fix(transport/grpc): add universe domain verification (#2375)
quartzmo authored Jan 25, 2024
1 parent b21a1fa commit df17254
Showing 4 changed files with 21 additions and 12 deletions.
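--- a/internal/creds.go
+++ b/internal/creds.go
@@ -226,3 +226,14 @@ func baseTransport() *http.Transport {
 ExpectContinueTimeout: 1 * time.Second,
 }
 }
+
+// ErrUniverseNotMatch composes an error string from the provided universe
+// domain sources (DialSettings and Credentials, respectively).
+func ErrUniverseNotMatch(settingsUD, credsUD string) error {
+return fmt.Errorf(
+"the configured universe domain (%q) does not match the universe "+
+"domain found in the credentials (%q). If you haven't configured "+
+"WithUniverseDomain explicitly, \"googleapis.com\" is the default",
+settingsUD,
+credsUD)
+}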
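Review bot: ErrUniverseNotMatch builds a fresh fmt.Errorf value on every call, so a caller that gets the error back from dial or newTransport cannot recognise the mismatch with errors.Is; the only way to match it today is to rebuild the string with the same arguments, which is what TestNewClient_MismatchedUniverseDomainCreds in the last file of this diff does. A sentinel wrapped with %w would keep the message and make the condition matchable: `var ErrUniverseMismatch = errors.New("universe domain mismatch")` at package level and `"WithUniverseDomain explicitly, \"googleapis.com\" is the default: %w", settingsUD, credsUD, ErrUniverseMismatch)` as the tail of the fmt.Errorf call. Under Go naming convention the Err prefix marks an error variable, so if the function stays as it is a name such as `NewUniverseNotMatchError` would read more clearly. Whether creds.go already imports errors is not visible in this hunk.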
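--- a/transport/grpc/dial.go
+++ b/transport/grpc/dial.go
@@ -177,6 +177,13 @@ func dial(ctx context.Context, insecure bool, o *internal.DialSettings) (*grpc.C
 if err != nil {
 return nil, err
 }
+credsUniverseDomain, err := creds.GetUniverseDomain()
+if err != nil {
+return nil, err
+}
+if o.GetUniverseDomain() != credsUniverseDomain {
+return nil, internal.ErrUniverseNotMatch(o.GetUniverseDomain(), credsUniverseDomain)
+}
 grpcOpts = append(grpcOpts, grpc.WithPerRPCCredentials(grpcTokenSource{
 TokenSource: oauth.TokenSource{TokenSource: creds.TokenSource},
 quotaProject: internal.GetQuotaProject(creds, o.QuotaProject),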
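Review bot: The universe-domain check added to dial has no test in this commit, while the equivalent check in transport/http is covered by TestNewClient_MismatchedUniverseDomainCreds in the last file of this diff. Since this check is what stops the dial from attaching per-RPC credentials issued for one universe to a connection configured for another, a mirror test in transport/grpc that dials with option.WithUniverseDomain("example.com") and default credentials and asserts the internal.ErrUniverseNotMatch error would keep the two transports from drifting. The three added statements also duplicate transport/http/dial.go line for line; a shared helper in internal that takes the DialSettings and the credentials and returns the mismatch error would leave one place to maintain. Whether every credentials path through dial reaches this check (for example a token source supplied directly by the caller) cannot be seen here, because dial starts and ends outside the hunk.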
12 changes: 1 addition & 11 deletions transport/http/dial.go
Expand Up @@ -11,7 +11,6 @@ import (
"context"
"crypto/tls"
"errors"
"fmt"
"net"
"net/http"
"time"
Expand Down Expand Up @@ -94,7 +93,7 @@ func newTransport(ctx context.Context, base http.RoundTripper, settings *interna
return nil, err
}
if settings.GetUniverseDomain() != credsUniverseDomain {
return nil, errUniverseNotMatch(settings.GetUniverseDomain(), credsUniverseDomain)
return nil, internal.ErrUniverseNotMatch(settings.GetUniverseDomain(), credsUniverseDomain)
}
paramTransport.quotaProject = internal.GetQuotaProject(creds, settings.QuotaProject)
ts := creds.TokenSource
Expand All @@ -109,15 +108,6 @@ func newTransport(ctx context.Context, base http.RoundTripper, settings *interna
return trans, nil
}

func errUniverseNotMatch(settingsUD, credsUD string) error {
return fmt.Errorf(
"the configured universe domain (%q) does not match the universe "+
"domain found in the credentials (%q). If you haven't configured "+
"WithUniverseDomain explicitly, googleapis.com is the default",
settingsUD,
credsUD)
}

func newSettings(opts []option.ClientOption) (*internal.DialSettings, error) {
var o internal.DialSettings
for _, opt := range opts {
3 changes: 2 additions & 1 deletion transport/http/dial_test.go
Expand Up @@ -12,6 +12,7 @@ import (
"go.opencensus.io/plugin/ochttp"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"google.golang.org/api/internal"
"google.golang.org/api/option"
)

Expand Down Expand Up @@ -45,7 +46,7 @@ func TestNewClient_MismatchedUniverseDomainCreds(t *testing.T) {
universeDomain := "example.com"
universeDomainDefault := "googleapis.com"
creds := &google.Credentials{} // universeDomainDefault
wantErr := errUniverseNotMatch(universeDomain, universeDomainDefault)
wantErr := internal.ErrUniverseNotMatch(universeDomain, universeDomainDefault)
_, _, err := NewClient(context.Background(), option.WithUniverseDomain(universeDomain),
option.WithCredentials(creds), option.WithScopes(rootTokenScope))

