From 988ad224a51a021a3691de02ee964982f141c08c Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Wed, 8 Oct 2025 13:46:36 -0400 Subject: [PATCH 1/4] fix: Migrate away from GoogleCredentials.fromStream() usages --- .../storage/testing/RemoteStorageHelper.java | 59 +++++++++++++++---- 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java index da4d96a119..5ba46cb81f 100644 --- a/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java +++ b/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java @@ -16,6 +16,7 @@ package com.google.cloud.storage.testing; +import com.google.api.core.ObsoleteApi; import com.google.api.gax.paging.Page; import com.google.api.gax.retrying.RetrySettings; import com.google.auth.oauth2.GoogleCredentials; @@ -186,7 +187,27 @@ public static String generateBucketName() { } /** - * Creates a {@code RemoteStorageHelper} object for the given project id and JSON key input + * This method is obsolete because of a potential security risk. Use the {@link #create(String, + * GoogleCredentials)} method instead. + * + *

If you know that you will be loading credential configurations of a specific type, it is + * recommended to use a credential-type-specific `fromStream()` method. This will ensure that an + * unexpected credential type with potential for malicious intent is not loaded unintentionally. + * You might still have to do validation for certain credential types. Please follow the + * recommendation for that method. + * + *

If you are loading your credential configuration from an untrusted source and have not + * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon + * as possible to prevent security risks to your environment. + * + *

Regardless of the method used, it is always your responsibility to validate configurations + * received from external sources. + * + *

See the {@link documentation} + * for more details. + * + *

Creates a {@code RemoteStorageHelper} object for the given project id and JSON key input * stream. * * @param projectId id of the project to be used for running the tests @@ -195,21 +216,11 @@ public static String generateBucketName() { * @throws com.google.cloud.storage.testing.RemoteStorageHelper.StorageHelperException if {@code * keyStream} is not a valid JSON key stream */ + @ObsoleteApi("This method is obsolete because of a potential security risk. Use the create() variant with Credential parameter instead") public static RemoteStorageHelper create(String projectId, InputStream keyStream) throws StorageHelperException { try { - HttpTransportOptions transportOptions = - HttpStorageOptions.defaults().getDefaultTransportOptions(); - transportOptions = - transportOptions.toBuilder().setConnectTimeout(60000).setReadTimeout(60000).build(); - StorageOptions storageOptions = - StorageOptions.http() - .setCredentials(GoogleCredentials.fromStream(keyStream)) - .setProjectId(projectId) - .setRetrySettings(retrySettings()) - .setTransportOptions(transportOptions) - .build(); - return new RemoteStorageHelper(storageOptions); + return create(projectId, GoogleCredentials.fromStream(keyStream)); } catch (IOException ex) { if (log.isLoggable(Level.WARNING)) { log.log(Level.WARNING, ex.getMessage()); 
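Review bot: The Javadoc added above `create(String, InputStream)` now opens with the obsolescence warning, so the generated method summary will read "This method is obsolete…" and the description of what the method does moves to the last paragraph. Keeping `Creates a {@code RemoteStorageHelper} object for the given project id and JSON key input stream.` as the first sentence, followed by the warning, would keep the summary useful. The backticks around fromStream() in the second paragraph are Markdown and render literally in Javadoc; `{@code fromStream()}` is the usual form. Paragraph and link markup in this hunk appears to have been lost on this page, so only the wording is reviewed here.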
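Review bot: The obsolete overload still builds its credentials with `GoogleCredentials.fromStream(keyStream)`, so a caller that stays on `create(String, InputStream)` keeps loading whatever credential type the JSON declares, which is the risk the new Javadoc describes. If this helper is only ever given service-account keys (the Javadoc calls the argument a JSON key stream, but the callers are not visible here), narrowing the call to `return create(projectId, ServiceAccountCredentials.fromStream(keyStream));`, with the matching import, would remove the generic loader rather than only annotating it. The `@ObsoleteApi` text also refers to a "Credential parameter" while the replacement takes `GoogleCredentials`; `Use create(String, GoogleCredentials) instead` would be unambiguous. The catch block continues past the end of the hunk.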
@@ -218,6 +229,28 @@ public static RemoteStorageHelper create(String projectId, InputStream keyStream } } + /** + * Creates a {@code RemoteStorageHelper} object for the given project id and Credential. + * + * @param projectId id of the project to be used for running the tests + * @param credentials GoogleCredential to set to StorageOptions + * @return A {@code RemoteStorageHelper} object for the provided options + */ + public static RemoteStorageHelper create(String projectId, GoogleCredentials credentials) { + HttpTransportOptions transportOptions = + HttpStorageOptions.defaults().getDefaultTransportOptions(); + transportOptions = + transportOptions.toBuilder().setConnectTimeout(60000).setReadTimeout(60000).build(); + StorageOptions storageOptions = + StorageOptions.http() + .setCredentials(credentials) + .setProjectId(projectId) + .setRetrySettings(retrySettings()) + .setTransportOptions(transportOptions) + .build(); + return new RemoteStorageHelper(storageOptions); + } + /** * Creates a {@code RemoteStorageHelper} object using default project id and authentication * credentials. From aea2a44332d52ae76bac9b61bc9716babd53f0d4 Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Wed, 8 Oct 2025 13:49:47 -0400 Subject: [PATCH 2/4] chore: Fix lint issues --- .../storage/testing/RemoteStorageHelper.java | 47 ++++++++++--------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java index 5ba46cb81f..7b719d778d 100644 --- a/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java +++ b/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java 
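Review bot: The Javadoc on the new `create(String, GoogleCredentials)` overload does not say how the credentials should be obtained, although this is the method that callers of the obsolete overload are sent to. I would extend the parameter description to `@param credentials credentials used for the test requests; load them with a credential-type-specific method from a configuration you trust`, and use the actual type name `GoogleCredentials` where the text says "Credential" and "GoogleCredential". A null `credentials` is handed straight to `setCredentials`; `Objects.requireNonNull(credentials, "credentials");` as the first statement would fail at the helper's own boundary, assuming null is not meant to select default credentials.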
@@ -216,11 +216,12 @@ public static String generateBucketName() { * @throws com.google.cloud.storage.testing.RemoteStorageHelper.StorageHelperException if {@code * keyStream} is not a valid JSON key stream */ - @ObsoleteApi("This method is obsolete because of a potential security risk. Use the create() variant with Credential parameter instead") + @ObsoleteApi( + "This method is obsolete because of a potential security risk. Use the create() variant with Credential parameter instead") public static RemoteStorageHelper create(String projectId, InputStream keyStream) throws StorageHelperException { try { - return create(projectId, GoogleCredentials.fromStream(keyStream)); + return create(projectId, GoogleCredentials.fromStream(keyStream)); } catch (IOException ex) { if (log.isLoggable(Level.WARNING)) { log.log(Level.WARNING, ex.getMessage()); 
@@ -229,27 +230,27 @@ public static RemoteStorageHelper create(String projectId, InputStream keyStream } } - /** - * Creates a {@code RemoteStorageHelper} object for the given project id and Credential. - * - * @param projectId id of the project to be used for running the tests - * @param credentials GoogleCredential to set to StorageOptions - * @return A {@code RemoteStorageHelper} object for the provided options - */ - public static RemoteStorageHelper create(String projectId, GoogleCredentials credentials) { - HttpTransportOptions transportOptions = - HttpStorageOptions.defaults().getDefaultTransportOptions(); - transportOptions = - transportOptions.toBuilder().setConnectTimeout(60000).setReadTimeout(60000).build(); - StorageOptions storageOptions = - StorageOptions.http() - .setCredentials(credentials) - .setProjectId(projectId) - .setRetrySettings(retrySettings()) - .setTransportOptions(transportOptions) - .build(); - return new RemoteStorageHelper(storageOptions); - } + /** + * Creates a {@code RemoteStorageHelper} object for the given project id and Credential. + * + * @param projectId id of the project to be used for running the tests + * @param credentials GoogleCredential to set to StorageOptions + * @return A {@code RemoteStorageHelper} object for the provided options + */ + public static RemoteStorageHelper create(String projectId, GoogleCredentials credentials) { + HttpTransportOptions transportOptions = + HttpStorageOptions.defaults().getDefaultTransportOptions(); + transportOptions = + transportOptions.toBuilder().setConnectTimeout(60000).setReadTimeout(60000).build(); + StorageOptions storageOptions = + StorageOptions.http() + .setCredentials(credentials) + .setProjectId(projectId) + .setRetrySettings(retrySettings()) + .setTransportOptions(transportOptions) + .build(); + return new RemoteStorageHelper(storageOptions); + } /** * Creates a {@code RemoteStorageHelper} object using default project id and authentication 
From f2bbf756845ce5282968880342d825df2f497597 Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Wed, 8 Oct 2025 16:56:49 -0400 Subject: [PATCH 3/4] chore: Try to fix javadoc issue --- .../com/google/cloud/storage/testing/RemoteStorageHelper.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java index 7b719d778d..7c34515d8c 100644 --- a/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java +++ b/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java @@ -203,8 +203,7 @@ public static String generateBucketName() { *

Regardless of the method used, it is always your responsibility to validate configurations * received from external sources. * - *

See the {@link documentation} + *

See the {@link documentation} * for more details. * *

Creates a {@code RemoteStorageHelper} object for the given project id and JSON key input From 1a1a089046787ca116fb754f6f6a1ceee44686f2 Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Wed, 8 Oct 2025 17:03:53 -0400 Subject: [PATCH 4/4] chore: Fix javadoc issue --- .../com/google/cloud/storage/testing/RemoteStorageHelper.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java index 7c34515d8c..606ed1226d 100644 --- a/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java +++ b/google-cloud-storage/src/main/java/com/google/cloud/storage/testing/RemoteStorageHelper.java @@ -203,7 +203,8 @@ public static String generateBucketName() { *

Regardless of the method used, it is always your responsibility to validate configurations * received from external sources. * - *

See the {@link documentation} + *

See the {@see documentation} * for more details. * *

Creates a {@code RemoteStorageHelper} object for the given project id and JSON key input
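Review bot: The replacement `{@see documentation}` uses `@see` inside braces, but `@see` is a block tag and Javadoc defines no inline form of it, so the tool is likely to warn about it or print the text literally rather than produce a link. A plain HTML anchor in the sentence needs no tag at all, for example `See the <a href="DOCUMENTATION_URL">documentation</a> for more details.`, where DOCUMENTATION_URL is a placeholder for the target that is not readable on this page. Alternatively a `@see <a href="DOCUMENTATION_URL">documentation</a>` block tag can go after the `@throws` entry. The anchor markup appears to have been stripped from this hunk here, so this is based on the tag name alone.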