googleapis
diff --git a/‎oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java‎
Lines changed: 31 additions & 101 deletions b/‎oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java‎
Lines changed: 31 additions & 101 deletions
diff --git a/‎oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentialsTest.java‎
Lines changed: 15 additions & 46 deletions b/‎oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentialsTest.java‎
Lines changed: 15 additions & 46 deletions
diff --git a/‎oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java‎
Lines changed: 28 additions & 86 deletions b/‎oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java‎
Lines changed: 28 additions & 86 deletions
@@ -40,8 +40,11 @@
 import static org.junit.Assert.fail;
 
 import com.google.api.client.json.GenericJson;
+import com.google.api.client.json.Json;
 import com.google.api.client.json.JsonParser;
+import com.google.api.client.testing.http.MockHttpTransport;
 import com.google.api.client.testing.http.MockLowLevelHttpRequest;
+import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.api.client.util.Clock;
 import com.google.auth.TestUtils;
 import com.google.auth.oauth2.ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory;
@@ -1400,105 +1403,32 @@ public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext cont
     }
   }
 
-  //  @Test
-  //  public void testRefresh_trustBoundarySuccess() throws IOException {
-  //      TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
-  //      TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
-  //      environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
-  //
-  //    MockHttpTransport mockHttpTransport =
-  //        new MockHttpTransport.Builder()
-  //            // AWS region call
-  //            .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent("us-east-1a"))
-  //            // AWS IAM role name call
-  //            .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent("roleName"))
-  //            // AWS credentials call
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setContent(
-  //
-  // "{\"Code\":\"Success\",\"AccessKeyId\":\"accessKeyId\",\"SecretAccessKey\":\"secretAccessKey\",\"Token\":\"token\"}"))
-  //            // STS token call
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setContentType(Json.MEDIA_TYPE)
-  //                    .setContent(
-  //                        String.format(
-  //                            "{\"access_token\": \"%s\", \"expires_in\": %s, \"token_type\":
-  // \"Bearer\"}",
-  //                            "sts_access_token", 3600)))
-  //            // Trust boundary call
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setContentType(Json.MEDIA_TYPE)
-  //                    .setContent(
-  //                        "{\"locations\": [\"us-central1\"], \"encodedLocations\": \"0x1\"}"))
-  //            .build();
-  //
-  //    AwsCredentials credentials =
-  //        AwsCredentials.newBuilder()
-  //            .setHttpTransportFactory(() -> mockHttpTransport)
-  //            .setAudience(
-  //
-  // "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
-  //            .setSubjectTokenType("subjectTokenType")
-  //            .setTokenUrl(STS_URL)
-  //            .setCredentialSource(AWS_CREDENTIAL_SOURCE)
-  //            .build();
-  //
-  //    credentials.refresh();
-  //
-  //    TrustBoundary trustBoundary = credentials.getTrustBoundary();
-  //    assertNotNull(trustBoundary);
-  //    assertEquals("0x1", trustBoundary.getEncodedLocations());
-  //  }
-  //
-  //  @Test
-  //  public void testRefresh_trustBoundaryFails() throws IOException {
-  //      TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
-  //      TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
-  //      environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
-  //
-  //    MockHttpTransport mockHttpTransport =
-  //        new MockHttpTransport.Builder()
-  //            .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent("us-east-1a"))
-  //            .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent("roleName"))
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setContent(
-  //
-  // "{\"Code\":\"Success\",\"AccessKeyId\":\"accessKeyId\",\"SecretAccessKey\":\"secretAccessKey\",\"Token\":\"token\"}"))
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setContentType(Json.MEDIA_TYPE)
-  //                    .setContent(
-  //                        String.format(
-  //                            "{\"access_token\": \"%s\", \"expires_in\": %s, \"token_type\":
-  // \"Bearer\"}",
-  //                            "sts_access_token", 3600)))
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setStatusCode(404)
-  //                    .setContent("{\"error\": \"not found\"}"))
-  //            .build();
-  //
-  //    AwsCredentials credentials =
-  //        AwsCredentials.newBuilder()
-  //            .setHttpTransportFactory(() -> mockHttpTransport)
-  //            .setAudience(
-  //
-  // "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
-  //            .setSubjectTokenType("subjectTokenType")
-  //            .setTokenUrl(STS_URL)
-  //            .setCredentialSource(AWS_CREDENTIAL_SOURCE)
-  //            .build();
-  //
-  //    try {
-  //      credentials.refresh();
-  //      fail("Expected IOException to be thrown.");
-  //    } catch (IOException e) {
-  //      assertEquals(
-  //          "Failed to refresh trust boundary and no cached value is available.", e.getMessage());
-  //    }
-  //  }
+    @Test
+    public void testRefresh_trustBoundarySuccess() throws IOException {
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+
+    MockExternalAccountCredentialsTransportFactory transportFactory =
+        new MockExternalAccountCredentialsTransportFactory();
+
+    AwsSecurityCredentialsSupplier supplier =
+        new TestAwsSecurityCredentialsSupplier("test", programmaticAwsCreds, null, null);
+
+    AwsCredentials awsCredential =
+        AwsCredentials.newBuilder()
+            .setAwsSecurityCredentialsSupplier(supplier)
+            .setHttpTransportFactory(transportFactory)
+            .setAudience(
+                "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
+            .setTokenUrl(STS_URL)
+            .setSubjectTokenType("subjectTokenType")
+            .build();
+
+    awsCredential.refreshAccessToken();
+
+    TrustBoundary trustBoundary = awsCredential.getTrustBoundary();
+    assertNotNull(trustBoundary);
+    assertEquals("0x800000", trustBoundary.getEncodedLocations());
+  }
 }
@@ -1225,25 +1225,9 @@ public void testRefresh_trustBoundarySuccess() throws IOException {
     TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
     environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
 
