[oauth2] google: add Credentials.GetUniverseDomain with GCE MDS support

Chris Smith (Gerrit)

unread,

Dec 26, 2023, 5:23:05 PM12/26/23

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Chris Smith has uploaded this change for review.

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I296f88e7952fd87e47b76ffaeecd2be4dd4d5236
---
M google/default.go
M google/google.go
2 files changed, 41 insertions(+), 0 deletions(-)

diff --git a/google/default.go b/google/default.go
index 12b12a3..4ba12c1 100644
--- a/google/default.go
+++ b/google/default.go
@@ -47,6 +47,9 @@
 
 // UniverseDomain returns the default service domain for a given Cloud universe.
 // The default value is "googleapis.com".
+//
+// Deprecated: Use instead (*Credentials).GetUniverseDomain(), which supports
+// obtaining the universe domain from the GCE metadata server when available.
 func (c *Credentials) UniverseDomain() string {
 	if c.universeDomain == "" {
 		return universeDomainDefault
@@ -54,6 +57,28 @@
 	return c.universeDomain
 }
 
+// GetUniverseDomain returns the default service domain for a given Cloud
+// universe. Obtains the universe domain from the GCE metadata server when
+// available and if it was not already found in a credentials file. Returns
+// errors from metadata server unless the error is 404, in which case the
+// default value is returned. The default value is "googleapis.com".
+func (c *Credentials) GetUniverseDomain() (string, error) {
+	if c.universeDomain == "" {
+		// If we're on Google Compute Engine, an App Engine standard second
+		// generation runtime, or App Engine flexible, use the metadata server.
+		if metadata.OnGCE() {
+			var err error
+			c.universeDomain, err = computeUniverseDomain()
+			if err != nil {
+				return "", err
+			}
+		} else {
+			c.universeDomain = universeDomainDefault
+		}
+	}
+	return c.universeDomain, nil
+}
+
 // DefaultCredentials is the old name of Credentials.
 //
 // Deprecated: use Credentials instead.
diff --git a/google/google.go b/google/google.go
index c66c535..746df52 100644
--- a/google/google.go
+++ b/google/google.go
@@ -306,3 +306,19 @@
 		"oauth2.google.serviceAccount": acct,
 	}), nil
 }
+
+// computeUniverseDomain fetches the default service domain for a given Cloud
+// universe from Google Compute Engine (GCE)'s metadata server. It's only valid
+// to use this method if your program is running on a GCE instance.
+func computeUniverseDomain() (string, error) {
+	ud, err := metadata.Get("universe/universe_domain")
+	if err != nil {
+		if _, ok := err.(metadata.NotDefinedError); ok {
+			// http.StatusNotFound (404)
+			return universeDomainDefault, nil
+		} else {
+			return "", err
+		}
+	}
+	return ud, nil
+}

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Dec 27, 2023, 1:32:22 PM12/27/23

to goph...@pubsubhelper.golang.org, Brent Shaffer, Cody Oss, Viacheslav Rostovtsev, Noah Dietz, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss, Viacheslav Rostovtsev.

View Change

1 comment:

Patchset:
- Patch Set #1:
  I added tests for this PR to `google/google_test.go`, but because of existing key data in that file, got this complaint: "The push has been rejected because we detect that it contains a private key."
  I can force push that change (which adds no key data itself) if OK.

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Dec 27, 2023, 1:53:23 PM12/27/23

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss, Viacheslav Rostovtsev.

Chris Smith uploaded patch set #2 to this change.

View Change

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I296f88e7952fd87e47b76ffaeecd2be4dd4d5236
---
M google/default.go
M google/google.go

M google/google_test.go
3 files changed, 82 insertions(+), 0 deletions(-)

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Viacheslav Rostovtsev (Gerrit)

unread,

Dec 27, 2023, 3:53:23 PM12/27/23

to Chris Smith, goph...@pubsubhelper.golang.org, Brent Shaffer, Cody Oss, Noah Dietz, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith, Cody Oss.

View Change

1 comment:

File google/default.go:
- Patch Set #2, Line 52: universe domain from the GCE metadata server when available.
  "So what will this function return for Compute Credentials", the reader will wonder

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Dec 28, 2023, 1:41:44 PM12/28/23

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith, Cody Oss.

