Respond to comments

Author: aeitzman

google/externalaccount/aws.go

@@ -425,7 +425,7 @@ func (cs *awsCredentialSource) getAWSSessionToken() (string, error) {
 	}
 
 	if resp.StatusCode != 200 {
-		return "", fmt.Errorf("oauth2/google: unable to retrieve AWS session token - %s", string(respBody))
+		return "", fmt.Errorf("oauth2/google/externalaccount: unable to retrieve AWS session token - %s", string(respBody))
 	}
 
 	return string(respBody), nil
@@ -444,7 +444,7 @@ func (cs *awsCredentialSource) getRegion(headers map[string]string) (string, err
 	}
 
 	if cs.regionURL == "" {
-		return "", errors.New("oauth2/google: unable to determine AWS region")
+		return "", errors.New("oauth2/google/externalaccount: unable to determine AWS region")
 	}
 
 	req, err := http.NewRequest("GET", cs.regionURL, nil)
@@ -468,7 +468,7 @@ func (cs *awsCredentialSource) getRegion(headers map[string]string) (string, err
 	}
 
 	if resp.StatusCode != 200 {
-		return "", fmt.Errorf("oauth2/google: unable to retrieve AWS region - %s", string(respBody))
+		return "", fmt.Errorf("oauth2/google/externalaccount: unable to retrieve AWS region - %s", string(respBody))
 	}
 
 	// This endpoint will return the region in format: us-east-2b.
@@ -503,11 +503,11 @@ func (cs *awsCredentialSource) getSecurityCredentials(headers map[string]string)
 	}
 
 	if credentials.AccessKeyID == "" {
-		return result, errors.New("oauth2/google: missing AccessKeyId credential")
+		return result, errors.New("oauth2/google/externalaccount: missing AccessKeyId credential")
 	}
 
 	if credentials.SecretAccessKey == "" {
-		return result, errors.New("oauth2/google: missing SecretAccessKey credential")
+		return result, errors.New("oauth2/google/externalaccount: missing SecretAccessKey credential")
 	}
 
 	return &credentials, nil
@@ -538,7 +538,7 @@ func (cs *awsCredentialSource) getMetadataSecurityCredentials(roleName string, h
 	}
 
 	if resp.StatusCode != 200 {
-		return result, fmt.Errorf("oauth2/google: unable to retrieve AWS security credentials - %s", string(respBody))
+		return result, fmt.Errorf("oauth2/google/externalaccount: unable to retrieve AWS security credentials - %s", string(respBody))
 	}
 
 	err = json.Unmarshal(respBody, &result)
@@ -547,7 +547,7 @@ func (cs *awsCredentialSource) getMetadataSecurityCredentials(roleName string, h
 
 func (cs *awsCredentialSource) getMetadataRoleName(headers map[string]string) (string, error) {
 	if cs.credVerificationURL == "" {
-		return "", errors.New("oauth2/google: unable to determine the AWS metadata server security credentials endpoint")
+		return "", errors.New("oauth2/google/externalaccount: unable to determine the AWS metadata server security credentials endpoint")
 	}
 
 	req, err := http.NewRequest("GET", cs.credVerificationURL, nil)
@@ -571,7 +571,7 @@ func (cs *awsCredentialSource) getMetadataRoleName(headers map[string]string) (s
 	}
 
 	if resp.StatusCode != 200 {
-		return "", fmt.Errorf("oauth2/google: unable to retrieve AWS role name - %s", string(respBody))
+		return "", fmt.Errorf("oauth2/google/externalaccount: unable to retrieve AWS role name - %s", string(respBody))
 	}
 
 	return string(respBody), nil

google/externalaccount/aws_test.go

@@ -846,7 +846,7 @@ func TestAWSCredential_RequestWithBadVersion(t *testing.T) {
 	if err == nil {
 		t.Fatalf("parse() should have failed")
 	}
-	if got, want := err.Error(), "oauth2/google: aws version '3' is not supported in the current build"; !reflect.DeepEqual(got, want) {
+	if got, want := err.Error(), "oauth2/google/externalaccount: aws version '3' is not supported in the current build"; !reflect.DeepEqual(got, want) {
 		t.Errorf("subjectToken = %q, want %q", got, want)
 	}
 }
@@ -875,7 +875,7 @@ func TestAWSCredential_RequestWithNoRegionURL(t *testing.T) {
 		t.Fatalf("retrieveSubjectToken() should have failed")
 	}
 
