googleapis · aeitzman · Jan 25, 2024 · Nov 27, 2023 · Nov 27, 2023 · Nov 27, 2023
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import java.io.IOException;
+import java.io.Serializable;
+
+/**
+ * Supplier for retrieving AWS Security credentials for {@Link AwsCredentials} to exchange for GCP
+ * access tokens.
+ */
+public interface AwsSecurityCredentialsSupplier extends Serializable {
+
+  /**
+   * Gets the AWS region to use.
+   *
+   * @return the AWS region that should be used for the credential.
+   * @throws IOException
+   */
+  String getRegion() throws IOException;
+
+  /**
+   * Gets AWS security credentials.
+   *
+   * @return valid AWS security credentials that can be exchanged for a GCP access token.
+   * @throws IOException
+   */
+  AwsSecurityCredentials getCredentials() throws IOException;
+}
@@ -66,22 +66,15 @@ public abstract class ExternalAccountCredentials extends GoogleCredentials {
 
   private static final long serialVersionUID = 8049126194174465023L;
 
-  /** Base credential source class. Dictates the retrieval method of the external credential. */
-  abstract static class CredentialSource implements java.io.Serializable {
-
-    private static final long serialVersionUID = 8204657811562399944L;
-
-    CredentialSource(Map<String, Object> credentialSourceMap) {
-      checkNotNull(credentialSourceMap);
-    }
-  }
-
   private static final String CLOUD_PLATFORM_SCOPE =
       "https://www.googleapis.com/auth/cloud-platform";
 
   static final String EXTERNAL_ACCOUNT_FILE_TYPE = "external_account";
   static final String EXECUTABLE_SOURCE_KEY = "executable";
 
+  static final String DEFAULT_TOKEN_URL = "https://sts.googleapis.com/v1/token";
+  static final String PROGRAMMATIC_METRICS_HEADER_VALUE = "programmatic";
+
   private final String transportFactoryClassName;
   private final String audience;
   private final String subjectTokenType;
@@ -103,11 +96,7 @@ abstract static class CredentialSource implements java.io.Serializable {
 
   protected transient HttpTransportFactory transportFactory;
 
-  @Nullable protected final ImpersonatedCredentials impersonatedCredentials;
-
-  // Internal override for impersonated credentials. This is done to keep
-  // impersonatedCredentials final.
-  @Nullable private ImpersonatedCredentials impersonatedCredentialsOverride;
+  @Nullable protected ImpersonatedCredentials impersonatedCredentials;
 
   private EnvironmentProvider environmentProvider;
 
@@ -223,8 +212,6 @@ protected ExternalAccountCredentials(
     }
 
     this.metricsHandler = new ExternalAccountMetricsHandler(this);
-
-    this.impersonatedCredentials = buildImpersonatedCredentials();
   }
 
   /**
@@ -242,12 +229,12 @@ protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)
     this.transportFactoryClassName = checkNotNull(this.transportFactory.getClass().getName());
     this.audience = checkNotNull(builder.audience);
     this.subjectTokenType = checkNotNull(builder.subjectTokenType);
-    this.tokenUrl = checkNotNull(builder.tokenUrl);
-    this.credentialSource = checkNotNull(builder.credentialSource);
+    this.credentialSource = builder.credentialSource;
     this.tokenInfoUrl = builder.tokenInfoUrl;
     this.serviceAccountImpersonationUrl = builder.serviceAccountImpersonationUrl;
     this.clientId = builder.clientId;
     this.clientSecret = builder.clientSecret;
+    this.tokenUrl = builder.tokenUrl == null ? DEFAULT_TOKEN_URL : builder.tokenUrl;
     this.scopes =
         (builder.scopes == null || builder.scopes.isEmpty())
             ? Arrays.asList(CLOUD_PLATFORM_SCOPE)
@@ -276,8 +263,6 @@ protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)
         builder.metricsHandler == null
             ? new ExternalAccountMetricsHandler(this)
             : builder.metricsHandler;
-
-    this.impersonatedCredentials = buildImpersonatedCredentials();
   }
 
   ImpersonatedCredentials buildImpersonatedCredentials() {
@@ -315,10 +300,6 @@ ImpersonatedCredentials buildImpersonatedCredentials() {
         .build();
   }
 
-  void overrideImpersonatedCredentials(ImpersonatedCredentials credentials) {
-    this.impersonatedCredentialsOverride = credentials;
-  }
-
   @Override
   public void getRequestMetadata(
       URI uri, Executor executor, final RequestMetadataCallback callback) {
@@ -478,6 +459,10 @@ private static boolean isAwsCredential(Map<String, Object> credentialSource) {
         && ((String) credentialSource.get("environment_id")).startsWith("aws");
   }
 
+  private boolean shouldBuildImpersonatedCredential() {
+    return this.serviceAccountImpersonationUrl != null && this.impersonatedCredentials == null;
+  }
+
   /**
    * Exchanges the external credential for a Google Cloud access token.
    *
@@ -488,11 +473,11 @@ private static boolean isAwsCredential(Map<String, Object> credentialSource) {
   protected AccessToken exchangeExternalCredentialForAccessToken(
       StsTokenExchangeRequest stsTokenExchangeRequest) throws IOException {
     // Handle service account impersonation if necessary.
-    // Internal override takes priority.
-    if (impersonatedCredentialsOverride != null) {
-      return impersonatedCredentialsOverride.refreshAccessToken();
-    } else if (impersonatedCredentials != null) {
-      return impersonatedCredentials.refreshAccessToken();
+    if (this.shouldBuildImpersonatedCredential()) {
+      this.impersonatedCredentials = this.buildImpersonatedCredentials();
+    }
+    if (this.impersonatedCredentials != null) {
+      return this.impersonatedCredentials.refreshAccessToken();
     }
 