-    MockHttpTransport mockHttpTransport =
-        new MockHttpTransport.Builder()
-            .setLowLevelHttpResponse(
-                new MockLowLevelHttpResponse()
-                    .setContentType(Json.MEDIA_TYPE)
-                    .setContent(
-                        String.format(
-                            "{\"access_token\": \"%s\", \"expires_in\": %s, \"token_type\": \"Bearer\"}",
-                            "sts_access_token", 3600)))
-            .setLowLevelHttpResponse(
-                new MockLowLevelHttpResponse()
-                    .setContentType(Json.MEDIA_TYPE)
-                    .setContent(
-                        "{\"locations\": [\"us-central1\"], \"encodedLocations\": \"0x1\"}"))
-            .build();
-
     ExternalAccountAuthorizedUserCredentials credentials =
         ExternalAccountAuthorizedUserCredentials.newBuilder()
-            .setHttpTransportFactory(() -> mockHttpTransport)
+            .setHttpTransportFactory(transportFactory)
             .setAudience(AUDIENCE)
             .setClientId(CLIENT_ID)
             .setClientSecret(CLIENT_SECRET)
@@ -1259,35 +1243,20 @@ public void testRefresh_trustBoundarySuccess() throws IOException {
   }
 
   @Test
-  public void testRefresh_trustBoundaryFails() throws IOException {
-    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
-    TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
-    environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
-
-    MockHttpTransport mockHttpTransport =
-        new MockHttpTransport.Builder()
-            .setLowLevelHttpResponse(
-                new MockLowLevelHttpResponse()
-                    .setContentType(Json.MEDIA_TYPE)
-                    .setContent(
-                        String.format(
-                            "{\"access_token\": \"%s\", \"expires_in\": %s, \"token_type\": \"Bearer\"}",
-                            "sts_access_token", 3600)))
-            .setLowLevelHttpResponse(
-                new MockLowLevelHttpResponse()
-                    .setStatusCode(404)
-                    .setContent("{\"error\": \"not found\"}"))
-            .build();
-
-    ExternalAccountAuthorizedUserCredentials credentials =
-        ExternalAccountAuthorizedUserCredentials.newBuilder()
-            .setHttpTransportFactory(() -> mockHttpTransport)
-            .setAudience(AUDIENCE)
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setTokenUrl(TOKEN_URL)
-            .build();
+  public void testRefresh_trustBoundaryFails_incorrectAudience() throws IOException {
+      TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+      TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+      environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+
+      ExternalAccountAuthorizedUserCredentials credentials =
+              ExternalAccountAuthorizedUserCredentials.newBuilder()
+                      .setHttpTransportFactory(transportFactory)
+                      .setAudience("audience")
+                      .setClientId(CLIENT_ID)
+                      .setClientSecret(CLIENT_SECRET)
+                      .setRefreshToken(REFRESH_TOKEN)
+                      .setTokenUrl(TOKEN_URL)
+                      .build();
 
     try {
       credentials.refresh();
 
