Add support for WIF credentials in App Distribution Gradle Plugin

Author: lfkellogg

firebase-appdistribution-gradle/src/main/java/com/google/firebase/appdistribution/gradle/AuthenticatedHttpClient.kt

@@ -16,7 +16,7 @@
 
 package com.google.firebase.appdistribution.gradle
 
-import com.google.api.client.auth.oauth2.Credential
+import com.google.api.client.http.HttpRequestInitializer
 import com.google.api.client.googleapis.GoogleUtils
 import com.google.api.client.http.GenericUrl
 import com.google.api.client.http.HttpContent
@@ -34,8 +34,8 @@ private constructor(
   private val httpRequestFactory: HttpRequestFactory,
 ) {
   constructor(
-    credential: Credential
-  ) : this(newGoogleHttpTransport().createRequestFactory(credential))
+    requestInitializer: HttpRequestInitializer
+  ) : this(newGoogleHttpTransport().createRequestFactory(requestInitializer))
 
   constructor(httpTransport: HttpTransport) : this(httpTransport.createRequestFactory())
 

firebase-appdistribution-gradle/src/main/java/com/google/firebase/appdistribution/gradle/CredentialsRetriever.kt

@@ -16,7 +16,7 @@
 
 package com.google.firebase.appdistribution.gradle
 
-import com.google.api.client.auth.oauth2.Credential
+import com.google.api.client.http.HttpRequestInitializer
 import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
 import com.google.api.client.http.HttpTransport
 import com.google.firebase.appdistribution.gradle.AppDistributionEnvironment.Companion.ENV_FIREBASE_TOKEN
@@ -40,13 +40,13 @@ class CredentialsRetriever(
   ) : this(GoogleNetHttpTransport.newTrustedTransport(), appDistributionEnvironment)
 
   /** Returns the auth credential, if found. Otherwise returns null. */
-  fun getAuthCredential(serviceCredentialsPath: String? = null): Credential? {
+  fun getAuthCredential(serviceCredentialsPath: String? = null): HttpRequestInitializer? {
     // Check the explicitly passed in service credentials first
     if (serviceCredentialsPath != null) {
       val serviceCredentialsFile =
         ensureFileExists(serviceCredentialsPath, SERVICE_CREDENTIALS_NOT_FOUND)
       return try {
-        ServiceAccountCredentials.fromFile(serviceCredentialsFile).googleCredential
+        ServiceAccountCredentials.fromFile(serviceCredentialsFile).requestInitializer
       } catch (e: IOException) {
         throw AppDistributionException(
           SERVICE_CREDENTIALS_NOT_FOUND,
@@ -95,7 +95,7 @@ class CredentialsRetriever(
       return try {
         val envServiceAccountCredentials =
           ServiceAccountCredentials.fromFile(serviceCredentialsFile)
-        envServiceAccountCredentials.googleCredential
+        envServiceAccountCredentials.requestInitializer
       } catch (e: IOException) {
         throw AppDistributionException(
           SERVICE_CREDENTIALS_NOT_FOUND,

firebase-appdistribution-gradle/src/main/java/com/google/firebase/appdistribution/gradle/FirebaseAppDistribution.kt

@@ -16,7 +16,7 @@
 
 package com.google.firebase.appdistribution.gradle
 
-import com.google.api.client.auth.oauth2.Credential
+import com.google.api.client.http.HttpRequestInitializer
 import com.google.api.client.http.HttpResponseException
 import com.google.firebase.appdistribution.gradle.AppDistributionException.Reason.MISSING_CREDENTIALS
 import java.io.IOException
@@ -76,9 +76,9 @@ object FirebaseAppDistribution {
   private fun getCredential(options: TesterManagementOptions) =
     options.credential ?: throw AppDistributionException(MISSING_CREDENTIALS)
 
-  private fun getAuthenticatedHttpClient(credential: Credential): AuthenticatedHttpClient {
+  private fun getAuthenticatedHttpClient(requestInitializer: HttpRequestInitializer): AuthenticatedHttpClient {
     return try {
-      AuthenticatedHttpClient(credential)
+      AuthenticatedHttpClient(requestInitializer)
     } catch (e: Exception) {
       when (e) {
         is GeneralSecurityException,

firebase-appdistribution-gradle/src/main/java/com/google/firebase/appdistribution/gradle/TesterManagementOptions.kt

