googleapis · lqiu96 · Mar 26, 2026 · Mar 26, 2026 · Apr 8, 2026 · Apr 8, 2026
@@ -36,8 +36,8 @@
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNotSame;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 import com.google.auth.Credentials;
 import com.google.auth.oauth2.AccessToken;
@@ -135,11 +135,7 @@ void createScoped_clonesWithScopes() throws IOException {
             .setAppIdentityService(appIdentity)
             .build();
     assertTrue(credentials.createScopedRequired());
-    try {
-      credentials.getRequestMetadata(CALL_URI);
-      fail("Should not be able to use credential without scopes.");
-    } catch (Exception expected) {
-    }
+    assertThrows(IOException.class, () -> credentials.getRequestMetadata(CALL_URI));
     assertEquals(0, appIdentity.getGetAccessTokenCallCount());
 
     GoogleCredentials scopedCredentials = credentials.createScoped(SCOPES);

@@ -0,0 +1,140 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.mtls;
+
+import com.google.api.core.InternalApi;
+import com.google.auth.oauth2.EnvironmentProvider;
+import com.google.auth.oauth2.PropertyProvider;
+import com.google.common.base.Strings;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Locale;
+
+/**
+ * Utility class for mTLS related operations.
+ *
+ * <p>For internal use only.
+ */
+@InternalApi
+public class MtlsUtils {
+  static final String CERTIFICATE_CONFIGURATION_ENV_VARIABLE = "GOOGLE_API_CERTIFICATE_CONFIG";
+  static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
+  static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
+
+  private MtlsUtils() {
+    // Prevent instantiation for Utility class
+  }
+
+  /**
+   * Returns the path to the client certificate file specified by the loaded workload certificate
+   * configuration.
+   *
+   * @return The path to the certificate file.
+   * @throws IOException if the certificate configuration cannot be found or loaded.
+   */
+  public static String getCertificatePath(
+      EnvironmentProvider envProvider, PropertyProvider propProvider, String certConfigPathOverride)
+      throws IOException {
+    String certPath =
+        getWorkloadCertificateConfiguration(envProvider, propProvider, certConfigPathOverride)
+            .getCertPath();
+    if (Strings.isNullOrEmpty(certPath)) {
+      throw new CertificateSourceUnavailableException(
+          "Certificate configuration loaded successfully, but does not contain a 'certificate_file' path.");
+    }
+    return certPath;
+  }
+
+  /**
+   * Resolves and loads the workload certificate configuration.
+   *
+   * <p>The configuration file is resolved in the following order of precedence: 1. The provided
+   * certConfigPathOverride (if not null). 2. The path specified by the
+   * GOOGLE_API_CERTIFICATE_CONFIG environment variable. 3. The well-known certificate configuration
+   * file in the gcloud config directory.
+   *
+   * @param envProvider the environment provider to use for resolving environment variables
+   * @param propProvider the property provider to use for resolving system properties
+   * @param certConfigPathOverride optional override path for the configuration file
+   * @return the loaded WorkloadCertificateConfiguration
+   * @throws IOException if the configuration file cannot be found, read, or parsed
+   */
+  static WorkloadCertificateConfiguration getWorkloadCertificateConfiguration(
+      EnvironmentProvider envProvider, PropertyProvider propProvider, String certConfigPathOverride)
+      throws IOException {
+    File certConfig;
+    if (certConfigPathOverride != null) {
+      certConfig = new File(certConfigPathOverride);
+    } else {
+      String envCredentialsPath = envProvider.getEnv(CERTIFICATE_CONFIGURATION_ENV_VARIABLE);
+      if (!Strings.isNullOrEmpty(envCredentialsPath)) {
+        certConfig = new File(envCredentialsPath);
+      } else {
+        certConfig = getWellKnownCertificateConfigFile(envProvider, propProvider);
+      }
+    }
+
+    if (!certConfig.isFile()) {
+      throw new CertificateSourceUnavailableException(
+          "Certificate configuration file does not exist or is not a file: "
+              + certConfig.getAbsolutePath());
+    }
+    try (InputStream certConfigStream = new FileInputStream(certConfig)) {
+      return WorkloadCertificateConfiguration.fromCertificateConfigurationStream(certConfigStream);
+    }
+  }
+
+  private static File getWellKnownCertificateConfigFile(
+      EnvironmentProvider envProvider, PropertyProvider propProvider) throws IOException {
+    File cloudConfigPath;
+    String envPath = envProvider.getEnv("CLOUDSDK_CONFIG");
+    if (envPath != null) {
+      cloudConfigPath = new File(envPath);
+    } else {
+      String osName = propProvider.getProperty("os.name", "").toLowerCase(Locale.US);
+      if (osName.indexOf("windows") >= 0) {
+        String appData = envProvider.getEnv("APPDATA");
+        if (Strings.isNullOrEmpty(appData)) {
+          throw new CertificateSourceUnavailableException(
+              "APPDATA environment variable is not set on Windows.");
+        }
+        File appDataPath = new File(appData);
+        cloudConfigPath = new File(appDataPath, CLOUDSDK_CONFIG_DIRECTORY);
+      } else {
+        File configPath = new File(propProvider.getProperty("user.home", ""), ".config");
+        cloudConfigPath = new File(configPath, CLOUDSDK_CONFIG_DIRECTORY);
+      }
+    }
+    return new File(cloudConfigPath, WELL_KNOWN_CERTIFICATE_CONFIG_FILE);
+  }
+}
@@ -31,40 +31,61 @@
 package com.google.auth.mtls;
 
