feat: Refactor X509Provider

Author: vverman

oauth2_http/java/com/google/auth/mtls/MtlsUtils.java

@@ -0,0 +1,87 @@
+package com.google.auth.mtls;
+
+import com.google.auth.oauth2.EnvironmentProvider;
+import com.google.auth.oauth2.PropertyProvider;
+import com.google.common.base.Strings;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Locale;
+
+/**
+ * Utility class for mTLS related operations.
+ *
+ * <p>For internal use only.
+ */
+public class MtlsUtils {
+  static final String CERTIFICATE_CONFIGURATION_ENV_VARIABLE = "GOOGLE_API_CERTIFICATE_CONFIG";
+  static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
+  static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
+
+  private MtlsUtils() {
+    // Prevent instantiation for Utility class
+  }
+
+  /**
+   * Returns the path to the client certificate file specified by the loaded workload certificate
+   * configuration.
+   *
+   * @return The path to the certificate file.
+   * @throws IOException if the certificate configuration cannot be found or loaded.
+   */
+  public static String getCertificatePath(
+      EnvironmentProvider envProvider, PropertyProvider propProvider, String certConfigPathOverride)
+      throws IOException {
+    String certPath =
+        getWorkloadCertificateConfiguration(envProvider, propProvider, certConfigPathOverride)
+            .getCertPath();
+    if (Strings.isNullOrEmpty(certPath)) {
+      throw new CertificateSourceUnavailableException(
+          "Certificate configuration loaded successfully, but does not contain a 'certificate_file' path.");
+    }
+    return certPath;
+  }
+
+  public static WorkloadCertificateConfiguration getWorkloadCertificateConfiguration(
+      EnvironmentProvider envProvider, PropertyProvider propProvider, String certConfigPathOverride)
+      throws IOException {
+    File certConfig;
+    if (certConfigPathOverride != null) {
+      certConfig = new File(certConfigPathOverride);
+    } else {
+      String envCredentialsPath = envProvider.getEnv(CERTIFICATE_CONFIGURATION_ENV_VARIABLE);
+      if (!Strings.isNullOrEmpty(envCredentialsPath)) {
+        certConfig = new File(envCredentialsPath);
+      } else {
+        certConfig = getWellKnownCertificateConfigFile(envProvider, propProvider);
+      }
+    }
+
+    if (!certConfig.isFile()) {
+      throw new CertificateSourceUnavailableException("File does not exist.");
+    }
+    try (InputStream certConfigStream = new FileInputStream(certConfig)) {
+      return WorkloadCertificateConfiguration.fromCertificateConfigurationStream(certConfigStream);
+    }
+  }
+
+  private static File getWellKnownCertificateConfigFile(
+      EnvironmentProvider envProvider, PropertyProvider propProvider) {
+    File cloudConfigPath;
+    String envPath = envProvider.getEnv("CLOUDSDK_CONFIG");
+    if (envPath != null) {
+      cloudConfigPath = new File(envPath);
+    } else {
+      String osName = propProvider.getProperty("os.name", "").toLowerCase(Locale.US);
+      if (osName.indexOf("windows") >= 0) {
+        File appDataPath = new File(envProvider.getEnv("APPDATA"));
+        cloudConfigPath = new File(appDataPath, CLOUDSDK_CONFIG_DIRECTORY);
+      } else {
+        File configPath = new File(propProvider.getProperty("user.home", ""), ".config");
+        cloudConfigPath = new File(configPath, CLOUDSDK_CONFIG_DIRECTORY);
+      }
+    }
+    return new File(cloudConfigPath, WELL_KNOWN_CERTIFICATE_CONFIG_FILE);
+  }
+}

oauth2_http/java/com/google/auth/mtls/X509Provider.java

@@ -31,15 +31,17 @@
 package com.google.auth.mtls;
 
 import com.google.api.client.util.SecurityUtils;
+import com.google.auth.oauth2.EnvironmentProvider;
+import com.google.auth.oauth2.PropertyProvider;
+import com.google.auth.oauth2.SystemEnvironmentProvider;
+import com.google.auth.oauth2.SystemPropertyProvider;
 import com.google.common.base.Strings;
 import java.io.File;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.SequenceInputStream;
 import java.security.KeyStore;
-import java.util.Locale;
 
 /**
  * This class implements {@link MtlsProvider} for the Google Auth library transport layer via {@link
@@ -48,23 +50,40 @@
  * backwards compatibility.
  */
 public class X509Provider implements MtlsProvider {
-  static final String CERTIFICATE_CONFIGURATION_ENV_VARIABLE = "GOOGLE_API_CERTIFICATE_CONFIG";
-  static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
-  static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
-
+  private final EnvironmentProvider envProvider;
+  private final PropertyProvider propProvider;
   private final String certConfigPathOverride;
 