-	if got, want := err.Error(), "oauth2/google: unable to determine AWS region"; !reflect.DeepEqual(got, want) {
+	if got, want := err.Error(), "oauth2/google/externalaccount: unable to determine AWS region"; !reflect.DeepEqual(got, want) {
 		t.Errorf("subjectToken = %q, want %q", got, want)
 	}
 }
@@ -905,7 +905,7 @@ func TestAWSCredential_RequestWithBadRegionURL(t *testing.T) {
 		t.Fatalf("retrieveSubjectToken() should have failed")
 	}
 
-	if got, want := err.Error(), "oauth2/google: unable to retrieve AWS region - Not Found"; !reflect.DeepEqual(got, want) {
+	if got, want := err.Error(), "oauth2/google/externalaccount: unable to retrieve AWS region - Not Found"; !reflect.DeepEqual(got, want) {
 		t.Errorf("subjectToken = %q, want %q", got, want)
 	}
 }
@@ -937,7 +937,7 @@ func TestAWSCredential_RequestWithMissingCredential(t *testing.T) {
 		t.Fatalf("retrieveSubjectToken() should have failed")
 	}
 
-	if got, want := err.Error(), "oauth2/google: missing AccessKeyId credential"; !reflect.DeepEqual(got, want) {
+	if got, want := err.Error(), "oauth2/google/externalaccount: missing AccessKeyId credential"; !reflect.DeepEqual(got, want) {
 		t.Errorf("subjectToken = %q, want %q", got, want)
 	}
 }
@@ -969,7 +969,7 @@ func TestAWSCredential_RequestWithIncompleteCredential(t *testing.T) {
 		t.Fatalf("retrieveSubjectToken() should have failed")
 	}
 
-	if got, want := err.Error(), "oauth2/google: missing SecretAccessKey credential"; !reflect.DeepEqual(got, want) {
+	if got, want := err.Error(), "oauth2/google/externalaccount: missing SecretAccessKey credential"; !reflect.DeepEqual(got, want) {
 		t.Errorf("subjectToken = %q, want %q", got, want)
 	}
 }
@@ -998,7 +998,7 @@ func TestAWSCredential_RequestWithNoCredentialURL(t *testing.T) {
 		t.Fatalf("retrieveSubjectToken() should have failed")
 	}
 
-	if got, want := err.Error(), "oauth2/google: unable to determine the AWS metadata server security credentials endpoint"; !reflect.DeepEqual(got, want) {
+	if got, want := err.Error(), "oauth2/google/externalaccount: unable to determine the AWS metadata server security credentials endpoint"; !reflect.DeepEqual(got, want) {
 		t.Errorf("subjectToken = %q, want %q", got, want)
 	}
 }
@@ -1027,7 +1027,7 @@ func TestAWSCredential_RequestWithBadCredentialURL(t *testing.T) {
 		t.Fatalf("retrieveSubjectToken() should have failed")
 	}
 
-	if got, want := err.Error(), "oauth2/google: unable to retrieve AWS role name - Not Found"; !reflect.DeepEqual(got, want) {
+	if got, want := err.Error(), "oauth2/google/externalaccount: unable to retrieve AWS role name - Not Found"; !reflect.DeepEqual(got, want) {
 		t.Errorf("subjectToken = %q, want %q", got, want)
 	}
 }
@@ -1056,7 +1056,7 @@ func TestAWSCredential_RequestWithBadFinalCredentialURL(t *testing.T) {
 		t.Fatalf("retrieveSubjectToken() should have failed")
 	}
 