@@ -15,6 +15,7 @@
  */
 package com.google.firebase.appdistribution.gradle
 
+import com.google.api.client.http.HttpRequestInitializer
 import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
 import com.google.firebase.appdistribution.gradle.AppDistributionException.Reason.MISSING_PROJECT_NUMBER
 import com.google.firebase.appdistribution.gradle.AppDistributionException.Reason.MISSING_TESTER_EMAILS
@@ -34,7 +35,7 @@ class TesterManagementOptions(
     )
 ) {
   val emails = splitCommaOrNewlineSeparatedString(getValueFromStringOrFile(emailsValue, emailsFile))
-  val credential = credentialsRetriever.getAuthCredential(serviceCredentialsFile)
+  val credential: HttpRequestInitializer? = credentialsRetriever.getAuthCredential(serviceCredentialsFile)
 
   init {
     // If project number is set it would be greater than 0, the default primitive value

firebase-appdistribution-gradle/src/main/java/com/google/firebase/appdistribution/gradle/UploadDistributionOptions.kt

@@ -16,7 +16,7 @@
 
 package com.google.firebase.appdistribution.gradle
 
-import com.google.api.client.auth.oauth2.Credential
+import com.google.api.client.http.HttpRequestInitializer
 import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
 import com.google.api.client.http.HttpTransport
 import com.google.common.base.Splitter
@@ -71,7 +71,7 @@ internal constructor(
   val testers = extractValues(testersValue, testersPath)
   val groups = extractValues(groupsValue, groupsPath)
   val testDevices = extractTestDevices(testDevicesValue, testDevicesPath)
-  val credential: Credential? =
+  val credential: HttpRequestInitializer? =
     CredentialsRetriever(transport, appDistributionEnvironment)
       .getAuthCredential(serviceCredentialsFile)
   val testCases = extractValues(testCasesValue, testCasesPath)

firebase-appdistribution-gradle/src/main/java/com/google/firebase/appdistribution/gradle/models/ServiceAccountCredentials.kt

@@ -16,17 +16,20 @@
 
 package com.google.firebase.appdistribution.gradle.models
 
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential
+import com.google.auth.http.HttpCredentialsAdapter
+import com.google.auth.oauth2.GoogleCredentials
 import com.google.firebase.appdistribution.gradle.ApiEndpoints
 import java.io.File
 import java.nio.file.Files
 
-class ServiceAccountCredentials private constructor(val googleCredential: GoogleCredential) {
+class ServiceAccountCredentials private constructor(val requestInitializer: HttpCredentialsAdapter) {
   companion object {
     fun fromFile(credentials: File): ServiceAccountCredentials =
       ServiceAccountCredentials(
-        GoogleCredential.fromStream(Files.newInputStream(credentials.toPath()))
-          .createScoped(ApiEndpoints.SCOPES)
+        HttpCredentialsAdapter(
+          GoogleCredentials.fromStream(Files.newInputStream(credentials.toPath()))
+            .createScoped(ApiEndpoints.SCOPES)
+        )
       )
   }
 }

firebase-appdistribution-gradle/src/test/fixtures/test-wif-credentials.json

@@ -0,0 +1,9 @@
+{
+  "type": "external_account",
+  "audience": "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-pool/providers/my-provider",
+  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+  "token_url": "https://sts.googleapis.com/v1/token",
+  "credential_source": {
+    "file": "/var/run/secrets/token"
+  }
+}

firebase-appdistribution-gradle/src/test/java/com/google/firebase/appdistribution/gradle/CredentialsRetrieverTest.kt

@@ -18,6 +18,9 @@ package com.google.firebase.appdistribution.gradle
 
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential
 import com.google.api.client.http.HttpTransport
+import com.google.auth.http.HttpCredentialsAdapter
+import com.google.auth.oauth2.ExternalAccountCredentials
+import com.google.auth.oauth2.ServiceAccountCredentials as GoogleServiceAccountCredentials
 import junit.framework.TestCase.assertEquals
 import junit.framework.TestCase.assertNull
 import kotlin.test.assertContains
@@ -48,13 +51,24 @@ class CredentialsRetrieverTest {
   fun testGetAuthCredential_usesServiceCredentialsJsonPassedIn() {
     val credentialsRetriever = CredentialsRetriever()
 
-    val credential = getAuthCredential(credentialsRetriever, TEST_SERVICE_CREDENTIALS_PATH)
+    val credential = credentialsRetriever.getAuthCredential(TEST_SERVICE_CREDENTIALS_PATH) as HttpCredentialsAdapter
+    val googleCreds = credential.credentials as GoogleServiceAccountCredentials
 
     assertEquals(
       "firebase-adminsdk@my-project.iam.gserviceaccount.com",
-      credential.serviceAccountId
+      googleCreds.clientEmail
     )
-    assertEquals("abcefg123456789", credential.serviceAccountPrivateKeyId)
+    assertEquals("abcefg123456789", googleCreds.privateKeyId)
+  }
+
+  @Test
+  fun testGetAuthCredential_usesWifCredentialsJsonPassedIn() {
+    val credentialsRetriever = CredentialsRetriever()
+
+    val credential = credentialsRetriever.getAuthCredential(TEST_WIF_CREDENTIALS_PATH) as HttpCredentialsAdapter
+    val googleCreds = credential.credentials
+
+    assert(googleCreds is ExternalAccountCredentials)
   }
 
   @Test
@@ -65,7 +79,7 @@ class CredentialsRetrieverTest {
     environmentVariables[AppDistributionEnvironment.ENV_FIREBASE_TOKEN] = expectedRefreshToken
     val credentialsRetriever = CredentialsRetriever(transport)
 
-    val credential = getAuthCredential(credentialsRetriever)
+    val credential = credentialsRetriever.getAuthCredential() as GoogleCredential
 
     assertEquals("some-access-token", credential.accessToken)
   }
@@ -77,7 +91,7 @@ class CredentialsRetrieverTest {
     environmentVariables["XDG_CONFIG_HOME"] = "src/test/fixtures"
     val credentialsRetriever = CredentialsRetriever(transport)
 
-    val credential = getAuthCredential(credentialsRetriever)
+    val credential = credentialsRetriever.getAuthCredential() as GoogleCredential
 
     assertContains("some-access-token", credential.accessToken)
   }
@@ -93,13 +107,14 @@ class CredentialsRetrieverTest {
       TEST_SERVICE_CREDENTIALS_PATH
     val credentialsRetriever = CredentialsRetriever(testEnvironment)
 
-    val credential = getAuthCredential(credentialsRetriever)
+    val credential = credentialsRetriever.getAuthCredential() as HttpCredentialsAdapter
+    val googleCreds = credential.credentials as GoogleServiceAccountCredentials
 
     assertEquals(
       "firebase-adminsdk@my-project.iam.gserviceaccount.com",
-      credential.serviceAccountId
+      googleCreds.clientEmail
     )
-    assertEquals("abcefg123456789", credential.serviceAccountPrivateKeyId)
+    assertEquals("abcefg123456789", googleCreds.privateKeyId)
   }
 
   @Test
@@ -120,17 +135,18 @@ class CredentialsRetrieverTest {
     val credentialsRetriever = CredentialsRetriever(transport)
 
     // Also pass in service credentials json directly
-    val credential = getAuthCredential(credentialsRetriever, TEST_SERVICE_CREDENTIALS_PATH)
+    val credential = credentialsRetriever.getAuthCredential(TEST_SERVICE_CREDENTIALS_PATH) as HttpCredentialsAdapter
+    val googleCreds = credential.credentials as GoogleServiceAccountCredentials
 
     // Verify service credentials auth is configured
     assertEquals(
       "firebase-adminsdk@my-project.iam.gserviceaccount.com",
-      credential.serviceAccountId
+      googleCreds.clientEmail
     )
-    assertEquals("abcefg123456789", credential.serviceAccountPrivateKeyId)
+    assertEquals("abcefg123456789", googleCreds.privateKeyId)
 
     // Verify the firebase refresh token was not used
-    assertNull(credential.accessToken)
+    assertNull(googleCreds.accessToken)
   }
 
   @Test
@@ -147,7 +163,7 @@ class CredentialsRetrieverTest {
       )
     val credentialsRetriever = CredentialsRetriever(transport)
 
-    val credential = getAuthCredential(credentialsRetriever)
+    val credential = credentialsRetriever.getAuthCredential() as GoogleCredential
 
     // Verify access token is the one set as the env firebase token
     assertEquals("access-token-for-env-firebase-token", credential.accessToken)
@@ -164,20 +180,17 @@ class CredentialsRetrieverTest {
     environmentVariables[AppDistributionEnvironment.ENV_GOOGLE_APPLICATION_CREDENTIALS] =
       TEST_SERVICE_CREDENTIALS_PATH
 
-    val credential = getAuthCredential(credentialsRetriever)
+    val credential = credentialsRetriever.getAuthCredential() as GoogleCredential
 
     // Verify Firebase CLI token is used, which also verifies that default credentials aren't used
     // since it's not of type ServiceAccountCredentials
     assertEquals("some-access-token", credential.accessToken)
   }
 
-  private fun getAuthCredential(
-    credentialsRetriever: CredentialsRetriever,
-    serviceCredentialsPath: String? = null
-  ) = credentialsRetriever.getAuthCredential(serviceCredentialsPath) as GoogleCredential
-
   companion object {
     private val TEST_SERVICE_CREDENTIALS_PATH =
       FixtureUtils.getFixtureAsFile("test-service-credentials.json").absolutePath
+    private val TEST_WIF_CREDENTIALS_PATH =
+      FixtureUtils.getFixtureAsFile("test-wif-credentials.json").absolutePath
   }
 }