Merge remote-tracking branch 'origin/main' into b/488439640

Author: diegomarquezp

.kokoro/build.sh

@@ -80,7 +80,28 @@ graalvm)
     # Run Unit and Integration Tests with Native Image
     bash .kokoro/populate-secrets.sh
     export GOOGLE_APPLICATION_CREDENTIALS="${KOKORO_GFILE_DIR}/secret_manager/java-it-service-account"
-    mvn -B ${INTEGRATION_TEST_ARGS} -ntp -Pnative -Pnative-test -Pslf4j2x test -pl 'oauth2_http'
+    
+    # GraalVM Native Image ignores JAVA_TOOL_OPTIONS at runtime. If the CI environment
+    # injects a custom truststore (e.g., for a proxy) via JAVA_TOOL_OPTIONS, we need to
+    # extract it and pass it explicitly to the native executable.
+    TRUST_STORE=""
+    if [[ "${JAVA_TOOL_OPTIONS}" =~ -Djavax.net.ssl.trustStore=([^ ]+) ]]; then
+        TRUST_STORE="${BASH_REMATCH[1]}"
+    fi
+    
+    # We use 'package' instead of 'test' to build the native image without automatically
+    # running it via the Maven plugin. This allows us to run it manually with the
+    # extracted truststore argument in the next step, avoiding complex Maven XML overrides.
+    mvn -B ${INTEGRATION_TEST_ARGS} -ntp -Pnative -Pnative-test -Pslf4j2x package -pl 'oauth2_http'
+    
+    # Run the native tests manually with the truststore
+    CMD="./oauth2_http/target/native-tests --xml-output-dir ./oauth2_http/target/native-test-reports"
+    if [ -n "$TRUST_STORE" ]; then
+        CMD="$CMD -Djavax.net.ssl.trustStore=$TRUST_STORE"
+    fi
+    
+    echo "Executing: $CMD"
+    $CMD
     RETURN_CODE=$?
     ;;
 samples)

appengine/javatests/com/google/auth/appengine/AppEngineCredentialsTest.java

@@ -36,8 +36,8 @@
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNotSame;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 import com.google.auth.Credentials;
 import com.google.auth.oauth2.AccessToken;
@@ -135,11 +135,7 @@ void createScoped_clonesWithScopes() throws IOException {
             .setAppIdentityService(appIdentity)
             .build();
     assertTrue(credentials.createScopedRequired());
-    try {
-      credentials.getRequestMetadata(CALL_URI);
-      fail("Should not be able to use credential without scopes.");
-    } catch (Exception expected) {
-    }
+    assertThrows(IOException.class, () -> credentials.getRequestMetadata(CALL_URI));
     assertEquals(0, appIdentity.getGetAccessTokenCallCount());
 
     GoogleCredentials scopedCredentials = credentials.createScoped(SCOPES);

oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java

@@ -105,9 +105,9 @@ public class IdTokenCredentials extends OAuth2Credentials {
 
   private static final long serialVersionUID = -2133257318957588431L;
 
-  private IdTokenProvider idTokenProvider;
+  private final IdTokenProvider idTokenProvider;
+  private final List<IdTokenProvider.Option> options;
   private String targetAudience;
-  private List<IdTokenProvider.Option> options;
 
   private IdTokenCredentials(Builder builder) {
     this.idTokenProvider = Preconditions.checkNotNull(builder.getIdTokenProvider());
@@ -131,7 +131,7 @@ public IdToken getIdToken() {
 
   @Override
   public int hashCode() {
-    return Objects.hash(options, targetAudience);
+    return Objects.hash(idTokenProvider, options, targetAudience);
   }
 
   @Override
@@ -146,7 +146,8 @@ public boolean equals(Object obj) {
     }
     IdTokenCredentials other = (IdTokenCredentials) obj;
     return Objects.equals(this.idTokenProvider, other.idTokenProvider)
-        && Objects.equals(this.targetAudience, other.targetAudience);
+        && Objects.equals(this.targetAudience, other.targetAudience)
+        && Objects.equals(this.options, other.options);
   }
 
