feat: support GDC-H Credentials

gax-java/.gitignore

@@ -15,6 +15,7 @@ target
 
 # IntelliJ
 .idea
+.ijwb
 *.iml
 out
 

gax-java/gax/clirr-ignored-differences.xml

@@ -7,4 +7,16 @@
     <className>com/google/api/gax/paging/Page</className>
     <method>* stream*(*)</method>
   </difference>
+  <difference>
+    <!-- add gdchApiAudience to ClientContext and StubSettings -->
+    <differenceType>7012</differenceType>
+    <className>com/google/api/gax/rpc/ClientContext</className>
+    <method>* gdch*(*)</method>
+  </difference>
+  <difference>
+    <!-- add gdchApiAudience to ClientContext and StubSettings -->
+    <differenceType>7012</differenceType>
+    <className>com/google/api/gax/rpc/StubSettings</className>
+    <method>* gdch*(*)</method>
+  </difference>
 </differences>

gax-java/gax/src/main/java/com/google/api/gax/rpc/ClientContext.java

@@ -40,11 +40,13 @@
 import com.google.api.gax.tracing.ApiTracerFactory;
 import com.google.api.gax.tracing.BaseApiTracerFactory;
 import com.google.auth.Credentials;
+import com.google.auth.oauth2.GdchCredentials;
 import com.google.auto.value.AutoValue;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Sets;
 import java.io.IOException;
+import java.net.URI;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -109,6 +111,9 @@ public abstract class ClientContext {
   @Nonnull
   public abstract ApiTracerFactory getTracerFactory();
 
+  @Nullable
+  public abstract String getGdchApiAudience();
+
   public static Builder newBuilder() {
     return new AutoValue_ClientContext.Builder()
         .setBackgroundResources(Collections.<BackgroundResource>emptyList())
@@ -119,7 +124,8 @@ public static Builder newBuilder() {
         .setStreamWatchdog(null)
         .setStreamWatchdogCheckInterval(Duration.ZERO)
         .setTracerFactory(BaseApiTracerFactory.getInstance())
-        .setQuotaProjectId(null);
+        .setQuotaProjectId(null)
+        .setGdchApiAudience(null);
   }
 
   public abstract Builder toBuilder();
@@ -167,6 +173,23 @@ public static ClientContext create(StubSettings settings) throws IOException {
 
     Credentials credentials = settings.getCredentialsProvider().getCredentials();
 
+    String gdhcApiAudience = settings.getGdchApiAudience();
+    if (gdhcApiAudience != null && credentials instanceof GdchCredentials) {
+      // We recompute the GdchCredentials with the audience
+      URI gdchAudienceUri;
+      try {
+        gdchAudienceUri = URI.create(gdhcApiAudience);
+      } catch (IllegalArgumentException ex) { // thrown when passing a malformed uri string
+        throw new IllegalArgumentException("The GDC-H API audience string is not a valid URI", ex);
+      }
+      credentials =
+          ((GdchCredentials) credentials).toBuilder().setGdchAudience(gdchAudienceUri).build();
+    } else if (gdhcApiAudience != null) {
+      // We have audience set for non-gdch credentials - this is not allowed
+      throw new IllegalArgumentException(
+          "GDC-H API audience can only be set when using GdchCredentials");
+    }
+
     if (settings.getQuotaProjectId() != null) {
       // If the quotaProjectId is set, wrap original credentials with correct quotaProjectId as
       // QuotaProjectIdHidingCredentials.
@@ -325,6 +348,8 @@ public abstract static class Builder {
     @BetaApi("The surface for tracing is not stable yet and may change in the future.")
     public abstract Builder setTracerFactory(ApiTracerFactory tracerFactory);
 
+    public abstract Builder setGdchApiAudience(String credentialsApiAudience);
+
     public abstract ClientContext build();
   }
 }

gax-java/gax/src/main/java/com/google/api/gax/rpc/ClientSettings.java

@@ -111,6 +111,10 @@ public final Duration getWatchdogCheckInterval() {
     return stubSettings.getStreamWatchdogCheckInterval();
   }
 
