From 5b6b8bef577f82707e51f5cc5d258d5bdf90218f Mon Sep 17 00:00:00 2001
From: Cody Oss <6331106+codyoss@users.noreply.github.com>
Date: Fri, 8 Mar 2024 12:26:18 -0600
Subject: [PATCH] fix(auth/impersonate): properly send default detect params (#9529)

Fixes: #9136
---
 auth/impersonate/idtoken.go          |  7 ++-
 auth/impersonate/impersonate.go      |  7 ++-
 auth/impersonate/integration_test.go | 75 +++++++++++++++++++---------
 auth/internal/transport/s2a.go       |  1 -
 4 files changed, 57 insertions(+), 33 deletions(-)

diff --git a/auth/impersonate/idtoken.go b/auth/impersonate/idtoken.go
index bac25bd2c84f..6696f5c0a743 100644
--- a/auth/impersonate/idtoken.go
+++ b/auth/impersonate/idtoken.go
@@ -24,7 +24,6 @@ import (
 	"time"
 
 	"cloud.google.com/go/auth"
-	"cloud.google.com/go/auth/detect"
 	"cloud.google.com/go/auth/httptransport"
 	"cloud.google.com/go/auth/internal"
 )
@@ -88,9 +87,9 @@ func NewIDTokenProvider(opts *IDTokenOptions) (auth.TokenProvider, error) {
 	if opts.Client == nil && opts.TokenProvider == nil {
 		var err error
 		client, err = httptransport.NewClient(&httptransport.Options{
-			DetectOpts: &detect.Options{
-				Audience: defaultAud,
-				Scopes: []string{defaultScope},
+			InternalOptions: &httptransport.InternalOptions{
+				DefaultAudience: defaultAud,
+				DefaultScopes: []string{defaultScope},
 			},
 		})
 		if err != nil {
diff --git a/auth/impersonate/impersonate.go b/auth/impersonate/impersonate.go
index e6bcef078cca..79386b3b6db6 100644
--- a/auth/impersonate/impersonate.go
+++ b/auth/impersonate/impersonate.go
@@ -24,7 +24,6 @@ import (
 	"time"
 
 	"cloud.google.com/go/auth"
-	"cloud.google.com/go/auth/detect"
 	"cloud.google.com/go/auth/httptransport"
 	"cloud.google.com/go/auth/internal"
 )
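Review bot: The client bootstrap rewritten here in NewIDTokenProvider is duplicated verbatim in NewCredentialTokenProvider (the @@ -57,9 +56,9 @@ hunk of impersonate.go), and this fix had to be applied to both copies by hand; a single unexported helper would keep the two constructors from drifting again, with each call site becoming `client, err = newDefaultClient()`. The body of NewIDTokenProvider starts and ends outside the hunk. Nothing in the diff records why the options moved; presumably a caller-supplied DetectOpts replaced the default detection configuration wholesale while InternalOptions only layers defaults on top of it, which is worth confirming and stating next to the helper, e.g. `// InternalOptions supplies defaults on top of normal credential detection; setting DetectOpts here bypassed it (#9136).`
```go
// newDefaultClient builds the client used when a caller supplies neither
// Client nor TokenProvider; shared by NewIDTokenProvider and
// NewCredentialTokenProvider so the default detection parameters cannot
// drift between them.
func newDefaultClient() (*http.Client, error) {
	return httptransport.NewClient(&httptransport.Options{
		InternalOptions: &httptransport.InternalOptions{
			DefaultAudience: defaultAud,
			DefaultScopes:   []string{defaultScope},
		},
	})
}
```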
@@ -57,9 +56,9 @@ func NewCredentialTokenProvider(opts *CredentialOptions) (auth.TokenProvider, er
 	if opts.Client == nil && opts.TokenProvider == nil {
 		var err error
 		client, err = httptransport.NewClient(&httptransport.Options{
-			DetectOpts: &detect.Options{
-				Audience: defaultAud,
-				Scopes: []string{defaultScope},
+			InternalOptions: &httptransport.InternalOptions{
+				DefaultAudience: defaultAud,
+				DefaultScopes: []string{defaultScope},
 			},
 		})
 		if err != nil {
diff --git a/auth/impersonate/integration_test.go b/auth/impersonate/integration_test.go
index e93c93d49132..be4d240508f8 100644
--- a/auth/impersonate/integration_test.go
+++ b/auth/impersonate/integration_test.go
@@ -72,14 +72,20 @@ func TestMain(m *testing.M) {
 func TestCredentialsTokenSourceIntegration(t *testing.T) {
 	testutil.IntegrationTestCheck(t)
 	tests := []struct {
-		name string
-		baseKeyFile string
-		delegates []string
+		name string
+		baseKeyFile string
+		delegates []string
+		useDefaultCreds bool
 	}{
 		{
 			name: "SA -> SA",
 			baseKeyFile: readerKeyFile,
 		},
+		{
+			name: "SA -> SA (Default)",
+			baseKeyFile: readerKeyFile,
+			useDefaultCreds: true,
+		},
 		{
 			name: "SA -> Delegate -> SA",
 			baseKeyFile: baseKeyFile,
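Review bot: The new "SA -> SA (Default)" case in TestCredentialsTokenSourceIntegration keeps `baseKeyFile: readerKeyFile,` even though useDefaultCreds makes the test body skip detect.DefaultCredentials, so the key file is never read for this case; the parallel case added to TestIDTokenSourceIntegration omits the field. Dropping the line here, or annotating the struct field with `// ignored when useDefaultCreds is set; credentials then come from the ambient environment`, keeps the table from implying the key file is exercised. The table and the function continue past the end of the hunk.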
@@ -90,19 +96,27 @@ func TestCredentialsTokenSourceIntegration(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx := context.Background()
-			creds, err := detect.DefaultCredentials(&detect.Options{
-				Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
-				CredentialsFile: tt.baseKeyFile,
-			})
-			if err != nil {
-				t.Fatalf("detect.DefaultCredentials() = %v", err)
+			var creds *detect.Credentials
+			if !tt.useDefaultCreds {
+				var err error
+				creds, err = detect.DefaultCredentials(&detect.Options{
+					Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
+					CredentialsFile: tt.baseKeyFile,
+				})
+				if err != nil {
+					t.Fatalf("detect.DefaultCredentials() = %v", err)
+				}
 			}
-			tp, err := impersonate.NewCredentialTokenProvider(&impersonate.CredentialOptions{
+
+			opts := &impersonate.CredentialOptions{
 				TargetPrincipal: writerEmail,
 				Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
 				Delegates: tt.delegates,
-				TokenProvider: creds,
-			})
+			}
+			if !tt.useDefaultCreds {
+				opts.TokenProvider = creds
+			}
+			tp, err := impersonate.NewCredentialTokenProvider(opts)
 			if err != nil {
 				t.Fatalf("failed to create ts: %v", err)
 			}
@@ -123,14 +137,20 @@ func TestIDTokenSourceIntegration(t *testing.T) {
 	ctx := context.Background()
 
 	tests := []struct {
-		name string
-		baseKeyFile string
-		delegates []string
+		name string
+		baseKeyFile string
+		delegates []string
+		useDefaultCreds bool
 	}{
 		{
 			name: "SA -> SA",
 			baseKeyFile: readerKeyFile,
 		},
+
+		{
+			name: "SA -> SA (Default)",
+			useDefaultCreds: true,
+		},
 		{
 			name: "SA -> Delegate -> SA",
 			baseKeyFile: baseKeyFile,
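Review bot: The second `if !tt.useDefaultCreds` guard around `opts.TokenProvider = creds` is load-bearing but unexplained: creds is a typed `*detect.Credentials`, and if TokenProvider is an interface field (as its use with a pointer value suggests), assigning a nil pointer would leave a non-nil interface wrapping nil, so the `opts.TokenProvider == nil` check in NewCredentialTokenProvider would never take the default-credentials path this test exists to cover. Either comment it, `// assign only when set: a nil *detect.Credentials stored in the interface would defeat the nil check in NewCredentialTokenProvider`, or move `opts.TokenProvider = creds` into the first branch right after detection so the condition appears once. The same shape is repeated in the @@ -141,21 +161,28 @@ hunk of TestIDTokenSourceIntegration. The t.Run closure continues past the end of the hunk.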
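Review bot: The "SA -> SA (Default)" entry added to TestIDTokenSourceIntegration's table is preceded by an empty added line after the "SA -> SA" entry that no other entry has; gofmt preserves blank lines inside composite literals, so it will stay unless removed. Deleting that one `+` line makes the table read uniformly, matching the table in TestCredentialsTokenSourceIntegration. The table and the function continue past the end of the hunk.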
@@ -141,21 +161,28 @@ func TestIDTokenSourceIntegration(t *testing.T) {
 	for _, tt := range tests {
 		name := tt.name
 		t.Run(name, func(t *testing.T) {
-			creds, err := detect.DefaultCredentials(&detect.Options{
-				Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
-				CredentialsFile: tt.baseKeyFile,
-			})
-			if err != nil {
-				t.Fatalf("detect.DefaultCredentials() = %v", err)
+			var creds *detect.Credentials
+			if !tt.useDefaultCreds {
+				var err error
+				creds, err = detect.DefaultCredentials(&detect.Options{
+					Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
+					CredentialsFile: tt.baseKeyFile,
+				})
+				if err != nil {
+					t.Fatalf("detect.DefaultCredentials() = %v", err)
+				}
 			}
 			aud := "http://example.com/"
-			tp, err := impersonate.NewIDTokenProvider(&impersonate.IDTokenOptions{
+			opts := &impersonate.IDTokenOptions{
 				TargetPrincipal: writerEmail,
 				Audience: aud,
 				Delegates: tt.delegates,
 				IncludeEmail: true,
-				TokenProvider: creds,
-			})
+			}
+			if !tt.useDefaultCreds {
+				opts.TokenProvider = creds
+			}
+			tp, err := impersonate.NewIDTokenProvider(opts)
 			if err != nil {
 				t.Fatalf("failed to create ts: %v", err)
 			}
diff --git a/auth/internal/transport/s2a.go b/auth/internal/transport/s2a.go
index 6abafeca1b37..45ac578b2653 100644
--- a/auth/internal/transport/s2a.go
+++ b/auth/internal/transport/s2a.go
@@ -161,7 +161,6 @@ func shouldUseS2A(clientCertSource cert.Provider, opts *Options) bool {
 	if clientCertSource != nil {
 		return false
 	}
-	log.Println(os.Getenv(googleAPIUseS2AEnv))
 	// If EXPERIMENTAL_GOOGLE_API_USE_S2A is not set to true, skip S2A.
 	if b, err := strconv.ParseBool(os.Getenv(googleAPIUseS2AEnv)); err == nil && !b {
 		return false