fix(storage): migrate oauth2/google usages to cloud.google.com/go/auth (#11191)

quartzmo · web-flow · commit 3a22349c1ba6 · 2025-05-14T05:08:44.000-04:00
diff --git a/storage/bucket.go b/storage/bucket.go
@@ -199,11 +199,11 @@ func (b *BucketHandle) SignedURL(object string, opts *SignedURLOptions) (string,
 		newopts.GoogleAccessID = id
 	}
 	if newopts.SignBytes == nil && len(newopts.PrivateKey) == 0 {
-		if b.c.creds != nil && len(b.c.creds.JSON) > 0 {
+		if j, ok := b.c.credsJSON(); ok {
 			var sa struct {
 				PrivateKey string `json:"private_key"`
 			}
-			err := json.Unmarshal(b.c.creds.JSON, &sa)
+			err := json.Unmarshal(j, &sa)
 			if err == nil && sa.PrivateKey != "" {
 				newopts.PrivateKey = []byte(sa.PrivateKey)
 			}
@@ -247,11 +247,11 @@ func (b *BucketHandle) GenerateSignedPostPolicyV4(object string, opts *PostPolic
 		newopts.GoogleAccessID = id
 	}
 	if newopts.SignBytes == nil && newopts.SignRawBytes == nil && len(newopts.PrivateKey) == 0 {
-		if b.c.creds != nil && len(b.c.creds.JSON) > 0 {
+		if j, ok := b.c.credsJSON(); ok {
 			var sa struct {
 				PrivateKey string `json:"private_key"`
 			}
-			err := json.Unmarshal(b.c.creds.JSON, &sa)
+			err := json.Unmarshal(j, &sa)
 			if err == nil && sa.PrivateKey != "" {
 				newopts.PrivateKey = []byte(sa.PrivateKey)
 			}
@@ -269,14 +269,14 @@ func (b *BucketHandle) GenerateSignedPostPolicyV4(object string, opts *PostPolic
 func (b *BucketHandle) detectDefaultGoogleAccessID() (string, error) {
 	returnErr := errors.New("no credentials found on client and not on GCE (Google Compute Engine)")
 
-	if b.c.creds != nil && len(b.c.creds.JSON) > 0 {
+	if j, ok := b.c.credsJSON(); ok {
 		var sa struct {
 			ClientEmail        string `json:"client_email"`
 			SAImpersonationURL string `json:"service_account_impersonation_url"`
 			CredType           string `json:"type"`
 		}
 
-		err := json.Unmarshal(b.c.creds.JSON, &sa)
+		err := json.Unmarshal(j, &sa)
 		if err != nil {
 			returnErr = err
 		} else {
@@ -322,7 +322,7 @@ func (b *BucketHandle) defaultSignBytesFunc(email string) func([]byte) ([]byte,
 		opts := []option.ClientOption{option.WithHTTPClient(b.c.hc)}
 
 		if b.c.creds != nil {
-			universeDomain, err := b.c.creds.GetUniverseDomain()
+			universeDomain, err := b.c.creds.UniverseDomain(ctx)
 			if err != nil {
 				return nil, err
 			}
diff --git a/storage/bucket_test.go b/storage/bucket_test.go
@@ -21,12 +21,12 @@ import (
 	"testing"
 	"time"
 
+	"cloud.google.com/go/auth"
 	"cloud.google.com/go/compute/metadata"
 	"cloud.google.com/go/internal/testutil"
 	"cloud.google.com/go/storage/internal/apiv2/storagepb"
 	"github.com/google/go-cmp/cmp"
 	gax "github.com/googleapis/gax-go/v2"
-	"golang.org/x/oauth2/google"
 	"google.golang.org/api/googleapi"
 	"google.golang.org/api/option"
 	raw "google.golang.org/api/storage/v1"
@@ -1300,9 +1300,7 @@ func TestDetectDefaultGoogleAccessID(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			bucket := BucketHandle{
 				c: &Client{
-					creds: &google.Credentials{
-						JSON: []byte(tc.creds(tc.serviceAccount)),
-					},
+					creds: auth.NewCredentials(&auth.CredentialsOptions{JSON: []byte(tc.creds(tc.serviceAccount))}),
 				},
 				name: "my-bucket",
 			}
diff --git a/storage/go.mod b/storage/go.mod
@@ -6,6 +6,7 @@ retract [v1.25.0, v1.27.0] // due to https://github.com/googleapis/google-cloud-
 
 require (
 	cloud.google.com/go v0.121.0
+	cloud.google.com/go/auth v0.16.1
 	cloud.google.com/go/compute/metadata v0.6.0
 	cloud.google.com/go/iam v1.5.2
 	cloud.google.com/go/longrunning v0.6.7
@@ -31,7 +32,6 @@ require (
 
 require (
 	cel.dev/expr v0.20.0 // indirect
-	cloud.google.com/go/auth v0.16.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/monitoring v1.24.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect
diff --git a/storage/http_client.go b/storage/http_client.go
@@ -30,25 +30,24 @@ import (
 	"strings"
 	"time"
 
