Add unit tests for IdentityPoolCredentials.

nbayati · nbayati · commit 82442dcc902d · 2025-04-29T16:37:19.000-07:00
diff --git a/oauth2_http/java/com/google/auth/oauth2/CertificateIdentityPoolSubjectTokenSupplier.java b/oauth2_http/java/com/google/auth/oauth2/CertificateIdentityPoolSubjectTokenSupplier.java
@@ -41,7 +41,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
-import java.nio.file.InvalidPathException;
 import java.nio.file.Paths;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
@@ -74,13 +73,7 @@ public class CertificateIdentityPoolSubjectTokenSupplier
   private static X509Certificate loadLeafCertificate(String path)
       throws IOException, CertificateException {
     byte[] leafCertBytes;
-    try {
-      // IdentityPoolCredentials should have already validated the path exists via X509Provider.
-      leafCertBytes = Files.readAllBytes(Paths.get(path));
-    } catch (InvalidPathException e) {
-      throw new IOException("Invalid certificate file path provided: " + path, e);
-    }
-    // Files.readAllBytes throws IOException for other read errors.
+    leafCertBytes = Files.readAllBytes(Paths.get(path));
     return parseCertificate(leafCertBytes);
   }
 
@@ -95,6 +88,8 @@ static X509Certificate parseCertificate(byte[] certData) throws CertificateExcep
       InputStream certificateStream = new ByteArrayInputStream(certData);
       return (X509Certificate) certificateFactory.generateCertificate(certificateStream);
     } catch (CertificateException e) {
+      // Catch the original exception to add context about the operation being performed.
+      // This helps pinpoint the failure point during debugging.
       throw new CertificateException("Failed to parse X.509 certificate data.", e);
     }
   }
@@ -117,6 +112,9 @@ public String getSubjectToken(ExternalAccountSupplierContext context) throws IOE
 
       return GSON.toJson(certChain);
     } catch (CertificateException e) {
+      // Catch CertificateException to provide a more specific error message including
+      // the path of the file that failed to parse, and re-throw as IOException
+      // as expected by the getSubjectToken method signature for I/O related issues.
       throw new IOException(
           "Failed to parse certificate from: " + credentialSource.credentialLocation, e);
     }
diff --git a/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentialSource.java b/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentialSource.java
@@ -174,11 +174,11 @@ public static class CertificateConfig implements java.io.Serializable {
 
       checkArgument(
           (useDefault || locationIsPresent),
-          "credentials: \"certificate\" object must either specify a certificate_config_location or use_default_certificate_config should be true");
+          "Invalid 'certificate' configuration in credential source: Must specify either 'certificate_config_location' or set 'use_default_certificate_config' to true.");
 
       checkArgument(
           !(useDefault && locationIsPresent),
-          "credentials: \"certificate\" object cannot specify both a certificate_config_location and use_default_certificate_config=true");
+          "Invalid 'certificate' configuration in credential source: Cannot specify both 'certificate_config_location' and set 'use_default_certificate_config' to true.");
 
       this.useDefaultCertificateConfig = useDefault;
       this.certificateConfigLocation = certificateConfigLocation;
@@ -245,7 +245,7 @@ public IdentityPoolCredentialSource(Map<String, Object> credentialSourceMap) {
       this.certificateConfig = getCertificateConfig(credentialSourceMap);
     } else {
       throw new IllegalArgumentException(
-          "Missing credential source file location or URL. At least one must be specified.");
+          "Missing credential source file location, URL, or certificate. At least one must be specified.");
     }
 
     Map<String, String> headersMap = (Map<String, String>) credentialSourceMap.get("headers");
diff --git a/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java
@@ -100,19 +100,19 @@ public class IdentityPoolCredentials extends ExternalAccountCredentials {
         final IdentityPoolCredentialSource.CertificateConfig certConfig =
             credentialSource.certificateConfig;
 
-        // Determine the certificate path based on the configuration.
-        String explicitCertConfigPath = null;
-        if (!certConfig.useDefaultCertificateConfig()) {
-          explicitCertConfigPath = certConfig.getCertificateConfigLocation();
-          if (explicitCertConfigPath == null || explicitCertConfigPath.isEmpty()) {
-            throw new IllegalArgumentException(
-                "certificateConfigLocation must be provided when useDefaultCertificateConfig is false.");
-          }
+        // Use the provided X509Provider if available.
+        X509Provider x509Provider = builder.x509Provider;
+        if (x509Provider == null) {
+          // Determine the certificate path based on the configuration.
+          String explicitCertConfigPath =
+              certConfig.useDefaultCertificateConfig()
+                  ? null
+                  : certConfig.getCertificateConfigLocation();
+
+          // Initialize X509Provider with the explicit path (if provided).
+          x509Provider = new X509Provider(explicitCertConfigPath);
         }
 
