remove Unknown CredentialsType from public surface

Author: quartzmo

idtoken/idtoken.go

@@ -30,13 +30,40 @@ import (
 // ClientOption is for configuring a Google API client or transport.
 type ClientOption = option.ClientOption
 
-type credentialsType int
+// CredentialsType specifies the type of JSON credentials being provided
+// to a loading function such as [WithAuthCredentialsFile] or
+// [WithAuthCredentialsJSON].
+type CredentialsType = option.CredentialsType
 
 const (
-	unknownCredType credentialsType = iota
-	serviceAccount
-	impersonatedServiceAccount
-	externalAccount
+	// unknownCredType is a private CredentialsType representing an unknown JSON file type.
+	unknownCredType = internal.Unknown
+	// ServiceAccount represents a service account file type.
+	ServiceAccount = option.ServiceAccount
+	// User represents a user credentials file type.
+	User = option.User
+	// ImpersonatedServiceAccount represents an impersonated service account file type.
+	//
+	// IMPORTANT:
+	// This credential type does not validate the credential configuration. A security
+	// risk occurs when a credential configuration configured with malicious urls
+	// is used.
+	// You should validate credential configurations provided by untrusted sources.
+	// See [Security requirements when using credential configurations from an external
+	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+	// for more details.
+	ImpersonatedServiceAccount = option.ImpersonatedServiceAccount
+	// ExternalAccount represents an external account file type.
+	//
+	// IMPORTANT:
+	// This credential type does not validate the credential configuration. A security
+	// risk occurs when a credential configuration configured with malicious urls
+	// is used.
+	// You should validate credential configurations provided by untrusted sources.
+	// See [Security requirements when using credential configurations from an external
+	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+	// for more details.
+	ExternalAccount = option.ExternalAccount
 )
 
 // NewClient creates a HTTP Client that automatically adds an ID token to each
@@ -148,7 +175,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 		return nil, err
 	}
 	switch allowedType {
-	case serviceAccount:
+	case ServiceAccount:
 		cfg, err := google.JWTConfigFromJSON(data, ds.GetScopes()...)
 		if err != nil {
 			return nil, err
@@ -168,7 +195,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 			return nil, err
 		}
 		return oauth2.ReuseTokenSource(tok, ts), nil
-	case impersonatedServiceAccount, externalAccount:
+	case ImpersonatedServiceAccount, ExternalAccount:
 		type url struct {
 			ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
 		}
@@ -184,20 +211,20 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 			TargetPrincipal: account,
 			IncludeEmail:    true,
 		}
-		ts, err := impersonate.IDTokenSource(ctx, config, option.WithCredentialsJSON(data))
+		ts, err := impersonate.IDTokenSource(ctx, config, option.WithAuthCredentialsJSON(allowedType, data))
 		if err != nil {
 			return nil, err
 		}
 		return ts, nil
 	default:
-		return nil, fmt.Errorf("idtoken: unsupported credentials type")
+		return nil, fmt.Errorf("idtoken: unsupported credentials type: %d", allowedType)
 	}
 }
 
 // getAllowedType returns the credentials type of type credentialsType, and an error.
 // allowed types are "service_account" and "impersonated_service_account"
-func getAllowedType(data []byte) (credentialsType, error) {
-	var t credentialsType
+func getAllowedType(data []byte) (CredentialsType, error) {
+	var t CredentialsType
 	if len(data) == 0 {
 		return t, fmt.Errorf("idtoken: credential provided is 0 bytes")
 	}
@@ -211,14 +238,14 @@ func getAllowedType(data []byte) (credentialsType, error) {
 	return t, nil
 }
 
-func parseCredType(typeString string) credentialsType {
+func parseCredType(typeString string) CredentialsType {
 	switch typeString {
 	case "service_account":
-		return serviceAccount
+		return ServiceAccount
 	case "impersonated_service_account":
-		return impersonatedServiceAccount
+		return ImpersonatedServiceAccount
 	case "external_account":
-		return externalAccount
+		return ExternalAccount
 	default:
 		return unknownCredType
 	}
@@ -235,51 +262,6 @@ func (w withCustomClaims) Apply(o *internal.DialSettings) {
 	o.CustomClaims = w
 }
 
