From 2d867b03800ca60be0f722c79d63152ace7d4be3 Mon Sep 17 00:00:00 2001
From: Sita Lakshmi Sangameswaran
Date: Wed, 11 Oct 2023 20:26:05 +0530
Subject: [PATCH] =?UTF-8?q?Revert=20"feat:=20add=20code=20sample=20and=20t?= =?UTF-8?q?est=20for=20getting=20an=20access=20token=20from=20an=20im?= =?UTF-8?q?=E2=80=A6"=20(#1299)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Revert "feat: add code sample and test for getting an access token from an impersonated SA (#1289)"
This reverts commit 826ee4007d3e0600dfdf42383f56dbcf6cdd4cec.
* fix test assertion
---
...ccessTokenFromImpersonatedCredentials.java | 77 -------------------
.../snippets/src/test/java/SnippetsIT.java | 42 +++-------
2 files changed, 12 insertions(+), 107 deletions(-)
delete mode 100644 samples/snippets/src/main/java/AccessTokenFromImpersonatedCredentials.java
diff --git a/samples/snippets/src/main/java/AccessTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/AccessTokenFromImpersonatedCredentials.java
deleted file mode 100644
index 0d8cd962d..000000000
--- a/samples/snippets/src/main/java/AccessTokenFromImpersonatedCredentials.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// [START auth_cloud_accesstoken_impersonated_credentials]
-
-import com.google.auth.oauth2.GoogleCredentials;
-import com.google.auth.oauth2.ImpersonatedCredentials;
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.List;
-
-public class AccessTokenFromImpersonatedCredentials {
-
- public static void main(String[] args) throws IOException {
- // TODO(Developer): Replace the below variables before running the code.
-
- // Provide the scopes that you might need to request access to Google APIs,
- // depending on the level of access you need.
- // This example uses the cloud-wide scope and uses IAM to narrow the permissions.
- // https://cloud.google.com/docs/authentication/external/authorization-gcp
- // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
- String scope = "https://www.googleapis.com/auth/cloud-platform";
-
- // The name of the privilege-bearing service account for whom the credential is created.
- String impersonatedServiceAccount = "name@project.service.gserviceaccount.com";
-
- getAccessToken(impersonatedServiceAccount, scope);
- }
-
- // Use a service account (SA1) to impersonate as another service account (SA2) and obtain id token
- // for the impersonated account.
- // To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission
- // on SA2.
- public static void getAccessToken(
- String impersonatedServiceAccount, String scope) throws IOException {
-
- // Construct the GoogleCredentials object which obtains the default configuration from your
- // working environment.
- GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();
-
- // delegates: The chained list of delegates required to grant the final accessToken.
- // For more information, see:
- // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
- // Delegate is NOT USED here.
- List delegates = null;
-
- // Create the impersonated credential.
- ImpersonatedCredentials impersonatedCredentials =
- ImpersonatedCredentials.newBuilder()
- .setSourceCredentials(googleCredentials)
- .setTargetPrincipal(impersonatedServiceAccount)
- .setScopes(Arrays.asList(scope))
- .setLifetime(300)
- .setDelegates(delegates)
- .build();
-
- // Get the OAuth2 token.
- // Once you've obtained the OAuth2 token, you can use it to make an authenticated call.
- impersonatedCredentials.refresh();
- String accessToken = impersonatedCredentials.getAccessToken().getTokenValue();
- System.out.println("Generated access token.");
- }
-}
-// [END auth_cloud_accesstoken_impersonated_credentials]
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index cf40dfdb6..ff4a66ae6 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -40,8 +40,6 @@ public class SnippetsIT { private static final String PROJECT_ID = System.getenv("GOOGLE_CLOUD_PROJECT"); private static final String CREDENTIALS = System.getenv("GOOGLE_APPLICATION_CREDENTIALS"); - private static final String impersonatedServiceAccount = "TODO"; - private static final String scope = "https://www.googleapis.com/auth/cloud-platform"; private ByteArrayOutputStream stdOut; // Check if the required environment variables are set. @@ -64,7 +62,18 @@ public static void setup() throws IOException { } @AfterClass - public static void cleanup() { + public static void cleanup() {} + + @Before + public void beforeEach() { + stdOut = new ByteArrayOutputStream(); + System.setOut(new PrintStream(stdOut)); + } + + @After + public void afterEach() { + stdOut = null; + System.setOut(null); } // Get an id token from a Google service account. @@ -84,18 +93,6 @@ private static String getIdTokenFromServiceAccount( return idToken.getTokenValue(); } - @Before - public void beforeEach() { - stdOut = new ByteArrayOutputStream(); - System.setOut(new PrintStream(stdOut)); - } - - @After - public void afterEach() { - stdOut = null; - System.setOut(null); - } - @Test public void testIdTokenFromServiceAccount() throws IOException { IdTokenFromServiceAccount.getIdTokenFromServiceAccount(CREDENTIALS, "https://example.com"); 
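Review bot: `afterEach()` in the second hunk (`@@ -64,7 +62,18 @@`) ends with `System.setOut(null);`, which leaves `System.out` null after each test instead of putting the real stream back. Anything that prints later in the same JVM, such as another test class or the runner's own reporting, would then fail with a NullPointerException, and a failure in a later credential test could surface as a confusing crash rather than a clear assertion error. Save the stream before redirecting with `originalOut = System.out;` at the top of `beforeEach()`, and restore it with `System.setOut(originalOut);`. The new `private PrintStream originalOut;` field would sit beside `stdOut`, which is declared in the first hunk. The now-empty `cleanup()` and its `@AfterClass` annotation can be dropped unless a follow-up is expected to fill it.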
@@ -110,21 +107,6 @@ public void testVerifyGoogleIdToken() throws IOException { idToken, "https://example.com", "https://www.googleapis.com/oauth2/v3/certs"); } - @Test - public void testAccessTokenFromImpersonatedCredentials() - throws GeneralSecurityException, IOException { - AccessTokenFromImpersonatedCredentials.getAccessToken(impersonatedServiceAccount, scope); - assertThat(stdOut.toString()).contains("Generated access token."); - } - - @Test - public void testIdTokenFromImpersonatedCredentials() - throws GeneralSecurityException, IOException { - IdTokenFromImpersonatedCredentials.getIdTokenUsingOAuth2(impersonatedServiceAccount, scope, - "https://example.com"); - assertThat(stdOut.toString()).contains("Generated ID token."); - } - @Test public void testIdTokenFromMetadataServer() throws GeneralSecurityException, IOException { IdTokenFromMetadataServer.getIdTokenFromMetadataServer("https://www.google.com");