From d0d06bc1df20e0cd847cd991edc6e417df3cdff5 Mon Sep 17 00:00:00 2001
From: Daniel Azuma <dazuma@google.com>
Date: Thu, 19 Dec 2024 21:28:45 +0000
Subject: [PATCH] fix: GCECredentials lazily fetches from the metadata server
 to ensure a universe domain is known

---
 lib/googleauth/compute_engine.rb       | 13 +++++++++++++
 spec/googleauth/compute_engine_spec.rb | 15 +++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/lib/googleauth/compute_engine.rb b/lib/googleauth/compute_engine.rb
index a2464be..4b17c82 100644
--- a/lib/googleauth/compute_engine.rb
+++ b/lib/googleauth/compute_engine.rb
@@ -93,6 +93,19 @@ def initialize options = {}
         super options
       end
 
+      # @private
+      # Overrides universe_domain getter to fetch lazily if it hasn't been
+      # fetched yet. This is necessary specifically for Compute Engine because
+      # the universe comes from the metadata service, and isn't known
+      # immediately on credential construction. All other credential types read
+      # the universe from their json key or other immediate input.
+      def universe_domain
+        value = super
+        return value unless value.nil?
+        fetch_access_token!
+        super
+      end
+
       # Overrides the super class method to change how access tokens are
       # fetched.
       def fetch_access_token _options = {}
diff --git a/spec/googleauth/compute_engine_spec.rb b/spec/googleauth/compute_engine_spec.rb
index 081269c..0968ae8 100644
--- a/spec/googleauth/compute_engine_spec.rb
+++ b/spec/googleauth/compute_engine_spec.rb
@@ -97,6 +97,11 @@ def make_auth_stubs opts
         expect(@client.universe_domain).to eq("googleapis.com")
       end
 
+      it "sets the universe without explicit fetch_access_token" do
+        make_auth_stubs access_token: "1/abcde"
+        expect(@client.universe_domain).to eq("googleapis.com")
+      end
+
       it "returns a consistent expiry using cached data" do
         make_auth_stubs access_token: "1/abcde"
         @client.fetch_access_token!
@@ -121,6 +126,11 @@ def make_auth_stubs opts
         expect(@client.universe_domain).to eq("googleapis.com")
       end
 
+      it "sets the universe without explicit fetch_access_token" do
+        make_auth_stubs access_token: "1/abcde"
+        expect(@client.universe_domain).to eq("googleapis.com")
+      end
+
       it "returns a consistent expiry using cached data" do
         make_auth_stubs access_token: "1/abcde"
         @client.fetch_access_token!
@@ -144,6 +154,11 @@ def make_auth_stubs opts
         expect(@client.universe_domain).to eq("myuniverse.com")
       end
 
+      it "sets the universe without explicit fetch_access_token" do
+        make_auth_stubs access_token: "1/abcde"
+        expect(@client.universe_domain).to eq("myuniverse.com")
+      end
+
       it "supports updating the universe_domain" do
         make_auth_stubs access_token: "1/abcde"
         @client.fetch_access_token!