     StsRequestHandler.Builder requestHandler =
@@ -791,6 +776,19 @@ public Builder setSubjectTokenType(String subjectTokenType) {
       return this;
     }
 
+    /**
+     * Sets the Security Token Service subject token type based on the OAuth 2.0 token exchange
+     * spec. Indicates the type of the security token in the credential file.
+     *
+     * @param subjectTokenType the {@code SubjectTokenType} to set
+     * @return this {@code Builder} object
+     */
+    @CanIgnoreReturnValue
+    public Builder setSubjectTokenType(SubjectTokenTypes subjectTokenType) {
+      this.subjectTokenType = subjectTokenType.value;
+      return this;
+    }
+
     /**
      * Sets the Security Token Service token exchange endpoint.
      *
@@ -945,4 +943,30 @@ Builder setEnvironmentProvider(EnvironmentProvider environmentProvider) {
     @Override
     public abstract ExternalAccountCredentials build();
   }
+
+  /**
+   * Enum specifying values for the subjectTokenType field in {@code ExternalAccountCredentials}.
+   */
+  public enum SubjectTokenTypes {
+    AWS4("urn:ietf:params:aws:token-type:aws4_request"),
+    JWT("urn:ietf:params:oauth:token-type:jwt"),
+    SAML2("urn:ietf:params:oauth:token-type:saml2"),
+    ID_TOKEN("urn:ietf:params:oauth:token-type:id_token");
+
+    public final String value;
+
+    private SubjectTokenTypes(String value) {
+      this.value = value;
+    }
+  }
+
+  /** Base credential source class. Dictates the retrieval method of the external credential. */
+  abstract static class CredentialSource implements java.io.Serializable {
+
+    private static final long serialVersionUID = 8204657811562399944L;
+
+    CredentialSource(Map<String, Object> credentialSourceMap) {
+      checkNotNull(credentialSourceMap);
+    }
+  }
 }
@@ -43,7 +43,7 @@ class ExternalAccountMetricsHandler implements java.io.Serializable {
 
   private final boolean configLifetime;
   private final boolean saImpersonation;
-  private String credentialSourceType;
+  private ExternalAccountCredentials credentials;
 
   /**
    * Constructor for the external account metrics handler.
@@ -55,7 +55,7 @@ class ExternalAccountMetricsHandler implements java.io.Serializable {
     this.saImpersonation = creds.getServiceAccountImpersonationUrl() != null;
     this.configLifetime =
         creds.getServiceAccountImpersonationOptions().customTokenLifetimeRequested;
-    this.credentialSourceType = creds.getCredentialSourceType();
+    this.credentials = creds;
   }
 
   /**
@@ -69,7 +69,7 @@ String getExternalAccountMetricsHeader() {
         MetricsUtils.getLanguageAndAuthLibraryVersions(),
         BYOID_METRICS_SECTION,
         SOURCE_KEY,
-        this.credentialSourceType,
+        this.credentials.getCredentialSourceType(),
         IMPERSONATION_KEY,
         this.saImpersonation,
         CONFIG_LIFETIME_KEY,

@@ -0,0 +1,101 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import com.google.api.client.json.GenericJson;
+import com.google.api.client.json.JsonObjectParser;
+import com.google.auth.oauth2.IdentityPoolCredentialSource.CredentialFormatType;
+import com.google.common.io.CharStreams;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.LinkOption;
+import java.nio.file.Paths;
+
+/**
+ * Internal provider for retrieving subject tokens for {@Link IdentityPoolCredentials} to exchange
+ * for GCP access tokens via a local file.
+ */
+class FileIdentityPoolSubjectTokenSupplier implements IdentityPoolSubjectTokenSupplier {
+
+  private final long serialVersionUID = 2475549052347431992L;
+
+  private final IdentityPoolCredentialSource credentialSource;
+
+  /**
+   * Constructor for FileIdentitySubjectTokenProvider
+   *
+   * @param credentialSource the credential source to use.
+   */
+  FileIdentityPoolSubjectTokenSupplier(IdentityPoolCredentialSource credentialSource) {
+    this.credentialSource = credentialSource;
+  }
+
+  @Override
+  public String getSubjectToken() throws IOException {
+    String credentialFilePath = this.credentialSource.credentialLocation;
+    if (!Files.exists(Paths.get(credentialFilePath), LinkOption.NOFOLLOW_LINKS)) {
+      throw new IOException(
+          String.format(
+              "Invalid credential location. The file at %s does not exist.", credentialFilePath));
+    }
+    try {
+      return parseToken(new FileInputStream(new File(credentialFilePath)), this.credentialSource);
+    } catch (IOException e) {
+      throw new IOException(
+          "Error when attempting to read the subject token from the credential file.", e);
+    }
+  }
+
+  static String parseToken(InputStream inputStream, IdentityPoolCredentialSource credentialSource)
+      throws IOException {
+    if (credentialSource.credentialFormatType == CredentialFormatType.TEXT) {
+      BufferedReader reader =
+          new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
+      return CharStreams.toString(reader);
+    }
+
+    JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY);
+    GenericJson fileContents =
+        parser.parseAndClose(inputStream, StandardCharsets.UTF_8, GenericJson.class);
+
+    if (!fileContents.containsKey(credentialSource.subjectTokenFieldName)) {
+      throw new IOException("Invalid subject token field name. No subject token was found.");
+    }
+    return (String) fileContents.get(credentialSource.subjectTokenFieldName);
+  }
+}