-        // Initialize X509Provider with the explicit path (if provided).
-        X509Provider x509Provider = new X509Provider(explicitCertConfigPath);
-
         // Update the transport factory to use a mTLS transport with the provided certificate.
         KeyStore mtlsKeyStore = x509Provider.getKeyStore();
         final NetHttpTransport mtlsTransport =
@@ -129,7 +129,7 @@ public class IdentityPoolCredentials extends ExternalAccountCredentials {
       } catch (GeneralSecurityException | IOException e) {
         // Catch exceptions from X509Provider or transport creation
         throw new RuntimeException(
-            "Failed to initialize mTLS transport for IdentityPoolCredentials using X509Provider",
+            "Failed to initialize mTLS transport for IdentityPoolCredentials using X509Provider.",
             e);
       }
     } else {
@@ -184,6 +184,7 @@ public static Builder newBuilder(IdentityPoolCredentials identityPoolCredentials
   public static class Builder extends ExternalAccountCredentials.Builder {
 
     private IdentityPoolSubjectTokenSupplier subjectTokenSupplier;
+    private X509Provider x509Provider;
 
     Builder() {}
 
@@ -194,6 +195,21 @@ public static class Builder extends ExternalAccountCredentials.Builder {
       }
     }
 
+    /**
+     * Sets a custom {@link X509Provider} to manage the client certificate and private key for mTLS.
+     * If set, this provider will be used instead of the default behavior which initializes an
+     * {@code X509Provider} based on the {@code certificateConfigLocation} or default paths found in
+     * the {@code credentialSource}. This is primarily used for testing.
+     *
+     * @param x509Provider the custom X509 provider to use.
+     * @return this {@code Builder} object
+     */
+    @CanIgnoreReturnValue
+    public Builder setX509Provider(X509Provider x509Provider) {
+      this.x509Provider = x509Provider;
+      return this;
+    }
+
     /**
      * Sets the subject token supplier. The supplier should return a valid subject token string.
      *
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsSourceTest.java b/oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsSourceTest.java
@@ -31,126 +31,122 @@
 
 package com.google.auth.oauth2;
 
-import static com.google.auth.Credentials.GOOGLE_DEFAULT_UNIVERSE;
-import static com.google.auth.oauth2.MockExternalAccountCredentialsTransport.SERVICE_ACCOUNT_IMPERSONATION_URL;
-import static com.google.auth.oauth2.OAuth2Utils.JSON_FACTORY;
 import static org.junit.Assert.*;
 
-import com.google.api.client.http.HttpTransport;
-import com.google.api.client.json.GenericJson;
-import com.google.api.client.util.Clock;
-import com.google.auth.TestUtils;
-import com.google.auth.http.HttpTransportFactory;
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
+import com.google.auth.oauth2.IdentityPoolCredentialSource.IdentityPoolCredentialSourceType;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
-import javax.annotation.Nullable;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 
-import com.google.auth.oauth2.IdentityPoolCredentialSource.IdentityPoolCredentialSourceType;
-
 /** Tests for {@link IdentityPoolCredentialSource}. */
 @RunWith(JUnit4.class)
 public class IdentityPoolCredentialsSourceTest {
 
   @Test
-  public void constructor_certificateConfig(){
+  public void constructor_certificateConfig() {
     Map<String, Object> certificateMap = new HashMap<>();
     certificateMap.put("certificate_config_location", "/path/to/certificate");
 
     Map<String, Object> credentialSourceMap = new HashMap<>();
     credentialSourceMap.put("certificate", certificateMap);
 
-    IdentityPoolCredentialSource credentialSource = new IdentityPoolCredentialSource(credentialSourceMap);
-    assertEquals(IdentityPoolCredentialSourceType.CERTIFICATE, credentialSource.credentialSourceType);
+    IdentityPoolCredentialSource credentialSource =
+        new IdentityPoolCredentialSource(credentialSourceMap);
+    assertEquals(
+        IdentityPoolCredentialSourceType.CERTIFICATE, credentialSource.credentialSourceType);
     assertNotNull(credentialSource.certificateConfig);
     assertFalse(credentialSource.certificateConfig.useDefaultCertificateConfig());
-    assertEquals("/path/to/certificate", credentialSource.certificateConfig.getCertificateConfigLocation());
+    assertEquals(
+        "/path/to/certificate", credentialSource.certificateConfig.getCertificateConfigLocation());
   }
 
   @Test
-  public void constructor_certificateConfig_useDefault(){
+  public void constructor_certificateConfig_useDefault() {
     Map<String, Object> certificateMap = new HashMap<>();
     certificateMap.put("use_default_certificate_config", true);
 
     Map<String, Object> credentialSourceMap = new HashMap<>();
     credentialSourceMap.put("certificate", certificateMap);
 
