feat: Support user defined or json defined scopes for impersonated token

Author: lqiu96

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -50,21 +50,16 @@
 import com.google.auth.oauth2.MetricsUtils.RequestType;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Calendar;
-import java.util.Collection;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
 
 /**
  * ImpersonatedCredentials allowing credentials issued to a user or service account to impersonate
@@ -104,7 +99,7 @@ public class ImpersonatedCredentials extends GoogleCredentials
   private GoogleCredentials sourceCredentials;
   private String targetPrincipal;
   private List<String> delegates;
-  private List<String> scopes;
+  private final List<String> scopes;
   private int lifetime;
   private String iamEndpointOverride;
   private final String transportFactoryClassName;
@@ -390,6 +385,10 @@ static ImpersonatedCredentials fromJson(
     String quotaProjectId;
     String targetPrincipal;
     String serviceAccountImpersonationUrl;
+    // This applies to the scopes applied for the impersonated token and not the
+    // underlying source credential. Default to empty list to keep the existing
+    // behavior (when json file did not populate a scopes field).
+    List<String> scopes = new ArrayList<>();
     try {
       serviceAccountImpersonationUrl = (String) json.get("service_account_impersonation_url");
       if (json.containsKey("delegates")) {
@@ -399,18 +398,21 @@ static ImpersonatedCredentials fromJson(
       sourceCredentialsType = (String) sourceCredentialsJson.get("type");
       quotaProjectId = (String) json.get("quota_project_id");
       targetPrincipal = extractTargetPrincipal(serviceAccountImpersonationUrl);
+      if (json.containsKey("scopes")) {
+        scopes = (List<String>) json.get("scopes");
+      }
     } catch (ClassCastException | NullPointerException | IllegalArgumentException e) {
       throw new CredentialFormatException("An invalid input stream was provided.", e);
     }
 
     GoogleCredentials sourceCredentials;
-    if (GoogleCredentialsInfo.USER_CREDENTIALS.getFileType().equals(sourceCredentialsType)) {
+    if (sourceCredentialsType.equals(GoogleCredentialsInfo.USER_CREDENTIALS.getFileType())) {
       sourceCredentials = UserCredentials.fromJson(sourceCredentialsJson, transportFactory);
-    } else if (GoogleCredentialsInfo.SERVICE_ACCOUNT_CREDENTIALS
-        .getFileType()
-        .equals(sourceCredentialsType)) {
+    } else if (sourceCredentialsType.equals(
+        GoogleCredentialsInfo.SERVICE_ACCOUNT_CREDENTIALS.getFileType())) {
       sourceCredentials =
           ServiceAccountCredentials.fromJson(sourceCredentialsJson, transportFactory);
+
     } else {
       throw new IOException(
           String.format(
@@ -421,7 +423,7 @@ static ImpersonatedCredentials fromJson(
         .setSourceCredentials(sourceCredentials)
         .setTargetPrincipal(targetPrincipal)
         .setDelegates(delegates)
-        .setScopes(new ArrayList<>())
+        .setScopes(scopes)
         .setLifetime(DEFAULT_LIFETIME_IN_SECONDS)
         .setHttpTransportFactory(transportFactory)
         .setQuotaProjectId(quotaProjectId)
@@ -468,7 +470,9 @@ private ImpersonatedCredentials(Builder builder) throws IOException {
     this.sourceCredentials = builder.getSourceCredentials();
     this.targetPrincipal = builder.getTargetPrincipal();
     this.delegates = builder.getDelegates();
-    this.scopes = builder.getScopes();
+
+    // Precedence for scopes: 1. User configured scopes 2. Scopes set in the JSON
+    this.scopes = ImmutableList.copyOf(builder.getScopes());
     this.lifetime = builder.getLifetime();
     this.transportFactory =
         firstNonNull(
@@ -480,9 +484,6 @@ private ImpersonatedCredentials(Builder builder) throws IOException {
     if (this.delegates == null) {
       this.delegates = new ArrayList<>();
     }
-    if (this.scopes == null) {
-      throw new IllegalStateException("Scopes cannot be null");
-    }
     if (this.lifetime > TWELVE_HOURS_IN_SECONDS) {
       throw new IllegalStateException("lifetime must be less than or equal to 43200");
     }
@@ -517,7 +518,7 @@ public String getUniverseDomain() throws IOException {
   public AccessToken refreshAccessToken() throws IOException {
     if (this.sourceCredentials.getAccessToken() == null) {
       this.sourceCredentials =
-          this.sourceCredentials.createScoped(Arrays.asList(CLOUD_PLATFORM_SCOPE));
+          this.sourceCredentials.createScoped(Collections.singletonList(CLOUD_PLATFORM_SCOPE));
     }
 
