Move ClientSideCredentialAccessBoundaryFactory to its own module and some minor refactoring.

Author: nbayati

cab-token-generator/pom.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>com.google.auth</groupId>
+    <artifactId>google-auth-library-parent</artifactId>
+    <version>1.29.1-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>cab-token-generator</artifactId>
+
+  <properties>
+    <maven.compiler.source>22</maven.compiler.source>
+    <maven.compiler.target>22</maven.compiler.target>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+  <dependencies>
+    <dependency>
+      <groupId>com.google.auth</groupId>
+      <artifactId>google-auth-library-oauth2-http</artifactId>
+    </dependency>
+  </dependencies>
+
+</project>

…SideCredentialAccessBoundaryFactory.java …SideCredentialAccessBoundaryFactory.javaoauth2_http/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java renamed to cab-token-generator/src/main/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java oauth2_http/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java renamed to cab-token-generator/src/main/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java

@@ -1,7 +1,38 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 package com.google.auth.credentialaccessboundary;
 
 import static com.google.auth.oauth2.OAuth2Credentials.getFromServiceLoader;
-import static com.google.common.base.MoreObjects.firstNonNull;
+import static com.google.auth.oauth2.OAuth2Utils.TOKEN_EXCHANGE_URL_FORMAT;
 import static com.google.common.base.Preconditions.checkNotNull;
 
 import com.google.auth.Credentials;
@@ -12,6 +43,7 @@
 import com.google.auth.oauth2.StsRequestHandler;
 import com.google.auth.oauth2.StsTokenExchangeRequest;
 import com.google.auth.oauth2.StsTokenExchangeResponse;
+import com.google.common.base.Strings;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.io.IOException;
 
@@ -23,46 +55,20 @@ public final class ClientSideCredentialAccessBoundaryFactory {
   private AccessToken intermediaryAccessToken;
 
   private ClientSideCredentialAccessBoundaryFactory(Builder builder) {
-    this.transportFactory =
-        firstNonNull(
-            builder.transportFactory,
-            getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
-    this.sourceCredential = checkNotNull(builder.sourceCredential);
-
-    // Default to GDU when not supplied.
-    String universeDomain;
-    if (builder.universeDomain == null || builder.universeDomain.trim().isEmpty()) {
-      universeDomain = Credentials.GOOGLE_DEFAULT_UNIVERSE;
-    } else {
-      universeDomain = builder.universeDomain;
-    }
-
-    // Ensure source credential's universe domain matches.
-    try {
-      if (!universeDomain.equals(sourceCredential.getUniverseDomain())) {
-        throw new IllegalArgumentException(
-            "The client side access boundary credential's universe domain must be the same as the source "
-                + "credential.");
-      }
-    } catch (IOException e) {
-      // Throwing an IOException would be a breaking change, so wrap it here.
-      throw new IllegalStateException(
-          "Error occurred when attempting to retrieve source credential universe domain.", e);
-    }
-    String TOKEN_EXCHANGE_URL_FORMAT = "https://sts.{universe_domain}/v1/token";
-    this.tokenExchangeEndpoint =
-        TOKEN_EXCHANGE_URL_FORMAT.replace("{universe_domain}", universeDomain);
+    this.transportFactory = builder.transportFactory;
+    this.sourceCredential = builder.sourceCredential;
+    this.tokenExchangeEndpoint = builder.tokenExchangeEndpoint;
   }
 
-  public void fetchCredentials() throws IOException {
+  private void fetchCredentials() throws IOException {
     try {
       this.sourceCredential.refreshIfExpired();
     } catch (IOException e) {
       throw new IOException("Unable to refresh the provided source credential.", e);
     }
 
     AccessToken sourceAccessToken = sourceCredential.getAccessToken();
-    if (sourceAccessToken == null || sourceAccessToken.getTokenValue() == null) {
+    if (sourceAccessToken == null || Strings.isNullOrEmpty(sourceAccessToken.getTokenValue())) {
       throw new IOException("The source credential does not have an access token.");
     }
 
