feat: Support transport and binding-enforcement MDS parameters. #1558
Conversation
rmehta19
force-pushed
the
mds-cred-token-req-param
branch
from
04db8a3 to
91dba11
Compare
|
cc: @rockspore |
| @@ -696,6 +725,14 @@ public Collection<String> getDefaultScopes() { | |||
| return defaultScopes; | |||
| } | |||
|
|
|||
| public String getTransport() { | |||
There was a problem hiding this comment.
Please provide javadoc on these, pointing to publicly documented Metadata Service parameters.
There was a problem hiding this comment.
Discussed offline: We will update public MDS docs when the feature is non-experimental. Since the usage of the S2A + MTLS + bound tokens flow is guarded by an environment variable (EXPERIMENTAL_GOOGLE_API_USE_S2A). Until the public docs are updated, we can link to AIP here and #1400 (AIP already linked in this merged PR).
product-auto-label
bot
added
size: m
|
| if (!transport.isEmpty()) { | ||
| tokenUrl.set("transport", transport); | ||
| } | ||
| if (!bindingEnforcement.isEmpty()) { | ||
| tokenUrl.set("binding-enforcement", bindingEnforcement); | ||
| } |
There was a problem hiding this comment.
I think this should be null and empty check. Setter can set a null value unless we want to add a check there
There was a problem hiding this comment.
Thanks for pointing that out, done in 9d46bbd
| private String transport = ""; | ||
| private String bindingEnforcement = ""; |
There was a problem hiding this comment.
nit:
| private String transport = ""; | |
| private String bindingEnforcement = ""; | |
| private String transport; | |
| private String bindingEnforcement; |
|
Update to use conventional commits: |
rmehta19
changed the title
|
Thanks for the review @lqiu96 ! |
| @@ -200,6 +218,16 @@ String createTokenUrlWithScopes() { | |||
| if (!scopes.isEmpty()) { | |||
| tokenUrl.set("scopes", Joiner.on(',').join(scopes)); | |||
| } | |||
| if (transport == Transport.MTLS) { | |||
| tokenUrl.set("transport", "mtls"); | |||
There was a problem hiding this comment.
Fields can be added to the Enum class, so that each Enum can have its own label, then you can just do tokenUrl.set("transport", transport.getLabel()). See this example.
There was a problem hiding this comment.
Thanks for pointing this out! Done in latest commit.
| @@ -109,6 +109,16 @@ public class ComputeEngineCredentials extends GoogleCredentials | |||
| static final int MAX_COMPUTE_PING_TRIES = 3; | |||
| static final int COMPUTE_PING_CONNECTION_TIMEOUT_MS = 500; | |||
|
|
|||
| public enum Transport { | |||
There was a problem hiding this comment.
I know the it is called transport in the token url, but since Transport in GAPIC has different meaning (the value of it is either gRPC or httpJson), can we name this differently? Maybe AuthTransport? Javadocs for what ALTS and MTLS mean would also be appreciated.
There was a problem hiding this comment.
Renamed to AuthTransport in latest commit and added some javadocs. Thanks!
| // Binding enforcement will always happen, irrespective of the IAM policy. | ||
| ON("on"), | ||
| // Binding enforcement will depend on IAM policy. | ||
| IAMPOLICY("iam-policy"); |
There was a problem hiding this comment.
| IAMPOLICY("iam-policy"); | |
| IAM_POLICY("iam-policy"); |
I believe the convention is underscore to separate the words for constants
| @CanIgnoreReturnValue | ||
| public Builder setTransport(AuthTransport transport) { | ||
| this.transport = transport; | ||
| return this; | ||
| } | ||
|
|
||
| @CanIgnoreReturnValue | ||
| public Builder setBindingEnforcement(BindingEnforcement bindingEnforcement) { | ||
| this.bindingEnforcement = bindingEnforcement; | ||
| return this; | ||
| } |
There was a problem hiding this comment.
can you some small/ simple javadocs for these public setters?
| public AuthTransport getTransport() { | ||
| return transport; | ||
| } | ||
|
|
||
| public BindingEnforcement getBindingEnforcement() { | ||
| return bindingEnforcement; | ||
| } | ||
|
|
There was a problem hiding this comment.
same here. also if it's returning AuthTransport, can it be getAuthTransport()?
oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
Show resolved
Hide resolved
| @@ -109,6 +109,40 @@ public class ComputeEngineCredentials extends GoogleCredentials | |||
| static final int MAX_COMPUTE_PING_TRIES = 3; | |||
| static final int COMPUTE_PING_CONNECTION_TIMEOUT_MS = 500; | |||
|
|
|||
| public enum AuthTransport { | |||
There was a problem hiding this comment.
I think AuthTransport is ok for this. I would prefer if this could be more specific if possible.
Is there a term for alts and mtls type of transport that we can use? Does TlsTransport make sense? I don't know if TLS has a transport concept or if that would be confusing.
GoogleMtlsTransport? Though I'm not sure mtls/atls are google specific terms
There was a problem hiding this comment.
