Error thrown when audience doesn't match pattern is IllegalStateException and format changes.

Author: vverman

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -31,7 +31,7 @@
 
 package com.google.auth.oauth2;
 
-import static com.google.auth.oauth2.OAuth2Utils.JSON_FACTORY;
+import static com.google.auth.oauth2.OAuth2Utils.*;
 import static com.google.common.base.Preconditions.checkNotNull;
 
 import com.google.api.client.http.GenericUrl;
@@ -56,7 +56,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 import javax.annotation.Nullable;
 
 /**
@@ -83,13 +82,6 @@ public class ExternalAccountAuthorizedUserCredentials extends GoogleCredentials
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
 
   private static final long serialVersionUID = -2181779590486283287L;
-
-  private static final String WORKFORCE_POOL_URL_FORMAT =
-      "https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/%s/allowedLocations";
-  private static final Pattern WORKFORCE_PATTERN =
-      Pattern.compile(
-          "^//iam.googleapis.com/locations/(?<location>[^/]+)/workforcePools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
-
   private final String transportFactoryClassName;
   private final String audience;
   private final String tokenUrl;
@@ -231,13 +223,14 @@ public AccessToken refreshAccessToken() throws IOException {
 
   @Override
   public String getTrustBoundaryUrl() throws IOException {
-    Matcher matcher = WORKFORCE_PATTERN.matcher(getAudience());
+    Matcher matcher = WORKFORCE_AUDIENCE_PATTERN.matcher(getAudience());
     if (!matcher.matches()) {
-      throw new IOException(
+      throw new IllegalStateException(
           "The provided audience is not in the correct format for a workforce pool.");
     }
     String poolId = matcher.group("pool");
-    return String.format(WORKFORCE_POOL_URL_FORMAT, poolId);
+    return String.format(
+        IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL, getUniverseDomain(), poolId);
   }
 
   @Nullable

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -31,12 +31,15 @@
 
 package com.google.auth.oauth2;
 
+import static com.google.auth.oauth2.OAuth2Utils.WORKFORCE_AUDIENCE_PATTERN;
+import static com.google.auth.oauth2.OAuth2Utils.WORKLOAD_AUDIENCE_PATTERN;
 import static com.google.common.base.Preconditions.checkNotNull;
 
 import com.google.api.client.http.HttpHeaders;
 import com.google.api.client.json.GenericJson;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.Data;
+import com.google.api.core.InternalApi;
 import com.google.auth.RequestMetadataCallback;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.base.MoreObjects;
@@ -100,13 +103,6 @@ public abstract class ExternalAccountCredentials extends GoogleCredentials
 
   private EnvironmentProvider environmentProvider;
 
-  private static final Pattern WORKFORCE_PATTERN =
-      Pattern.compile(
-          "^//iam.googleapis.com/locations/(?<location>[^/]+)/workforcePools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
-  private static final Pattern WORKLOAD_PATTERN =
-      Pattern.compile(
-          "^//iam.googleapis.com/projects/(?<project>[^/]+)/locations/(?<location>[^/]+)/workloadIdentityPools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
-
   /**
    * Constructor with minimum identifying information and custom HTTP transport. Does not support
    * workforce credentials.
@@ -537,8 +533,9 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
     }
     if (this.impersonatedCredentials != null) {
       AccessToken accessToken = this.impersonatedCredentials.refreshAccessToken();
-      // After the impersonated credential refreshes, its trust boundary is
-      // also refreshed. That is the trust boundary we will use.
+      // We use the impersonated account's credential as the trust boundary
+      // since the regional restriction is bounded by the access that the
+      // impersonated account has.
       setTrustBoundary(this.impersonatedCredentials.getTrustBoundary());
       return accessToken;
     }
@@ -628,29 +625,31 @@ public String getServiceAccountEmail() {
     return ImpersonatedCredentials.extractTargetPrincipal(serviceAccountImpersonationUrl);
   }
 
+  @InternalApi
   @Override
-  public String getTrustBoundaryUrl() throws IOException {
-    Matcher workforceMatcher = WORKFORCE_PATTERN.matcher(getAudience());
-    Matcher workloadMatcher = WORKLOAD_PATTERN.matcher(getAudience());
-
+  public String getTrustBoundaryUrl() {
+    Matcher workforceMatcher = WORKFORCE_AUDIENCE_PATTERN.matcher(getAudience());
     if (workforceMatcher.matches()) {
       String poolId = workforceMatcher.group("pool");
       return String.format(
           OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL,
           getUniverseDomain(),
           poolId);
-    } else if (workloadMatcher.matches()) {
+    }
+
+    Matcher workloadMatcher = WORKLOAD_AUDIENCE_PATTERN.matcher(getAudience());
+    if (workloadMatcher.matches()) {
       String projectNumber = workloadMatcher.group("project");
       String poolId = workloadMatcher.group("pool");
       return String.format(
           OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKLOAD_POOL,
           getUniverseDomain(),
           projectNumber,
           poolId);
-    } else {
-      throw new IOException(
-          "The provided audience is not in a valid format for either a workload identity pool or a workforce pool.");
     }
+
+    throw new IllegalStateException(
+        "The provided audience is not in a valid format for either a workload identity pool or a workforce pool.");
   }
 
