

fix(auth/impersonate): properly send default detect params (#9529)
Fixes: #9136
codyoss authored Mar 8, 2024
1 parent 2504e26 commit 5b6b8be
Showing 4 changed files with 57 additions and 33 deletions.
7 changes: 3 additions & 4 deletions auth/impersonate/idtoken.go
Expand Up @@ -24,7 +24,6 @@ import (
"time"

"cloud.google.com/go/auth"
"cloud.google.com/go/auth/detect"
"cloud.google.com/go/auth/httptransport"
"cloud.google.com/go/auth/internal"
)
Expand Down Expand Up @@ -88,9 +87,9 @@ func NewIDTokenProvider(opts *IDTokenOptions) (auth.TokenProvider, error) {
if opts.Client == nil && opts.TokenProvider == nil {
var err error
client, err = httptransport.NewClient(&httptransport.Options{
DetectOpts: &detect.Options{
Audience: defaultAud,
Scopes: []string{defaultScope},
InternalOptions: &httptransport.InternalOptions{
DefaultAudience: defaultAud,
DefaultScopes: []string{defaultScope},
},
})
if err != nil {
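Review bot: The `InternalOptions` block added here is byte-for-byte the one added to `NewCredentialTokenProvider` in impersonate.go in the same commit, so the default audience and scope now live in two places and can drift the next time one of them is touched; a single unexported helper in this package that wraps `httptransport.NewClient` with these defaults, called from both constructors, would keep them in step. Whichever form stays, the block deserves a why-comment, because `InternalOptions` reads as an API callers are not meant to reach for: `// Seed credential detection with this package's defaults; the Default* names suggest caller-supplied detect options still take precedence (#9136) — confirm against httptransport.` The precedence itself is not visible in this hunk. NewIDTokenProvider's body starts before the hunk and continues past it.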
7 changes: 3 additions & 4 deletions auth/impersonate/impersonate.go
Expand Up @@ -24,7 +24,6 @@ import (
"time"

"cloud.google.com/go/auth"
"cloud.google.com/go/auth/detect"
"cloud.google.com/go/auth/httptransport"
"cloud.google.com/go/auth/internal"
)
Expand Down Expand Up @@ -57,9 +56,9 @@ func NewCredentialTokenProvider(opts *CredentialOptions) (auth.TokenProvider, er
if opts.Client == nil && opts.TokenProvider == nil {
var err error
client, err = httptransport.NewClient(&httptransport.Options{
DetectOpts: &detect.Options{
Audience: defaultAud,
Scopes: []string{defaultScope},
InternalOptions: &httptransport.InternalOptions{
DefaultAudience: defaultAud,
DefaultScopes: []string{defaultScope},
},
})
if err != nil {
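Review bot: Nothing in the hunk records that the `opts.Client == nil && opts.TokenProvider == nil` branch now relies on ambient Application Default Credentials seeded with package defaults, and the exported doc comment for NewCredentialTokenProvider sits outside the hunk, so a reader cannot tell from here which principal ends up performing the impersonation when both fields are nil. Suggest a comment above the `if`: `// No client or token provider supplied: fall back to detected (ADC) credentials, seeded with this package's default audience and scope.` and a matching sentence in the constructor's doc comment, since the choice of source principal is the security-relevant decision here. The function body starts before and continues past the hunk.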
75 changes: 51 additions & 24 deletions auth/impersonate/integration_test.go
Expand Up @@ -72,14 +72,20 @@ func TestMain(m *testing.M) {
func TestCredentialsTokenSourceIntegration(t *testing.T) {
testutil.IntegrationTestCheck(t)
tests := []struct {
name string
baseKeyFile string
delegates []string
name string
baseKeyFile string
delegates []string
useDefaultCreds bool
}{
{
name: "SA -> SA",
baseKeyFile: readerKeyFile,
},
{
name: "SA -> SA (Default)",
baseKeyFile: readerKeyFile,
useDefaultCreds: true,
},
{
name: "SA -> Delegate -> SA",
baseKeyFile: baseKeyFile,
Expand All @@ -90,19 +96,27 @@ func TestCredentialsTokenSourceIntegration(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ctx := context.Background()
creds, err := detect.DefaultCredentials(&detect.Options{
Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
CredentialsFile: tt.baseKeyFile,
})
if err != nil {
t.Fatalf("detect.DefaultCredentials() = %v", err)
var creds *detect.Credentials
if !tt.useDefaultCreds {
var err error
creds, err = detect.DefaultCredentials(&detect.Options{
Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
CredentialsFile: tt.baseKeyFile,
})
if err != nil {
t.Fatalf("detect.DefaultCredentials() = %v", err)
}
}
tp, err := impersonate.NewCredentialTokenProvider(&impersonate.CredentialOptions{

opts := &impersonate.CredentialOptions{
TargetPrincipal: writerEmail,
Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
Delegates: tt.delegates,
TokenProvider: creds,
})
}
if !tt.useDefaultCreds {
opts.TokenProvider = creds
}
tp, err := impersonate.NewCredentialTokenProvider(opts)
if err != nil {
t.Fatalf("failed to create ts: %v", err)
}
Expand All @@ -123,14 +137,20 @@ func TestIDTokenSourceIntegration(t *testing.T) {

ctx := context.Background()
tests := []struct {
name string
baseKeyFile string
delegates []string
name string
baseKeyFile string
delegates []string
useDefaultCreds bool
}{
{
name: "SA -> SA",
baseKeyFile: readerKeyFile,
},

{
name: "SA -> SA (Default)",
useDefaultCreds: true,
},
{
name: "SA -> Delegate -> SA",
baseKeyFile: baseKeyFile,
Expand All @@ -141,21 +161,28 @@ func TestIDTokenSourceIntegration(t *testing.T) {
for _, tt := range tests {
name := tt.name
t.Run(name, func(t *testing.T) {
creds, err := detect.DefaultCredentials(&detect.Options{
Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
CredentialsFile: tt.baseKeyFile,
})
if err != nil {
t.Fatalf("detect.DefaultCredentials() = %v", err)
var creds *detect.Credentials
if !tt.useDefaultCreds {
var err error
creds, err = detect.DefaultCredentials(&detect.Options{
Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
CredentialsFile: tt.baseKeyFile,
})
if err != nil {
t.Fatalf("detect.DefaultCredentials() = %v", err)
}
}
aud := "http://example.com/"
tp, err := impersonate.NewIDTokenProvider(&impersonate.IDTokenOptions{
opts := &impersonate.IDTokenOptions{
TargetPrincipal: writerEmail,
Audience: aud,
Delegates: tt.delegates,
IncludeEmail: true,
TokenProvider: creds,
})
}
if !tt.useDefaultCreds {
opts.TokenProvider = creds
}
tp, err := impersonate.NewIDTokenProvider(opts)
if err != nil {
t.Fatalf("failed to create ts: %v", err)
}
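Review bot: The guarded assignment `if !tt.useDefaultCreds { opts.TokenProvider = creds }` at the end of the hunk is load-bearing — if, as the constructor's nil check suggests, `TokenProvider` is the `auth.TokenProvider` interface, assigning the nil `*detect.Credentials` unconditionally would store a typed nil that compares non-nil and silently bypass the default-credentials path the new table entry exists to test — but nothing says so. Add `// Only assign when set: a nil *detect.Credentials stored in the interface is non-nil and would defeat default detection.` above the guard, and the same in TestCredentialsTokenSourceIntegration. The "(Default)" cases also depend on whatever ADC resolves to in the test environment being allowed to impersonate writerEmail, which a comment on the table entry should state, and the `baseKeyFile: readerKeyFile` on the credentials test's Default entry is never read on that path. Both test functions extend beyond the hunks shown.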
1 change: 0 additions & 1 deletion auth/internal/transport/s2a.go
Expand Up @@ -161,7 +161,6 @@ func shouldUseS2A(clientCertSource cert.Provider, opts *Options) bool {
if clientCertSource != nil {
return false
}
log.Println(os.Getenv(googleAPIUseS2AEnv))
// If EXPERIMENTAL_GOOGLE_API_USE_S2A is not set to true, skip S2A.
if b, err := strconv.ParseBool(os.Getenv(googleAPIUseS2AEnv)); err == nil && !b {
return false
