feat: multi universe support, adding universe_domain field

credentials/java/com/google/auth/Credentials.java

@@ -57,12 +57,13 @@ public abstract class Credentials implements Serializable {
   public abstract String getAuthenticationType();
 
   /**
-   * Returns the universe domain for the credential.
+   * Gets the universe domain for the credential in a blocking manner, refreshing tokens if
+   * required.
    *
    * @return a universe domain value in the format some-domain.xyz. By default, returns the Google
    *     universe domain googleapis.com.
    * @throws IOException extending classes might have to do remote calls to determine the universe
-   *     domain. The exception should implement {@link Retryable} and {@code isRetryable()} will
+   *     domain. The exception must implement {@link Retryable} and {@code isRetryable()} will
    *     return true if the operation may be retried.
    */
   public String getUniverseDomain() throws IOException {

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -41,7 +41,6 @@
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
-import com.google.auth.Credentials;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.annotations.VisibleForTesting;
@@ -180,11 +179,6 @@ public final Collection<String> getScopes() {
     return scopes;
   }
 
-  @Override
-  public String getUniverseDomain() throws IOException {
-    return Credentials.GOOGLE_DEFAULT_UNIVERSE;
-  }
-
   /**
    * If scopes is specified, add "?scopes=comma-separated-list-of-scopes" to the token url.
    *

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -413,9 +413,7 @@ static ExternalAccountCredentials fromJson(
     String userProject = (String) json.get("workforce_pool_user_project");
     Map<String, Object> impersonationOptionsMap =
         (Map<String, Object>) json.get("service_account_impersonation");
-
-    GoogleCredentials baseCredential = GoogleCredentials.fromJson(json);
-    String universeDomain = baseCredential.getUniverseDomain();
+    String universeDomain = (String) json.get("universe_domain");
 
     if (impersonationOptionsMap == null) {
       impersonationOptionsMap = new HashMap<String, Object>();
@@ -434,7 +432,7 @@ static ExternalAccountCredentials fromJson(
           .setClientId(clientId)
           .setClientSecret(clientSecret)
           .setServiceAccountImpersonationOptions(impersonationOptionsMap)
-          .setUniverseDomain(baseCredential.getUniverseDomain())
+          .setUniverseDomain(universeDomain)
           .build();
     } else if (isPluggableAuthCredential(credentialSourceMap)) {
       return PluggableAuthCredentials.newBuilder()
@@ -749,11 +747,10 @@ protected Builder(ExternalAccountCredentials credentials) {
       this.serviceAccountImpersonationOptions = credentials.serviceAccountImpersonationOptions;
       this.metricsHandler = credentials.metricsHandler;
       try {
-        universeDomain = credentials.getUniverseDomain();
+        this.universeDomain = credentials.getUniverseDomain();
       } catch (IOException ex) {
         throw new RuntimeException("Unexpected exception while getting universe domain", ex);
       }
-      this.universeDomain = universeDomain;
     }
 
     /**
@@ -928,8 +925,8 @@ public Builder setServiceAccountImpersonationOptions(Map<String, Object> options
     @CanIgnoreReturnValue
     @Override
     public Builder setUniverseDomain(String universeDomain) {
-      this.universeDomain = universeDomain;
       super.setUniverseDomain(universeDomain);
+      this.universeDomain = universeDomain;
       return this;
     }
 

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -37,7 +37,6 @@
 import com.google.api.client.util.Preconditions;
 import com.google.auth.Credentials;
 import com.google.auth.http.HttpTransportFactory;
-import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
 import com.google.common.base.MoreObjects.ToStringHelper;
 import com.google.common.collect.ImmutableList;
@@ -63,6 +62,7 @@ public class GoogleCredentials extends OAuth2Credentials implements QuotaProject
   static final String USER_FILE_TYPE = "authorized_user";
   static final String SERVICE_ACCOUNT_FILE_TYPE = "service_account";
   static final String GDCH_SERVICE_ACCOUNT_FILE_TYPE = "gdch_service_account";
+
   private final String universeDomain;
 
   protected final String quotaProjectId;
@@ -202,7 +202,7 @@ public static GoogleCredentials fromStream(
     throw new IOException(
         String.format(
             "Error reading credentials from stream, 'type' value '%s' not recognized."
-                + " Valid values are '%s', '%s', '%s', '%s', '%s', 's'.",
+                + " Valid values are '%s', '%s', '%s', '%s', '%s', '%s'.",
             fileType,
             USER_FILE_TYPE,
             SERVICE_ACCOUNT_FILE_TYPE,
@@ -212,26 +212,6 @@ public static GoogleCredentials fromStream(
             ImpersonatedCredentials.IMPERSONATED_CREDENTIALS_FILE_TYPE));
   }
 