+  public final String getGdchApiAudience() {
+    return stubSettings.getGdchApiAudience();
+  }
+
   public String toString() {
     return MoreObjects.toStringHelper(this)
         .add("executorProvider", getExecutorProvider())
@@ -124,6 +128,7 @@ public String toString() {
         .add("quotaProjectId", getQuotaProjectId())
         .add("watchdogProvider", getWatchdogProvider())
         .add("watchdogCheckInterval", getWatchdogCheckInterval())
+        .add("gdchApiAudience", getGdchApiAudience())
         .toString();
   }
 
@@ -255,6 +260,16 @@ public B setWatchdogCheckInterval(@Nullable Duration checkInterval) {
       return self();
     }
 
+    /**
+     * Sets the GDC-H api audience. This is intended only to be used with {@link
+     * com.google.auth.oauth2.GdchCredentials} If this field is set and other type of {@link
+     * com.google.auth.Credentials} is used then an {@link IllegalArgumentException} will be thrown
+     */
+    public B setGdchApiAudience(@Nullable String gdchApiAudience) {
+      stubSettings.setGdchApiAudience(gdchApiAudience);
+      return self();
+    }
+
     /**
      * Gets the ExecutorProvider that was previously set on this Builder. This ExecutorProvider is
      * to use for running asynchronous API call logic (such as retries and long-running operations),
@@ -322,6 +337,11 @@ public Duration getWatchdogCheckInterval() {
       return stubSettings.getStreamWatchdogCheckInterval();
     }
 
+    @Nullable
+    public String getGdchApiAudience() {
+      return stubSettings.getGdchApiAudience();
+    }
+
     /** Applies the given settings updater function to the given method settings builders. */
     protected static void applyToAllUnaryMethods(
         Iterable<UnaryCallSettings.Builder<?, ?>> methodSettingsBuilders,
@@ -344,6 +364,7 @@ public String toString() {
           .add("quotaProjectId", getQuotaProjectId())
           .add("watchdogProvider", getWatchdogProvider())
           .add("watchdogCheckInterval", getWatchdogCheckInterval())
+          .add("gdchApiAudience", getGdchApiAudience())
           .toString();
     }
   }

gax-java/gax/src/main/java/com/google/api/gax/rpc/StubSettings.java

@@ -73,6 +73,7 @@ public abstract class StubSettings<SettingsT extends StubSettings<SettingsT>> {
   private final String endpoint;
   private final String mtlsEndpoint;
   private final String quotaProjectId;
+  @Nullable private final String gdchApiAudience;
   @Nullable private final WatchdogProvider streamWatchdogProvider;
   @Nonnull private final Duration streamWatchdogCheckInterval;
   @Nonnull private final ApiTracerFactory tracerFactory;
@@ -103,6 +104,7 @@ protected StubSettings(Builder builder) {
     this.streamWatchdogCheckInterval = builder.streamWatchdogCheckInterval;
     this.tracerFactory = builder.tracerFactory;
     this.deprecatedExecutorProviderSet = builder.deprecatedExecutorProviderSet;
+    this.gdchApiAudience = builder.gdchApiAudience;
   }
 
   /** @deprecated Please use {@link #getBackgroundExecutorProvider()}. */
@@ -172,6 +174,11 @@ public ApiTracerFactory getTracerFactory() {
     return tracerFactory;
   }
 
+  @Nullable
+  public final String getGdchApiAudience() {
+    return gdchApiAudience;
+  }
+
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)
@@ -188,6 +195,7 @@ public String toString() {
         .add("streamWatchdogProvider", streamWatchdogProvider)
         .add("streamWatchdogCheckInterval", streamWatchdogCheckInterval)
         .add("tracerFactory", tracerFactory)
+        .add("gdchApiAudience", gdchApiAudience)
         .toString();
   }
 