Chris Smith uploaded patch set #3 to this change.

View Change

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I296f88e7952fd87e47b76ffaeecd2be4dd4d5236
---
M google/default.go
M google/google.go
M google/google_test.go

3 files changed, 92 insertions(+), 0 deletions(-)

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Dec 28, 2023, 1:42:38 PM12/28/23

to goph...@pubsubhelper.golang.org, Brent Shaffer, Cody Oss, Viacheslav Rostovtsev, Noah Dietz, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss, Viacheslav Rostovtsev.

View Change

2 comments:

Patchset:
- Patch Set #3:
  Updated, PTAL!
File google/default.go:

- Patch Set #2, Line 52: universe domain from the GCE metadata server when available.
  "So what will this function return for Compute Credentials", the reader will wonder

- Done

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Cody Oss (Gerrit)

unread,

Jan 2, 2024, 4:52:39 PM1/2/24

to Chris Smith, goph...@pubsubhelper.golang.org, Brent Shaffer, Viacheslav Rostovtsev, Noah Dietz, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith, Viacheslav Rostovtsev.

View Change

1 comment:

File google/default.go:
- Patch Set #3, Line 83: return "", err
  Given we have a released API here, should we swallow the error instead? Or maybe this value should be precomputed once during credential/token creation and the error returns there? Should this value be cached after first lookup?

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 2, 2024, 6:17:08 PM1/2/24

to goph...@pubsubhelper.golang.org, Brent Shaffer, Cody Oss, Viacheslav Rostovtsev, Noah Dietz, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss, Viacheslav Rostovtsev.

View Change

1 comment:

File google/default.go:

- Patch Set #3, Line 83: return "", err

- Thanks Cody for raising this discussion. It's ugly and regrettable to deprecate and replace the existing method just to introduce the error return value, and I thought hard before doing it. Requirement AL-5 has the following "should" guidance:
  Authentication libraries should retrieve universe_domain in a 'lazy' way, when the end-user requests the universe_domain via the property/get method. They should not do it during the credentials initialization. Authentication libraries should group the universe_domain retrieval with the first authentication token retrieval.
  My decision to introduce the new method was heavily influenced by the planned transition to a new auth package and therefore the short remaining life expectancy of this package. Does that consideration make this any more palatable?

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Viacheslav Rostovtsev (Gerrit)

unread,

Jan 3, 2024, 5:11:20 PM1/3/24

to Chris Smith, goph...@pubsubhelper.golang.org, Brent Shaffer, Cody Oss, Noah Dietz, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith, Cody Oss.

Patch set 3:Code-Review +1

View Change

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Cody Oss (Gerrit)

unread,

Jan 3, 2024, 6:24:28 PM1/3/24

to Chris Smith, goph...@pubsubhelper.golang.org, Viacheslav Rostovtsev, Brent Shaffer, Noah Dietz, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith.

View Change

1 comment:

File google/default.go:

- Patch Set #3, Line 83: return "", err

- Thanks Cody for raising this discussion. […]
  Seems okay if we are quickly moving away from this.
  Is this code this code may be racy, correct? Does c.universeDomain need to be protected some way?

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 4, 2024, 4:00:50 PM1/4/24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Chris Smith has uploaded this change for review.

View Change

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I1cbc842fbfce35540c8dff99fec09e036b9e2cdf


---
M google/default.go
M google/google.go
M google/google_test.go
3 files changed, 92 insertions(+), 0 deletions(-)

diff --git a/google/default.go b/google/default.go
index 04ebdc0..3cb799e 100644
--- a/google/default.go
+++ b/google/default.go
@@ -46,7 +46,14 @@


 }
 
 // UniverseDomain returns the default service domain for a given Cloud universe.

+//


 // The default value is "googleapis.com".
+//
+// Deprecated: Use instead (*Credentials).GetUniverseDomain(), which supports

+// obtaining the universe domain when authenticating via the GCE metadata server.
+// Unlike GetUniverseDomain, this method, UniverseDomain, will always return the
+// default value when authenticating via the GCE metadata server.
+// See also [The attached service account](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa).


 func (c *Credentials) UniverseDomain() string {
 	if c.universeDomain == "" {
 		return universeDomainDefault

@@ -54,6 +61,34 @@


 	return c.universeDomain
 }
 
+// GetUniverseDomain returns the default service domain for a given Cloud
+// universe.