-// CredentialsType specifies the type of JSON credentials being provided
-// to a loading function such as [WithAuthCredentialsFile] or
-// [WithAuthCredentialsJSON].
-type CredentialsType = option.CredentialsType
-
-const (
-	// Unknown represents an unknown JSON file type.
-	//
-	// IMPORTANT:
-	// This credential type does not validate the credential configuration. A security
-	// risk occurs when a credential configuration configured with malicious urls
-	// is used.
-	// You should validate credential configurations provided by untrusted sources.
-	// See [Security requirements when using credential configurations from an external
-	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
-	// for more details.
-	Unknown = option.Unknown
-	// ServiceAccount represents a service account file type.
-	ServiceAccount = option.ServiceAccount
-	// User represents a user credentials file type.
-	User = option.User
-	// ImpersonatedServiceAccount represents an impersonated service account file type.
-	//
-	// IMPORTANT:
-	// This credential type does not validate the credential configuration. A security
-	// risk occurs when a credential configuration configured with malicious urls
-	// is used.
-	// You should validate credential configurations provided by untrusted sources.
-	// See [Security requirements when using credential configurations from an external
-	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
-	// for more details.
-	ImpersonatedServiceAccount = option.ImpersonatedServiceAccount
-	// ExternalAccount represents an external account file type.
-	//
-	// IMPORTANT:
-	// This credential type does not validate the credential configuration. A security
-	// risk occurs when a credential configuration configured with malicious urls
-	// is used.
-	// You should validate credential configurations provided by untrusted sources.
-	// See [Security requirements when using credential configurations from an external
-	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
-	// for more details.
-	ExternalAccount = option.ExternalAccount
-)
-
 // WithCredentialsFile returns a ClientOption that authenticates
 // API calls with the given service account or refresh token JSON
 // credentials file.

idtoken/integration_test.go

@@ -11,13 +11,14 @@ import (
 	"strings"
 	"testing"
 
-	"golang.org/x/oauth2/google"
 	"google.golang.org/api/idtoken"
 	"google.golang.org/api/option"
 )
 
 const (
 	envCredentialFile = "GOOGLE_APPLICATION_CREDENTIALS"
+	// Change this type as needed to match the credentials type of GOOGLE_APPLICATION_CREDENTIALS JSON or ADC credentials JSON.
+	credentialsFileType = idtoken.ServiceAccount
 
 	aud = "http://example.com"
 )
@@ -26,38 +27,11 @@ func TestNewTokenSource(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
 	}
-	ts, err := idtoken.NewTokenSource(context.Background(), "http://example.com", option.WithCredentialsFile(os.Getenv(envCredentialFile)))
-	if err != nil {
-		t.Fatalf("unable to create TokenSource: %v", err)
-	}
-	tok, err := ts.Token()
-	if err != nil {
-		t.Fatalf("unable to retrieve Token: %v", err)
-	}
-	req := &http.Request{Header: make(http.Header)}
-	tok.SetAuthHeader(req)
-	if !strings.HasPrefix(req.Header.Get("Authorization"), "Bearer ") {
-		t.Fatalf("token should sign requests with Bearer Authorization header")
-	}
-	validTok, err := idtoken.Validate(context.Background(), tok.AccessToken, aud)
-	if err != nil {
-		t.Fatalf("token validation failed: %v", err)
-	}
-	if validTok.Audience != aud {
-		t.Fatalf("got %q, want %q", validTok.Audience, aud)
-	}
-}
-
-func TestNewTokenSource_WithCredentialJSON(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping integration test")
-	}
-	ctx := context.Background()
-	creds, err := google.FindDefaultCredentials(ctx)
-	if err != nil {
-		t.Fatalf("unable to find default creds: %v", err)
+	credsPath := os.Getenv(envCredentialFile)
+	if credsPath == "" {
+		t.Fatalf("Env var is not set: %s", envCredentialFile)
 	}
-	ts, err := idtoken.NewTokenSource(ctx, aud, option.WithCredentialsJSON(creds.JSON))
+	ts, err := idtoken.NewTokenSource(context.Background(), "http://example.com", option.WithAuthCredentialsFile(credentialsFileType, credsPath))
 	if err != nil {
 		t.Fatalf("unable to create Client: %v", err)
 	}

option/option.go

@@ -24,17 +24,6 @@ import (
 type CredentialsType = internal.CredentialsType
 
 const (
-	// Unknown represents an unknown JSON file type.
-	//
-	// IMPORTANT:
-	// This credential type does not validate the credential configuration. A security
-	// risk occurs when a credential configuration configured with malicious urls
-	// is used.
-	// You should validate credential configurations provided by untrusted sources.
-	// See [Security requirements when using credential configurations from an external
-	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
-	// for more details.
-	Unknown CredentialsType = internal.Unknown
 	// ServiceAccount represents a service account file type.
 	ServiceAccount = internal.ServiceAccount
 	// User represents a user credentials file type.