feat: add quotaProject support to existing credentials (#724)

Author: kevmoo

googleapis_auth/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 2.2.0-wip
+
+- Added `quotaProject` support to existing credentials classes
+  (`ServiceAccountCredentials`, `ClientViaServiceAccount`, `ClientFromFlow`).
+
 ## 2.1.0
 
 - `AuthClientSigningExtension`: Added `sign()` which accepts an optional

googleapis_auth/lib/src/auth_functions.dart

@@ -52,10 +52,14 @@ Client clientViaApiKey(String apiKey, {Client? baseClient}) {
 /// [baseClient].
 ///
 /// {@macro googleapis_auth_not_close_the_baseClient}
+///
+/// If [quotaProject] is provided, it will be added to the `X-Goog-User-Project`
+/// header for all requests.
 AuthClient authenticatedClient(
   Client baseClient,
   AccessCredentials credentials, {
   bool closeUnderlyingClient = false,
+  String? quotaProject,
 }) {
   if (credentials.accessToken.type != 'Bearer') {
     throw ArgumentError('Only Bearer access tokens are accepted.');
@@ -64,6 +68,7 @@ AuthClient authenticatedClient(
     baseClient,
     credentials,
     closeUnderlyingClient: closeUnderlyingClient,
+    quotaProject: quotaProject,
   );
 }
 

googleapis_auth/lib/src/oauth2_flows/base_flow.dart

@@ -14,9 +14,12 @@ abstract class BaseFlow {
   Future<AccessCredentials> run();
 }
 
+/// If [quotaProject] is provided, it will be added to the `X-Goog-User-Project`
+/// header for all requests.
 Future<AutoRefreshingAuthClient> clientFromFlow(
   BaseFlow Function(Client client) flowFactory, {
   Client? baseClient,
+  String? quotaProject,
 }) async {
   if (baseClient == null) {
     baseClient = Client();
@@ -28,7 +31,7 @@ Future<AutoRefreshingAuthClient> clientFromFlow(
 
   try {
     final credentials = await flow.run();
-    return _FlowClient(baseClient, credentials, flow);
+    return _FlowClient(baseClient, credentials, flow, quotaProject);
   } catch (e) {
     baseClient.close();
     rethrow;
@@ -38,21 +41,29 @@ Future<AutoRefreshingAuthClient> clientFromFlow(
 // Will close the underlying `http.Client`.
 class _FlowClient extends AutoRefreshDelegatingClient {
   final BaseFlow _flow;
-  @override
-  AccessCredentials credentials;
-  Client _authClient;
+  final String? _quotaProject;
+
+  AccessCredentials _credentials;
+  late Client _authClient;
+
+  _FlowClient(super.client, this._credentials, this._flow, this._quotaProject) {
+    _authClient = _recreateClient(_credentials);
+  }
 
-  _FlowClient(super.client, this.credentials, this._flow)
-    : _authClient = authenticatedClient(client, credentials);
+  @override
+  AccessCredentials get credentials => _credentials;
 
   @override
   Future<StreamedResponse> send(BaseRequest request) async {
-    if (credentials.accessToken.hasExpired) {
+    if (_credentials.accessToken.hasExpired) {
       final newCredentials = await _flow.run();
       notifyAboutNewCredentials(newCredentials);
-      credentials = newCredentials;
-      _authClient = authenticatedClient(baseClient, credentials);
+      _credentials = newCredentials;
+      _authClient = _recreateClient(newCredentials);
     }
     return _authClient.send(request);
   }
+
+  Client _recreateClient(AccessCredentials credentials) =>
+      authenticatedClient(baseClient, credentials, quotaProject: _quotaProject);
 }

