feat: adds universe domain support for compute credentials (#1346)

* feat: adds universe domain suppor for compute credentials * fix: make universe domain field access synchronized * fix: more tests for getUniverseDomain and updates to metadata mock * fix: new create() signature with universe_domain and more tests Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: Timur Sadykov

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -41,11 +41,13 @@
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
+import com.google.auth.Credentials;
+import com.google.auth.Retryable;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Joiner;
-import com.google.common.base.MoreObjects;
+import com.google.common.base.MoreObjects.ToStringHelper;
 import com.google.common.collect.ImmutableSet;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.io.BufferedReader;
@@ -79,12 +81,12 @@ public class ComputeEngineCredentials extends GoogleCredentials
  implements ServiceAccountSigner, IdTokenProvider {
 
  // Decrease timing margins on GCE.
- // This is needed because GCE VMs maintain their own OAuth cache that expires T-5mins, attempting
+ // This is needed because GCE VMs maintain their own OAuth cache that expires T-4 mins, attempting
  // to refresh a token before then, will yield the same stale token. To enable pre-emptive
  // refreshes, the margins must be shortened. This shouldn't cause problems since the clock skew
  // on the VM and metadata proxy should be non-existent.
  static final Duration COMPUTE_EXPIRATION_MARGIN = Duration.ofMinutes(3);
- static final Duration COMPUTE_REFRESH_MARGIN = Duration.ofMinutes(4);
+ static final Duration COMPUTE_REFRESH_MARGIN = Duration.ofMinutes(3).plusSeconds(45);
 
  private static final Logger LOGGER = Logger.getLogger(ComputeEngineCredentials.class.getName());
 
@@ -120,34 +122,31 @@ public class ComputeEngineCredentials extends GoogleCredentials
  private transient HttpTransportFactory transportFactory;
  private transient String serviceAccountEmail;
 
+ private String universeDomainFromMetadata = null;
+
  /**
- * Constructor with overridden transport.
+ * An internal constructor
  *
- * @param transportFactory HTTP transport factory, creates the transport used to get access
- * tokens.
- * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
- * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
- * collection. Default scopes are ignored if scopes are provided.
+ * @param builder A builder for {@link ComputeEngineCredentials} See {@link
+ * ComputeEngineCredentials.Builder}
  */
- private ComputeEngineCredentials(
- HttpTransportFactory transportFactory,
- Collection<String> scopes,
- Collection<String> defaultScopes) {
- super(/* accessToken= */ null, COMPUTE_REFRESH_MARGIN, COMPUTE_EXPIRATION_MARGIN);
+ private ComputeEngineCredentials(ComputeEngineCredentials.Builder builder) {
+ super(builder);
 
  this.transportFactory =
  firstNonNull(
- transportFactory,
+ builder.getHttpTransportFactory(),
  getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
  this.transportFactoryClassName = this.transportFactory.getClass().getName();
  // Use defaultScopes only when scopes don't exist.
- if (scopes == null || scopes.isEmpty()) {
- scopes = defaultScopes;
+ Collection<String> scopesToUse = builder.scopes;
+ if (scopesToUse == null || scopesToUse.isEmpty()) {
+ scopesToUse = builder.getDefaultScopes();
  }
- if (scopes == null) {
+ if (scopesToUse == null) {
  this.scopes = ImmutableSet.<String>of();
  } else {
- List<String> scopeList = new ArrayList<String>(scopes);
+ List<String> scopeList = new ArrayList<String>(scopesToUse);
  scopeList.removeAll(Arrays.asList("", null));
  this.scopes = ImmutableSet.<String>copyOf(scopeList);
  }
@@ -156,14 +155,21 @@ private ComputeEngineCredentials(
  /** Clones the compute engine account with the specified scopes. */
  @Override
  public GoogleCredentials createScoped(Collection<String> newScopes) {
- return new ComputeEngineCredentials(this.transportFactory, newScopes, null);
+ ComputeEngineCredentials.Builder builder =
+ this.toBuilder().setHttpTransportFactory(transportFactory).setScopes(newScopes);
+ return new ComputeEngineCredentials(builder);
  }
 
- /** Clones the compute engine account with the specified scopes. */
+ /** Clones the compute engine account with the specified scopes and default scopes. */
  @Override
  public GoogleCredentials createScoped(
  Collection<String> newScopes, Collection<String> newDefaultScopes) {
- return new ComputeEngineCredentials(this.transportFactory, newScopes, newDefaultScopes);
+ ComputeEngineCredentials.Builder builder =
+ ComputeEngineCredentials.newBuilder()
+ .setHttpTransportFactory(transportFactory)
+ .setScopes(newScopes)
+ .setDefaultScopes(newDefaultScopes);
+ return new ComputeEngineCredentials(builder);
  }
 
  /**
@@ -172,7 +178,7 @@ public GoogleCredentials createScoped(
  * @return new ComputeEngineCredentials
  */
  public static ComputeEngineCredentials create() {
- return new ComputeEngineCredentials(null, null, null);
+ return new ComputeEngineCredentials(ComputeEngineCredentials.newBuilder());
  }
 
  public final Collection<String> getScopes() {
@@ -192,6 +198,66 @@ String createTokenUrlWithScopes() {
  return tokenUrl.toString();
  }
 
