From 3a8d4dbfe7b748cab9bf4b339788d842baca02a5 Mon Sep 17 00:00:00 2001 From: Andy Zhao Date: Wed, 8 Feb 2023 14:35:16 -0800 Subject: [PATCH 1/9] fix: Improve error handling for enterprise certificate module --- go.mod | 2 +- go.sum | 4 ++-- transport/cert/enterprise_cert.go | 4 +--- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 2d845c545ca..1d4d69f43ea 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( cloud.google.com/go/compute/metadata v0.2.3 github.com/google/go-cmp v0.5.9 github.com/google/uuid v1.3.0 - github.com/googleapis/enterprise-certificate-proxy v0.2.1 + github.com/googleapis/enterprise-certificate-proxy v0.2.2 github.com/googleapis/gax-go/v2 v2.7.0 go.opencensus.io v0.24.0 golang.org/x/net v0.0.0-20221014081412-f15817d10f9b diff --git a/go.sum b/go.sum index 44c266858aa..b090f2f433e 100644 --- a/go.sum +++ b/go.sum @@ -44,8 +44,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.2.1 h1:RY7tHKZcRlk788d5WSo/e83gOyyy742E8GSs771ySpg= -github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.2.2 h1:jUqbmxlR+gGPQq/uvQviKpS1bSQecfs2t7o6F14sk9s= +github.com/googleapis/enterprise-certificate-proxy v0.2.2/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ= github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
diff --git a/transport/cert/enterprise_cert.go b/transport/cert/enterprise_cert.go
index eaa52e07c08..1061b5f05f3 100644
--- a/transport/cert/enterprise_cert.go
+++ b/transport/cert/enterprise_cert.go
@@ -15,7 +15,6 @@ package cert
 import (
 "crypto/tls"
 "errors"
- "os"
 "github.com/googleapis/enterprise-certificate-proxy/client"
 )
@@ -36,8 +35,7 @@ type ecpSource struct {
 func NewEnterpriseCertificateProxySource(configFilePath string) (Source, error) {
 key, err := client.Cred(configFilePath)
 if err != nil {
- if errors.Is(err, os.ErrNotExist) {
- // Config file missing means Enterprise Certificate Proxy is not supported.
+ if errors.Is(err, client.ErrCredUnavailable) {
 return nil, errSourceUnavailable
 }
 return nil, err
From 9c0fe70bd373118c8de5f8dbc945bd2568a35aca Mon Sep 17 00:00:00 2001
From: Andy Zhao
Date: Mon, 13 Feb 2023 11:43:26 -0800
Subject: [PATCH 2/9] fix: Update ECP dependency to v0.2.3
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 1d4d69f43ea..2283c03d945 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 cloud.google.com/go/compute/metadata v0.2.3
 github.com/google/go-cmp v0.5.9
 github.com/google/uuid v1.3.0
- github.com/googleapis/enterprise-certificate-proxy v0.2.2
+ github.com/googleapis/enterprise-certificate-proxy v0.2.3
 github.com/googleapis/gax-go/v2 v2.7.0
 go.opencensus.io v0.24.0
 golang.org/x/net v0.0.0-20221014081412-f15817d10f9b
diff --git a/go.sum b/go.sum
index b090f2f433e..9eccfe1a097 100644
--- a/go.sum
+++ b/go.sum
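Review bot: The explanatory comment was removed together with the os.ErrNotExist check, so the new `errors.Is(err, client.ErrCredUnavailable)` branch no longer says why this one error is downgraded to errSourceUnavailable while every other client.Cred error is returned as-is. Keep a one-line comment above it, e.g. `// ErrCredUnavailable: the Enterprise Certificate Proxy is not configured on this host, so report "unavailable" rather than a hard error.` (confirm the wording against the sentinel's documentation in the v0.2.2 client). Propagating all other errors unchanged is the right fail-closed behaviour for a configuration that is present but broken. NewEnterpriseCertificateProxySource continues past the end of the hunk.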
@@ -44,8 +44,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.2.2 h1:jUqbmxlR+gGPQq/uvQviKpS1bSQecfs2t7o6F14sk9s= -github.com/googleapis/enterprise-certificate-proxy v0.2.2/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= +github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ= github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= From 6b41d3304ac2663c23737b7c410b5164ab7d5de7 Mon Sep 17 00:00:00 2001 
From: Andy Zhao Date: Fri, 24 Feb 2023 12:27:29 -0800 Subject: [PATCH 3/9] internal: Refactor cert logic to support token exchange over mTLS --- {transport => internal}/cert/default_cert.go | 0 {transport => internal}/cert/enterprise_cert.go | 0 .../cert/enterprise_cert_test.go | 0 .../cert/secureconnect_cert.go | 0 .../cert/secureconnect_cert_test.go | 0 .../cert/testdata/certificate_config.json | 0 .../testdata/certificate_config_invalid_pem.json | 0 .../cert/testdata/context_aware_metadata.json | 0 .../context_aware_metadata_invalid_pem.json | 0 .../context_aware_metadata_nonexpiring_pem.json | 0 {transport => internal}/cert/testdata/invalid.pem | 0 .../cert/testdata/nonexpiring.pem | 0 .../cert/testdata/rsa2048bit.pem | 0 {transport => internal}/cert/testdata/signer.sh | 2 +- .../cert/testdata/signer_invalid_pem.sh | 2 +- .../cert/testdata/testcert.pem | 0 internal/creds.go | 15 ++++++++++++++- {transport/internal/dca => internal}/dca.go | 11 +++++------ {transport/internal/dca => internal}/dca_test.go | 8 +++----- .../internal => internal}/ecp/test_signer.go | 0 transport/grpc/dial.go | 3 +-- transport/http/dial.go | 5 ++--- 22 files changed, 27 insertions(+), 19 deletions(-) rename {transport => internal}/cert/default_cert.go (100%) rename {transport => internal}/cert/enterprise_cert.go (100%) rename {transport => internal}/cert/enterprise_cert_test.go (100%) rename {transport => internal}/cert/secureconnect_cert.go (100%) rename {transport => internal}/cert/secureconnect_cert_test.go (100%) rename {transport => internal}/cert/testdata/certificate_config.json (100%) rename {transport => internal}/cert/testdata/certificate_config_invalid_pem.json (100%) rename {transport => internal}/cert/testdata/context_aware_metadata.json (100%) rename {transport => internal}/cert/testdata/context_aware_metadata_invalid_pem.json (100%) rename {transport => internal}/cert/testdata/context_aware_metadata_nonexpiring_pem.json (100%) rename {transport => 
internal}/cert/testdata/invalid.pem (100%) rename {transport => internal}/cert/testdata/nonexpiring.pem (100%) rename {transport => internal}/cert/testdata/rsa2048bit.pem (100%) rename {transport => internal}/cert/testdata/signer.sh (70%) rename {transport => internal}/cert/testdata/signer_invalid_pem.sh (71%) rename {transport => internal}/cert/testdata/testcert.pem (100%) rename {transport/internal/dca => internal}/dca.go (92%) rename {transport/internal/dca => internal}/dca_test.go (95%) rename {transport/internal => internal}/ecp/test_signer.go (100%) diff --git a/transport/cert/default_cert.go b/internal/cert/default_cert.go similarity index 100% rename from transport/cert/default_cert.go rename to internal/cert/default_cert.go diff --git a/transport/cert/enterprise_cert.go b/internal/cert/enterprise_cert.go similarity index 100% rename from transport/cert/enterprise_cert.go rename to internal/cert/enterprise_cert.go diff --git a/transport/cert/enterprise_cert_test.go b/internal/cert/enterprise_cert_test.go similarity index 100% rename from transport/cert/enterprise_cert_test.go rename to internal/cert/enterprise_cert_test.go diff --git a/transport/cert/secureconnect_cert.go b/internal/cert/secureconnect_cert.go similarity index 100% rename from transport/cert/secureconnect_cert.go rename to internal/cert/secureconnect_cert.go diff --git a/transport/cert/secureconnect_cert_test.go b/internal/cert/secureconnect_cert_test.go similarity index 100% rename from transport/cert/secureconnect_cert_test.go rename to internal/cert/secureconnect_cert_test.go diff --git a/transport/cert/testdata/certificate_config.json b/internal/cert/testdata/certificate_config.json similarity index 100% rename from transport/cert/testdata/certificate_config.json rename to internal/cert/testdata/certificate_config.json 
diff --git a/transport/cert/testdata/certificate_config_invalid_pem.json b/internal/cert/testdata/certificate_config_invalid_pem.json similarity index 100% rename from transport/cert/testdata/certificate_config_invalid_pem.json rename to internal/cert/testdata/certificate_config_invalid_pem.json diff --git a/transport/cert/testdata/context_aware_metadata.json b/internal/cert/testdata/context_aware_metadata.json similarity index 100% rename from transport/cert/testdata/context_aware_metadata.json rename to internal/cert/testdata/context_aware_metadata.json diff --git a/transport/cert/testdata/context_aware_metadata_invalid_pem.json b/internal/cert/testdata/context_aware_metadata_invalid_pem.json similarity index 100% rename from transport/cert/testdata/context_aware_metadata_invalid_pem.json rename to internal/cert/testdata/context_aware_metadata_invalid_pem.json diff --git a/transport/cert/testdata/context_aware_metadata_nonexpiring_pem.json b/internal/cert/testdata/context_aware_metadata_nonexpiring_pem.json similarity index 100% rename from transport/cert/testdata/context_aware_metadata_nonexpiring_pem.json rename to internal/cert/testdata/context_aware_metadata_nonexpiring_pem.json diff --git a/transport/cert/testdata/invalid.pem b/internal/cert/testdata/invalid.pem similarity index 100% rename from transport/cert/testdata/invalid.pem rename to internal/cert/testdata/invalid.pem diff --git a/transport/cert/testdata/nonexpiring.pem b/internal/cert/testdata/nonexpiring.pem similarity index 100% rename from transport/cert/testdata/nonexpiring.pem rename to internal/cert/testdata/nonexpiring.pem diff --git a/transport/cert/testdata/rsa2048bit.pem b/internal/cert/testdata/rsa2048bit.pem similarity index 100% rename from transport/cert/testdata/rsa2048bit.pem rename to internal/cert/testdata/rsa2048bit.pem 
diff --git a/transport/cert/testdata/signer.sh b/internal/cert/testdata/signer.sh similarity index 70% rename from transport/cert/testdata/signer.sh rename to internal/cert/testdata/signer.sh index 6b4fb6cd960..85f8b859ff1 100755 --- a/transport/cert/testdata/signer.sh +++ b/internal/cert/testdata/signer.sh @@ -4,4 +4,4 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. -go run ../internal/ecp/test_signer.go testdata/rsa2048bit.pem +go run ../ecp/test_signer.go testdata/rsa2048bit.pem diff --git a/transport/cert/testdata/signer_invalid_pem.sh b/internal/cert/testdata/signer_invalid_pem.sh similarity index 71% rename from transport/cert/testdata/signer_invalid_pem.sh rename to internal/cert/testdata/signer_invalid_pem.sh index f97fb1489f9..c7d2fd775e4 100755 --- a/transport/cert/testdata/signer_invalid_pem.sh +++ b/internal/cert/testdata/signer_invalid_pem.sh @@ -4,4 +4,4 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. -go run ../internal/ecp/test_signer.go testdata/invalid.pem +go run ../ecp/test_signer.go testdata/invalid.pem diff --git a/transport/cert/testdata/testcert.pem b/internal/cert/testdata/testcert.pem similarity index 100% rename from transport/cert/testdata/testcert.pem rename to internal/cert/testdata/testcert.pem diff --git a/internal/creds.go b/internal/creds.go index 32d52413b30..8f9e6a6702e 100644 --- a/internal/creds.go +++ b/internal/creds.go @@ -10,6 +10,8 @@ import ( "errors" "fmt" "io/ioutil" + //"log" + "crypto/tls" "golang.org/x/oauth2" "google.golang.org/api/internal/impersonate" 
@@ -81,7 +83,18 @@ const ( // More details: google.aip.dev/auth/4111 func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*google.Credentials, error) { // By default, a standard OAuth 2.0 token source is created - cred, err := google.CredentialsFromJSON(ctx, data, ds.GetScopes()...) + var params google.CredentialsParams + params.Scopes = ds.GetScopes() + var oauthds DialSettings + oauthds.DefaultEndpoint = google.Endpoint.TokenURL + oauthds.DefaultMTLSEndpoint = google.MTLSTokenURL + oauthds.ClientCertSource = ds.ClientCertSource + clientCertSource,oauthendpoint,err := GetClientCertificateSourceAndEndpoint(&oauthds); + params.TLSConfig = &tls.Config{ + GetClientCertificate: clientCertSource, + } + params.TokenURL = oauthendpoint + cred, err := google.CredentialsFromJSONWithParams(ctx, data, params) if err != nil { return nil, err } diff --git a/transport/internal/dca/dca.go b/internal/dca.go similarity index 92% rename from transport/internal/dca/dca.go rename to internal/dca.go index 78004f0475f..11b5c2eac0d 100644 --- a/transport/internal/dca/dca.go +++ b/internal/dca.go @@ -23,15 +23,14 @@ // // This package is not intended for use by end developers. Use the // google.golang.org/api/option package to configure API clients. -package dca +package internal import ( "net/url" "os" "strings" - "google.golang.org/api/internal" - "google.golang.org/api/transport/cert" + "google.golang.org/api/internal/cert" ) const ( @@ -43,7 +42,7 @@ const ( // GetClientCertificateSourceAndEndpoint is a convenience function that invokes // getClientCertificateSource and getEndpoint sequentially and returns the client // cert source and endpoint as a tuple. -func GetClientCertificateSourceAndEndpoint(settings *internal.DialSettings) (cert.Source, string, error) { +func GetClientCertificateSourceAndEndpoint(settings *DialSettings) (cert.Source, string, error) { clientCertSource, err := getClientCertificateSource(settings) if err != nil { return nil, "", err 
@@ -65,7 +64,7 @@ func GetClientCertificateSourceAndEndpoint(settings *internal.DialSettings) (cer // Important Note: For now, the environment variable GOOGLE_API_USE_CLIENT_CERTIFICATE // must be set to "true" to allow certificate to be used (including user provided // certificates). For details, see AIP-4114. -func getClientCertificateSource(settings *internal.DialSettings) (cert.Source, error) { +func getClientCertificateSource(settings *DialSettings) (cert.Source, error) { if !isClientCertificateEnabled() { return nil, nil } else if settings.ClientCertSource != nil { @@ -94,7 +93,7 @@ func isClientCertificateEnabled() bool { // URL (ex. https://...), then the user-provided address will be merged into // the default endpoint. For example, WithEndpoint("myhost:8000") and // WithDefaultEndpoint("https://foo.com/bar/baz") will return "https://myhost:8080/bar/baz" -func getEndpoint(settings *internal.DialSettings, clientCertSource cert.Source) (string, error) { +func getEndpoint(settings *DialSettings, clientCertSource cert.Source) (string, error) { if settings.Endpoint == "" { mtlsMode := getMTLSMode() if mtlsMode == mTLSModeAlways || (clientCertSource != nil && mtlsMode == mTLSModeAuto) { diff --git a/transport/internal/dca/dca_test.go b/internal/dca_test.go similarity index 95% rename from transport/internal/dca/dca_test.go rename to internal/dca_test.go index 8597d090815..6ff7ad91531 100644 --- a/transport/internal/dca/dca_test.go +++ b/internal/dca_test.go @@ -2,14 +2,12 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -package dca +package internal import ( "testing" "crypto/tls" - - "google.golang.org/api/internal" ) func TestGetEndpoint(t *testing.T) { @@ -51,7 +49,7 @@ func TestGetEndpoint(t *testing.T) { } for _, tc := range testCases { - got, err := getEndpoint(&internal.DialSettings{ + got, err := getEndpoint(&DialSettings{ Endpoint: tc.UserEndpoint, DefaultEndpoint: tc.DefaultEndpoint, }, nil) 
@@ -106,7 +104,7 @@ func TestGetEndpointWithClientCertSource(t *testing.T) { } for _, tc := range testCases { - got, err := getEndpoint(&internal.DialSettings{ + got, err := getEndpoint(&DialSettings{ Endpoint: tc.UserEndpoint, DefaultEndpoint: tc.DefaultEndpoint, DefaultMTLSEndpoint: tc.DefaultMTLSEndpoint, diff --git a/transport/internal/ecp/test_signer.go b/internal/ecp/test_signer.go similarity index 100% rename from transport/internal/ecp/test_signer.go rename to internal/ecp/test_signer.go diff --git a/transport/grpc/dial.go b/transport/grpc/dial.go index efcc8e6c641..c76894ff4c6 100644 --- a/transport/grpc/dial.go +++ b/transport/grpc/dial.go @@ -21,7 +21,6 @@ import ( "golang.org/x/oauth2" "google.golang.org/api/internal" "google.golang.org/api/option" - "google.golang.org/api/transport/internal/dca" "google.golang.org/grpc" "google.golang.org/grpc/credentials" grpcgoogle "google.golang.org/grpc/credentials/google" @@ -123,7 +122,7 @@ func dial(ctx context.Context, insecure bool, o *internal.DialSettings) (*grpc.C if o.GRPCConn != nil { return o.GRPCConn, nil } - clientCertSource, endpoint, err := dca.GetClientCertificateSourceAndEndpoint(o) + clientCertSource, endpoint, err := internal.GetClientCertificateSourceAndEndpoint(o) if err != nil { return nil, err } diff --git a/transport/http/dial.go b/transport/http/dial.go index 47568a4061d..3b1be000766 100644 --- a/transport/http/dial.go +++ b/transport/http/dial.go @@ -21,9 +21,8 @@ import ( "google.golang.org/api/googleapi/transport" "google.golang.org/api/internal" "google.golang.org/api/option" - "google.golang.org/api/transport/cert" + "google.golang.org/api/internal/cert" "google.golang.org/api/transport/http/internal/propagation" - "google.golang.org/api/transport/internal/dca" ) // NewClient returns an HTTP client for use communicating with a Google cloud 
@@ -34,7 +33,7 @@ func NewClient(ctx context.Context, opts ...option.ClientOption) (*http.Client, if err != nil { return nil, "", err } - clientCertSource, endpoint, err := dca.GetClientCertificateSourceAndEndpoint(settings) + clientCertSource, endpoint, err := internal.GetClientCertificateSourceAndEndpoint(settings) if err != nil { return nil, "", err } From 56ed1616c7f6068bbbb8b79211f799fbcd0c1eb3 Mon Sep 17 00:00:00 2001 From: Andy Zhao Date: Fri, 3 Mar 2023 11:34:14 -0800 Subject: [PATCH 4/9] internal: Refactor cert logic to support token exchange over mTLS part 2 --- internal/creds.go | 57 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 47 insertions(+), 10 deletions(-) diff --git a/internal/creds.go b/internal/creds.go index 8f9e6a6702e..c3fc25d9d69 100644 --- a/internal/creds.go +++ b/internal/creds.go @@ -6,12 +6,14 @@ package internal import ( "context" + "crypto/tls" "encoding/json" "errors" "fmt" "io/ioutil" - //"log" - "crypto/tls" + "net" + "net/http" + "time" "golang.org/x/oauth2" "google.golang.org/api/internal/impersonate" 
@@ -82,18 +84,21 @@ const (
 // - Otherwise, executes standard OAuth 2.0 flow
 // More details: google.aip.dev/auth/4111
 func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*google.Credentials, error) {
- // By default, a standard OAuth 2.0 token source is created
 var params google.CredentialsParams
 params.Scopes = ds.GetScopes()
- var oauthds DialSettings
- oauthds.DefaultEndpoint = google.Endpoint.TokenURL
- oauthds.DefaultMTLSEndpoint = google.MTLSTokenURL
- oauthds.ClientCertSource = ds.ClientCertSource
- clientCertSource,oauthendpoint,err := GetClientCertificateSourceAndEndpoint(&oauthds);
- params.TLSConfig = &tls.Config{
+
+ // Determine configurations for the OAuth2 transport, which is separate from the API transport.
+ // The OAuth2 transport and endpoint will be configured for mTLS if applicable.
+ clientCertSource, oauth2Endpoint, err := GetClientCertificateSourceAndEndpoint(oauth2DialSettings(ds))
+ params.TokenURL = oauth2Endpoint
+ if clientCertSource != nil {
+ tlsConfig := &tls.Config{
 GetClientCertificate: clientCertSource,
 }
- params.TokenURL = oauthendpoint
+ ctx = context.WithValue(ctx, oauth2.HTTPClient, customHTTPClient(tlsConfig))
+ }
+
+ // By default, a standard OAuth 2.0 token source is created
 cred, err := google.CredentialsFromJSONWithParams(ctx, data, params)
 if err != nil {
 return nil, err
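Review bot: `ctx = context.WithValue(ctx, oauth2.HTTPClient, customHTTPClient(tlsConfig))` unconditionally replaces whatever *http.Client a caller may already have stored under oauth2.HTTPClient in ctx (for proxying, tracing or test fakes), and nothing in the hunk reads the existing value first; if that precedence is intended, state it next to the line, e.g. `// Overrides any oauth2.HTTPClient already in ctx: the token exchange must use the mTLS transport.`, otherwise consider reusing the caller's client with only its TLSClientConfig replaced. The tls.Config sets only GetClientCertificate; Go's client-side default minimum has been TLS 1.2 since 1.18, so `MinVersion: tls.VersionTLS12` is not strictly required but documents the floor for a connection that carries credentials. The relocated `// By default, a standard OAuth 2.0 token source is created` now sits above a call that may already be mTLS-customised, so `// Create the token source; it uses the mTLS transport configured above when a client certificate is available.` describes the new flow more accurately. credentialsFromJSON continues past the end of the hunk.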
@@ -170,3 +175,35 @@ func impersonateCredentials(ctx context.Context, creds *google.Credentials, ds *
 ProjectID: creds.ProjectID,
 }, nil
 }
+
+// oauth2DialSettings returns the settings to be used by the OAuth2 transport, which is separate from the API transport.
+func oauth2DialSettings(ds *DialSettings) *DialSettings {
+ var ods DialSettings
+ ods.DefaultEndpoint = google.Endpoint.TokenURL
+ ods.DefaultMTLSEndpoint = google.MTLSTokenURL
+ ods.ClientCertSource = ds.ClientCertSource
+ return &ods
+}
+
+// customHTTPClient constructs an HTTPClient using the provided tlsConfig, to support mTLS.
+func customHTTPClient(tlsConfig *tls.Config) *http.Client {
+ trans := baseTransport()
+ trans.TLSClientConfig = tlsConfig
+ return &http.Client{Transport: trans}
+}
+
+func baseTransport() *http.Transport {
+ return &http.Transport{
+ Proxy: http.ProxyFromEnvironment,
+ DialContext: (&net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ DualStack: true,
+ }).DialContext,
+ MaxIdleConns: 100,
+ MaxIdleConnsPerHost: 100,
+ IdleConnTimeout: 90 * time.Second,
+ TLSHandshakeTimeout: 10 * time.Second,
+ ExpectContinueTimeout: 1 * time.Second,
+ }
+}
From b0209d758dba288156d3031a32b575fb7c9f6241 Mon Sep 17 00:00:00 2001
From: Andy Zhao
Date: Tue, 7 Mar 2023 09:41:33 -0800
Subject: [PATCH 5/9] chore: Upgrade oauth2 version to v0.6.0
---
 go.mod | 8 ++++----
 go.sum | 26 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index f3b8a36fd0f..c2ff8adc97a 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,8 @@ require (
 github.com/googleapis/enterprise-certificate-proxy v0.2.3
 github.com/googleapis/gax-go/v2 v2.7.0
 go.opencensus.io v0.24.0
- golang.org/x/net v0.7.0
- golang.org/x/oauth2 v0.5.0
+ golang.org/x/net v0.8.0
+ golang.org/x/oauth2 v0.6.0
 golang.org/x/sync v0.1.0
 google.golang.org/appengine v1.6.7
 google.golang.org/genproto v0.0.0-20230223222841-637eb2293923
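Review bot: baseTransport mirrors most of http.DefaultTransport's settings but omits `ForceAttemptHTTP2: true`; because it also supplies a custom DialContext and customHTTPClient then sets a non-nil TLSClientConfig, net/http will not negotiate HTTP/2 on this transport, so mTLS token-endpoint calls silently fall back to HTTP/1.1 while the non-mTLS path keeps HTTP/2. Cloning the default transport instead, `trans := http.DefaultTransport.(*http.Transport).Clone()`, keeps the two in step and removes the hand-copied list; `DualStack: true` is a deprecated no-op in net.Dialer and can be dropped either way. The returned http.Client has no Timeout, so a stalled token exchange blocks until the caller's ctx deadline fires — acceptable only if every caller passes one. baseTransport is the one new function without a doc comment; `// baseTransport returns a transport equivalent to http.DefaultTransport for the OAuth2 client.` would cover it.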
@@ -22,6 +22,6 @@ require ( cloud.google.com/go/compute v1.18.0 // indirect github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect github.com/golang/protobuf v1.5.2 // indirect - golang.org/x/sys v0.5.0 // indirect - golang.org/x/text v0.7.0 // indirect + golang.org/x/sys v0.6.0 // indirect + golang.org/x/text v0.8.0 // indirect ) diff --git a/go.sum b/go.sum index 17336876a71..91227b32215 100644 --- a/go.sum +++ b/go.sum 
@@ -71,11 +71,23 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +<<<<<<< HEAD golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= +======= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw= +golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= +>>>>>>> 736cf457b1 (chore: Upgrade oauth2 version to v0.6.0) golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -85,6 +97,7 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +<<<<<<< HEAD golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -92,6 +105,19 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +======= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= +golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +>>>>>>> 736cf457b1 (chore: Upgrade oauth2 version to v0.6.0) golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= From bca0958e62f9d846aa9598e6bd4df8b7e5f6b177 Mon Sep 17 00:00:00 2001 From: Andy Zhao Date: Tue, 7 Mar 2023 09:53:50 -0800 Subject: [PATCH 6/9] chore: Fix go.sum --- go.sum | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/go.sum b/go.sum index 91227b32215..8b1d52e8710 100644 --- a/go.sum +++ b/go.sum 
@@ -71,23 +71,11 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -<<<<<<< HEAD -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= -golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= -======= -golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= -golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk= -golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw= golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= ->>>>>>> 736cf457b1 (chore: Upgrade oauth2 version to v0.6.0) golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -97,27 +85,13 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -<<<<<<< HEAD -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -======= -golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg= -golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= -golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= ->>>>>>> 736cf457b1 (chore: Upgrade oauth2 version to v0.6.0) golang.org/x/tools 
v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= From 579122905514a763d20677536cb2626b24cb500f Mon Sep 17 00:00:00 2001 From: Andy Zhao Date: Tue, 7 Mar 2023 14:43:47 -0800 Subject: [PATCH 7/9] internal: gofmt --- transport/http/dial.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/transport/http/dial.go b/transport/http/dial.go index 3b1be000766..4f7f44e8dbf 100644 --- a/transport/http/dial.go +++ b/transport/http/dial.go @@ -20,8 +20,8 @@ import ( "golang.org/x/oauth2" "google.golang.org/api/googleapi/transport" "google.golang.org/api/internal" - "google.golang.org/api/option" "google.golang.org/api/internal/cert" + "google.golang.org/api/option" "google.golang.org/api/transport/http/internal/propagation" ) From 0d71fb25901d3ac0ac4095422fcb813915684f49 Mon Sep 17 00:00:00 2001 From: Andy Zhao Date: Tue, 7 Mar 2023 15:35:22 -0800 Subject: [PATCH 8/9] internal: package internal comment --- internal/dca.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/internal/dca.go b/internal/dca.go index 11b5c2eac0d..204a3fd2f3f 100644 --- a/internal/dca.go +++ b/internal/dca.go @@ -23,6 +23,8 @@ // // This package is not intended for use by end developers. Use the // google.golang.org/api/option package to configure API clients. + +// Package internal supports the options and transport packages. package internal import ( From 197ea6a72b7d1701960d575a926b66aae1b9cb8d Mon Sep 17 00:00:00 2001 From: Andy Zhao Date: Tue, 7 Mar 2023 16:17:01 -0800 Subject: [PATCH 9/9] internal: handle err in creds.go --- internal/creds.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/internal/creds.go b/internal/creds.go index c3fc25d9d69..69b186b70a7 100644 --- a/internal/creds.go +++ b/internal/creds.go 
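Review bot: The new `// Package internal supports the options and transport packages.` comment is inserted after a blank line, which leaves the older block above it (`// This package is not intended for use by end developers...`) as a detached comment whose "This package" now refers to package internal rather than the former dca package. Fold the two into one doc comment directly above the package clause, e.g. `// Package internal supports the options and transport packages. It is not intended for use by end developers; use google.golang.org/api/option to configure API clients.`. If another file in package internal already carries a package comment (creds.go is part of this same series), godoc concatenates them, so keep exactly one.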
@@ -90,6 +90,9 @@ func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*g
 // Determine configurations for the OAuth2 transport, which is separate from the API transport.
 // The OAuth2 transport and endpoint will be configured for mTLS if applicable.
 clientCertSource, oauth2Endpoint, err := GetClientCertificateSourceAndEndpoint(oauth2DialSettings(ds))
+ if err != nil {
+ return nil, err
+ }
 params.TokenURL = oauth2Endpoint
 if clientCertSource != nil {
 tlsConfig := &tls.Config{
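Review bot: The added check returns the raw error from GetClientCertificateSourceAndEndpoint, which loses the fact that it arose while setting up the OAuth2 transport rather than the API transport; wrapping it, `return nil, fmt.Errorf("configuring oauth2 transport for mtls: %w", err)`, keeps errors.Is/As working and makes a malformed ECP configuration diagnosable from the credential-loading error (fmt is already imported in creds.go). Failing here is also a behaviour change from the previous patch, where the error was discarded and credential loading continued with the default token URL; failing closed is the safer choice for a credential-bearing connection and deserves a sentence in the change description. credentialsFromJSON continues past both ends of the hunk.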