Added back accidentally removed tests.

vverman · vverman · commit 2576ae96bf98 · 2026-03-23T19:49:46.000-07:00
diff --git a/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java
@@ -96,7 +96,7 @@ public class IdentityPoolCredentials extends ExternalAccountCredentials {
         == IdentityPoolCredentialSourceType.CERTIFICATE) {
       try {
         this.subjectTokenSupplier =
-            createCertificateSubjectTokenSupplier(credentialSource);
+            createCertificateSubjectTokenSupplier(builder, credentialSource);
       } catch (IOException e) {
         throw new RuntimeException(
             // Wrap IOException in RuntimeException because constructors cannot throw checked
@@ -160,31 +160,40 @@ public Builder toBuilder() {
   }
 
   private IdentityPoolSubjectTokenSupplier createCertificateSubjectTokenSupplier(
-      IdentityPoolCredentialSource credentialSource) throws IOException {
-    final IdentityPoolCredentialSource.CertificateConfig certConfig =
-        credentialSource.getCertificateConfig();
-    String explicitCertConfigPath =
-        certConfig.useDefaultCertificateConfig()
-            ? null
-            : certConfig.getCertificateConfigLocation();
-
+      Builder builder, IdentityPoolCredentialSource credentialSource) throws IOException {
     // Configure the mTLS transport with the x509 keystore.
-    X509Provider x509Provider =
-        new X509Provider(getEnvironmentProvider(), getPropertyProvider(), explicitCertConfigPath);
+    X509Provider x509Provider = getX509Provider(builder, credentialSource);
     KeyStore mtlsKeyStore = x509Provider.getKeyStore();
     this.transportFactory = new MtlsHttpTransportFactory(mtlsKeyStore);
 
     // Initialize the subject token supplier with the certificate path.
-    String configCertPath =
-        MtlsUtils.getCertificatePath(
-            getEnvironmentProvider(), getPropertyProvider(), explicitCertConfigPath);
-    credentialSource.setCredentialLocation(configCertPath);
+    credentialSource.setCredentialLocation(x509Provider.getCertificatePath());
     return new CertificateIdentityPoolSubjectTokenSupplier(credentialSource);
   }
 
+  private X509Provider getX509Provider(
+      Builder builder, IdentityPoolCredentialSource credentialSource) {
+    final IdentityPoolCredentialSource.CertificateConfig certConfig =
+        credentialSource.getCertificateConfig();
+
+    // Use the provided X509Provider if available, otherwise initialize a default one.
+    X509Provider x509Provider = builder.x509Provider;
+    if (x509Provider == null) {
+      // Determine the certificate path based on the configuration.
+      String explicitCertConfigPath =
+          certConfig.useDefaultCertificateConfig()
+              ? null
+              : certConfig.getCertificateConfigLocation();
+      x509Provider =
+          new X509Provider(getEnvironmentProvider(), getPropertyProvider(), explicitCertConfigPath);
+    }
+    return x509Provider;
+  }
+
   public static class Builder extends ExternalAccountCredentials.Builder {
 
     private IdentityPoolSubjectTokenSupplier subjectTokenSupplier;
+    private X509Provider x509Provider;
 
     Builder() {}
 
@@ -195,9 +204,21 @@ public static class Builder extends ExternalAccountCredentials.Builder {
       }
     }
 
-    
-
-
+    /**
+     * Sets a custom {@link X509Provider} to manage the client certificate and private key for mTLS.
+     * If set, this provider will be used instead of the default behavior which initializes an
+     * {@code X509Provider} based on the {@code certificateConfigLocation} or default paths found in
+     * the {@code credentialSource}. This is primarily used for testing.
+     *
+     * @param x509Provider the custom X509 provider to use.
+     * @return this {@code Builder} object
+     */
+    @CanIgnoreReturnValue
+    @VisibleForTesting
+    Builder setX509Provider(X509Provider x509Provider) {
+      this.x509Provider = x509Provider;
+      return this;
+    }
     /**
      * Sets the subject token supplier. The supplier should return a valid subject token string.
      *
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java
@@ -1078,6 +1078,51 @@ void build_withCertificateSource_succeeds() throws Exception {
         "Metrics header should indicate certificate source");
   }
 
+  @Test
+  void build_withCertificateSourceAndCustomX509Provider_success()
+      throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
+    // Create an empty KeyStore and a spy on a custom X509Provider.
+    KeyStore keyStore = KeyStore.getInstance("JKS");
+    keyStore.load(null, null);
+    TestX509Provider x509Provider =
+        spy(new TestX509Provider(keyStore, "/path/to/certificate.json"));
+
+    // Set up credential source for certificate type.
+    Map<String, Object> certificateMap = new HashMap<>();
+    certificateMap.put("use_default_certificate_config", true);
+    Map<String, Object> credentialSourceMap = new HashMap<>();
+    credentialSourceMap.put("certificate", certificateMap);
+    IdentityPoolCredentialSource credentialSource =
+        new IdentityPoolCredentialSource(credentialSourceMap);
+    MockExternalAccountCredentialsTransportFactory mockTransportFactory =
+        new MockExternalAccountCredentialsTransportFactory();
+
+    // Build credentials with the custom provider.
+    IdentityPoolCredentials credentials =
+        IdentityPoolCredentials.newBuilder()
+            .setX509Provider(x509Provider)
+            .setHttpTransportFactory(mockTransportFactory)
+            .setAudience("test-audience")
+            .setSubjectTokenType("test-token-type")
+            .setCredentialSource(credentialSource)
+            .build();
+
+    // Verify successful creation and correct internal setup.
+    assertNotNull(credentials, "Credentials should be successfully created");
+    assertTrue(
+        credentials.getIdentityPoolSubjectTokenSupplier()
+            instanceof CertificateIdentityPoolSubjectTokenSupplier,
+        "Subject token supplier should be for certificates");
+    assertEquals(
+        IdentityPoolCredentials.CERTIFICATE_METRICS_HEADER_VALUE,
+        credentials.getCredentialSourceType(),
+        "Metrics header should indicate certificate source");
+
+    // Verify the custom provider methods were called during build.
+    verify(x509Provider).getKeyStore();
+    verify(x509Provider).getCertificatePath();
+  }
+
   @Test
   void build_withDefaultCertificate_throwsOnTransportInitFailure() {
     // Setup credential source to use default certificate config.
@@ -1104,6 +1149,81 @@ void build_withDefaultCertificate_throwsOnTransportInitFailure() {
         exception.getMessage());
   }
 
