fix: Migrate away from GoogleCredentials.fromStream() usages (#11765)

lqiu96 · web-flow · commit 6498808675d0 · 2025-10-08T21:07:27.000Z
See b/437991832 for more information
diff --git a/java-translate/google-cloud-translate/src/main/java/com/google/cloud/translate/testing/RemoteTranslateHelper.java b/java-translate/google-cloud-translate/src/main/java/com/google/cloud/translate/testing/RemoteTranslateHelper.java
@@ -16,6 +16,7 @@
 
 package com.google.cloud.translate.testing;
 
+import com.google.api.core.ObsoleteApi;
 import com.google.api.gax.retrying.RetrySettings;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.cloud.http.HttpTransportOptions;
@@ -51,7 +52,27 @@ public TranslateOptions getOptions() {
   }
 
   /**
-   * Creates a {@code RemoteTranslateHelper} object for the given project id and JSON key input
+   * This method is obsolete because of a potential security risk. Use the {@link #create(String,
+   * GoogleCredentials)} method instead.
+   *
+   * <p>If you know that you will be loading credential configurations of a specific type, it is
+   * recommended to use a credential-type-specific `fromStream()` method. This will ensure that an
+   * unexpected credential type with potential for malicious intent is not loaded unintentionally.
+   * You might still have to do validation for certain credential types. Please follow the
+   * recommendation for that method.
+   *
+   * <p>If you are loading your credential configuration from an untrusted source and have not
+   * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
+   * as possible to prevent security risks to your environment.
+   *
+   * <p>Regardless of the method used, it is always your responsibility to validate configurations
+   * received from external sources.
+   *
+   * <p>See the {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}
+   * for more details.
+   *
+   * <p>Creates a {@code RemoteTranslateHelper} object for the given project id and JSON key input
    * stream.
    *
    * @param projectId id of the project to be used for running the tests
@@ -60,20 +81,12 @@ public TranslateOptions getOptions() {
    * @throws com.google.cloud.translate.testing.RemoteTranslateHelper.TranslateHelperException if
    *     {@code keyStream} is not a valid JSON key stream
    */
+  @ObsoleteApi(
+      "This method is obsolete because of a potential security risk. Use the create() variant with Credential parameter instead")
   public static RemoteTranslateHelper create(String projectId, InputStream keyStream)
       throws TranslateHelperException {
     try {
-      HttpTransportOptions transportOptions = TranslateOptions.getDefaultHttpTransportOptions();
-      transportOptions =
-          transportOptions.toBuilder().setConnectTimeout(60000).setReadTimeout(60000).build();
-      TranslateOptions translateOptions =
-          TranslateOptions.newBuilder()
-              .setCredentials(GoogleCredentials.fromStream(keyStream))
-              .setProjectId(projectId)
-              .setRetrySettings(retryParams())
-              .setTransportOptions(transportOptions)
-              .build();
-      return new RemoteTranslateHelper(translateOptions);
+      return create(projectId, GoogleCredentials.fromStream(keyStream));
     } catch (IOException ex) {
       if (logger.isLoggable(Level.WARNING)) {
         logger.log(Level.WARNING, ex.getMessage());
@@ -82,6 +95,28 @@ public static RemoteTranslateHelper create(String projectId, InputStream keyStre
     }
   }
 