     // skip for SA with SSJ flow because it uses self-signed JWT
@@ -741,12 +742,22 @@ public List<String> getDelegates() {
       return this.delegates;
     }
 
+    /**
+     * Set the scopes to be applied on the impersonated token and not on the source credential. This
+     * user configuration has precedence over the scopes listed in the source credential json file.
+     *
+     * @param scopes List of scopes to apply to the impersonated token
+     */
     @CanIgnoreReturnValue
     public Builder setScopes(List<String> scopes) {
+      Preconditions.checkNotNull(scopes, "Scopes cannot be null");
       this.scopes = scopes;
       return this;
     }
 
+    /**
+     * @return List of scopes to be applied to the impersonated token.
+     */
     public List<String> getScopes() {
       return this.scopes;
     }

oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java

@@ -619,7 +619,8 @@ public void fromStream_Impersonation_providesToken_WithQuotaProject() throws IOE
         ImpersonatedCredentialsTest.writeImpersonationCredentialsStream(
             ImpersonatedCredentialsTest.IMPERSONATION_OVERRIDE_URL,
             ImpersonatedCredentialsTest.DELEGATES,
-            ImpersonatedCredentialsTest.QUOTA_PROJECT_ID);
+            ImpersonatedCredentialsTest.QUOTA_PROJECT_ID,
+            ImpersonatedCredentialsTest.IMMUTABLE_SCOPES_LIST);
 
     ImpersonatedCredentials credentials =
         (ImpersonatedCredentials)
@@ -649,7 +650,8 @@ public void fromStream_Impersonation_defaultUniverse() throws IOException {
         ImpersonatedCredentialsTest.writeImpersonationCredentialsStream(
             ImpersonatedCredentialsTest.IMPERSONATION_OVERRIDE_URL,
             ImpersonatedCredentialsTest.DELEGATES,
-            ImpersonatedCredentialsTest.QUOTA_PROJECT_ID);
+            ImpersonatedCredentialsTest.QUOTA_PROJECT_ID,
+            ImpersonatedCredentialsTest.IMMUTABLE_SCOPES_LIST);
 
     ImpersonatedCredentials credentials =
         (ImpersonatedCredentials)
@@ -684,7 +686,8 @@ public void fromStream_Impersonation_providesToken_WithoutQuotaProject() throws
         ImpersonatedCredentialsTest.writeImpersonationCredentialsStream(
             ImpersonatedCredentialsTest.IMPERSONATION_OVERRIDE_URL,
             ImpersonatedCredentialsTest.DELEGATES,
-            null);
+            null,
+            ImpersonatedCredentialsTest.IMMUTABLE_SCOPES_LIST);
 
     ImpersonatedCredentials credentials =
         (ImpersonatedCredentials)
@@ -916,7 +919,8 @@ public void getCredentialInfo_impersonatedServiceAccount() throws IOException {
         ImpersonatedCredentialsTest.writeImpersonationCredentialsStream(
             ImpersonatedCredentialsTest.IMPERSONATION_OVERRIDE_URL,
             ImpersonatedCredentialsTest.DELEGATES,
-            null);
+            null,
+            ImpersonatedCredentialsTest.IMMUTABLE_SCOPES_LIST);
 
