From 00513c8887c588e29c0233ef3a02ccaf9457fe3b Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Fri, 29 Mar 2024 16:21:53 -0600
Subject: [PATCH] fix(auth): fix EXPERIMENTAL_GOOGLE_API_USE_S2A detection

fixes: #9670
---
 auth/internal/transport/cba_test.go | 36 ++++++++++++++---------------
 auth/internal/transport/s2a.go | 8 +++++--
 2 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/auth/internal/transport/cba_test.go b/auth/internal/transport/cba_test.go
index 1f3199e093e7..4da1e8cf5ec6 100644
--- a/auth/internal/transport/cba_test.go
+++ b/auth/internal/transport/cba_test.go
@@ -396,13 +396,13 @@ func setupTest(t *testing.T) func() {
 func TestGetTransportConfig_UniverseDomain(t *testing.T) {
 testCases := []struct {
 name string
- ds *Options
+ opts *Options
 wantEndpoint string
 wantErr error
 }{
 {
 name: "google default universe (GDU), no client cert",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -411,7 +411,7 @@ func TestGetTransportConfig_UniverseDomain(t *testing.T) {
 },
 {
 name: "google default universe (GDU), client cert",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -421,7 +421,7 @@ func TestGetTransportConfig_UniverseDomain(t *testing.T) {
 },
 {
 name: "UniverseDomain, no client cert",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -431,7 +431,7 @@ func TestGetTransportConfig_UniverseDomain(t *testing.T) {
 },
 {
 name: "UniverseDomain, client cert",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -444,12 +444,12 @@ func TestGetTransportConfig_UniverseDomain(t *testing.T) {
 }
 
 for _, tc := range testCases {
- if tc.ds.ClientCertProvider != nil {
+ if tc.opts.ClientCertProvider != nil {
 os.Setenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "true")
 } else {
 os.Setenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")
 }
- config, err := getTransportConfig(tc.ds)
+ config, err := getTransportConfig(tc.opts)
 if err != nil {
 if err != tc.wantErr {
 t.Fatalf("%s: err: %v", tc.name, err)
@@ -465,13 +465,13 @@ func TestGetTransportConfig_UniverseDomain(t *testing.T) {
 func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 testCases := []struct {
 name string
- ds *Options
+ opts *Options
 wantEndpoint string
 wantErr error
 }{
 {
 name: "google default universe (GDU), no client cert",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -480,7 +480,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 },
 {
 name: "google default universe (GDU), no client cert, endpoint",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -490,7 +490,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 },
 {
 name: "google default universe (GDU), client cert",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -500,7 +500,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 },
 {
 name: "google default universe (GDU), client cert, endpoint",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -511,7 +511,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 },
 {
 name: "UniverseDomain, no client cert",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -522,7 +522,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 },
 {
 name: "UniverseDomain, no client cert, endpoint",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -533,7 +533,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 },
 {
 name: "UniverseDomain, client cert",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -544,7 +544,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 },
 {
 name: "UniverseDomain, client cert, endpoint",
- ds: &Options{
+ opts: &Options{
 DefaultEndpoint: testRegularEndpoint,
 DefaultEndpointTemplate: testEndpointTemplate,
 DefaultMTLSEndpoint: testMTLSEndpoint,
@@ -557,12 +557,12 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 }
 
 for _, tc := range testCases {
- if tc.ds.ClientCertProvider != nil {
+ if tc.opts.ClientCertProvider != nil {
 os.Setenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "true")
 } else {
 os.Setenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")
 }
- _, endpoint, err := GetGRPCTransportCredsAndEndpoint(tc.ds)
+ _, endpoint, err := GetGRPCTransportCredsAndEndpoint(tc.opts)
 if err != nil {
 if err != tc.wantErr {
 t.Fatalf("%s: err: %v", tc.name, err)
diff --git a/auth/internal/transport/s2a.go b/auth/internal/transport/s2a.go
index 45ac578b2653..9614f2224e8a 100644
--- a/auth/internal/transport/s2a.go
+++ b/auth/internal/transport/s2a.go
@@ -18,7 +18,7 @@ import (
 "encoding/json"
 "log"
 "os"
- "strconv"
+ "strings"
 "sync"
 "time"
 
@@ -162,7 +162,7 @@ func shouldUseS2A(clientCertSource cert.Provider, opts *Options) bool {
 return false
 }
 // If EXPERIMENTAL_GOOGLE_API_USE_S2A is not set to true, skip S2A.
- if b, err := strconv.ParseBool(os.Getenv(googleAPIUseS2AEnv)); err == nil && !b {
+ if !isGoogleS2AEnabled() {
 return false
 }
 // If DefaultMTLSEndpoint is not set and no endpoint override, skip S2A.
@@ -179,3 +179,7 @@ func shouldUseS2A(clientCertSource cert.Provider, opts *Options) bool {
 }
 return true
 }
+
+func isGoogleS2AEnabled() bool {
+ return strings.ToLower(os.Getenv(googleAPIUseS2AEnv)) == "true"
+}
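Review bot: The corrected branch in shouldUseS2A has no test pinning it. Every cba_test.go hunk in this patch only renames `ds` to `opts`, so a regression to the old behaviour, where an unset EXPERIMENTAL_GOOGLE_API_USE_S2A did not skip S2A, would still pass. A small table test over the empty, `false`, `true` and `TRUE` values would cover it; the sketch below uses `t.Setenv`, which needs Go 1.17 or later and restores the variable when the test ends. shouldUseS2A begins before this hunk and continues past it, so its other early returns are not reviewed here.

```go
func TestIsGoogleS2AEnabled(t *testing.T) {
	for _, tc := range []struct {
		val  string
		want bool
	}{
		{"", false},
		{"false", false},
		{"true", true},
		{"TRUE", true},
	} {
		t.Setenv(googleAPIUseS2AEnv, tc.val)
		if got := isGoogleS2AEnabled(); got != tc.want {
			t.Errorf("isGoogleS2AEnabled() with %q = %t, want %t", tc.val, got, tc.want)
		}
	}
}
```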
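Review bot: isGoogleS2AEnabled has no doc comment, and it accepts only a case-insensitive `true`, which is narrower than the strconv.ParseBool call it replaces. Values such as `1` or `t`, or `true` with surrounding whitespace, now turn S2A off silently, so someone who set the variable that way presumably ends up on the non-S2A transport while believing S2A is in use. The accepted values should be stated on the helper, for example `// isGoogleS2AEnabled reports whether EXPERIMENTAL_GOOGLE_API_USE_S2A is set to "true" (case-insensitive); unset or any other value, including "1", disables S2A.` The comparison can also be written `return strings.EqualFold(os.Getenv(googleAPIUseS2AEnv), "true")`, which avoids the lowercased copy.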