From e81012eb9e0e16970c6510c4582603ea1b4c79b3 Mon Sep 17 00:00:00 2001
From: BrennaEpp
Date: Tue, 12 Nov 2024 13:18:52 -0800
Subject: [PATCH 1/2] chore(storage): store credentials as auth.Credentials

Migrate from google.Credentials to auth.Credentials where posible
---
 storage/bucket.go | 12 ++++++------
 storage/bucket_test.go | 6 ++----
 storage/http_client.go | 11 ++++++-----
 storage/integration_test.go | 16 ++++++++++++----
 storage/storage.go | 12 +++++++-----
 5 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/storage/bucket.go b/storage/bucket.go
index 3eded017831e..61971dff96f3 100644
--- a/storage/bucket.go
+++ b/storage/bucket.go
@@ -200,11 +200,11 @@ func (b *BucketHandle) SignedURL(object string, opts *SignedURLOptions) (string,
 newopts.GoogleAccessID = id
 }
 if newopts.SignBytes == nil && len(newopts.PrivateKey) == 0 {
- if b.c.creds != nil && len(b.c.creds.JSON) > 0 {
+ if b.c.creds != nil && len(b.c.creds.JSON()) > 0 {
 var sa struct {
 PrivateKey string `json:"private_key"`
 }
- err := json.Unmarshal(b.c.creds.JSON, &sa)
+ err := json.Unmarshal(b.c.creds.JSON(), &sa)
 if err == nil && sa.PrivateKey != "" {
 newopts.PrivateKey = []byte(sa.PrivateKey)
 }
@@ -248,11 +248,11 @@ func (b *BucketHandle) GenerateSignedPostPolicyV4(object string, opts *PostPolic
 newopts.GoogleAccessID = id
 }
 if newopts.SignBytes == nil && newopts.SignRawBytes == nil && len(newopts.PrivateKey) == 0 {
- if b.c.creds != nil && len(b.c.creds.JSON) > 0 {
+ if b.c.creds != nil && len(b.c.creds.JSON()) > 0 {
 var sa struct {
 PrivateKey string `json:"private_key"`
 }
- err := json.Unmarshal(b.c.creds.JSON, &sa)
+ err := json.Unmarshal(b.c.creds.JSON(), &sa)
 if err == nil && sa.PrivateKey != "" {
 newopts.PrivateKey = []byte(sa.PrivateKey)
 }
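Review bot: The `len(b.c.creds.JSON()) > 0` guard plus an anonymous-struct `json.Unmarshal` that lifts `private_key` out of the credential JSON is now written out twice in this file section (SignedURL and GenerateSignedPostPolicyV4), and detectDefaultGoogleAccessID in the next hunk re-parses the same bytes for `client_email`; since the migration already edits every site, it is the natural point to move the private-key extraction into one helper on *Client so the sites cannot drift apart. The helper is also the one place to document what the inline code leaves implicit: `JSON()` is empty for credentials not backed by a key file, in which case `newopts.PrivateKey` is simply left unset. Both enclosing functions start and end outside the hunks.
```go
// privateKeyFromCreds returns the service-account private key embedded in the
// client's credential JSON, or nil when the credentials carry no JSON (for
// example, credentials not sourced from a key file) or no private_key field.
func (c *Client) privateKeyFromCreds() []byte {
	if c.creds == nil || len(c.creds.JSON()) == 0 {
		return nil
	}
	var sa struct {
		PrivateKey string `json:"private_key"`
	}
	if err := json.Unmarshal(c.creds.JSON(), &sa); err != nil || sa.PrivateKey == "" {
		return nil
	}
	return []byte(sa.PrivateKey)
}

// … in SignedURL; GenerateSignedPostPolicyV4 gets the same replacement …
if newopts.SignBytes == nil && len(newopts.PrivateKey) == 0 {
	newopts.PrivateKey = b.c.privateKeyFromCreds()
}
```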
@@ -270,14 +270,14 @@ func (b *BucketHandle) GenerateSignedPostPolicyV4(object string, opts *PostPolic
 func (b *BucketHandle) detectDefaultGoogleAccessID() (string, error) {
 returnErr := errors.New("no credentials found on client and not on GCE (Google Compute Engine)")
- if b.c.creds != nil && len(b.c.creds.JSON) > 0 {
+ if b.c.creds != nil && len(b.c.creds.JSON()) > 0 {
 var sa struct {
 ClientEmail string `json:"client_email"`
 SAImpersonationURL string `json:"service_account_impersonation_url"`
 CredType string `json:"type"`
 }
- err := json.Unmarshal(b.c.creds.JSON, &sa)
+ err := json.Unmarshal(b.c.creds.JSON(), &sa)
 if err != nil {
 returnErr = err
 } else {
diff --git a/storage/bucket_test.go b/storage/bucket_test.go
index 7ae7b06e7e8d..326c79e0f5f9 100644
--- a/storage/bucket_test.go
+++ b/storage/bucket_test.go
@@ -20,12 +20,12 @@ import (
 "testing"
 "time"
+ "cloud.google.com/go/auth"
 "cloud.google.com/go/compute/metadata"
 "cloud.google.com/go/internal/testutil"
 "cloud.google.com/go/storage/internal/apiv2/storagepb"
 "github.com/google/go-cmp/cmp"
 gax "github.com/googleapis/gax-go/v2"
- "golang.org/x/oauth2/google"
 "google.golang.org/api/googleapi"
 "google.golang.org/api/option"
 raw "google.golang.org/api/storage/v1"
@@ -1292,9 +1292,7 @@ func TestDetectDefaultGoogleAccessID(t *testing.T) {
 t.Run(tc.name, func(t *testing.T) {
 bucket := BucketHandle{
 c: &Client{
- creds: &google.Credentials{
- JSON: []byte(tc.creds(tc.serviceAccount)),
- },
+ creds: auth.NewCredentials(&auth.CredentialsOptions{JSON: []byte(tc.creds(tc.serviceAccount))}),
 },
 name: "my-bucket",
 }
diff --git a/storage/http_client.go b/storage/http_client.go
index 221078f3e262..8a0e21ba6cc2 100644
--- a/storage/http_client.go
+++ b/storage/http_client.go
@@ -31,11 +31,12 @@ import (
 "strings"
 "time"
+ "cloud.google.com/go/auth"
+ "cloud.google.com/go/auth/oauth2adapt"
 "cloud.google.com/go/iam/apiv1/iampb"
 "cloud.google.com/go/internal/optional"
 "cloud.google.com/go/internal/trace"
 "github.com/googleapis/gax-go/v2/callctx"
- "golang.org/x/oauth2/google"
 "google.golang.org/api/googleapi"
 "google.golang.org/api/iterator"
 "google.golang.org/api/option"
@@ -48,7 +49,7 @@ import (
 // httpStorageClient is the HTTP-JSON API implementation of the transport-agnostic
 // storageClient interface.
 type httpStorageClient struct {
- creds *google.Credentials
+ creds *auth.Credentials
 hc *http.Client
 xmlHost string
 raw *raw.Service
@@ -65,7 +66,7 @@ func newHTTPStorageClient(ctx context.Context, opts ...storageOption) (storageCl
 o := s.clientOption
 config := newStorageConfig(o...)
- var creds *google.Credentials
+ var creds *auth.Credentials
 // In general, it is recommended to use raw.NewService instead of htransport.NewClient
 // since raw.NewService configures the correct default endpoints when initializing the
 // internal http client. However, in our case, "NewRangeReader" in reader.go needs to
@@ -85,8 +86,8 @@ func newHTTPStorageClient(ctx context.Context, opts ...storageOption) (storageCl
 // client which does not auth with ADC or other common conventions.
 c, err := transport.Creds(ctx, o...)
 if err == nil {
- creds = c
- o = append(o, internaloption.WithCredentials(creds))
+ creds = oauth2adapt.AuthCredentialsFromOauth2Credentials(c)
+ o = append(o, internaloption.WithCredentials(c))
 }
 } else {
 var hostURL *url.URL
diff --git a/storage/integration_test.go b/storage/integration_test.go
index 2ab276ca9560..5d9e032043cb 100644
--- a/storage/integration_test.go
+++ b/storage/integration_test.go
@@ -43,6 +43,8 @@ import (
 "testing"
 "time"
+ "cloud.google.com/go/auth"
+ "cloud.google.com/go/auth/oauth2adapt"
 "cloud.google.com/go/httpreplay"
 "cloud.google.com/go/iam"
 "cloud.google.com/go/iam/apiv1/iampb"
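Review bot: After this hunk the same credential is held in two forms in newHTTPStorageClient: the oauth2 value `c` keeps authenticating the transport through `internaloption.WithCredentials(c)`, while the adapted `creds` is what the signing helpers in bucket.go read `JSON()` from, and that only works if `oauth2adapt.AuthCredentialsFromOauth2Credentials` carries the JSON bytes across (it appears to, but nothing in the code says so). A comment on the assignment would pin that invariant, e.g. `// creds mirrors c for the signing helpers (they read creds.JSON()); the transport itself still authenticates with c.` The surrounding `if err == nil {` with no else branch still discards a failed `transport.Creds`, so a client with broken ADC is constructed here and presumably only reports the problem if signing is later attempted; if that is deliberate best-effort behaviour it deserves one line saying so. The NewClient hunk in storage.go has the identical shape and the same notes apply there. newHTTPStorageClient continues outside the hunk.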
@@ -5537,7 +5539,7 @@ func TestIntegration_SignedURL_WithCreds(t *testing.T) {
 if err := verifySignedURL(url, nil, contents); err != nil {
 t.Fatalf("problem with the signed URL: %v", err)
 }
- }, option.WithCredentials(creds))
+ }, option.WithAuthCredentials(creds))
 }
 func TestIntegration_SignedURL_DefaultSignBytes(t *testing.T) {
@@ -5639,7 +5641,7 @@ func TestIntegration_PostPolicyV4_WithCreds(t *testing.T) {
 }
 })
 }
- }, option.WithCredentials(creds))
+ }, option.WithAuthCredentials(creds))
 }
@@ -5880,7 +5882,7 @@ func verifyPostPolicy(pv4 *PostPolicyV4, obj *ObjectHandle, bytesToWrite []byte,
 })
 }
-func findTestCredentials(ctx context.Context, envVar string, scopes ...string) (*google.Credentials, error) {
+func findTestCredentials(ctx context.Context, envVar string, scopes ...string) (*auth.Credentials, error) {
 key := os.Getenv(envVar)
 var opts []option.ClientOption
 if len(scopes) > 0 {
@@ -5889,7 +5891,13 @@ func findTestCredentials(ctx context.Context, envVar string, scopes ...string) (
 if key != "" {
 opts = append(opts, option.WithCredentialsFile(key))
 }
- return transport.Creds(ctx, opts...)
+
+ c, err := transport.Creds(ctx, opts...)
+ if err != nil {
+ return nil, err
+ }
+
+ return oauth2adapt.AuthCredentialsFromOauth2Credentials(c), nil
 }
 type testHelper struct {
diff --git a/storage/storage.go b/storage/storage.go
index 0c11eb82adc2..963ad369b6e7 100644
--- a/storage/storage.go
+++ b/storage/storage.go
@@ -38,12 +38,13 @@ import (
 "time"
 "unicode/utf8"
+ "cloud.google.com/go/auth"
+ "cloud.google.com/go/auth/oauth2adapt"
 "cloud.google.com/go/internal/optional"
 "cloud.google.com/go/internal/trace"
 "cloud.google.com/go/storage/internal"
 "cloud.google.com/go/storage/internal/apiv2/storagepb"
 "github.com/googleapis/gax-go/v2"
- "golang.org/x/oauth2/google"
 "google.golang.org/api/googleapi"
 "google.golang.org/api/option"
 "google.golang.org/api/option/internaloption"
@@ -112,7 +113,7 @@ type Client struct {
 // xmlHost is the default host used for XML requests.
 xmlHost string
 // May be nil.
- creds *google.Credentials
+ creds *auth.Credentials
 retry *retryConfig
 // tc is the transport-agnostic client implemented with either gRPC or HTTP.
@@ -129,7 +130,7 @@ type Client struct {
 // You may configure the client by passing in options from the [google.golang.org/api/option]
 // package. You may also use options defined in this package, such as [WithJSONReads].
 func NewClient(ctx context.Context, opts ...option.ClientOption) (*Client, error) {
- var creds *google.Credentials
+ var creds *auth.Credentials
 // In general, it is recommended to use raw.NewService instead of htransport.NewClient
 // since raw.NewService configures the correct default endpoints when initializing the
@@ -151,9 +152,10 @@ func NewClient(ctx context.Context, opts ...option.ClientOption) (*Client, error
 // client which does not auth with ADC or other common conventions.
 c, err := transport.Creds(ctx, opts...)
 if err == nil {
- creds = c
- opts = append(opts, internaloption.WithCredentials(creds))
+ creds = oauth2adapt.AuthCredentialsFromOauth2Credentials(c)
+ opts = append(opts, internaloption.WithCredentials(c))
 }
+
 } else {
 var hostURL *url.URL

From 9f635fb1199d8b7199eb44e06ed32dd462a1e2ca Mon Sep 17 00:00:00 2001
From: BrennaEpp
Date: Tue, 12 Nov 2024 13:32:48 -0800
Subject: [PATCH 2/2] go mod tidy

---
 storage/go.mod | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/storage/go.mod b/storage/go.mod
index ef079006a4ce..6923fd00d32d 100644
--- a/storage/go.mod
+++ b/storage/go.mod
@@ -6,6 +6,8 @@ retract [v1.25.0, v1.27.0] // due to https://github.com/googleapis/google-cloud-
 require (
 cloud.google.com/go v0.116.0
+ cloud.google.com/go/auth v0.10.0
+ cloud.google.com/go/auth/oauth2adapt v0.2.5
 cloud.google.com/go/compute/metadata v0.5.2
 cloud.google.com/go/iam v1.2.1
 cloud.google.com/go/longrunning v0.6.1
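Review bot: The lone `+` line between ` }` and ` } else {` in NewClient adds an empty line inside the if/else chain that has nothing to do with the credentials migration and that gofmt will leave in place; drop it so this hunk stays limited to the `creds`/`opts` change and NewClient remains byte-parallel with newHTTPStorageClient in http_client.go. NewClient begins and ends outside the hunk.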
@@ -30,8 +32,6 @@ require (
 require (
 cel.dev/expr v0.16.1 // indirect
- cloud.google.com/go/auth v0.10.0 // indirect
- cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
 cloud.google.com/go/monitoring v1.21.1 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect