chore: Create CLOUD_PLATFORM_SCOPE constant in Oauth2Utils

Author: lqiu96

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -48,8 +48,8 @@
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
@@ -68,9 +68,6 @@ public abstract class ExternalAccountCredentials extends GoogleCredentials {
 
   private static final long serialVersionUID = 8049126194174465023L;
 
-  private static final String CLOUD_PLATFORM_SCOPE =
-      "https://www.googleapis.com/auth/cloud-platform";
-
   static final String EXECUTABLE_SOURCE_KEY = "executable";
 
   static final String DEFAULT_TOKEN_URL = "https://sts.{UNIVERSE_DOMAIN}/v1/token";
@@ -200,7 +197,9 @@ protected ExternalAccountCredentials(
     this.clientId = clientId;
     this.clientSecret = clientSecret;
     this.scopes =
-        (scopes == null || scopes.isEmpty()) ? Arrays.asList(CLOUD_PLATFORM_SCOPE) : scopes;
+        (scopes == null || scopes.isEmpty())
+            ? Collections.singletonList(OAuth2Utils.CLOUD_PLATFORM_SCOPE)
+            : scopes;
     this.environmentProvider =
         environmentProvider == null ? SystemEnvironmentProvider.getInstance() : environmentProvider;
     this.workforcePoolUserProject = null;
@@ -245,7 +244,7 @@ protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)
 
     this.scopes =
         (builder.scopes == null || builder.scopes.isEmpty())
-            ? Arrays.asList(CLOUD_PLATFORM_SCOPE)
+            ? Collections.singletonList(OAuth2Utils.CLOUD_PLATFORM_SCOPE)
             : builder.scopes;
     this.environmentProvider =
         builder.environmentProvider == null

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -101,14 +101,12 @@ public class ImpersonatedCredentials extends GoogleCredentials
   private static final String RFC3339 = "yyyy-MM-dd'T'HH:mm:ssX";
   private static final int TWELVE_HOURS_IN_SECONDS = 43200;
   private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;
-  private static final String CLOUD_PLATFORM_SCOPE =
-      "https://www.googleapis.com/auth/cloud-platform";
   private GoogleCredentials sourceCredentials;
-  private String targetPrincipal;
+  private final String targetPrincipal;
   private List<String> delegates;
   private final List<String> scopes;
-  private int lifetime;
-  private String iamEndpointOverride;
+  private final int lifetime;
+  private final String iamEndpointOverride;
   private final String transportFactoryClassName;
   private static final LoggerProvider LOGGER_PROVIDER =
       LoggerProvider.forClazz(ImpersonatedCredentials.class);
@@ -395,7 +393,7 @@ static ImpersonatedCredentials fromJson(
     // This applies to the scopes applied for the impersonated token and not the
     // underlying source credential. Default to empty list to keep the existing
     // behavior (when json file did not populate a scopes field).
-    List<String> scopes = new ArrayList<>();
+    List<String> scopes = ImmutableList.of();
     try {
       serviceAccountImpersonationUrl = (String) json.get("service_account_impersonation_url");
       if (json.containsKey("delegates")) {
@@ -406,7 +404,7 @@ static ImpersonatedCredentials fromJson(
       quotaProjectId = (String) json.get("quota_project_id");
       targetPrincipal = extractTargetPrincipal(serviceAccountImpersonationUrl);
       if (json.containsKey("scopes")) {
-        scopes = (List<String>) json.get("scopes");
+        scopes = ImmutableList.copyOf((List<String>) json.get("scopes"));
       }
     } catch (ClassCastException | NullPointerException | IllegalArgumentException e) {
       throw new CredentialFormatException("An invalid input stream was provided.", e);
@@ -415,7 +413,9 @@ static ImpersonatedCredentials fromJson(
     GoogleCredentials sourceCredentials;
     if (GoogleCredentialsInfo.USER_CREDENTIALS.getFileType().equals(sourceCredentialsType)) {
       sourceCredentials = UserCredentials.fromJson(sourceCredentialsJson, transportFactory);
-    } else if (GoogleCredentialsInfo.SERVICE_ACCOUNT_CREDENTIALS.getFileType().equals(sourceCredentialsType)) {
+    } else if (GoogleCredentialsInfo.SERVICE_ACCOUNT_CREDENTIALS
+        .getFileType()
+        .equals(sourceCredentialsType)) {
       sourceCredentials =
           ServiceAccountCredentials.fromJson(sourceCredentialsJson, transportFactory);
     } else {
@@ -443,7 +443,7 @@ public boolean createScopedRequired() {
 
   @Override
   public GoogleCredentials createScoped(Collection<String> scopes) {
-    return toBuilder().setScopes(new ArrayList<>(scopes)).setAccessToken(null).build();
+    return toBuilder().setScopes(ImmutableList.copyOf(scopes)).setAccessToken(null).build();
   }
 