-  /**
-   * Returns an instance of GoogleCredentials defined by JSON.
-   *
-   * <p>To be used to parse common credentials fields.
-   *
-   * @param json a map from the JSON representing the credentials.
-   * @return the credentials defined by the JSON.
-   * @throws IOException if the credential cannot be created from the JSON.
-   */
-  @VisibleForTesting
-  static GoogleCredentials fromJson(Map<String, Object> json) throws IOException {
-    Builder credentialsBuilder = GoogleCredentials.newBuilder();
-
-    // Parse fields that are common for all the types of GoogleCredentials.
-    String universeDomain = (String) json.get("universe_domain");
-    credentialsBuilder.setUniverseDomain(universeDomain);
-
-    return credentialsBuilder.build();
-  }
-
   /**
    * Creates a credential with the provided quota project.
    *
@@ -315,6 +295,7 @@ protected GoogleCredentials(AccessToken accessToken, String quotaProjectId) {
    *
    * @param accessToken initial or temporary access token
    */
+  @Deprecated
   public GoogleCredentials(AccessToken accessToken) {
     this(accessToken, null);
   }
@@ -328,7 +309,12 @@ public GoogleCredentials(AccessToken accessToken) {
   protected GoogleCredentials(Builder builder) {
     super(builder.getAccessToken());
     this.quotaProjectId = builder.getQuotaProjectId();
-    this.universeDomain = builder.getUniverseDomain();
+
+    if (builder.universeDomain == null || builder.universeDomain.trim().isEmpty()) {
+      this.universeDomain = Credentials.GOOGLE_DEFAULT_UNIVERSE;
+    } else {
+      this.universeDomain = builder.getUniverseDomain();
+    }
   }
 
   /**
@@ -372,13 +358,13 @@ public boolean equals(Object obj) {
       return false;
     }
     GoogleCredentials other = (GoogleCredentials) obj;
-    return Objects.equals(this.getQuotaProjectId(), other.getQuotaProjectId())
+    return Objects.equals(this.quotaProjectId, other.quotaProjectId)
         && Objects.equals(this.universeDomain, other.universeDomain);
   }
 
   @Override
   public int hashCode() {
-    return Objects.hash(getQuotaProjectId(), this.universeDomain);
+    return Objects.hash(this.quotaProjectId, this.universeDomain);
   }
 
   public static Builder newBuilder() {
@@ -499,10 +485,6 @@ public String getQuotaProjectId() {
     }
 
     public String getUniverseDomain() {
-      if (this.universeDomain == null || this.universeDomain.trim().isEmpty()) {
-        return Credentials.GOOGLE_DEFAULT_UNIVERSE;
-      }
-
       return this.universeDomain;
     }
 

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -166,6 +166,7 @@ static ServiceAccountCredentials fromJson(
     String projectId = (String) json.get("project_id");
     String tokenServerUriStringFromCreds = (String) json.get("token_uri");
     String quotaProjectId = (String) json.get("quota_project_id");
+    String universeDomain = (String) json.get("universe_domain");
     URI tokenServerUriFromCreds = null;
     try {
       if (tokenServerUriStringFromCreds != null) {
@@ -192,10 +193,8 @@ static ServiceAccountCredentials fromJson(
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServerUriFromCreds)
             .setProjectId(projectId)
-            .setQuotaProjectId(quotaProjectId);
-
-    GoogleCredentials baseCredential = GoogleCredentials.fromJson(json);
-    builder.setUniverseDomain(baseCredential.getUniverseDomain());
+            .setQuotaProjectId(quotaProjectId)
+            .setUniverseDomain(universeDomain);
 
     return fromPkcs8(privateKeyPkcs8, builder);
   }

oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java

@@ -33,6 +33,7 @@
 
 import static org.junit.Assert.*;
 