     ImpersonatedCredentials credentials =
         (ImpersonatedCredentials) GoogleCredentials.fromStream(impersonationCredentialsStream);

oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java

@@ -123,11 +123,10 @@ public class ImpersonatedCredentialsTest extends BaseSerializationTest {
   static final List<String> IMMUTABLE_SCOPES_LIST = ImmutableList.of("scope1", "scope2");
   static final int VALID_LIFETIME = 300;
   private static final int INVALID_LIFETIME = 43210;
-  private static JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
+  private static final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
 
   private static final String RFC3339 = "yyyy-MM-dd'T'HH:mm:ssX";
 
-  private static final String DEFAULT_UNIVERSE_DOMAIN = "googleapis.com";
   private static final String TEST_UNIVERSE_DOMAIN = "test.xyz";
   private static final String OLD_IMPERSONATION_URL =
       "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
@@ -136,7 +135,7 @@ public class ImpersonatedCredentialsTest extends BaseSerializationTest {
   public static final String DEFAULT_IMPERSONATION_URL =
       String.format(
           IamUtils.IAM_ACCESS_TOKEN_ENDPOINT_FORMAT,
-          DEFAULT_UNIVERSE_DOMAIN,
+          GoogleCredentials.GOOGLE_DEFAULT_UNIVERSE,
           IMPERSONATED_CLIENT_EMAIL);
   private static final String NONGDU_IMPERSONATION_URL =
       String.format(
@@ -190,14 +189,15 @@ public void fromJson_userAsSource_WithQuotaProjectId() throws IOException {
             QUOTA_PROJECT_ID,
             USER_ACCOUNT_CLIENT_ID,
             USER_ACCOUNT_CLIENT_SECRET,
-            REFRESH_TOKEN);
+            REFRESH_TOKEN,
+            IMMUTABLE_SCOPES_LIST);
     ImpersonatedCredentials credentials =
         ImpersonatedCredentials.fromJson(json, mockTransportFactory);
     assertEquals(IMPERSONATED_CLIENT_EMAIL, credentials.getAccount());
     assertEquals(IMPERSONATION_OVERRIDE_URL, credentials.getIamEndpointOverride());
     assertEquals(QUOTA_PROJECT_ID, credentials.getQuotaProjectId());
     assertEquals(DELEGATES, credentials.getDelegates());
-    assertEquals(new ArrayList<String>(), credentials.getScopes());
+    assertEquals(IMMUTABLE_SCOPES_LIST, credentials.getScopes());
     assertEquals(3600, credentials.getLifetime());
     GoogleCredentials sourceCredentials = credentials.getSourceCredentials();
     assertTrue(sourceCredentials instanceof UserCredentials);
@@ -212,14 +212,15 @@ public void fromJson_userAsSource_WithoutQuotaProjectId() throws IOException {
             null,
             USER_ACCOUNT_CLIENT_ID,
             USER_ACCOUNT_CLIENT_SECRET,
-            REFRESH_TOKEN);
+            REFRESH_TOKEN,
+            IMMUTABLE_SCOPES_LIST);
     ImpersonatedCredentials credentials =
         ImpersonatedCredentials.fromJson(json, mockTransportFactory);
     assertEquals(IMPERSONATED_CLIENT_EMAIL, credentials.getAccount());
