fix: Add scope for Credentials (#517)

ttosta-google · web-flow · commit 5268ce3cb8be · 2024-04-19T13:01:50.000-04:00
diff --git a/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/ConstantCredentialFactory.java b/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/ConstantCredentialFactory.java
@@ -18,13 +18,18 @@
 
 import com.google.api.gax.core.FixedCredentialsProvider;
 import com.google.auth.oauth2.GoogleCredentials;
+import java.util.Arrays;
 
 class ConstantCredentialFactory implements CredentialFactory {
 
   private final GoogleCredentials credentials;
 
   public ConstantCredentialFactory(GoogleCredentials credentials) {
-    this.credentials = credentials;
+    if (credentials.createScopedRequired()) {
+      this.credentials = credentials.createScoped(Arrays.asList(SCOPE_CLOUD_PLATFORM));
+    } else {
+      this.credentials = credentials;
+    }
   }
 
   @Override
diff --git a/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/CredentialFactory.java b/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/CredentialFactory.java
@@ -20,6 +20,8 @@
 import com.google.auth.oauth2.GoogleCredentials;
 
 interface CredentialFactory {
+  static final String SCOPE_CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform";
+
   default FixedCredentialsProvider create() {
     return FixedCredentialsProvider.create(getCredentials());
   }
diff --git a/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/DefaultCredentialFactory.java b/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/DefaultCredentialFactory.java
@@ -18,14 +18,22 @@
 
 import com.google.auth.oauth2.GoogleCredentials;
 import java.io.IOException;
+import java.util.Arrays;
 
 class DefaultCredentialFactory implements CredentialFactory {
   @Override
   public GoogleCredentials getCredentials() {
+    GoogleCredentials credentials;
     try {
-      return GoogleCredentials.getApplicationDefault();
+      credentials = GoogleCredentials.getApplicationDefault();
     } catch (IOException e) {
       throw new RuntimeException("failed to retrieve OAuth2 access token", e);
     }
+
+    if (credentials.createScopedRequired()) {
+      credentials = credentials.createScoped(Arrays.asList(SCOPE_CLOUD_PLATFORM));
+    }
+
+    return credentials;
   }
 }
diff --git a/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/FileCredentialFactory.java b/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/FileCredentialFactory.java
@@ -19,6 +19,7 @@
 import com.google.auth.oauth2.GoogleCredentials;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.util.Arrays;
 
 class FileCredentialFactory implements CredentialFactory {
   private final String path;
@@ -29,10 +30,17 @@ class FileCredentialFactory implements CredentialFactory {
 
   @Override
   public GoogleCredentials getCredentials() {
+    GoogleCredentials credentials;
     try {
-      return GoogleCredentials.fromStream(new FileInputStream(path));
+      credentials = GoogleCredentials.fromStream(new FileInputStream(path));
     } catch (IOException e) {
       throw new IllegalStateException("Unable to load GoogleCredentials from file " + path, e);
     }
+
+    if (credentials.createScopedRequired()) {
+      credentials = credentials.createScoped(Arrays.asList(SCOPE_CLOUD_PLATFORM));
+    }
+
+    return credentials;
   }
 }
diff --git a/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/ServiceAccountImpersonatingCredentialFactory.java b/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/ServiceAccountImpersonatingCredentialFactory.java
@@ -38,8 +38,6 @@
  */
 class ServiceAccountImpersonatingCredentialFactory implements CredentialFactory {
 
-  private static final String CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform";
-  private static final String ALLOYDB_LOGIN = "https://www.googleapis.com/auth/alloydb.login";
   private final CredentialFactory source;
   private final List<String> delegates;
   private final String targetPrincipal;
@@ -70,7 +68,7 @@ public GoogleCredentials getCredentials() {
             .setSourceCredentials(credentials)
             .setTargetPrincipal(targetPrincipal)
             .setDelegates(this.delegates)
-            .setScopes(Arrays.asList(ALLOYDB_LOGIN, CLOUD_PLATFORM))
+            .setScopes(Arrays.asList(SCOPE_CLOUD_PLATFORM))
             .build();
     return credentials;
   }
diff --git a/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/SupplierCredentialFactory.java b/alloydb-jdbc-connector/src/main/java/com/google/cloud/alloydb/SupplierCredentialFactory.java
@@ -17,6 +17,7 @@
 package com.google.cloud.alloydb;
 
 import com.google.auth.oauth2.GoogleCredentials;
+import java.util.Arrays;
 import java.util.function.Supplier;
 
 class SupplierCredentialFactory implements CredentialFactory {
@@ -29,6 +30,12 @@ public SupplierCredentialFactory(Supplier<GoogleCredentials> supplier) {
 
   @Override
   public GoogleCredentials getCredentials() {
-    return supplier.get();
+    GoogleCredentials credentials = supplier.get();
+
+    if (credentials.createScopedRequired()) {
+      credentials = credentials.createScoped(Arrays.asList(SCOPE_CLOUD_PLATFORM));
+    }
+
+    return credentials;
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@`
`20`	`20`	`import com.google.auth.oauth2.GoogleCredentials;`
`21`	`21`
`22`	`22`	`interface CredentialFactory {`
	`23`	`+ static final String SCOPE_CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform";`
	`24`	`+`
`23`	`25`	`default FixedCredentialsProvider create() {`
`24`	`26`	`return FixedCredentialsProvider.create(getCredentials());`
`25`	`27`	`}`