feat(core): Verify credential universe domain against configured univ…
…erse domain (#17569)
dazuma authored Jan 26, 2024
1 parent 3fc901f commit 635f91e
Showing 3 changed files with 49 additions and 0 deletions.
19 changes: 19 additions & 0 deletions google-apis-core/lib/google/apis/core/base_service.rb
Expand Up @@ -336,6 +336,20 @@ def fetch_all(max: nil, items: :items, cache: true, response_page_token: :next_p
return PagedResults.new(self, max: max, items: items, cache: cache, response_page_token: response_page_token, &block)
end

# Verify that the universe domain setting matches the universe domain
# in the credentials, if present.
#
# @raise [Google::Apis::UniverseDomainError] if there is a mismatch
def verify_universe_domain!
auth = authorization
auth_universe_domain = auth.universe_domain if auth.respond_to? :universe_domain
if auth_universe_domain && auth_universe_domain != universe_domain
raise UniverseDomainError,
"Universe domain is #{universe_domain} but credentials are in #{auth_universe_domain}"
end
true
end

protected

# Create a new upload command.
Expand All @@ -348,6 +362,7 @@ def fetch_all(max: nil, items: :items, cache: true, response_page_token: :next_p
# Request-specific options
# @return [Google::Apis::Core::UploadCommand]
def make_upload_command(method, path, options)
verify_universe_domain!
template = Addressable::Template.new(root_url + upload_path + path)
if batch?
command = MultipartUploadCommand.new(method, template, client_version: client_version)
Expand All @@ -372,6 +387,7 @@ def make_upload_command(method, path, options)
# Request-specific options
# @return [Google::Apis::Core::StorageUploadCommand]
def make_storage_upload_command(method, path, options)
verify_universe_domain!
template = Addressable::Template.new(root_url + upload_path + path)
command = StorageUploadCommand.new(method, template, client_version: client_version)
command.options = request_options.merge(options)
Expand All @@ -389,6 +405,7 @@ def make_storage_upload_command(method, path, options)
# Request-specific options
# @return [Google::Apis::Core::DownloadCommand]
def make_download_command(method, path, options)
verify_universe_domain!
template = Addressable::Template.new(root_url + base_path + path)
command = DownloadCommand.new(method, template, client_version: client_version)
command.options = request_options.merge(options)
Expand All @@ -408,6 +425,7 @@ def make_download_command(method, path, options)
# Request-specific options
# @return [Google::Apis::Core::StorageDownloadCommand]
def make_storage_download_command(method, path, options)
verify_universe_domain!
template = Addressable::Template.new(root_url + base_path + path)
command = StorageDownloadCommand.new(method, template, client_version: client_version)
command.options = request_options.merge(options)
Expand All @@ -426,6 +444,7 @@ def make_storage_download_command(method, path, options)
# Request-specific options
# @return [Google::Apis::Core::DownloadCommand]
def make_simple_command(method, path, options)
verify_universe_domain!
full_path =
if path.start_with? "/"
path[1..-1]
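Review bot: The check in `verify_universe_domain!` reads the service-level credential (`auth = authorization`), but every `make_*_command` that calls it then builds the command's options from `request_options.merge(options)`. If `options` can carry a per-request `authorization` override (its definition is not visible on this page), that credential would be sent without ever being compared to `universe_domain`. Consider letting the method take the effective credential, e.g. `def verify_universe_domain!(auth = authorization)`, and passing the merged options' credential at the five call sites. Separately, the method returns `true` when the credential does not respond to `universe_domain` or returns nil, so the docstring could say so explicitly: `# Credentials that do not expose a universe domain are not checked.` The bodies of the `make_*_command` methods continue outside the hunks.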
4 changes: 4 additions & 0 deletions google-apis-core/lib/google/apis/errors.rb
Expand Up @@ -89,5 +89,9 @@ class ServerError < Error
# Error class for problems in batch requests.
class BatchError < Error
end

# Error class for universe domain issues
class UniverseDomainError < Error
end
end
end
26 changes: 26 additions & 0 deletions google-apis-core/spec/google/apis/core/service_spec.rb
Expand Up @@ -133,6 +133,13 @@
expect(a_request(:get, 'https://www.googleapis.com/zoo/animals').with(headers: expected_headers)).to have_been_made
end

it "should verify universe domain" do
service.authorization = OpenStruct.new universe_domain: "mydomain.com"
expect do
command
end.to raise_error(Google::Apis::UniverseDomainError)
end

include_examples 'with options'
end

Expand Down Expand Up @@ -531,4 +538,23 @@
service.root_url = "https://endpoint2.$UNIVERSE_DOMAIN$/"
expect(service.root_url).to eql "https://endpoint2.mydomain6.com/"
end

describe "#verify_universe_domain!" do
it "should skip universe domain verification if credentials do not have them" do
service_ud.authorization = "I have no universe domain"
service_ud.verify_universe_domain!
end

it "should verify default universe domain" do
service_ud.authorization = OpenStruct.new universe_domain: "googleapis.com"
service_ud.verify_universe_domain!
end

it "should raise on universe domain mismatch" do
service_ud.authorization = OpenStruct.new universe_domain: "mydomain.com"
expect do
service_ud.verify_universe_domain!
end.to raise_error(Google::Apis::UniverseDomainError)
end
end
end
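Review bot: The two non-raising examples under `#verify_universe_domain!` ("should skip universe domain verification…" and "should verify default universe domain") contain no expectation, so they pass on any return value as long as nothing raises. Asserting the documented result would pin the contract, e.g. `expect(service_ud.verify_universe_domain!).to be true`. There is also no example for a credential that responds to `universe_domain` but returns nil, which is the other way through the `if auth_universe_domain && …` guard; `service_ud.authorization = OpenStruct.new universe_domain: nil` would cover it. The enclosing `describe` blocks start outside the hunks.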
