feat(auth): add universe domain support to mTLS (#11159)

* remove runtime error for mTLS usage with non-GDU universe domain
* add UNIVERSE_DOMAIN placeholder support for Options.DefaultMTLSEndpoint

refs: googleapis/google-api-go-client#2880

auth/internal/transport/cba.go

@@ -51,17 +51,13 @@ const (
 	mtlsMDSKey  = "/run/google-mds-mtls/client.key"
 )
 
-var (
-	errUniverseNotSupportedMTLS = errors.New("mTLS is not supported in any universe other than googleapis.com")
-)
-
 // Options is a struct that is duplicated information from the individual
 // transport packages in order to avoid cyclic deps. It correlates 1:1 with
 // fields on httptransport.Options and grpctransport.Options.
 type Options struct {
 	Endpoint                string
-	DefaultMTLSEndpoint     string
 	DefaultEndpointTemplate string
+	DefaultMTLSEndpoint     string
 	ClientCertProvider      cert.Provider
 	Client                  *http.Client
 	UniverseDomain          string
@@ -94,6 +90,16 @@ func (o *Options) defaultEndpoint() string {
 	return strings.Replace(o.DefaultEndpointTemplate, universeDomainPlaceholder, o.getUniverseDomain(), 1)
 }
 
+// defaultMTLSEndpoint returns the DefaultMTLSEndpointTemplate merged with the
+// universe domain if the DefaultMTLSEndpointTemplate is set, otherwise returns an
+// empty string.
+func (o *Options) defaultMTLSEndpoint() string {
+	if o.DefaultMTLSEndpoint == "" {
+		return ""
+	}
+	return strings.Replace(o.DefaultMTLSEndpoint, universeDomainPlaceholder, o.getUniverseDomain(), 1)
+}
+
 // mergedEndpoint merges a user-provided Endpoint of format host[:port] with the
 // default endpoint.
 func (o *Options) mergedEndpoint() (string, error) {
@@ -256,9 +262,6 @@ func getTransportConfig(opts *Options) (*transportConfig, error) {
 	if !shouldUseS2A(clientCertSource, opts) {
 		return &defaultTransportConfig, nil
 	}
-	if !opts.isUniverseDomainGDU() {
-		return nil, errUniverseNotSupportedMTLS
-	}
 
 	s2aAddress := GetS2AAddress()
 	mtlsS2AAddress := GetMTLSS2AAddress()
@@ -270,7 +273,7 @@ func getTransportConfig(opts *Options) (*transportConfig, error) {
 		endpoint:         endpoint,
 		s2aAddress:       s2aAddress,
 		mtlsS2AAddress:   mtlsS2AAddress,
-		s2aMTLSEndpoint:  opts.DefaultMTLSEndpoint,
+		s2aMTLSEndpoint:  opts.defaultMTLSEndpoint(),
 	}, nil
 }
 
@@ -316,24 +319,23 @@ type transportConfig struct {
 // getEndpoint returns the endpoint for the service, taking into account the
 // user-provided endpoint override "settings.Endpoint".
 //
-// If no endpoint override is specified, we will either return the default endpoint or
-// the default mTLS endpoint if a client certificate is available.
+// If no endpoint override is specified, we will either return the default
+// endpoint or the default mTLS endpoint if a client certificate is available.
 //
-// You can override the default endpoint choice (mtls vs. regular) by setting the
-// GOOGLE_API_USE_MTLS_ENDPOINT environment variable.
+// You can override the default endpoint choice (mTLS vs. regular) by setting
+// the GOOGLE_API_USE_MTLS_ENDPOINT environment variable.
 //
 // If the endpoint override is an address (host:port) rather than full base
 // URL (ex. https://...), then the user-provided address will be merged into
 // the default endpoint. For example, WithEndpoint("myhost:8000") and
-// DefaultEndpointTemplate("https://UNIVERSE_DOMAIN/bar/baz") will return "https://myhost:8080/bar/baz"
+// DefaultEndpointTemplate("https://UNIVERSE_DOMAIN/bar/baz") will return
+// "https://myhost:8080/bar/baz". Note that this does not apply to the mTLS
+// endpoint.
 func getEndpoint(opts *Options, clientCertSource cert.Provider) (string, error) {
 	if opts.Endpoint == "" {
 		mtlsMode := getMTLSMode()
 		if mtlsMode == mTLSModeAlways || (clientCertSource != nil && mtlsMode == mTLSModeAuto) {
-			if !opts.isUniverseDomainGDU() {
-				return "", errUniverseNotSupportedMTLS
-			}
-			return opts.DefaultMTLSEndpoint, nil
+			return opts.defaultMTLSEndpoint(), nil
 		}
 		return opts.defaultEndpoint(), nil
 	}