fix: makes default token url universe aware #1383

Merged
merged 6 commits into from
Apr 11, 2024

@aeitzman aeitzman commented Apr 9, 2024

Makes the default sts token url logic in external account credentials universe aware.

@aeitzman aeitzman requested review from a team as code owners April 9, 2024 19:54
@product-auto-label product-auto-label bot added the size: s Pull request size is small. label Apr 9, 2024
@product-auto-label product-auto-label bot added size: m Pull request size is medium. and removed size: s Pull request size is small. labels Apr 9, 2024
this.tokenUrl = DEFAULT_TOKEN_URL.replace("{UNIVERSE_DOMAIN}", this.getUniverseDomain());
} catch (IOException e) {
// Throwing an IOException would be a breaking change, so wrap it here.
// This should not happen for this credential type.
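
Review bot: On the DEFAULT_TOKEN_URL.replace("{UNIVERSE_DOMAIN}", this.getUniverseDomain()) line, a null return from getUniverseDomain() would make String.replace throw a NullPointerException, which the catch (IOException e) that follows does not cover, and an empty return would leave the placeholder's position in the URL blank. Consider checking that the value is non-null and non-empty before substituting it, since the result is assigned straight to this.tokenUrl.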

@westarle westarle Apr 10, 2024

Is there a place we can read this value for this credential type that doesn't offer an exception (and this dead code)?

Can we override getUniverseDomain() and strip the exception if it is always available?

Contributor Author

Yeah we could override it, I think we would still have the dead code in the overridden function, but I may be misunderstanding what you mean by strip the exception, do you just mean doing this? -

  @Override
  public String getUniverseDomain() {
    try {
      return super.getUniverseDomain();
    } catch (IOException e) {
      throw new RuntimeException(e);
    }
  }

The other easier option would be to make universeDomain protected instead of private in GoogleCredentials so the external account credential could just read it directly instead of calling the parent getUniverseDomain() function.

The example you put is what I meant -- this implementation has a more precise definition of getUniverseDomain that can embed the fact that it will not throw. This will help this codepath and any other users avoid a hard decision.

universeDomain can't be protected in GoogleCredentials because it isn't usable by subclasses of GCE credential types, and those credential types can't hide it. It probably isn't set until a successful request to MDS.

I understand the override is kind of ugly but it is a consequence of our deep type hierarchy.
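
The override discussed in this thread, as an added, self-contained example that is not part of the conversation or the library's code: a subtype narrows `getUniverseDomain()` so it declares no checked exception, then builds its token URL from a template. The class names, the `TOKEN_URL_TEMPLATE` value, the hostname check and the sample domains are all assumptions constructed for illustration.

```java
import java.io.IOException;
import java.util.regex.Pattern;

public class UniverseDomainDemo {
  // Constructed template; the library's actual DEFAULT_TOKEN_URL value is not shown on this page.
  static final String TOKEN_URL_TEMPLATE = "https://sts.{UNIVERSE_DOMAIN}/v1/token";
  // Added check (assumption, not from the PR): accept only dot-separated DNS labels.
  static final Pattern HOSTNAME =
      Pattern.compile("[a-z0-9]([a-z0-9-]*[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+");

  /** Hypothetical base type: declared as throwing because some subtypes resolve the value with I/O. */
  static class BaseCredentials {
    private final String universeDomain;
    BaseCredentials(String universeDomain) { this.universeDomain = universeDomain; }
    public String getUniverseDomain() throws IOException { return universeDomain; }
  }

  /** Hypothetical subtype whose domain is always known at construction time. */
  static class ExternalCredentials extends BaseCredentials {
    final String tokenUrl;
    ExternalCredentials(String universeDomain) {
      super(universeDomain);
      String domain = getUniverseDomain(); // no try/catch: the override declares no checked exception
      if (domain == null || !HOSTNAME.matcher(domain).matches()) {
        throw new IllegalArgumentException("invalid universe domain: " + domain);
      }
      this.tokenUrl = TOKEN_URL_TEMPLATE.replace("{UNIVERSE_DOMAIN}", domain);
    }
    @Override
    public String getUniverseDomain() {
      try {
        return super.getUniverseDomain();
      } catch (IOException e) {
        throw new RuntimeException(e); // unreachable for this type
      }
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample domains.
    System.out.println(new ExternalCredentials("universe.example.test").tokenUrl);
    BaseCredentials viaBase = new ExternalCredentials("example.test");
    System.out.println(viaBase.getUniverseDomain()); // static type is the base: caller must still handle IOException
    try {
      new ExternalCredentials("example.test/path?x=");
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Only callers that hold the subtype benefit from the narrowed signature; code that sees the value through the base type still has to handle `IOException`.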

@product-auto-label product-auto-label bot added size: s Pull request size is small. and removed size: m Pull request size is medium. labels Apr 11, 2024

Quality Gate failed

Failed conditions
75.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarCloud

westarle commented Apr 11, 2024

Coverage test is complaining about new getUniverseDomain, where the 2nd branch isn't exercisable by tests. We can ignore for this PR.

@aeitzman aeitzman merged commit e3caf05 into googleapis:main Apr 11, 2024
18 of 19 checks passed