googleapis · lsirac · Jul 25, 2023 · Jul 12, 2023 · Jul 12, 2023 · Jul 13, 2023
@@ -0,0 +1,98 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/** The AWS credential source. Stores data required to retrieve the AWS credential. */
+public class AwsCredentialSource extends ExternalAccountCredentials.CredentialSource {
+
+  static final String IMDSV2_SESSION_TOKEN_URL_FIELD_NAME = "imdsv2_session_token_url";
+  static final long serialVersionUID = -4180558200808134436L;
+
+  final String regionUrl;
+  final String url;
+  final String regionalCredentialVerificationUrl;
+  final String imdsv2SessionTokenUrl;
+
+  /**
+   * The source of the AWS credential. The credential source map must contain the
+   * `regional_cred_verification_url` field.
+   *
+   * <p>The `regional_cred_verification_url` is the regional GetCallerIdentity action URL, used to
+   * determine the account ID and its roles.
+   *
+   * <p>The `environment_id` is the environment identifier, in the format “aws${version}”. This
+   * indicates whether breaking changes were introduced to the underlying AWS implementation.
+   *
+   * <p>The `region_url` identifies the targeted region. Optional.
+   *
+   * <p>The `url` locates the metadata server used to retrieve the AWS credentials. Optional.
+   */
+  public AwsCredentialSource(Map<String, Object> credentialSourceMap) {
+    super(credentialSourceMap);
+    if (!credentialSourceMap.containsKey("regional_cred_verification_url")) {
+      throw new IllegalArgumentException(
+          "A regional_cred_verification_url representing the"
+              + " GetCallerIdentity action URL must be specified.");
+    }
+
+    String environmentId = (String) credentialSourceMap.get("environment_id");
+
+    // Environment version is prefixed by "aws". e.g. "aws1".
+    Matcher matcher = Pattern.compile("(aws)([\\d]+)").matcher(environmentId);
+    if (!matcher.matches()) {
+      throw new IllegalArgumentException("Invalid AWS environment ID.");
+    }
+
+    int environmentVersion = Integer.parseInt(matcher.group(2));
+    if (environmentVersion != 1) {
+      throw new IllegalArgumentException(
+          String.format(
+              "AWS version %s is not supported in the current build.", environmentVersion));
+    }
+
+    this.regionUrl = (String) credentialSourceMap.get("region_url");
+    this.url = (String) credentialSourceMap.get("url");
+    this.regionalCredentialVerificationUrl =
+        (String) credentialSourceMap.get("regional_cred_verification_url");
+
+    if (credentialSourceMap.containsKey(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME)) {
+      this.imdsv2SessionTokenUrl =
+          (String) credentialSourceMap.get(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME);
+    } else {
+      this.imdsv2SessionTokenUrl = null;
+    }
+  }
+}
@@ -50,8 +50,6 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 import javax.annotation.Nullable;
 
 /**
@@ -73,71 +71,6 @@ public class AwsCredentials extends ExternalAccountCredentials {
   static final String AWS_IMDSV2_SESSION_TOKEN_TTL = "300";
   private static final long serialVersionUID = -3670131891574618105L;
 
-  /**
-   * The AWS credential source. Stores data required to retrieve the AWS credential from the AWS
-   * metadata server.
-   */
-  static class AwsCredentialSource extends CredentialSource {
-
-    private static final String IMDSV2_SESSION_TOKEN_URL_FIELD_NAME = "imdsv2_session_token_url";
-    private static final long serialVersionUID = -4180558200808134436L;
-
-    private final String regionUrl;
-    private final String url;
-    private final String regionalCredentialVerificationUrl;
-    private final String imdsv2SessionTokenUrl;
-
-    /**
-     * The source of the AWS credential. The credential source map must contain the
-     * `regional_cred_verification_url` field.
-     *
-     * <p>The `regional_cred_verification_url` is the regional GetCallerIdentity action URL, used to
-     * determine the account ID and its roles.
-     *
-     * <p>The `environment_id` is the environment identifier, in the format “aws${version}”. This
-     * indicates whether breaking changes were introduced to the underlying AWS implementation.
-     *
-     * <p>The `region_url` identifies the targeted region. Optional.
-     *
-     * <p>The `url` locates the metadata server used to retrieve the AWS credentials. Optional.
-     */
-    AwsCredentialSource(Map<String, Object> credentialSourceMap) {
-      super(credentialSourceMap);
-      if (!credentialSourceMap.containsKey("regional_cred_verification_url")) {
-        throw new IllegalArgumentException(
-            "A regional_cred_verification_url representing the"
-                + " GetCallerIdentity action URL must be specified.");
-      }
-
-      String environmentId = (String) credentialSourceMap.get("environment_id");
-
-      // Environment version is prefixed by "aws". e.g. "aws1".
-      Matcher matcher = Pattern.compile("(aws)([\\d]+)").matcher(environmentId);
-      if (!matcher.matches()) {
-        throw new IllegalArgumentException("Invalid AWS environment ID.");
-      }
-
-      int environmentVersion = Integer.parseInt(matcher.group(2));
-      if (environmentVersion != 1) {
-        throw new IllegalArgumentException(
-            String.format(
-                "AWS version %s is not supported in the current build.", environmentVersion));
-      }
-
-      this.regionUrl = (String) credentialSourceMap.get("region_url");
-      this.url = (String) credentialSourceMap.get("url");
-      this.regionalCredentialVerificationUrl =
-          (String) credentialSourceMap.get("regional_cred_verification_url");
-
-      if (credentialSourceMap.containsKey(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME)) {
-        this.imdsv2SessionTokenUrl =
-            (String) credentialSourceMap.get(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME);
-      } else {
-        this.imdsv2SessionTokenUrl = null;
-      }
-    }
-  }
-
   private final AwsCredentialSource awsCredentialSource;
 
