Refactor: make fields private in IdentityPoolCredentialSource

and move the certificate content to a file instead of local variable.

Author: nbayati

oauth2_http/java/com/google/auth/oauth2/CertificateIdentityPoolSubjectTokenSupplier.java

@@ -65,15 +65,14 @@ public class CertificateIdentityPoolSubjectTokenSupplier
     // This check ensures that the credential source was intended for certificate usage.
     // IdentityPoolCredentials logic should guarantee credentialLocation is set in this case.
     checkNotNull(
-        credentialSource.certificateConfig,
+        credentialSource.getCertificateConfig(),
         "credentialSource.certificateConfig cannot be null when creating"
             + " CertificateIdentityPoolSubjectTokenSupplier");
   }
 
   private static X509Certificate loadLeafCertificate(String path)
       throws IOException, CertificateException {
-    byte[] leafCertBytes;
-    leafCertBytes = Files.readAllBytes(Paths.get(path));
+    byte[] leafCertBytes = Files.readAllBytes(Paths.get(path));
     return parseCertificate(leafCertBytes);
   }
 
@@ -104,19 +103,19 @@ public String getSubjectToken(ExternalAccountSupplierContext context) throws IOE
     try {
       // credentialSource.credentialLocation is expected to be non-null here,
       // set during IdentityPoolCredentials construction for certificate type.
-      X509Certificate leafCert = loadLeafCertificate(credentialSource.credentialLocation);
-      String encodedCert = encodeCert(leafCert);
+      X509Certificate leafCert = loadLeafCertificate(credentialSource.getCredentialLocation());
+      String encodedLeafCert = encodeCert(leafCert);
 
       JsonArray certChain = new JsonArray();
-      certChain.add(new JsonPrimitive(encodedCert));
+      certChain.add(new JsonPrimitive(encodedLeafCert));
 
       return GSON.toJson(certChain);
     } catch (CertificateException e) {
       // Catch CertificateException to provide a more specific error message including
       // the path of the file that failed to parse, and re-throw as IOException
       // as expected by the getSubjectToken method signature for I/O related issues.
       throw new IOException(
-          "Failed to parse certificate from: " + credentialSource.credentialLocation, e);
+          "Failed to parse certificate(s) from: " + credentialSource.getCredentialLocation(), e);
     }
   }
 }

oauth2_http/java/com/google/auth/oauth2/FileIdentityPoolSubjectTokenSupplier.java

@@ -37,7 +37,6 @@
 import com.google.common.io.CharStreams;
 import java.io.BufferedReader;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -67,14 +66,15 @@ class FileIdentityPoolSubjectTokenSupplier implements IdentityPoolSubjectTokenSu
 
   @Override
   public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
-    String credentialFilePath = this.credentialSource.credentialLocation;
+    String credentialFilePath = this.credentialSource.getCredentialLocation();
     if (!Files.exists(Paths.get(credentialFilePath), LinkOption.NOFOLLOW_LINKS)) {
       throw new IOException(
           String.format(
               "Invalid credential location. The file at %s does not exist.", credentialFilePath));
     }
     try {
-      return parseToken(new FileInputStream(new File(credentialFilePath)), this.credentialSource);
+      return parseToken(
+          Files.newInputStream(new File(credentialFilePath).toPath()), this.credentialSource);
     } catch (IOException e) {
       throw new IOException(
           "Error when attempting to read the subject token from the credential file.", e);

oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentialSource.java

@@ -47,10 +47,41 @@ public class IdentityPoolCredentialSource extends ExternalAccountCredentials.Cre
   private static final long serialVersionUID = -745855247050085694L;
   IdentityPoolCredentialSourceType credentialSourceType;
   CredentialFormatType credentialFormatType;
-  String credentialLocation;
+  private String credentialLocation;
   @Nullable String subjectTokenFieldName;
   @Nullable Map<String, String> headers;
-  @Nullable CertificateConfig certificateConfig;
+  @Nullable private CertificateConfig certificateConfig;
+
+  /**
+   * Gets the location of the credential source. This could be a file path or a URL, depending on
+   * the {@link IdentityPoolCredentialSourceType}.
+   *
+   * @return The location of the credential source.
+   */
+  public String getCredentialLocation() {
+    return credentialLocation;
+  }
+
+  /**
+   * Sets the location of the credential source. This method should be used to update the credential
+   * location.
+   *
+   * @param credentialLocation The new location of the credential source.
+   */
+  public void setCredentialLocation(String credentialLocation) {
+    this.credentialLocation = credentialLocation;
+  }
+
+  /**
+   * Gets the configuration for X.509-based workload credentials (mTLS), if configured.
+   *
+   * @return The {@link CertificateConfig} object, or {@code null} if not configured for
+   *     certificate-based credentials.
+   */
+  @Nullable
+  public CertificateConfig getCertificateConfig() {
+    return certificateConfig;
+  }
 