@@ -102,6 +108,7 @@ public static class Builder {
     private GoogleCredentials sourceCredential;
     private HttpTransportFactory transportFactory;
     private String universeDomain;
+    private String tokenExchangeEndpoint;
 
     private Builder() {}
 
@@ -141,6 +148,33 @@ public Builder setUniverseDomain(String universeDomain) {
     }
 
     public ClientSideCredentialAccessBoundaryFactory build() {
+      checkNotNull(sourceCredential, "Source credential must not be null.");
+
+      // Use the default HTTP transport factory if none was provided.
+      if (transportFactory == null) {
+        this.transportFactory =
+            getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
+      }
+
+      // Default to GDU when not supplied.
+      if (Strings.isNullOrEmpty(universeDomain)) {
+        this.universeDomain = Credentials.GOOGLE_DEFAULT_UNIVERSE;
+      }
+
+      // Ensure source credential's universe domain matches.
+      try {
+        if (!universeDomain.equals(sourceCredential.getUniverseDomain())) {
+          throw new IllegalArgumentException(
+              "The client side access boundary credential's universe domain must be the same as the source "
+                  + "credential.");
+        }
+      } catch (IOException e) {
+        // Throwing an IOException would be a breaking change, so wrap it here.
+        throw new IllegalStateException(
+            "Error occurred when attempting to retrieve source credential universe domain.", e);
+      }
+
+      this.tokenExchangeEndpoint = String.format(TOKEN_EXCHANGE_URL_FORMAT, universeDomain);
       return new ClientSideCredentialAccessBoundaryFactory(this);
     }
   }

oauth2_http/java/com/google/auth/oauth2/DownscopedCredentials.java

@@ -31,6 +31,7 @@
 
 package com.google.auth.oauth2;
 
+import static com.google.auth.oauth2.OAuth2Utils.TOKEN_EXCHANGE_URL_FORMAT;
 import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.base.Preconditions.checkNotNull;
 
@@ -88,7 +89,6 @@
  */
 public final class DownscopedCredentials extends OAuth2Credentials {
 
-  private final String TOKEN_EXCHANGE_URL_FORMAT = "https://sts.{universe_domain}/v1/token";
   private final GoogleCredentials sourceCredential;
   private final CredentialAccessBoundary credentialAccessBoundary;
   private final String universeDomain;
@@ -125,8 +125,7 @@ private DownscopedCredentials(Builder builder) {
       throw new IllegalStateException(
           "Error occurred when attempting to retrieve source credential universe domain.", e);
     }
-    this.tokenExchangeEndpoint =
-        TOKEN_EXCHANGE_URL_FORMAT.replace("{universe_domain}", universeDomain);
+    this.tokenExchangeEndpoint = String.format(TOKEN_EXCHANGE_URL_FORMAT, universeDomain);
   }
 
   @Override

oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -89,6 +89,7 @@ public class OAuth2Utils {
       "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s:generateAccessToken";
   static final String SIGN_BLOB_ENDPOINT_FORMAT =
       "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s:signBlob";
+  public static final String TOKEN_EXCHANGE_URL_FORMAT = "https://sts.%s/v1/token";
 
   static final URI TOKEN_SERVER_URI = URI.create("https://oauth2.googleapis.com/token");
 

oauth2_http/javatests/com/google/auth/oauth2/DownscopedCredentialsTest.java

@@ -32,6 +32,7 @@
 package com.google.auth.oauth2;
 
 import static com.google.auth.Credentials.GOOGLE_DEFAULT_UNIVERSE;
+import static com.google.auth.oauth2.OAuth2Utils.TOKEN_EXCHANGE_URL_FORMAT;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;
@@ -50,7 +51,6 @@
 @RunWith(JUnit4.class)
 public class DownscopedCredentialsTest {
 
-  private final String TOKEN_EXCHANGE_URL_FORMAT = "https://sts.%s/v1/token";
   private static final String SA_PRIVATE_KEY_PKCS8 =
       "-----BEGIN PRIVATE KEY-----\n"
           + "MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALX0PQoe1igW12i"

pom.xml

@@ -58,6 +58,7 @@
     <module>oauth2_http</module>
     <module>appengine</module>
     <module>bom</module>
+    <module>cab-token-generator</module>
   </modules>
 
   <scm>