Merge branch 'main' into id-sign

googleapis · Jan 14, 2025 · 88caa5e · 88caa5e
2 parents e47e4f9 + 634d0ea
commit 88caa5e
Show file tree

Hide file tree

Showing 7 changed files with 234 additions and 9 deletions.
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
@@ -9,6 +9,8 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-22.04
+    # Sonar Token can't be passed to PRs from forks. Disable Sonar workflow unless PR is from a branch.
+    if: github.event.pull_request.head.repo.full_name == github.repository
     steps:
     - uses: actions/checkout@v4
       with:

diff --git a/.kokoro/presubmit/graalvm-native-a.cfg b/.kokoro/presubmit/graalvm-native-a.cfg
@@ -44,6 +44,6 @@ env_vars: {
 }
 
 container_properties {
-  docker_image: "us-docker.pkg.dev/java-graalvm-ci-prod/graalvm-integration-testing/graalvm_a:1.12.2"
+  docker_image: "us-docker.pkg.dev/java-graalvm-ci-prod/graalvm-integration-testing/graalvm_a:1.13.0"
 }
 
diff --git a/.kokoro/presubmit/graalvm-native-b.cfg b/.kokoro/presubmit/graalvm-native-b.cfg
@@ -44,5 +44,5 @@ env_vars: {
 }
 
 container_properties {
-  docker_image: "us-docker.pkg.dev/java-graalvm-ci-prod/graalvm-integration-testing/graalvm_b:1.12.2"
+  docker_image: "us-docker.pkg.dev/java-graalvm-ci-prod/graalvm-integration-testing/graalvm_b:1.13.0"
 }
diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -106,6 +106,68 @@ public class ComputeEngineCredentials extends GoogleCredentials
   static final int MAX_COMPUTE_PING_TRIES = 3;
   static final int COMPUTE_PING_CONNECTION_TIMEOUT_MS = 500;
 
+  /**
+   * Experimental Feature.
+   *
+   * <p>{@link GoogleAuthTransport} specifies how to authenticate to Google APIs.
+   *
+   * <p>Behavior of setting {@link GoogleAuthTransport} / {@link BindingEnforcement}:
+   *
+   * <p>MTLS-bound token where binding enforcement depends on IAM policy: MTLS / {}, {} /
+   * IAM_POLICY, MTLS / IAM_POLICY
+   *
+   * <p>MTLS-bound token where bindings are always enforced: {} / ON, MTLS / ON
+   *
+   * <p>DirectPath bound token: ALTS / {}
+   */
+  public enum GoogleAuthTransport {
+    // Authenticating to Google APIs via DirectPath
+    ALTS("alts"),
+    // Authenticating to Google APIs via GFE
+    MTLS("mtls");
+
+    private final String label;
+
+    private GoogleAuthTransport(String label) {
+      this.label = label;
+    }
+
+    public String getLabel() {
+      return label;
+    }
+  }
+
+  /**
+   * Experimental Feature.
+   *
+   * <p>{@link BindingEnforcement} specifies how binding info in tokens will be enforced.
+   *
+   * <p>Behavior of setting {@link GoogleAuthTransport} / {@link BindingEnforcement}:
+   *
+   * <p>MTLS-bound token where binding enforcement depends on IAM policy: MTLS / {}, {} /
+   * IAM_POLICY, MTLS / IAM_POLICY
+   *
+   * <p>MTLS-bound token where bindings are always enforced: {} / ON, MTLS / ON
+   *
+   * <p>DirectPath bound token: ALTS / {}
+   */
+  public enum BindingEnforcement {
+    // Binding enforcement will always happen, irrespective of the IAM policy.
+    ON("on"),
+    // Binding enforcement will depend on IAM policy.
+    IAM_POLICY("iam-policy");
+
+    private final String label;
+
+    private BindingEnforcement(String label) {
+      this.label = label;
+    }
+
+    public String getLabel() {
+      return label;
+    }
+  }
+
   private static final String METADATA_FLAVOR = "Metadata-Flavor";
   private static final String GOOGLE = "Google";
   private static final String WINDOWS = "windows";
@@ -119,6 +181,9 @@ public class ComputeEngineCredentials extends GoogleCredentials
 
   private final Collection<String> scopes;
 