   /**
    * Extracts and configures the {@link CertificateConfig} from the provided credential source.
@@ -60,7 +91,8 @@ public class IdentityPoolCredentialSource extends ExternalAccountCredentials.Cre
    * @throws IllegalArgumentException if the 'certificate' entry is not a Map or if required fields
    *     within the certificate configuration have invalid types.
    */
-  private CertificateConfig getCertificateConfig(Map<String, Object> credentialSourceMap) {
+  private CertificateConfig certificateConfigFromSourceMap(
+      Map<String, Object> credentialSourceMap) {
     Object certValue = credentialSourceMap.get("certificate");
     if (!(certValue instanceof Map)) {
       throw new IllegalArgumentException(
@@ -242,7 +274,7 @@ public IdentityPoolCredentialSource(Map<String, Object> credentialSourceMap) {
       credentialSourceType = IdentityPoolCredentialSourceType.URL;
     } else if (certificatePresent) {
       credentialSourceType = IdentityPoolCredentialSourceType.CERTIFICATE;
-      this.certificateConfig = getCertificateConfig(credentialSourceMap);
+      this.certificateConfig = certificateConfigFromSourceMap(credentialSourceMap);
     } else {
       throw new IllegalArgumentException(
           "Missing credential source file location, URL, or certificate. At least one must be specified.");

oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java

@@ -153,7 +153,7 @@ private IdentityPoolSubjectTokenSupplier createCertificateSubjectTokenSupplier(
       this.transportFactory = new MtlsHttpTransportFactory(mtlsKeyStore);
 
       // Initialize the subject token supplier with the certificate path.
-      credentialSource.credentialLocation = x509Provider.getCertificatePath();
+      credentialSource.setCredentialLocation(x509Provider.getCertificatePath());
       return new CertificateIdentityPoolSubjectTokenSupplier(credentialSource);
 
     } catch (IOException e) {
@@ -168,7 +168,7 @@ private IdentityPoolSubjectTokenSupplier createCertificateSubjectTokenSupplier(
   private X509Provider getX509Provider(
       Builder builder, IdentityPoolCredentialSource credentialSource) {
     final IdentityPoolCredentialSource.CertificateConfig certConfig =
-        credentialSource.certificateConfig;
+        credentialSource.getCertificateConfig();
 
     // Use the provided X509Provider if available, otherwise initialize a default one.
     X509Provider x509Provider = builder.x509Provider;

oauth2_http/java/com/google/auth/oauth2/UrlIdentityPoolSubjectTokenSupplier.java

@@ -70,7 +70,7 @@ public String getSubjectToken(ExternalAccountSupplierContext context) throws IOE
         transportFactory
             .create()
             .createRequestFactory()
-            .buildGetRequest(new GenericUrl(credentialSource.credentialLocation));
+            .buildGetRequest(new GenericUrl(credentialSource.getCredentialLocation()));
     request.setParser(new JsonObjectParser(OAuth2Utils.JSON_FACTORY));
 
     if (credentialSource.hasHeaders()) {

oauth2_http/javatests/com/google/auth/oauth2/CertificateIdentityPoolSubjectTokenSupplierTest.java

@@ -32,6 +32,7 @@
 package com.google.auth.oauth2;
 
 import static org.junit.Assert.*;
+import static org.mockito.Mockito.when;
 
 import com.google.auth.oauth2.IdentityPoolCredentialSource.CertificateConfig;
 import com.google.gson.Gson;
@@ -40,16 +41,18 @@
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
-import org.junit.rules.TemporaryFolder;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 import org.mockito.Mock;
@@ -61,7 +64,6 @@
 public class CertificateIdentityPoolSubjectTokenSupplierTest {
 
   @Rule public MockitoRule mockitoRule = MockitoJUnit.rule();
-  @Rule public TemporaryFolder tempFolder = new TemporaryFolder();
 
   @Mock private IdentityPoolCredentialSource mockCredentialSource;
   @Mock private CertificateConfig mockCertificateConfig;
@@ -70,40 +72,33 @@ public class CertificateIdentityPoolSubjectTokenSupplierTest {
   private CertificateIdentityPoolSubjectTokenSupplier supplier;
   private static final Gson GSON = new Gson();
 
