From 11625ccb95ae1d99393185eb6eb10d6a5157e711 Mon Sep 17 00:00:00 2001 From: Chris Smith Date: Mon, 2 Oct 2023 12:57:29 -0600 Subject: [PATCH] google: add authorized_user conditional to Credentials.UniverseDomain Return default universe domain if credentials type is authorized_user. Change-Id: I20a9b5fafa562fcec84717914a236d081f630591 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/532196 Run-TryBot: Cody Oss Reviewed-by: Cody Oss TryBot-Result: Gopher Robot --- google/default.go | 8 +++- google/default_test.go | 87 ++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 91 insertions(+), 4 deletions(-) diff --git a/google/default.go b/google/default.go index 1d69bf79f..12b12a30c 100644 --- a/google/default.go +++ b/google/default.go @@ -216,6 +216,12 @@ func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params return nil, err } + universeDomain := f.UniverseDomain + // Authorized user credentials are only supported in the googleapis.com universe. + if f.Type == userCredentialsKey { + universeDomain = universeDomainDefault + } + ts, err := f.tokenSource(ctx, params) if err != nil { return nil, err @@ -225,7 +231,7 @@ func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params ProjectID: f.ProjectID, TokenSource: ts, JSON: jsonData, - universeDomain: f.UniverseDomain, + universeDomain: universeDomain, }, nil } diff --git a/google/default_test.go b/google/default_test.go index 5425e358d..1f76bae08 100644 --- a/google/default_test.go +++ b/google/default_test.go @@ -9,7 +9,20 @@ import ( "testing" ) -var jwtJSONKeyUniverseDomain = []byte(`{ +var saJSONJWT = []byte(`{ + "type": "service_account", + "project_id": "fake_project", + "private_key_id": "268f54e43a1af97cfc71731688434f45aca15c8b", + "private_key": "super secret key", + "client_email": "gopher@developer.gserviceaccount.com", + "client_id": "gopher.apps.googleusercontent.com", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/gopher%40fake_project.iam.gserviceaccount.com" +}`) + +var saJSONJWTUniverseDomain = []byte(`{ "type": "service_account", "project_id": "fake_project", "universe_domain": "example.com", @@ -23,13 +36,49 @@ var jwtJSONKeyUniverseDomain = []byte(`{ "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/gopher%40fake_project.iam.gserviceaccount.com" }`) -func TestCredentialsFromJSONWithParams_UniverseDomain(t *testing.T) { +var userJSON = []byte(`{ + "client_id": "abc123.apps.googleusercontent.com", + "client_secret": "shh", + "refresh_token": "refreshing", + "type": "authorized_user", + "quota_project_id": "fake_project2" +}`) + +var userJSONUniverseDomain = []byte(`{ + "client_id": "abc123.apps.googleusercontent.com", + "client_secret": "shh", + "refresh_token": "refreshing", + "type": "authorized_user", + "quota_project_id": "fake_project2", + "universe_domain": "example.com" +}`) + +func TestCredentialsFromJSONWithParams_SA(t *testing.T) { + ctx := context.Background() + scope := "https://www.googleapis.com/auth/cloud-platform" + params := CredentialsParams{ + Scopes: []string{scope}, + } + creds, err := CredentialsFromJSONWithParams(ctx, saJSONJWT, params) + if err != nil { + t.Fatal(err) + } + + if want := "fake_project"; creds.ProjectID != want { + t.Fatalf("got %q, want %q", creds.ProjectID, want) + } + if want := "googleapis.com"; creds.UniverseDomain() != want { + t.Fatalf("got %q, want %q", creds.UniverseDomain(), want) + } +} + +func TestCredentialsFromJSONWithParams_SA_UniverseDomain(t *testing.T) { ctx := context.Background() scope := "https://www.googleapis.com/auth/cloud-platform" params := CredentialsParams{ Scopes: []string{scope}, } - creds, err := CredentialsFromJSONWithParams(ctx, jwtJSONKeyUniverseDomain, params) + creds, err := CredentialsFromJSONWithParams(ctx, saJSONJWTUniverseDomain, params) if err != nil { t.Fatal(err) } @@ -41,3 +90,35 @@ func TestCredentialsFromJSONWithParams_UniverseDomain(t *testing.T) { t.Fatalf("got %q, want %q", creds.UniverseDomain(), want) } } + +func TestCredentialsFromJSONWithParams_User(t *testing.T) { + ctx := context.Background() + scope := "https://www.googleapis.com/auth/cloud-platform" + params := CredentialsParams{ + Scopes: []string{scope}, + } + creds, err := CredentialsFromJSONWithParams(ctx, userJSON, params) + if err != nil { + t.Fatal(err) + } + + if want := "googleapis.com"; creds.UniverseDomain() != want { + t.Fatalf("got %q, want %q", creds.UniverseDomain(), want) + } +} + +func TestCredentialsFromJSONWithParams_User_UniverseDomain(t *testing.T) { + ctx := context.Background() + scope := "https://www.googleapis.com/auth/cloud-platform" + params := CredentialsParams{ + Scopes: []string{scope}, + } + creds, err := CredentialsFromJSONWithParams(ctx, userJSONUniverseDomain, params) + if err != nil { + t.Fatal(err) + } + + if want := "googleapis.com"; creds.UniverseDomain() != want { + t.Fatalf("got %q, want %q", creds.UniverseDomain(), want) + } +}