+ /**
+ * Gets the universe domain from the GCE metadata server.
+ *
+ * <p>Returns an explicit universe domain if it was provided during credential initialization.
+ *
+ * <p>Returns the {@link Credentials#GOOGLE_DEFAULT_UNIVERSE} if universe domain endpoint is not
+ * found (404) or returns an empty string.
+ *
+ * <p>Otherwise, returns universe domain from GCE metadata service.
+ *
+ * <p>Any above value is cached for the credential lifetime.
+ *
+ * @throws IOException if a call to GCE metadata service was unsuccessful. Check if exception
+ * implements the {@link Retryable} and {@code isRetryable()} will return true if the
+ * operation may be retried.
+ * @return string representing a universe domain in the format some-domain.xyz
+ */
+ @Override
+ public String getUniverseDomain() throws IOException {
+ if (isExplicitUniverseDomain()) {
+ return super.getUniverseDomain();
+ }
+
+ synchronized (this) {
+ if (this.universeDomainFromMetadata != null) {
+ return this.universeDomainFromMetadata;
+ }
+ }
+
+ String universeDomainFromMetadata = getUniverseDomainFromMetadata();
+ synchronized (this) {
+ this.universeDomainFromMetadata = universeDomainFromMetadata;
+ }
+ return universeDomainFromMetadata;
+ }
+
+ private String getUniverseDomainFromMetadata() throws IOException {
+ HttpResponse response = getMetadataResponse(getUniverseDomainUrl());
+ int statusCode = response.getStatusCode();
+ if (statusCode == HttpStatusCodes.STATUS_CODE_NOT_FOUND) {
+ return Credentials.GOOGLE_DEFAULT_UNIVERSE;
+ }
+ if (statusCode != HttpStatusCodes.STATUS_CODE_OK) {
+ IOException cause =
+ new IOException(
+ String.format(
+ "Unexpected Error code %s trying to get universe domain"
+ + " from Compute Engine metadata for the default service account: %s",
+ statusCode, response.parseAsString()));
+ throw new GoogleAuthException(true, cause);
+ }
+ String responseString = response.parseAsString();
+
+ /* Earlier versions of MDS that supports universe_domain return empty string instead of GDU. */
+ if (responseString.isEmpty()) {
+ return Credentials.GOOGLE_DEFAULT_UNIVERSE;
+ }
+ return responseString;
+ }
+
  /** Refresh the access token by getting it from the GCE metadata server */
  @Override
  public AccessToken refreshAccessToken() throws IOException {
@@ -420,6 +486,11 @@ public static String getTokenServerEncodedUrl() {
  return getTokenServerEncodedUrl(DefaultCredentialsProvider.DEFAULT);
  }
 
+ public static String getUniverseDomainUrl() {
+ return getMetadataServerUrl(DefaultCredentialsProvider.DEFAULT)
+ + "/computeMetadata/v1/universe/universe_domain";
+ }
+
  public static String getServiceAccountsUrl() {
  return getMetadataServerUrl(DefaultCredentialsProvider.DEFAULT)
  + "/computeMetadata/v1/instance/service-accounts/?recursive=true";
@@ -436,20 +507,27 @@ public int hashCode() {
  }
 
  @Override
- public String toString() {
- return MoreObjects.toStringHelper(this)
- .add("transportFactoryClassName", transportFactoryClassName)
- .toString();
+ protected ToStringHelper toStringHelper() {
+ synchronized (this) {
+ return super.toStringHelper()
+ .add("transportFactoryClassName", transportFactoryClassName)
+ .add("scopes", scopes)
+ .add("universeDomainFromMetadata", universeDomainFromMetadata);
+ }
  }
 
  @Override
  public boolean equals(Object obj) {
  if (!(obj instanceof ComputeEngineCredentials)) {
  return false;
  }
+ if (!super.equals(obj)) {
+ return false;
+ }
  ComputeEngineCredentials other = (ComputeEngineCredentials) obj;
  return Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
- && Objects.equals(this.scopes, other.scopes);
+ && Objects.equals(this.scopes, other.scopes)
+ && Objects.equals(this.universeDomainFromMetadata, other.universeDomainFromMetadata);
  }
 
  private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
@@ -542,10 +620,15 @@ private String getDefaultServiceAccount() throws IOException {
  public static class Builder extends GoogleCredentials.Builder {
  private HttpTransportFactory transportFactory;
  private Collection<String> scopes;
+ private Collection<String> defaultScopes;
 
- protected Builder() {}
+ protected Builder() {
+ setRefreshMargin(COMPUTE_REFRESH_MARGIN);
+ setExpirationMargin(COMPUTE_EXPIRATION_MARGIN);
+ }
 
  protected Builder(ComputeEngineCredentials credentials) {
+ super(credentials);
  this.transportFactory = credentials.transportFactory;
  this.scopes = credentials.scopes;
  }
@@ -562,6 +645,24 @@ public Builder setScopes(Collection<String> scopes) {
  return this;
  }
 
+ @CanIgnoreReturnValue
+ public Builder setDefaultScopes(Collection<String> defaultScopes) {
+ this.defaultScopes = defaultScopes;
+ return this;
+ }
+
+ @CanIgnoreReturnValue
+ public Builder setUniverseDomain(String universeDomain) {
+ this.universeDomain = universeDomain;
+ return this;
+ }
+
+ @CanIgnoreReturnValue
+ public Builder setQuotaProjectId(String quotaProjectId) {
+ super.quotaProjectId = quotaProjectId;
+ return this;
+ }
+
  public HttpTransportFactory getHttpTransportFactory() {
  return transportFactory;
  }
@@ -570,8 +671,12 @@ public Collection<String> getScopes() {
  return scopes;
  }
 
+ public Collection<String> getDefaultScopes() {
+ return defaultScopes;
+ }
+
  public ComputeEngineCredentials build() {
- return new ComputeEngineCredentials(transportFactory, scopes, null);
+ return new ComputeEngineCredentials(this);
  }
  }
 }