feat(option): add internaloption to force use of certain credential

internal/creds.go

@@ -31,6 +31,9 @@ func Creds(ctx context.Context, ds *DialSettings) (*google.Credentials, error) {
 }
 
 func baseCreds(ctx context.Context, ds *DialSettings) (*google.Credentials, error) {
+	if ds.InternalCredentials != nil {
+		return ds.InternalCredentials, nil
+	}
 	if ds.Credentials != nil {
 		return ds.Credentials, nil
 	}

internal/creds_test.go

@@ -236,3 +236,62 @@ func TestQuotaProjectFromCreds(t *testing.T) {
 		t.Errorf("QuotaProjectFromCreds(quotaProjectJSON): want %q, got %q", want, got)
 	}
 }
+
+func TestCredsWithCredentials(t *testing.T) {
+	tests := []struct {
+		name string
+		ds   *DialSettings
+		want string
+	}{
+		{
+			name: "only normal opt",
+			ds: &DialSettings{
+				Credentials: &google.Credentials{
+					TokenSource: oauth2.StaticTokenSource(&oauth2.Token{
+						AccessToken: "normal",
+					}),
+				},
+			},
+			want: "normal",
+		},
+		{
+			name: "normal and internal creds opt",
+			ds: &DialSettings{
+				Credentials: &google.Credentials{
+					TokenSource: oauth2.StaticTokenSource(&oauth2.Token{
+						AccessToken: "normal",
+					}),
+				},
+				InternalCredentials: &google.Credentials{
+					TokenSource: oauth2.StaticTokenSource(&oauth2.Token{
+						AccessToken: "internal",
+					}),
+				},
+			},
+			want: "internal",
+		},
+		{
+			name: "only internal creds opt",
+			ds: &DialSettings{
+				InternalCredentials: &google.Credentials{
+					TokenSource: oauth2.StaticTokenSource(&oauth2.Token{
+						AccessToken: "internal",
+					}),
+				},
+			},
+			want: "internal",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			creds, err := Creds(context.Background(), tc.ds)
+			if err != nil {
+				t.Fatalf("got %v, want nil error", err)
+			}
+			if tok, _ := creds.TokenSource.Token(); tok.AccessToken != tc.want {
+				t.Fatalf("tok.AccessToken = %q, want %q", tok.AccessToken, tc.want)
+			}
+		})
+	}
+}

internal/settings.go

@@ -45,6 +45,7 @@ type DialSettings struct {
 	SkipValidation      bool
 	ImpersonationConfig *impersonate.Config
 	EnableDirectPath    bool
+	InternalCredentials *google.Credentials
 
 	// Google API system parameters. For more information please read:
 	// https://cloud.google.com/apis/docs/system-parameters

option/internaloption/internaloption.go

@@ -6,6 +6,7 @@
 package internaloption
 
 import (
+	"golang.org/x/oauth2/google"
 	"google.golang.org/api/internal"
 	"google.golang.org/api/option"
 )
@@ -106,3 +107,15 @@ type enableJwtWithScope bool
 func (w enableJwtWithScope) Apply(o *internal.DialSettings) {
 	o.EnableJwtWithScope = bool(w)
 }
+
+// WithCredentials returns a client option to specify authenticates API calls.
+// This credential takes precedence over all other credential options.
+func WithCredentials(creds *google.Credentials) option.ClientOption {
+	return (*withCreds)(creds)
+}
+
+type withCreds google.Credentials
+
+func (w *withCreds) Apply(o *internal.DialSettings) {
+	o.InternalCredentials = (*google.Credentials)(w)
+}

option/internaloption/internaloption_test.go

@@ -0,0 +1,29 @@
+// Copyright 2021 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package internaloption
+
+import (
+	"testing"
+
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+	"google.golang.org/api/internal"
+)
+
+func TestWithCredentials(t *testing.T) {
+	want := "fakeToken"
+	fakeCreds := &google.Credentials{
+		TokenSource: oauth2.StaticTokenSource(&oauth2.Token{AccessToken: want}),
+	}
+	opt := WithCredentials(fakeCreds)
+	ds := &internal.DialSettings{}
+	opt.Apply(ds)
+	if ds.InternalCredentials == nil || ds.InternalCredentials.TokenSource == nil {
+		t.Errorf("ds.InternalCredentials should be initialized")
+	}
+	if tok, err := ds.InternalCredentials.TokenSource.Token(); err != nil || tok.AccessToken != "fakeToken" {
+		t.Errorf("ts.Token() = %q, want %q", tok.AccessToken, "")
+	}
+}