duplicate fields to log in message. add tests.

Author: zhumin8

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -548,7 +548,7 @@ public AccessToken refreshAccessToken() throws IOException {
 
     HttpResponse response = null;
     try {
-      LoggingUtils.logRequest(request, LOGGER, "Sending auth refresh access token request");
+      LoggingUtils.logRequest(request, LOGGER, "Sending auth request to refresh access token");
       response = request.execute();
       LoggingUtils.logResponse(response, LOGGER, "Received auth response for access token");
     } catch (IOException e) {

oauth2_http/java/com/google/auth/oauth2/LoggingUtils.java

@@ -34,23 +34,41 @@
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpResponse;
 import com.google.api.client.http.UrlEncodedContent;
+import com.google.api.client.http.json.JsonHttpContent;
 import com.google.api.client.util.GenericData;
+import com.google.gson.Gson;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 import org.slf4j.Logger;
 import org.slf4j.MDC;
 
 class LoggingUtils {
 
+  private static final Gson gson = new Gson();
+  private static final Set<String> sensitiveKeys =
+      new HashSet<>(
+          Arrays.asList(
+              "token",
+              "assertion",
+              "access_token",
+              "client_secret",
+              "refresh_token",
+              "signedBlob"));
+
   private LoggingUtils() {}
 
   static void logWithMDC(
       Logger logger, org.slf4j.event.Level level, Map<String, String> contextMap, String message) {
     if (!contextMap.isEmpty()) {
       contextMap.forEach(MDC::put);
+      contextMap.put("message", message);
+      message = gson.toJson(contextMap);
     }
     switch (level) {
       case TRACE:
@@ -100,10 +118,15 @@ static void logRequest(HttpRequest request, Logger logger, String message) {
 
         if (request.getContent() != null && logger.isDebugEnabled()) {
           // are payload always GenericData? If so, can parse and store in json
-          GenericData data = (GenericData) ((UrlEncodedContent) request.getContent()).getData();
-
-          Map<String, String> contextMap = parseGenericData(data);
-          loggingDataMap.put("request.payload", contextMap.toString());
+          if (request.getContent() instanceof UrlEncodedContent) {
+
+            GenericData data = (GenericData) ((UrlEncodedContent) request.getContent()).getData();
+            Map<String, String> contextMap = parseGenericData(data);
+            loggingDataMap.put("request.payload", contextMap.toString());
+          } else if (request.getContent() instanceof JsonHttpContent) {
+            String data = ((JsonHttpContent) request.getContent()).getData().toString();
+            loggingDataMap.put("request.payload", data);
+          }
 
           logWithMDC(logger, org.slf4j.event.Level.DEBUG, loggingDataMap, message);
         } else {
@@ -148,11 +171,7 @@ private static Map<String, String> parseGenericData(GenericData genericData) {
     Map<String, String> contextMap = new HashMap<>();
     genericData.forEach(
         (key, val) -> {
-          if ("token".equals(key)
-              || "assertion".equals(key)
-              || "access_token".equals(key)
-              || "client_secret".equals(key)
-              || "refresh_token".equals(key)) {
+          if (sensitiveKeys.contains(key)) {
             String secretString = String.valueOf(val);
             String hashedVal = calculateSHA256Hash(secretString);
             contextMap.put(key, hashedVal);

oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java

@@ -118,8 +118,8 @@ public class ImpersonatedCredentialsTest extends BaseSerializationTest {
   private static final String PROJECT_ID = "project-id";
   public static final String IMPERSONATED_CLIENT_EMAIL =
       "[email protected]";
-  private static final List<String> IMMUTABLE_SCOPES_LIST = ImmutableList.of("scope1", "scope2");
-  private static final int VALID_LIFETIME = 300;
+  static final List<String> IMMUTABLE_SCOPES_LIST = ImmutableList.of("scope1", "scope2");
+  static final int VALID_LIFETIME = 300;
   private static final int INVALID_LIFETIME = 43210;
   private static JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
 
@@ -162,7 +162,7 @@ public void setup() throws IOException {
     mockTransportFactory = new MockIAMCredentialsServiceTransportFactory();
   }
 
-  private GoogleCredentials getSourceCredentials() throws IOException {
+  static GoogleCredentials getSourceCredentials() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     PrivateKey privateKey = OAuth2Utils.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
     ServiceAccountCredentials sourceCredentials =

oauth2_http/javatests/com/google/auth/oauth2/LoggingTest.java

@@ -31,18 +31,33 @@
 
 package com.google.auth.oauth2;
 