+//
+// The default value is "googleapis.com".
+//
+// It obtains the universe domain from the attached service account on GCE when
+// authenticating via the GCE metadata server. See also [The attached service
+// account](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa).
+// If the GCE metadata server returns a 404 error, the default value is
+// returned. If the GCE metadata server returns an error other than 404, the
+// error is returned.

diff --git a/google/google_test.go b/google/google_test.go
index ea01049..002a40b 100644
--- a/google/google_test.go
+++ b/google/google_test.go
@@ -5,6 +5,8 @@
 package google
 
 import (
+	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
 )
@@ -137,3 +139,42 @@
 		t.Errorf("Audience = %q; want %q", got, want)
 	}
 }
+
+func TestComputeTokenSource(t *testing.T) {
+	tokenPath := "/computeMetadata/v1/instance/service-accounts/default/token"
+	tokenResponseBody := `{"access_token":"Sample.Access.Token","token_type":"Bearer","expires_in":3600}`
+	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != tokenPath {
+			t.Errorf("got %s, want %s", r.URL.Path, tokenPath)
+		}
+		w.Write([]byte(tokenResponseBody))
+	}))
+	defer s.Close()
+	t.Setenv("GCE_METADATA_HOST", strings.TrimPrefix(s.URL, "http://"))
+	ts := ComputeTokenSource("")
+	_, err := ts.Token()


+	if err != nil {

+		t.Errorf("ts.Token() = %v", err)
+	}
+}
+
+func TestComputeUniverseDomain(t *testing.T) {
+	universeDomainPath := "/computeMetadata/v1/universe/universe_domain"
+	universeDomainResponseBody := "example.com"
+	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != universeDomainPath {
+			t.Errorf("got %s, want %s", r.URL.Path, universeDomainPath)
+		}
+		w.Write([]byte(universeDomainResponseBody))
+	}))
+	defer s.Close()
+	t.Setenv("GCE_METADATA_HOST", strings.TrimPrefix(s.URL, "http://"))
+
+	ud, err := computeUniverseDomain()


+	if err != nil {

+		t.Errorf("ts.UniverseDomain() = %v", err)
+	}
+	if ud != universeDomainResponseBody {
+		t.Errorf("got %s, want %s", ud, universeDomainResponseBody)
+	}
+}

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 4, 2024, 4:25:30 PM1/4/24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss, JBD, Shin Fan.

Chris Smith uploaded patch set #2 to this change.

View Change

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I1cbc842fbfce35540c8dff99fec09e036b9e2cdf
---
M google/default.go

M google/default_test.go
M google/google_test.go
3 files changed, 167 insertions(+), 0 deletions(-)

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Cody Oss (Gerrit)

unread,

Jan 4, 2024, 4:33:30 PM1/4/24

to Chris Smith, goph...@pubsubhelper.golang.org, Viacheslav Rostovtsev, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith, Viacheslav Rostovtsev.

View Change

1 comment:

File google/default.go:
- Patch Set #2, Line 78: if c.universeDomain == "" && metadata.OnGCE() {
  this is an ungaurded read of a value controlled by the mutex

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Viacheslav Rostovtsev (Gerrit)

unread,

Jan 4, 2024, 4:57:15 PM1/4/24

to Chris Smith, goph...@pubsubhelper.golang.org, Cody Oss, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith.

Patch set 2:Code-Review +1

View Change

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 4, 2024, 6:21:34 PM1/4/24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith.

Chris Smith uploaded patch set #3 to this change.

View Change

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I1cbc842fbfce35540c8dff99fec09e036b9e2cdf
---
M google/default.go
M google/default_test.go
M google/google_test.go
3 files changed, 167 insertions(+), 0 deletions(-)

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 4, 2024, 6:23:01 PM1/4/24

to goph...@pubsubhelper.golang.org, Viacheslav Rostovtsev, Cody Oss, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss.

