feat(auth): add universe domain support to credentials/impersonate

auth/auth.go

@@ -196,6 +196,14 @@ func (c *Credentials) UniverseDomain(ctx context.Context) (string, error) {
 	return v, err
 }
 
+// UniverseDomainPropertyProvider returns a [CredentialsPropertyProvider] for
+// the default service domain for a given Cloud universe.
+//
+// To immediately access the universe domain, use [Credentials.UniverseDomain].
+func (c *Credentials) UniverseDomainPropertyProvider() CredentialsPropertyProvider {
+	return c.universeDomain
+}
+
 // CredentialsPropertyProvider provides an implementation to fetch a property
 // value for [Credentials].
 type CredentialsPropertyProvider interface {

auth/credentials/impersonate/impersonate.go

@@ -94,14 +94,7 @@ func NewCredentials(opts *CredentialsOptions) (*auth.Credentials, error) {
 	// If a subject is specified a domain-wide delegation auth-flow is initiated
 	// to impersonate as the provided subject (user).
 	if opts.Subject != "" {
-		gdu, err := isUniverseDomainGDU(universeDomainProvider)
-		if err != nil {
-			return nil, err
-		}
-		if !gdu {
-			return nil, errUniverseNotSupportedDomainWideDelegation
-		}
-		tp, err := user(opts, client, lifetime, isStaticToken)
+		tp, err := user(opts, client, lifetime, isStaticToken, universeDomainProvider)
 		if err != nil {
 			return nil, err
 		}
@@ -156,17 +149,6 @@ func resolveUniverseDomainProvider(opts *CredentialsOptions, creds *auth.Credent
 	return internal.StaticCredentialsProperty(internal.DefaultUniverseDomain)
 }
 
-// isUniverseDomainGDU returns true if the universe domain is the default Google
-// universe or if it is empty.
-func isUniverseDomainGDU(universeDomainProvider auth.CredentialsPropertyProvider) (bool, error) {
-	universeDomain, err := universeDomainProvider.GetProperty(context.Background())
-	if err != nil {
-		return false, err
-	}
-	gdu := universeDomain == internal.DefaultUniverseDomain || universeDomain == ""
-	return gdu, nil
-}
-
 // CredentialsOptions for generating an impersonated credential token.
 type CredentialsOptions struct {
 	// TargetPrincipal is the email address of the service account to

auth/credentials/impersonate/user.go

@@ -30,12 +30,13 @@ import (
 
 // user provides an auth flow for domain-wide delegation, setting
 // CredentialsConfig.Subject to be the impersonated user.
-func user(opts *CredentialsOptions, client *http.Client, lifetime time.Duration, isStaticToken bool) (auth.TokenProvider, error) {
+func user(opts *CredentialsOptions, client *http.Client, lifetime time.Duration, isStaticToken bool, universeDomainProvider auth.CredentialsPropertyProvider) (auth.TokenProvider, error) {
 	u := userTokenProvider{
-		client:          client,
-		targetPrincipal: opts.TargetPrincipal,
-		subject:         opts.Subject,
-		lifetime:        lifetime,
+		client:                 client,
+		targetPrincipal:        opts.TargetPrincipal,
+		subject:                opts.Subject,
+		lifetime:               lifetime,
+		universeDomainProvider: universeDomainProvider,
 	}
 	u.delegates = make([]string, len(opts.Delegates))
 	for i, v := range opts.Delegates {
@@ -84,21 +85,44 @@ type exchangeTokenResponse struct {
 type userTokenProvider struct {
 	client *http.Client
 
-	targetPrincipal string
-	subject         string
-	scopes          []string
-	lifetime        time.Duration
-	delegates       []string
+	targetPrincipal        string
+	subject                string
+	scopes                 []string
+	lifetime               time.Duration
+	delegates              []string
+	universeDomainProvider auth.CredentialsPropertyProvider
 }
 
 func (u userTokenProvider) Token(ctx context.Context) (*auth.Token, error) {
+	// If a subject is specified a domain-wide delegation auth-flow is initiated
+	// to impersonate as the provided subject (user).
+	if u.subject != "" {
+		gdu, err := isUniverseDomainGDU(u.universeDomainProvider)
+		if err != nil {
+			return nil, err
+		}
+		if !gdu {
+			return nil, errUniverseNotSupportedDomainWideDelegation
+		}
+	}
 	signedJWT, err := u.signJWT(ctx)
 	if err != nil {
 		return nil, err
 	}
 	return u.exchangeToken(ctx, signedJWT)
 }
 
