fix(auth): restore support for GOOGLE_CLOUD_UNIVERSE_DOMAIN env (#10915)

googleapis · Sep 25, 2024 · 94caaaa · 94caaaa
1 parent e8e3ac3
commit 94caaaa
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 34 deletions.
diff --git a/auth/grpctransport/grpctransport.go b/auth/grpctransport/grpctransport.go
@@ -22,6 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"os"
 
 	"cloud.google.com/go/auth"
 	"cloud.google.com/go/auth/credentials"
@@ -330,15 +331,23 @@ type grpcCredentialsProvider struct {
 	clientUniverseDomain string
 }
 
-// getClientUniverseDomain returns the default service domain for a given Cloud universe.
-// The default value is "googleapis.com". This is the universe domain
-// configured for the client, which will be compared to the universe domain
-// that is separately configured for the credentials.
+// getClientUniverseDomain returns the default service domain for a given Cloud
+// universe, with the following precedence:
+//
+// 1. A non-empty option.WithUniverseDomain or similar client option.
+// 2. A non-empty environment variable GOOGLE_CLOUD_UNIVERSE_DOMAIN.
+// 3. The default value "googleapis.com".
+//
+// This is the universe domain configured for the client, which will be compared
+// to the universe domain that is separately configured for the credentials.
 func (c *grpcCredentialsProvider) getClientUniverseDomain() string {
-	if c.clientUniverseDomain == "" {
-		return internal.DefaultUniverseDomain
+	if c.clientUniverseDomain != "" {
+		return c.clientUniverseDomain
+	}
+	if envUD := os.Getenv(internal.UniverseDomainEnvVar); envUD != "" {
+		return envUD
 	}
-	return c.clientUniverseDomain
+	return internal.DefaultUniverseDomain
 }
 
 func (c *grpcCredentialsProvider) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {

diff --git a/auth/grpctransport/grpctransport_test.go b/auth/grpctransport/grpctransport_test.go
@@ -267,25 +267,42 @@ func TestOptions_ResolveDetectOptions(t *testing.T) {
 
 func TestGrpcCredentialsProvider_GetClientUniverseDomain(t *testing.T) {
 	nonDefault := "example.com"
+	nonDefault2 := "other-example.com"
 	tests := []struct {
-		name           string
-		universeDomain string
-		want           string
+		name                 string
+		clientUniverseDomain string
+		envUniverseDomain    string
+		want                 string
 	}{
 		{
-			name:           "default",
-			universeDomain: "",
-			want:           internal.DefaultUniverseDomain,
+			name:                 "default",
+			clientUniverseDomain: "",
+			want:                 internal.DefaultUniverseDomain,
 		},
 		{
-			name:           "non-default",
-			universeDomain: nonDefault,
-			want:           nonDefault,
+			name:                 "client option",
+			clientUniverseDomain: nonDefault,
+			want:                 nonDefault,
+		},
+		{
+			name:                 "env var",
+			clientUniverseDomain: "",
+			envUniverseDomain:    nonDefault2,
+			want:                 nonDefault2,
+		},
+		{
+			name:                 "client option and env var",
+			clientUniverseDomain: nonDefault,
+			envUniverseDomain:    nonDefault2,
+			want:                 nonDefault,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			at := &grpcCredentialsProvider{clientUniverseDomain: tt.universeDomain}
+			if tt.envUniverseDomain != "" {
+				t.Setenv(internal.UniverseDomainEnvVar, tt.envUniverseDomain)
+			}
+			at := &grpcCredentialsProvider{clientUniverseDomain: tt.clientUniverseDomain}
 			got := at.getClientUniverseDomain()
 			if got != tt.want {
 				t.Errorf("got %q, want %q", got, tt.want)

diff --git a/auth/httptransport/transport.go b/auth/httptransport/transport.go
@@ -19,6 +19,7 @@ import (
 	"crypto/tls"
 	"net"
 	"net/http"
+	"os"
 	"time"
 
