impl(oauth2): check for valid RAB email address (googleapis#16134)

scotthart · web-flow · commit 458cbf4fd713 · 2026-06-04T15:22:33.000Z
diff --git a/google/cloud/internal/oauth2_compute_engine_credentials.cc b/google/cloud/internal/oauth2_compute_engine_credentials.cc
@@ -243,7 +243,12 @@ Credentials::AllowedLocationsRequestType
 ComputeEngineCredentials::AllowedLocationsRequest() const {
   // TODO(#16079): Remove conditional and else clause when GA.
 #ifdef GOOGLE_CLOUD_CPP_TESTING_ENABLE_RAB
-  return ServiceAccountAllowedLocationsRequest{AccountEmail()};
+  auto email = AccountEmail();
+  // RAB only supports values that contain the '@' character.
+  if (absl::StrContains(email, "@")) {
+    return ServiceAccountAllowedLocationsRequest{std::move(email)};
+  }
+  return std::monostate{};
 #else
   return std::monostate{};
 #endif
diff --git a/google/cloud/internal/oauth2_compute_engine_credentials_test.cc b/google/cloud/internal/oauth2_compute_engine_credentials_test.cc
@@ -432,6 +432,44 @@ TEST(ComputeEngineCredentialsTest, AccountEmail) {
 #endif
 }
 
+TEST(ComputeEngineCredentialsTest, AccountEmailInvalidForRAB) {
+  auto const alias = std::string{"default"};
+  auto const not_an_email = std::string{"not-an-email"};
+  auto const svc_acct_info_resp = std::string{R"""({
+      "email": ")""" + not_an_email + R"""(",
+      "scopes": ["scope1","scope2"]
+  })"""};
+
+  auto client = std::make_unique<MockRestClient>();
+  EXPECT_CALL(*client, Get(_, expect_service_config(alias)))
+      .WillOnce([&](RestContext&, RestRequest const&) {
+        auto response = std::make_unique<MockRestResponse>();
+        EXPECT_CALL(*response, StatusCode)
+            .WillRepeatedly(Return(HttpStatusCode::kOk));
+        EXPECT_CALL(std::move(*response), ExtractPayload).WillOnce([&] {
+          return MakeMockHttpPayloadSuccess(svc_acct_info_resp);
+        });
+        return std::unique_ptr<RestResponse>(std::move(response));
+      });
+
+  MockHttpClientFactory client_factory;
+  EXPECT_CALL(client_factory, Call).WillOnce(Return(ByMove(std::move(client))));
+  ComputeEngineCredentials credentials(alias, Options{},
+                                       client_factory.AsStdFunction());
+  EXPECT_EQ(credentials.service_account_email(), alias);
+  auto refreshed_email = credentials.AccountEmail();
+  EXPECT_EQ(not_an_email, refreshed_email);
+  EXPECT_EQ(credentials.service_account_email(), refreshed_email);
+  // TODO(#16079): Remove conditional and else clause when GA.
+#ifdef GOOGLE_CLOUD_CPP_TESTING_ENABLE_RAB
+  EXPECT_THAT(credentials.AllowedLocationsRequest(),
+              VariantWith<std::monostate>(std::monostate()));
+#else
+  EXPECT_THAT(credentials.AllowedLocationsRequest(),
+              VariantWith<std::monostate>(std::monostate()));
+#endif
+}
+
 auto expected_universe_domain_request = []() {
   auto const expected_path = absl::StrCat(
       internal::GceMetadataScheme(), "://", internal::GceMetadataHostname(),
