From 0f0a2f07eb7455c98dc29c8c711a666fa6e3a627 Mon Sep 17 00:00:00 2001 From: Cody Oss <6331106+codyoss@users.noreply.github.com> Date: Wed, 17 Apr 2024 13:05:14 -0500 Subject: [PATCH] fix(internal): set scopes for new auth flow (#2525) Also updated a test that relied on impl specific types before. Testing the TokenSource methods instead of NewClient as NewClient defers impl to NewTokenSource anyways. Fixes: #2523 Fixes: #2522 --- idtoken/integration_test.go | 33 ++++++++------------------------- internal/creds.go | 6 +++++- 2 files changed, 13 insertions(+), 26 deletions(-) diff --git a/idtoken/integration_test.go b/idtoken/integration_test.go index 32281fa8507..1fa4149b3de 100644 --- a/idtoken/integration_test.go +++ b/idtoken/integration_test.go @@ -11,7 +11,6 @@ import ( "strings" "testing" - "golang.org/x/oauth2" "golang.org/x/oauth2/google" "google.golang.org/api/idtoken" "google.golang.org/api/option" @@ -49,28 +48,7 @@ func TestNewTokenSource(t *testing.T) { } } -func TestNewClient_WithCredentialFile(t *testing.T) { - if testing.Short() { - t.Skip("skipping integration test") - } - client, err := idtoken.NewClient(context.Background(), aud, option.WithCredentialsFile(os.Getenv(envCredentialFile))) - if err != nil { - t.Fatalf("unable to create Client: %v", err) - } - tok, err := client.Transport.(*oauth2.Transport).Source.Token() - if err != nil { - t.Fatalf("unable to retrieve Token: %v", err) - } - validTok, err := idtoken.Validate(context.Background(), tok.AccessToken, aud) - if err != nil { - t.Fatalf("token validation failed: %v", err) - } - if validTok.Audience != aud { - t.Fatalf("got %q, want %q", validTok.Audience, aud) - } -} - -func TestNewClient_WithCredentialJSON(t *testing.T) { +func TestNewTokenSource_WithCredentialJSON(t *testing.T) { if testing.Short() { t.Skip("skipping integration test") } @@ -79,14 +57,19 @@ func TestNewClient_WithCredentialJSON(t *testing.T) { if err != nil { t.Fatalf("unable to find default creds: %v", err) } - client, err := idtoken.NewClient(ctx, aud, option.WithCredentialsJSON(creds.JSON)) + ts, err := idtoken.NewTokenSource(ctx, aud, option.WithCredentialsJSON(creds.JSON)) if err != nil { t.Fatalf("unable to create Client: %v", err) } - tok, err := client.Transport.(*oauth2.Transport).Source.Token() + tok, err := ts.Token() if err != nil { t.Fatalf("unable to retrieve Token: %v", err) } + req := &http.Request{Header: make(http.Header)} + tok.SetAuthHeader(req) + if !strings.HasPrefix(req.Header.Get("Authorization"), "Bearer ") { + t.Fatalf("token should sign requests with Bearer Authorization header") + } validTok, err := idtoken.Validate(context.Background(), tok.AccessToken, aud) if err != nil { t.Fatalf("token validation failed: %v", err) diff --git a/internal/creds.go b/internal/creds.go index 6ffdd820fae..b6dbace4c97 100644 --- a/internal/creds.go +++ b/internal/creds.go @@ -64,12 +64,16 @@ func credsNewAuth(ctx context.Context, settings *DialSettings) (*google.Credenti useSelfSignedJWT = true } + if len(settings.Scopes) > 0 { + scopes = make([]string, len(settings.Scopes)) + copy(scopes, settings.Scopes) + } if len(settings.Audiences) > 0 { aud = settings.Audiences[0] } // Only default scopes if user did not also set an audience. if len(settings.Scopes) == 0 && aud == "" && len(settings.DefaultScopes) > 0 { - scopes = make([]string, len(scopes)) + scopes = make([]string, len(settings.DefaultScopes)) copy(scopes, settings.DefaultScopes) } if len(scopes) == 0 && aud == "" {