Query S2A Address from MDS #1400
base: main
Conversation
0f96e86 to ddac7aa
cc: @xmenxk

public static final String GOOGLE = "Google";
private static final String PARSE_ERROR_S2A = "Error parsing Mtls Auto Config response.";

private MtlsConfig config;
nit: MTLS?
request.setParser(parser);
request.getHeaders().set(METADATA_FLAVOR, GOOGLE);
request.setThrowExceptionOnExecuteError(false);
HttpResponse response = request.execute();
Would it be useful to have retry logic here?
I added retry logic, similar to
google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java, line 435 in dde6876:
private static boolean pingComputeEngineMetadata(
 */
@ThreadSafe
public final class S2A {
  public static final String DEFAULT_METADATA_SERVER_URL = "http://169.254.169.254";
It seems like getting the metadata server address is already implemented here:
google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java, line 467 in dde6876:
public static String getMetadataServerUrl(DefaultCredentialsProvider provider) {
Should we reuse that definition?
Done. Used ComputeEngineCredentials.getMetadataServerUrl().
    if (transportFactory == null) {
      transportFactory =
          Iterables.getFirst(
              ServiceLoader.load(HttpTransportFactory.class), OAuth2Utils.HTTP_TRANSPORT_FACTORY);
    }
    String url = getMdsMtlsEndpoint();
    GenericUrl genericUrl = new GenericUrl(url);
    HttpRequest request =
        transportFactory.create().createRequestFactory().buildGetRequest(genericUrl);
    JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY);
    request.setParser(parser);
    // The metadata server rejects requests that lack this header.
    request.getHeaders().set(METADATA_FLAVOR, GOOGLE);
    // Non-2xx responses are handled below rather than thrown.
    request.setThrowExceptionOnExecuteError(false);
    HttpResponse response = request.execute();

    // Any failure to fetch the document yields an empty config (no S2A address).
    if (!response.isSuccessStatusCode()) {
      return MtlsConfig.createBuilder().build();
    }

    InputStream content = response.getContent();
    if (content == null) {
      return MtlsConfig.createBuilder().build();
    }
Is it possible to reuse the code below for querying the MDS endpoint?
google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java, line 338 in dde6876:
private HttpResponse getMetadataResponse(String url) throws IOException {
We could use this function to get the MDS HttpResponse, but it would only replace a few lines (~7) in this function: creating the HttpRequest and executing it to get the response, replaced with response = getMetadataResponse(url).
However, in order to do this, we would also have to:
- ignore the ComputeEngineCredentials-specific errors thrown by the function, because we only care if we are able to successfully create a response (aligning with the Go implementation: return an empty S2A Address if any error). This technically works, although I am not sure it is best practice.
- getMetadataResponse(String url) is not static, so we would have to create an instance of ComputeEngineCredentials to use it.
WDYT?
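The behaviour discussed in this thread (a retried GET to the MDS mTLS autoconfiguration endpoint with the Metadata-Flavor header, and an empty config returned on any failure) as an added stand-alone Go sketch. This is example code, not the google-auth-library-java code under review and not the Go port in googleapis/google-api-go-client#1874. The endpoint path, the JSON layout of the response, and the choice to retry transport errors and 5xx replies but not 4xx replies or unparseable bodies are all assumptions made for this example; the fake metadata server is constructed so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// Endpoint path and JSON layout are assumptions for this example; the thread does not spell them out.
const autoMtlsPath = "/computeMetadata/v1/instance/platform-security/auto-mtls-configuration"

type MtlsConfig struct {
	S2A *struct {
		PlaintextAddress string `json:"plaintext_address"`
		MTLSAddress      string `json:"mtls_address"`
	} `json:"s2a"`
}

// mdsError says whether another attempt could help: transport failures and 5xx
// replies are retryable, 4xx replies and unparseable bodies are not (assumed policy).
type mdsError struct {
	msg       string
	retryable bool
}

func (e *mdsError) Error() string { return e.msg }

func fetchOnce(client *http.Client, url string) (MtlsConfig, *mdsError) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return MtlsConfig{}, &mdsError{err.Error(), false}
	}
	// MDS refuses requests without this header, so a request forged through a
	// browser or an SSRF that cannot set headers gets 403 instead of the document.
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := client.Do(req)
	if err != nil {
		return MtlsConfig{}, &mdsError{err.Error(), true}
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return MtlsConfig{}, &mdsError{fmt.Sprintf("MDS returned HTTP %d", resp.StatusCode), resp.StatusCode >= 500}
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what we parse
	if err != nil {
		return MtlsConfig{}, &mdsError{err.Error(), true}
	}
	var cfg MtlsConfig
	if err := json.Unmarshal(body, &cfg); err != nil {
		return MtlsConfig{}, &mdsError{"error parsing mTLS autoconfig response: " + err.Error(), false}
	}
	return cfg, nil
}

// fetchMtlsConfig retries retryable failures up to maxAttempts with a fixed backoff and
// reports the attempt count. On final failure it returns the empty config (no S2A address).
func fetchMtlsConfig(client *http.Client, mdsURL string, maxAttempts int, backoff time.Duration) (MtlsConfig, int, error) {
	attempt := 0
	for {
		attempt++
		cfg, ferr := fetchOnce(client, mdsURL+autoMtlsPath)
		if ferr == nil {
			return cfg, attempt, nil
		}
		if !ferr.retryable || attempt >= maxAttempts {
			return MtlsConfig{}, attempt, ferr
		}
		time.Sleep(backoff)
	}
}

// newFakeMDS is a constructed stand-in for the metadata server: 403 without the
// header, 503 for the first `failures` calls, then a constructed sample document.
func newFakeMDS(failures int) (*httptest.Server, *atomic.Int32) {
	calls := new(atomic.Int32)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n := calls.Add(1)
		switch {
		case r.Header.Get("Metadata-Flavor") != "Google":
			http.Error(w, "missing Metadata-Flavor", http.StatusForbidden)
		case n <= int32(failures):
			http.Error(w, "try again", http.StatusServiceUnavailable)
		default:
			fmt.Fprint(w, `{"s2a":{"plaintext_address":"10.0.0.2:8080","mtls_address":"10.0.0.2:8443"}}`)
		}
	}))
	return srv, calls
}

func main() {
	srv, calls := newFakeMDS(2) // two 503s, then success: expect attempts=3
	defer srv.Close()
	cfg, attempts, err := fetchMtlsConfig(srv.Client(), srv.URL, 5, 10*time.Millisecond)
	fmt.Printf("attempts=%d calls=%d err=%v s2a=%+v\n", attempts, calls.Load(), err, cfg.S2A)
}
```

Returning the attempt count from fetchMtlsConfig keeps the retry policy observable in tests; the caller-facing helper in a library would discard it along with the error and hand back only the (possibly empty) config, which is the "empty S2A address on any error" contract the thread describes.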
Add utility to get S2A address from MDS MTLS autoconfiguration endpoint.
This utility will be used when creating an mTLS channel using the S2A Java Client, which takes the S2A Address as input to create S2AChannelCredentials.
Parallel change in go: googleapis/google-api-go-client#1874
S2A Java client: grpc/grpc-java#11113