googleapis_auth/lib/src/service_account_client.dart

@@ -39,10 +39,17 @@ Future<AccessCredentials> obtainAccessCredentialsViaServiceAccount(
 ///
 /// {@macro googleapis_auth_close_the_client}
 /// {@macro googleapis_auth_not_close_the_baseClient}
+///
+/// If [quotaProject] is provided, it will be added to the `X-Goog-User-Project`
+/// header for all requests.
+///
+/// Otherwise, the [ServiceAccountCredentials.quotaProject] property on
+/// [clientCredentials] will be used.
 Future<AutoRefreshingAuthClient> clientViaServiceAccount(
   ServiceAccountCredentials clientCredentials,
   List<String> scopes, {
   Client? baseClient,
+  String? quotaProject,
 }) async => await clientFromFlow(
   (c) => JwtFlow(
     clientCredentials.email,
@@ -52,4 +59,5 @@ Future<AutoRefreshingAuthClient> clientViaServiceAccount(
     c,
   ),
   baseClient: baseClient,
+  quotaProject: quotaProject ?? clientCredentials.quotaProject,
 );

googleapis_auth/lib/src/service_account_credentials.dart

@@ -43,6 +43,9 @@ class ServiceAccountCredentials {
   /// (e.g., Government Cloud or other isolated environments).
   final String universeDomain;
 
+  /// The quota project to use for requests.
+  final String? quotaProject;
+
   /// Private key as an [RSAPrivateKey].
   final RSAPrivateKey privateRSAKey;
 
@@ -75,6 +78,7 @@ class ServiceAccountCredentials {
           projectId: map['project_id'] as String?,
           universeDomain:
               map['universe_domain'] as String? ?? defaultUniverseDomain,
+          quotaProject: map['quota_project_id'] as String?,
         ),
       final Map map when map['type'] != 'service_account' =>
         throw ArgumentError(
@@ -109,13 +113,17 @@ class ServiceAccountCredentials {
   /// The optional named argument [universeDomain] specifies the universe
   /// domain.
   /// Defaults to [defaultUniverseDomain] if not provided.
+  ///
+  /// The optional named argument [quotaProject] specifies the quota project
+  /// to use for requests.
   ServiceAccountCredentials(
     this.email,
     this.clientId,
     this.privateKey, {
     this.impersonatedUser,
     this.projectId,
     this.universeDomain = defaultUniverseDomain,
+    this.quotaProject,
   }) : privateRSAKey = keyFromString(privateKey);
 
   /// Signs the given [data] using RSA-SHA256 with this service account's

googleapis_auth/pubspec.yaml

@@ -1,5 +1,5 @@
 name: googleapis_auth
-version: 2.1.0
+version: 2.2.0-wip
 description: Obtain Access credentials for Google services using OAuth 2.0
 repository: https://github.com/google/googleapis.dart/tree/master/googleapis_auth
 

googleapis_auth/test/oauth2_test.dart

@@ -74,6 +74,7 @@ void main() {
       'type': 'service_account',
       'project_id': 'test-project',
       'universe_domain': 'example.com',
+      'quota_project_id': 'test-quota',
     };
 
     test('from valid individual params', () {
@@ -82,13 +83,15 @@ void main() {
         clientId,
         testPrivateKeyString,
         projectId: 'test-project',
+        quotaProject: 'test-quota',
       );
       expect(credentials.email, 'email');
       expect(credentials.clientId, clientId);
       expect(credentials.privateKey, testPrivateKeyString);
       expect(credentials.impersonatedUser, isNull);
       expect(credentials.projectId, 'test-project');
       expect(credentials.universeDomain, defaultUniverseDomain);
+      expect(credentials.quotaProject, 'test-quota');
     });
 
     test('from valid individual params with user', () {
@@ -98,13 +101,15 @@ void main() {
         testPrivateKeyString,
         impersonatedUser: 'x@y.com',
         projectId: 'test-project',
+        quotaProject: 'test-quota',
       );
       expect(credentials.email, 'email');
       expect(credentials.clientId, clientId);
       expect(credentials.privateKey, testPrivateKeyString);
       expect(credentials.impersonatedUser, 'x@y.com');
       expect(credentials.projectId, 'test-project');
       expect(credentials.universeDomain, defaultUniverseDomain);
+      expect(credentials.quotaProject, 'test-quota');
     });
 