     assertEquals(IMPERSONATION_OVERRIDE_URL, credentials.getIamEndpointOverride());
     assertNull(credentials.getQuotaProjectId());
     assertEquals(DELEGATES, credentials.getDelegates());
-    assertEquals(new ArrayList<String>(), credentials.getScopes());
+    assertEquals(IMMUTABLE_SCOPES_LIST, credentials.getScopes());
     assertEquals(3600, credentials.getLifetime());
     GoogleCredentials sourceCredentials = credentials.getSourceCredentials();
     assertTrue(sourceCredentials instanceof UserCredentials);
@@ -234,15 +235,16 @@ public void fromJson_userAsSource_MissingDelegatesField() throws IOException {
             null,
             USER_ACCOUNT_CLIENT_ID,
             USER_ACCOUNT_CLIENT_SECRET,
-            REFRESH_TOKEN);
+            REFRESH_TOKEN,
+            IMMUTABLE_SCOPES_LIST);
     json.remove("delegates");
     ImpersonatedCredentials credentials =
         ImpersonatedCredentials.fromJson(json, mockTransportFactory);
     assertEquals(IMPERSONATED_CLIENT_EMAIL, credentials.getAccount());
     assertEquals(IMPERSONATION_OVERRIDE_URL, credentials.getIamEndpointOverride());
     assertNull(credentials.getQuotaProjectId());
     assertEquals(new ArrayList<String>(), credentials.getDelegates());
-    assertEquals(new ArrayList<String>(), credentials.getScopes());
+    assertEquals(IMMUTABLE_SCOPES_LIST, credentials.getScopes());
     assertEquals(3600, credentials.getLifetime());
     GoogleCredentials sourceCredentials = credentials.getSourceCredentials();
     assertTrue(sourceCredentials instanceof UserCredentials);
@@ -251,14 +253,15 @@ public void fromJson_userAsSource_MissingDelegatesField() throws IOException {
   @Test()
   public void fromJson_ServiceAccountAsSource() throws IOException {
     GenericJson json =
-        buildImpersonationCredentialsJson(IMPERSONATION_OVERRIDE_URL, DELEGATES, QUOTA_PROJECT_ID);
+        buildImpersonationCredentialsJson(
+            IMPERSONATION_OVERRIDE_URL, DELEGATES, QUOTA_PROJECT_ID, IMMUTABLE_SCOPES_LIST);
     ImpersonatedCredentials credentials =
         ImpersonatedCredentials.fromJson(json, mockTransportFactory);
     assertEquals(IMPERSONATED_CLIENT_EMAIL, credentials.getAccount());
     assertEquals(IMPERSONATION_OVERRIDE_URL, credentials.getIamEndpointOverride());
     assertEquals(QUOTA_PROJECT_ID, credentials.getQuotaProjectId());
     assertEquals(DELEGATES, credentials.getDelegates());
-    assertEquals(new ArrayList<String>(), credentials.getScopes());
+    assertEquals(IMMUTABLE_SCOPES_LIST, credentials.getScopes());
     assertEquals(3600, credentials.getLifetime());
     GoogleCredentials sourceCredentials = credentials.getSourceCredentials();
     assertTrue(sourceCredentials instanceof ServiceAccountCredentials);
@@ -481,18 +484,11 @@ public void credential_with_invalid_lifetime() throws IOException, IllegalStateE
 
