diff --git a/java-translate/google-cloud-translate/src/main/java/com/google/cloud/translate/testing/RemoteTranslateHelper.java b/java-translate/google-cloud-translate/src/main/java/com/google/cloud/translate/testing/RemoteTranslateHelper.java
index c5cec0dcf3cb..26b9f11c43b4 100644
--- a/java-translate/google-cloud-translate/src/main/java/com/google/cloud/translate/testing/RemoteTranslateHelper.java
+++ b/java-translate/google-cloud-translate/src/main/java/com/google/cloud/translate/testing/RemoteTranslateHelper.java
@@ -16,6 +16,7 @@
 package com.google.cloud.translate.testing;
+import com.google.api.core.ObsoleteApi;
 import com.google.api.gax.retrying.RetrySettings;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.cloud.http.HttpTransportOptions;
@@ -51,7 +52,27 @@ public TranslateOptions getOptions() {
 }
 /**
- * Creates a {@code RemoteTranslateHelper} object for the given project id and JSON key input
+ * This method is obsolete because of a potential security risk. Use the {@link #create(String,
+ * GoogleCredentials)} method instead.
+ *
+ *

If you know that you will be loading credential configurations of a specific type, it is
+ * recommended to use a credential-type-specific `fromStream()` method. This will ensure that an
+ * unexpected credential type with potential for malicious intent is not loaded unintentionally.
+ * You might still have to do validation for certain credential types. Please follow the
+ * recommendation for that method.
+ *
+ *

If you are loading your credential configuration from an untrusted source and have not
+ * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
+ * as possible to prevent security risks to your environment.
+ *
+ *

Regardless of the method used, it is always your responsibility to validate configurations
+ * received from external sources.
+ *
+ *

See the {@link documentation}
+ * for more details.
+ *
+ *

Creates a {@code RemoteTranslateHelper} object for the given project id and JSON key input
 * stream.
 *
 * @param projectId id of the project to be used for running the tests
@@ -60,20 +81,12 @@ public TranslateOptions getOptions() {
 * @throws com.google.cloud.translate.testing.RemoteTranslateHelper.TranslateHelperException if
 * {@code keyStream} is not a valid JSON key stream
 */
+ @ObsoleteApi(
+ "This method is obsolete because of a potential security risk. Use the create() variant with Credential parameter instead")
 public static RemoteTranslateHelper create(String projectId, InputStream keyStream)
 throws TranslateHelperException {
 try {
- HttpTransportOptions transportOptions = TranslateOptions.getDefaultHttpTransportOptions();
- transportOptions =
- transportOptions.toBuilder().setConnectTimeout(60000).setReadTimeout(60000).build();
- TranslateOptions translateOptions =
- TranslateOptions.newBuilder()
- .setCredentials(GoogleCredentials.fromStream(keyStream))
- .setProjectId(projectId)
- .setRetrySettings(retryParams())
- .setTransportOptions(transportOptions)
- .build();
- return new RemoteTranslateHelper(translateOptions);
+ return create(projectId, GoogleCredentials.fromStream(keyStream));
 } catch (IOException ex) {
 if (logger.isLoggable(Level.WARNING)) {
 logger.log(Level.WARNING, ex.getMessage());
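Review bot: The Javadoc added above create(String, InputStream) recommends "a credential-type-specific fromStream() method" in Markdown backticks, which Javadoc prints literally, and it never names a class to call. Writing it as `{@code ServiceAccountCredentials.fromStream(InputStream)}` (or a `{@link}` to it) would tell users of this test helper which loader is meant, assuming service-account keys are what these tests load. The original summary sentence ("Creates a {@code RemoteTranslateHelper} object …") now sits at the end of the comment, so the generated summary line becomes the obsolescence notice rather than a description of what the method does.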
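Review bot: The `@ObsoleteApi` message points callers to "the create() variant with Credential parameter", but the overload this commit adds takes `GoogleCredentials`; naming it exactly, e.g. `"... Use create(String, GoogleCredentials) instead"`, saves a search through the class. The wrapper still calls the generic `GoogleCredentials.fromStream(keyStream)`, so a caller that stays on this overload keeps loading whatever credential type the stream contains. A one-line comment above the new `return` saying that the delegation only removes duplication, and does not validate the stream, would keep it from reading as the fix. The method's catch block continues outside the hunk.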
@@ -82,6 +95,28 @@ public static RemoteTranslateHelper create(String projectId, InputStream keyStre
 }
 }
+ /**
+ * Creates a {@code RemoteTranslateHelper} object for the given project id and JSON key input
+ * stream.
+ *
+ * @param projectId id of the project to be used for running the tests
+ * @param credentials GoogleCredential to set to TranslateOptions
+ * @return A {@code RemoteTranslateHelper} object for the provided options
+ */
+ public static RemoteTranslateHelper create(String projectId, GoogleCredentials credentials) {
+ HttpTransportOptions transportOptions = TranslateOptions.getDefaultHttpTransportOptions();
+ transportOptions =
+ transportOptions.toBuilder().setConnectTimeout(60000).setReadTimeout(60000).build();
+ TranslateOptions translateOptions =
+ TranslateOptions.newBuilder()
+ .setCredentials(credentials)
+ .setProjectId(projectId)
+ .setRetrySettings(retryParams())
+ .setTransportOptions(transportOptions)
+ .build();
+ return new RemoteTranslateHelper(translateOptions);
+ }
+
 /**
 * Creates a {@code RemoteTranslateHelper} object for the given API key.
 *
diff --git a/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlNegativeTest.java b/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlNegativeTest.java
index 595c7cce06f0..822b69f420ec 100644
--- a/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlNegativeTest.java
+++ b/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlNegativeTest.java
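Review bot: The Javadoc on the new create(String, GoogleCredentials) was copied from the stream overload and still says "for the given project id and JSON key input stream", although this method never reads a stream. Suggested summary: `Creates a {@code RemoteTranslateHelper} object for the given project id and credentials.` Because this overload is the recommended replacement, the `@param credentials` line is also the place to state that the caller must build the credentials from a trusted configuration, for example with a credential-type-specific loader. Adding a second two-argument overload also makes a literal `create(projectId, null)` call ambiguous at compile time, which may deserve a line in the release notes.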
@@ -31,7 +31,6 @@
 import com.google.cloud.websecurityscanner.v1beta.WebSecurityScannerClient.ListScanConfigsPagedResponse;
 import com.google.cloud.websecurityscanner.v1beta.WebSecurityScannerSettings;
 import com.google.common.collect.Lists;
-import java.io.FileInputStream;
 import java.io.IOException;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
@@ -59,8 +58,6 @@ public class VPCServiceControlNegativeTest {
 private static final String IN_VPCSC_TEST = System.getenv(IN_VPCSC_GOOGLE_CLOUD_TEST_ENV);
 private static final String OUT_VPCSC_PROJECT = System.getenv(OUT_VPCSC_PROJECT_ENV);
 private static final String OUT_VPCSC_HOSTNAME = System.getenv(OUT_VPCSC_HOSTNAME_ENV);
- private static final String OUT_VPCSC_GOOGLE_CREDENTIAL =
- System.getenv(GOOGLE_CREDENTIAL_DEFAULT_ENV);
 private String testScanConfigCreationDisplayName;
@@ -88,7 +85,7 @@ public static void setUpClass() {
 GOOGLE_CREDENTIAL_DEFAULT_ENV
 + " must be set to google application credentials "
 + "that is outside VPCSC perimeter",
- isNotEmpty(OUT_VPCSC_GOOGLE_CREDENTIAL));
+ isNotEmpty(System.getenv(GOOGLE_CREDENTIAL_DEFAULT_ENV)));
 }
 @Before
@@ -101,7 +98,7 @@ public void setup() {
 private WebSecurityScannerSettings getWssSettingWithCredentials() throws IOException {
 GoogleCredentials credentials =
- GoogleCredentials.fromStream(new FileInputStream(OUT_VPCSC_GOOGLE_CREDENTIAL))
+ GoogleCredentials.getApplicationDefault()
 .createScoped(Lists.newArrayList(GOOGLE_API_CLOUD_PLATFORM_LINK));
 return WebSecurityScannerSettings.newBuilder()
 .setCredentialsProvider(FixedCredentialsProvider.create(credentials))
diff --git a/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlPositiveTest.java b/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlPositiveTest.java
index 363e6367163c..f1c8724a15c0 100644
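Review bot: In getWssSettingWithCredentials() the credentials now come from `GoogleCredentials.getApplicationDefault()`, while setUpClass() still only checks that the variable named by `GOOGLE_CREDENTIAL_DEFAULT_ENV` is non-empty; the two agree only if that constant names the variable ADC reads, and its value is not visible in these hunks. A short comment would make the coupling explicit, e.g. `// ADC resolves the key file from GOOGLE_CREDENTIAL_DEFAULT_ENV (required in setUpClass); it must name a trusted key outside the perimeter.` Application Default Credentials, as I understand it, load whichever credential type that file holds, so the type restriction recommended in RemoteTranslateHelper's Javadoc is not gained by this swap. The same points apply to the matching hunks in VPCServiceControlPositiveTest. Both methods continue outside their hunks.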
--- a/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlPositiveTest.java
+++ b/java-websecurityscanner/google-cloud-websecurityscanner/src/test/java/com/google/cloud/websecurityscanner/it/v1beta/VPCServiceControlPositiveTest.java
@@ -38,7 +38,6 @@
 import com.google.cloud.websecurityscanner.v1beta.WebSecurityScannerClient;
 import com.google.cloud.websecurityscanner.v1beta.WebSecurityScannerSettings;
 import com.google.common.collect.Lists;
-import java.io.FileInputStream;
 import java.io.IOException;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
@@ -64,8 +63,6 @@ public class VPCServiceControlPositiveTest {
 private static final String IN_VPCSC_TEST = System.getenv(IN_VPCSC_GOOGLE_CLOUD_TEST_ENV);
 private static final String IN_VPCSC_PROJECT = System.getenv(IN_VPCSC_PROJECT_ENV);
 private static final String IN_VPCSC_HOSTNAME = System.getenv(IN_VPCSC_HOSTNAME_ENV);
- private static final String IN_VPCSC_GOOGLE_CREDENTIAL =
- System.getenv(GOOGLE_CREDENTIAL_DEFAULT_ENV);
 private String test0DisplayName;
 private String test1DisplayName;
@@ -97,7 +94,7 @@ public static void setUpClass() {
 GOOGLE_CREDENTIAL_DEFAULT_ENV
 + " environment variable needs to be set to "
 + "google application credentials that resides inside VPCSC",
- isNotEmpty(IN_VPCSC_GOOGLE_CREDENTIAL));
+ isNotEmpty(System.getenv(GOOGLE_CREDENTIAL_DEFAULT_ENV)));
 }
 @Before
@@ -111,7 +108,7 @@ public void setUp() {
 private WebSecurityScannerSettings getWssSettingWithCredentials() throws IOException {
 GoogleCredentials credentials =
- GoogleCredentials.fromStream(new FileInputStream(IN_VPCSC_GOOGLE_CREDENTIAL))
+ GoogleCredentials.getApplicationDefault()
 .createScoped(Lists.newArrayList(GOOGLE_API_CLOUD_PLATFORM_LINK));
 return WebSecurityScannerSettings.newBuilder()
 .setCredentialsProvider(FixedCredentialsProvider.create(credentials))