Merge branch 'main' into main

Author: sjvanrossum

.github/workflows/auto-release.yaml

@@ -1,5 +1,17 @@
 # Changelog
 
+## [1.29.0](https://github.com/googleapis/google-auth-library-java/compare/v1.28.0...v1.29.0) (2024-10-22)
+
+
+### Features
+
+* Service sccount to service account impersonation to support universe domain ([#1528](https://github.com/googleapis/google-auth-library-java/issues/1528)) ([c498ccf](https://github.com/googleapis/google-auth-library-java/commit/c498ccf67755c6ec619cb37962c2c86ae3ec9d4c))
+
+
+### Bug Fixes
+
+* Make some enum fields final ([#1526](https://github.com/googleapis/google-auth-library-java/issues/1526)) ([8920155](https://github.com/googleapis/google-auth-library-java/commit/89201558db913d9a71b3acccbab8eb0045ada6de))
+
 ## [1.28.0](https://github.com/googleapis/google-auth-library-java/compare/v1.27.0...v1.28.0) (2024-10-02)
 
 

CHANGELOG.md

@@ -5,7 +5,7 @@
   <parent>
     <groupId>com.google.auth</groupId>
     <artifactId>google-auth-library-parent</artifactId>
-    <version>1.28.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
+    <version>1.29.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
     <relativePath>../pom.xml</relativePath>
   </parent>
 

appengine/pom.xml

@@ -3,7 +3,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>com.google.auth</groupId>
   <artifactId>google-auth-library-bom</artifactId>
-  <version>1.28.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-bom:current} -->
+  <version>1.29.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-bom:current} -->
   <packaging>pom</packaging>
   <name>Google Auth Library for Java BOM</name>
   <description>
@@ -91,7 +91,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-site-plugin</artifactId>
-        <version>3.20.0</version>
+        <version>3.21.0</version>
         <configuration>
           <skip>true</skip>
         </configuration>

bom/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>com.google.auth</groupId>
     <artifactId>google-auth-library-parent</artifactId>
-    <version>1.28.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
+    <version>1.29.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
     <relativePath>../pom.xml</relativePath>
   </parent>
 

credentials/pom.xml

@@ -507,7 +507,7 @@ public static String getTokenServerEncodedUrl() {
 
   public static String getUniverseDomainUrl() {
     return getMetadataServerUrl(DefaultCredentialsProvider.DEFAULT)
-        + "/computeMetadata/v1/universe/universe_domain";
+        + "/computeMetadata/v1/universe/universe-domain";
   }
 
   public static String getServiceAccountsUrl() {

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -263,11 +263,11 @@ protected boolean isExplicitUniverseDomain() {
   /**
    * Checks if universe domain equals to {@link Credentials#GOOGLE_DEFAULT_UNIVERSE}.
    *
-   * @return true if universeDomain equals to {@link Credentials#GOOGLE_DEFAULT_UNIVERSE}, false
+   * @return true if universe domain equals to {@link Credentials#GOOGLE_DEFAULT_UNIVERSE}, false
    *     otherwise
    */
-  boolean isDefaultUniverseDomain() {
-    return this.universeDomain.equals(Credentials.GOOGLE_DEFAULT_UNIVERSE);
+  boolean isDefaultUniverseDomain() throws IOException {
+    return getUniverseDomain().equals(Credentials.GOOGLE_DEFAULT_UNIVERSE);
   }
 
   /**

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -103,9 +103,6 @@ public class ImpersonatedCredentials extends GoogleCredentials
   private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;
   private static final String CLOUD_PLATFORM_SCOPE =
       "https://www.googleapis.com/auth/cloud-platform";
-  private static final String IAM_ACCESS_TOKEN_ENDPOINT =
-      "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken";
-
   private GoogleCredentials sourceCredentials;
   private String targetPrincipal;
   private List<String> delegates;
@@ -423,14 +420,7 @@ public boolean createScopedRequired() {
 
   @Override
   public GoogleCredentials createScoped(Collection<String> scopes) {
-    return toBuilder()
-        .setScopes(new ArrayList<>(scopes))
-        .setLifetime(this.lifetime)
-        .setDelegates(this.delegates)
-        .setHttpTransportFactory(this.transportFactory)
-        .setQuotaProjectId(this.quotaProjectId)
-        .setIamEndpointOverride(this.iamEndpointOverride)
-        .build();
+    return toBuilder().setScopes(new ArrayList<>(scopes)).setAccessToken(null).build();
   }
 
   @Override
@@ -457,7 +447,7 @@ public ImpersonatedCredentials createWithCustomCalendar(Calendar calendar) {
         .build();
   }
 
-  private ImpersonatedCredentials(Builder builder) {
+  private ImpersonatedCredentials(Builder builder) throws IOException {
     super(builder);
     this.sourceCredentials = builder.getSourceCredentials();
     this.targetPrincipal = builder.getTargetPrincipal();
@@ -472,14 +462,36 @@ private ImpersonatedCredentials(Builder builder) {
     this.transportFactoryClassName = this.transportFactory.getClass().getName();
     this.calendar = builder.getCalendar();
     if (this.delegates == null) {
-      this.delegates = new ArrayList<String>();
+      this.delegates = new ArrayList<>();
     }
     if (this.scopes == null) {
       throw new IllegalStateException("Scopes cannot be null");
     }
     if (this.lifetime > TWELVE_HOURS_IN_SECONDS) {
       throw new IllegalStateException("lifetime must be less than or equal to 43200");
     }
+
+    // Do not expect explicit universe domain, throw exception if the explicit universe domain
+    // does not match the source credential.
+    // Do nothing if it matches the source credential
+    if (isExplicitUniverseDomain()
+        && !this.sourceCredentials.getUniverseDomain().equals(builder.getUniverseDomain())) {
+      throw new IllegalStateException(
+          String.format(
+              "Universe domain %s in source credentials "
+                  + "does not match %s universe domain set for impersonated credentials.",
+              this.sourceCredentials.getUniverseDomain(), builder.getUniverseDomain()));
+    }
+  }
+
+  /**
+   * Gets the universe domain for the credential.
+   *
+   * @return the universe domain from source credentials
+   */
+  @Override
+  public String getUniverseDomain() throws IOException {
+    return this.sourceCredentials.getUniverseDomain();
   }
 