 import com.google.api.client.util.SecurityUtils;
-import com.google.common.base.Strings;
+import com.google.api.core.InternalApi;
+import com.google.auth.oauth2.EnvironmentProvider;
+import com.google.auth.oauth2.PropertyProvider;
+import com.google.auth.oauth2.SystemEnvironmentProvider;
+import com.google.auth.oauth2.SystemPropertyProvider;
 import java.io.File;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.SequenceInputStream;
 import java.security.KeyStore;
-import java.util.Locale;
 
 /**
  * This class implements {@link MtlsProvider} for the Google Auth library transport layer via {@link
  * WorkloadCertificateConfiguration}. This is only meant to be used internally by Google Cloud
  * libraries, and the public facing methods may be changed without notice, and have no guarantee of
  * backwards compatibility.
  */
+@InternalApi
 public class X509Provider implements MtlsProvider {
-  static final String CERTIFICATE_CONFIGURATION_ENV_VARIABLE = "GOOGLE_API_CERTIFICATE_CONFIG";
-  static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
-  static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
-
+  private final EnvironmentProvider envProvider;
+  private final PropertyProvider propProvider;
   private final String certConfigPathOverride;
 
   /**
    * Creates an X509 provider with an override path for the certificate configuration, bypassing the
    * normal checks for the well known certificate configuration file path and environment variable.
    * This is meant for internal Google Cloud usage and behavior may be changed without warning.
    *
+   * @param envProvider environment provider used for environment variables
+   * @param propProvider property provider used for system properties
    * @param certConfigPathOverride the path to read the certificate configuration from.
    */
-  public X509Provider(String certConfigPathOverride) {
+  @InternalApi
+  public X509Provider(
+      EnvironmentProvider envProvider,
+      PropertyProvider propProvider,
+      String certConfigPathOverride) {
+    this.envProvider = envProvider;
+    this.propProvider = propProvider;
     this.certConfigPathOverride = certConfigPathOverride;
   }
 
+  /**
+   * Creates an X509 provider with an override path for the certificate configuration.
+   *
+   * @param certConfigPathOverride the path to read the certificate configuration from.
+   */
+  public X509Provider(String certConfigPathOverride) {
+    this(
+        SystemEnvironmentProvider.getInstance(),
+        SystemPropertyProvider.getInstance(),
+        certConfigPathOverride);
+  }
+
   /**
    * Creates a new X.509 provider that will check the environment variable path and the well known
    * Gcloud certificate configuration location. This is meant for internal Google Cloud usage and
@@ -74,29 +95,6 @@ public X509Provider() {
     this(null);
   }
 
-  /**
-   * Returns the path to the client certificate file specified by the loaded workload certificate
-   * configuration.
-   *
-   * <p>If the configuration has not been loaded yet (e.g., if {@link #getKeyStore()} has not been
-   * called), this method will attempt to load it first by searching the override path, environment
-   * variable, and well-known locations.
-   *
-   * @return The path to the certificate file.
-   * @throws IOException if the certificate configuration cannot be found or loaded, or if the
-   *     configuration file does not specify a certificate path.
-   * @throws CertificateSourceUnavailableException if the configuration file is not found.
-   */
-  public String getCertificatePath() throws IOException {
-    String certPath = getWorkloadCertificateConfiguration().getCertPath();
-    if (Strings.isNullOrEmpty(certPath)) {
-      // Ensure the loaded configuration actually contains the required path.
-      throw new CertificateSourceUnavailableException(
-          "Certificate configuration loaded successfully, but does not contain a 'certificate_file' path.");
-    }
-    return certPath;
-  }
-
   /**
    * Finds the certificate configuration file, then builds a Keystore using the X.509 certificate
    * and private key pointed to by the configuration. This will check the following locations in
@@ -115,12 +113,14 @@ public String getCertificatePath() throws IOException {
    */
   @Override
   public KeyStore getKeyStore() throws CertificateSourceUnavailableException, IOException {
-    WorkloadCertificateConfiguration workloadCertConfig = getWorkloadCertificateConfiguration();
+    WorkloadCertificateConfiguration workloadCertConfig =
+        MtlsUtils.getWorkloadCertificateConfiguration(
+            envProvider, propProvider, certConfigPathOverride);
 