TLDR: WDYT of GoogleAuthTransport?
I think AuthTransport is ok for this. I would prefer if this could be more specific if possible.
We generally call this "transport type": describes how the client is authenticating to Google APIS either via GFE (using mtls) or via DirectPath (using alts). However Blake mentioned above that transport has a different meaning in Client libraries (grpc vs http), so it would be good to clarify to something more specific, which is how we landed on AuthTransport initially.
Is there a term for alts and mtls type of transport that we can use? Does TlsTransport make sense? I don't know if TLS has a transport concept or if that would be confusing.
TLS is the security protocol being used, it's used in both mtls and alts. mtls is mutually authenticated TLS, alts is (in short) "Google-optimized" mtls (see public docs).
In the enum name, I think we want to focus on how clients are authenticating to Google APIS, not details of the protocol being used (mtls vs alts). How about GoogleAuthTransport? I think this captures that the enum is listing different ways to ways clients can authenticate to Google APIs.
GoogleMtlsTransport? Though I'm not sure mtls/atls are google specific terms.
I think this name would be ok. One thing is that mtls via GFE strictly adheres to the TLS standard (i.e. not Google specific). Whereas alts is a Google specific protocol.
I've done this in 8ce3a4d, let me know if the name sounds ok.
Thanks @lqiu96 ! Addressed. Would you be able to merge if the changes look good to you? |
| // Experimental Feature: | ||
| // Behavior of setting {@link GoogleAuthTransport} / {@link BindingEnforcement}: | ||
| // - MTLS-bound token where binding enforcement depends on IAM policy: MTLS / {}, {} / IAM_POLICY, | ||
| // MTLS / IAM_POLICY | ||
| // - MTLS-bound token where bindings are always enforced: {} / ON, MTLS / ON | ||
| // - DirectPath bound token: ALTS / {} |
There was a problem hiding this comment.
Can you move this into the javadocs for GoogleAuthTransport so it can be referenced for users in the future?
Yep lgtm, feel free to merge |
Thanks @lqiu96 ! I don't have write permissions on this repo; would you be able to merge? |
| // Experimental Feature: | ||
| // |
There was a problem hiding this comment.
Thanks for catching! removed.
| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [org.jetbrains:annotations](https://github.com/JetBrains/java-annotations) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `26.0.1` -> `26.0.2` | | [io.grpc:grpc-stub](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.69.1` -> `1.70.0` | | [io.grpc:grpc-protobuf](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.69.1` -> `1.70.0` | | [io.grpc:grpc-netty](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.69.1` -> `1.70.0` | | [io.grpc:protoc-gen-grpc-java](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.69.1` -> `1.70.0` | | [io.grpc:grpc-bom](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.69.1` -> `1.70.0` | | [io.grpc:grpc-api](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.69.1` -> `1.70.0` | | [com.google.api-client:google-api-client](https://github.com/googleapis/google-api-java-client) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.7.1` -> `2.7.2` | | [com.squareup.wire:wire-schema](https://github.com/square/wire) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `5.0.0` -> `5.2.1` | | [com.squareup.wire:wire-runtime](https://github.com/square/wire) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `5.0.0` -> `5.2.1` | | [com.squareup.wire:wire-reflector](https://github.com/square/wire) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `5.0.0` -> `5.2.1` | | [com.squareup.wire:wire-moshi-adapter](https://github.com/square/wire) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `5.0.0` -> `5.2.1` | | [com.squareup.wire:wire-grpc-client](https://github.com/square/wire) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `5.0.0` -> `5.2.1` | | [com.squareup.wire:wire-gradle-plugin](https://github.com/square/wire) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `5.0.0` -> `5.2.1` | | [com.squareup.wire:wire-bom](https://github.com/square/wire) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `5.0.0` -> `5.2.1` | | [com.google.auth:google-auth-library-oauth2-http](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.30.1` -> `1.31.0` | | [com.google.auth:google-auth-library-credentials](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.30.1` -> `1.31.0` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.45.1` -> `1.45.2` | | [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.45.1` -> `1.45.2` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.2` -> `2.30.4` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.2` -> `2.30.4` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.2` -> `2.30.4` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.2` -> `2.30.4` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.2` -> `2.30.4` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.2` -> `2.30.4` | --- ### Release Notes <details> <summary>JetBrains/java-annotations (org.jetbrains:annotations)</summary> ### [`v26.0.2`](https://github.com/JetBrains/java-annotations/blob/HEAD/CHANGELOG.md#Version-2602) [Compare