+import static com.google.auth.TestUtils.getDefaultExpireTime;
+import static com.google.auth.oauth2.ImpersonatedCredentialsTest.DEFAULT_IMPERSONATION_URL;
+import static com.google.auth.oauth2.ImpersonatedCredentialsTest.IMMUTABLE_SCOPES_LIST;
+import static com.google.auth.oauth2.ImpersonatedCredentialsTest.IMPERSONATED_CLIENT_EMAIL;
+import static com.google.auth.oauth2.ImpersonatedCredentialsTest.TOKEN_WITH_EMAIL;
+import static com.google.auth.oauth2.ImpersonatedCredentialsTest.VALID_LIFETIME;
 import static com.google.auth.oauth2.ServiceAccountCredentialsTest.ACCESS_TOKEN;
 import static com.google.auth.oauth2.ServiceAccountCredentialsTest.CALL_URI;
 import static com.google.auth.oauth2.ServiceAccountCredentialsTest.CLIENT_EMAIL;
 import static com.google.auth.oauth2.ServiceAccountCredentialsTest.DEFAULT_ID_TOKEN;
 import static com.google.auth.oauth2.ServiceAccountCredentialsTest.SCOPES;
 import static com.google.auth.oauth2.ServiceAccountCredentialsTest.createDefaultBuilder;
+import static com.google.auth.oauth2.UserCredentialsTest.CLIENT_ID;
+import static com.google.auth.oauth2.UserCredentialsTest.CLIENT_SECRET;
+import static com.google.auth.oauth2.UserCredentialsTest.REFRESH_TOKEN;
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 import com.google.api.client.http.HttpStatusCodes;
+import com.google.api.client.json.webtoken.JsonWebToken.Payload;
 import com.google.auth.TestAppender;
 import com.google.auth.TestUtils;
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 import org.junit.Test;
@@ -51,6 +66,8 @@
 
 public class LoggingTest {
 
+  private static final Gson gson = new Gson();
+
   private TestAppender setupTestLogger(Class<?> clazz) {
     TestAppender testAppender = new TestAppender();
     testAppender.start();
@@ -60,7 +77,37 @@ private TestAppender setupTestLogger(Class<?> clazz) {
   }
 
   @Test
-  public void getRequestMetadata_hasAccessToken() throws IOException {
+  public void userCredentials_getRequestMetadata_fromRefreshToken_hasAccessToken()
+      throws IOException {
+    TestAppender testAppender = setupTestLogger(UserCredentials.class);
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
+    transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
+    UserCredentials userCredentials =
+        UserCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .setHttpTransportFactory(transportFactory)
+            .build();
+
+    Map<String, List<String>> metadata = userCredentials.getRequestMetadata(CALL_URI);
+
+    TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
+
+    assertEquals(3, testAppender.events.size());
+    JsonObject jsonMessage =
+        gson.fromJson(testAppender.events.get(0).getFormattedMessage(), JsonObject.class);
+
+    assertEquals(
+        "com.google.auth.oauth2.UserCredentials", testAppender.events.get(0).getLoggerName());
+    assertEquals(
+        "Sending auth request to refresh access token", jsonMessage.get("message").getAsString());
+    testAppender.stop();
+  }
+
+  @Test
+  public void serviceAccountCredentials_getRequestMetadata_hasAccessToken() throws IOException {
     TestAppender testAppender = setupTestLogger(ServiceAccountCredentials.class);
     GoogleCredentials credentials =
         ServiceAccountCredentialsTest.createDefaultBuilderWithToken(ACCESS_TOKEN)
@@ -70,14 +117,17 @@ public void getRequestMetadata_hasAccessToken() throws IOException {
     TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
 
     assertEquals(3, testAppender.events.size());
+    JsonObject jsonMessage =
+        gson.fromJson(testAppender.events.get(0).getFormattedMessage(), JsonObject.class);
+
     assertEquals(
-        "Sending auth request to refresh access token",
-        testAppender.events.get(0).getFormattedMessage());
+        "Sending auth request to refresh access token", jsonMessage.get("message").getAsString());
     testAppender.stop();
   }
 
