Addressed comments.

vverman · vverman · commit 31f9a1197da5 · 2026-03-27T14:40:07.000-04:00
diff --git a/oauth2_http/java/com/google/auth/mtls/MtlsUtils.java b/oauth2_http/java/com/google/auth/mtls/MtlsUtils.java
@@ -30,6 +30,7 @@
 
 package com.google.auth.mtls;
 
+import com.google.api.core.InternalApi;
 import com.google.auth.oauth2.EnvironmentProvider;
 import com.google.auth.oauth2.PropertyProvider;
 import com.google.common.base.Strings;
@@ -44,7 +45,8 @@
  *
  * <p>For internal use only.
  */
-class MtlsUtils {
+@InternalApi
+public class MtlsUtils {
   static final String CERTIFICATE_CONFIGURATION_ENV_VARIABLE = "GOOGLE_API_CERTIFICATE_CONFIG";
   static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
   static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
@@ -60,7 +62,7 @@ private MtlsUtils() {
    * @return The path to the certificate file.
    * @throws IOException if the certificate configuration cannot be found or loaded.
    */
-  static String getCertificatePath(
+  public static String getCertificatePath(
       EnvironmentProvider envProvider, PropertyProvider propProvider, String certConfigPathOverride)
       throws IOException {
     String certPath =
@@ -103,7 +105,9 @@ static WorkloadCertificateConfiguration getWorkloadCertificateConfiguration(
     }
 
     if (!certConfig.isFile()) {
-      throw new CertificateSourceUnavailableException("File does not exist.");
+      throw new CertificateSourceUnavailableException(
+          "Certificate configuration file does not exist or is not a file: "
+              + certConfig.getAbsolutePath());
     }
     try (InputStream certConfigStream = new FileInputStream(certConfig)) {
       return WorkloadCertificateConfiguration.fromCertificateConfigurationStream(certConfigStream);
diff --git a/oauth2_http/java/com/google/auth/mtls/X509Provider.java b/oauth2_http/java/com/google/auth/mtls/X509Provider.java
@@ -95,21 +95,6 @@ public X509Provider() {
     this(null);
   }
 
-  /**
-   * Returns the path to the client certificate file specified by the loaded workload certificate
-   * configuration.
-   *
-   * <p>If the configuration has not been loaded yet, this method will attempt to load it first by
-   * searching the override path, environment variable, and well-known locations.
-   *
-   * @return The path to the certificate file.
-   * @throws IOException if the certificate configuration cannot be found or loaded, or if the
-   *     configuration file does not specify a certificate path.
-   */
-  public String getCertificatePath() throws IOException {
-    return MtlsUtils.getCertificatePath(envProvider, propProvider, certConfigPathOverride);
-  }
-
   /**
    * Finds the certificate configuration file, then builds a Keystore using the X.509 certificate
    * and private key pointed to by the configuration. This will check the following locations in
diff --git a/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java
@@ -33,6 +33,7 @@
 
 import com.google.auth.http.HttpTransportFactory;
 import com.google.auth.mtls.MtlsHttpTransportFactory;
+import com.google.auth.mtls.MtlsUtils;
 import com.google.auth.mtls.X509Provider;
 import com.google.auth.oauth2.IdentityPoolCredentialSource.IdentityPoolCredentialSourceType;
 import com.google.common.annotations.VisibleForTesting;
@@ -166,7 +167,10 @@ private IdentityPoolSubjectTokenSupplier createCertificateSubjectTokenSupplier(
     this.transportFactory = new MtlsHttpTransportFactory(mtlsKeyStore);
 
     // Initialize the subject token supplier with the certificate path.
-    credentialSource.setCredentialLocation(x509Provider.getCertificatePath());
+    String explicitCertConfigPath = getExplicitCertConfigPath(credentialSource);
+    credentialSource.setCredentialLocation(
+        MtlsUtils.getCertificatePath(
+            getEnvironmentProvider(), getPropertyProvider(), explicitCertConfigPath));
     return new CertificateIdentityPoolSubjectTokenSupplier(credentialSource);
   }
 
@@ -179,16 +183,21 @@ private X509Provider getX509Provider(
     X509Provider x509Provider = builder.x509Provider;
     if (x509Provider == null) {
       // Determine the certificate path based on the configuration.
-      String explicitCertConfigPath =
-          certConfig.useDefaultCertificateConfig()
-              ? null
-              : certConfig.getCertificateConfigLocation();
+      String explicitCertConfigPath = getExplicitCertConfigPath(credentialSource);
       x509Provider =
           new X509Provider(getEnvironmentProvider(), getPropertyProvider(), explicitCertConfigPath);
     }
     return x509Provider;
   }
 
