Added tests for ExternalAccountCredentials trust boundary. Added comments regarding a separate mock for trust boundary.

Author: vverman

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -225,7 +225,7 @@ public AccessToken refreshAccessToken() throws IOException {
             .setTokenValue(accessToken)
             .build();
 
-    refreshTrustBoundaries(newAccessToken);
+    refreshTrustBoundary(newAccessToken, transportFactory);
     return newAccessToken;
   }
 
@@ -240,11 +240,6 @@ public String getTrustBoundaryUrl() throws IOException {
     return String.format(WORKFORCE_POOL_URL_FORMAT, poolId);
   }
 
-  @Override
-  public HttpTransportFactory getTransportFactory() {
-    return transportFactory;
-  }
-
   @Nullable
   public String getAudience() {
     return audience;

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -543,7 +543,7 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
     if (this.impersonatedCredentials != null) {
       AccessToken accessToken = this.impersonatedCredentials.refreshAccessToken();
       // After the impersonated credential refreshes, its trust boundary is
-      // also refreshed. We need to get the refreshed trust boundary.
+      // also refreshed. That is the trust boundary we will use.
       setTrustBoundary(this.impersonatedCredentials.getTrustBoundary());
       return accessToken;
     }
@@ -575,7 +575,7 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
 
     StsTokenExchangeResponse response = requestHandler.build().exchangeToken();
     AccessToken accessToken = response.getAccessToken();
-    refreshTrustBoundaries(accessToken);
+    refreshTrustBoundary(accessToken, transportFactory);
     return accessToken;
   }
 
@@ -656,11 +656,6 @@ public String getTrustBoundaryUrl() throws IOException {
     }
   }
 
-  @Override
-  public HttpTransportFactory getTransportFactory() {
-    return transportFactory;
-  }
-
   @Nullable
   public String getClientId() {
     return clientId;

oauth2_http/java/com/google/auth/oauth2/TrustBoundary.java

@@ -184,9 +184,7 @@ static TrustBoundary refresh(
 
     // Add the cached trust boundary header, if available.
     if (cachedTrustBoundary != null) {
-      String headerValue =
-          cachedTrustBoundary.isNoOp() ? "" : cachedTrustBoundary.getEncodedLocations();
-      request.getHeaders().set(TRUST_BOUNDARY_KEY, headerValue);
+      request.getHeaders().set(TRUST_BOUNDARY_KEY, cachedTrustBoundary.getEncodedLocations());
     }
 
     // Add retry logic

oauth2_http/javatests/com/google/auth/TestUtils.java

@@ -42,6 +42,7 @@
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.auth.http.AuthHttpConstants;
 import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Lists;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -64,6 +65,9 @@ public class TestUtils {
       URI.create("https://auth.cloud.google/authorize");
   public static final URI WORKFORCE_IDENTITY_FEDERATION_TOKEN_SERVER_URI =
       URI.create("https://sts.googleapis.com/v1/oauthtoken");
+  public static final String TRUST_BOUNDARY_ENCODED_LOCATION = "0x800000";
+  public static final List<String> TRUST_BOUNDARY_LOCATIONS =
+      ImmutableList.of("us-central1", "us-central2");
 
   private static final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
 

oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java

@@ -40,11 +40,8 @@
 import static org.junit.Assert.fail;
 
 import com.google.api.client.json.GenericJson;
-import com.google.api.client.json.Json;
 import com.google.api.client.json.JsonParser;
-import com.google.api.client.testing.http.MockHttpTransport;
 import com.google.api.client.testing.http.MockLowLevelHttpRequest;
-import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.api.client.util.Clock;
 import com.google.auth.TestUtils;
 import com.google.auth.oauth2.ExternalAccountCredentialsTest.MockExternalAccountCredentialsTransportFactory;
@@ -1403,8 +1400,8 @@ public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext cont
     }
   }
 
-    @Test
-    public void testRefresh_trustBoundarySuccess() throws IOException {
+  @Test
+  public void testRefresh_trustBoundarySuccess() throws IOException {
     TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
     TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
     environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");

oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java

@@ -33,6 +33,7 @@
 
 import static com.google.auth.oauth2.ComputeEngineCredentials.METADATA_RESPONSE_EMPTY_CONTENT_ERROR_MESSAGE;
 import static com.google.auth.oauth2.ImpersonatedCredentialsTest.SA_CLIENT_EMAIL;
+import static com.google.auth.oauth2.TrustBoundary.TRUST_BOUNDARY_KEY;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -1159,15 +1160,17 @@ public void refresh_trustBoundarySuccess() throws IOException {
     String defaultAccountEmail = "[email protected]";
     MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
     TrustBoundary trustBoundary =
-        new TrustBoundary("0x80000", Collections.singletonList("us-central1"));
+        new TrustBoundary(
+            TestUtils.TRUST_BOUNDARY_ENCODED_LOCATION, TestUtils.TRUST_BOUNDARY_LOCATIONS);
     transportFactory.transport.setTrustBoundary(trustBoundary);
     transportFactory.transport.setServiceAccountEmail(defaultAccountEmail);
 
     ComputeEngineCredentials credentials =
         ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
 
     Map<String, List<String>> headers = credentials.getRequestMetadata();
-    assertEquals(headers.get("x-allowed-locations"), Arrays.asList("0x80000"));
+    assertEquals(
+        headers.get(TRUST_BOUNDARY_KEY), Arrays.asList(TestUtils.TRUST_BOUNDARY_ENCODED_LOCATION));
   }
 
   @Test

oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentialsTest.java

@@ -36,10 +36,7 @@
 
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.json.GenericJson;
-import com.google.api.client.json.Json;
-import com.google.api.client.testing.http.MockHttpTransport;
 import com.google.api.client.testing.http.MockLowLevelHttpRequest;
-import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.api.client.util.Clock;
 import com.google.auth.TestUtils;
 import com.google.auth.http.AuthHttpConstants;
@@ -1244,26 +1241,27 @@ public void testRefresh_trustBoundarySuccess() throws IOException {
 
   @Test
   public void testRefresh_trustBoundaryFails_incorrectAudience() throws IOException {
-      TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
-      TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
-      environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
-
-      ExternalAccountAuthorizedUserCredentials credentials =
-              ExternalAccountAuthorizedUserCredentials.newBuilder()
-                      .setHttpTransportFactory(transportFactory)
-                      .setAudience("audience")
-                      .setClientId(CLIENT_ID)
-                      .setClientSecret(CLIENT_SECRET)
-                      .setRefreshToken(REFRESH_TOKEN)
-                      .setTokenUrl(TOKEN_URL)
-                      .build();
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+
+    ExternalAccountAuthorizedUserCredentials credentials =
+        ExternalAccountAuthorizedUserCredentials.newBuilder()
+            .setHttpTransportFactory(transportFactory)
+            .setAudience("audience")
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .setTokenUrl(TOKEN_URL)
+            .build();
 
     try {
       credentials.refresh();
       fail("Expected IOException to be thrown.");
     } catch (IOException e) {
       assertEquals(
-          "Failed to refresh trust boundary and no cached value is available.", e.getMessage());
+          "The provided audience is not in the correct format for a workforce pool.",
+          e.getMessage());
     }
   }