-	if got, want := err.Error(), "oauth2/google: unable to retrieve AWS security credentials - Not Found"; !reflect.DeepEqual(got, want) {
+	if got, want := err.Error(), "oauth2/google/externalaccount: unable to retrieve AWS security credentials - Not Found"; !reflect.DeepEqual(got, want) {
 		t.Errorf("subjectToken = %q, want %q", got, want)
 	}
 }

google/externalaccount/basecredentials.go

@@ -46,7 +46,7 @@ https://cloud.google.com/iam/docs/workload-identity-federation-with-other-provid
 To use a custom function to supply the token, define a struct that implements the [SubjectTokenSupplier] interface for OIDC/SAML providers,
 or one that implements [AwsSecurityCredentialsSupplier] for AWS providers. This can then be used when building a [Config].
 The [golang.org/x/oauth2.TokenSource] created from the config using [NewTokenSource] can then be used access Google
-Cloud resources. For instance, you can create a NewClient from thes
+Cloud resources. For instance, you can create a new client from the
 [cloud.google.com/go/storage] package and pass in option.WithTokenSource(yourTokenSource))
 
 Note that this library does not perform any validation on the token_url, token_info_url,
@@ -153,7 +153,7 @@ type Config struct {
 	ServiceAccountImpersonationLifetimeSeconds int
 	// ClientSecret is currently only required if token_info endpoint also
 	// needs to be called with the generated GCP access token. When provided, STS will be
-	// called with additional basic authentication using client_id as username and client_secret as password. Optional.
+	// called with additional basic authentication using ClientId as username and ClientSecret as password. Optional.
 	ClientSecret string
 	// ClientID is only required in conjunction with ClientSecret, as described above. Optional.
 	ClientID string
@@ -162,7 +162,7 @@ type Config struct {
 	// CredentialSource must be provided. Optional.
 	CredentialSource *CredentialSource
 	// QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries
-	// will set the x-goog-user-project which overrides the project associated with the credentials. Optional.
+	// will set the x-goog-user-project header which overrides the project associated with the credentials. Optional.
 	QuotaProjectID string
 	// Scopes contains the desired scopes for the returned access token. Optional.
 	Scopes []string
@@ -190,15 +190,15 @@ func validateWorkforceAudience(input string) bool {
 // NewTokenSource Returns an external account TokenSource using the provided external account config.
 func NewTokenSource(ctx context.Context, conf Config) (oauth2.TokenSource, error) {
 	if conf.Audience == "" {
-		return nil, fmt.Errorf("oauth2/google: Audience must be set")
+		return nil, fmt.Errorf("oauth2/google/externalaccount: Audience must be set")
 	}
 	if conf.SubjectTokenType == "" {
-		return nil, fmt.Errorf("oauth2/google: Subject token type must be set")
+		return nil, fmt.Errorf("oauth2/google/externalaccount: Subject token type must be set")
 	}
 	if conf.WorkforcePoolUserProject != "" {
 		valid := validateWorkforceAudience(conf.Audience)
 		if !valid {
-			return nil, fmt.Errorf("oauth2/google: Workforce pool user project should not be set for non-workforce pool credentials")
+			return nil, fmt.Errorf("oauth2/google/externalaccount: Workforce pool user project should not be set for non-workforce pool credentials")
 		}
 	}
 	count := 0
@@ -212,10 +212,10 @@ func NewTokenSource(ctx context.Context, conf Config) (oauth2.TokenSource, error
 		count++
 	}
 	if count == 0 {
-		return nil, fmt.Errorf("oauth2/google: One of CredentialSource, SubjectTokenSupplier, or AwsSecurityCredentialsSupplier must be set")
+		return nil, fmt.Errorf("oauth2/google/externalaccount: One of CredentialSource, SubjectTokenSupplier, or AwsSecurityCredentialsSupplier must be set")
 	}
 	if count > 1 {
-		return nil, fmt.Errorf("oauth2/google: Only one of CredentialSource, SubjectTokenSupplier, or AwsSecurityCredentialsSupplier must be set")
+		return nil, fmt.Errorf("oauth2/google/externalaccount: Only one of CredentialSource, SubjectTokenSupplier, or AwsSecurityCredentialsSupplier must be set")
 	}
 	return conf.tokenSource(ctx, "https")
 }
@@ -263,21 +263,23 @@ type Format struct {
 }
 