+  private static String getExplicitCertConfigPath(IdentityPoolCredentialSource credentialSource) {
+    IdentityPoolCredentialSource.CertificateConfig certConfig =
+        credentialSource.getCertificateConfig();
+    return certConfig.useDefaultCertificateConfig()
+        ? null
+        : certConfig.getCertificateConfigLocation();
+  }
+
   public static class Builder extends ExternalAccountCredentials.Builder {
 
     private IdentityPoolSubjectTokenSupplier subjectTokenSupplier;
diff --git a/oauth2_http/java/com/google/auth/oauth2/SystemEnvironmentProvider.java b/oauth2_http/java/com/google/auth/oauth2/SystemEnvironmentProvider.java
@@ -1,12 +1,14 @@
 package com.google.auth.oauth2;
 
+import com.google.api.core.InternalApi;
 import java.io.Serializable;
 
 /**
  * Represents the default system environment provider.
  *
  * <p>For internal use only.
  */
+@InternalApi
 public class SystemEnvironmentProvider implements EnvironmentProvider, Serializable {
   static final SystemEnvironmentProvider INSTANCE = new SystemEnvironmentProvider();
   private static final long serialVersionUID = -4698164985883575244L;
diff --git a/oauth2_http/javatests/com/google/auth/mtls/X509ProviderTest.java b/oauth2_http/javatests/com/google/auth/mtls/X509ProviderTest.java
@@ -60,11 +60,12 @@ class X509ProviderTest {
   void x509Provider_fileDoesntExist_throws() {
     String certConfigPath = "badfile.txt";
     X509Provider testProvider = new X509Provider(certConfigPath);
-    String expectedErrorMessage = "File does not exist.";
-
+    String expectedErrorMessage =
+        "Certificate configuration file does not exist or is not a file: "
+            + new File(certConfigPath).getAbsolutePath();
     CertificateSourceUnavailableException exception =
         assertThrows(CertificateSourceUnavailableException.class, testProvider::getKeyStore);
-    assertTrue(exception.getMessage().contains(expectedErrorMessage));
+    assertEquals(expectedErrorMessage, exception.getMessage());
   }
 
   @Test
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java
@@ -1120,7 +1120,6 @@ void build_withCertificateSourceAndCustomX509Provider_success()
 
     // Verify the custom provider methods were called during build.
     verify(x509Provider).getKeyStore();
-    verify(x509Provider).getCertificatePath();
   }
 
   @Test
@@ -1182,26 +1181,27 @@ void build_withCustomProvider_throwsOnGetKeyStore()
   @Test
   void build_withCustomProvider_throwsOnGetCertificatePath()
       throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
-    // Simulate a scenario where the X509Provider cannot access or read the certificate
-    // configuration file needed to determine the certificate path, resulting in an IOException.
+    // Simulate a scenario where path resolution fails during build with a custom
+    // provider.
+    // We achieve this by passing a non-existent configuration path which causes
+    // MtlsUtils to throw
+    // IOException.
     KeyStore keyStore = KeyStore.getInstance("JKS");
     keyStore.load(null, null);
     TestX509Provider x509Provider = new TestX509Provider(keyStore, "/path/to/certificate.json");
-    x509Provider.setShouldThrowOnGetCertificatePath(true); // Configure to throw
 
     Map<String, Object> certificateMap = new HashMap<>();
-    certificateMap.put("certificate_config_location", "/path/to/certificate.json");
+    certificateMap.put("certificate_config_location", "/non/existent/path.json");
 
     // Expect RuntimeException because the constructor wraps the IOException.
     RuntimeException exception =
         assertThrows(
             RuntimeException.class,
             () -> createCredentialsWithCertificate(x509Provider, certificateMap));
 
-    // Verify the cause is the expected IOException from the mock.
+    // Verify the cause is the expected IOException (or subclass) from MtlsUtils.
     assertNotNull(exception.getCause());
     assertTrue(exception.getCause() instanceof IOException);
-    assertEquals("Simulated IOException on certificate path", exception.getCause().getMessage());
 
     // Verify the wrapper exception message
     assertEquals(
@@ -1310,7 +1310,6 @@ private static class TestX509Provider extends X509Provider {
     private final KeyStore keyStore;
     private final String certificatePath;
     private boolean shouldThrowOnGetKeyStore = false;
-    private boolean shouldThrowOnGetCertificatePath = false;
 
     TestX509Provider(KeyStore keyStore, String certificatePath) {
       super();
@@ -1326,20 +1325,8 @@ public KeyStore getKeyStore() throws IOException {
       return keyStore;
     }
 
-    @Override
-    public String getCertificatePath() throws IOException {
-      if (shouldThrowOnGetCertificatePath) {
-        throw new IOException("Simulated IOException on certificate path");
-      }
-      return certificatePath;
-    }
-
     void setShouldThrowOnGetKeyStore(boolean shouldThrow) {
       this.shouldThrowOnGetKeyStore = shouldThrow;
     }
-
-    void setShouldThrowOnGetCertificatePath(boolean shouldThrow) {
-      this.shouldThrowOnGetCertificatePath = shouldThrow;
-    }
   }
 }