View Change

1 comment:

File google/default.go:

- Patch Set #2, Line 78: if c.universeDomain == "" && metadata.OnGCE() {
  this is an ungaurded read of a value controlled by the mutex

- I moved the guard to the calling method GetUniverseDomain. I also tested locally with the `-race` flag, but could not surface a race condition even after removing the mutex.

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 4, 2024, 6:59:03 PM1/4/24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss.

Chris Smith uploaded patch set #4 to this change.

View Change

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I1cbc842fbfce35540c8dff99fec09e036b9e2cdf
---
M google/default.go
M google/default_test.go
M google/google_test.go

3 files changed, 160 insertions(+), 0 deletions(-)

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 4, 2024, 7:09:48 PM1/4/24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss.

Chris Smith uploaded patch set #5 to this change.

View Change

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I1cbc842fbfce35540c8dff99fec09e036b9e2cdf
---
M google/default.go
M google/default_test.go
M google/google_test.go

3 files changed, 169 insertions(+), 0 deletions(-)

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 4, 2024, 7:19:17 PM1/4/24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss.

Chris Smith uploaded patch set #6 to this change.

View Change

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I1cbc842fbfce35540c8dff99fec09e036b9e2cdf
---
M google/default.go
M google/default_test.go
M google/google_test.go

3 files changed, 173 insertions(+), 0 deletions(-)

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 4, 2024, 7:24:02 PM1/4/24

to goph...@pubsubhelper.golang.org, Viacheslav Rostovtsev, Cody Oss, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Cody Oss.

View Change

1 comment:

Patchset:

Patch Set #6:

Local concurrency testing:

WITH MUTEX:

➜ google git:(default-universe-domain-mds) go test -timeout 30s -race -run ^TestComputeUniverseDomain$ golang.org/x/oauth2/google -v
=== RUN TestComputeUniverseDomain
--- PASS: TestComputeUniverseDomain (0.00s)
PASS
ok golang.org/x/oauth2/google 1.414s

WITHOUT MUTEX:

➜  google git:(default-universe-domain-mds) ✗ go test -timeout 30s -race -run ^TestComputeUniverseDomain$ golang.org/x/oauth2/google -v
=== RUN   TestComputeUniverseDomain
==================
WARNING: DATA RACE
Write at 0x00c0000a0268 by goroutine 9:
  golang.org/x/oauth2/google.(*Credentials).computeUniverseDomain()
      /Users/chrisdsmith/oss/oauth2/google/default.go:98 +0x64
  golang.org/x/oauth2/google.(*Credentials).GetUniverseDomain()
      /Users/chrisdsmith/oss/oauth2/google/default.go:79 +0x88
  golang.org/x/oauth2/google.TestComputeUniverseDomain.func2()
      /Users/chrisdsmith/oss/oauth2/google/default_test.go:279 +0x5d

Previous write at 0x00c0000a0268 by goroutine 7:
  golang.org/x/oauth2/google.(*Credentials).computeUniverseDomain()
      /Users/chrisdsmith/oss/oauth2/google/default.go:98 +0x64
  golang.org/x/oauth2/google.(*Credentials).GetUniverseDomain()
      /Users/chrisdsmith/oss/oauth2/google/default.go:79 +0x88
  golang.org/x/oauth2/google.TestComputeUniverseDomain()
      /Users/chrisdsmith/oss/oauth2/google/default_test.go:288 +0x6a9
  testing.tRunner()
      /usr/local/go/src/testing/testing.go:1595 +0x238
  testing.(*T).Run.func1()
      /usr/local/go/src/testing/testing.go:1648 +0x44

Goroutine 9 (running) created at:
  golang.org/x/oauth2/google.TestComputeUniverseDomain()
      /Users/chrisdsmith/oss/oauth2/google/default_test.go:278 +0x69c
  testing.tRunner()
      /usr/local/go/src/testing/testing.go:1595 +0x238
  testing.(*T).Run.func1()
      /usr/local/go/src/testing/testing.go:1648 +0x44