 // CredentialSource stores the information necessary to retrieve the credentials for the STS exchange.
-// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.
-// The EnvironmentID should start with AWS if being used for an AWS credential.
 type CredentialSource struct {
 	// File is the location for file sourced credentials.
+	// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.
 	File string `json:"file"`
 
 	// Url is the URL to call for URL sourced credentials.
+	// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.
 	URL string `json:"url"`
-	// Headers are the Headers to attach to the request for URL sourced credentials.
+	// Headers are the headers to attach to the request for URL sourced credentials.
 	Headers map[string]string `json:"headers"`
 
 	// Executable is the configuration object for executable sourced credentials.
+	// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.
 	Executable *ExecutableConfig `json:"executable"`
 
-	// EnvironmentID is the EnvironmentID used for AWS sourced credentials.
+	// EnvironmentID is the EnvironmentID used for AWS sourced credentials. This should start with "AWS".
+	// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.
 	EnvironmentID string `json:"environment_id"`
 	// RegionURL is the metadata URL to retrieve the region from for EC2 AWS credentials.
 	RegionURL string `json:"region_url"`
@@ -295,7 +297,7 @@ type ExecutableConfig struct {
 	// Command is the the full command to run to retrieve the subject token.
 	// This can include arguments. Must be an absolute path for the program. Required.
 	Command string `json:"command"`
-	// TimeoutMillis is the timeout duration, in milliseconds. Defaults to 30 seconds when not provided. Optional.
+	// TimeoutMillis is the timeout duration, in milliseconds. Defaults to 30000 milliseconds when not provided. Optional.
 	TimeoutMillis *int `json:"timeout_millis"`
 	// OutputFile is the absolute path to the output file where the executable will cache the response.
 	// If specified the auth libraries will first check this location before running the executable. Optional.
@@ -310,7 +312,7 @@ type SubjectTokenSupplier interface {
 	SubjectToken(ctx context.Context, options SupplierOptions) (string, error)
 }
 
-// AWSSecurityCredentialsSupplier can be used to supply AwsSecurityCredentials and an Aws Region to
+// AWSSecurityCredentialsSupplier can be used to supply AwsSecurityCredentials and an AWS Region to
 // exchange for a GCP access token.
 type AwsSecurityCredentialsSupplier interface {
 	// AwsRegion should return the AWS region or an error.
@@ -321,7 +323,7 @@ type AwsSecurityCredentialsSupplier interface {
 	AwsSecurityCredentials(ctx context.Context, options SupplierOptions) (*AwsSecurityCredentials, error)
 }
 
-// SupplierOptions contains information about the requested subject token or Aws credentials from the
+// SupplierOptions contains information about the requested subject token or AWS security credentials from the
 // Google external account credential.
 type SupplierOptions struct {
 	// Audience is the requested audience for the external account credential.
@@ -355,7 +357,7 @@ func (c *Config) parse(ctx context.Context) (baseCredentialSource, error) {
 	} else if len(c.CredentialSource.EnvironmentID) > 3 && c.CredentialSource.EnvironmentID[:3] == "aws" {
 		if awsVersion, err := strconv.Atoi(c.CredentialSource.EnvironmentID[3:]); err == nil {
 			if awsVersion != 1 {
-				return nil, fmt.Errorf("oauth2/google: aws version '%d' is not supported in the current build", awsVersion)
+				return nil, fmt.Errorf("oauth2/google/externalaccount: aws version '%d' is not supported in the current build", awsVersion)
 			}
 
 			awsCredSource := awsCredentialSource{
@@ -379,7 +381,7 @@ func (c *Config) parse(ctx context.Context) (baseCredentialSource, error) {
 	} else if c.CredentialSource.Executable != nil {
 		return createExecutableCredential(ctx, c.CredentialSource.Executable, c)
 	}
-	return nil, fmt.Errorf("oauth2/google: unable to parse credential source")
+	return nil, fmt.Errorf("oauth2/google/externalaccount: unable to parse credential source")
 }
 