     test('from JSON string', () {
@@ -118,6 +123,7 @@ void main() {
       expect(credentialsFromJson.impersonatedUser, isNull);
       expect(credentialsFromJson.projectId, 'test-project');
       expect(credentialsFromJson.universeDomain, 'example.com');
+      expect(credentialsFromJson.quotaProject, 'test-quota');
     });
 
     test('from JSON string with user', () {
@@ -132,6 +138,7 @@ void main() {
       expect(credentialsFromJson.impersonatedUser, 'x@y.com');
       expect(credentialsFromJson.projectId, 'test-project');
       expect(credentialsFromJson.universeDomain, 'example.com');
+      expect(credentialsFromJson.quotaProject, 'test-quota');
     });
 
     test('from JSON map', () {
@@ -145,6 +152,7 @@ void main() {
       expect(credentialsFromJson.impersonatedUser, isNull);
       expect(credentialsFromJson.projectId, 'test-project');
       expect(credentialsFromJson.universeDomain, 'example.com');
+      expect(credentialsFromJson.quotaProject, 'test-quota');
     });
 
     test('from JSON map with user', () {
@@ -159,6 +167,7 @@ void main() {
       expect(credentialsFromJson.impersonatedUser, 'x@y.com');
       expect(credentialsFromJson.projectId, 'test-project');
       expect(credentialsFromJson.universeDomain, 'example.com');
+      expect(credentialsFromJson.quotaProject, 'test-quota');
     });
 
     test('sign data', () {
@@ -336,6 +345,35 @@ void main() {
         expect(response.statusCode, 204);
       });
 
+      test('successful request with quotaProject', () async {
+        final client = authenticatedClient(
+          mockClient(
+            expectAsync1((request) async {
+              expect(request.method, 'POST');
+              expect(request.url, url);
+              expect(request.headers, hasLength(2));
+              expect(
+                request.headers,
+                containsPair('Authorization', 'Bearer bar'),
+              );
+              expect(
+                request.headers,
+                containsPair('x-goog-user-project', 'test-quota-project'),
+              );
+
+              return Response('', 204);
+            }),
+            expectClose: false,
+          ),
+          credentials,
+          quotaProject: 'test-quota-project',
+        );
+        expect(client.credentials, credentials);
+
+        final response = await client.send(RequestImpl('POST', url));
+        expect(response.statusCode, 204);
+      });
+
       test('throws on access denied', () {
         final client = authenticatedClient(
           mockClient(
@@ -555,6 +593,54 @@ void main() {
         client.close();
       });
 
+      test('clientViaServiceAccount sends quotaProject header', () async {
+        final credentials = ServiceAccountCredentials.fromJson({
+          'private_key_id': '301029',
+          'private_key': testPrivateKeyString,
+          'client_email': 'test@test.iam.gserviceaccount.com',
+          'client_id': 'myid',
+          'type': 'service_account',
+          'quota_project_id': 'test-quota-project',
+        });
+
+        var callCount = 0;
+        final client = await clientViaServiceAccount(
+          credentials,
+          ['https://www.googleapis.com/auth/cloud-platform'],
+          baseClient: mockClient(
+            expectAsync1((request) async {
+              if (callCount == 0) {
+                expect(request.method, 'POST');
+                expect(request.url, googleOauth2TokenEndpoint);
+                callCount++;
+                return Response(
+                  jsonEncode({
+                    'access_token': 'test_token',
+                    'token_type': 'Bearer',
+                    'expires_in': 3600,
+                  }),
+                  200,
+                  headers: jsonContentType,
+                );
+              } else {
+                expect(
+                  request.headers,
+                  containsPair('x-goog-user-project', 'test-quota-project'),
+                );
+                callCount++;
+                return Response('', 200);
+              }
+            }, count: 2),
+            expectClose: false,
+          ),
+        );
+
+        final response = await client.get(Uri.parse('http://example.com'));
+        expect(response.statusCode, 200);
+
+        client.close();
+      });
+
       test('clientViaMetadataServer returns null credentials', () async {
         final client = await clientViaMetadataServer(
           baseClient: mockClient(