Merge branch 'main' into refactor-x509-provider

Author: vverman

oauth2_http/java/com/google/auth/mtls/MtlsHttpTransportFactory.java

@@ -32,6 +32,7 @@
 package com.google.auth.mtls;
 
 import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.core.InternalApi;
 import com.google.auth.http.HttpTransportFactory;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
@@ -45,6 +46,7 @@
  * <p><b>Warning:</b> This class is considered internal and is not intended for direct use by
  * library consumers. Its API and behavior may change without notice.
  */
+@InternalApi
 public class MtlsHttpTransportFactory implements HttpTransportFactory {
   private final KeyStore mtlsKeyStore;
 

oauth2_http/java/com/google/auth/oauth2/AccessToken.java

@@ -114,6 +114,13 @@ public int hashCode() {
     return Objects.hash(tokenValue, expirationTimeMillis, scopes);
   }
 
+  /**
+   * Returns a string representation of this access token, including the raw token value.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the raw, unmasked access token
+   * value. Do not log this output in production environments as it may expose sensitive
+   * credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -51,7 +51,6 @@
 import com.google.common.base.Joiner;
 import com.google.common.base.MoreObjects.ToStringHelper;
 import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.io.BufferedReader;
@@ -129,6 +128,7 @@ public class ComputeEngineCredentials extends GoogleCredentials
   private transient HttpTransportFactory transportFactory;
 
   private String universeDomainFromMetadata = null;
+  private String projectId = null;
 
   /**
    * Experimental Feature.
@@ -340,6 +340,81 @@ private String getUniverseDomainFromMetadata() throws IOException {
     return responseString;
   }
 
+  /**
+   * Retrieves the Google Cloud project ID from the Compute Engine (GCE) metadata server.
+   *
+   * <p>On its first successful execution, it fetches the project ID and caches it for the lifetime
+   * of the object. Subsequent calls will return the cached value without making additional network
+   * requests.
+   *
+   * <p>If the request to the metadata server fails (e.g., due to network issues, or if the VM lacks
+   * the required service account permissions), the method will attempt to fall back to a default
+   * project ID provider which could be {@code null}.
+   *
+   * @return the GCP project ID string, or {@code null} if the metadata server is inaccessible and
+   *     no fallback project ID can be determined.
+   */
+  @Override
+  public String getProjectId() {
+    synchronized (this) {
+      if (this.projectId != null) {
+        return this.projectId;
+      }
+    }
+
+    String projectIdFromMetadata = getProjectIdFromMetadata();
+    synchronized (this) {
+      // Check first if another thread set the Project ID. No need to overwrite
+      // if a Projects ID already exists. Tries to prevent a case where the last call
+      // for `getProjectIdFromMetadata()` returns null and overwrites valid data.
+      if (this.projectId == null) {
+        this.projectId = projectIdFromMetadata;
+      }
+    }
+    return this.projectId;
+  }
+
+  private String getProjectIdFromMetadata() {
+    try {
+      HttpResponse response = getMetadataResponse(getProjectIdUrl(), RequestType.UNTRACKED, false);
+      int statusCode = response.getStatusCode();
+      if (statusCode == HttpStatusCodes.STATUS_CODE_NOT_FOUND) {
+        LoggingUtils.log(
+            LOGGER_PROVIDER,
+            Level.WARNING,
+            Collections.emptyMap(),
+            String.format(
+                "Error code %s trying to get project ID from"
+                    + " Compute Engine metadata. This may be because the virtual machine instance"
+                    + " does not have permission scopes specified.",
+                statusCode));
+        return super.getProjectId();
+      }
+      if (statusCode != HttpStatusCodes.STATUS_CODE_OK) {
+        LoggingUtils.log(
+            LOGGER_PROVIDER,
+            Level.WARNING,
+            Collections.emptyMap(),
+            String.format(
+                "Unexpected Error code %s trying to get project ID"
+                    + " from Compute Engine metadata for the default service account: %s",
+                statusCode, response.parseAsString()));
+        return super.getProjectId();
+      }
+      return response.parseAsString();
+    } catch (IOException e) {
+      LoggingUtils.log(
+          LOGGER_PROVIDER,
+          Level.WARNING,
+          Collections.emptyMap(),
+          String.format(
+              "Unexpected Error: %s trying to get project ID"
+                  + " from Compute Engine metadata server. Reason: %s",
+              e.getMessage(), e.getCause().toString()));
+      return super.getProjectId();
+    }
+  }
+
   /** Refresh the access token by getting it from the GCE metadata server */
   @Override
   public AccessToken refreshAccessToken() throws IOException {
@@ -435,11 +510,9 @@ public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.O
     }
     String rawToken = response.parseAsString();
 
