feat: allow custom scopes for compute engine creds

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -43,12 +43,17 @@
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.annotations.Beta;
+import com.google.common.base.Joiner;
 import com.google.common.base.MoreObjects;
+import com.google.common.collect.ImmutableSet;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.net.SocketTimeoutException;
 import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.List;
@@ -94,6 +99,8 @@ public class ComputeEngineCredentials extends GoogleCredentials
 
   private final String transportFactoryClassName;
 
+  private final Collection<String> scopes;
+
   private transient HttpTransportFactory transportFactory;
   private transient String serviceAccountEmail;
 
@@ -102,13 +109,28 @@ public class ComputeEngineCredentials extends GoogleCredentials
    *
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
    */
-  private ComputeEngineCredentials(HttpTransportFactory transportFactory) {
+  private ComputeEngineCredentials(
+      HttpTransportFactory transportFactory, Collection<String> scopes) {
     this.transportFactory =
         firstNonNull(
             transportFactory,
             getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
     this.transportFactoryClassName = this.transportFactory.getClass().getName();
+    if (scopes == null) {
+      this.scopes = ImmutableSet.<String>of();
+    } else {
+      List<String> scopeList = new ArrayList<String>(scopes);
+      scopeList.removeAll(Arrays.asList("", null));
+      this.scopes = ImmutableSet.<String>copyOf(scopeList);
+    }
+  }
+
+  /** Clones the compute engine account with the specified scopes. */
+  @Override
+  public GoogleCredentials createScoped(Collection<String> newScopes) {
+    return new ComputeEngineCredentials(this.transportFactory, newScopes);
   }
 
   /**
@@ -117,13 +139,30 @@ private ComputeEngineCredentials(HttpTransportFactory transportFactory) {
    * @return new ComputeEngineCredentials
    */
   public static ComputeEngineCredentials create() {
-    return new ComputeEngineCredentials(null);
+    return new ComputeEngineCredentials(null, null);
+  }
+
+  public final Collection<String> getScopes() {
+    return scopes;
+  }
+
+  /**
+   * If scopes is specified, add "?scopes=comma-separated-list-of-scopes" to the token url.
+   *
+   * @return token url with the given scopes
+   */
+  String createTokenUrlWithScopes() {
+    GenericUrl tokenUrl = new GenericUrl(getTokenServerEncodedUrl());
+    if (!scopes.isEmpty()) {
+      tokenUrl.set("scopes", Joiner.on(',').join(scopes));
+    }
+    return tokenUrl.toString();
   }
 
   /** Refresh the access token by getting it from the GCE metadata server */
   @Override
   public AccessToken refreshAccessToken() throws IOException {
-    HttpResponse response = getMetadataResponse(getTokenServerEncodedUrl());
+    HttpResponse response = getMetadataResponse(createTokenUrlWithScopes());
     int statusCode = response.getStatusCode();
     if (statusCode == HttpStatusCodes.STATUS_CODE_NOT_FOUND) {
       throw new IOException(
@@ -307,7 +346,8 @@ public boolean equals(Object obj) {
       return false;
     }
     ComputeEngineCredentials other = (ComputeEngineCredentials) obj;
-    return Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName);
+    return Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
+        && Objects.equals(this.scopes, other.scopes);
   }
 
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
@@ -399,24 +439,35 @@ private String getDefaultServiceAccount() throws IOException {
 
   public static class Builder extends GoogleCredentials.Builder {
     private HttpTransportFactory transportFactory;
+    private Collection<String> scopes;
 
     protected Builder() {}
 
     protected Builder(ComputeEngineCredentials credentials) {
       this.transportFactory = credentials.transportFactory;
+      this.scopes = credentials.scopes;
     }
 
     public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) {
       this.transportFactory = transportFactory;
       return this;
     }
 
+    public Builder setScopes(Collection<String> scopes) {
+      this.scopes = scopes;
+      return this;
+    }
+
     public HttpTransportFactory getHttpTransportFactory() {
       return transportFactory;
     }
 
+    public Collection<String> getScopes() {
+      return scopes;
+    }
+
     public ComputeEngineCredentials build() {
-      return new ComputeEngineCredentials(transportFactory);
+      return new ComputeEngineCredentials(transportFactory, scopes);
     }
   }
 }

oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java

@@ -56,6 +56,8 @@
 import java.io.IOException;
 import java.net.URI;
 import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import org.junit.Test;
@@ -68,6 +70,9 @@ public class ComputeEngineCredentialsTest extends BaseSerializationTest {
 
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
 
+  private static final String TOKEN_URL =
+      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
+
   // Id Token which includes basic default claims
   public static final String STANDARD_ID_TOKEN =
       "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyO"
@@ -113,6 +118,69 @@ public HttpTransport create() {
     }
   }
 
+  @Test
+  public void createTokenUrlWithScopes_null_scopes() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setScopes(null).build();
+    Collection<String> scopes = credentials.getScopes();
+    String tokenUrlWithScopes = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL, tokenUrlWithScopes);
+    assertTrue(scopes.isEmpty());
+  }
+
+  @Test
+  public void createTokenUrlWithScopes_empty_scopes() {
+    ComputeEngineCredentials.Builder builder =
+        ComputeEngineCredentials.newBuilder().setScopes(Collections.<String>emptyList());
+    ComputeEngineCredentials credentials = builder.build();
+    Collection<String> scopes = credentials.getScopes();
+    String tokenUrlWithScopes = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL, tokenUrlWithScopes);
+    assertTrue(scopes.isEmpty());
+    assertTrue(builder.getScopes().isEmpty());
+  }
+
+  @Test
+  public void createTokenUrlWithScopes_single_scope() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setScopes(Arrays.asList("foo")).build();
+    String tokenUrlWithScopes = credentials.createTokenUrlWithScopes();
+    Collection<String> scopes = credentials.getScopes();
+
+    assertEquals(TOKEN_URL + "?scopes=foo", tokenUrlWithScopes);
+    assertEquals(1, scopes.size());
+    assertEquals("foo", scopes.toArray()[0]);
+  }
+
+  @Test
+  public void createTokenUrlWithScopes_multiple_scopes() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setScopes(Arrays.asList(null, "foo", "", "bar"))
+            .build();
+    Collection<String> scopes = credentials.getScopes();
+    String tokenUrlWithScopes = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?scopes=foo,bar", tokenUrlWithScopes);
+    assertEquals(2, scopes.size());
+    assertEquals("foo", scopes.toArray()[0]);
+    assertEquals("bar", scopes.toArray()[1]);
+  }
+
+  @Test
+  public void createScoped() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setScopes(null).build();
+    ComputeEngineCredentials credentialsWithScopes =
+        (ComputeEngineCredentials) credentials.createScoped(Arrays.asList("foo"));
+    Collection<String> scopes = credentialsWithScopes.getScopes();
+
+    assertEquals(1, scopes.size());
+    assertEquals("foo", scopes.toArray()[0]);
+  }
+
   @Test
   public void getRequestMetadata_hasAccessToken() throws IOException {
     String accessToken = "1/MkSJoj1xsli0AccessToken_NKPY2";