   @Override
@@ -520,8 +520,10 @@ public String getUniverseDomain() throws IOException {
   @Override
   public AccessToken refreshAccessToken() throws IOException {
     if (this.sourceCredentials.getAccessToken() == null) {
+      // Apply the `CLOUD_PLATFORM_SCOPE` to access the iamcredentials endpoint
       this.sourceCredentials =
-          this.sourceCredentials.createScoped(Collections.singletonList(CLOUD_PLATFORM_SCOPE));
+          this.sourceCredentials.createScoped(
+              Collections.singletonList(OAuth2Utils.CLOUD_PLATFORM_SCOPE));
     }
 
     // skip for SA with SSJ flow because it uses self-signed JWT
@@ -555,7 +557,7 @@ public AccessToken refreshAccessToken() throws IOException {
     GenericUrl url = new GenericUrl(endpointUrl);
 
     Map<String, Object> body =
-        ImmutableMap.<String, Object>of(
+        ImmutableMap.of(
             "delegates", this.delegates, "scope", this.scopes, "lifetime", this.lifetime + "s");
 
     HttpContent requestContent = new JsonHttpContent(parser.getJsonFactory(), body);

oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -95,6 +95,9 @@ public class OAuth2Utils {
   static final URI TOKEN_REVOKE_URI = URI.create("https://oauth2.googleapis.com/revoke");
   static final URI USER_AUTH_URI = URI.create("https://accounts.google.com/o/oauth2/auth");
 
+  public static final String CLOUD_PLATFORM_SCOPE =
+      "https://www.googleapis.com/auth/cloud-platform";
+
   static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
 
   public static final HttpTransportFactory HTTP_TRANSPORT_FACTORY =

oauth2_http/javatests/com/google/auth/oauth2/DownscopedCredentialsTest.java

@@ -236,7 +236,7 @@ public void builder_noTransport_defaults() throws IOException {
             .build();
 
     GoogleCredentials scopedSourceCredentials =
-        sourceCredentials.createScoped("https://www.googleapis.com/auth/cloud-platform");
+        sourceCredentials.createScoped(OAuth2Utils.CLOUD_PLATFORM_SCOPE);
     assertEquals(scopedSourceCredentials, credentials.getSourceCredentials());
     assertEquals(CREDENTIAL_ACCESS_BOUNDARY, credentials.getCredentialAccessBoundary());
     assertEquals(OAuth2Utils.HTTP_TRANSPORT_FACTORY, credentials.getTransportFactory());
@@ -254,7 +254,7 @@ public void builder_noUniverseDomain_defaults() throws IOException {
             .build();
 
     GoogleCredentials scopedSourceCredentials =
-        sourceCredentials.createScoped("https://www.googleapis.com/auth/cloud-platform");
+        sourceCredentials.createScoped(OAuth2Utils.CLOUD_PLATFORM_SCOPE);
     assertEquals(OAuth2Utils.HTTP_TRANSPORT_FACTORY, credentials.getTransportFactory());
     assertEquals(scopedSourceCredentials, credentials.getSourceCredentials());
     assertEquals(CREDENTIAL_ACCESS_BOUNDARY, credentials.getCredentialAccessBoundary());
@@ -320,7 +320,7 @@ private static GoogleCredentials getServiceAccountSourceCredentials(boolean canR
       transportFactory.transport.setError(new IOException());
     }
 
-    return sourceCredentials.createScoped("https://www.googleapis.com/auth/cloud-platform");
+    return sourceCredentials.createScoped(OAuth2Utils.CLOUD_PLATFORM_SCOPE);
   }
 
   private static GoogleCredentials getUserSourceCredentials() {

oauth2_http/javatests/com/google/auth/oauth2/ITDownscopingTest.java

@@ -102,7 +102,7 @@ public AccessToken refreshAccessToken() throws IOException {
             ServiceAccountCredentials credentials =
                 (ServiceAccountCredentials)
                     GoogleCredentials.getApplicationDefault()
-                        .createScoped("https://www.googleapis.com/auth/cloud-platform");
+                        .createScoped(OAuth2Utils.CLOUD_PLATFORM_SCOPE);
 
             DownscopedCredentials downscopedCredentials =
                 DownscopedCredentials.newBuilder()

oauth2_http/javatests/com/google/auth/oauth2/ITWorkloadIdentityFederationTest.java

@@ -408,8 +408,7 @@ private void callGcs(GoogleCredentials credentials) throws IOException {
    */
   private String generateGoogleIdToken(String audience) throws IOException {
     GoogleCredentials googleCredentials =
-        GoogleCredentials.getApplicationDefault()
-            .createScoped("https://www.googleapis.com/auth/cloud-platform");
+        GoogleCredentials.getApplicationDefault().createScoped(OAuth2Utils.CLOUD_PLATFORM_SCOPE);
 