-    LoggingUtils.log(
-        LOGGER_PROVIDER,
-        Level.FINE,
-        ImmutableMap.of("idToken", rawToken),
-        "Response Payload for ID token");
+    GenericData idTokenData = new GenericData();
+    idTokenData.set("id_token", rawToken);
+    LoggingUtils.logResponsePayload(idTokenData, LOGGER_PROVIDER, "Response Payload for ID token");
     return IdToken.create(rawToken);
   }
 
@@ -448,6 +521,9 @@ private HttpResponse getMetadataResponse(
     GenericUrl genericUrl = new GenericUrl(url);
     HttpRequest request =
         transportFactory.create().createRequestFactory().buildGetRequest(genericUrl);
+    // Disable automatic logging by google-http-java-client to prevent leakage of sensitive tokens.
+    // Client Library Debug Logging via LoggingUtils is used instead where appropriate.
+    request.setLoggingEnabled(false);
     JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY);
     request.setParser(parser);
     request.getHeaders().set(METADATA_FLAVOR, GOOGLE);
@@ -461,17 +537,17 @@ private HttpResponse getMetadataResponse(
     request.setThrowExceptionOnExecuteError(false);
     HttpResponse response;
     try {
-      String requestMessage;
-      String responseMessage;
+      String requestMessage = null;
+      String responseMessage = null;
       if (requestType.equals(RequestType.ID_TOKEN_REQUEST)) {
         requestMessage = "Sending request to get ID token";
         responseMessage = "Received response for ID token request";
       } else if (requestType.equals(RequestType.ACCESS_TOKEN_REQUEST)) {
         requestMessage = "Sending request to refresh access token";
         responseMessage = "Received response for refresh access token";
       } else {
-        // TODO: this includes get universe domain and get default sa.
-        // refactor for more clear logging message.
+        // TODO: this includes get universe domain and get default sa. Refactor for more clear
+        // logging message.
         requestMessage = "Sending request for universe domain/default service account";
         responseMessage = "Received response for universe domain/default service account";
       }
@@ -564,13 +640,21 @@ static boolean checkStaticGceDetection(DefaultCredentialsProvider provider) {
     return false;
   }
 
+  @VisibleForTesting
+  void setProjectId(String projectId) {
+    this.projectId = projectId;
+  }
+
   private static boolean pingComputeEngineMetadata(
       HttpTransportFactory transportFactory, DefaultCredentialsProvider provider) {
     GenericUrl tokenUrl = new GenericUrl(getMetadataServerUrl(provider));
     for (int i = 1; i <= MAX_COMPUTE_PING_TRIES; ++i) {
       try {
         HttpRequest request =
             transportFactory.create().createRequestFactory().buildGetRequest(tokenUrl);
+        // Disable automatic logging by google-http-java-client. This is a ping request
+        // and does not need to be logged by LoggingUtils.
+        request.setLoggingEnabled(false);
         request.setConnectTimeout(COMPUTE_PING_CONNECTION_TIMEOUT_MS);
         request.getHeaders().set(METADATA_FLAVOR, GOOGLE);
         MetricsUtils.setMetricsHeader(
@@ -642,6 +726,11 @@ public static String getIdentityDocumentUrl() {
         + "/computeMetadata/v1/instance/service-accounts/default/identity";
   }
 
