fix: Prioritize universe domain specified in GCECredentials arguments…

… over metadata-fetched value (#472)
googleapis · Feb 1, 2024 · 0fc7a5d · 0fc7a5d
1 parent e5b5014
commit 0fc7a5d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/lib/googleauth/compute_engine.rb b/lib/googleauth/compute_engine.rb
@@ -80,6 +80,14 @@ def reset_cache
         alias unmemoize_all reset_cache
       end
 
+      # Construct a GCECredentials
+      def initialize options = {}
+        # Override the constructor to remember whether the universe domain was
+        # overridden by a constructor argument.
+        @universe_domain_overridden = options["universe_domain"] || options[:universe_domain] ? true : false
+        super options
+      end
+
       # Overrides the super class method to change how access tokens are
       # fetched.
       def fetch_access_token _options = {}
@@ -119,9 +127,11 @@ def build_token_hash body, content_type, retrieval_time
           else
             Signet::OAuth2.parse_credentials body, content_type
           end
-        universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
-        universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
-        hash["universe_domain"] = universe_domain.strip
+        unless @universe_domain_overridden
+          universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
+          universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
+          hash["universe_domain"] = universe_domain.strip
+        end
         # The response might have been cached, which means expires_in might be
         # stale. Update it based on the time since the data was retrieved.
         # We also ensure expires_in is conservative; subtracting at least 1

diff --git a/spec/googleauth/compute_engine_spec.rb b/spec/googleauth/compute_engine_spec.rb
@@ -130,6 +130,14 @@ def make_auth_stubs opts
       @client.universe_domain = "anotheruniverse.com"
       expect(@client.universe_domain).to eq("anotheruniverse.com")
     end
+
+    it "prioritizes argument-specified universe domain" do
+      make_auth_stubs access_token: "1/abcde"
+      custom_client = GCECredentials.new universe_domain: "override-universe.com"
+      custom_client.fetch_access_token!
+      expect(custom_client.access_token).to eq("1/abcde")
+      expect(custom_client.universe_domain).to eq("override-universe.com")
+    end
   end
 
   context "error in universe_domain" do