Goroutine 7 (running) created at:
  testing.(*T).Run()
      /usr/local/go/src/testing/testing.go:1648 +0x82a
  testing.runTests.func1()
      /usr/local/go/src/testing/testing.go:2054 +0x84
  testing.tRunner()
      /usr/local/go/src/testing/testing.go:1595 +0x238
  testing.runTests()
      /usr/local/go/src/testing/testing.go:2052 +0x896
  testing.(*M).Run()
      /usr/local/go/src/testing/testing.go:1925 +0xb57
  main.main()
      _testmain.go:91 +0x2bd
==================
    testing.go:1465: race detected during execution of test
--- FAIL: TestComputeUniverseDomain (0.00s)
=== NAME
    testing.go:1465: race detected during execution of test
FAIL
FAIL	golang.org/x/oauth2/google	0.209s
FAIL

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Cody Oss (Gerrit)

unread,

Jan 5, 2024, 9:28:13 AM1/5/24

to Chris Smith, goph...@pubsubhelper.golang.org, Viacheslav Rostovtsev, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith.

Patch set 6:Code-Review +2

View Change

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Cody Oss (Gerrit)

unread,

Jan 5, 2024, 9:28:29 AM1/5/24

to Chris Smith, goph...@pubsubhelper.golang.org, Viacheslav Rostovtsev, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Chris Smith.

Patch set 6:Run-TryBot +1Auto-Submit +1

View Change

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Gopher Robot (Gerrit)

unread,

Jan 5, 2024, 9:38:48 AM1/5/24

to Chris Smith, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Cody Oss, Viacheslav Rostovtsev, golang-co...@googlegroups.com

Gopher Robot submitted this change.

View Change

Approvals:
  Gopher Robot: TryBots succeeded
  Cody Oss: Looks good to me, approved; Run legacy TryBots; Automatically submit change
  Viacheslav Rostovtsev: Looks good to me, but someone else must approve

google: add Credentials.GetUniverseDomain with GCE MDS support

* Deprecate Credentials.UniverseDomain

Change-Id: I1cbc842fbfce35540c8dff99fec09e036b9e2cdf

Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/554215
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Cody Oss <cod...@google.com>
Auto-Submit: Cody Oss <cod...@google.com>
Reviewed-by: Cody Oss <cod...@google.com>
Reviewed-by: Viacheslav Rostovtsev <vir...@google.com>


---
M google/default.go
M google/default_test.go
M google/google_test.go
3 files changed, 173 insertions(+), 0 deletions(-)

diff --git a/google/default.go b/google/default.go
index 04ebdc0..02ccd08 100644
--- a/google/default.go
+++ b/google/default.go
@@ -12,6 +12,7 @@
 	"os"
 	"path/filepath"
 	"runtime"
+	"sync"
 	"time"
 
 	"cloud.google.com/go/compute/metadata"
@@ -41,12 +42,20 @@
 	// running on Google Cloud Platform.
 	JSON []byte
 
+	udMu sync.Mutex // guards universeDomain
 	// universeDomain is the default service domain for a given Cloud universe.
 	universeDomain string


 }
 
 // UniverseDomain returns the default service domain for a given Cloud universe.
+//
 // The default value is "googleapis.com".
+//
+// Deprecated: Use instead (*Credentials).GetUniverseDomain(), which supports
+// obtaining the universe domain when authenticating via the GCE metadata server.
+// Unlike GetUniverseDomain, this method, UniverseDomain, will always return the
+// default value when authenticating via the GCE metadata server.
+// See also [The attached service account](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa).
 func (c *Credentials) UniverseDomain() string {
 	if c.universeDomain == "" {
 		return universeDomainDefault

@@ -54,6 +63,55 @@


 	return c.universeDomain
 }
 
+// GetUniverseDomain returns the default service domain for a given Cloud
+// universe.
+//
+// The default value is "googleapis.com".
+//
+// It obtains the universe domain from the attached service account on GCE when
+// authenticating via the GCE metadata server. See also [The attached service
+// account](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa).
+// If the GCE metadata server returns a 404 error, the default value is
+// returned. If the GCE metadata server returns an error other than 404, the
+// error is returned.
+func (c *Credentials) GetUniverseDomain() (string, error) {

+	c.udMu.Lock()
+	defer c.udMu.Unlock()
+	if c.universeDomain == "" && metadata.OnGCE() {


+		// If we're on Google Compute Engine, an App Engine standard second
+		// generation runtime, or App Engine flexible, use the metadata server.