+  public static String getProjectIdUrl() {
+    return getMetadataServerUrl(DefaultCredentialsProvider.DEFAULT)
+        + "/computeMetadata/v1/project/project-id";
+  }
+
   @Override
   public int hashCode() {
     return Objects.hash(transportFactoryClassName);

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -75,6 +75,8 @@
  * </pre>
  */
 public class ExternalAccountAuthorizedUserCredentials extends GoogleCredentials {
+  private static final LoggerProvider LOGGER_PROVIDER =
+      LoggerProvider.forClazz(ExternalAccountAuthorizedUserCredentials.class);
 
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
 
@@ -191,13 +193,19 @@ public AccessToken refreshAccessToken() throws IOException {
     HttpResponse response;
     try {
       HttpRequest httpRequest = buildRefreshRequest();
+      LoggingUtils.logRequest(
+          httpRequest, LOGGER_PROVIDER, "Sending request to refresh access token");
       response = httpRequest.execute();
+      LoggingUtils.logResponse(
+          response, LOGGER_PROVIDER, "Received response for refresh access token");
     } catch (HttpResponseException e) {
       throw OAuthException.createFromHttpResponseException(e);
     }
 
     // Parse response.
     GenericData responseData = response.parseAs(GenericData.class);
+    LoggingUtils.logResponsePayload(
+        responseData, LOGGER_PROVIDER, "Response payload for refresh access token");
     response.disconnect();
 
     // Required fields.
@@ -276,6 +284,13 @@ public int hashCode() {
         quotaProjectId);
   }
 
+  /**
+   * Returns a string representation of this credential.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes sensitive fields such as the
+   * client secret, refresh token, and request metadata containing the raw Bearer access token. Do
+   * not log this output in production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)
@@ -379,6 +394,9 @@ private HttpRequest buildRefreshRequest() throws IOException {
             .create()
             .createRequestFactory()
             .buildPostRequest(new GenericUrl(tokenUrl), new UrlEncodedContent(tokenRequest));
+    // Disable automatic logging by google-http-java-client to prevent leakage of sensitive tokens.
+    // Client Library Debug Logging via LoggingUtils is used instead.
+    request.setLoggingEnabled(false);
 
     request.setParser(new JsonObjectParser(JSON_FACTORY));
 

oauth2_http/java/com/google/auth/oauth2/GdchCredentials.java

@@ -65,6 +65,8 @@
 import java.util.Objects;
 
 public class GdchCredentials extends GoogleCredentials {
+  private static final LoggerProvider LOGGER_PROVIDER =
+      LoggerProvider.forClazz(GdchCredentials.class);
   static final String SUPPORTED_FORMAT_VERSION = "1";
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
   private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;
@@ -260,14 +262,20 @@ public AccessToken refreshAccessToken() throws IOException {
 
     HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
     HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
+    // Disable automatic logging by google-http-java-client to prevent leakage of sensitive tokens.
+    // Client Library Debug Logging via LoggingUtils is used instead.
+    request.setLoggingEnabled(false);
 
     request.setParser(new JsonObjectParser(jsonFactory));
 
     HttpResponse response;
     String errorTemplate = "Error getting access token for GDCH service account: %s, iss: %s";
 
     try {
+      LoggingUtils.logRequest(request, LOGGER_PROVIDER, "Sending request to get GDCH access token");
       response = request.execute();
+      LoggingUtils.logResponse(
+          response, LOGGER_PROVIDER, "Received response for GDCH access token");
     } catch (HttpResponseException re) {
       String message = String.format(errorTemplate, re.getMessage(), getServiceIdentityName());
       throw GoogleAuthException.createWithTokenEndpointResponseException(re, message);
@@ -277,6 +285,8 @@ public AccessToken refreshAccessToken() throws IOException {
     }
 
