
fix(bigquery-jdbc): propagate connection proxy settings to auth library #13539

Open: keshavdandeva wants to merge 6 commits into main from jdbc/fix-proxy-support


@keshavdandeva

Contributor

b/526579065
#13494

This PR resolves an issue where the BigQuery JDBC driver fails to connect/authenticate in proxy-enforced network environments, resulting in authentication timeouts.

Problem

While the driver successfully parses connection-specific proxy parameters (ProxyHost and ProxyPort in the connection string) and configures the main BigQuery client, it does not propagate them to the Google Auth Library credential objects (used to fetch/refresh OAuth2 access tokens). As a result, token fetch requests bypass the proxy and attempt direct egress to oauth2.googleapis.com, which is blocked by the firewall.

Solution

  1. Reordered Constructor: Updated BigQueryConnection.java to parse HTTP proxy settings and build HttpTransportOptions before instantiating credentials.
  2. Propagated Transport Factory: Extracted the proxy-configured HttpTransportFactory and passed it into the credentials helper (BigQueryJdbcOAuthUtility.getCredentials(...)).
  3. Updated Auth Utility: Overloaded and updated all authentication methods inside BigQueryJdbcOAuthUtility.java (getGoogleServiceAccountCredentials, getUserAuthorizer, getExternalAccountAuthCredentials, and getServiceAccountImpersonatedCredentials) to accept HttpTransportFactory and apply it to their respective credential builders.

Testing Done

1. Unit Tests

Added regression tests to BigQueryJdbcOAuthUtilityTest.java to assert that HttpTransportFactory is correctly set on the built credentials:

  • testGetCredentialsPropagatesHttpTransportFactory (Service Account Credentials)
  • testGetImpersonatedCredentialsPropagatesHttpTransportFactory (Impersonated Credentials)

2. Manual Verification

Verified routing in a network-isolated environment using Docker:

  • Set up a local Squid proxy on port 3128 and a mock HTTPS server hosting the /token endpoint on port 45825 on the host loopback.
  • Ran the client verifier container inside an isolated Docker bridge network (blocking direct access to the host loopback).
  • Configured the connection URL string with proxy details: ;ProxyHost=host.docker.internal;ProxyPort=3128;.
  • Result: The connection was established successfully, and the Squid proxy log recorded the authentication tunnel request:
    CONNECT localhost:45825 - HIER_DIRECT/::1 -
  • Omitting proxy settings correctly threw a Connection refused exception and left Squid logs empty, proving that proxy routing was strictly enforced and active.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request updates the BigQuery JDBC driver to propagate the HttpTransportFactory to various credential builders (Service Account, User Account, External Account, and Impersonated Credentials), ensuring that proxy and HTTP transport configurations are correctly applied during authentication. Unit tests have been added to verify this propagation. Feedback on the changes highlights a potential resource leak in BigQueryJdbcOAuthUtility.java where an InputStream is opened but not closed, and suggests wrapping it in a try-with-resources block.

@keshavdandeva

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request propagates the HttpTransportFactory to various credential builders and utility methods in BigQueryConnection and BigQueryJdbcOAuthUtility to ensure proxy configurations are correctly applied during OAuth authentication. It also adds unit tests to verify this propagation. The review feedback highlights opportunities to clean up redundant type casts when building credentials and suggests explicitly specifying StandardCharsets.UTF_8 when converting a JSON string to bytes to prevent platform-dependent encoding issues.

@keshavdandeva

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request propagates the HttpTransportFactory (representing proxy settings) to various credential types in BigQueryJdbcOAuthUtility to ensure authentication requests respect proxy configurations. The reviewer identified a gap where the httpTransportFactory is not propagated when using Application Default Credentials (APPLICATION_DEFAULT), which could cause token refresh requests to bypass the proxy and fail in proxy-enforced environments, and provided a code suggestion to fix it.

@keshavdandeva

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request propagates the HttpTransportFactory (configured via proxy properties) to the various Google credential builders in BigQueryJdbcOAuthUtility to ensure proxy settings are respected during authentication. It also adds corresponding unit tests to verify propagation. The review feedback correctly identifies a critical issue where passing a null HttpTransportFactory to ExternalAccountCredentials.fromStream will trigger a NullPointerException due to internal validation checks. To prevent regressions for users without proxy configurations, the code should conditionally call the single-argument overload when the factory is null.
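
The propagation pattern from the PR description, with the null-factory and Application Default Credentials cases raised in the reviews, as an added example that is not code from this pull request. The class and method names (`ProxyAwareCredentials`, `proxyFactory`, `externalAccount`, `applicationDefault`) are hypothetical; the library calls are from google-auth-library-java and google-http-client, which must be on the classpath.

```java
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Hypothetical helper for illustration; not the driver's BigQueryJdbcOAuthUtility. */
public final class ProxyAwareCredentials {

  /** Returns null when no proxy is configured so callers keep the library defaults. */
  static HttpTransportFactory proxyFactory(String proxyHost, Integer proxyPort) {
    if (proxyHost == null || proxyHost.isEmpty() || proxyPort == null) {
      return null;
    }
    Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
    NetHttpTransport transport = new NetHttpTransport.Builder().setProxy(proxy).build();
    return () -> transport; // reused for every token fetch and refresh
  }

  /** External-account config file: token exchange goes through the factory's transport. */
  static GoogleCredentials externalAccount(String path, HttpTransportFactory factory)
      throws IOException {
    try (InputStream in = Files.newInputStream(Paths.get(path))) {
      // The review on this page reports that the two-argument overload rejects null,
      // so the no-proxy case uses the single-argument overload.
      return factory == null
          ? ExternalAccountCredentials.fromStream(in)
          : ExternalAccountCredentials.fromStream(in, factory);
    }
  }

  /** Application Default Credentials: the path one review round found unproxied. */
  static GoogleCredentials applicationDefault(HttpTransportFactory factory) throws IOException {
    return factory == null
        ? GoogleCredentials.getApplicationDefault()
        : GoogleCredentials.getApplicationDefault(factory);
  }

  public static void main(String[] args) {
    // Constructed values matching the manual test in the PR description.
    System.out.println(proxyFactory("host.docker.internal", 3128) != null); // proxy configured
    System.out.println(proxyFactory(null, null) != null);                   // no proxy
  }
}
```

Any credential path that does not receive the factory sends its token requests by direct egress, so each credential type the driver supports needs its own check that the factory was applied.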

@keshavdandeva

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request propagates the HttpTransportFactory through the JDBC connection and OAuth utility classes to ensure that HTTP transport configurations, such as proxy settings, are correctly applied when fetching Google credentials. It also adds corresponding unit tests to verify propagation. The reviewer suggested wrapping a ByteArrayInputStream in a try-with-resources block to maintain consistency with other stream handling and to prevent potential static analysis warnings about unclosed resources.

@keshavdandeva marked this pull request as ready for review on June 22, 2026 18:45
@keshavdandeva requested review from a team as code owners on June 22, 2026 18:45
@keshavdandeva requested a review from logachev on June 22, 2026 18:45