+  private final GoogleAuthTransport transport;
+  private final BindingEnforcement bindingEnforcement;
+
   private transient HttpTransportFactory transportFactory;
   private transient String serviceAccountEmail;
 
@@ -149,6 +214,8 @@ private ComputeEngineCredentials(ComputeEngineCredentials.Builder builder) {
       scopeList.removeAll(Arrays.asList("", null));
       this.scopes = ImmutableSet.<String>copyOf(scopeList);
     }
+    this.transport = builder.getGoogleAuthTransport();
+    this.bindingEnforcement = builder.getBindingEnforcement();
   }
 
   @Override
@@ -188,7 +255,10 @@ public final Collection<String> getScopes() {
   }
 
   /**
-   * If scopes is specified, add "?scopes=comma-separated-list-of-scopes" to the token url.
+   * If scopes is specified, add "?scopes=comma-separated-list-of-scopes" to the token url. If
+   * transport is specified, add "?transport=xyz" to the token url; xyz is one of "alts" or "mtls".
+   * If bindingEnforcement is specified, add "?binding-enforcement=xyz" to the token url; xyz is one
+   * of "iam-policy" or "on".
    *
    * @return token url with the given scopes
    */
@@ -197,6 +267,12 @@ String createTokenUrlWithScopes() {
     if (!scopes.isEmpty()) {
       tokenUrl.set("scopes", Joiner.on(',').join(scopes));
     }
+    if (transport != null) {
+      tokenUrl.set("transport", transport.getLabel());
+    }
+    if (bindingEnforcement != null) {
+      tokenUrl.set("binding-enforcement", bindingEnforcement.getLabel());
+    }
     return tokenUrl.toString();
   }
 
@@ -647,6 +723,9 @@ public static class Builder extends GoogleCredentials.Builder {
     private Collection<String> scopes;
     private Collection<String> defaultScopes;
 
+    private GoogleAuthTransport transport;
+    private BindingEnforcement bindingEnforcement;
+
     protected Builder() {
       setRefreshMargin(COMPUTE_REFRESH_MARGIN);
       setExpirationMargin(COMPUTE_EXPIRATION_MARGIN);
@@ -688,6 +767,28 @@ public Builder setQuotaProjectId(String quotaProjectId) {
       return this;
     }
 
+    /**
+     * Set the {@code GoogleAuthTransport} type.
+     *
+     * @param transport the transport type over which to authenticate to Google APIs
+     */
+    @CanIgnoreReturnValue
+    public Builder setGoogleAuthTransport(GoogleAuthTransport transport) {
+      this.transport = transport;
+      return this;
+    }
+
+    /**
+     * Set the {@code BindingEnforcement} type.
+     *
+     * @param bindingEnforcement the token binding enforcement policy.
+     */
+    @CanIgnoreReturnValue
+    public Builder setBindingEnforcement(BindingEnforcement bindingEnforcement) {
+      this.bindingEnforcement = bindingEnforcement;
+      return this;
+    }
+
     public HttpTransportFactory getHttpTransportFactory() {
       return transportFactory;
     }
@@ -700,6 +801,24 @@ public Collection<String> getDefaultScopes() {
       return defaultScopes;
     }
 
+    /**
+     * Get the {@code GoogleAuthTransport} type.
+     *
+     * @return the transport type over which to authenticate to Google APIs
+     */
+    public GoogleAuthTransport getGoogleAuthTransport() {
+      return transport;
+    }
+
+    /**
+     * Get the {@code BindingEnforcement} type.
+     *
+     * @return the token binding enforcement policy.
+     */
+    public BindingEnforcement getBindingEnforcement() {
+      return bindingEnforcement;
+    }
+
     @Override
     public ComputeEngineCredentials build() {
       return new ComputeEngineCredentials(this);

diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -191,6 +191,110 @@ public void buildTokenUrlWithScopes_defaultScopes() {
     assertEquals("bar", scopes.toArray()[1]);
   }
 