 	"cloud.google.com/go/auth"
@@ -178,13 +179,23 @@ type authTransport struct {
 	clientUniverseDomain string
 }
 
-// getClientUniverseDomain returns the universe domain configured for the client.
-// The default value is "googleapis.com".
+// getClientUniverseDomain returns the default service domain for a given Cloud
+// universe, with the following precedence:
+//
+// 1. A non-empty option.WithUniverseDomain or similar client option.
+// 2. A non-empty environment variable GOOGLE_CLOUD_UNIVERSE_DOMAIN.
+// 3. The default value "googleapis.com".
+//
+// This is the universe domain configured for the client, which will be compared
+// to the universe domain that is separately configured for the credentials.
 func (t *authTransport) getClientUniverseDomain() string {
-	if t.clientUniverseDomain == "" {
-		return internal.DefaultUniverseDomain
+	if t.clientUniverseDomain != "" {
+		return t.clientUniverseDomain
+	}
+	if envUD := os.Getenv(internal.UniverseDomainEnvVar); envUD != "" {
+		return envUD
 	}
-	return t.clientUniverseDomain
+	return internal.DefaultUniverseDomain
 }
 
 // RoundTrip authorizes and authenticates the request with an

diff --git a/auth/httptransport/transport_test.go b/auth/httptransport/transport_test.go
@@ -22,25 +22,42 @@ import (
 
 func TestAuthTransport_GetClientUniverseDomain(t *testing.T) {
 	nonDefault := "example.com"
+	nonDefault2 := "other-example.com"
 	tests := []struct {
-		name           string
-		universeDomain string
-		want           string
+		name                 string
+		clientUniverseDomain string
+		envUniverseDomain    string
+		want                 string
 	}{
 		{
-			name:           "default",
-			universeDomain: "",
-			want:           internal.DefaultUniverseDomain,
+			name:                 "default",
+			clientUniverseDomain: "",
+			want:                 internal.DefaultUniverseDomain,
 		},
 		{
-			name:           "non-default",
-			universeDomain: nonDefault,
-			want:           nonDefault,
+			name:                 "client option",
+			clientUniverseDomain: nonDefault,
+			want:                 nonDefault,
+		},
+		{
+			name:                 "env var",
+			clientUniverseDomain: "",
+			envUniverseDomain:    nonDefault2,
+			want:                 nonDefault2,
+		},
+		{
+			name:                 "client option and env var",
+			clientUniverseDomain: nonDefault,
+			envUniverseDomain:    nonDefault2,
+			want:                 nonDefault,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			at := &authTransport{clientUniverseDomain: tt.universeDomain}
+			if tt.envUniverseDomain != "" {
+				t.Setenv(internal.UniverseDomainEnvVar, tt.envUniverseDomain)
+			}
+			at := &authTransport{clientUniverseDomain: tt.clientUniverseDomain}
 			got := at.getClientUniverseDomain()
 			if got != tt.want {
 				t.Errorf("got %q, want %q", got, tt.want)

diff --git a/auth/internal/internal.go b/auth/internal/internal.go
@@ -38,8 +38,11 @@ const (
 	// QuotaProjectEnvVar is the environment variable for setting the quota
 	// project.
 	QuotaProjectEnvVar = "GOOGLE_CLOUD_QUOTA_PROJECT"
-	projectEnvVar      = "GOOGLE_CLOUD_PROJECT"
-	maxBodySize        = 1 << 20
+	// UniverseDomainEnvVar is the environment variable for setting the default
+	// service domain for a given Cloud universe.
+	UniverseDomainEnvVar = "GOOGLE_CLOUD_UNIVERSE_DOMAIN"
+	projectEnvVar        = "GOOGLE_CLOUD_PROJECT"
+	maxBodySize          = 1 << 20
 
 	// DefaultUniverseDomain is the default value for universe domain.
 	// Universe domain is the default service domain for a given Cloud universe.