Remove certificate caching from x509 provider.

Author: nbayati

oauth2_http/java/com/google/auth/mtls/X509Provider.java

@@ -52,7 +52,6 @@ public class X509Provider {
   static final String CERTIFICATE_CONFIGURATION_ENV_VARIABLE = "GOOGLE_API_CERTIFICATE_CONFIG";
   static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
   static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
-  private WorkloadCertificateConfiguration loadedConfig;
 
   private final String certConfigPathOverride;
 
@@ -90,12 +89,7 @@ public X509Provider() {
    * @throws CertificateSourceUnavailableException if the configuration file is not found.
    */
   public String getCertificatePath() throws IOException {
-    if (loadedConfig == null) {
-      // Attempt to load the configuration. This call might throw IOException or
-      // CertificateSourceUnavailableException if loading fails.
-      loadedConfig = getWorkloadCertificateConfiguration();
-    }
-    String certPath = loadedConfig.getCertPath();
+    String certPath = getWorkloadCertificateConfiguration().getCertPath();
     if (Strings.isNullOrEmpty(certPath)) {
       // Ensure the loaded configuration actually contains the required path.
       throw new CertificateSourceUnavailableException(
@@ -119,17 +113,14 @@ public String getCertificatePath() throws IOException {
    * @throws IOException if there is an error retrieving the certificate configuration.
    */
   public KeyStore getKeyStore() throws IOException {
-    if (loadedConfig == null) {
-      loadedConfig = getWorkloadCertificateConfiguration();
-    }
-
+    WorkloadCertificateConfiguration workloadCertConfig = getWorkloadCertificateConfiguration();
     InputStream certStream = null;
     InputStream privateKeyStream = null;
     SequenceInputStream certAndPrivateKeyStream = null;
     try {
       // Read the certificate and private key file paths into separate streams.
-      File certFile = new File(loadedConfig.getCertPath());
-      File privateKeyFile = new File(loadedConfig.getPrivateKeyPath());
+      File certFile = new File(workloadCertConfig.getCertPath());
+      File privateKeyFile = new File(workloadCertConfig.getPrivateKeyPath());
       certStream = createInputStream(certFile);
       privateKeyStream = createInputStream(privateKeyFile);
 

oauth2_http/java/com/google/auth/oauth2/CertificateIdentityPoolSubjectTokenSupplier.java

@@ -34,9 +34,6 @@
 import static com.google.common.base.Preconditions.checkNotNull;
 
 import com.google.common.annotations.VisibleForTesting;
-import com.google.gson.Gson;
-import com.google.gson.JsonArray;
-import com.google.gson.JsonPrimitive;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -49,15 +46,14 @@
 import java.util.Base64;
 
 /**
- * Provider for retrieving subject tokens for {@link IdentityPoolCredentials} by reading an X.509
- * certificate from the filesystem. The certificate file (e.g., PEM or DER encoded) is read, the
- * leaf certificate is base64-encoded (DER format), wrapped in a JSON array, and used as the subject
- * token for STS exchange.
+ * Provider for retrieving the subject tokens for {@link IdentityPoolCredentials} by reading an
+ * X.509 certificate from the filesystem. The certificate file (e.g., PEM or DER encoded) is read,
+ * the leaf certificate is base64-encoded (DER format), wrapped in a JSON array, and used as the
+ * subject token for STS exchange.
  */
 public class CertificateIdentityPoolSubjectTokenSupplier
     implements IdentityPoolSubjectTokenSupplier {
 
-  private static final Gson GSON = new Gson();
   private final IdentityPoolCredentialSource credentialSource;
 
   CertificateIdentityPoolSubjectTokenSupplier(IdentityPoolCredentialSource credentialSource) {
@@ -118,10 +114,10 @@ public String getSubjectToken(ExternalAccountSupplierContext context) throws IOE
       X509Certificate leafCert = loadLeafCertificate(credentialSource.getCredentialLocation());
       String encodedLeafCert = encodeCert(leafCert);
 
-      JsonArray certChain = new JsonArray();
-      certChain.add(new JsonPrimitive(encodedLeafCert));
+      java.util.List<String> certChain = new java.util.ArrayList<>();
+      certChain.add(encodedLeafCert);
 
-      return GSON.toJson(certChain);
+      return OAuth2Utils.JSON_FACTORY.toString(certChain);
     } catch (CertificateException e) {
       // Catch CertificateException to provide a more specific error message including
       // the path of the file that failed to parse, and re-throw as IOException

oauth2_http/java/com/google/auth/oauth2/FileIdentityPoolSubjectTokenSupplier.java

@@ -46,8 +46,8 @@
 import java.nio.file.Paths;
 