     GenericData responseData = response.parseAs(GenericData.class);
+    LoggingUtils.logResponsePayload(
+        responseData, LOGGER_PROVIDER, "Response payload for GDCH access token");
     String accessToken =
         OAuth2Utils.validateString(responseData, "access_token", PARSE_ERROR_PREFIX);
     int expiresInSeconds =

oauth2_http/java/com/google/auth/oauth2/IamUtils.java

@@ -135,6 +135,10 @@ private static String getSignature(
 
     HttpRequest request = factory.buildPostRequest(genericUrl, signContent);
 
+    // Disable automatic logging by google-http-java-client to prevent leakage of sensitive tokens.
+    // Client Library Debug Logging via LoggingUtils is used instead.
+    request.setLoggingEnabled(false);
+
     JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY);
     request.setParser(parser);
     request.setThrowExceptionOnExecuteError(false);
@@ -232,6 +236,10 @@ static IdToken getIdToken(
     HttpRequest request =
         transport.createRequestFactory(adapter).buildPostRequest(genericUrl, idTokenContent);
 
+    // Disable automatic logging by google-http-java-client to prevent leakage of sensitive tokens.
+    // Client Library Debug Logging via LoggingUtils is used instead.
+    request.setLoggingEnabled(false);
+
     JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY);
     request.setParser(parser);
     request.setThrowExceptionOnExecuteError(false);

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -628,6 +628,9 @@ public AccessToken refreshAccessToken() throws IOException {
 
     HttpContent requestContent = new JsonHttpContent(parser.getJsonFactory(), body);
     HttpRequest request = requestFactory.buildPostRequest(url, requestContent);
+    // Disable automatic logging by google-http-java-client to prevent leakage of sensitive tokens.
+    // Client Library Debug Logging via LoggingUtils is used instead.
+    request.setLoggingEnabled(false);
     request.setConnectTimeout(connectTimeout);
     request.setReadTimeout(readTimeout);
     adapter.initialize(request);
@@ -707,6 +710,13 @@ public int hashCode() {
         iamEndpointOverride);
   }
 
+  /**
+   * Returns a string representation of this credential.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the source credentials which may
+   * recursively contain sensitive fields such as access tokens. Do not log this output in
+   * production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

oauth2_http/java/com/google/auth/oauth2/InternalAwsSecurityCredentialsSupplier.java

@@ -205,6 +205,10 @@ private String retrieveResource(
       HttpRequest request =
           requestFactory.buildRequest(requestMethod, new GenericUrl(url), content);
 
+      // Disable automatic logging by google-http-java-client to prevent leakage of sensitive
+      // metadata responses.
+      request.setLoggingEnabled(false);
+
       HttpHeaders requestHeaders = request.getHeaders();
       for (Map.Entry<String, Object> header : headers.entrySet()) {
         requestHeaders.set(header.getKey(), header.getValue());

oauth2_http/java/com/google/auth/oauth2/LoggingUtils.java

@@ -76,7 +76,12 @@ static void logResponsePayload(
     }
   }
 
-  // generic log method to use when not logging standard request, response and payload
+  /**
+   * Generic log method to use when not logging standard request, response and payload.
+   *
+   * <p>Any key in the provided {@code contextMap} that matches the sensitive keys set (e.g.
+   * access_token, refresh_token) will have its value masked via SHA-256 hash before being logged.
+   */
   static void log(
       LoggerProvider loggerProvider, Level level, Map<String, Object> contextMap, String message) {
     if (loggingEnabled) {

oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java

@@ -446,6 +446,14 @@ protected Map<String, List<String>> getRequestMetadataInternal() {
     return null;
   }
 
+  /**
+   * Returns a string representation of this credential, including request metadata and access
+   * token.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the request metadata which
+   * contains the raw Bearer access token, and the raw access token value. Do not log this output in
+   * production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     OAuthValue localValue = value;