feat: ImpersonatedCredentials to support universe domain for idtoken and signblob #1566
Conversation
…ests to use assertThrows.
product-auto-label
bot
added
size: l
product-auto-label
bot
added
size: m
product-auto-label
bot
added
size: l
| // Throwing an IOException would be a breaking change, so wrap it here. | ||
| // This should not happen for this credential type. | ||
| throw new IllegalStateException(e); |
There was a problem hiding this comment.
Can we throw a SigningException here for consistency just like ComputeEngineCredentials?
If not, can the IllegalStateException have an error message that is the same as the one in ComputeEngineCredentials for consistency?
Also, I think adding a new runtime exception might be a behavior breaking change. I think we can justify this addition given that signing needs to support Universe Domains. Perhaps we can add a small sentence in the description about this?
There was a problem hiding this comment.
Here is my thought on this, I opted for IlligalStateException similar to ExternalAccountCredentials here
- Currently, unlike
ComputeEngineCredentialswhere IOException can actually be thrown (ref),ImpersonatedCredentialsshould not throw exception ongetUniverseDomain()calls. (this method throws because we do not want breaking changes when introducing the override) Because neither of the allowed source credential types (sa, u, external credentials) throw exception. - We are wrapping this with try-catch block to avoid breaking change. Throwing
SigningExceptionif it can happen for say, future allowed source credentials, it seems to imply a behavior change that should change the method signature. But for now, since we do not expect any of the allowed source credential to be throwing, it is acceptable to wrap and not add exception to method signature. Which IllegalStateException seems more appropriate.
Added message in a8d466f
There was a problem hiding this comment.
ImpersonatedCredentials should not throw exception on getUniverseDomain() calls
IIUC (I may be completely off on this as I don't know Impersonation at all), the sourceCredential in the ImpersonatedCredential could be of any type, right? Unless there is a limitation that the underlying sourceCredential for an ImpersonatedCredential can't be of ComputeEngineCredential. I am assuming that if a user tries to impersonate a ComputeEngineCredential, the call getUniverseDomain() may end up throwing an IOException.
Throwing SigningException if it can happen for say, future allowed source credentials, it seems to imply a behavior change that should change the method signature
I think SigningException is a RuntimeException which shouldn't require adding it as part of the method signature.
There was a problem hiding this comment.
an ImpersonatedCredential can't be of ComputeEngineCredential
This is my understanding. sourceCredential can be user or sa (ref), or a couple of external account types (ref). So ComputeEngineCredential cannot be sourceCredential (and I don't know if impersonate a GCE cred have a use case?).
I think SigningException shouldn't require adding it as part of the method signature.
Right, no signature change required, but I was concerned about behavior change.
There was a problem hiding this comment.
Ah, I was looking at this method which seems to allow any type of credential to be passed in.
I only see this comment that tries to prevent other Credential types:
* @param sourceCredentials the source credential used to acquire the impersonated credentials. It
* should be either a user account credential or a service account credential.
Seems a bit odd that certain static methods are checking for Credential types and others aren't. Maybe there is a reason for this... If not, probably something we can backfill and fix in a different PR.
I'm assuming in some downstream use case, some functionality will fail when using ImpersonatedCredentials with ComputeEngineCredentials as the source. We probably don't have any users that have this setup (Impersonating a Compute Credentials), I just don't know enough about Impersonation to be sure about that. Would you know if this is the case?
Right, no signature change required, but I was concerned about behavior change.
I am just thinking about keeping these consistent. As of now, I think they anything that signs should be either SigningException or IllegalStateException due to getUniverseDomain() call (even if ImpersonatedCredentials may not end up ever throwing it).
There was a problem hiding this comment.
I lean to agree with you on keeping consistent.
On the " using ImpersonatedCredentials with ComputeEngineCredentials as the source", I also find it a bit odd that this method you are quoting only specifies allowed source credential types in javadoc but not enforced. @TimurSadykov By any chance you know any context about it? Was this a miss or intentional? Also, in general, is it fair to assume ComputeEngineCredentials should not be source credential for ImpersonatedCredentials?
There was a problem hiding this comment.
Ok, let do this if this sounds fine:
- Let's have both methods throw a SigningException for an IOException (from retrieving the UD) to keep them consistent.
- Let's create an issue to add validation to ensure ImpersonatedCredential can only be SA or User Credentials and add add it to the backlog. Shouldn't block this PR any more.
There was a problem hiding this comment.
oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java
Show resolved
Hide resolved
|
|
@TimurSadykov can you please also take a look? |
|
@sai-sunder-s If you can take a look. |
| } catch (SigningException ex) { | ||
| throw ex; | ||
| } catch (RuntimeException ex) { | ||
| throw new SigningException("Signing failed", ex); | ||
| } catch (IOException ex) { | ||
| throw new SigningException("Failed to sign: Error obtaining universe domain", ex); |
There was a problem hiding this comment.
What is the guarantee that IO exception can happen only due to universe domain check?
maybe get universe domain separately so that we can be confident in the error messaging?
There was a problem hiding this comment.
The IAMUtils.sign() method catches IOExceptions inside the method and re-throws it as ServiceAccountSigner.SigningException. I believe the only place that can throw IOException is from the getUniverseDomain() call, which should happen before we enter the sign() method.
oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
Outdated
Show resolved
Hide resolved
…s.java Co-authored-by: Lawrence Qiu <lawrenceqiu@google.com>
oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
Outdated
Show resolved
Hide resolved
| throw new IllegalStateException(e); | ||
| // this should never happen because ImpersonatedCredential can only be SA or User | ||
| // Credentials. | ||
| throw new SigningException("Signing failed", e); |
There was a problem hiding this comment.
Why is the exception type changed here?
There was a problem hiding this comment.
Thanks for capturing this! This is actually a mistake on my side made in 2fec328 trying to address this feedback
The intended change is done in 3dbc8e9. I am reverting this accidental change in 40e2f9e
Co-authored-by: aeitzman <12433791+aeitzman@users.noreply.github.com>
|
follow up to #1528.
idtoken and sign flow are tested E2E according to TPC test guide for sa-to-sa impersonation.