-    IdentityPoolCredentialSource credentialSource = new IdentityPoolCredentialSource(credentialSourceMap);
-    assertEquals(IdentityPoolCredentialSourceType.CERTIFICATE, credentialSource.credentialSourceType);
+    IdentityPoolCredentialSource credentialSource =
+        new IdentityPoolCredentialSource(credentialSourceMap);
+    assertEquals(
+        IdentityPoolCredentialSourceType.CERTIFICATE, credentialSource.credentialSourceType);
     assertNotNull(credentialSource.certificateConfig);
     assertTrue(credentialSource.certificateConfig.useDefaultCertificateConfig());
   }
 
   @Test
-  public void constructor_certificateConfig_missingRequiredFields_throws(){
+  public void constructor_certificateConfig_missingRequiredFields_throws() {
     Map<String, Object> certificateMap = new HashMap<>();
-    //Missing both use_default_certificate_config and certificate_config_location
+    // Missing both use_default_certificate_config and certificate_config_location.
     certificateMap.put("trust_chain_path", "path/to/trust/chain");
 
     Map<String, Object> credentialSourceMap = new HashMap<>();
     credentialSourceMap.put("certificate", certificateMap);
 
-    IllegalArgumentException exception = assertThrows(
-        IllegalArgumentException.class,
-        () -> new IdentityPoolCredentialSource(credentialSourceMap)
-    );
-    assertTrue(exception.getMessage().contains("must either specify a certificate_config_location or use_default_certificate_config should be true"));
+    IllegalArgumentException exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> new IdentityPoolCredentialSource(credentialSourceMap));
+    assertEquals(
+        "Invalid 'certificate' configuration in credential source: Must specify either 'certificate_config_location' or set 'use_default_certificate_config' to true.",
+        exception.getMessage());
   }
 
   @Test
-  public void constructor_certificateConfig_bothFieldsSet_throws(){
+  public void constructor_certificateConfig_bothFieldsSet_throws() {
     Map<String, Object> certificateMap = new HashMap<>();
     certificateMap.put("use_default_certificate_config", true);
     certificateMap.put("certificate_config_location", "/path/to/certificate");
 
     Map<String, Object> credentialSourceMap = new HashMap<>();
     credentialSourceMap.put("certificate", certificateMap);
 
-    IllegalArgumentException exception = assertThrows(
-        IllegalArgumentException.class,
-        () -> new IdentityPoolCredentialSource(credentialSourceMap)
-    );
-    assertTrue(exception.getMessage().contains("cannot specify both a certificate_config_location and use_default_certificate_config=true"));
+    IllegalArgumentException exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> new IdentityPoolCredentialSource(credentialSourceMap));
+
+    assertEquals(
+        "Invalid 'certificate' configuration in credential source: Cannot specify both 'certificate_config_location' and set 'use_default_certificate_config' to true.",
+        exception.getMessage());
   }
 
   @Test
-  public void constructor_certificateConfig_trustChainPath(){
+  public void constructor_certificateConfig_trustChainPath() {
     Map<String, Object> certificateMap = new HashMap<>();
     certificateMap.put("use_default_certificate_config", true);
     certificateMap.put("trust_chain_path", "path/to/trust/chain");
 
     Map<String, Object> credentialSourceMap = new HashMap<>();
     credentialSourceMap.put("certificate", certificateMap);
 
-    IdentityPoolCredentialSource credentialSource = new IdentityPoolCredentialSource(credentialSourceMap);
-    assertEquals(IdentityPoolCredentialSourceType.CERTIFICATE, credentialSource.credentialSourceType);
+    IdentityPoolCredentialSource credentialSource =
+        new IdentityPoolCredentialSource(credentialSourceMap);
+    assertEquals(
+        IdentityPoolCredentialSourceType.CERTIFICATE, credentialSource.credentialSourceType);
     assertNotNull(credentialSource.certificateConfig);
     assertEquals("path/to/trust/chain", credentialSource.certificateConfig.getTrustChainPath());
   }
 
-
   @Test
-  public void constructor_certificateConfig_invalidType_throws(){
+  public void constructor_certificateConfig_invalidType_throws() {
     Map<String, Object> certificateMap = new HashMap<>();
     certificateMap.put("use_default_certificate_config", "invalid-type");
 
     Map<String, Object> credentialSourceMap = new HashMap<>();
     credentialSourceMap.put("certificate", certificateMap);
 
-    IllegalArgumentException exception = assertThrows(
-        IllegalArgumentException.class,
-        () -> new IdentityPoolCredentialSource(credentialSourceMap)
-    );
-    assertTrue(exception.getMessage().contains("Invalid type for 'use_default_certificate_config' in certificate configuration: expected Boolean"));
-  }
+    IllegalArgumentException exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> new IdentityPoolCredentialSource(credentialSourceMap));
 
+    assertEquals(
+        "Invalid type for 'use_default_certificate_config' in certificate configuration: expected Boolean, got String.",
+        exception.getMessage());
+  }
 }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java
