Responding to comments and updating tests

Author: aeitzman

oauth2_http/java/com/google/auth/mtls/WorkloadCertificateConfiguration.java

@@ -36,10 +36,28 @@ public static WorkloadCertificateConfiguration fromCertificateConfigurationStrea
         parser.parseAndClose(certConfigStream, StandardCharsets.UTF_8, GenericJson.class);
 
     Map<String, Object> certConfigs = (Map<String, Object>) fileContents.get("cert_configs");
+    if (certConfigs == null) {
+      throw new IllegalArgumentException(
+          "The cert_configs object must be provided in the certificate configuration file.");
+    }
+
     Map<String, Object> workloadConfig = (Map<String, Object>) certConfigs.get("workload");
+    if (workloadConfig == null) {
+      throw new IllegalArgumentException(
+          "A workload certificate configuration must be provided in the cert_configs object.");
+    }
 
     String certPath = (String) workloadConfig.get("cert_path");
+    if (certPath.isEmpty() || certPath == null) {
+      throw new IllegalArgumentException(
+          "The cert_path field must be provided in the workload certificate configuration.");
+    }
+
     String privateKeyPath = (String) workloadConfig.get("key_path");
+    if (privateKeyPath.isEmpty() || privateKeyPath == null) {
+      throw new IllegalArgumentException(
+          "The key_path field must be provided in the workload certificate configuration.");
+    }
 
     return new WorkloadCertificateConfiguration(certPath, privateKeyPath);
   }

oauth2_http/java/com/google/auth/mtls/X509Provider.java

@@ -1,6 +1,7 @@
 package com.google.auth.mtls;
 
 import com.google.api.client.util.SecurityUtils;
+import com.google.common.annotations.VisibleForTesting;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
@@ -49,14 +50,16 @@ public KeyStore getKeyStore() throws IOException {
 
   private WorkloadCertificateConfiguration getWorkloadCertificateConfiguration()
       throws IOException {
-    String envCredentialsPath = getEnv(CERTIFICATE_CONFIGURATION_ENV_VARIABLE);
     File certConfig;
     if (this.certConfigPathOverride != null) {
       certConfig = new File(certConfigPathOverride);
-    } else if (envCredentialsPath != null && envCredentialsPath.length() > 0) {
-      certConfig = new File(envCredentialsPath);
     } else {
-      certConfig = getWellKnownCertificateConfigFile();
+      String envCredentialsPath = getEnv(CERTIFICATE_CONFIGURATION_ENV_VARIABLE);
+      if (envCredentialsPath != null && !envCredentialsPath.isEmpty()) {
+        certConfig = new File(envCredentialsPath);
+      } else {
+        certConfig = getWellKnownCertificateConfigFile();
+      }
     }
     InputStream certConfigStream = null;
     try {
@@ -82,6 +85,9 @@ private WorkloadCertificateConfiguration getWorkloadCertificateConfiguration()
     }
   }
 
+  /*
+   * Start of methods to allow overriding in the test code to isolate from the environment.
+   */
   boolean isFile(File file) {
     return file.isFile();
   }
@@ -101,8 +107,11 @@ String getOsName() {
   String getProperty(String property, String def) {
     return System.getProperty(property, def);
   }
-
-  File getWellKnownCertificateConfigFile() {
+  /*
+   * End of methods to allow overriding in the test code to isolate from the environment.
+   */
+  
+  private File getWellKnownCertificateConfigFile() {
     File cloudConfigPath;
     String envPath = getEnv("CLOUDSDK_CONFIG");
     if (envPath != null) {

oauth2_http/javatests/com/google/auth/mtls/WorkloadCertificateConfigurationTest.java