-  // Certificate data from X509ProviderTest
-  private static final String TEST_CERT_PEM =
-      "-----BEGIN CERTIFICATE-----\n"
-          + "MIICGzCCAYSgAwIBAgIIWrt6xtmHPs4wDQYJKoZIhvcNAQEFBQAwMzExMC8GA1UE\n"
-          + "AxMoMTAwOTEyMDcyNjg3OC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbTAeFw0x\n"
-          + "MjEyMDExNjEwNDRaFw0yMjExMjkxNjEwNDRaMDMxMTAvBgNVBAMTKDEwMDkxMjA3\n"
-          + "MjY4NzguYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20wgZ8wDQYJKoZIhvcNAQEB\n"
-          + "BQADgY0AMIGJAoGBAL1SdY8jTUVU7O4/XrZLYTw0ON1lV6MQRGajFDFCqD2Fd9tQ\n"
-          + "GLW8Iftx9wfXe1zuaehJSgLcyCxazfyJoN3RiONBihBqWY6d3lQKqkgsRTNZkdFJ\n"
-          + "Wdzl/6CxhK9sojh2p0r3tydtv9iwq5fuuWIvtODtT98EgphhncQAqkKoF3zVAgMB\n"
-          + "AAGjODA2MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQM\n"
-          + "MAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAD8XQEqzGePa9VrvtEGpf+R4\n"
-          + "fkxKbcYAzqYq202nKu0kfjhIYkYSBj6gi348YaxE64yu60TVl42l5HThmswUheW4\n"
-          + "uQIaq36JvwvsDP5Zoj5BgiNSnDAFQp+jJFBRUA5vooJKgKgMDf/r/DCOsbO6VJF1\n"
-          + "kWwa9n19NFiV0z3m6isj\n"
-          + "-----END CERTIFICATE-----\n";
-
-  private static final byte[] TEST_CERT_BYTES = TEST_CERT_PEM.getBytes(StandardCharsets.UTF_8);
   private static final byte[] INVALID_CERT_BYTES =
       "invalid certificate data".getBytes(StandardCharsets.UTF_8);
 
+  private byte[] testCertBytesFromFile;
+
   @Before
-  public void setUp() throws IOException {
-    File testCertFile = tempFolder.newFile("certificate.pem");
-    Files.write(testCertFile.toPath(), TEST_CERT_BYTES);
-    mockCredentialSource.certificateConfig = mockCertificateConfig;
-    mockCredentialSource.credentialLocation = testCertFile.getAbsolutePath();
+  public void setUp() throws IOException, URISyntaxException {
+    ClassLoader classLoader = getClass().getClassLoader();
+    URL leafCertUrl = classLoader.getResource("x509_leaf_certificate.pem");
+    assertNotNull("Test leaf certificate file not found!", leafCertUrl);
+    File testCertFile = new File(leafCertUrl.getFile());
+
+    when(mockCertificateConfig.useDefaultCertificateConfig()).thenReturn(false);
+    when(mockCertificateConfig.getCertificateConfigLocation())
+        .thenReturn(testCertFile.getAbsolutePath());
+
+    when(mockCredentialSource.getCertificateConfig()).thenReturn(mockCertificateConfig);
+    when(mockCredentialSource.getCredentialLocation()).thenReturn(testCertFile.getAbsolutePath());
+
     supplier = new CertificateIdentityPoolSubjectTokenSupplier(mockCredentialSource);
+    testCertBytesFromFile = Files.readAllBytes(Paths.get(leafCertUrl.toURI()));
   }
 
   @Test
   public void parseCertificate_validData_returnsCertificate() throws Exception {
     X509Certificate cert =
-        CertificateIdentityPoolSubjectTokenSupplier.parseCertificate(TEST_CERT_BYTES);
+        CertificateIdentityPoolSubjectTokenSupplier.parseCertificate(testCertBytesFromFile);
     assertNotNull(cert);
   }
 
@@ -136,10 +131,10 @@ public void parseCertificate_invalidData_throwsCertificateException() {
 
   @Test
   public void getSubjectToken_success() throws Exception {
-    // Calculate expected result
+    // Calculate expected result based on the file content.
     CertificateFactory cf = CertificateFactory.getInstance("X.509");
     X509Certificate expectedCert =
-        (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(TEST_CERT_BYTES));
+        (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(testCertBytesFromFile));
     String expectedEncodedDer = Base64.getEncoder().encodeToString(expectedCert.getEncoded());
     JsonArray expectedJsonArray = new JsonArray();
     expectedJsonArray.add(new JsonPrimitive(expectedEncodedDer));