hopefully fixed IT tests

ldetmer · ldetmer · commit 2778372f0efc · 2026-03-05T14:16:38.000-05:00
# Conflicts:
#	google-cloud-spanner/src/test/java/com/google/cloud/spanner/connection/it/ITMutableCredentialsTest.java
diff --git a/google-cloud-spanner/src/test/java/com/google/cloud/spanner/connection/MutableCredentialsTest.java b/google-cloud-spanner/src/test/java/com/google/cloud/spanner/connection/MutableCredentialsTest.java
@@ -29,6 +29,7 @@
 import com.google.auth.CredentialTypeForMetrics;
 import com.google.auth.RequestMetadataCallback;
 import com.google.auth.oauth2.ServiceAccountCredentials;
+import com.google.cloud.spanner.SpannerOptions;
 import java.io.IOException;
 import java.net.URI;
 import java.util.*;
@@ -76,6 +77,25 @@ public void testCreateMutableCredentials() throws IOException {
     verify(initialScopedCredentials, times(1)).refresh();
   }
 
+  @Test
+  public void testCreateMutableCredentialsWithDefaultScopes() throws IOException {
+    Set<String> defaultScopes = SpannerOptions.getDefaultInstance().getScopes();
+    when(initialCredentials.createScoped(defaultScopes)).thenReturn(initialScopedCredentials);
+    when(initialScopedCredentials.getAuthenticationType()).thenReturn(initialAuthType);
+    when(initialScopedCredentials.getRequestMetadata(any(URI.class))).thenReturn(initialMetadata);
+    when(initialScopedCredentials.getUniverseDomain()).thenReturn(initialUniverseDomain);
+    when(initialScopedCredentials.getMetricsCredentialType())
+        .thenReturn(initialMetricsCredentialType);
+    when(initialScopedCredentials.hasRequestMetadata()).thenReturn(true);
+    when(initialScopedCredentials.hasRequestMetadataOnly()).thenReturn(true);
+
+    MutableCredentials credentials = new MutableCredentials(initialCredentials);
+    URI testUri = URI.create("https://spanner.googleapis.com");
+
+    validateInitialDelegatedCredentialsAreSet(credentials, testUri);
+    verify(initialCredentials).createScoped(defaultScopes);
+  }
+
   @Test
   public void testUpdateMutableCredentials() throws IOException {
     setupInitialCredentials();
@@ -106,7 +126,7 @@ public void testUpdateMutableCredentials() throws IOException {
   }
 
   @Test(expected = IllegalArgumentException.class)
-  public void testCreateMutableCredentialsEmptyScopes() {
+  public void testCreateMutableCredentialsEmptyScopesThrowsError() {
     new MutableCredentials(initialCredentials, Collections.emptySet());
   }
 
diff --git a/google-cloud-spanner/src/test/java/com/google/cloud/spanner/connection/it/ITMutableCredentialsTest.java b/google-cloud-spanner/src/test/java/com/google/cloud/spanner/connection/it/ITMutableCredentialsTest.java
@@ -17,8 +17,8 @@
 package com.google.cloud.spanner.connection.it;
 
 import static org.junit.Assert.*;
+import static org.junit.Assume.assumeTrue;
 
-import com.google.api.gax.core.FixedCredentialsProvider;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.ServiceAccountCredentials;
 import com.google.cloud.spanner.*;
@@ -37,72 +37,59 @@
 @Category(SerialIntegrationTest.class)
 @RunWith(JUnit4.class)
 public class ITMutableCredentialsTest {
-  private static final String MISSING_PERM_KEY =
-      "/com/google/cloud/spanner/connection/test-key-missing-permissions.json";
 
-  private static final String INVALID_KEY = "/com/google/cloud/spanner/connection/test-key.json";
+  private static final String INVALID_CERT_PATH =
+      "/com/google/cloud/spanner/connection/test-key.json";
 
