Support optional baseClient in ImpersonatedAuthClient, and safely extract quotaProject from ADC json

Author: kevmoo

googleapis_auth/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 - Added `quotaProject` support to existing credentials classes
   (`ServiceAccountCredentials`, `ClientViaServiceAccount`, `ClientFromFlow`).
+- `clientViaApplicationDefaultCredentials` now extracts `quotaProject` correctly
+  from service account credentials JSON.
+- `clientViaServiceAccountImpersonation` and `ImpersonatedAuthClient` now accept
+  an optional `baseClient`.
 
 ## 2.1.0
 

googleapis_auth/lib/src/adc_utils.dart

@@ -31,6 +31,13 @@ Future<AutoRefreshingAuthClient> fromApplicationsCredentialsFile(
     );
   }
 
+  if (credentials is! Map) {
+    throw Exception(
+      'Failed to parse JSON from credentials file from $fileSource',
+    );
+  }
+  final quotaProject = credentials['quota_project_id'] as String?;
+
   if (credentials case {
     'type': 'authorized_user',
     'client_id': final String clientIdString,
@@ -52,12 +59,13 @@ Future<AutoRefreshingAuthClient> fromApplicationsCredentialsFile(
         ),
         baseClient,
       ),
-      quotaProject: credentials['quota_project_id'] as String?,
+      quotaProject: quotaProject,
     );
   }
   return await clientViaServiceAccount(
     ServiceAccountCredentials.fromJson(credentials),
     scopes,
     baseClient: baseClient,
+    quotaProject: quotaProject,
   );
 }

googleapis_auth/lib/src/impersonated_auth_client.dart

@@ -46,13 +46,18 @@ import 'utils.dart';
 /// // Explicitly generate a new access token
 /// final token = await impersonated.generateAccessToken();
 /// ```
+///
+/// [baseClient] is an optional [http.Client] that will be used for
+/// the returned client's authenticated requests. If not provided, a new
+/// [http.Client] will be instantiated.
 Future<ImpersonatedAuthClient> clientViaServiceAccountImpersonation({
   required AuthClient sourceClient,
   required String targetServiceAccount,
   required List<String> targetScopes,
   List<String>? delegates,
   String universeDomain = defaultUniverseDomain,
   Duration lifetime = const Duration(hours: 1),
+  http.Client? baseClient,
 }) async {
   final impersonatedClient = ImpersonatedAuthClient(
     sourceClient: sourceClient,
@@ -61,6 +66,7 @@ Future<ImpersonatedAuthClient> clientViaServiceAccountImpersonation({
     delegates: delegates,
     universeDomain: universeDomain,
     lifetime: lifetime,
+    baseClient: baseClient,
   );
 
   // Generate initial credentials
@@ -113,13 +119,18 @@ class ImpersonatedAuthClient extends AutoRefreshDelegatingClient {
   ///
   /// [lifetime] specifies how long the access token should be valid. Defaults
   /// to 3600 seconds (1 hour). Maximum is 43200 seconds (12 hours).
+  ///
+  /// [baseClient] is an optional [http.Client] that will be used for
+  /// the returned client's authenticated requests. If not provided, a new
+  /// [http.Client] will be instantiated.
   ImpersonatedAuthClient({
     required AuthClient sourceClient,
     required this.targetServiceAccount,
     required List<String> targetScopes,
     List<String>? delegates,
     String universeDomain = defaultUniverseDomain,
     Duration lifetime = const Duration(hours: 1),
+    http.Client? baseClient,
   }) : _sourceClient = sourceClient,
        _targetScopes = List.unmodifiable(targetScopes),
        _delegates = delegates != null ? List.unmodifiable(delegates) : null,
@@ -130,7 +141,10 @@ class ImpersonatedAuthClient extends AutoRefreshDelegatingClient {
          null,
          targetScopes,
        ),
-       super(sourceClient, closeUnderlyingClient: false);
+       super(
+         baseClient ?? http.Client(),
+         closeUnderlyingClient: baseClient == null,
+       );
 