     // Read the certificate and private key file paths into streams.
-    try (InputStream certStream = createInputStream(new File(workloadCertConfig.getCertPath()));
+    try (InputStream certStream = new FileInputStream(new File(workloadCertConfig.getCertPath()));
         InputStream privateKeyStream =
-            createInputStream(new File(workloadCertConfig.getPrivateKeyPath()));
+            new FileInputStream(new File(workloadCertConfig.getPrivateKeyPath()));
         SequenceInputStream certAndPrivateKeyStream =
             new SequenceInputStream(certStream, privateKeyStream)) {
 
@@ -149,74 +149,4 @@ public boolean isAvailable() throws IOException {
     }
     return true;
   }
-
-  private WorkloadCertificateConfiguration getWorkloadCertificateConfiguration()
-      throws IOException {
-    File certConfig;
-    if (this.certConfigPathOverride != null) {
-      certConfig = new File(certConfigPathOverride);
-    } else {
-      String envCredentialsPath = getEnv(CERTIFICATE_CONFIGURATION_ENV_VARIABLE);
-      if (!Strings.isNullOrEmpty(envCredentialsPath)) {
-        certConfig = new File(envCredentialsPath);
-      } else {
-        certConfig = getWellKnownCertificateConfigFile();
-      }
-    }
-    InputStream certConfigStream = null;
-    try {
-      if (!isFile(certConfig)) {
-        // Path will be put in the message from the catch block below
-        throw new CertificateSourceUnavailableException("File does not exist.");
-      }
-      certConfigStream = createInputStream(certConfig);
-      return WorkloadCertificateConfiguration.fromCertificateConfigurationStream(certConfigStream);
-    } finally {
-      if (certConfigStream != null) {
-        certConfigStream.close();
-      }
-    }
-  }
-
-  /*
-   * Start of methods to allow overriding in the test code to isolate from the environment.
-   */
-  boolean isFile(File file) {
-    return file.isFile();
-  }
-
-  InputStream createInputStream(File file) throws FileNotFoundException {
-    return new FileInputStream(file);
-  }
-
-  String getEnv(String name) {
-    return System.getenv(name);
-  }
-
-  String getOsName() {
-    return getProperty("os.name", "").toLowerCase(Locale.US);
-  }
-
-  String getProperty(String property, String def) {
-    return System.getProperty(property, def);
-  }
-
-  /*
-   * End of methods to allow overriding in the test code to isolate from the environment.
-   */
-
-  private File getWellKnownCertificateConfigFile() {
-    File cloudConfigPath;
-    String envPath = getEnv("CLOUDSDK_CONFIG");
-    if (envPath != null) {
-      cloudConfigPath = new File(envPath);
-    } else if (getOsName().indexOf("windows") >= 0) {
-      File appDataPath = new File(getEnv("APPDATA"));
-      cloudConfigPath = new File(appDataPath, CLOUDSDK_CONFIG_DIRECTORY);
-    } else {
-      File configPath = new File(getProperty("user.home", ""), ".config");
-      cloudConfigPath = new File(configPath, CLOUDSDK_CONFIG_DIRECTORY);
-    }
-    return new File(cloudConfigPath, WELL_KNOWN_CERTIFICATE_CONFIG_FILE);
-  }
 }
@@ -196,11 +196,6 @@ String getRegionalCredentialVerificationUrl() {
     return this.regionalCredentialVerificationUrl;
   }
 
-  @VisibleForTesting
-  String getEnv(String name) {
-    return System.getenv(name);
-  }
-
   @VisibleForTesting
   AwsSecurityCredentialsSupplier getAwsSecurityCredentialsSupplier() {
     return this.awsSecurityCredentialsSupplier;