   @Override
@@ -169,16 +170,29 @@ public static class Builder extends OAuth2Credentials.Builder {
 
     protected Builder() {}
 
+    /**
+     * Sets the provider for the ID token.
+     *
+     * @param idTokenProvider the provider for the ID token, cannot be null
+     * @return the builder object
+     */
     @CanIgnoreReturnValue
     public Builder setIdTokenProvider(IdTokenProvider idTokenProvider) {
-      this.idTokenProvider = idTokenProvider;
+      this.idTokenProvider = Preconditions.checkNotNull(idTokenProvider);
       return this;
     }
 
     public IdTokenProvider getIdTokenProvider() {
       return this.idTokenProvider;
     }
 
+    /**
+     * Sets the target audience for the ID token.
+     *
+     * @param targetAudience the target audience, cannot be null for non-UserCredentials. If set for
+     *     UserCredentials, the value will be ignored.
+     * @return the builder object
+     */
     @CanIgnoreReturnValue
     public Builder setTargetAudience(String targetAudience) {
       this.targetAudience = targetAudience;
@@ -189,6 +203,12 @@ public String getTargetAudience() {
       return this.targetAudience;
     }
 
+    /**
+     * Sets the options for the ID token.
+     *
+     * @param options list of options, can be null or empty if no options are needed.
+     * @return the builder object
+     */
     @CanIgnoreReturnValue
     public Builder setOptions(List<IdTokenProvider.Option> options) {
       this.options = options;

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -45,6 +45,7 @@
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
 import com.google.api.core.InternalApi;
+import com.google.api.core.ObsoleteApi;
 import com.google.auth.CredentialTypeForMetrics;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpCredentialsAdapter;
@@ -59,9 +60,9 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
-import java.text.DateFormat;
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
+import java.time.DateTimeException;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.Collection;
@@ -101,7 +102,6 @@ public class ImpersonatedCredentials extends GoogleCredentials
     implements ServiceAccountSigner, IdTokenProvider {
 
   private static final long serialVersionUID = -2133257318957488431L;
-  private static final String RFC3339 = "yyyy-MM-dd'T'HH:mm:ssX";
   private static final int TWELVE_HOURS_IN_SECONDS = 43200;
   private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;
   private GoogleCredentials sourceCredentials;
@@ -510,12 +510,16 @@ public CredentialTypeForMetrics getMetricsCredentialType() {
   }
 
   /**
-   * Clones the impersonated credentials with a new calendar.
+   * This method is marked obsolete. There is no alternative to setting a custom calendar for the
+   * Credential.
+   *
+   * <p>Clones the impersonated credentials with a new calendar.
    *
    * @param calendar the calendar that will be used by the new ImpersonatedCredentials instance when
    *     parsing the received expiration time of the refreshed access token
    * @return the cloned impersonated credentials with the given custom calendar
    */
+  @ObsoleteApi("This method is obsolete and will be removed in a future release.")
   public ImpersonatedCredentials createWithCustomCalendar(Calendar calendar) {
     return toBuilder()
         .setScopes(this.scopes)
@@ -660,14 +664,23 @@ public AccessToken refreshAccessToken() throws IOException {
     String expireTime =
         OAuth2Utils.validateString(responseData, "expireTime", "Expected to find an expireTime");
 
-    DateFormat format = new SimpleDateFormat(RFC3339);
-    format.setCalendar(calendar);
+    Instant expirationInstant;
     try {
-      Date date = format.parse(expireTime);
-      return new AccessToken(accessToken, date);
-    } catch (ParseException pe) {
-      throw new IOException("Error parsing expireTime: " + pe.getMessage());
+      if (calendar != null) {
+        // For backward compatibility, if a custom calendar is set, use its timezone
+        // and convert it to an Instant
+        expirationInstant =
+            Instant.from(
+                DateTimeFormatter.ISO_INSTANT
+                    .withZone(calendar.getTimeZone().toZoneId())
+                    .parse(expireTime));
+      } else {
+        expirationInstant = Instant.parse(expireTime);
+      }
+    } catch (DateTimeException e) {
+      throw new IOException("Error parsing expireTime: " + expireTime, e);
     }
+    return new AccessToken(accessToken, Date.from(expirationInstant));
   }
 
   /**
@@ -883,7 +896,17 @@ public Builder setIamEndpointOverride(String iamEndpointOverride) {
       return this;
     }
 
+    /**
+     * This method is marked obsolete. There is no alternative to setting a custom calendar for the
+     * Credential.
+     *
+     * <p>Sets the calendar to be used for parsing the expiration time.
+     *
+     * @param calendar the calendar to use
+     * @return the builder
+     */
     @CanIgnoreReturnValue
+    @ObsoleteApi("This method is obsolete and will be removed in a future release.")
     public Builder setCalendar(Calendar calendar) {
       this.calendar = calendar;
       return this;
@@ -903,6 +926,15 @@ public Builder setReadTimeout(int readTimeout) {
       return this;
     }
 