   @Nullable

oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -68,6 +68,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 /**
  * Internal utilities for the com.google.auth.oauth2 namespace.
@@ -93,13 +94,6 @@ public class OAuth2Utils {
   static final URI TOKEN_SERVER_URI = URI.create("https://oauth2.googleapis.com/token");
 
   static final URI TOKEN_REVOKE_URI = URI.create("https://oauth2.googleapis.com/revoke");
-
-  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT =
-      "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations";
-  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL =
-      "https://iamcredentials.%s/v1/locations/global/workforcePools/%s/allowedLocations";
-  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKLOAD_POOL =
-      "https://iamcredentials.%s/v1/projects/%s/locations/global/workloadIdentityPools/%s/allowedLocations";
   static final URI USER_AUTH_URI = URI.create("https://accounts.google.com/o/oauth2/auth");
 
   public static final String CLOUD_PLATFORM_SCOPE =
@@ -124,6 +118,22 @@ public class OAuth2Utils {
   static final double RETRY_MULTIPLIER = 2;
   static final int DEFAULT_NUMBER_OF_RETRIES = 3;
 
+  static final Pattern WORKFORCE_AUDIENCE_PATTERN =
+      Pattern.compile(
+          "^//iam.googleapis.com/locations/(?<location>[^/]+)/workforcePools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
+  static final Pattern WORKLOAD_AUDIENCE_PATTERN =
+      Pattern.compile(
+          "^//iam.googleapis.com/projects/(?<project>[^/]+)/locations/(?<location>[^/]+)/workloadIdentityPools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
+
+  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT =
+      "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations";
+
+  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL =
+      "https://iamcredentials.%s/v1/locations/global/workforcePools/%s/allowedLocations";
+
+  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKLOAD_POOL =
+      "https://iamcredentials.%s/v1/projects/%s/locations/global/workloadIdentityPools/%s/allowedLocations";
+
   // Includes expected server errors from Google token endpoint
   // Other 5xx codes are either not used or retries are unlikely to succeed
   public static final Set<Integer> TOKEN_ENDPOINT_RETRYABLE_STATUS_CODES =

oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentialsTest.java

@@ -1247,7 +1247,7 @@ public void testRefresh_trustBoundarySuccess() throws IOException {
   }
 
   @Test
-  public void testRefresh_trustBoundaryFails_incorrectAudience() throws IOException {
+  public void testRefresh_trustBoundaryFails_incorrectAudience() {
     TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
     TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
     environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
@@ -1262,9 +1262,9 @@ public void testRefresh_trustBoundaryFails_incorrectAudience() throws IOExceptio
             .setTokenUrl(TOKEN_URL)
             .build();
 
-    IOException exception =
+    IllegalStateException exception =
         assertThrows(
-            IOException.class,
+            IllegalStateException.class,
             () -> {
               credentials.refresh();
             });

oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java

@@ -1297,9 +1297,9 @@ public void getTrustBoundaryUrl_invalidAudience_throws() {
             .setCredentialSource(new TestCredentialSource(FILE_CREDENTIAL_SOURCE_MAP))
             .build();
 
-    IOException exception =
+    IllegalStateException exception =
         assertThrows(
-            IOException.class,
+            IllegalStateException.class,
             () -> {
               credentials.getTrustBoundaryUrl();
             });

oauth2_http/javatests/com/google/auth/oauth2/MockExternalAccountCredentialsTransport.java

@@ -199,9 +199,6 @@ public LowLevelHttpResponse execute() throws IOException {
             if (url.contains(IAM_ENDPOINT)) {
 
               if (url.endsWith(TRUST_BOUNDARY_URL_END)) {
-                // Mocking call to refresh trust boundaries.
-                // The lookup endpoint is located in the IAM server which is different from the
-                // token server.
                 GenericJson responseJson = new GenericJson();
                 responseJson.setFactory(OAuth2Utils.JSON_FACTORY);
                 responseJson.put("encodedLocations", TestUtils.TRUST_BOUNDARY_ENCODED_LOCATION);

oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java

@@ -388,9 +388,10 @@ public LowLevelHttpResponse execute() throws IOException {
   }
 
   protected boolean isIamLookupUrl(String url) {
-    // Mocking call to refresh trust boundaries.
-    // The lookup endpoint is located in the IAM server which is different from the
-    // metadata server.
+    // Mocking call to the /allowedLocations endpoint for trust boundary refresh.
+    // For testing convenience, this mock transport handles
+    // the /allowedLocations endpoint. The actual server for this endpoint
+    // will be the IAM Credentials API.
     return url.endsWith("/allowedLocations");
   }
 }

oauth2_http/javatests/com/google/auth/oauth2/MockStsTransport.java

@@ -106,6 +106,9 @@ public LowLevelHttpResponse execute() throws IOException {
             Matcher trustBoundaryMatcher =
                 Pattern.compile(VALID_TRUST_BOUNDARY_PATTERN).matcher(url);
             if (trustBoundaryMatcher.matches()) {
+              // Mocking call to the /allowedLocations endpoint for trust boundary refresh.
+              // For testing convenience, this mock transport handles
+              // the /allowedLocations endpoint.
               GenericJson response = new GenericJson();
               response.put("locations", TestUtils.TRUST_BOUNDARY_LOCATIONS);
               response.put("encodedLocations", TestUtils.TRUST_BOUNDARY_ENCODED_LOCATION);

oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java

@@ -327,9 +327,10 @@ public LowLevelHttpResponse execute() throws IOException {
           };
       return request;
     } else if (urlWithoutQuery.endsWith("/allowedLocations")) {
-      // Mocking call to refresh trust boundaries.
-      // The lookup endpoint is located in the IAM server which is different from the
-      // token server.
+      // Mocking call to the /allowedLocations endpoint for trust boundary refresh.
+      // For testing convenience, this mock transport handles
+      // the /allowedLocations endpoint. The actual server for this endpoint
+      // will be the IAM Credentials API.
       request =
           new MockLowLevelHttpRequest(url) {
             @Override