Replace deprecated GoogleCredential with new auth lib (#129)

Replace deprecated GoogleCredential with new lib This PR also introduced a CredentialsBundle class to carry HttpTransport and JsonFactory object which are needed by most of the GCP library to instantiate client.
2025-08-04 00:42:12 +02:00 · 2019-07-02 10:29:51 -04:00 · 2019-07-02 10:29:51 -04:00 · 34a28e871e
commit 34a28e871e
parent dae8923bd1
29 changed files with 822 additions and 684 deletions
--- a/proxy/build.gradle
+++ b/proxy/build.gradle
@ -12,6 +12,8 @@ dependencies {
  compile deps['com.google.apis:google-api-services-cloudkms']
  compile deps['com.google.apis:google-api-services-monitoring']
  compile deps['com.google.apis:google-api-services-storage']
+  compile deps['com.google.auth:google-auth-library-credentials']
+  compile deps['com.google.auth:google-auth-library-oauth2-http']
  compile deps['com.google.auto.value:auto-value-annotations']
  compile deps['com.google.code.findbugs:jsr305']
  compile deps['com.google.code.gson:gson']
--- a/proxy/gradle/dependency-locks/compile.lockfile
+++ b/proxy/gradle/dependency-locks/compile.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -19,17 +21,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
-com.google.http-client:google-http-client:1.29.2
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -37,15 +39,15 @@ io.netty:netty-common:4.1.31.Final
 io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/gradle/dependency-locks/compileClasspath.lockfile
+++ b/proxy/gradle/dependency-locks/compileClasspath.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -19,17 +21,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
-com.google.http-client:google-http-client:1.29.2
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -37,15 +39,15 @@ io.netty:netty-common:4.1.31.Final
 io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/gradle/dependency-locks/runtimeClasspath.lockfile
+++ b/proxy/gradle/dependency-locks/runtimeClasspath.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -20,17 +22,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
-com.google.http-client:google-http-client:1.29.2
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -39,15 +41,15 @@ io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-tcnative-boringssl-static:2.0.22.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/src/main/java/google/registry/proxy/MetricsModule.java
+++ b/proxy/src/main/java/google/registry/proxy/MetricsModule.java
@ -14,8 +14,6 @@

 package google.registry.proxy;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
-import com.google.api.client.googleapis.util.Utils;
 import com.google.api.services.monitoring.v3.Monitoring;
 import com.google.api.services.monitoring.v3.model.MonitoredResource;
 import com.google.common.collect.ImmutableMap;
@ -29,6 +27,7 @@ import dagger.Module;
 import dagger.Provides;
 import google.registry.proxy.ProxyConfig.Environment;
 import google.registry.proxy.metric.MetricParameters;
+import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;

 /** Module that provides necessary bindings to instantiate a {@link MetricReporter} */
@ -39,9 +38,12 @@ public class MetricsModule {

  @Singleton
  @Provides
-  static Monitoring provideMonitoring(GoogleCredential credential, ProxyConfig config) {
+  static Monitoring provideMonitoring(GoogleCredentialsBundle credentialsBundle,
+      ProxyConfig config) {
    return new Monitoring.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }
--- a/proxy/src/main/java/google/registry/proxy/ProxyModule.java
+++ b/proxy/src/main/java/google/registry/proxy/ProxyModule.java
@ -20,11 +20,11 @@ import static google.registry.proxy.ProxyConfig.getProxyConfig;
 import com.beust.jcommander.JCommander;
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.ParameterException;
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
-import com.google.api.client.googleapis.util.Utils;
 import com.google.api.services.cloudkms.v1.CloudKMS;
 import com.google.api.services.cloudkms.v1.model.DecryptRequest;
 import com.google.api.services.storage.Storage;
+import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
 import com.google.common.flogger.LoggerConfig;
@ -41,6 +41,7 @@ import google.registry.proxy.WebWhoisProtocolsModule.HttpsWhoisProtocol;
 import google.registry.proxy.WhoisProtocolModule.WhoisProtocol;
 import google.registry.proxy.handler.ProxyProtocolHandler;
 import google.registry.util.Clock;
+import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.SystemClock;
 import io.netty.handler.logging.LogLevel;
 import io.netty.handler.logging.LoggingHandler;
@ -50,6 +51,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.Date;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ExecutorService;
@ -209,13 +211,13 @@ public class ProxyModule {

  @Singleton
  @Provides
-  static GoogleCredential provideCredential(ProxyConfig config) {
+  static GoogleCredentialsBundle provideCredential(ProxyConfig config) {
    try {
-      GoogleCredential credential = GoogleCredential.getApplicationDefault();
-      if (credential.createScopedRequired()) {
-        credential = credential.createScoped(config.gcpScopes);
+      GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
+      if (credentials.createScopedRequired()) {
+        credentials = credentials.createScoped(config.gcpScopes);
      }
-      return credential;
+      return GoogleCredentialsBundle.create(credentials);
    } catch (IOException e) {
      throw new RuntimeException("Unable to obtain OAuth2 credential.", e);
    }
@ -226,36 +228,45 @@ public class ProxyModule {
  @Provides
  @Named("accessToken")
  static Supplier<String> provideAccessTokenSupplier(
-      GoogleCredential credential, ProxyConfig config) {
+      GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return () -> {
+      GoogleCredentials credentials = credentialsBundle.getGoogleCredentials();
+      AccessToken accessToken = credentials.getAccessToken();
+      Date nextExpirationTime =
+          new Date(
+              System.currentTimeMillis() + config.accessTokenRefreshBeforeExpirationSeconds * 1000);
      // If we never obtained an access token, the expiration time is null.
-      if (credential.getExpiresInSeconds() == null
+      if (accessToken == null
          // If we have an access token, make sure to refresh it ahead of time.
-          || credential.getExpiresInSeconds() < config.accessTokenRefreshBeforeExpirationSeconds) {
+          || accessToken.getExpirationTime().before(nextExpirationTime)) {
        try {
-          credential.refreshToken();
+          credentials.refresh();
        } catch (IOException e) {
          throw new RuntimeException("Cannot refresh access token.", e);
        }
      }
-      return credential.getAccessToken();
+      return credentials.getAccessToken().getTokenValue();
    };
  }

  @Singleton
  @Provides
-  static CloudKMS provideCloudKms(GoogleCredential credential, ProxyConfig config) {
+  static CloudKMS provideCloudKms(GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return new CloudKMS.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }

  @Singleton
  @Provides
-  static Storage provideStorage(GoogleCredential credential, ProxyConfig config) {
+  static Storage provideStorage(GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return new Storage.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }
@ -337,14 +348,14 @@ public class ProxyModule {
  @Singleton
  @Component(
      modules = {
-        ProxyModule.class,
-        CertificateModule.class,
-        HttpsRelayProtocolModule.class,
-        WhoisProtocolModule.class,
-        WebWhoisProtocolsModule.class,
-        EppProtocolModule.class,
-        HealthCheckProtocolModule.class,
-        MetricsModule.class
+          ProxyModule.class,
+          CertificateModule.class,
+          HttpsRelayProtocolModule.class,
+          WhoisProtocolModule.class,
+          WebWhoisProtocolsModule.class,
+          EppProtocolModule.class,
+          HealthCheckProtocolModule.class,
+          MetricsModule.class
      })
  interface ProxyComponent {