From 82619b423b1c02bc4f8fa21ab2c8d06fd406dba6 Mon Sep 17 00:00:00 2001 From: arithmetic1728 Date: Wed, 16 Dec 2020 15:29:17 -0800 Subject: [PATCH 1/2] fix: use default timeout if given 0 for ImpersonatedCredentials --- .../google/auth/oauth2/ImpersonatedCredentials.java | 13 ++++++++++++- .../auth/oauth2/ImpersonatedCredentialsTest.java | 9 +++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java index 0eaa3cd84..2878d5d86 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java @@ -91,6 +91,7 @@ public class ImpersonatedCredentials extends GoogleCredentials private static final long serialVersionUID = -2133257318957488431L; private static final String RFC3339 = "yyyy-MM-dd'T'HH:mm:ss'Z'"; private static final int TWELVE_HOURS_IN_SECONDS = 43200; + private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600; private static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"; private static final String IAM_ACCESS_TOKEN_ENDPOINT = @@ -120,7 +121,8 @@ public class ImpersonatedCredentials extends GoogleCredentials * value should be at most 3600. However, you can follow these * instructions to set up the service account and extend the maximum lifetime to 43200 (12 - * hours). + * hours). If the given lifetime is 0, default value 3600 will be used instead when creating the + * credentials. * @param transportFactory HTTP transport factory that creates the transport used to get access * tokens * @return new credentials 
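Review bot: The sentence added to the `lifetime` Javadoc in the `@@ -120,7 +121,8 @@` hunk says 0 becomes 3600, but not that 3600 is also the ceiling the same paragraph gives for a service account whose limit has not been extended. A caller passing 0 therefore gets the longest token allowed by default, not a short one. I would spell that out, e.g. `If the given lifetime is 0, the default of 3600 seconds is used, which is also the maximum unless the limit has been extended; pass a smaller positive value for a shorter-lived token.` The same sentence is added to the other `create` overload in the `@@ -159,6 +161,8 @@` hunk and needs the same wording. The Javadoc block starts and ends outside the hunk.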
@@ -159,6 +161,8 @@ public static ImpersonatedCredentials create( * instructions to set up the service account and extend the maximum lifetime to 43200 (12 * hours). * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth + * If the given lifetime is 0, default value 3600 will be used instead when creating the + * credentials. * @return new credentials */ public static ImpersonatedCredentials create( @@ -186,6 +190,10 @@ public String getAccount() { return this.targetPrincipal; } + int getLifetime() { + return this.lifetime; + } + /** * Signs the provided bytes using the private key associated with the impersonated service account * @@ -226,6 +234,9 @@ private ImpersonatedCredentials(Builder builder) { if (this.lifetime > TWELVE_HOURS_IN_SECONDS) { throw new IllegalStateException("lifetime must be less than or equal to 43200"); } + if (this.lifetime == 0) { + this.lifetime = DEFAULT_LIFETIME_IN_SECONDS; + } } @Override diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java index 4334fc94f..a4e6b43c1 100644 --- a/oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java +++ b/oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java @@ -198,6 +198,15 @@ public void refreshAccessToken_malformedTarget() throws IOException { } } + @Test() + public void credential_with_zero_lifetime() throws IOException, IllegalStateException { + GoogleCredentials sourceCredentials = getSourceCredentials(); + ImpersonatedCredentials targetCredentials = + ImpersonatedCredentials.create( + sourceCredentials, IMPERSONATED_CLIENT_EMAIL, null, SCOPES, 0); + assertEquals(3600, targetCredentials.getLifetime()); + } + @Test() public void credential_with_invalid_lifetime() throws IOException, IllegalStateException { From cee35df2628d143d025b9458d32c0fffa6e349d9 Mon Sep 17 00:00:00 2001 
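Review bot: `getLifetime()` in the `@@ -186,6 +190,10 @@` hunk is added package-private with no Javadoc, and the only caller visible in this patch is the new test. A one-line comment would record the unit and the reason for the reduced visibility: `/** Returns the requested token lifetime in seconds. Package-private; used by tests. */`.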
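Review bot: Negative lifetimes are still accepted after the `== 0` check added to the constructor in the `@@ -226,6 +234,9 @@` hunk. A value such as -1 passes `this.lifetime > TWELVE_HOURS_IN_SECONDS`, is not equal to 0, and is stored as given; presumably it is then sent in the token request, though that code is outside the hunk. The same gap is in `Builder.setLifetime` in patch 2/2, where only `lifetime == 0` is mapped to the default. Rejecting it next to the existing upper-bound check would keep the two limits together: `if (this.lifetime < 0) { throw new IllegalStateException("lifetime must not be negative"); }`. The constructor body starts outside the hunk.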
From: arithmetic1728 Date: Thu, 17 Dec 2020 11:44:02 -0800 Subject: [PATCH 2/2] update --- .../google/auth/oauth2/ImpersonatedCredentials.java | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java index 2878d5d86..91e917a06 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java @@ -121,8 +121,8 @@ public class ImpersonatedCredentials extends GoogleCredentials * value should be at most 3600. However, you can follow these * instructions to set up the service account and extend the maximum lifetime to 43200 (12 - * hours). If the given lifetime is 0, default value 3600 will be used instead when creating the - * credentials. + * hours). If the given lifetime is 0, default value 3600 will be used instead when creating + * the credentials. * @param transportFactory HTTP transport factory that creates the transport used to get access * tokens * @return new credentials @@ -234,9 +234,6 @@ private ImpersonatedCredentials(Builder builder) { if (this.lifetime > TWELVE_HOURS_IN_SECONDS) { throw new IllegalStateException("lifetime must be less than or equal to 43200"); } - if (this.lifetime == 0) { - this.lifetime = DEFAULT_LIFETIME_IN_SECONDS; - } } @Override @@ -366,7 +363,7 @@ public static class Builder extends GoogleCredentials.Builder { private String targetPrincipal; private List delegates; private List scopes; - private int lifetime; + private int lifetime = DEFAULT_LIFETIME_IN_SECONDS; private HttpTransportFactory transportFactory; protected Builder() {} @@ -413,7 +410,7 @@ public List getScopes() { } public Builder setLifetime(int lifetime) { - this.lifetime = lifetime; + this.lifetime = lifetime == 0 ? DEFAULT_LIFETIME_IN_SECONDS : lifetime; return this; }
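Review bot: Nothing in the series tests the field initializer `private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;` in the `@@ -366,7 +363,7 @@` hunk. Because the constructor fallback is removed in the same patch, this initializer is now the only thing that keeps a Builder that never calls `setLifetime` away from 0. The test from 1/2 passes 0 to `create(...)`, which presumably goes through `setLifetime` rather than the initializer. A second test that builds without setting a lifetime and checks `assertEquals(3600, credentials.getLifetime());` would pin it. The Builder class continues outside the hunk.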
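Review bot: `setLifetime` in the `@@ -413,7 +410,7 @@` hunk now rewrites 0 to the default but has no Javadoc, so the rule is documented only on the `create` overloads. A caller using the Builder directly has no way to learn that 0 is not passed through. Suggest adding above the method: `/** Sets the token lifetime in seconds; 0 selects the default of 3600. */`.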