fix(auth): check compute cred type before non-default flag for DP (go…

…ogleapis#11255) We need to first ensure a token is a compute type before we enforce the option to allow for a non-default service account. This was leading to a strange XDS error if say a user credential was supplied and this option was enabled.
codyoss · Dec 10, 2024 · 4347ca1 · 4347ca1
1 parent 798c7e6
commit 4347ca1
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/auth/grpctransport/directpath.go b/auth/grpctransport/directpath.go
@@ -66,12 +66,12 @@ func isTokenProviderDirectPathCompatible(tp auth.TokenProvider, o *Options) bool
 	if tok == nil {
 		return false
 	}
-	if o.InternalOptions != nil && o.InternalOptions.EnableNonDefaultSAForDirectPath {
-		return true
-	}
 	if tok.MetadataString("auth.google.tokenSource") != "compute-metadata" {
 		return false
 	}
+	if o.InternalOptions != nil && o.InternalOptions.EnableNonDefaultSAForDirectPath {
+		return true
+	}
 	if tok.MetadataString("auth.google.serviceAccount") != "default" {
 		return false
 	}

diff --git a/auth/grpctransport/directpath_test.go b/auth/grpctransport/directpath_test.go
@@ -41,14 +41,28 @@ func TestIsTokenProviderDirectPathCompatible(t *testing.T) {
 		},
 		{
 			name: "EnableNonDefaultSAForDirectPath",
-			tp:   &staticTP{tok: &auth.Token{Value: "fakeToken"}},
+			tp: &staticTP{
+				tok: token(map[string]interface{}{
+					"auth.google.tokenSource": "compute-metadata",
+				}),
+			},
 			opts: &Options{
 				InternalOptions: &InternalOptions{
 					EnableNonDefaultSAForDirectPath: true,
 				},
 			},
 			want: true,
 		},
+		{
+			name: "EnableNonDefaultSAForDirectPathButNotCompute",
+			tp:   &staticTP{},
+			opts: &Options{
+				InternalOptions: &InternalOptions{
+					EnableNonDefaultSAForDirectPath: true,
+				},
+			},
+			want: false,
+		},
 		{
 			name: "non-compute token source",
 			tp:   &staticTP{tok: token(map[string]interface{}{"auth.google.tokenSource": "NOT-compute-metadata"})},