   @override
   AccessCredentials get credentials => _credentials;

googleapis_auth/test/adc_test.dart

@@ -137,4 +137,63 @@ void main() {
 
     c.close();
   });
+
+  test('service_account credentials with quota_project_id', () async {
+    await d
+        .file(
+          'creds.json',
+          json.encode({
+            'private_key_id': 'id',
+            'private_key': testPrivateKeyString,
+            'client_email': 'test@example.com',
+            'client_id': 'client_id',
+            'type': 'service_account',
+            'quota_project_id': 'test-quota-project',
+          }),
+        )
+        .create();
+
+    final c = await fromApplicationsCredentialsFile(
+      File(d.path('creds.json')),
+      'test-credentials-file',
+      ['https://www.googleapis.com/auth/cloud-platform'],
+      mockClient(
+        expectAsync1((Request request) async {
+          final url = request.url;
+          if (url == googleOauth2TokenEndpoint) {
+            expect(request.method, 'POST');
+            return Response(
+              jsonEncode({
+                'access_token': 'atoken',
+                'token_type': 'Bearer',
+                'expires_in': 3600,
+              }),
+              200,
+              headers: jsonContentType,
+            );
+          }
+          if (url.toString() ==
+              'https://storage.googleapis.com/b/bucket/o/obj') {
+            expect(request.method, 'GET');
+            expect(
+              request.headers,
+              containsPair('X-Goog-User-Project', 'test-quota-project'),
+            );
+            return Response('hello world', 200);
+          }
+          return Response('bad', 404);
+        }, count: 2),
+        expectClose: false,
+      ),
+    );
+    expect(c.credentials.accessToken.data, 'atoken');
+
+    final r = await c.get(
+      Uri.https('storage.googleapis.com', '/b/bucket/o/obj'),
+    );
+    expect(r.statusCode, 200);
+    expect(r.body, 'hello world');
+
+    c.close();
+  });
 }

googleapis_auth/test/impersonated_auth_client_test.dart

@@ -436,4 +436,56 @@ void main() {
 
     impersonated.close();
   });
+
+  test('uses provided baseClient for authenticated requests', () async {
+    var generateTokenCalled = false;
+    final sourceBaseClient = mockClient((request) async {
+      generateTokenCalled = true;
+      final expireTime = DateTime.now().toUtc().add(const Duration(hours: 1));
+      return http.Response(
+        jsonEncode({
+          'accessToken': 'impersonated-token',
+          'expireTime': expireTime.toIso8601String(),
+        }),
+        200,
+        headers: jsonContentType,
+      );
+    }, expectClose: false);
+
+    final sourceCredentials = AccessCredentials(
+      AccessToken(
+        'Bearer',
+        'source-token',
+        DateTime.now().toUtc().add(const Duration(hours: 1)),
+      ),
+      null,
+      [],
+    );
+    final sourceClient = authenticatedClient(
+      sourceBaseClient,
+      sourceCredentials,
+    );
+
+    var authenticatedRequestCalled = false;
+    final customBaseClient = mockClient((request) async {
+      authenticatedRequestCalled = true;
+      expect(request.headers['Authorization'], 'Bearer impersonated-token');
+      return http.Response('ok', 200);
+    }, expectClose: false);
+
+    final impersonated = await clientViaServiceAccountImpersonation(
+      sourceClient: sourceClient,
+      targetServiceAccount: 'target@project.iam.gserviceaccount.com',
+      targetScopes: ['scope1'],
+      baseClient: customBaseClient,
+    );
+
+    expect(generateTokenCalled, isTrue);
+
+    final response = await impersonated.get(Uri.parse('https://example.com'));
+    expect(response.statusCode, 200);
+    expect(authenticatedRequestCalled, isTrue);
+
+    impersonated.close();
+  });
 }