   @Test
-  public void idTokenWithAudience_iamFlow_targetAudienceMatchesAudClaim() throws IOException {
+  public void serviceAccountCredentials_idTokenWithAudience_iamFlow_targetAudienceMatchesAudClaim()
+      throws IOException {
     TestAppender testAppender = setupTestLogger(ServiceAccountCredentials.class);
     String nonGDU = "test.com";
     MockIAMCredentialsServiceTransportFactory transportFactory =
@@ -108,11 +158,139 @@ public void idTokenWithAudience_iamFlow_targetAudienceMatchesAudClaim() throws I
         tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudience());
 
     assertEquals(2, testAppender.events.size());
+
+    JsonObject jsonMessage1 =
+        gson.fromJson(testAppender.events.get(0).getFormattedMessage(), JsonObject.class);
+    JsonObject jsonMessage2 =
+        gson.fromJson(testAppender.events.get(1).getFormattedMessage(), JsonObject.class);
     assertEquals(
         "Sending Auth request to get id token via Iam Endpoint",
-        testAppender.events.get(0).getFormattedMessage());
-    assertEquals("Auth response payload", testAppender.events.get(1).getFormattedMessage());
+        jsonMessage1.get("message").getAsString());
+    assertEquals("Auth response payload", jsonMessage2.get("message").getAsString());
+
+    testAppender.stop();
+  }
+
+  @Test()
+  public void impersonatedCredentials_refreshAccessToken_success()
+      throws IOException, IllegalStateException {
+    TestAppender testAppender = setupTestLogger(ImpersonatedCredentials.class);
+    MockIAMCredentialsServiceTransportFactory mockTransportFactory =
+        new MockIAMCredentialsServiceTransportFactory();
+    mockTransportFactory.getTransport().setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+    mockTransportFactory.getTransport().setAccessToken(ACCESS_TOKEN);
+    mockTransportFactory.getTransport().setExpireTime(getDefaultExpireTime());
+    mockTransportFactory.getTransport().addStatusCodeAndMessage(HttpStatusCodes.STATUS_CODE_OK, "");
+    ImpersonatedCredentials targetCredentials =
+        ImpersonatedCredentials.create(
+            ImpersonatedCredentialsTest.getSourceCredentials(),
+            IMPERSONATED_CLIENT_EMAIL,
+            null,
+            IMMUTABLE_SCOPES_LIST,
+            VALID_LIFETIME,
+            mockTransportFactory);
 
+    assertEquals(ACCESS_TOKEN, targetCredentials.refreshAccessToken().getTokenValue());
+    assertEquals(
+        DEFAULT_IMPERSONATION_URL, mockTransportFactory.getTransport().getRequest().getUrl());
+
+    // verify metrics header added and authorization header intact
+    Map<String, List<String>> requestHeader =
+        mockTransportFactory.getTransport().getRequest().getHeaders();
+    com.google.auth.oauth2.TestUtils.validateMetricsHeader(requestHeader, "at", "imp");
+    assertTrue(requestHeader.containsKey("authorization"));
+
+    assertEquals(3, testAppender.events.size());
+    JsonObject jsonMessage =
+        gson.fromJson(testAppender.events.get(0).getFormattedMessage(), JsonObject.class);
+
+    assertEquals(
+        "com.google.auth.oauth2.ImpersonatedCredentials",
+        testAppender.events.get(0).getLoggerName());
+    assertEquals(
+        "Sending auth request to refresh access token", jsonMessage.get("message").getAsString());
+    assertEquals(4, testAppender.events.get(0).getMDCPropertyMap().size());
+    testAppender.stop();
+  }
+
+  @Test
+  public void idTokenWithAudience_withEmail() throws IOException {
+    TestAppender testAppender = setupTestLogger(IamUtils.class);
+    MockIAMCredentialsServiceTransportFactory mockTransportFactory =
+        new MockIAMCredentialsServiceTransportFactory();
+    mockTransportFactory.getTransport().setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+    mockTransportFactory.getTransport().setAccessToken(ACCESS_TOKEN);
+    mockTransportFactory.getTransport().setExpireTime(getDefaultExpireTime());
+    mockTransportFactory.getTransport().addStatusCodeAndMessage(HttpStatusCodes.STATUS_CODE_OK, "");
+
+    ImpersonatedCredentials targetCredentials =
+        ImpersonatedCredentials.create(
+            ImpersonatedCredentialsTest.getSourceCredentials(),
+            IMPERSONATED_CLIENT_EMAIL,
+            null,
+            IMMUTABLE_SCOPES_LIST,
+            VALID_LIFETIME,
+            mockTransportFactory);
+
+    mockTransportFactory.getTransport().setIdToken(TOKEN_WITH_EMAIL);
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(targetCredentials)
+            .setTargetAudience(targetAudience)
+            .setOptions(Arrays.asList(IdTokenProvider.Option.INCLUDE_EMAIL))
+            .build();
+    tokenCredential.refresh();
+    assertEquals(TOKEN_WITH_EMAIL, tokenCredential.getAccessToken().getTokenValue());
+    Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
+    assertTrue(p.containsKey("email"));
+
+    assertEquals(3, testAppender.events.size());
+    JsonObject jsonMessage =
+        gson.fromJson(testAppender.events.get(0).getFormattedMessage(), JsonObject.class);
+
+    assertEquals("com.google.auth.oauth2.IamUtils", testAppender.events.get(0).getLoggerName());
+    assertEquals("Sending auth request to get id token", jsonMessage.get("message").getAsString());
+    assertEquals(4, testAppender.events.get(0).getMDCPropertyMap().size());
+    testAppender.stop();
+  }
+
+  @Test
+  public void sign_sameAs() throws IOException {
+    TestAppender testAppender = setupTestLogger(IamUtils.class);
+    MockIAMCredentialsServiceTransportFactory mockTransportFactory =
+        new MockIAMCredentialsServiceTransportFactory();
+    mockTransportFactory.getTransport().setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+    mockTransportFactory.getTransport().setAccessToken(ACCESS_TOKEN);
+    mockTransportFactory.getTransport().setExpireTime(getDefaultExpireTime());
+    mockTransportFactory.getTransport().addStatusCodeAndMessage(HttpStatusCodes.STATUS_CODE_OK, "");
+    ImpersonatedCredentials targetCredentials =
+        ImpersonatedCredentials.create(
+            ImpersonatedCredentialsTest.getSourceCredentials(),
+            IMPERSONATED_CLIENT_EMAIL,
+            null,
+            IMMUTABLE_SCOPES_LIST,
+            VALID_LIFETIME,
+            mockTransportFactory);
+
+    byte[] expectedSignature = {0xD, 0xE, 0xA, 0xD};
+
+    mockTransportFactory.getTransport().setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+    mockTransportFactory.getTransport().setSignedBlob(expectedSignature);
+
+    assertArrayEquals(expectedSignature, targetCredentials.sign(expectedSignature));
+
+    assertEquals(3, testAppender.events.size());
+    JsonObject jsonMessage =
+        gson.fromJson(testAppender.events.get(0).getFormattedMessage(), JsonObject.class);
+
+    assertEquals("com.google.auth.oauth2.IamUtils", testAppender.events.get(0).getLoggerName());
+    assertEquals(
+        "Sending auth request to get signature to sign the blob",
+        jsonMessage.get("message").getAsString());
+    assertEquals(4, testAppender.events.get(0).getMDCPropertyMap().size());
+    assertEquals(1, testAppender.events.get(2).getMDCPropertyMap().size());
     testAppender.stop();
   }
 }

