External Account Initial Changes.

Author: vverman

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -55,6 +55,8 @@
 import java.util.Date;
 import java.util.Map;
 import java.util.Objects;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.annotation.Nullable;
 
 /**
@@ -75,12 +77,19 @@
  * }
  * </pre>
  */
-public class ExternalAccountAuthorizedUserCredentials extends GoogleCredentials {
+public class ExternalAccountAuthorizedUserCredentials extends GoogleCredentials
+    implements TrustBoundaryProvider {
 
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
 
   private static final long serialVersionUID = -2181779590486283287L;
 
+  private static final String WORKFORCE_POOL_URL_FORMAT =
+      "https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/%s/allowedLocations";
+  private static final Pattern WORKFORCE_PATTERN =
+      Pattern.compile(
+          "^//iam.googleapis.com/locations/(?<location>[^/]+)/workforcePools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
+
   private final String transportFactoryClassName;
   private final String audience;
   private final String tokenUrl;
@@ -210,10 +219,30 @@ public AccessToken refreshAccessToken() throws IOException {
       this.refreshToken = refreshToken;
     }
 
-    return AccessToken.newBuilder()
-        .setExpirationTime(expiresAtMilliseconds)
-        .setTokenValue(accessToken)
-        .build();
+    AccessToken newAccessToken =
+        AccessToken.newBuilder()
+            .setExpirationTime(expiresAtMilliseconds)
+            .setTokenValue(accessToken)
+            .build();
+
+    refreshTrustBoundaries(newAccessToken);
+    return newAccessToken;
+  }
+
+  @Override
+  public String getTrustBoundaryUrl() throws IOException {
+    Matcher matcher = WORKFORCE_PATTERN.matcher(getAudience());
+    if (!matcher.matches()) {
+      throw new IOException(
+          "The provided audience is not in the correct format for a workforce pool.");
+    }
+    String poolId = matcher.group("pool");
+    return String.format(WORKFORCE_POOL_URL_FORMAT, poolId);
+  }
+
+  @Override
+  public HttpTransportFactory getTransportFactory() {
+    return transportFactory;
   }
 
   @Nullable

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -55,6 +55,7 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.concurrent.Executor;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.annotation.Nullable;
 
@@ -64,7 +65,8 @@
  * <p>Handles initializing external credentials, calls to the Security Token Service, and service
  * account impersonation.
  */
-public abstract class ExternalAccountCredentials extends GoogleCredentials {
+public abstract class ExternalAccountCredentials extends GoogleCredentials
+    implements TrustBoundaryProvider {
 
   private static final long serialVersionUID = 8049126194174465023L;
 
@@ -98,6 +100,18 @@ public abstract class ExternalAccountCredentials extends GoogleCredentials {
 
   private EnvironmentProvider environmentProvider;
 
+  private static final String WORKFORCE_POOL_URL_FORMAT =
+      "https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/%s/allowedLocations";
+  private static final String WORKLOAD_POOL_URL_FORMAT =
+      "https://iamcredentials.googleapis.com/v1/projects/%s/locations/global/workloadIdentityPools/%s/allowedLocations";
+
+  private static final Pattern WORKFORCE_PATTERN =
+      Pattern.compile(
+          "^//iam.googleapis.com/locations/(?<location>[^/]+)/workforcePools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
+  private static final Pattern WORKLOAD_PATTERN =
+      Pattern.compile(
+          "^//iam.googleapis.com/projects/(?<project>[^/]+)/locations/(?<location>[^/]+)/workloadIdentityPools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
+
   /**
    * Constructor with minimum identifying information and custom HTTP transport. Does not support
    * workforce credentials.
@@ -527,7 +541,11 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
       this.impersonatedCredentials = this.buildImpersonatedCredentials();
     }
     if (this.impersonatedCredentials != null) {
-      return this.impersonatedCredentials.refreshAccessToken();
+      AccessToken accessToken = this.impersonatedCredentials.refreshAccessToken();
+      // After the impersonated credential refreshes, its trust boundary is
+      // also refreshed. We need to get the refreshed trust boundary.
+      setTrustBoundary(this.impersonatedCredentials.getTrustBoundary());
+      return accessToken;
     }
 
     StsRequestHandler.Builder requestHandler =
@@ -556,7 +574,9 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
     }
 
     StsTokenExchangeResponse response = requestHandler.build().exchangeToken();
-    return response.getAccessToken();
+    AccessToken accessToken = response.getAccessToken();
+    refreshTrustBoundaries(accessToken);
+    return accessToken;
   }
 
   /**
@@ -613,6 +633,34 @@ public String getServiceAccountEmail() {
     return ImpersonatedCredentials.extractTargetPrincipal(serviceAccountImpersonationUrl);
   }
 
+  // todo Add doc comment.
+  @Override
+  public String getTrustBoundaryUrl() throws IOException {
+    if (isWorkforcePoolConfiguration()) {
+      Matcher matcher = WORKFORCE_PATTERN.matcher(getAudience());
+      if (!matcher.matches()) {
+        throw new IOException(
+            "The provided audience is not in the correct format for a workforce pool.");
+      }
+      String poolId = matcher.group("pool");
+      return String.format(WORKFORCE_POOL_URL_FORMAT, poolId);
+    } else {
+      Matcher matcher = WORKLOAD_PATTERN.matcher(getAudience());
+      if (!matcher.matches()) {
+        throw new IOException(
+            "The provided audience is not in the correct format for a workload identity pool.");
+      }
+      String projectNumber = matcher.group("project");
+      String poolId = matcher.group("pool");
+      return String.format(WORKLOAD_POOL_URL_FORMAT, projectNumber, poolId);
+    }
+  }
+
+  @Override
+  public HttpTransportFactory getTransportFactory() {
+    return transportFactory;
+  }
+
   @Nullable
   public String getClientId() {
     return clientId;