   @Override
@@ -489,10 +501,18 @@ public AccessToken refreshAccessToken() throws IOException {
           this.sourceCredentials.createScoped(Arrays.asList(CLOUD_PLATFORM_SCOPE));
     }
 
-    try {
-      this.sourceCredentials.refreshIfExpired();
-    } catch (IOException e) {
-      throw new IOException("Unable to refresh sourceCredentials", e);
+    // skip for SA with SSJ flow because it uses self-signed JWT
+    // and will get refreshed at initialize request step
+    // run for other source credential types or SA with GDU assert flow
+    if (!(this.sourceCredentials instanceof ServiceAccountCredentials)
+        || (isDefaultUniverseDomain()
+            && ((ServiceAccountCredentials) this.sourceCredentials)
+                .shouldUseAssertionFlowForGdu())) {
+      try {
+        this.sourceCredentials.refreshIfExpired();
+      } catch (IOException e) {
+        throw new IOException("Unable to refresh sourceCredentials", e);
+      }
     }
 
     HttpTransport httpTransport = this.transportFactory.create();
@@ -504,7 +524,11 @@ public AccessToken refreshAccessToken() throws IOException {
     String endpointUrl =
         this.iamEndpointOverride != null
             ? this.iamEndpointOverride
-            : String.format(IAM_ACCESS_TOKEN_ENDPOINT, this.targetPrincipal);
+            : String.format(
+                OAuth2Utils.IAM_ACCESS_TOKEN_ENDPOINT_FORMAT,
+                getUniverseDomain(),
+                this.targetPrincipal);
+
     GenericUrl url = new GenericUrl(endpointUrl);
 
     Map<String, Object> body =
@@ -603,6 +627,9 @@ public boolean equals(Object obj) {
     if (!(obj instanceof ImpersonatedCredentials)) {
       return false;
     }
+    if (!super.equals(obj)) {
+      return false;
+    }
     ImpersonatedCredentials other = (ImpersonatedCredentials) obj;
     return Objects.equals(this.sourceCredentials, other.sourceCredentials)
         && Objects.equals(this.targetPrincipal, other.targetPrincipal)
@@ -616,7 +643,7 @@ public boolean equals(Object obj) {
 
   @Override
   public Builder toBuilder() {
-    return new Builder(this.sourceCredentials, this.targetPrincipal);
+    return new Builder(this);
   }
 
   public static Builder newBuilder() {
@@ -636,11 +663,29 @@ public static class Builder extends GoogleCredentials.Builder {
 
     protected Builder() {}
 
+    /**
+     * @param sourceCredentials The source credentials to use for impersonation.
+     * @param targetPrincipal The service account to impersonate.
+     * @deprecated Use {@link #Builder(ImpersonatedCredentials)} instead. This constructor will be
+     *     removed in a future release.
+     */
+    @Deprecated
     protected Builder(GoogleCredentials sourceCredentials, String targetPrincipal) {
       this.sourceCredentials = sourceCredentials;
       this.targetPrincipal = targetPrincipal;
     }
 
+    protected Builder(ImpersonatedCredentials credentials) {
+      super(credentials);
+      this.sourceCredentials = credentials.sourceCredentials;
+      this.targetPrincipal = credentials.targetPrincipal;
+      this.delegates = credentials.delegates;
+      this.scopes = credentials.scopes;
+      this.lifetime = credentials.lifetime;
+      this.transportFactory = credentials.transportFactory;
+      this.iamEndpointOverride = credentials.iamEndpointOverride;
+    }
+
     @CanIgnoreReturnValue
     public Builder setSourceCredentials(GoogleCredentials sourceCredentials) {
       this.sourceCredentials = sourceCredentials;
@@ -726,7 +771,13 @@ public Calendar getCalendar() {
 
     @Override
     public ImpersonatedCredentials build() {
-      return new ImpersonatedCredentials(this);
+      try {
+        return new ImpersonatedCredentials(this);
+      } catch (IOException e) {
+        // throwing exception would be breaking change. catching instead.
+        // this should never happen.
+        throw new IllegalStateException(e);
+      }
     }
   }
 

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -81,6 +81,11 @@ class OAuth2Utils {
   static final String IAM_ID_TOKEN_ENDPOINT_FORMAT =
       "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s:generateIdToken";
 
+  static final String IAM_ACCESS_TOKEN_ENDPOINT_FORMAT =
+      "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s:generateAccessToken";
+  static final String SIGN_BLOB_ENDPOINT_FORMAT =
+      "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s:signBlob";
+
   static final URI TOKEN_SERVER_URI = URI.create("https://oauth2.googleapis.com/token");
 
   static final URI TOKEN_REVOKE_URI = URI.create("https://oauth2.googleapis.com/revoke");