feat: Support transport and binding-enforcement MDS parameters. #1558
Conversation
rmehta19
force-pushed
the
mds-cred-token-req-param
branch
from
04db8a3 to
91dba11
Compare
|
cc: @rockspore |
| @@ -696,6 +725,14 @@ public Collection<String> getDefaultScopes() { | |||
| return defaultScopes; | |||
| } | |||
|
|
|||
| public String getTransport() { | |||
There was a problem hiding this comment.
Please provide javadoc on these, pointing to publicly documented Metadata Service parameters.
There was a problem hiding this comment.
Discussed offline: We will update public MDS docs when the feature is non-experimental. Since the usage of the S2A + MTLS + bound tokens flow is guarded by an environment variable (EXPERIMENTAL_GOOGLE_API_USE_S2A). Until the public docs are updated, we can link to AIP here and #1400 (AIP already linked in this merged PR).
product-auto-label
bot
added
size: m
|
| if (!transport.isEmpty()) { | ||
| tokenUrl.set("transport", transport); | ||
| } | ||
| if (!bindingEnforcement.isEmpty()) { | ||
| tokenUrl.set("binding-enforcement", bindingEnforcement); | ||
| } |
There was a problem hiding this comment.
I think this should be null and empty check. Setter can set a null value unless we want to add a check there
There was a problem hiding this comment.
Thanks for pointing that out, done in 9d46bbd
| private String transport = ""; | ||
| private String bindingEnforcement = ""; |
There was a problem hiding this comment.
nit:
| private String transport = ""; | |
| private String bindingEnforcement = ""; | |
| private String transport; | |
| private String bindingEnforcement; |
|
Update to use conventional commits: |
rmehta19
changed the title
|
Thanks for the review @lqiu96 ! |
| @@ -200,6 +218,16 @@ String createTokenUrlWithScopes() { | |||
| if (!scopes.isEmpty()) { | |||
| tokenUrl.set("scopes", Joiner.on(',').join(scopes)); | |||
| } | |||
| if (transport == Transport.MTLS) { | |||
| tokenUrl.set("transport", "mtls"); | |||
There was a problem hiding this comment.
Fields can be added to the Enum class, so that each Enum can have its own label, then you can just do tokenUrl.set("transport", transport.getLabel()). See this example.
There was a problem hiding this comment.
Thanks for pointing this out! Done in latest commit.
| @@ -109,6 +109,16 @@ public class ComputeEngineCredentials extends GoogleCredentials | |||
| static final int MAX_COMPUTE_PING_TRIES = 3; | |||
| static final int COMPUTE_PING_CONNECTION_TIMEOUT_MS = 500; | |||
|
|
|||
| public enum Transport { | |||
There was a problem hiding this comment.
I know the it is called transport in the token url, but since Transport in GAPIC has different meaning (the value of it is either gRPC or httpJson), can we name this differently? Maybe AuthTransport? Javadocs for what ALTS and MTLS mean would also be appreciated.
There was a problem hiding this comment.
Renamed to AuthTransport in latest commit and added some javadocs. Thanks!
| // Binding enforcement will always happen, irrespective of the IAM policy. | ||
| ON("on"), | ||
| // Binding enforcement will depend on IAM policy. | ||
| IAMPOLICY("iam-policy"); |
There was a problem hiding this comment.
| IAMPOLICY("iam-policy"); | |
| IAM_POLICY("iam-policy"); |
I believe the convention is underscore to separate the words for constants
| @CanIgnoreReturnValue | ||
| public Builder setTransport(AuthTransport transport) { | ||
| this.transport = transport; | ||
| return this; | ||
| } | ||
|
|
||
| @CanIgnoreReturnValue | ||
| public Builder setBindingEnforcement(BindingEnforcement bindingEnforcement) { | ||
| this.bindingEnforcement = bindingEnforcement; | ||
| return this; | ||
| } |
There was a problem hiding this comment.
can you some small/ simple javadocs for these public setters?
| public AuthTransport getTransport() { | ||
| return transport; | ||
| } | ||
|
|
||
| public BindingEnforcement getBindingEnforcement() { | ||
| return bindingEnforcement; | ||
| } | ||
|
|
There was a problem hiding this comment.
same here. also if it's returning AuthTransport, can it be getAuthTransport()?
| @Test | ||
| public void buildTokenUrl_nullTransport() { |
There was a problem hiding this comment.
nit: one additional test where both transport and bindingenforcements are null
| @@ -109,6 +109,40 @@ public class ComputeEngineCredentials extends GoogleCredentials | |||
| static final int MAX_COMPUTE_PING_TRIES = 3; | |||
| static final int COMPUTE_PING_CONNECTION_TIMEOUT_MS = 500; | |||
|
|
|||
| public enum AuthTransport { | |||
There was a problem hiding this comment.
I think AuthTransport is ok for this. I would prefer if this could be more specific if possible.
Is there a term for alts and mtls type of transport that we can use? Does TlsTransport make sense? I don't know if TLS has a transport concept or if that would be confusing.
GoogleMtlsTransport? Though I'm not sure mtls/atls are google specific terms
There was a problem hiding this comment.
TLDR: WDYT of GoogleAuthTransport?
I think AuthTransport is ok for this. I would prefer if this could be more specific if possible.
We generally call this "transport type": describes how the client is authenticating to Google APIS either via GFE (using mtls) or via DirectPath (using alts). However Blake mentioned above that transport has a different meaning in Client libraries (grpc vs http), so it would be good to clarify to something more specific, which is how we landed on AuthTransport initially.
Is there a term for alts and mtls type of transport that we can use? Does TlsTransport make sense? I don't know if TLS has a transport concept or if that would be confusing.
TLS is the security protocol being used, it's used in both mtls and alts. mtls is mutually authenticated TLS, alts is (in short) "Google-optimized" mtls (see public docs).
In the enum name, I think we want to focus on how clients are authenticating to Google APIS, not details of the protocol being used (mtls vs alts). How about GoogleAuthTransport? I think this captures that the enum is listing different ways to ways clients can authenticate to Google APIs.
GoogleMtlsTransport? Though I'm not sure mtls/atls are google specific terms.
I think this name would be ok. One thing is that mtls via GFE strictly adheres to the TLS standard (i.e. not Google specific). Whereas alts is a Google specific protocol.
I've done this in 8ce3a4d, let me know if the name sounds ok.
No description provided.