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -339,6 +339,10 @@ TrustBoundary getTrustBoundary() {
     return trustBoundary;
   }
 
+  protected void setTrustBoundary(TrustBoundary trustBoundary) {
+    this.trustBoundary = trustBoundary;
+  }
+
   /**
    * Refreshes the trust boundary by making a call to the trust boundary URL.
    *

oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java

@@ -1399,4 +1399,106 @@ public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext cont
       return credentials;
     }
   }
+
+  //  @Test
+  //  public void testRefresh_trustBoundarySuccess() throws IOException {
+  //      TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+  //      TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+  //      environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+  //
+  //    MockHttpTransport mockHttpTransport =
+  //        new MockHttpTransport.Builder()
+  //            // AWS region call
+  //            .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent("us-east-1a"))
+  //            // AWS IAM role name call
+  //            .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent("roleName"))
+  //            // AWS credentials call
+  //            .setLowLevelHttpResponse(
+  //                new MockLowLevelHttpResponse()
+  //                    .setContent(
+  //
+  // "{\"Code\":\"Success\",\"AccessKeyId\":\"accessKeyId\",\"SecretAccessKey\":\"secretAccessKey\",\"Token\":\"token\"}"))
+  //            // STS token call
+  //            .setLowLevelHttpResponse(
+  //                new MockLowLevelHttpResponse()
+  //                    .setContentType(Json.MEDIA_TYPE)
+  //                    .setContent(
+  //                        String.format(
+  //                            "{\"access_token\": \"%s\", \"expires_in\": %s, \"token_type\":
+  // \"Bearer\"}",
+  //                            "sts_access_token", 3600)))
+  //            // Trust boundary call
+  //            .setLowLevelHttpResponse(
+  //                new MockLowLevelHttpResponse()
+  //                    .setContentType(Json.MEDIA_TYPE)
+  //                    .setContent(
+  //                        "{\"locations\": [\"us-central1\"], \"encodedLocations\": \"0x1\"}"))
+  //            .build();
+  //
+  //    AwsCredentials credentials =
+  //        AwsCredentials.newBuilder()
+  //            .setHttpTransportFactory(() -> mockHttpTransport)
+  //            .setAudience(
+  //
+  // "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
+  //            .setSubjectTokenType("subjectTokenType")
+  //            .setTokenUrl(STS_URL)
+  //            .setCredentialSource(AWS_CREDENTIAL_SOURCE)
+  //            .build();
+  //
+  //    credentials.refresh();
+  //
+  //    TrustBoundary trustBoundary = credentials.getTrustBoundary();
+  //    assertNotNull(trustBoundary);
+  //    assertEquals("0x1", trustBoundary.getEncodedLocations());
+  //  }
+  //
+  //  @Test
+  //  public void testRefresh_trustBoundaryFails() throws IOException {
+  //      TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+  //      TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+  //      environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+  //
+  //    MockHttpTransport mockHttpTransport =
+  //        new MockHttpTransport.Builder()
+  //            .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent("us-east-1a"))
+  //            .setLowLevelHttpResponse(new MockLowLevelHttpResponse().setContent("roleName"))
+  //            .setLowLevelHttpResponse(
+  //                new MockLowLevelHttpResponse()
+  //                    .setContent(
+  //
+  // "{\"Code\":\"Success\",\"AccessKeyId\":\"accessKeyId\",\"SecretAccessKey\":\"secretAccessKey\",\"Token\":\"token\"}"))
+  //            .setLowLevelHttpResponse(
+  //                new MockLowLevelHttpResponse()
+  //                    .setContentType(Json.MEDIA_TYPE)
+  //                    .setContent(
+  //                        String.format(
+  //                            "{\"access_token\": \"%s\", \"expires_in\": %s, \"token_type\":
+  // \"Bearer\"}",
+  //                            "sts_access_token", 3600)))
+  //            .setLowLevelHttpResponse(
+  //                new MockLowLevelHttpResponse()
+  //                    .setStatusCode(404)
+  //                    .setContent("{\"error\": \"not found\"}"))
+  //            .build();
+  //
+  //    AwsCredentials credentials =
+  //        AwsCredentials.newBuilder()
+  //            .setHttpTransportFactory(() -> mockHttpTransport)
+  //            .setAudience(
+  //
+  // "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
+  //            .setSubjectTokenType("subjectTokenType")
+  //            .setTokenUrl(STS_URL)
+  //            .setCredentialSource(AWS_CREDENTIAL_SOURCE)
+  //            .build();
+  //
+  //    try {
+  //      credentials.refresh();
+  //      fail("Expected IOException to be thrown.");
+  //    } catch (IOException e) {
+  //      assertEquals(
+  //          "Failed to refresh trust boundary and no cached value is available.", e.getMessage());
+  //    }
+  //  }
 }