Source](JetBrains/java-annotations@26.0.1...26.0.2) - Fixed missing klibs for apple artifacts. </details> <details> <summary>googleapis/google-api-java-client (com.google.api-client:google-api-client)</summary> ### [`v2.7.2`](https://github.com/googleapis/google-api-java-client/blob/HEAD/CHANGELOG.md#272-2025-01-22) ##### Bug Fixes - Add warnings to users about using credentials from external sources ([#​2551](googleapis/google-api-java-client#2551)) ([3bb2879](googleapis/google-api-java-client@3bb2879)) </details> <details> <summary>square/wire (com.squareup.wire:wire-schema)</summary> ### [`v5.2.1`](https://github.com/square/wire/blob/HEAD/CHANGELOG.md#Version-521) [Compare Source](square/wire@5.2.0...5.2.1) *2025-01-07* ##### JVM generation - Fix support for mutable messages in Wire's Kotlin Generator. ([#​3233](square/wire#3233) by \[Rahul Ravikumar]\[tikurahul]) ### [`v5.2.0`](https://github.com/square/wire/blob/HEAD/CHANGELOG.md#Version-520) [Compare Source](square/wire@5.1.0...5.2.0) *2025-01-06* ##### Common - Enforce recursion limit when parsing nested groups. ([#​3119](square/wire#3119)) ##### CLI `wire-compiler` - It is now possible to set multiple targets. ([#​3106](square/wire#3106) & [#​3107](square/wire#3107)) - The option `opaque_types` introduced in `4.9.2` for the Wire Gradle plugin is now available on CLI. ([#​3147](square/wire#3147)) ##### JVM generation - [KotlinPoet has been updated to `2.0.0`](https://square.github.io/kotlinpoet/changelog/#version-200) which dramatically changes how generated Kotlin files are wrapped. This is neither a source nor a binary breaking changes. - A new `@WireEnclosingType` annotation is now applied to generated types so R8 doesn't prune too much. ([#​3123](square/wire#3123)) - Split the redact method into chunks when a type has more than 100 fields to avoid compilation error. ([#​3214](square/wire#3214) by \[Damian Wieczorek]\[damianw]) - Add support for mutable messages in Wire's Kotlin Generator. ([#​3217](square/wire#3217) by \[Rahul Ravikumar]\[tikurahul]) - You can opt-in by adding `mutableTypes = true` on your Kotlin target. This is unsafe and we do not recommend that you use it unless you have a sound use-case for it. - Wire is now using Palantir's JavaPoet instead of Square's JavaPoet. ##### Swift - Fix buffer overflow and data corruption when a type has more than 5 layers of nesting ([#​3203](square/wire#3203) by \[Eric Amorde]\[amorde]) ### [`v5.1.0`](https://github.com/square/wire/blob/HEAD/CHANGELOG.md#Version-510) [Compare Source](square/wire@5.0.0...5.1.0) *2024-09-11* ##### Common - Support for Kotlin `2.0.20`. ([#​3093](square/wire#3093)) - `srcDir(String)` has been undeprecated. ([#​3039](square/wire#3039)) - Some loggings now happen at the debug level, instead of info. ([#​3041](square/wire#3041)) - Remove some unactionable warnings on Kotlin/JS ([#​3047](square/wire#3047)) - Propagate the deprecated flag on EnumType after pruning by wire-gradle-plugin ([#​3076](square/wire#3076) by \[Aaron Edwards]\[aaron-edwards]) - Introduce `ProtoReader32`, a specialization for Kotlin/JS ([#​3077](square/wire#3077)) This is an alternative to `ProtoReader`, which uses `Long` as a cursor. It originates as an optimization for Kotlin/JS, where `Long` cursors are prohibitively expensive. - Fix Gradle project isolation issue when reading a property ([#​3078](square/wire#3078) by \[Aurimas]\[liutikas]) - Change the recursion limit to match grpc's default ([#​3091](square/wire#3091)) ##### Kotlin - New enum option `enum_mode` to take precedence over the `enumMode` option added in `5.0.0-alpha02`. Use this if you want to migrate your enums granularly. ([#​2993](square/wire#2993)) - Don't throw if reading trailers fail ([#​3087](square/wire#3087)) ##### Swift - Avoid crash when parsing an empty repeated `[packed=true]` for fixed-length types. ([#​3044](square/wire#3044) by \[Sasha Weiss]\[sashaweiss-signal]) </details> <details> <summary>googleapis/google-auth-library-java (com.google.auth:google-auth-library-oauth2-http)</summary> ### [`v1.31.0`](https://github.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1310-2025-01-22) ##### Features - ImpersonatedCredentials to support universe domain for idtoken and signblob ([#​1566](googleapis/google-auth-library-java#1566)) ([adc2ff3](googleapis/google-auth-library-java@adc2ff3)) - Support transport and binding-enforcement MDS parameters. ([#​1558](googleapis/google-auth-library-java#1558)) ([9828a8e](googleapis/google-auth-library-java@9828a8e)) ##### Documentation - Promote use of bill of materials in quickstart documentation ([#​1620](googleapis/google-auth-library-java#1620)) ([fc20d9c](googleapis/google-auth-library-java@fc20d9c)), closes [#​1552](googleapis/google-auth-library-java#1552) </details> <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.45.2`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.45.2): 1.45.2 ##### Components ##### Application Security Management (WAF) - 🐛 🍒 8258 - Prevents a NPE when there is no subscriber for user events ([#​8260](DataDog/dd-trace-java#8260) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 12db0f59db2e6ebf55203c87fccab042d495106a
No description provided.