+  @Test
+  public void buildTokenUrl_nullTransport() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setGoogleAuthTransport(null)
+            .setBindingEnforcement(ComputeEngineCredentials.BindingEnforcement.ON)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?binding-enforcement=on", softBoundTokenUrl);
+  }
+
+  @Test
+  public void buildTokenUrl_nullBindingEnforcement() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setGoogleAuthTransport(ComputeEngineCredentials.GoogleAuthTransport.MTLS)
+            .setBindingEnforcement(null)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?transport=mtls", softBoundTokenUrl);
+  }
+
+  @Test
+  public void buildTokenUrl_nullTransport_nullBindingEnforcement() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setGoogleAuthTransport(null)
+            .setBindingEnforcement(null)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL, softBoundTokenUrl);
+  }
+
+  @Test
+  public void buildTokenUrlSoftMtlsBound_mtls_transport() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setGoogleAuthTransport(ComputeEngineCredentials.GoogleAuthTransport.MTLS)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?transport=mtls", softBoundTokenUrl);
+  }
+
+  @Test
+  public void buildTokenUrlSoftMtlsBound_iam_enforcement() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setBindingEnforcement(ComputeEngineCredentials.BindingEnforcement.IAM_POLICY)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?binding-enforcement=iam-policy", softBoundTokenUrl);
+  }
+
+  @Test
+  public void buildTokenUrlSoftMtlsBound_mtls_transport_iam_enforcement() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setGoogleAuthTransport(ComputeEngineCredentials.GoogleAuthTransport.MTLS)
+            .setBindingEnforcement(ComputeEngineCredentials.BindingEnforcement.IAM_POLICY)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?transport=mtls&binding-enforcement=iam-policy", softBoundTokenUrl);
+  }
+
+  @Test
+  public void buildTokenUrlHardMtlsBound_always_enforced() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setBindingEnforcement(ComputeEngineCredentials.BindingEnforcement.ON)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?binding-enforcement=on", softBoundTokenUrl);
+  }
+
+  @Test
+  public void buildTokenUrlHardMtlsBound_mtls_transport_always_enforced() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setGoogleAuthTransport(ComputeEngineCredentials.GoogleAuthTransport.MTLS)
+            .setBindingEnforcement(ComputeEngineCredentials.BindingEnforcement.ON)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?transport=mtls&binding-enforcement=on", softBoundTokenUrl);
+  }
+
+  @Test
+  public void buildTokenUrlHardDirectPathBound_alts_transport() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setGoogleAuthTransport(ComputeEngineCredentials.GoogleAuthTransport.ALTS)
+            .build();
+    String softBoundTokenUrl = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?transport=alts", softBoundTokenUrl);
+  }
+
   @Test
   public void buildScoped_scopesPresent() throws IOException {
     ComputeEngineCredentials credentials =

diff --git a/pom.xml b/pom.xml
@@ -16,7 +16,7 @@
   <parent>
     <groupId>com.google.cloud</groupId>
     <artifactId>google-cloud-shared-config</artifactId>
-    <version>1.12.2</version>
+    <version>1.13.0</version>
   </parent>
 
   <distributionManagement>
@@ -69,9 +69,9 @@
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <project.google.http.version>1.45.2</project.google.http.version>
+    <project.google.http.version>1.45.3</project.google.http.version>
     <project.junit.version>4.13.2</project.junit.version>
-    <project.guava.version>33.3.1-android</project.guava.version>
+    <project.guava.version>33.4.0-android</project.guava.version>
     <project.appengine.version>2.0.31</project.appengine.version>
     <project.findbugs.version>3.0.2</project.findbugs.version>
     <deploy.autorelease>false</deploy.autorelease>

diff --git a/samples/snippets/pom.xml b/samples/snippets/pom.xml
@@ -30,7 +30,7 @@
       <dependency>
         <groupId>com.google.cloud</groupId>
         <artifactId>libraries-bom</artifactId>
-        <version>26.51.0</version>
+        <version>26.52.0</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -43,14 +43,14 @@
     <dependency>
       <groupId>com.google.auth</groupId>
       <artifactId>google-auth-library-oauth2-http</artifactId>
-      <version>1.30.0</version>
+      <version>1.30.1</version>
     </dependency>
 
 <!--    IAM dependency-->
     <dependency>
       <groupId>com.google.cloud</groupId>
       <artifactId>google-iam-admin</artifactId>
-      <version>3.49.0</version>
+      <version>3.51.0</version>
     </dependency>
 
 <!--    GCloud dependency-->