+    /**
+     * This method is marked obsolete. There is no alternative to getting a custom calendar for the
+     * Credential.
+     *
+     * <p>Returns the calendar to be used for parsing the expiration time.
+     *
+     * @return the calendar
+     */
+    @ObsoleteApi("This method is obsolete and will be removed in a future release.")
     public Calendar getCalendar() {
       return this.calendar;
     }

oauth2_http/javatests/com/google/auth/TestUtils.java

@@ -46,9 +46,9 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.text.SimpleDateFormat;
 import java.util.Calendar;
 import java.util.Date;
@@ -90,15 +90,11 @@ private static boolean hasBearerToken(Map<String, List<String>> metadata, String
   public static InputStream jsonToInputStream(GenericJson json) throws IOException {
     json.setFactory(JSON_FACTORY);
     String text = json.toPrettyString();
-    return new ByteArrayInputStream(text.getBytes("UTF-8"));
+    return new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8));
   }
 
   public static InputStream stringToInputStream(String text) {
-    try {
-      return new ByteArrayInputStream(text.getBytes("UTF-8"));
-    } catch (UnsupportedEncodingException e) {
-      throw new RuntimeException("Unexpected encoding exception", e);
-    }
+    return new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8));
   }
 
   /**

oauth2_http/javatests/com/google/auth/http/HttpCredentialsAdapterTest.java

@@ -79,7 +79,7 @@ void initialize_populatesOAuth2Credentials() throws IOException {
 
     HttpHeaders requestHeaders = request.getHeaders();
     String authorizationHeader = requestHeaders.getAuthorization();
-    assertEquals(authorizationHeader, expectedAuthorization);
+    assertEquals(expectedAuthorization, authorizationHeader);
   }
 
   @Test

oauth2_http/javatests/com/google/auth/mtls/SecureConnectProviderTest.java

@@ -38,7 +38,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.security.GeneralSecurityException;
 import java.util.List;
 import org.junit.jupiter.api.Test;
 
@@ -70,7 +69,7 @@ public InputStream getErrorStream() {
     }
 
     @Override
-    public int waitFor() throws InterruptedException {
+    public int waitFor() {
       return 0;
     }
 
@@ -83,7 +82,9 @@ public int exitValue() {
     }
 
     @Override
-    public void destroy() {}
+    public void destroy() {
+      // Nothing was initialized and nothing needs to be destroyed
+    }
   }
 
   static class TestProcessProvider implements SecureConnectProvider.ProcessProvider {
@@ -102,19 +103,22 @@ public Process createProcess(InputStream metadata) throws IOException {
 
   @Test
   void testGetKeyStoreNonZeroExitCode() {
-    InputStream metadata =
+    try (InputStream metadata =
         this.getClass()
             .getClassLoader()
-            .getResourceAsStream("com/google/api/gax/rpc/mtls/mtlsCertAndKey.pem");
-    IOException actual =
-        assertThrows(
-            IOException.class,
-            () -> SecureConnectProvider.getKeyStore(metadata, new TestProcessProvider(1)));
-    assertTrue(
-        actual
-            .getMessage()
-            .contains("SecureConnect: Cert provider command failed with exit code: 1"),
-        "expected to fail with nonzero exit code");
+            .getResourceAsStream("com/google/api/gax/rpc/mtls/mtlsCertAndKey.pem")) {
+      IOException actual =
+          assertThrows(
+              IOException.class,
+              () -> SecureConnectProvider.getKeyStore(metadata, new TestProcessProvider(1)));
+      assertTrue(
+          actual
+              .getMessage()
+              .contains("SecureConnect: Cert provider command failed with exit code: 1"),
+          "expected to fail with nonzero exit code");
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
   }
 
   @Test
@@ -147,8 +151,7 @@ void testRunCertificateProviderCommandTimeout() {
   }
 
   @Test
-  void testGetKeyStore_FileNotFoundException()
-      throws IOException, GeneralSecurityException, InterruptedException {
+  void testGetKeyStore_FileNotFoundException() {
     SecureConnectProvider provider =
         new SecureConnectProvider(new TestProcessProvider(0), "/invalid/metadata/path.json");