+	"cloud.google.com/go/auth"
 	"cloud.google.com/go/iam/apiv1/iampb"
 	"cloud.google.com/go/internal/optional"
 	"cloud.google.com/go/internal/trace"
 	"github.com/google/uuid"
 	"github.com/googleapis/gax-go/v2/callctx"
-	"golang.org/x/oauth2/google"
 	"google.golang.org/api/googleapi"
 	"google.golang.org/api/iterator"
 	"google.golang.org/api/option"
 	"google.golang.org/api/option/internaloption"
 	raw "google.golang.org/api/storage/v1"
-	"google.golang.org/api/transport"
 	htransport "google.golang.org/api/transport/http"
 )
 
 // httpStorageClient is the HTTP-JSON API implementation of the transport-agnostic
 // storageClient interface.
 type httpStorageClient struct {
-	creds                      *google.Credentials
+	creds                      *auth.Credentials
 	hc                         *http.Client
 	xmlHost                    string
 	raw                        *raw.Service
@@ -65,7 +64,7 @@ func newHTTPStorageClient(ctx context.Context, opts ...storageOption) (storageCl
 	o := s.clientOption
 	config := newStorageConfig(o...)
 
-	var creds *google.Credentials
+	var creds *auth.Credentials
 	// In general, it is recommended to use raw.NewService instead of htransport.NewClient
 	// since raw.NewService configures the correct default endpoints when initializing the
 	// internal http client. However, in our case, "NewRangeReader" in reader.go needs to
@@ -83,10 +82,10 @@ func newHTTPStorageClient(ctx context.Context, opts ...storageOption) (storageCl
 		)
 		// Don't error out here. The user may have passed in their own HTTP
 		// client which does not auth with ADC or other common conventions.
-		c, err := transport.Creds(ctx, o...)
+		c, err := internaloption.AuthCreds(ctx, o)
 		if err == nil {
 			creds = c
-			o = append(o, internaloption.WithCredentials(creds))
+			o = append(o, option.WithAuthCredentials(creds))
 		}
 	} else {
 		var hostURL *url.URL
diff --git a/storage/integration_test.go b/storage/integration_test.go
@@ -44,6 +44,8 @@ import (
 	"testing"
 	"time"
 
+	"cloud.google.com/go/auth"
+	"cloud.google.com/go/auth/credentials"
 	"cloud.google.com/go/compute/metadata"
 	"cloud.google.com/go/httpreplay"
 	"cloud.google.com/go/iam"
@@ -107,6 +109,13 @@ var (
 	controlClient *control.StorageControlClient
 )
 
+var (
+	testScopes = []string{
+		ScopeFullControl,
+		"https://www.googleapis.com/auth/cloud-platform",
+	}
+)
+
 func TestMain(m *testing.M) {
 	cleanup := initIntegrationTest()
 	cleanupEmulatorClients := initEmulatorClients()
@@ -6320,6 +6329,24 @@ func TestIntegration_NewReaderWithContentEncodingGzip(t *testing.T) {
 	})
 }
 
+type credentialsFile struct {
+	Type string `json:"type"`
+
+	// Service Account email
+	ClientEmail string `json:"client_email"`
+}
+
+func jwtConfigFromJSON(jsonKey []byte) (*credentialsFile, error) {
+	var f credentialsFile
+	if err := json.Unmarshal(jsonKey, &f); err != nil {
+		return nil, err
+	}
+	if f.Type != "service_account" {
+		return nil, fmt.Errorf("read JWT from JSON credentials: 'type' field is %q (expected service_account)", f.Type)
+	}
+	return &f, nil
+}
+
 func TestIntegration_HMACKey(t *testing.T) {
 	ctx := skipExtraReadAPIs(skipGRPC("hmac not implemented"), "no reads in test")
 	multiTransportTest(ctx, t, func(t *testing.T, ctx context.Context, _, _ string, client *Client) {
@@ -6339,13 +6366,12 @@ func TestIntegration_HMACKey(t *testing.T) {
 		if credentials.JSON == nil {
 			t.Fatal("could not read the JSON key file, is GCLOUD_TESTS_GOLANG_KEY set correctly?")
 		}
-		conf, err := google.JWTConfigFromJSON(credentials.JSON)
+		conf, err := jwtConfigFromJSON(credentials.JSON)
 		if err != nil {
 			t.Fatal(err)
 		}
-		serviceAccountEmail := conf.Email
 
