googleapis · zhumin8 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024
@@ -36,6 +36,7 @@ jobs:
     - run: .kokoro/build.sh
       env:
         JOB_TYPE: test
+        GOOGLE_SDK_JAVA_LOGGING: true
   units-java8:
     # Building using Java 17 and run the tests with Java 8 runtime
     name: "units (8)"
@@ -58,6 +59,7 @@ jobs:
       - run: .kokoro/build.sh
         env:
           JOB_TYPE: test
+          GOOGLE_SDK_JAVA_LOGGING: true
   windows:
     runs-on: windows-latest
     steps:
@@ -72,6 +74,7 @@ jobs:
     - run: .kokoro/build.bat
       env:
         JOB_TYPE: test
+        GOOGLE_SDK_JAVA_LOGGING: true
   dependencies:
     runs-on: ubuntu-latest
     strategy:

@@ -34,6 +34,7 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        GOOGLE_SDK_JAVA_LOGGING: true
       run: |
         mvn -B verify -Dcheckstyle.skip \
             -DenableFullTestCoverage \

@@ -60,6 +60,7 @@ javadoc)
     RETURN_CODE=$?
     ;;
 integration)
+    export GOOGLE_SDK_JAVA_LOGGING=true
     mvn -B ${INTEGRATION_TEST_ARGS} \
       -ntp \
       -Penable-integration-tests \

@@ -92,6 +92,8 @@ public class ComputeEngineCredentials extends GoogleCredentials
   static final Duration COMPUTE_REFRESH_MARGIN = Duration.ofMinutes(3).plusSeconds(45);
 
   private static final Logger LOGGER = Logger.getLogger(ComputeEngineCredentials.class.getName());
+  private static final org.slf4j.Logger SLF4JLOGGER =
+      LoggingConfigs.getLogger(ComputeEngineCredentials.class);
 
   static final String DEFAULT_METADATA_SERVER_URL = "http://metadata.google.internal";
 
@@ -296,11 +298,14 @@ public AccessToken refreshAccessToken() throws IOException {
       throw new IOException("Empty content from metadata token server request.");
     }
     GenericData responseData = response.parseAs(GenericData.class);
+    LoggingUtils.logGenericData(
+        responseData, SLF4JLOGGER, "Auth response from refresh access token payload");
     String accessToken =
         OAuth2Utils.validateString(responseData, "access_token", PARSE_ERROR_PREFIX);
     int expiresInSeconds =
         OAuth2Utils.validateInt32(responseData, "expires_in", PARSE_ERROR_PREFIX);
     long expiresAtMilliseconds = clock.currentTimeMillis() + expiresInSeconds * 1000;
+
     return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
   }
 
@@ -361,7 +366,23 @@ private HttpResponse getMetadataResponse(
     request.setThrowExceptionOnExecuteError(false);
     HttpResponse response;
     try {
+      String requestMessage;
+      String responseMessage;
+      if (requestType.equals(RequestType.ID_TOKEN_REQUEST)) {
+        requestMessage = "Auth get metadata sending request for id token";
+        responseMessage = "Auth get metadata received response for id token";
+      } else if (requestType.equals(RequestType.ACCESS_TOKEN_REQUEST)) {
+        requestMessage = "Auth get metadata sending request for access token";
+        responseMessage = "Auth get metadata received response for access token";
+      } else {
+        // TODO: this includes get universe domain and get default sa.
+        // refactor for more clear logging message.
+        requestMessage = "Auth get metadata sending request";
+        responseMessage = "Auth get metadata received response";
+      }
+      LoggingUtils.logRequest(request, SLF4JLOGGER, requestMessage);
       response = request.execute();
+      LoggingUtils.logResponse(response, SLF4JLOGGER, responseMessage);
     } catch (UnknownHostException exception) {
       throw new IOException(
           "ComputeEngineCredentials cannot find the metadata server. This is"
@@ -461,7 +482,11 @@ private static boolean pingComputeEngineMetadata(
             request,
             MetricsUtils.getGoogleCredentialsMetricsHeader(
                 RequestType.METADATA_SERVER_PING, CredentialTypeForMetrics.DO_NOT_SEND));
+
+        LoggingUtils.logRequest(request, SLF4JLOGGER, "Pin auth Metadata Server");
         HttpResponse response = request.execute();
+        LoggingUtils.logResponse(
+            response, SLF4JLOGGER, "Received auth response from Metadata Server");
         try {
           // Internet providers can return a generic response to all requests, so it is necessary
           // to check that metadata header is present also.
@@ -633,6 +658,8 @@ private String getDefaultServiceAccount() throws IOException {
       throw new IOException("Empty content from metadata token server request.");
     }
     GenericData responseData = response.parseAs(GenericData.class);
+    LoggingUtils.logGenericData(
+        responseData, SLF4JLOGGER, "Auth get default service account payload");
     Map<String, Object> defaultAccount =
         OAuth2Utils.validateMap(responseData, "default", PARSE_ERROR_ACCOUNT);
     return OAuth2Utils.validateString(defaultAccount, "email", PARSE_ERROR_ACCOUNT);

@@ -56,6 +56,7 @@
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
+import org.slf4j.Logger;
 
 /**
  * This internal class provides shared utilities for interacting with the IAM API for common
@@ -68,6 +69,7 @@ class IamUtils {
       "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateIdToken";
   private static final String PARSE_ERROR_MESSAGE = "Error parsing error message response. ";
   private static final String PARSE_ERROR_SIGNATURE = "Error parsing signature response. ";
+  private static final Logger LOGGER = LoggingConfigs.getLogger(IamUtils.class);
 