 /**
- * Internal provider for retrieving subject tokens for {@link IdentityPoolCredentials} to exchange
- * for GCP access tokens via a local file.
+ * Internal provider for retrieving the subject tokens for {@link IdentityPoolCredentials} to
+ * exchange for GCP access tokens via a local file.
  */
 class FileIdentityPoolSubjectTokenSupplier implements IdentityPoolSubjectTokenSupplier {
 

oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java

@@ -93,7 +93,16 @@ public class IdentityPoolCredentials extends ExternalAccountCredentials {
       this.metricsHeaderValue = URL_METRICS_HEADER_VALUE;
     } else if (credentialSource.credentialSourceType
         == IdentityPoolCredentialSourceType.CERTIFICATE) {
-      this.subjectTokenSupplier = createCertificateSubjectTokenSupplier(builder, credentialSource);
+      try {
+        this.subjectTokenSupplier =
+            createCertificateSubjectTokenSupplier(builder, credentialSource);
+      } catch (IOException e) {
+        throw new RuntimeException(
+            // Wrap IOException in RuntimeException because constructors cannot throw checked
+            // exceptions.
+            "Failed to initialize IdentityPoolCredentials from certificate source due to an I/O error.",
+            e);
+      }
       this.metricsHeaderValue = CERTIFICATE_METRICS_HEADER_VALUE;
     } else {
       throw new IllegalArgumentException("Source type not supported.");
@@ -145,24 +154,15 @@ public static Builder newBuilder(IdentityPoolCredentials identityPoolCredentials
   }
 
   private IdentityPoolSubjectTokenSupplier createCertificateSubjectTokenSupplier(
-      Builder builder, IdentityPoolCredentialSource credentialSource) {
-    try {
-      // Configure the mTLS transport with the x509 keystore.
-      X509Provider x509Provider = getX509Provider(builder, credentialSource);
-      KeyStore mtlsKeyStore = x509Provider.getKeyStore();
-      this.transportFactory = new MtlsHttpTransportFactory(mtlsKeyStore);
-
-      // Initialize the subject token supplier with the certificate path.
-      credentialSource.setCredentialLocation(x509Provider.getCertificatePath());
-      return new CertificateIdentityPoolSubjectTokenSupplier(credentialSource);
-
-    } catch (IOException e) {
-      throw new RuntimeException(
-          // Wrap IOException in RuntimeException because constructors cannot throw checked
-          // exceptions.
-          "Failed to initialize IdentityPoolCredentials from certificate source due to an I/O error.",
-          e);
-    }
+      Builder builder, IdentityPoolCredentialSource credentialSource) throws IOException {
+    // Configure the mTLS transport with the x509 keystore.
+    X509Provider x509Provider = getX509Provider(builder, credentialSource);
+    KeyStore mtlsKeyStore = x509Provider.getKeyStore();
+    this.transportFactory = new MtlsHttpTransportFactory(mtlsKeyStore);
+
+    // Initialize the subject token supplier with the certificate path.
+    credentialSource.setCredentialLocation(x509Provider.getCertificatePath());
+    return new CertificateIdentityPoolSubjectTokenSupplier(credentialSource);
   }
 
   private X509Provider getX509Provider(

oauth2_http/java/com/google/auth/oauth2/IdentityPoolSubjectTokenSupplier.java

@@ -36,8 +36,8 @@
 
 @FunctionalInterface
 /**
- * Provider for retrieving subject tokens for {@Link IdentityPoolCredentials} to exchange for GCP
- * access tokens.
+ * Provider for retrieving the subject tokens for {@Link IdentityPoolCredentials} to exchange for
+ * GCP access tokens.
  */
 public interface IdentityPoolSubjectTokenSupplier extends Serializable {
 

oauth2_http/java/com/google/auth/oauth2/UrlIdentityPoolSubjectTokenSupplier.java

@@ -42,8 +42,8 @@
 import java.io.IOException;
 
 /**
- * Provider for retrieving subject tokens for {@link IdentityPoolCredentials} to exchange for GCP
- * access tokens. The subject token is retrieved by calling a URL that returns the token.
+ * Provider for retrieving the subject tokens for {@link IdentityPoolCredentials} to exchange for
+ * GCP access tokens. The subject token is retrieved by calling a URL that returns the token.
  */
 class UrlIdentityPoolSubjectTokenSupplier implements IdentityPoolSubjectTokenSupplier {
 

oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java

@@ -1088,7 +1088,8 @@ public void build_withCertificateSourceAndCustomX509Provider_success()
   public void build_withDefaultCertificate_throwsOnTransportInitFailure() {
     // Setup credential source to use default certificate config.
     Map<String, Object> certificateMap = new HashMap<>();
-    certificateMap.put("use_default_certificate_config", true);
+    certificateMap.put("use_default_certificate_config", false);
+    certificateMap.put("certificate_config_location", "/non/existing/path/to/certificate.json");
     Map<String, Object> credentialSourceMap = new HashMap<>();
     credentialSourceMap.put("certificate", certificateMap);
     IdentityPoolCredentialSource credentialSource =