From 11625ccb95ae1d99393185eb6eb10d6a5157e711 Mon Sep 17 00:00:00 2001
From: Chris Smith <chrisdsmith@google.com>
Date: Mon, 2 Oct 2023 12:57:29 -0600
Subject: [PATCH] google: add authorized_user conditional to
 Credentials.UniverseDomain

Return default universe domain if credentials type is authorized_user.

Change-Id: I20a9b5fafa562fcec84717914a236d081f630591
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/532196
Run-TryBot: Cody Oss <codyoss@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 google/default.go      |  8 +++-
 google/default_test.go | 87 ++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 91 insertions(+), 4 deletions(-)

diff --git a/google/default.go b/google/default.go
index 1d69bf79f..12b12a30c 100644
--- a/google/default.go
+++ b/google/default.go
@@ -216,6 +216,12 @@ func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params
 		return nil, err
 	}
 
+	universeDomain := f.UniverseDomain
+	// Authorized user credentials are only supported in the googleapis.com universe.
+	if f.Type == userCredentialsKey {
+		universeDomain = universeDomainDefault
+	}
+
 	ts, err := f.tokenSource(ctx, params)
 	if err != nil {
 		return nil, err
@@ -225,7 +231,7 @@ func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params
 		ProjectID:      f.ProjectID,
 		TokenSource:    ts,
 		JSON:           jsonData,
-		universeDomain: f.UniverseDomain,
+		universeDomain: universeDomain,
 	}, nil
 }
 
diff --git a/google/default_test.go b/google/default_test.go
index 5425e358d..1f76bae08 100644
--- a/google/default_test.go
+++ b/google/default_test.go
@@ -9,7 +9,20 @@ import (
 	"testing"
 )
 
-var jwtJSONKeyUniverseDomain = []byte(`{
+var saJSONJWT = []byte(`{
+  "type": "service_account",
+  "project_id": "fake_project",
+  "private_key_id": "268f54e43a1af97cfc71731688434f45aca15c8b",
+  "private_key": "super secret key",
+  "client_email": "gopher@developer.gserviceaccount.com",
+  "client_id": "gopher.apps.googleusercontent.com",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/gopher%40fake_project.iam.gserviceaccount.com"
+}`)
+
+var saJSONJWTUniverseDomain = []byte(`{
   "type": "service_account",
   "project_id": "fake_project",
   "universe_domain": "example.com",
@@ -23,13 +36,49 @@ var jwtJSONKeyUniverseDomain = []byte(`{
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/gopher%40fake_project.iam.gserviceaccount.com"
 }`)
 
-func TestCredentialsFromJSONWithParams_UniverseDomain(t *testing.T) {
+var userJSON = []byte(`{
+  "client_id": "abc123.apps.googleusercontent.com",
+  "client_secret": "shh",
+  "refresh_token": "refreshing",
+  "type": "authorized_user",
+  "quota_project_id": "fake_project2"
+}`)
+
+var userJSONUniverseDomain = []byte(`{
+  "client_id": "abc123.apps.googleusercontent.com",
+  "client_secret": "shh",
+  "refresh_token": "refreshing",
+  "type": "authorized_user",
+  "quota_project_id": "fake_project2",
+  "universe_domain": "example.com"
+}`)
+
+func TestCredentialsFromJSONWithParams_SA(t *testing.T) {
+	ctx := context.Background()
+	scope := "https://www.googleapis.com/auth/cloud-platform"
+	params := CredentialsParams{
+		Scopes: []string{scope},
+	}
+	creds, err := CredentialsFromJSONWithParams(ctx, saJSONJWT, params)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if want := "fake_project"; creds.ProjectID != want {
+		t.Fatalf("got %q, want %q", creds.ProjectID, want)
+	}
+	if want := "googleapis.com"; creds.UniverseDomain() != want {
+		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
+	}
+}
+
+func TestCredentialsFromJSONWithParams_SA_UniverseDomain(t *testing.T) {
 	ctx := context.Background()
 	scope := "https://www.googleapis.com/auth/cloud-platform"
 	params := CredentialsParams{
 		Scopes: []string{scope},
 	}
-	creds, err := CredentialsFromJSONWithParams(ctx, jwtJSONKeyUniverseDomain, params)
+	creds, err := CredentialsFromJSONWithParams(ctx, saJSONJWTUniverseDomain, params)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -41,3 +90,35 @@ func TestCredentialsFromJSONWithParams_UniverseDomain(t *testing.T) {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
 	}
 }
+
+func TestCredentialsFromJSONWithParams_User(t *testing.T) {
+	ctx := context.Background()
+	scope := "https://www.googleapis.com/auth/cloud-platform"
+	params := CredentialsParams{
+		Scopes: []string{scope},
+	}
+	creds, err := CredentialsFromJSONWithParams(ctx, userJSON, params)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if want := "googleapis.com"; creds.UniverseDomain() != want {
+		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
+	}
+}
+
+func TestCredentialsFromJSONWithParams_User_UniverseDomain(t *testing.T) {
+	ctx := context.Background()
+	scope := "https://www.googleapis.com/auth/cloud-platform"
+	params := CredentialsParams{
+		Scopes: []string{scope},
+	}
+	creds, err := CredentialsFromJSONWithParams(ctx, userJSONUniverseDomain, params)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if want := "googleapis.com"; creds.UniverseDomain() != want {
+		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
+	}
+}