   /** Internal constructor. See {@link AwsCredentials.Builder}. */

@@ -38,9 +38,6 @@
 import com.google.api.client.json.JsonObjectParser;
 import com.google.auth.RequestMetadataCallback;
 import com.google.auth.http.HttpTransportFactory;
-import com.google.auth.oauth2.AwsCredentials.AwsCredentialSource;
-import com.google.auth.oauth2.IdentityPoolCredentials.IdentityPoolCredentialSource;
-import com.google.auth.oauth2.PluggableAuthCredentials.PluggableAuthCredentialSource;
 import com.google.common.base.MoreObjects;
 import java.io.IOException;
 import java.io.InputStream;

@@ -0,0 +1,130 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+import javax.annotation.Nullable;
+
+/**
+ * The IdentityPool credential source. Dictates the retrieval method of the external credential,
+ * which can either be through a metadata server or a local file.
+ */
+public class IdentityPoolCredentialSource extends ExternalAccountCredentials.CredentialSource {
+
+  private static final long serialVersionUID = -745855247050085694L;
+  IdentityPoolCredentialSourceType credentialSourceType;
+  CredentialFormatType credentialFormatType;
+  String credentialLocation;
+  @Nullable String subjectTokenFieldName;
+  @Nullable Map<String, String> headers;
+
+  /**
+   * The source of the 3P credential.
+   *
+   * <p>If this is a file based 3P credential, the credentials file can be retrieved using the
+   * `file` key.
+   *
+   * <p>If this is URL-based 3p credential, the metadata server URL can be retrieved using the `url`
+   * key.
+   *
+   * <p>The third party credential can be provided in different formats, such as text or JSON. The
+   * format can be specified using the `format` header, which returns a map with keys `type` and
+   * `subject_token_field_name`. If the `type` is json, the `subject_token_field_name` must be
+   * provided. If no format is provided, we expect the token to be in the raw text format.
+   *
+   * <p>Optional headers can be present, and should be keyed by `headers`.
+   */
+  public IdentityPoolCredentialSource(Map<String, Object> credentialSourceMap) {
+    super(credentialSourceMap);
+
+    if (credentialSourceMap.containsKey("file") && credentialSourceMap.containsKey("url")) {
+      throw new IllegalArgumentException(
+          "Only one credential source type can be set, either file or url.");
+    }
+
+    if (credentialSourceMap.containsKey("file")) {
+      credentialLocation = (String) credentialSourceMap.get("file");
+      credentialSourceType = IdentityPoolCredentialSourceType.FILE;
+    } else if (credentialSourceMap.containsKey("url")) {
+      credentialLocation = (String) credentialSourceMap.get("url");
+      credentialSourceType = IdentityPoolCredentialSourceType.URL;
+    } else {
+      throw new IllegalArgumentException(
+          "Missing credential source file location or URL. At least one must be specified.");
+    }
+
+    Map<String, String> headersMap = (Map<String, String>) credentialSourceMap.get("headers");
+    if (headersMap != null && !headersMap.isEmpty()) {
+      headers = new HashMap<>();
+      headers.putAll(headersMap);
+    }
+
+    // If the format is not provided, we expect the token to be in the raw text format.
+    credentialFormatType = CredentialFormatType.TEXT;
+
+    Map<String, String> formatMap = (Map<String, String>) credentialSourceMap.get("format");
+    if (formatMap != null && formatMap.containsKey("type")) {
+      String type = formatMap.get("type");
+
+      if (type != null && "json".equals(type.toLowerCase(Locale.US))) {
+        // For JSON, the subject_token field name must be provided.
+        if (!formatMap.containsKey("subject_token_field_name")) {
+          throw new IllegalArgumentException(
+              "When specifying a JSON credential type, the subject_token_field_name must be set.");
+        }
+        credentialFormatType = CredentialFormatType.JSON;
+        subjectTokenFieldName = formatMap.get("subject_token_field_name");
+      } else if (type != null && "text".equals(type.toLowerCase(Locale.US))) {
+        credentialFormatType = CredentialFormatType.TEXT;
+      } else {
+        throw new IllegalArgumentException(
+            String.format("Invalid credential source format type: %s.", type));
+      }
+    }
+  }
+
+  boolean hasHeaders() {
+    return headers != null && !headers.isEmpty();
+  }
+
+  enum IdentityPoolCredentialSourceType {
+    FILE,
+    URL
+  }
+
+  enum CredentialFormatType {
+    TEXT,
+    JSON
+  }
+}