feat: Add additional credential info for ADC Credentials

Author: lqiu96

oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java

@@ -125,6 +125,7 @@ private void init() throws IOException {
       this.signForApp = serviceClass.getMethod(SIGN_FOR_APP_METHOD, byte[].class);
       Class<?> signingResultClass = forName(SIGNING_RESULT_CLASS);
       this.getSignature = signingResultClass.getMethod(GET_SIGNATURE_METHOD);
+      this.type = "App Engine Credentials";
     } catch (ClassNotFoundException
         | NoSuchMethodException
         | IllegalAccessException

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -220,6 +220,7 @@ private ComputeEngineCredentials(ComputeEngineCredentials.Builder builder) {
     }
     this.transport = builder.getGoogleAuthTransport();
     this.bindingEnforcement = builder.getBindingEnforcement();
+    this.type = "Compute Engine Credentials";
   }
 
   @Override
@@ -691,6 +692,7 @@ public String getAccount() {
     if (serviceAccountEmail == null) {
       try {
         serviceAccountEmail = getDefaultServiceAccount();
+        this.principal = serviceAccountEmail;
       } catch (IOException ex) {
         throw new RuntimeException("Failed to get service account", ex);
       }

oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java

@@ -145,7 +145,10 @@ private final GoogleCredentials getDefaultCredentialsUnsynchronized(
           throw new IOException("File does not exist.");
         }
         credentialsStream = readStream(credentialsFile);
-        credentials = GoogleCredentials.fromStream(credentialsStream, transportFactory);
+        credentials =
+            GoogleCredentials.fromStream(credentialsStream, transportFactory)
+                .withSource(
+                    String.format("Env Var %s set to %s", CREDENTIAL_ENV_VAR, credentialsPath));
       } catch (IOException e) {
         // Although it is also the cause, the message of the caught exception can have very
         // important information for diagnosing errors, so include its message in the
@@ -176,7 +179,11 @@ private final GoogleCredentials getDefaultCredentialsUnsynchronized(
                   "Attempting to load credentials from well known file: %s",
                   wellKnownFileLocation.getCanonicalPath()));
           credentialsStream = readStream(wellKnownFileLocation);
-          credentials = GoogleCredentials.fromStream(credentialsStream, transportFactory);
+          credentials =
+              GoogleCredentials.fromStream(credentialsStream, transportFactory)
+                  .withSource(
+                      String.format(
+                          "Well Known File at %s", wellKnownFileLocation.getCanonicalPath()));
         }
       } catch (IOException e) {
         throw new IOException(
@@ -210,6 +217,14 @@ private final GoogleCredentials getDefaultCredentialsUnsynchronized(
     if (credentials == null) {
       LOGGER.log(Level.FINE, "Attempting to load credentials from GCE");
       credentials = tryGetComputeCredentials(transportFactory);
+      // tryGetComputeCredentials can return a null value. This check won't set the source
+      // if the ComputeEngineCredentials fails (prevents a NPE)
+      if (credentials != null) {
+        credentials =
+            credentials.withSource(
+                String.format(
+                    "Metadata Server URL set to %s", System.getenv(GCE_METADATA_HOST_ENV_VAR)));
+      }
     }
 
     if (credentials != null) {

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -117,6 +117,8 @@ private ExternalAccountAuthorizedUserCredentials(Builder builder) {
     this.clientId = builder.clientId;
     this.clientSecret = builder.clientSecret;
 
+    this.type = "External Account Authorized User Credentials";
+
     Preconditions.checkState(
         getAccessToken() != null || canRefresh(),
         "ExternalAccountAuthorizedUserCredentials must be initialized with "

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -214,6 +214,7 @@ protected ExternalAccountCredentials(
     }
 
     this.metricsHandler = new ExternalAccountMetricsHandler(this);
+    this.type = "External Account Credentials";
   }
 
   /**

oauth2_http/java/com/google/auth/oauth2/GdchCredentials.java

@@ -96,6 +96,7 @@ public class GdchCredentials extends GoogleCredentials {
     this.caCertPath = builder.caCertPath;
     this.apiAudience = builder.apiAudience;
     this.lifetime = builder.lifetime;
+    this.type = "GDCH Credentials";
   }
 