@@ -0,0 +1,146 @@
+/*
+ * Copyright 2025, Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.mtls;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
+
+import com.google.api.client.json.GenericJson;
+import com.google.auth.TestUtils;
+import java.io.IOException;
+import java.io.InputStream;
+import org.junit.Test;
+
+public class WorkloadCertificateConfigurationTest {
+
+  @Test
+  public void workloadCertificateConfig_fromStream_Succeeds() throws IOException {
+    String certPath = "cert.crt";
+    String privateKeyPath = "key.crt";
+    InputStream configStream = writeWorkloadCertificateConfigStream(certPath, privateKeyPath);
+
+    WorkloadCertificateConfiguration config =
+        WorkloadCertificateConfiguration.fromCertificateConfigurationStream(configStream);
+    assertNotNull(config);
+  }
+
+  @Test
+  public void workloadCertificateConfig_fromStreamMissingCertPath_Fails() throws IOException {
+    String certPath = "";
+    String privateKeyPath = "key.crt";
+    InputStream configStream = writeWorkloadCertificateConfigStream(certPath, privateKeyPath);
+
+    try {
+      WorkloadCertificateConfiguration config =
+          WorkloadCertificateConfiguration.fromCertificateConfigurationStream(configStream);
+      fail("Expected an error due to missing the certificate path field.");
+    } catch (IllegalArgumentException e) {
+      assertEquals(
+          "The cert_path field must be provided in the workload certificate configuration.",
+          e.getMessage());
+    }
+  }
+
+  @Test
+  public void workloadCertificateConfig_fromStreamMissingPrivateKeyPath_Fails() throws IOException {
+    String certPath = "cert.crt";
+    String privateKeyPath = "";
+    InputStream configStream = writeWorkloadCertificateConfigStream(certPath, privateKeyPath);
+
+    try {
+      WorkloadCertificateConfiguration config =
+          WorkloadCertificateConfiguration.fromCertificateConfigurationStream(configStream);
+      fail("Expected an error due to missing the private key path field.");
+    } catch (IllegalArgumentException e) {
+      assertEquals(
+          "The key_path field must be provided in the workload certificate configuration.",
+          e.getMessage());
+    }
+  }
+
+  @Test
+  public void workloadCertificateConfig_fromStreamMissingWorkload_Fails() throws IOException {
+    GenericJson json = new GenericJson();
+    json.put("cert_configs", new GenericJson());
+    InputStream configStream = TestUtils.jsonToInputStream(json);
+
+    try {
+      WorkloadCertificateConfiguration config =
+          WorkloadCertificateConfiguration.fromCertificateConfigurationStream(configStream);
+      fail("Expected an error due to missing the workload field.");
+    } catch (IllegalArgumentException e) {
+      assertEquals(
+          "A workload certificate configuration must be provided in the cert_configs object.",
+          e.getMessage());
+    }
+  }
+
+  @Test
+  public void workloadCertificateConfig_fromStreamMissingCertConfig_Fails() throws IOException {
+    GenericJson json = new GenericJson();
+    InputStream configStream = TestUtils.jsonToInputStream(json);
+
+    try {
+      WorkloadCertificateConfiguration config =
+          WorkloadCertificateConfiguration.fromCertificateConfigurationStream(configStream);
+      fail("Expected an error due to missing the cert_config field.");
+    } catch (IllegalArgumentException e) {
+      assertEquals(
+          "The cert_configs object must be provided in the certificate configuration file.",
+          e.getMessage());
+    }
+  }
+
+  static InputStream writeWorkloadCertificateConfigStream(String certPath, String privateKeyPath)
+      throws IOException {
+    GenericJson json = writeWorkloadCertificateConfigJson(certPath, privateKeyPath);
+    return TestUtils.jsonToInputStream(json);
+  }
+
+  private static GenericJson writeWorkloadCertificateConfigJson(
+      String certPath, String privateKeyPath) {
+    GenericJson json = new GenericJson();
+    json.put("version", 1);
+    GenericJson certConfigs = new GenericJson();
+    GenericJson workloadConfig = new GenericJson();
+    if (certPath != null) {
+      workloadConfig.put("cert_path", certPath);
+    }
+    if (privateKeyPath != null) {
+      workloadConfig.put("key_path", privateKeyPath);
+    }
+    certConfigs.put("workload", workloadConfig);
+    json.put("cert_configs", certConfigs);
+    return json;
+  }
+}