+  @Test
+  void build_withCustomProvider_throwsOnGetKeyStore()
+      throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
+    // Simulate a scenario where the X509Provider fails to load the KeyStore, typically due to an
+    // IOException when reading the certificate or private key files.
+    KeyStore keyStore = KeyStore.getInstance("JKS");
+    keyStore.load(null, null);
+    TestX509Provider x509Provider = new TestX509Provider(keyStore, "/path/to/certificate.json");
+    x509Provider.setShouldThrowOnGetKeyStore(true); // Configure to throw
+
+    Map<String, Object> certificateMap = new HashMap<>();
+    certificateMap.put("certificate_config_location", "/path/to/certificate.json");
+
+    // Expect RuntimeException because the constructor wraps the IOException.
+    RuntimeException exception =
+        assertThrows(
+            RuntimeException.class,
+            () -> createCredentialsWithCertificate(x509Provider, certificateMap));
+
+    // Verify the cause is the expected IOException from the mock.
+    assertNotNull(exception.getCause());
+    assertTrue(exception.getCause() instanceof IOException);
+    assertEquals("Simulated IOException on get keystore", exception.getCause().getMessage());
+
+    // Verify the wrapper exception message
+    assertEquals(
+        "Failed to initialize IdentityPoolCredentials from certificate source due to an I/O error.",
+        exception.getMessage());
+  }
+
+  @Test
+  void build_withCustomProvider_throwsOnGetCertificatePath()
+      throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
+    // Simulate a scenario where the X509Provider cannot access or read the certificate
+    // configuration file needed to determine the certificate path, resulting in an IOException.
+    KeyStore keyStore = KeyStore.getInstance("JKS");
+    keyStore.load(null, null);
+    TestX509Provider x509Provider = new TestX509Provider(keyStore, "/path/to/certificate.json");
+    x509Provider.setShouldThrowOnGetCertificatePath(true); // Configure to throw
+
+    Map<String, Object> certificateMap = new HashMap<>();
+    certificateMap.put("certificate_config_location", "/path/to/certificate.json");
+
+    // Expect RuntimeException because the constructor wraps the IOException.
+    RuntimeException exception =
+        assertThrows(
+            RuntimeException.class,
+            () -> createCredentialsWithCertificate(x509Provider, certificateMap));
+
+    // Verify the cause is the expected IOException from the mock.
+    assertNotNull(exception.getCause());
+    assertTrue(exception.getCause() instanceof IOException);
+    assertEquals("Simulated IOException on certificate path", exception.getCause().getMessage());
+
+    // Verify the wrapper exception message
+    assertEquals(
+        "Failed to initialize IdentityPoolCredentials from certificate source due to an I/O error.",
+        exception.getMessage());
+  }
+
+  private void createCredentialsWithCertificate(
+      X509Provider x509Provider, Map<String, Object> certificateMap) {
+    Map<String, Object> credentialSourceMap = new HashMap<>();
+     credentialSourceMap.put("certificate", certificateMap);
+    IdentityPoolCredentialSource credentialSource =
+        new IdentityPoolCredentialSource(credentialSourceMap);
+
+    IdentityPoolCredentials.newBuilder()
+        .setX509Provider(x509Provider)
+        .setHttpTransportFactory(new MockExternalAccountCredentialsTransportFactory())
+        .setAudience("")
+        .setSubjectTokenType("")
+        .setCredentialSource(credentialSource)
+        .build();
+  }
 
   static InputStream writeIdentityPoolCredentialsStream(
       String tokenUrl,
@@ -1186,5 +1306,40 @@ public HttpTransport create() {
     }
   }
 
+   static class TestX509Provider extends X509Provider {
+    private final KeyStore keyStore;
+    private final String certPath;
+    private boolean throwOnGetKeyStore;
+    private boolean throwOnGetCertificatePath;
+
+    public TestX509Provider(KeyStore keyStore, String certPath) {
+      super();
+      this.keyStore = keyStore;
+      this.certPath = certPath;
+    }
+
+    public void setShouldThrowOnGetKeyStore(boolean throwOnGetKeyStore) {
+      this.throwOnGetKeyStore = throwOnGetKeyStore;
+    }
+
+    public void setShouldThrowOnGetCertificatePath(boolean throwOnGetCertificatePath) {
+      this.throwOnGetCertificatePath = throwOnGetCertificatePath;
+    }
+
+    @Override
+    public KeyStore getKeyStore() throws IOException {
+      if (throwOnGetKeyStore) {
+        throw new IOException("Simulated IOException on get keystore");
+      }
+      return keyStore;
+    }
 
+    @Override
+    public String getCertificatePath() throws IOException {
+      if (throwOnGetCertificatePath) {
+        throw new IOException("Simulated IOException on certificate path");
+      }
+      return certPath;
+    }
+  }
 }