     HttpCredentialsAdapter credentialsAdapter = new HttpCredentialsAdapter(googleCredentials);
     HttpRequestFactory requestFactory =

oauth2_http/javatests/com/google/auth/oauth2/MockExternalAccountCredentialsTransport.java

@@ -62,8 +62,7 @@ public class MockExternalAccountCredentialsTransport extends MockHttpTransport {
 
   private static final String EXPECTED_GRANT_TYPE =
       "urn:ietf:params:oauth:grant-type:token-exchange";
-  private static final String CLOUD_PLATFORM_SCOPE =
-      "https://www.googleapis.com/auth/cloud-platform";
+  private static final String CLOUD_PLATFORM_SCOPE = OAuth2Utils.CLOUD_PLATFORM_SCOPE;
   private static final String ISSUED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
   private static final String AWS_CREDENTIALS_URL = "https://169.254.169.254";
   private static final String AWS_REGION_URL = "https://169.254.169.254/region";

oauth2_http/javatests/com/google/auth/oauth2/StsRequestHandlerTest.java

@@ -56,8 +56,7 @@ public final class StsRequestHandlerTest {
 
   private static final String TOKEN_EXCHANGE_GRANT_TYPE =
       "urn:ietf:params:oauth:grant-type:token-exchange";
-  private static final String CLOUD_PLATFORM_SCOPE =
-      "https://www.googleapis.com/auth/cloud-platform";
+  private static final String CLOUD_PLATFORM_SCOPE = OAuth2Utils.CLOUD_PLATFORM_SCOPE;
   private static final String DEFAULT_REQUESTED_TOKEN_TYPE =
       "urn:ietf:params:oauth:token-type:access_token";
   private static final String TOKEN_URL = "https://sts.googleapis.com/v1/token";

oauth2_http/javatests/com/google/auth/oauth2/UserAuthorizerTest.java

@@ -313,7 +313,7 @@ public void testGetTokenResponseFromAuthCodeExchange_workforceIdentityFederation
     UserAuthorizer authorizer =
         UserAuthorizer.newBuilder()
             .setClientId(CLIENT_ID)
-            .setScopes(Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"))
+            .setScopes(Collections.singletonList(OAuth2Utils.CLOUD_PLATFORM_SCOPE))
             .setTokenServerUri(WORKFORCE_IDENTITY_FEDERATION_TOKEN_SERVER_URI)
             .setUserAuthUri(WORKFORCE_IDENTITY_FEDERATION_AUTH_URI)
             .setClientAuthenticationType(ClientAuthenticationType.CLIENT_SECRET_BASIC)
@@ -354,7 +354,7 @@ public void testGetTokenResponseFromAuthCodeExchange_workforceIdentityFederation
     UserAuthorizer authorizer =
         UserAuthorizer.newBuilder()
             .setClientId(CLIENT_ID)
-            .setScopes(Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"))
+            .setScopes(Collections.singletonList(OAuth2Utils.CLOUD_PLATFORM_SCOPE))
             .setTokenServerUri(WORKFORCE_IDENTITY_FEDERATION_TOKEN_SERVER_URI)
             .setUserAuthUri(WORKFORCE_IDENTITY_FEDERATION_AUTH_URI)
             .setClientAuthenticationType(ClientAuthenticationType.NONE)

oauth2_http/javatests/com/google/auth/oauth2/functional/FTComputeEngineCredentialsTest.java

@@ -44,12 +44,12 @@
 import com.google.auth.oauth2.IdToken;
 import com.google.auth.oauth2.IdTokenCredentials;
 import com.google.auth.oauth2.IdTokenProvider;
+import com.google.auth.oauth2.OAuth2Utils;
 import org.junit.Test;
 
 public final class FTComputeEngineCredentialsTest {
   private final String computeUrl =
       "https://compute.googleapis.com/compute/v1/projects/gcloud-devel/zones/us-central1-a/instances";
-  private final String cloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform";
 
   @Test
   public void RefreshCredentials() throws Exception {
@@ -64,7 +64,7 @@ public void RefreshCredentials() throws Exception {
   @Test
   public void DefaultCredentials() throws Exception {
     final GoogleCredentials defaultCredential =
-        GoogleCredentials.getApplicationDefault().createScoped(cloudPlatformScope);
+        GoogleCredentials.getApplicationDefault().createScoped(OAuth2Utils.CLOUD_PLATFORM_SCOPE);
 
     AccessToken accessToken = defaultCredential.refreshAccessToken();
     assertNotNull(accessToken);