feat(auth): Add hard-bound token request to compute token provider.

googleapis · Feb 12, 2025 · d21bbd6 · d21bbd6
1 parent 2a499d7
commit d21bbd6
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/auth/grpctransport/grpctransport.go b/auth/grpctransport/grpctransport.go
@@ -301,7 +301,7 @@ func dial(ctx context.Context, secure bool, opts *Options) (*grpc.ClientConn, er
 		if opts.Credentials != nil {
 			creds = opts.Credentials
 		} else {
-			if transportType == "MTLS_S2A" {
+			if transportType == transport.TransportTypeMTLSS2A {
 				// Check that the client allows requesting hard-bound token for the transport type mTLS using S2A.
 				for _, ev := range opts.InternalOptions.AllowHardBoundTokens {
 					if ev == "MTLS_S2A" {

diff --git a/auth/internal/transport/cba.go b/auth/internal/transport/cba.go
@@ -46,14 +46,20 @@ const (
 	googleAPIUseMTLS       = "GOOGLE_API_USE_MTLS_ENDPOINT"
 	googleAPIUseMTLSOld    = "GOOGLE_API_USE_MTLS"
 
-	transportTypeMTLSS2A = "MTLS_S2A"
-
 	universeDomainPlaceholder = "UNIVERSE_DOMAIN"
 
 	mtlsMDSRoot = "/run/google-mds-mtls/root.crt"
 	mtlsMDSKey  = "/run/google-mds-mtls/client.key"
 )
 
+// TransportType represents the type of transport.
+type TransportType int
+
+const (
+	TransportTypeUnknown TransportType = iota
+	TransportTypeMTLSS2A
+)
+
 // Options is a struct that is duplicated information from the individual
 // transport packages in order to avoid cyclic deps. It correlates 1:1 with
 // fields on httptransport.Options and grpctransport.Options.
@@ -125,10 +131,10 @@ func fixScheme(baseURL string) string {
 // GetGRPCTransportCredsAndEndpoint returns an instance of
 // [google.golang.org/grpc/credentials.TransportCredentials], and the
 // corresponding endpoint to use for GRPC client.
-func GetGRPCTransportCredsAndEndpoint(opts *Options) (credentials.TransportCredentials, string, string, error) {
+func GetGRPCTransportCredsAndEndpoint(opts *Options) (credentials.TransportCredentials, string, TransportType, error) {
 	config, err := getTransportConfig(opts)
 	if err != nil {
-		return nil, "", "", err
+		return nil, "", TransportTypeUnknown, err
 	}
 
 	defaultTransportCreds := credentials.NewTLS(&tls.Config{
@@ -146,13 +152,13 @@ func GetGRPCTransportCredsAndEndpoint(opts *Options) (credentials.TransportCrede
 			if config.s2aAddress != "" {
 				s2aAddr = config.s2aAddress
 			} else {
-				return defaultTransportCreds, config.endpoint, "", nil
+				return defaultTransportCreds, config.endpoint, TransportTypeUnknown, nil
 			}
 		}
 	} else if config.s2aAddress != "" {
 		s2aAddr = config.s2aAddress
 	} else {
-		return defaultTransportCreds, config.endpoint, "", nil
+		return defaultTransportCreds, config.endpoint, TransportTypeUnknown, nil
 	}
 
 	var fallbackOpts *s2a.FallbackOptions
@@ -170,9 +176,9 @@ func GetGRPCTransportCredsAndEndpoint(opts *Options) (credentials.TransportCrede
 	})
 	if err != nil {
 		// Use default if we cannot initialize S2A client transport credentials.
-		return defaultTransportCreds, config.endpoint, "", nil
+		return defaultTransportCreds, config.endpoint, TransportTypeUnknown, nil
 	}
-	return s2aTransportCreds, config.s2aMTLSEndpoint, transportTypeMTLSS2A, nil
+	return s2aTransportCreds, config.s2aMTLSEndpoint, TransportTypeMTLSS2A, nil
 }
 
 // GetHTTPTransportConfig returns a client certificate source and a function for

diff --git a/auth/internal/transport/cba_test.go b/auth/internal/transport/cba_test.go
@@ -764,7 +764,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 			} else {
 				t.Setenv(googleAPIUseCertSource, "false")
 			}
-			_, endpoint, err := GetGRPCTransportCredsAndEndpoint(tc.opts)
+			_, endpoint, _, err := GetGRPCTransportCredsAndEndpoint(tc.opts)
 			if err != nil {
 				t.Fatalf("err: %v", err)
 			} else {