   // Following guidance for IAM retries:
   // https://cloud.google.com/iam/docs/retry-strategy#errors-to-retry
@@ -142,7 +144,11 @@ private static String getSignature(
                     IamUtils.IAM_RETRYABLE_STATUS_CODES.contains(response.getStatusCode())));
     request.setIOExceptionHandler(new HttpBackOffIOExceptionHandler(backoff));
 
+    LoggingUtils.logRequest(
+        request, LOGGER, "Sending auth request to get signature to sign the blob");
     HttpResponse response = request.execute();
+    LoggingUtils.logResponse(
+        response, LOGGER, "Received auth response for signature to sign the blob");
     int statusCode = response.getStatusCode();
     if (statusCode >= 400 && statusCode < HttpStatusCodes.STATUS_CODE_SERVER_ERROR) {
       GenericData responseError = response.parseAs(GenericData.class);
@@ -169,6 +175,7 @@ private static String getSignature(
     }
 
     GenericData responseData = response.parseAs(GenericData.class);
+    LoggingUtils.logGenericData(responseData, LOGGER, "Auth response payload for sign blob");
     return OAuth2Utils.validateString(responseData, "signedBlob", PARSE_ERROR_SIGNATURE);
   }
 
@@ -220,7 +227,10 @@ static IdToken getIdToken(
         MetricsUtils.getGoogleCredentialsMetricsHeader(
             RequestType.ID_TOKEN_REQUEST, credentialTypeForMetrics));
 
+    LoggingUtils.logRequest(request, LOGGER, "Sending auth request to get id token");
     HttpResponse response = request.execute();
+
+    LoggingUtils.logResponse(response, LOGGER, "Received auth response for id token");
     int statusCode = response.getStatusCode();
     if (statusCode >= 400 && statusCode < HttpStatusCodes.STATUS_CODE_SERVER_ERROR) {
       GenericData responseError = response.parseAs(GenericData.class);
@@ -245,6 +255,8 @@ static IdToken getIdToken(
     }
 
     GenericJson responseData = response.parseAs(GenericJson.class);
+    LoggingUtils.logGenericData(
+        responseData, LOGGER, "Auth response data payload for id token request");
     String rawToken = OAuth2Utils.validateString(responseData, "token", PARSE_ERROR_MESSAGE);
     return IdToken.create(rawToken);
   }

@@ -65,6 +65,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import org.slf4j.Logger;
 
 /**
  * ImpersonatedCredentials allowing credentials issued to a user or service account to impersonate
@@ -110,6 +111,7 @@ public class ImpersonatedCredentials extends GoogleCredentials
   private int lifetime;
   private String iamEndpointOverride;
   private final String transportFactoryClassName;
+  private static final Logger LOGGER = LoggingConfigs.getLogger(ImpersonatedCredentials.class);
 
   private transient HttpTransportFactory transportFactory;
 
@@ -546,12 +548,15 @@ public AccessToken refreshAccessToken() throws IOException {
 
     HttpResponse response = null;
     try {
+      LoggingUtils.logRequest(request, LOGGER, "Sending auth request to refresh access token");
       response = request.execute();
+      LoggingUtils.logResponse(response, LOGGER, "Received auth response for access token");
     } catch (IOException e) {
       throw new IOException("Error requesting access token", e);
     }
 
     GenericData responseData = response.parseAs(GenericData.class);
+    LoggingUtils.logGenericData(responseData, LOGGER, "Auth response payload for access token");
     response.disconnect();
 
     String accessToken =

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import org.slf4j.ILoggerFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+class LoggingConfigs {
+
+  private static EnvironmentProvider environmentProvider = SystemEnvironmentProvider.getInstance();
+  private static final Logger NO_OP_LOGGER = org.slf4j.helpers.NOPLogger.NOP_LOGGER;
+  private static boolean loggingEnabled = isLoggingEnabled();
+  // expose this setter only for testing purposes
+  static void setEnvironmentProvider(EnvironmentProvider provider) {
+    environmentProvider = provider;
+    // Recalculate LOGGING_ENABLED after setting the new provider
+    loggingEnabled = isLoggingEnabled();
+  }
+
+  private LoggingConfigs() {}
+
+  static Logger getLogger(Class<?> clazz) {
+    return getLogger(clazz, new DefaultLoggerFactoryProvider());
+  }
+
+  // constructor with LoggerFactoryProvider to make testing easier
+  static Logger getLogger(Class<?> clazz, LoggerFactoryProvider factoryProvider) {
+    if (!loggingEnabled) {
+      //  use SLF4j's NOP logger regardless of bindings
+      return NO_OP_LOGGER;
+    }
+    return factoryProvider.getLoggerFactory().getLogger(clazz.getName());
+  }
+
+  static boolean isLoggingEnabled() {
+    String enableLogging = environmentProvider.getEnv("GOOGLE_SDK_JAVA_LOGGING");
+    return "true".equalsIgnoreCase(enableLogging);
+  }
+
+  interface LoggerFactoryProvider {
+    ILoggerFactory getLoggerFactory();
+  }
+
+  static class DefaultLoggerFactoryProvider implements LoggerFactoryProvider {
+    @Override
+    public ILoggerFactory getLoggerFactory() {
+      return LoggerFactory.getILoggerFactory();
+    }
+  }
+}