   /**
    * Creates an X509 provider with an override path for the certificate configuration, bypassing the
    * normal checks for the well known certificate configuration file path and environment variable.
    * This is meant for internal Google Cloud usage and behavior may be changed without warning.
    *
+   * @param envProvider environment provider used for environment variables
+   * @param propProvider property provider used for system properties
    * @param certConfigPathOverride the path to read the certificate configuration from.
    */
-  public X509Provider(String certConfigPathOverride) {
+  public X509Provider(
+      EnvironmentProvider envProvider,
+      PropertyProvider propProvider,
+      String certConfigPathOverride) {
+    this.envProvider = envProvider;
+    this.propProvider = propProvider;
     this.certConfigPathOverride = certConfigPathOverride;
   }
 
+  /**
+   * Creates an X509 provider with an override path for the certificate configuration.
+   *
+   * @param certConfigPathOverride the path to read the certificate configuration from.
+   */
+  public X509Provider(String certConfigPathOverride) {
+    this(
+        SystemEnvironmentProvider.getInstance(),
+        SystemPropertyProvider.getInstance(),
+        certConfigPathOverride);
+  }
+
   /**
    * Creates a new X.509 provider that will check the environment variable path and the well known
    * Gcloud certificate configuration location. This is meant for internal Google Cloud usage and
@@ -78,23 +97,15 @@ public X509Provider() {
    * Returns the path to the client certificate file specified by the loaded workload certificate
    * configuration.
    *
-   * <p>If the configuration has not been loaded yet (e.g., if {@link #getKeyStore()} has not been
-   * called), this method will attempt to load it first by searching the override path, environment
-   * variable, and well-known locations.
+   * <p>If the configuration has not been loaded yet, this method will attempt to load it first by
+   * searching the override path, environment variable, and well-known locations.
    *
    * @return The path to the certificate file.
    * @throws IOException if the certificate configuration cannot be found or loaded, or if the
    *     configuration file does not specify a certificate path.
-   * @throws CertificateSourceUnavailableException if the configuration file is not found.
    */
   public String getCertificatePath() throws IOException {
-    String certPath = getWorkloadCertificateConfiguration().getCertPath();
-    if (Strings.isNullOrEmpty(certPath)) {
-      // Ensure the loaded configuration actually contains the required path.
-      throw new CertificateSourceUnavailableException(
-          "Certificate configuration loaded successfully, but does not contain a 'certificate_file' path.");
-    }
-    return certPath;
+    return MtlsUtils.getCertificatePath(envProvider, propProvider, certConfigPathOverride);
   }
 
   /**
@@ -115,12 +126,14 @@ public String getCertificatePath() throws IOException {
    */
   @Override
   public KeyStore getKeyStore() throws CertificateSourceUnavailableException, IOException {
-    WorkloadCertificateConfiguration workloadCertConfig = getWorkloadCertificateConfiguration();
+    WorkloadCertificateConfiguration workloadCertConfig =
+        MtlsUtils.getWorkloadCertificateConfiguration(
+            envProvider, propProvider, certConfigPathOverride);
 
     // Read the certificate and private key file paths into streams.
-    try (InputStream certStream = createInputStream(new File(workloadCertConfig.getCertPath()));
+    try (InputStream certStream = new FileInputStream(new File(workloadCertConfig.getCertPath()));
         InputStream privateKeyStream =
-            createInputStream(new File(workloadCertConfig.getPrivateKeyPath()));
+            new FileInputStream(new File(workloadCertConfig.getPrivateKeyPath()));
         SequenceInputStream certAndPrivateKeyStream =
             new SequenceInputStream(certStream, privateKeyStream)) {
 
@@ -150,73 +163,5 @@ public boolean isAvailable() throws IOException {
     return true;
   }
 
-  private WorkloadCertificateConfiguration getWorkloadCertificateConfiguration()
-      throws IOException {
-    File certConfig;
-    if (this.certConfigPathOverride != null) {
-      certConfig = new File(certConfigPathOverride);
-    } else {
-      String envCredentialsPath = getEnv(CERTIFICATE_CONFIGURATION_ENV_VARIABLE);
-      if (!Strings.isNullOrEmpty(envCredentialsPath)) {
-        certConfig = new File(envCredentialsPath);
-      } else {
-        certConfig = getWellKnownCertificateConfigFile();
-      }
-    }
-    InputStream certConfigStream = null;
-    try {
-      if (!isFile(certConfig)) {
-        // Path will be put in the message from the catch block below
-        throw new CertificateSourceUnavailableException("File does not exist.");
-      }
-      certConfigStream = createInputStream(certConfig);
-      return WorkloadCertificateConfiguration.fromCertificateConfigurationStream(certConfigStream);
-    } finally {
-      if (certConfigStream != null) {
-        certConfigStream.close();
-      }
-    }
-  }
 
