.quotaProjectId = builder.quotaProjectId; + this.iamEndpointOverride = builder.iamEndpointOverride; this.transportFactoryClassName = this.transportFactory.getClass().getName(); if (this.delegates == null) { this.delegates = new ArrayList(); @@ -424,7 +481,10 @@ public AccessToken refreshAccessToken() throws IOException { HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(sourceCredentials); HttpRequestFactory requestFactory = httpTransport.createRequestFactory(); - String endpointUrl = String.format(IAM_ACCESS_TOKEN_ENDPOINT, this.targetPrincipal); + String endpointUrl = + this.iamEndpointOverride != null + ? this.iamEndpointOverride + : String.format(IAM_ACCESS_TOKEN_ENDPOINT, this.targetPrincipal); GenericUrl url = new GenericUrl(endpointUrl); Map body = @@ -489,7 +549,13 @@ public IdToken idTokenWithAudience(String targetAudience, List(), credentials.getScopes()); @@ -201,6 +206,7 @@ void fromJson_userAsSource_WithoutQuotaProjectId() throws IOException { ImpersonatedCredentials credentials = ImpersonatedCredentials.fromJson(json, mockTransportFactory); assertEquals(IMPERSONATED_CLIENT_EMAIL, credentials.getAccount()); + assertEquals(IMPERSONATION_URL, credentials.getIamEndpointOverride()); assertNull(credentials.getQuotaProjectId()); assertEquals(DELEGATES, credentials.getDelegates()); assertEquals(new ArrayList(), credentials.getScopes()); @@ -223,6 +229,7 @@ void fromJson_userAsSource_MissingDelegatesField() throws IOException { ImpersonatedCredentials credentials = ImpersonatedCredentials.fromJson(json, mockTransportFactory); assertEquals(IMPERSONATED_CLIENT_EMAIL, credentials.getAccount()); + assertEquals(IMPERSONATION_URL, credentials.getIamEndpointOverride()); assertNull(credentials.getQuotaProjectId()); assertEquals(new ArrayList(), credentials.getDelegates()); assertEquals(new ArrayList(), credentials.getScopes()); @@ -238,6 +245,7 @@ void fromJson_ServiceAccountAsSource() throws IOException { ImpersonatedCredentials credentials = ImpersonatedCredentials.fromJson(json, mockTransportFactory); assertEquals(IMPERSONATED_CLIENT_EMAIL, credentials.getAccount()); + assertEquals(IMPERSONATION_URL, credentials.getIamEndpointOverride()); assertEquals(QUOTA_PROJECT_ID, credentials.getQuotaProjectId()); assertEquals(DELEGATES, credentials.getDelegates()); assertEquals(new ArrayList(), credentials.getScopes()); @@ -329,6 +337,25 @@ void createScopedWithImmutableScopes() { assertEquals(Arrays.asList("scope1", "scope2"), scoped_credentials.getScopes()); } + @Test + void createScopedWithIamEndpointOverride() { + ImpersonatedCredentials targetCredentials = + ImpersonatedCredentials.create( + sourceCredentials, + IMPERSONATED_CLIENT_EMAIL, + DELEGATES, + IMMUTABLE_SCOPES_LIST, + VALID_LIFETIME, + mockTransportFactory, + QUOTA_PROJECT_ID, + IMPERSONATION_URL); + + ImpersonatedCredentials scoped_credentials = + (ImpersonatedCredentials) targetCredentials.createScoped(IMMUTABLE_SCOPES_SET); + assertEquals( + targetCredentials.getIamEndpointOverride(), scoped_credentials.getIamEndpointOverride()); + } + @Test void refreshAccessToken_unauthorized() throws IOException { @@ -449,6 +476,29 @@ void refreshAccessToken_success() throws IOException, IllegalStateException { mockTransportFactory); assertEquals(ACCESS_TOKEN, targetCredentials.refreshAccessToken().getTokenValue()); + assertEquals(DEFAULT_IMPERSONATION_URL, mockTransportFactory.transport.getRequest().getUrl()); + } + + @Test + void refreshAccessToken_endpointOverride() throws IOException, IllegalStateException { + mockTransportFactory.transport.setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL); + mockTransportFactory.transport.setAccessToken(ACCESS_TOKEN); + mockTransportFactory.transport.setExpireTime(getDefaultExpireTime()); + mockTransportFactory.transport.setAccessTokenEndpoint(IMPERSONATION_URL); + + ImpersonatedCredentials targetCredentials = + ImpersonatedCredentials.create( + sourceCredentials, + IMPERSONATED_CLIENT_EMAIL, + null, + IMMUTABLE_SCOPES_LIST, + VALID_LIFETIME, + mockTransportFactory, + QUOTA_PROJECT_ID, + IMPERSONATION_URL); + + assertEquals(ACCESS_TOKEN, targetCredentials.refreshAccessToken().getTokenValue()); + assertEquals(IMPERSONATION_URL, mockTransportFactory.transport.getRequest().getUrl()); } @Test diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockIAMCredentialsServiceTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockIAMCredentialsServiceTransport.java index dcf1ef950..d3da05aa2 100644 --- a/oauth2_http/javatests/com/google/auth/oauth2/MockIAMCredentialsServiceTransport.java +++ b/oauth2_http/javatests/com/google/auth/oauth2/MockIAMCredentialsServiceTransport.java @@ -46,7 +46,7 @@ /** Transport that simulates the IAMCredentials server for access tokens. */ public class MockIAMCredentialsServiceTransport extends MockHttpTransport { - private static final String IAM_ACCESS_TOKEN_ENDPOINT = + private static final String DEFAULT_IAM_ACCESS_TOKEN_ENDPOINT = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken"; private static final String IAM_ID_TOKEN_ENDPOINT = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateIdToken"; @@ -58,6 +58,7 @@ public class MockIAMCredentialsServiceTransport extends MockHttpTransport { private byte[] signedBlob; private int responseCode = HttpStatusCodes.STATUS_CODE_OK; private String errorMessage; + private String iamAccessTokenEndpoint; private String accessToken; private String expireTime; @@ -101,6 +102,10 @@ public void setIdToken(String idToken) { this.idToken = idToken; } + public void setAccessTokenEndpoint(String accessTokenEndpoint) { + this.iamAccessTokenEndpoint = accessTokenEndpoint; + } + public MockLowLevelHttpRequest getRequest() { return request; } @@ -109,7 +114,9 @@ public MockLowLevelHttpRequest getRequest() { public LowLevelHttpRequest buildRequest(String method, String url) throws IOException { String iamAccesssTokenformattedUrl = - String.format(IAM_ACCESS_TOKEN_ENDPOINT, this.targetPrincipal); + iamAccessTokenEndpoint != null + ? iamAccessTokenEndpoint + : String.format(DEFAULT_IAM_ACCESS_TOKEN_ENDPOINT, this.targetPrincipal); String iamSignBlobformattedUrl = String.format(IAM_SIGN_ENDPOINT, this.targetPrincipal); String iamIdTokenformattedUrl = String.format(IAM_ID_TOKEN_ENDPOINT, this.targetPrincipal); if (url.equals(iamAccesssTokenformattedUrl)) { From b00c29476ac494636ba2eecebb9f1714d694b706 Mon Sep 17 00:00:00 2001 From: WhiteSource Renovate Date: Mon, 9 May 2022 22:32:31 +0200 Subject: [PATCH 16/18] chore(deps): update dependency com.google.http-client:google-http-client-bom to v1.41.8 (#918) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![WhiteSource Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.google.http-client:google-http-client-bom](https://togithub.com/googleapis/google-http-java-client) | `1.41.7` -> `1.41.8` | [![age](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.8/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.8/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.8/compatibility-slim/1.41.7)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/maven/com.google.http-client:google-http-client-bom/1.41.8/confidence-slim/1.41.7)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes

googleapis/google-http-java-client

### [`v1.41.8`](https://togithub.com/googleapis/google-http-java-client/releases/v1.41.8) [Compare Source](https://togithub.com/googleapis/google-http-java-client/compare/v1.41.7...v1.41.8) ##### [1.41.8](https://togithub.com/googleapis/google-http-java-client/compare/v1.41.7...v1.41.8) (2022-04-29) ##### Dependencies - downgrade appengine to 1.9.X ([#1645](https://togithub.com/googleapis/google-http-java-client/issues/1645)) ([da9dd8b](https://togithub.com/googleapis/google-http-java-client/commit/da9dd8bca97cc10712ce24054d2edd3d5ac2e571))