@@ -205,6 +213,7 @@ public abstract static class Builder<
     private String endpoint;
     private String mtlsEndpoint;
     private String quotaProjectId;
+    @Nullable private String gdchApiAudience;
     @Nullable private WatchdogProvider streamWatchdogProvider;
     @Nonnull private Duration streamWatchdogCheckInterval;
     @Nonnull private ApiTracerFactory tracerFactory;
@@ -234,6 +243,7 @@ protected Builder(StubSettings settings) {
       this.streamWatchdogCheckInterval = settings.streamWatchdogCheckInterval;
       this.tracerFactory = settings.tracerFactory;
       this.deprecatedExecutorProviderSet = settings.deprecatedExecutorProviderSet;
+      this.gdchApiAudience = settings.gdchApiAudience;
     }
 
     /** Get Quota Project ID from Client Context * */
@@ -268,6 +278,7 @@ protected Builder(ClientContext clientContext) {
         this.streamWatchdogCheckInterval = Duration.ofSeconds(10);
         this.tracerFactory = BaseApiTracerFactory.getInstance();
         this.deprecatedExecutorProviderSet = false;
+        this.gdchApiAudience = null;
       } else {
         ExecutorProvider fixedExecutorProvider =
             FixedExecutorProvider.create(clientContext.getExecutor());
@@ -289,6 +300,7 @@ protected Builder(ClientContext clientContext) {
         this.streamWatchdogCheckInterval = clientContext.getStreamWatchdogCheckInterval();
         this.tracerFactory = clientContext.getTracerFactory();
         this.quotaProjectId = getQuotaProjectIdFromClientContext(clientContext);
+        this.gdchApiAudience = clientContext.getGdchApiAudience();
       }
     }
 
@@ -435,6 +447,11 @@ public B setStreamWatchdogCheckInterval(@Nonnull Duration checkInterval) {
       return self();
     }
 
+    public B setGdchApiAudience(String gdchApiAudience) {
+      this.gdchApiAudience = gdchApiAudience;
+      return self();
+    }
+
     /**
      * Configures the {@link ApiTracerFactory} that will be used to generate traces.
      *
@@ -513,6 +530,10 @@ public ApiTracerFactory getTracerFactory() {
       return tracerFactory;
     }
 
+    public String getGdchApiAudience() {
+      return gdchApiAudience;
+    }
+
     /** Applies the given settings updater function to the given method settings builders. */
     protected static void applyToAllUnaryMethods(
         Iterable<UnaryCallSettings.Builder<?, ?>> methodSettingsBuilders,
@@ -540,6 +561,7 @@ public String toString() {
           .add("streamWatchdogProvider", streamWatchdogProvider)
           .add("streamWatchdogCheckInterval", streamWatchdogCheckInterval)
           .add("tracerFactory", tracerFactory)
+          .add("gdchApiAudience", gdchApiAudience)
           .toString();
     }
   }

gax-java/gax/src/test/java/com/google/api/gax/rpc/ClientContextTest.java

@@ -30,10 +30,7 @@
 package com.google.api.gax.rpc;
 
 import static com.google.common.truth.Truth.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
+import static org.junit.Assert.*;
 