   /**

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -40,6 +40,7 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
 import com.google.common.base.MoreObjects.ToStringHelper;
+import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.io.IOException;
@@ -64,6 +65,14 @@ public class GoogleCredentials extends OAuth2Credentials implements QuotaProject
   static final String SERVICE_ACCOUNT_FILE_TYPE = "service_account";
   static final String GDCH_SERVICE_ACCOUNT_FILE_TYPE = "gdch_service_account";
 
+  /* The following package-private fields provide additional info for errors message */
+  // Source of the credential (e.g. env var value or well know file location)
+  String source;
+  // User-friendly name of actual Credential class
+  String type;
+  // Identity of the credential (not all credentials will have this)
+  String principal;
+
   private final String universeDomain;
   private final boolean isExplicitUniverseDomain;
 
@@ -359,6 +368,8 @@ protected GoogleCredentials(Builder builder) {
       this.universeDomain = builder.getUniverseDomain();
       this.isExplicitUniverseDomain = true;
     }
+
+    this.source = builder.source;
   }
 
   /**
@@ -497,9 +508,40 @@ public GoogleCredentials createDelegated(String user) {
     return this;
   }
 
+  /**
+   * Internal method meant to help provide information for how certain Credential objects loaded by
+   * ADC were initialized
+   */
+  GoogleCredentials withSource(String source) {
+    return toBuilder().setSource(source).build();
+  }
+
+  /**
+   * Provides additional information regarding credential initialization source - Initialized via
+   * the GOOGLE_APPLICATION_CREDENTIALS env var or well known file type - The type of credential
+   * created principal - Identity used for the credential These fields are populated on a
+   * best-effort basis and may be null or missing
+   *
+   * @return Map of information regarding how the Credential was initialized
+   */
+  public Map<String, String> getCredentialInfo() {
+    Map<String, String> infoMap = new HashMap<>();
+    if (!Strings.isNullOrEmpty(source)) {
+      infoMap.put("Credential Source", source);
+    }
+    if (!Strings.isNullOrEmpty(type)) {
+      infoMap.put("Credential Type", type);
+    }
+    if (!Strings.isNullOrEmpty(principal)) {
+      infoMap.put("Principal", principal);
+    }
+    return infoMap;
+  }
+
   public static class Builder extends OAuth2Credentials.Builder {
     @Nullable protected String quotaProjectId;
     @Nullable protected String universeDomain;
+    String source;
 
     protected Builder() {}
 
@@ -541,6 +583,11 @@ public String getUniverseDomain() {
       return this.universeDomain;
     }
 
+    Builder setSource(String source) {
+      this.source = source;
+      return this;
+    }
+
     @Override
     @CanIgnoreReturnValue
     public Builder setAccessToken(AccessToken token) {

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -480,6 +480,9 @@ private ImpersonatedCredentials(Builder builder) throws IOException {
       throw new IllegalStateException("lifetime must be less than or equal to 43200");
     }
 
+    this.type = "Impersonated Credentials";
+    this.principal = builder.targetPrincipal;
+
     // Do not expect explicit universe domain, throw exception if the explicit universe domain
     // does not match the source credential.
     // Do nothing if it matches the source credential

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -150,6 +150,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
     this.lifetime = builder.lifetime;
     this.useJwtAccessWithScope = builder.useJwtAccessWithScope;
     this.defaultRetriesEnabled = builder.defaultRetriesEnabled;
+    this.type = "Service Account Credentials";
+    this.principal = builder.clientEmail;
   }
 
   /**

oauth2_http/java/com/google/auth/oauth2/UserCredentials.java

@@ -96,6 +96,9 @@ private UserCredentials(Builder builder) {
     this.tokenServerUri =
         (builder.tokenServerUri == null) ? OAuth2Utils.TOKEN_SERVER_URI : builder.tokenServerUri;
     this.transportFactoryClassName = this.transportFactory.getClass().getName();
+
+    this.type = "User Credentials";
+
     Preconditions.checkState(
         builder.getAccessToken() != null || builder.refreshToken != null,
         "Either accessToken or refreshToken must not be null");