 type baseCredentialSource interface {
@@ -449,7 +451,7 @@ func (ts tokenSource) Token() (*oauth2.Token, error) {
 		TokenType:   stsResp.TokenType,
 	}
 	if stsResp.ExpiresIn < 0 {
-		return nil, fmt.Errorf("oauth2/google: got invalid expiry from security token service")
+		return nil, fmt.Errorf("oauth2/google/externalaccount: got invalid expiry from security token service")
 	} else if stsResp.ExpiresIn >= 0 {
 		accessToken.Expiry = now().Add(time.Duration(stsResp.ExpiresIn) * time.Second)
 	}

google/externalaccount/basecredentials_test.go

@@ -271,7 +271,7 @@ func TestNonworkforceWithWorkforcePoolUserProject(t *testing.T) {
 	if err == nil {
 		t.Fatalf("Expected error but found none")
 	}
-	if got, want := err.Error(), "oauth2/google: Workforce pool user project should not be set for non-workforce pool credentials"; got != want {
+	if got, want := err.Error(), "oauth2/google/externalaccount: Workforce pool user project should not be set for non-workforce pool credentials"; got != want {
 		t.Errorf("Incorrect error received.\nExpected: %s\nRecieved: %s", want, got)
 	}
 }

google/externalaccount/executablecredsource.go

@@ -39,51 +39,51 @@ func (nce nonCacheableError) Error() string {
 }
 
 func missingFieldError(source, field string) error {
-	return fmt.Errorf("oauth2/google: %v missing `%q` field", source, field)
+	return fmt.Errorf("oauth2/google/externalaccount: %v missing `%q` field", source, field)
 }
 
 func jsonParsingError(source, data string) error {
-	return fmt.Errorf("oauth2/google: unable to parse %v\nResponse: %v", source, data)
+	return fmt.Errorf("oauth2/google/externalaccount: unable to parse %v\nResponse: %v", source, data)
 }
 
 func malformedFailureError() error {
-	return nonCacheableError{"oauth2/google: response must include `error` and `message` fields when unsuccessful"}
+	return nonCacheableError{"oauth2/google/externalaccount: response must include `error` and `message` fields when unsuccessful"}
 }
 
 func userDefinedError(code, message string) error {
-	return nonCacheableError{fmt.Sprintf("oauth2/google: response contains unsuccessful response: (%v) %v", code, message)}
+	return nonCacheableError{fmt.Sprintf("oauth2/google/externalaccount: response contains unsuccessful response: (%v) %v", code, message)}
 }
 
 func unsupportedVersionError(source string, version int) error {
-	return fmt.Errorf("oauth2/google: %v contains unsupported version: %v", source, version)
+	return fmt.Errorf("oauth2/google/externalaccount: %v contains unsupported version: %v", source, version)
 }
 
 func tokenExpiredError() error {
-	return nonCacheableError{"oauth2/google: the token returned by the executable is expired"}
+	return nonCacheableError{"oauth2/google/externalaccount: the token returned by the executable is expired"}
 }
 
 func tokenTypeError(source string) error {
-	return fmt.Errorf("oauth2/google: %v contains unsupported token type", source)
+	return fmt.Errorf("oauth2/google/externalaccount: %v contains unsupported token type", source)
 }
 
 func exitCodeError(exitCode int) error {
-	return fmt.Errorf("oauth2/google: executable command failed with exit code %v", exitCode)
+	return fmt.Errorf("oauth2/google/externalaccount: executable command failed with exit code %v", exitCode)
 }
 
 func executableError(err error) error {
-	return fmt.Errorf("oauth2/google: executable command failed: %v", err)
+	return fmt.Errorf("oauth2/google/externalaccount: executable command failed: %v", err)
 }
 
 func executablesDisallowedError() error {
-	return errors.New("oauth2/google: executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run")
+	return errors.New("oauth2/google/externalaccount: executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run")
 }
 
 func timeoutRangeError() error {
-	return errors.New("oauth2/google: invalid `timeout_millis` field — executable timeout must be between 5 and 120 seconds")
+	return errors.New("oauth2/google/externalaccount: invalid `timeout_millis` field — executable timeout must be between 5 and 120 seconds")
 }
 
 func commandMissingError() error {
-	return errors.New("oauth2/google: missing `command` field — executable command must be provided")
+	return errors.New("oauth2/google/externalaccount: missing `command` field — executable command must be provided")
 }
 
 type environment interface {