From 635f91e8c0a4c39beacbbe1a91ee3a2f60eb6315 Mon Sep 17 00:00:00 2001
From: Daniel Azuma
Date: Thu, 25 Jan 2024 18:05:54 -0800
Subject: [PATCH] feat(core): Verify credential universe domain against configured universe domain (#17569)
---
.../lib/google/apis/core/base_service.rb | 19 ++++++++++++++
google-apis-core/lib/google/apis/errors.rb | 4 +++
.../spec/google/apis/core/service_spec.rb | 26 +++++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/google-apis-core/lib/google/apis/core/base_service.rb b/google-apis-core/lib/google/apis/core/base_service.rb
index 43f0c1575c0..8287974a678 100644
--- a/google-apis-core/lib/google/apis/core/base_service.rb
+++ b/google-apis-core/lib/google/apis/core/base_service.rb
@@ -336,6 +336,20 @@ def fetch_all(max: nil, items: :items, cache: true, response_page_token: :next_p
 return PagedResults.new(self, max: max, items: items, cache: cache, response_page_token: response_page_token, &block)
 end
+ # Verify that the universe domain setting matches the universe domain
+ # in the credentials, if present.
+ #
+ # @raise [Google::Apis::UniverseDomainError] if there is a mismatch
+ def verify_universe_domain!
+ auth = authorization
+ auth_universe_domain = auth.universe_domain if auth.respond_to? :universe_domain
+ if auth_universe_domain && auth_universe_domain != universe_domain
+ raise UniverseDomainError,
+ "Universe domain is #{universe_domain} but credentials are in #{auth_universe_domain}"
+ end
+ true
+ end
+
 protected
 # Create a new upload command.
@@ -348,6 +362,7 @@ def fetch_all(max: nil, items: :items, cache: true, response_page_token: :next_p
 # Request-specific options
 # @return [Google::Apis::Core::UploadCommand]
 def make_upload_command(method, path, options)
+ verify_universe_domain!
 template = Addressable::Template.new(root_url + upload_path + path)
 if batch?
 command = MultipartUploadCommand.new(method, template, client_version: client_version)
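Review bot: `verify_universe_domain!` fails open when the credential object does not respond to `universe_domain` or returns nil, so a bare token string or a credential type without that accessor is used against whatever universe the service is configured for, with no check at all. If that is the intended contract, the doc comment should state it explicitly, for example `# Credentials that do not expose a universe domain are not checked.`; if it is not, consider treating a missing value as the default universe and comparing anyway. The comparison is also an exact string match, so two values that differ only in letter case would raise; comparing `auth_universe_domain.to_s.downcase` with `universe_domain.to_s.downcase` would avoid that spurious failure.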
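Review bot: The check added at the top of `make_upload_command` reads the service-level `authorization`, while the command's options come from `request_options.merge(options)` (visible in the neighbouring `make_*` hunks), so a credential supplied per request in `options` would presumably never be compared with the configured universe domain. The same applies to the calls added in `make_storage_upload_command`, `make_download_command`, `make_storage_download_command` and `make_simple_command`. Consider verifying the credential the command will actually send, for instance by running the comparison against `command.options.authorization` after the merge, and add a spec that passes a mismatching credential through the per-request options. The method bodies continue outside these hunks, so whether `options` can carry an authorization should be confirmed against `RequestOptions`.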
@@ -372,6 +387,7 @@ def make_upload_command(method, path, options)
 # Request-specific options
 # @return [Google::Apis::Core::StorageUploadCommand]
 def make_storage_upload_command(method, path, options)
+ verify_universe_domain!
 template = Addressable::Template.new(root_url + upload_path + path)
 command = StorageUploadCommand.new(method, template, client_version: client_version)
 command.options = request_options.merge(options)
@@ -389,6 +405,7 @@ def make_storage_upload_command(method, path, options)
 # Request-specific options
 # @return [Google::Apis::Core::DownloadCommand]
 def make_download_command(method, path, options)
+ verify_universe_domain!
 template = Addressable::Template.new(root_url + base_path + path)
 command = DownloadCommand.new(method, template, client_version: client_version)
 command.options = request_options.merge(options)
@@ -408,6 +425,7 @@ def make_download_command(method, path, options)
 # Request-specific options
 # @return [Google::Apis::Core::StorageDownloadCommand]
 def make_storage_download_command(method, path, options)
+ verify_universe_domain!
 template = Addressable::Template.new(root_url + base_path + path)
 command = StorageDownloadCommand.new(method, template, client_version: client_version)
 command.options = request_options.merge(options)
@@ -426,6 +444,7 @@ def make_storage_download_command(method, path, options)
 # Request-specific options
 # @return [Google::Apis::Core::DownloadCommand]
 def make_simple_command(method, path, options)
+ verify_universe_domain!
 full_path =
 if path.start_with? "/"
 path[1..-1]
diff --git a/google-apis-core/lib/google/apis/errors.rb b/google-apis-core/lib/google/apis/errors.rb
index 47b9eda8238..00d6c30b8a6 100644
--- a/google-apis-core/lib/google/apis/errors.rb
+++ b/google-apis-core/lib/google/apis/errors.rb
@@ -89,5 +89,9 @@ class ServerError < Error
 # Error class for problems in batch requests.
 class BatchError < Error
 end
+
+ # Error class for universe domain issues
+ class UniverseDomainError < Error
+ end
 end
 end
diff --git a/google-apis-core/spec/google/apis/core/service_spec.rb b/google-apis-core/spec/google/apis/core/service_spec.rb
index f0bc3886c0a..3d50a9d346b 100644
--- a/google-apis-core/spec/google/apis/core/service_spec.rb
+++ b/google-apis-core/spec/google/apis/core/service_spec.rb
@@ -133,6 +133,13 @@
 expect(a_request(:get, 'https://www.googleapis.com/zoo/animals').with(headers: expected_headers)).to have_been_made
 end
+ it "should verify universe domain" do
+ service.authorization = OpenStruct.new universe_domain: "mydomain.com"
+ expect do
+ command
+ end.to raise_error(Google::Apis::UniverseDomainError)
+ end
+
 include_examples 'with options'
 end
@@ -531,4 +538,23 @@
 service.root_url = "https://endpoint2.$UNIVERSE_DOMAIN$/"
 expect(service.root_url).to eql "https://endpoint2.mydomain6.com/"
 end
+
+ describe "#verify_universe_domain!" do
+ it "should skip universe domain verification if credentials do not have them" do
+ service_ud.authorization = "I have no universe domain"
+ service_ud.verify_universe_domain!
+ end
+
+ it "should verify default universe domain" do
+ service_ud.authorization = OpenStruct.new universe_domain: "googleapis.com"
+ service_ud.verify_universe_domain!
+ end
+
+ it "should raise on universe domain mismatch" do
+ service_ud.authorization = OpenStruct.new universe_domain: "mydomain.com"
+ expect do
+ service_ud.verify_universe_domain!
+ end.to raise_error(Google::Apis::UniverseDomainError)
+ end
+ end
 end
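Review bot: The first two examples under `#verify_universe_domain!` contain no expectation, so they pass on any return value and fail only if an exception escapes; asserting the documented result with `expect(service_ud.verify_universe_domain!).to be true` would pin the behaviour. There is also no example for a credential that responds to `universe_domain` but returns nil, which is the other branch that skips the comparison. Both skip paths decide whether a credential is used without a domain check, so each deserves an explicit example.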