   @Test
   public void testMutableCredentialsUpdateAuthorizationForRunningClient() throws IOException {
-    System.out.println("property" + System.getenv("GOOGLE_ACCOUNT_CREDENTIALS"));
-    GoogleCredentials missingPermissionCredentials;
-    try (InputStream stream =
-        Files.newInputStream(
-            Paths.get("/tmpfs/src/gfile/secret_manager/java-it-service-account"))) {
-      missingPermissionCredentials = GoogleCredentials.fromStream(stream);
+    GoogleCredentials validCredentials;
+
+    // accept cert path overridden by environment variable for local testing
+    if (System.getenv("GOOGLE_ACCOUNT_CREDENTIALS") != null) {
+      try (InputStream stream =
+          Files.newInputStream(Paths.get(System.getenv("GOOGLE_ACCOUNT_CREDENTIALS")))) {
+        validCredentials = GoogleCredentials.fromStream(stream);
+      }
+    } else {
+      validCredentials = GoogleCredentials.getApplicationDefault();
     }
+
+    // credentials must be ServiceAccountCredentials
+    assumeTrue(validCredentials instanceof ServiceAccountCredentials);
+
     ServiceAccountCredentials invalidCredentials;
-    try (InputStream stream = ITMutableCredentialsTest.class.getResourceAsStream(INVALID_KEY)) {
+    try (InputStream stream =
+        ITMutableCredentialsTest.class.getResourceAsStream(INVALID_CERT_PATH)) {
       invalidCredentials = ServiceAccountCredentials.fromStream(stream);
     }
 
-    // create MutableCredentials first default account credentials
+    // create MutableCredentials first with valid credentials
     MutableCredentials mutableCredentials =
-        new MutableCredentials((ServiceAccountCredentials) missingPermissionCredentials);
+        new MutableCredentials((ServiceAccountCredentials) validCredentials);
 
-    System.out.println("missingPermissionCredentials " + missingPermissionCredentials);
+    System.out.println("validCredentials " + validCredentials);
 
-    System.out.println("application default " + GoogleCredentials.getApplicationDefault());
     SpannerOptions options =
         SpannerOptions.newBuilder()
-            .setEmulatorHost(null)
-            .setCredentials(FixedCredentialsProvider.create(mutableCredentials).getCredentials())
+            .setEmulatorHost(
+                null) // this setting is required otherwise SpannerOptions overrides credentials to
+                      // NoCredentials
+            .setCredentials(mutableCredentials)
             .build();
     System.out.println("initial credentials " + options.getCredentials());
-    System.out.println("default projecct" + options.getProjectId());
+    ProjectName projectName = ProjectName.of(options.getProjectId());
     try (Spanner spanner = options.getService();
         InstanceAdminClient instanceAdminClient = spanner.createInstanceAdminClient()) {
-      String project = "gcloud-devel";
-      String instance = "java-client-integration-tests";
-      try {
-        listInstances(instanceAdminClient, options.getProjectId(), instance);
-        // fail("Expected PERMISSION_DENIED");
-      } catch (Exception e) {
-        // specifically validate the permission denied error message
-        System.out.println("exception " + e.getMessage());
-        assertTrue(e.getMessage().contains("PERMISSION_DENIED"));
-        assertFalse(e.getMessage().contains("UNAUTHENTICATED"));
-      }
-
-      // update mutableCredentials now to use an invalid credential
+      instanceAdminClient.listInstances(projectName);
+      // update mutableCredentials now to use an invalid credentials
       mutableCredentials.updateCredentials(invalidCredentials);
       try {
-        listInstances(instanceAdminClient, options.getProjectId(), instance);
+        instanceAdminClient.listInstances(projectName);
         fail("Expected UNAUTHENTICATED after switching to invalid credentials");
       } catch (Exception e) {
         assertTrue(e.getMessage().contains("UNAUTHENTICATED"));
-        assertFalse(e.getMessage().contains("PERMISSION_DENIED"));
       }
     }
   }
-
-  private static void listInstances(
-      InstanceAdminClient instanceAdminClient, String projectId, String instanceId) {
-    InstanceAdminClient.ListInstancesPagedResponse response =
-        instanceAdminClient.listInstances(ProjectName.of(projectId));
-
-    for (InstanceAdminClient.ListInstancesPage page : response.iteratePages()) {
-      // no-op
-    }
-  }
 }