+  /**
+   * Creates a {@code RemoteTranslateHelper} object for the given project id and JSON key input
+   * stream.
+   *
+   * @param projectId id of the project to be used for running the tests
+   * @param credentials GoogleCredential to set to TranslateOptions
+   * @return A {@code RemoteTranslateHelper} object for the provided options
+   */
+  public static RemoteTranslateHelper create(String projectId, GoogleCredentials credentials) {
+    HttpTransportOptions transportOptions = TranslateOptions.getDefaultHttpTransportOptions();
+    transportOptions =
+        transportOptions.toBuilder().setConnectTimeout(60000).setReadTimeout(60000).build();
+    TranslateOptions translateOptions =
+        TranslateOptions.newBuilder()
+            .setCredentials(credentials)
+            .setProjectId(projectId)
+            .setRetrySettings(retryParams())
+            .setTransportOptions(transportOptions)
+            .build();
+    return new RemoteTranslateHelper(translateOptions);
+  }
+
   /**
    * Creates a {@code RemoteTranslateHelper} object for the given API key.
    *
diff --git a/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlNegativeTest.java b/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlNegativeTest.java
@@ -31,7 +31,6 @@
 import com.google.cloud.websecurityscanner.v1beta.WebSecurityScannerClient.ListScanConfigsPagedResponse;
 import com.google.cloud.websecurityscanner.v1beta.WebSecurityScannerSettings;
 import com.google.common.collect.Lists;
-import java.io.FileInputStream;
 import java.io.IOException;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
@@ -59,8 +58,6 @@ public class VPCServiceControlNegativeTest {
   private static final String IN_VPCSC_TEST = System.getenv(IN_VPCSC_GOOGLE_CLOUD_TEST_ENV);
   private static final String OUT_VPCSC_PROJECT = System.getenv(OUT_VPCSC_PROJECT_ENV);
   private static final String OUT_VPCSC_HOSTNAME = System.getenv(OUT_VPCSC_HOSTNAME_ENV);
-  private static final String OUT_VPCSC_GOOGLE_CREDENTIAL =
-      System.getenv(GOOGLE_CREDENTIAL_DEFAULT_ENV);
 
   private String testScanConfigCreationDisplayName;
 
@@ -88,7 +85,7 @@ public static void setUpClass() {
         GOOGLE_CREDENTIAL_DEFAULT_ENV
             + " must be set to google application credentials "
             + "that is outside VPCSC perimeter",
-        isNotEmpty(OUT_VPCSC_GOOGLE_CREDENTIAL));
+        isNotEmpty(System.getenv(GOOGLE_CREDENTIAL_DEFAULT_ENV)));
   }
 
   @Before
@@ -101,7 +98,7 @@ public void setup() {
 
   private WebSecurityScannerSettings getWssSettingWithCredentials() throws IOException {
     GoogleCredentials credentials =
-        GoogleCredentials.fromStream(new FileInputStream(OUT_VPCSC_GOOGLE_CREDENTIAL))
+        GoogleCredentials.getApplicationDefault()
             .createScoped(Lists.newArrayList(GOOGLE_API_CLOUD_PLATFORM_LINK));
     return WebSecurityScannerSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(credentials))
diff --git a/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlPositiveTest.java b/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlPositiveTest.java
@@ -38,7 +38,6 @@
 import com.google.cloud.websecurityscanner.v1beta.WebSecurityScannerClient;
 import com.google.cloud.websecurityscanner.v1beta.WebSecurityScannerSettings;
 import com.google.common.collect.Lists;
-import java.io.FileInputStream;
 import java.io.IOException;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
@@ -64,8 +63,6 @@ public class VPCServiceControlPositiveTest {
   private static final String IN_VPCSC_TEST = System.getenv(IN_VPCSC_GOOGLE_CLOUD_TEST_ENV);
   private static final String IN_VPCSC_PROJECT = System.getenv(IN_VPCSC_PROJECT_ENV);
   private static final String IN_VPCSC_HOSTNAME = System.getenv(IN_VPCSC_HOSTNAME_ENV);
-  private static final String IN_VPCSC_GOOGLE_CREDENTIAL =
-      System.getenv(GOOGLE_CREDENTIAL_DEFAULT_ENV);
 
   private String test0DisplayName;
   private String test1DisplayName;
@@ -97,7 +94,7 @@ public static void setUpClass() {
         GOOGLE_CREDENTIAL_DEFAULT_ENV
             + " environment variable needs to be set to "
             + "google application credentials that resides inside VPCSC",
-        isNotEmpty(IN_VPCSC_GOOGLE_CREDENTIAL));
+        isNotEmpty(System.getenv(GOOGLE_CREDENTIAL_DEFAULT_ENV)));
   }
 
   @Before
@@ -111,7 +108,7 @@ public void setUp() {
 
   private WebSecurityScannerSettings getWssSettingWithCredentials() throws IOException {
     GoogleCredentials credentials =
-        GoogleCredentials.fromStream(new FileInputStream(IN_VPCSC_GOOGLE_CREDENTIAL))
+        GoogleCredentials.getApplicationDefault()
             .createScoped(Lists.newArrayList(GOOGLE_API_CLOUD_PLATFORM_LINK));
     return WebSecurityScannerSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(credentials))