+import com.google.api.client.json.GenericJson;
 import com.google.api.client.util.Clock;
 import com.google.auth.Credentials;
 import com.google.auth.TestUtils;
@@ -104,6 +105,25 @@ public void getApplicationDefault_nullTransport_throws() throws IOException {
     }
   }
 
+  @Test
+  public void fromStream_unknownType_throws() throws IOException {
+    MockHttpTransportFactory transportFactory = new MockHttpTransportFactory();
+    GenericJson json = new GenericJson();
+    json.put("type", "unsupported_credential");
+    InputStream stream = TestUtils.jsonToInputStream(json);
+    try {
+      GoogleCredentials.fromStream(stream, transportFactory);
+      fail("Should throw if type is unknown.");
+    } catch (IOException expected) {
+      String expectedError =
+          "Error reading credentials from stream, 'type' value "
+              + "'unsupported_credential' not recognized. Valid values are 'authorized_user', "
+              + "'service_account', 'gdch_service_account', 'external_account', "
+              + "'external_account_authorized_user', 'impersonated_service_account'.";
+      assertTrue(expected.getMessage().contains(expectedError));
+    }
+  }
+
   @Test
   public void fromStream_nullTransport_throws() throws IOException {
     InputStream stream = new ByteArrayInputStream("foo".getBytes());
@@ -115,6 +135,23 @@ public void fromStream_nullTransport_throws() throws IOException {
     }
   }
 
+  @Test
+  public void fromStream_noType_throws() throws IOException {
+    MockHttpTransportFactory transportFactory = new MockHttpTransportFactory();
+    GenericJson json =
+        ServiceAccountCredentialsTest.writeServiceAccountJson(
+            "project_id", QUOTA_PROJECT, "universe");
+    json.remove("type");
+    InputStream stream = TestUtils.jsonToInputStream(json);
+    try {
+      GoogleCredentials.fromStream(stream, transportFactory);
+      fail("Should throw if type is unknown.");
+    } catch (IOException expected) {
+      String expectedError = "Error reading credentials from stream, 'type' field not specified.";
+      assertEquals(expectedError, expected.getMessage());
+    }
+  }
+
   @Test
   public void fromStream_nullStream_throws() throws IOException {
     MockHttpTransportFactory transportFactory = new MockHttpTransportFactory();
@@ -363,7 +400,7 @@ public void fromStream_gdchServiceAccountInvalidCaCertPath_throws() throws IOExc
   }
 
   @Test
-  public void fromStream_user_providesToken() throws IOException {
+  public void fromStream_userCredentials_providesToken() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     transportFactory.transport.addClient(USER_CLIENT_ID, USER_CLIENT_SECRET);
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
@@ -379,7 +416,7 @@ public void fromStream_user_providesToken() throws IOException {
   }
 
   @Test
-  public void fromStream_user_defaultUniverse() throws IOException {
+  public void fromStream_userCredentials_defaultUniverse() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     InputStream userStream =
         UserCredentialsTest.writeUserStream(
@@ -391,23 +428,23 @@ public void fromStream_user_defaultUniverse() throws IOException {
   }
 
   @Test
-  public void fromStream_userNoClientId_throws() throws IOException {
+  public void fromStream_userCredentials_NoClientId_throws() throws IOException {
     InputStream userStream =
         UserCredentialsTest.writeUserStream(null, USER_CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
 
     testFromStreamException(userStream, "client_id");
   }
 
   @Test
-  public void fromStream_userNoClientSecret_throws() throws IOException {
+  public void fromStream_userCredentials_NoClientSecret_throws() throws IOException {
     InputStream userStream =
         UserCredentialsTest.writeUserStream(USER_CLIENT_ID, null, REFRESH_TOKEN, QUOTA_PROJECT);
 
     testFromStreamException(userStream, "client_secret");
   }
 
   @Test
-  public void fromStream_userNoRefreshToken_throws() throws IOException {
+  public void fromStream_userCredentials_NoRefreshToken_throws() throws IOException {
     InputStream userStream =
         UserCredentialsTest.writeUserStream(
             USER_CLIENT_ID, USER_CLIENT_SECRET, null, QUOTA_PROJECT);