+// isUniverseDomainGDU returns true if the universe domain is the default Google
+// universe or if it is empty.
+func isUniverseDomainGDU(universeDomainProvider auth.CredentialsPropertyProvider) (bool, error) {
+	universeDomain, err := universeDomainProvider.GetProperty(context.Background())
+	if err != nil {
+		return false, err
+	}
+	gdu := universeDomain == internal.DefaultUniverseDomain || universeDomain == ""
+	return gdu, nil
+}
+
 func (u userTokenProvider) signJWT(ctx context.Context) (string, error) {
 	now := time.Now()
 	exp := now.Add(u.lifetime)

auth/credentials/impersonate/user_test.go

@@ -37,6 +37,7 @@ func TestNewCredentials_user(t *testing.T) {
 		lifetime        time.Duration
 		subject         string
 		wantErr         bool
+		wantTokenErr    bool
 		universeDomain  string
 	}{
 		{
@@ -60,14 +61,13 @@ func TestNewCredentials_user(t *testing.T) {
 			targetPrincipal: "[email protected]",
 			scopes:          []string{"scope"},
 			subject:         "[email protected]",
-			wantErr:         false,
 		},
 		{
 			name:            "universeDomain",
 			targetPrincipal: "[email protected]",
 			scopes:          []string{"scope"},
 			subject:         "[email protected]",
-			wantErr:         true,
+			wantTokenErr:    true,
 			// Non-GDU Universe Domain should result in error if
 			// CredentialsConfig.Subject is present for domain-wide delegation.
 			universeDomain: "example.com",
@@ -152,6 +152,9 @@ func TestNewCredentials_user(t *testing.T) {
 				t.Fatal(err)
 			}
 			tok, err := ts.Token(ctx)
+			if tt.wantTokenErr && err != nil {
+				return
+			}
 			if err != nil {
 				t.Fatal(err)
 			}

auth/httptransport/httptransport.go

@@ -17,7 +17,6 @@
 package httptransport
 
 import (
-	"context"
 	"crypto/tls"
 	"errors"
 	"fmt"
@@ -171,14 +170,10 @@ func AddAuthorizationMiddleware(client *http.Client, creds *auth.Credentials) er
 			base = http.DefaultTransport
 		}
 	}
-	clientUniverseDomain, err := creds.UniverseDomain(context.Background())
-	if err != nil {
-		return err
-	}
 	client.Transport = &authTransport{
 		creds:                creds,
 		base:                 base,
-		clientUniverseDomain: clientUniverseDomain,
+		clientUniverseDomain: creds.UniverseDomainPropertyProvider(),
 	}
 	return nil
 }

auth/httptransport/transport.go

@@ -90,7 +90,7 @@ func newTransport(base http.RoundTripper, opts *Options) (http.RoundTripper, err
 		trans = &authTransport{
 			base:                 trans,
 			creds:                creds,
-			clientUniverseDomain: opts.UniverseDomain,
+			clientUniverseDomain: internal.StaticCredentialsProperty(opts.UniverseDomain),
 		}
 	}
 	return trans, nil
@@ -187,7 +187,7 @@ func addOCTransport(trans http.RoundTripper, opts *Options) http.RoundTripper {
 type authTransport struct {
 	creds                *auth.Credentials
 	base                 http.RoundTripper
-	clientUniverseDomain string
+	clientUniverseDomain auth.CredentialsPropertyProvider
 }
 
 // getClientUniverseDomain returns the default service domain for a given Cloud
@@ -199,14 +199,20 @@ type authTransport struct {
 //
 // This is the universe domain configured for the client, which will be compared
 // to the universe domain that is separately configured for the credentials.
-func (t *authTransport) getClientUniverseDomain() string {
-	if t.clientUniverseDomain != "" {
-		return t.clientUniverseDomain
+func (t *authTransport) getClientUniverseDomain(ctx context.Context) (string, error) {
+	if t.clientUniverseDomain != nil {
+		clientUD, err := t.clientUniverseDomain.GetProperty(ctx)
+		if err != nil {
+			return "", err
+		}
+		if clientUD != "" {
+			return clientUD, nil
+		}
 	}
 	if envUD := os.Getenv(internal.UniverseDomainEnvVar); envUD != "" {
-		return envUD
+		return envUD, nil
 	}
-	return internal.DefaultUniverseDomain
+	return internal.DefaultUniverseDomain, nil
 }
 
 // RoundTrip authorizes and authenticates the request with an
@@ -231,7 +237,11 @@ func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 		if err != nil {
 			return nil, err
 		}
-		if err := transport.ValidateUniverseDomain(t.getClientUniverseDomain(), credentialsUniverseDomain); err != nil {
+		clientUniverseDomain, err := t.getClientUniverseDomain(req.Context())
+		if err != nil {
+			return nil, err
+		}
+		if err := transport.ValidateUniverseDomain(clientUniverseDomain, credentialsUniverseDomain); err != nil {
 			return nil, err
 		}
 	}

auth/httptransport/transport_test.go

@@ -15,6 +15,7 @@
 package httptransport
 
 import (
+	"context"
 	"testing"
 
 	"cloud.google.com/go/auth/internal"
@@ -57,8 +58,8 @@ func TestAuthTransport_GetClientUniverseDomain(t *testing.T) {
 			if tt.envUniverseDomain != "" {
 				t.Setenv(internal.UniverseDomainEnvVar, tt.envUniverseDomain)
 			}
-			at := &authTransport{clientUniverseDomain: tt.clientUniverseDomain}
-			got := at.getClientUniverseDomain()
+			at := &authTransport{clientUniverseDomain: internal.StaticCredentialsProperty(tt.clientUniverseDomain)}
+			got, _ := at.getClientUniverseDomain(context.Background())
 			if got != tt.want {
 				t.Errorf("got %q, want %q", got, tt.want)
 			}