-		hmacKey, err := client.CreateHMACKey(ctx, projectID, serviceAccountEmail)
+		hmacKey, err := client.CreateHMACKey(ctx, projectID, conf.ClientEmail)
 		if err != nil {
 			t.Fatalf("Failed to create HMACKey: %v", err)
 		}
@@ -6571,14 +6597,8 @@ func TestIntegration_SignedURL_WithCreds(t *testing.T) {
 		t.Skip("Integration tests skipped in short mode")
 	}
 
-	ctx := context.Background()
-
-	creds, err := findTestCredentials(ctx, "GCLOUD_TESTS_GOLANG_KEY", ScopeFullControl, "https://www.googleapis.com/auth/cloud-platform")
-	if err != nil {
-		t.Fatalf("unable to find test credentials: %v", err)
-	}
-
-	multiTransportTest(skipGRPC("creds capture logic must be implemented for gRPC constructor"), t, func(t *testing.T, ctx context.Context, bucket, _ string, client *Client) {
+	ctx := skipGRPC("creds capture logic must be implemented for gRPC constructor")
+	tFunc := func(t *testing.T, ctx context.Context, bucket, _ string, client *Client) {
 		// We can use any client to create the object
 		obj := "testBucketSignedURL"
 		contents := []byte("test")
@@ -6598,7 +6618,17 @@ func TestIntegration_SignedURL_WithCreds(t *testing.T) {
 		if err := verifySignedURL(url, nil, contents); err != nil {
 			t.Fatalf("problem with the signed URL: %v", err)
 		}
-	}, option.WithCredentials(creds))
+	}
+	creds, err := findLegacyOAuth2TestCredentials(ctx, "GCLOUD_TESTS_GOLANG_KEY", testScopes)
+	if err != nil {
+		t.Fatalf("unable to find test credentials: %v", err)
+	}
+	multiTransportTest(ctx, t, tFunc, option.WithCredentials(creds))
+	newAuthCreds, err := findNewAuthTestCredentials(ctx, "GCLOUD_TESTS_GOLANG_KEY", testScopes)
+	if err != nil {
+		t.Fatalf("unable to find test credentials: %v", err)
+	}
+	multiTransportTest(ctx, t, tFunc, option.WithAuthCredentials(newAuthCreds))
 }
 
 func TestIntegration_SignedURL_DefaultSignBytes(t *testing.T) {
@@ -6652,16 +6682,8 @@ func TestIntegration_PostPolicyV4_WithCreds(t *testing.T) {
 		t.Skip("Integration tests skipped in short mode")
 	}
 
-	// By default we are authed with a token source, so don't have the context to
-	// read some of the fields from the keyfile.
-	// Here we explictly send the key to the client.
-	creds, err := findTestCredentials(context.Background(), "GCLOUD_TESTS_GOLANG_KEY", ScopeFullControl, "https://www.googleapis.com/auth/cloud-platform")
-	if err != nil {
-		t.Fatalf("unable to find test credentials: %v", err)
-	}
-
 	ctx := skipExtraReadAPIs(skipGRPC("creds capture logic must be implemented for gRPC constructor"), "test is not testing the read behaviour")
-	multiTransportTest(ctx, t, func(t *testing.T, ctx context.Context, bucket, _ string, clientWithCredentials *Client) {
+	tFunc := func(t *testing.T, ctx context.Context, bucket, _ string, clientWithCredentials *Client) {
 		h := testHelper{t}
 
 		statusCodeToRespond := 200
@@ -6700,7 +6722,17 @@ func TestIntegration_PostPolicyV4_WithCreds(t *testing.T) {
 				}
 			})
 		}
-	}, option.WithCredentials(creds))
+	}
+	creds, err := findLegacyOAuth2TestCredentials(ctx, "GCLOUD_TESTS_GOLANG_KEY", testScopes)
+	if err != nil {
+		t.Fatalf("unable to find test credentials: %v", err)
+	}
+	multiTransportTest(ctx, t, tFunc, option.WithCredentials(creds))
+	newAuthCreds, err := findNewAuthTestCredentials(ctx, "GCLOUD_TESTS_GOLANG_KEY", testScopes)
+	if err != nil {
+		t.Fatalf("unable to find test credentials: %v", err)
+	}
+	multiTransportTest(ctx, t, tFunc, option.WithAuthCredentials(newAuthCreds))
 