+		err := c.computeUniverseDomain()


+		if err != nil {
+			return "", err
+		}
+	}

+	// If not on Google Compute Engine, or in case of any non-error path in
+	// computeUniverseDomain that did not set universeDomain, set the default
+	// universe domain.
+	if c.universeDomain == "" {


+		c.universeDomain = universeDomainDefault
+	}
+	return c.universeDomain, nil
+}
+

+// computeUniverseDomain fetches the default service domain for a given Cloud
+// universe from Google Compute Engine (GCE)'s metadata server. It's only valid
+// to use this method if your program is running on a GCE instance.

+func (c *Credentials) computeUniverseDomain() error {
+	var err error
+	c.universeDomain, err = metadata.Get("universe/universe_domain")


+	if err != nil {
+		if _, ok := err.(metadata.NotDefinedError); ok {
+			// http.StatusNotFound (404)

+			c.universeDomain = universeDomainDefault
+			return nil
+		} else {
+			return err
+		}
+	}
+	return nil


+}
+
 // DefaultCredentials is the old name of Credentials.
 //
 // Deprecated: use Credentials instead.

diff --git a/google/default_test.go b/google/default_test.go
index 439887a..7352ffc 100644
--- a/google/default_test.go
+++ b/google/default_test.go
@@ -6,6 +6,9 @@
 
 import (
 	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
 )
 
@@ -74,6 +77,9 @@
 	if want := "googleapis.com"; creds.UniverseDomain() != want {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
 	}
+	if want := "googleapis.com"; creds.UniverseDomain() != want {
+		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
+	}
 }
 
 func TestCredentialsFromJSONWithParams_SA_Params_UniverseDomain(t *testing.T) {
@@ -94,6 +100,9 @@
 	if creds.UniverseDomain() != universeDomain2 {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), universeDomain2)
 	}
+	if creds.UniverseDomain() != universeDomain2 {
+		t.Fatalf("got %q, want %q", creds.UniverseDomain(), universeDomain2)
+	}
 }
 
 func TestCredentialsFromJSONWithParams_SA_UniverseDomain(t *testing.T) {
@@ -113,6 +122,13 @@
 	if creds.UniverseDomain() != universeDomain {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), universeDomain)
 	}
+	got, err := creds.GetUniverseDomain()


+	if err != nil {

+		t.Fatal(err)
+	}
+	if got != universeDomain {
+		t.Fatalf("got %q, want %q", got, universeDomain)
+	}
 }
 
 func TestCredentialsFromJSONWithParams_SA_UniverseDomain_Params_UniverseDomain(t *testing.T) {
@@ -133,6 +149,13 @@
 	if creds.UniverseDomain() != universeDomain2 {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), universeDomain2)
 	}
+	got, err := creds.GetUniverseDomain()


+	if err != nil {

+		t.Fatal(err)
+	}
+	if got != universeDomain2 {
+		t.Fatalf("got %q, want %q", got, universeDomain2)
+	}
 }
 
 func TestCredentialsFromJSONWithParams_User(t *testing.T) {
@@ -149,6 +172,13 @@
 	if want := "googleapis.com"; creds.UniverseDomain() != want {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
 	}
+	got, err := creds.GetUniverseDomain()


+	if err != nil {

+		t.Fatal(err)
+	}
+	if want := "googleapis.com"; got != want {
+		t.Fatalf("got %q, want %q", got, want)
+	}
 }
 
 func TestCredentialsFromJSONWithParams_User_Params_UniverseDomain(t *testing.T) {
@@ -166,6 +196,13 @@
 	if want := "googleapis.com"; creds.UniverseDomain() != want {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
 	}
+	got, err := creds.GetUniverseDomain()


+	if err != nil {

+		t.Fatal(err)
+	}
+	if want := "googleapis.com"; got != want {
+		t.Fatalf("got %q, want %q", got, want)
+	}
 }
 
 func TestCredentialsFromJSONWithParams_User_UniverseDomain(t *testing.T) {
@@ -182,6 +219,13 @@
 	if want := "googleapis.com"; creds.UniverseDomain() != want {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
 	}
+	got, err := creds.GetUniverseDomain()