@@ -1305,90 +1305,32 @@ void setShouldThrowOnGetCertificatePath(boolean shouldThrow) {
     }
   }
 
-  //  @Test
-  //  public void testRefresh_trustBoundarySuccess() throws IOException {
-  //      TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
-  //      TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
-  //      environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
-  //
-  //    MockHttpTransport mockHttpTransport =
-  //        new MockHttpTransport.Builder()
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setContentType(Json.MEDIA_TYPE)
-  //                    .setContent(
-  //                        String.format(
-  //                            "{\"access_token\": \"%s\", \"expires_in\": %s, \"token_type\":
-  // \"Bearer\"}",
-  //                            "sts_access_token", 3600)))
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setContentType(Json.MEDIA_TYPE)
-  //                    .setContent(
-  //                        "{\"locations\": [\"us-central1\"], \"encodedLocations\": \"0x1\"}"))
-  //            .build();
-  //
-  //    HttpTransportFactory testingHttpTransportFactory = () -> mockHttpTransport;
-  //
-  //    IdentityPoolCredentials credentials =
-  //        IdentityPoolCredentials.newBuilder()
-  //            .setHttpTransportFactory(testingHttpTransportFactory)
-  //            .setAudience(
-  //
-  // "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
-  //            .setSubjectTokenType("subjectTokenType")
-  //            .setTokenUrl(STS_URL)
-  //            .setCredentialSource(createFileCredentialSource())
-  //            .build();
-  //
-  //    credentials.refresh();
-  //
-  //    TrustBoundary trustBoundary = credentials.getTrustBoundary();
-  //    assertNotNull(trustBoundary);
-  //    assertEquals("0x1", trustBoundary.getEncodedLocations());
-  //  }
-  //
-  //  @Test
-  //  public void testRefresh_trustBoundaryFails() throws IOException {
-  //      TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
-  //      TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
-  //      environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
-  //
-  //    MockHttpTransport mockHttpTransport =
-  //        new MockHttpTransport.Builder()
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setContentType(Json.MEDIA_TYPE)
-  //                    .setContent(
-  //                        String.format(
-  //                            "{\"access_token\": \"%s\", \"expires_in\": %s, \"token_type\":
-  // \"Bearer\"}",
-  //                            "sts_access_token", 3600)))
-  //            .setLowLevelHttpResponse(
-  //                new MockLowLevelHttpResponse()
-  //                    .setStatusCode(404)
-  //                    .setContent("{\"error\": \"not found\"}"))
-  //            .build();
-  //
-  //    HttpTransportFactory testingHttpTransportFactory = () -> mockHttpTransport;
-  //
-  //    IdentityPoolCredentials credentials =
-  //        IdentityPoolCredentials.newBuilder()
-  //            .setHttpTransportFactory(testingHttpTransportFactory)
-  //            .setAudience(
-  //
-  // "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
-  //            .setSubjectTokenType("subjectTokenType")
-  //            .setTokenUrl(STS_URL)
-  //            .setCredentialSource(createFileCredentialSource())
-  //            .build();
-  //
-  //    try {
-  //      credentials.refresh();
-  //      fail("Expected IOException to be thrown.");
-  //    } catch (IOException e) {
-  //      assertEquals(
-  //          "Failed to refresh trust boundary and no cached value is available.", e.getMessage());
-  //    }
-  //  }
+    @Test
+    public void testRefresh_trustBoundarySuccess() throws IOException {
+        TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+        TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+        environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+
+      MockExternalAccountCredentialsTransportFactory transportFactory =
+          new MockExternalAccountCredentialsTransportFactory();
+      HttpTransportFactory testingHttpTransportFactory = transportFactory;
+
+      IdentityPoolCredentials credentials =
+          IdentityPoolCredentials.newBuilder()
+                  .setSubjectTokenSupplier(testProvider)
+              .setHttpTransportFactory(testingHttpTransportFactory)
+              .setAudience(
+   "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
+              .setSubjectTokenType("subjectTokenType")
+              .setTokenUrl(STS_URL)
+              .build();
+
+      credentials.refresh();
+
+      TrustBoundary trustBoundary = credentials.getTrustBoundary();
+      assertNotNull(trustBoundary);
+      assertEquals(
+              "0x800000",
+          trustBoundary.getEncodedLocations());
+    }
 }