   @Test()
   public void credential_with_invalid_scope() throws IOException, IllegalStateException {
-
-    try {
-      ImpersonatedCredentials targetCredentials =
-          ImpersonatedCredentials.create(
-              sourceCredentials, IMPERSONATED_CLIENT_EMAIL, null, null, VALID_LIFETIME);
-      targetCredentials.refreshAccessToken().getTokenValue();
-      fail(
-          String.format(
-              "Should throw exception with message containing '%s'", "Scopes cannot be null"));
-    } catch (IllegalStateException expected) {
-      assertTrue(expected.getMessage().contains("Scopes cannot be null"));
-    }
+    assertThrows(
+        NullPointerException.class,
+        () ->
+            ImpersonatedCredentials.create(
+                sourceCredentials, IMPERSONATED_CLIENT_EMAIL, null, null, VALID_LIFETIME));
   }
 
   @Test()
@@ -1221,6 +1217,42 @@ public void universeDomain_whenExplicit_AllowedIfMatchesSourceUD() throws IOExce
     assertTrue(impersonatedCredentials.isExplicitUniverseDomain());
   }
 
+  @Test
+  public void scopes_userConfigured() {
+    ImpersonatedCredentials impersonatedCredentials =
+        ImpersonatedCredentials.newBuilder().setScopes(IMMUTABLE_SCOPES_LIST).build();
+    assertArrayEquals(
+        IMMUTABLE_SCOPES_LIST.toArray(), impersonatedCredentials.getScopes().toArray());
+  }
+
+  @Test
+  public void scopes_fromJson() throws IOException {
+    ImpersonatedCredentials impersonatedCredentials =
+        ImpersonatedCredentials.fromJson(
+            buildImpersonationCredentialsJson(
+                DEFAULT_IMPERSONATION_URL, DELEGATES, null, IMMUTABLE_SCOPES_LIST),
+            mockTransportFactory);
+    assertArrayEquals(
+        IMMUTABLE_SCOPES_LIST.toArray(), impersonatedCredentials.getScopes().toArray());
+  }
+
+  // Tests that user configured scopes has precedence over the one in the json.
+  // From the ADC flow, the json is parsed and the credential is returned back
+  // to the user
+  @Test
+  public void scopes_userConfiguredAndFromJson() throws IOException {
+    List<String> userConfiguredScopes = ImmutableList.of("nonsense-scopes");
+    ImpersonatedCredentials impersonatedCredentials =
+        ImpersonatedCredentials.fromJson(
+            buildImpersonationCredentialsJson(
+                DEFAULT_IMPERSONATION_URL, DELEGATES, null, IMMUTABLE_SCOPES_LIST),
+            mockTransportFactory);
+    ImpersonatedCredentials newImpersonatedCredentials =
+        impersonatedCredentials.toBuilder().setScopes(userConfiguredScopes).build();
+    assertArrayEquals(
+        userConfiguredScopes.toArray(), newImpersonatedCredentials.getScopes().toArray());
+  }
+
   @Test
   public void hashCode_equals() throws IOException {
     mockTransportFactory.getTransport().setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
@@ -1333,7 +1365,8 @@ static GenericJson buildImpersonationCredentialsJson(
       String quotaProjectId,
       String sourceClientId,
       String sourceClientSecret,
-      String sourceRefreshToken) {
+      String sourceRefreshToken,
+      List<String> scopes) {
     GenericJson sourceJson = new GenericJson();
 
     sourceJson.put("client_id", sourceClientId);
@@ -1348,12 +1381,13 @@ static GenericJson buildImpersonationCredentialsJson(
       json.put("quota_project_id", quotaProjectId);
     }
     json.put("source_credentials", sourceJson);
+    json.put("scopes", scopes);
     json.put("type", "impersonated_service_account");
     return json;
   }
 
   static GenericJson buildImpersonationCredentialsJson(
-      String impersonationUrl, List<String> delegates, String quotaProjectId) {
+      String impersonationUrl, List<String> delegates, String quotaProjectId, List<String> scopes) {
     GenericJson sourceJson = new GenericJson();
     sourceJson.put("type", "service_account");
     sourceJson.put("project_id", PROJECT_ID);
@@ -1375,6 +1409,7 @@ static GenericJson buildImpersonationCredentialsJson(
     if (quotaProjectId != null) {
       json.put("quota_project_id", quotaProjectId);
     }
+    json.put("scopes", scopes);
     json.put("type", "impersonated_service_account");
     return json;
   }
@@ -1386,9 +1421,10 @@ static GenericJson buildInvalidCredentialsJson() {
   }
 
   static InputStream writeImpersonationCredentialsStream(
-      String impersonationUrl, List<String> delegates, String quotaProjectId) throws IOException {
+      String impersonationUrl, List<String> delegates, String quotaProjectId, List<String> scopes)
+      throws IOException {
     GenericJson json =
-        buildImpersonationCredentialsJson(impersonationUrl, delegates, quotaProjectId);
+        buildImpersonationCredentialsJson(impersonationUrl, delegates, quotaProjectId, scopes);
     return TestUtils.jsonToInputStream(json);
   }
 }