+	if err != nil {

+		t.Fatal(err)
+	}
+	if want := "googleapis.com"; got != want {
+		t.Fatalf("got %q, want %q", got, want)
+	}
 }
 
 func TestCredentialsFromJSONWithParams_User_UniverseDomain_Params_UniverseDomain(t *testing.T) {
@@ -199,4 +243,55 @@
 	if want := "googleapis.com"; creds.UniverseDomain() != want {
 		t.Fatalf("got %q, want %q", creds.UniverseDomain(), want)
 	}
+	got, err := creds.GetUniverseDomain()


+	if err != nil {

+		t.Fatal(err)
+	}
+	if want := "googleapis.com"; got != want {
+		t.Fatalf("got %q, want %q", got, want)
+	}


+}
+
+func TestComputeUniverseDomain(t *testing.T) {
+	universeDomainPath := "/computeMetadata/v1/universe/universe_domain"
+	universeDomainResponseBody := "example.com"
+	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != universeDomainPath {
+			t.Errorf("got %s, want %s", r.URL.Path, universeDomainPath)
+		}
+		w.Write([]byte(universeDomainResponseBody))
+	}))
+	defer s.Close()
+	t.Setenv("GCE_METADATA_HOST", strings.TrimPrefix(s.URL, "http://"))
+

+	scope := "https://www.googleapis.com/auth/cloud-platform"
+	params := CredentialsParams{
+		Scopes: []string{scope},
+	}
+	// Copied from FindDefaultCredentialsWithParams, metadata.OnGCE() = true block
+	creds := &Credentials{
+		ProjectID:      "fake_project",
+		TokenSource:    computeTokenSource("", params.EarlyTokenRefresh, params.Scopes...),
+		universeDomain: params.UniverseDomain, // empty
+	}
+	c := make(chan bool)
+	go func() {
+		got, err := creds.GetUniverseDomain() // First conflicting access.


+		if err != nil {

+			t.Error(err)
+		}
+		if want := universeDomainResponseBody; got != want {
+			t.Errorf("got %q, want %q", got, want)
+		}
+		c <- true
+	}()
+	got, err := creds.GetUniverseDomain() // Second conflicting access.
+	<-c


+	if err != nil {

+		t.Error(err)
+	}
+	if want := universeDomainResponseBody; got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}


+
 }
diff --git a/google/google_test.go b/google/google_test.go

index ea01049..7078d42 100644


--- a/google/google_test.go
+++ b/google/google_test.go
@@ -5,6 +5,8 @@
 package google
 
 import (
+	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
 )

@@ -137,3 +139,21 @@


 		t.Errorf("Audience = %q; want %q", got, want)
 	}
 }
+
+func TestComputeTokenSource(t *testing.T) {
+	tokenPath := "/computeMetadata/v1/instance/service-accounts/default/token"
+	tokenResponseBody := `{"access_token":"Sample.Access.Token","token_type":"Bearer","expires_in":3600}`
+	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != tokenPath {
+			t.Errorf("got %s, want %s", r.URL.Path, tokenPath)
+		}
+		w.Write([]byte(tokenResponseBody))
+	}))
+	defer s.Close()
+	t.Setenv("GCE_METADATA_HOST", strings.TrimPrefix(s.URL, "http://"))
+	ts := ComputeTokenSource("")
+	_, err := ts.Token()
+	if err != nil {
+		t.Errorf("ts.Token() = %v", err)
+	}
+}

To view, visit change 554215. To unsubscribe, or for help writing mail filters, visit settings.

Chris Smith (Gerrit)

unread,

Jan 5, 2024, 11:42:30 AM1/5/24

to goph...@pubsubhelper.golang.org, Viacheslav Rostovtsev, Brent Shaffer, Cody Oss, Noah Dietz, golang-co...@googlegroups.com

Chris Smith abandoned this change.

View Change

Abandoned

Replaced by 554215

To view, visit change 552875. To unsubscribe, or for help writing mail filters, visit settings.

Reply all

Reply to author

Forward