 }
 
@@ -7014,7 +7046,7 @@ func verifyPostPolicy(pv4 *PostPolicyV4, obj *ObjectHandle, bytesToWrite []byte,
 		})
 }
 
-func findTestCredentials(ctx context.Context, envVar string, scopes ...string) (*google.Credentials, error) {
+func findLegacyOAuth2TestCredentials(ctx context.Context, envVar string, scopes []string) (*google.Credentials, error) {
 	key := os.Getenv(envVar)
 	var opts []option.ClientOption
 	if len(scopes) > 0 {
@@ -7026,6 +7058,13 @@ func findTestCredentials(ctx context.Context, envVar string, scopes ...string) (
 	return transport.Creds(ctx, opts...)
 }
 
+func findNewAuthTestCredentials(ctx context.Context, envVar string, scopes []string) (*auth.Credentials, error) {
+	return credentials.DetectDefault(&credentials.DetectOptions{
+		CredentialsFile: os.Getenv(envVar),
+		Scopes:          scopes,
+	})
+}
+
 type testHelper struct {
 	t *testing.T
 }
diff --git a/storage/storage.go b/storage/storage.go
@@ -38,6 +38,7 @@ import (
 	"time"
 	"unicode/utf8"
 
+	"cloud.google.com/go/auth"
 	"cloud.google.com/go/internal/optional"
 	"cloud.google.com/go/internal/trace"
 	"cloud.google.com/go/storage/internal"
@@ -46,12 +47,10 @@ import (
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/sdk/metric"
 	"go.opentelemetry.io/otel/sdk/metric/metricdata"
-	"golang.org/x/oauth2/google"
 	"google.golang.org/api/googleapi"
 	"google.golang.org/api/option"
 	"google.golang.org/api/option/internaloption"
 	raw "google.golang.org/api/storage/v1"
-	"google.golang.org/api/transport"
 	htransport "google.golang.org/api/transport/http"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/experimental/stats"
@@ -121,7 +120,7 @@ type Client struct {
 	// xmlHost is the default host used for XML requests.
 	xmlHost string
 	// May be nil.
-	creds *google.Credentials
+	creds *auth.Credentials
 	retry *retryConfig
 
 	// tc is the transport-agnostic client implemented with either gRPC or HTTP.
@@ -131,6 +130,15 @@ type Client struct {
 	grpcAppendableUploads bool
 }
 
+// credsJSON returns the raw JSON of the Client's creds and true, or an empty slice
+// and false if no credentials JSON is available.
+func (c Client) credsJSON() ([]byte, bool) {
+	if c.creds != nil && len(c.creds.JSON()) > 0 {
+		return c.creds.JSON(), true
+	}
+	return []byte{}, false
+}
+
 // NewClient creates a new Google Cloud Storage client using the HTTP transport.
 // The default scope is ScopeFullControl. To use a different scope, like
 // ScopeReadOnly, use option.WithScopes.
@@ -141,7 +149,7 @@ type Client struct {
 // You may configure the client by passing in options from the [google.golang.org/api/option]
 // package. You may also use options defined in this package, such as [WithJSONReads].
 func NewClient(ctx context.Context, opts ...option.ClientOption) (*Client, error) {
-	var creds *google.Credentials
+	var creds *auth.Credentials
 
 	// In general, it is recommended to use raw.NewService instead of htransport.NewClient
 	// since raw.NewService configures the correct default endpoints when initializing the
@@ -161,10 +169,10 @@ func NewClient(ctx context.Context, opts ...option.ClientOption) (*Client, error
 
 		// Don't error out here. The user may have passed in their own HTTP
 		// client which does not auth with ADC or other common conventions.
-		c, err := transport.Creds(ctx, opts...)
+		c, err := internaloption.AuthCreds(ctx, opts)
 		if err == nil {
 			creds = c
-			opts = append(opts, internaloption.WithCredentials(creds))
+			opts = append(opts, option.WithAuthCredentials(creds))
 		}
 	} else {
 		var hostURL *url.URL