oauth2_http/javatests/com/google/auth/oauth2/LoggingUtilsTest.java

@@ -36,6 +36,8 @@
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import com.google.api.client.util.GenericData;
 import com.google.auth.TestAppender;
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
 import java.util.HashMap;
 import java.util.Map;
 import org.junit.Test;
@@ -46,6 +48,7 @@
 
 public class LoggingUtilsTest {
   private static final Logger LOGGER = LoggerFactory.getLogger(LoggingUtilsTest.class);
+  private static final Gson gson = new Gson();
 
   private TestAppender setupTestLogger() {
     TestAppender testAppender = new TestAppender();
@@ -65,7 +68,12 @@ public void testLogWithMDC_slf4jLogger() {
     LoggingUtils.logWithMDC(LOGGER, Level.DEBUG, contextMap, "test message");
 
     assertEquals(1, testAppender.events.size());
-    assertEquals("test message", testAppender.events.get(0).getFormattedMessage());
+
+    JsonObject jsonMessage =
+        gson.fromJson(testAppender.events.get(0).getFormattedMessage(), JsonObject.class);
+    assertEquals("test message", jsonMessage.get("message").getAsString());
+    assertEquals("value1", jsonMessage.get("key1").getAsString());
+    assertEquals("value2", jsonMessage.get("key2").getAsString());
 
     // Verify MDC content
     ILoggingEvent event = testAppender.events.get(0);

oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java

@@ -70,9 +70,9 @@
 @RunWith(JUnit4.class)
 public class UserCredentialsTest extends BaseSerializationTest {
 
-  private static final String CLIENT_SECRET = "jakuaL9YyieakhECKL2SwZcu";
-  private static final String CLIENT_ID = "ya29.1.AADtN_UtlxN3PuGAxrN2XQnZTVRvDyVWnYq4I6dws";
-  private static final String REFRESH_TOKEN = "1/Tl6awhpFjkMkSJoj1xsli0H2eL5YsMgU_NKPY2TyGWY";
+  static final String CLIENT_SECRET = "jakuaL9YyieakhECKL2SwZcu";
+  static final String CLIENT_ID = "ya29.1.AADtN_UtlxN3PuGAxrN2XQnZTVRvDyVWnYq4I6dws";
+  static final String REFRESH_TOKEN = "1/Tl6awhpFjkMkSJoj1xsli0H2eL5YsMgU_NKPY2TyGWY";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");