 import com.google.api.core.ApiClock;
 import com.google.api.gax.core.BackgroundResource;
@@ -49,10 +46,13 @@
 import com.google.api.gax.rpc.testing.FakeStubSettings;
 import com.google.api.gax.rpc.testing.FakeTransportChannel;
 import com.google.auth.Credentials;
+import com.google.auth.oauth2.ComputeEngineCredentials;
+import com.google.auth.oauth2.GdchCredentials;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.truth.Truth;
 import java.io.IOException;
+import java.net.URI;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -769,4 +769,85 @@ public void testExecutorSettings() throws Exception {
     transportChannel = (FakeTransportChannel) context.getTransportChannel();
     assertThat(transportChannel.getExecutor()).isSameInstanceAs(executorProvider.getExecutor());
   }
+
+  private Credentials getMockGdchCredentials() {
+    Credentials creds = Mockito.mock(GdchCredentials.class);
+
+    // GdchCredentials builder is mocked to accept a well-formed uri
+    GdchCredentials.Builder gdchCredsBuilder = Mockito.mock(GdchCredentials.Builder.class);
+    Mockito.when(gdchCredsBuilder.setGdchAudience(Mockito.any(URI.class)))
+        .thenReturn(gdchCredsBuilder);
+    Mockito.when(gdchCredsBuilder.build()).thenReturn((GdchCredentials) creds);
+    Mockito.when(((GdchCredentials) creds).toBuilder()).thenReturn(gdchCredsBuilder);
+    return creds;
+  }
+
+  private TransportChannelProvider getFakeTransportChannelProvider() {
+    return new FakeTransportProvider(
+        FakeTransportChannel.create(new FakeChannel()), null, true, null, null);
+  }
+
+  @Test
+  public void testGDCHCredentialsNoAudience() throws IOException {}
+
+  @Test
+  public void testGdchCredentialNoAudience_correct() throws IOException {
+    TransportChannelProvider transportChannelProvider = getFakeTransportChannelProvider();
+    Credentials creds = getMockGdchCredentials();
+
+    // it should correctly create a client context with gdch creds and null audience
+    CredentialsProvider provider = FixedCredentialsProvider.create(creds);
+    StubSettings settings = new FakeStubSettings.Builder().setGdchApiAudience(null).build();
+    FakeClientSettings.Builder clientSettingsBuilder = new FakeClientSettings.Builder(settings);
+    clientSettingsBuilder.setCredentialsProvider(provider);
+    clientSettingsBuilder.setTransportChannelProvider(transportChannelProvider);
+    // should not throw
+    ClientContext context = ClientContext.create(clientSettingsBuilder.build());
+    assertThat(context.getCredentials()).isInstanceOf(GdchCredentials.class);
+    assertNull(context.getGdchApiAudience());
+  }
+
+  @Test
+  public void testGdchCredentialInvalidAudience_throws() throws IOException {
+    TransportChannelProvider transportChannelProvider = getFakeTransportChannelProvider();
+    Credentials creds = getMockGdchCredentials();
+    CredentialsProvider provider = FixedCredentialsProvider.create(creds);
+
+    // it should throw if both apiAudience and GDC-H creds are set but apiAudience is not a valid
+    // uri
+    StubSettings settings =
+        new FakeStubSettings.Builder().setGdchApiAudience("$invalid-uri:").build();
+    ClientSettings.Builder clientSettingsBuilder = new FakeClientSettings.Builder(settings);
+    clientSettingsBuilder.setCredentialsProvider(provider);
+    clientSettingsBuilder.setTransportChannelProvider(transportChannelProvider);
+    final ClientSettings withGdchCredentialsAndMalformedApiAudience = clientSettingsBuilder.build();
+    // should throw
+    String exMessage =
+        assertThrows(
+                IllegalArgumentException.class,
+                () -> ClientContext.create(withGdchCredentialsAndMalformedApiAudience))
+            .getMessage();
+    assertThat(exMessage).contains("The GDC-H API audience string is not a valid URI");
+  }
+
+  @Test
+  public void testNonGdchCredentialAnyAudience_throws() throws IOException {
+    TransportChannelProvider transportChannelProvider = getFakeTransportChannelProvider();
+
+    // it should throw if apiAudience is set but not using GDC-H creds
+    StubSettings settings =
+        new FakeStubSettings.Builder().setGdchApiAudience("audience:test").build();
+    Credentials creds = Mockito.mock(ComputeEngineCredentials.class);
+    CredentialsProvider provider = FixedCredentialsProvider.create(creds);
+    ClientSettings.Builder clientSettingsBuilder = new FakeClientSettings.Builder(settings);
+    clientSettingsBuilder.setCredentialsProvider(provider);
+    clientSettingsBuilder.setTransportChannelProvider(transportChannelProvider);
+    final ClientSettings withComputeCredentials = clientSettingsBuilder.build();
+    // should throw
+    String exMessage =
+        assertThrows(
+                IllegalArgumentException.class, () -> ClientContext.create(withComputeCredentials))
+            .getMessage();
+    assertThat(exMessage).contains("GDC-H API audience can only be set when using GdchCredentials");
+  }
 }