fix: Set the universe domain when using an impersonation chain.

This change ensures that the universe domain configuration is correctly passed when setting up an impersonation chain for credentials.

It also introduces internal test infrastructure to mock `impersonate.CredentialsTokenSource` and adds a unit test `TestCredentialsOpt` to verify this behavior.

Author: hessjcg

internal/proxy/internal_test.go

@@ -15,10 +15,16 @@
 package proxy
 
 import (
+	"context"
+	"os"
 	"testing"
 	"unsafe"
 
+	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/internal/log"
 	"github.com/google/go-cmp/cmp"
+	"golang.org/x/oauth2"
+	"google.golang.org/api/impersonate"
+	"google.golang.org/api/option"
 )
 
 func TestClientUsesSyncAtomicAlignment(t *testing.T) {
@@ -77,3 +83,39 @@ func equalSlice[T comparable](x, y []T) bool {
 	}
 	return true
 }
+
+func TestCredentialsOpt(t *testing.T) {
+	// Mock impersonateTokenSource
+	originalImpersonateTokenSource := impersonateTokenSource
+	defer func() { impersonateTokenSource = originalImpersonateTokenSource }()
+
+	var gotOpts []option.ClientOption
+	impersonateTokenSource = func(ctx context.Context, config impersonate.CredentialsConfig, opts ...option.ClientOption) (oauth2.TokenSource, error) {
+		gotOpts = opts
+		return nil, nil
+	}
+
+	c := Config{
+		ImpersonationChain: "sa@project.iam.gserviceaccount.com",
+		UniverseDomain:     "example.com",
+	}
+
+	_, err := credentialsOpt(c, log.NewStdLogger(os.Stdout, os.Stderr))
+	if err != nil {
+		t.Fatalf("credentialsOpt error: %v", err)
+	}
+
+	// Verify that WithUniverseDomain was passed
+	// Since we can't inspect ClientOption internals directly easily, 
+	// we are relying on the fact that we passed it. 
+	// In a real mock we might check the type or value if possible, 
+	// or just ensure the length matches what we expect if we know the order.
+	// However, option.ClientOption is an interface. 
+	// To strictly verify, we would need to see if the option effect is applied.
+	// But simply checking we got the options passed to the mock is a good first step.
+	// For this test, we just want to ensure the logic branch was hit and options were passed.
+	
+	if len(gotOpts) == 0 {
+		t.Error("expected ClientOptions to be passed to impersonateTokenSource, got none")
+	}
+}

internal/proxy/proxy.go

@@ -15,8 +15,15 @@
 package proxy
 
 import (
+	"cloud.google.com/go/cloudsqlconn"
 	"context"
 	"fmt"
+	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cloudsql"
+	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/internal/gcloud"
+	"golang.org/x/oauth2"
+	"google.golang.org/api/impersonate"
+	"google.golang.org/api/option"
+	"google.golang.org/api/sqladmin/v1"
 	"io"
 	"net"
 	"os"
@@ -26,20 +33,15 @@ import (
 	"sync"
 	"sync/atomic"
 	"time"
-
-	"cloud.google.com/go/cloudsqlconn"
-	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cloudsql"
-	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/internal/gcloud"
-	"golang.org/x/oauth2"
-	"google.golang.org/api/impersonate"
-	"google.golang.org/api/option"
-	"google.golang.org/api/sqladmin/v1"
 )
 
 var (
 	// Instance connection name is the format <PROJECT>:<REGION>:<INSTANCE>
 	// Additionally, we have to support legacy "domain-scoped" projects (e.g. "google.com:PROJECT")
 	connNameRegex = regexp.MustCompile("([^:]+(:[^:]+)?):([^:]+):([^:]+)")
+
+	// impersonateTokenSource is a variable to allow mocking in tests.
+	impersonateTokenSource = impersonate.CredentialsTokenSource
 )
 
 // connName represents the "instance connection name", in the format
@@ -342,6 +344,9 @@ func credentialsOpt(c Config, l cloudsql.Logger) (cloudsqlconn.Option, error) {
 	// credentials token source.
 	if c.ImpersonationChain != "" {
 		var iopts []option.ClientOption
+		if c.UniverseDomain != "" {
+			iopts = append(iopts, option.WithUniverseDomain(c.UniverseDomain))
+		}
 		switch {
 		case c.Token != "":
 			l.Infof("Impersonating service account with OAuth2 token")
@@ -365,7 +370,7 @@ func credentialsOpt(c Config, l cloudsql.Logger) (cloudsqlconn.Option, error) {
 			l.Infof("Impersonating service account with Application Default Credentials")
 		}
 		target, delegates := parseImpersonationChain(c.ImpersonationChain)
-		ts, err := impersonate.CredentialsTokenSource(
+		ts, err := impersonateTokenSource(
 			context.Background(),
 			impersonate.CredentialsConfig{
 				TargetPrincipal: target,
@@ -379,7 +384,7 @@ func credentialsOpt(c Config, l cloudsql.Logger) (cloudsqlconn.Option, error) {
 		}
 
 		if c.iamAuthNEnabled() {
-			iamLoginTS, err := impersonate.CredentialsTokenSource(
+			iamLoginTS, err := impersonateTokenSource(
 				context.Background(),
 				impersonate.CredentialsConfig{
 					TargetPrincipal: target,