-  /*
-   * Start of methods to allow overriding in the test code to isolate from the environment.
-   */
-  boolean isFile(File file) {
-    return file.isFile();
-  }
-
-  InputStream createInputStream(File file) throws FileNotFoundException {
-    return new FileInputStream(file);
-  }
-
-  String getEnv(String name) {
-    return System.getenv(name);
-  }
-
-  String getOsName() {
-    return getProperty("os.name", "").toLowerCase(Locale.US);
-  }
-
-  String getProperty(String property, String def) {
-    return System.getProperty(property, def);
-  }
-
-  /*
-   * End of methods to allow overriding in the test code to isolate from the environment.
-   */
-
-  private File getWellKnownCertificateConfigFile() {
-    File cloudConfigPath;
-    String envPath = getEnv("CLOUDSDK_CONFIG");
-    if (envPath != null) {
-      cloudConfigPath = new File(envPath);
-    } else if (getOsName().indexOf("windows") >= 0) {
-      File appDataPath = new File(getEnv("APPDATA"));
-      cloudConfigPath = new File(appDataPath, CLOUDSDK_CONFIG_DIRECTORY);
-    } else {
-      File configPath = new File(getProperty("user.home", ""), ".config");
-      cloudConfigPath = new File(configPath, CLOUDSDK_CONFIG_DIRECTORY);
-    }
-    return new File(cloudConfigPath, WELL_KNOWN_CERTIFICATE_CONFIG_FILE);
-  }
 }

oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java

@@ -196,10 +196,6 @@ String getRegionalCredentialVerificationUrl() {
     return this.regionalCredentialVerificationUrl;
   }
 
-  @VisibleForTesting
-  String getEnv(String name) {
-    return System.getenv(name);
-  }
 
   @VisibleForTesting
   AwsSecurityCredentialsSupplier getAwsSecurityCredentialsSupplier() {

oauth2_http/java/com/google/auth/oauth2/EnvironmentProvider.java

@@ -1,6 +1,10 @@
 package com.google.auth.oauth2;
 
-/** Interface for an environment provider. */
-interface EnvironmentProvider {
+/**
+ * Interface for an environment provider.
+ * 
+ * <p>For internal use only.
+ */
+public interface EnvironmentProvider {
   String getEnv(String name);
 }

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -97,6 +97,7 @@ public abstract class ExternalAccountCredentials extends GoogleCredentials {
   @Nullable protected ImpersonatedCredentials impersonatedCredentials;
 
   private EnvironmentProvider environmentProvider;
+  private PropertyProvider propertyProvider;
 
   private int connectTimeout;
   private int readTimeout;
@@ -205,6 +206,7 @@ protected ExternalAccountCredentials(
             : scopes;
     this.environmentProvider =
         environmentProvider == null ? SystemEnvironmentProvider.getInstance() : environmentProvider;
+    this.propertyProvider = SystemPropertyProvider.getInstance();
     this.workforcePoolUserProject = null;
     this.serviceAccountImpersonationOptions =
         new ServiceAccountImpersonationOptions(new HashMap<String, Object>());
@@ -253,6 +255,10 @@ protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)
         builder.environmentProvider == null
             ? SystemEnvironmentProvider.getInstance()
             : builder.environmentProvider;
+    this.propertyProvider =
+        builder.propertyProvider == null
+            ? SystemPropertyProvider.getInstance()
+            : builder.propertyProvider;
     this.serviceAccountImpersonationOptions =
         builder.serviceAccountImpersonationOptions == null
             ? new ServiceAccountImpersonationOptions(new HashMap<String, Object>())
@@ -657,6 +663,10 @@ EnvironmentProvider getEnvironmentProvider() {
     return environmentProvider;
   }
 
+  PropertyProvider getPropertyProvider() {
+    return propertyProvider;
+  }
+
   /**
    * @return whether the current configuration is for Workforce Pools (which enable 3p user
    *     identities, rather than workloads)
@@ -772,6 +782,7 @@ public abstract static class Builder extends GoogleCredentials.Builder {
     protected String tokenInfoUrl;
     protected CredentialSource credentialSource;
     protected EnvironmentProvider environmentProvider;
+    protected PropertyProvider propertyProvider;
     protected HttpTransportFactory transportFactory;
 
     @Nullable protected String serviceAccountImpersonationUrl;
@@ -806,6 +817,7 @@ protected Builder(ExternalAccountCredentials credentials) {
       this.clientSecret = credentials.clientSecret;
       this.scopes = credentials.scopes;
       this.environmentProvider = credentials.environmentProvider;
+      this.propertyProvider = credentials.propertyProvider;
       this.workforcePoolUserProject = credentials.workforcePoolUserProject;
       this.serviceAccountImpersonationOptions = credentials.serviceAccountImpersonationOptions;
       this.metricsHandler = credentials.metricsHandler;
@@ -1029,6 +1041,18 @@ Builder setEnvironmentProvider(EnvironmentProvider environmentProvider) {
       return this;
     }
 
+    /**
+     * Sets the optional Property Provider.
+     *
+     * @param propertyProvider the {@code PropertyProvider} to set
+     * @return this {@code Builder} object
+     */
+    @CanIgnoreReturnValue
+    Builder setPropertyProvider(PropertyProvider propertyProvider) {
+      this.propertyProvider = propertyProvider;
+      return this;
+    }
+
     @Override
     public abstract ExternalAccountCredentials build();
   }