Conditionally enable AllowHardBoundTokens in gengrpc (#1635)

This PR to conditionally enable AllowHardBoundTokens for three initial services:
- SecretManager
- Cloudkms
- Showcase

This change is safe for the following reasons:
1- Mtls Hard Bound Tokens flow requires S2A to be enabled as well for the auth library to even read the AllowHardBoundTokens internaloption as shown in: https://togithub.com/googleapis/google-cloud-go/blob/942c7707bd5119a62a4e7d92803179f6af865eaa/auth/grpctransport/grpctransport.go#L308. Currently, S2A is off by default in the client library and is only enabled internally for selected users.

2- Getting hard bound tokens is guarded behind an experiment in Metadata server. Meaning even if an application has both S2A and AllowHardBoundTokens internal options enabled they need to be allowlisted in the MDS experiment to fetch a hard-bound token.

3- Hard-bound token flow is in audit mode (no enforcement). If an application is using hard-bound tokens and they don't have a policy in place the binding is not enforced.

Author: yamandabbagh

internal/gengapic/generator.go

@@ -41,6 +41,12 @@ var enableWrapperTypesForPageSize = map[string]bool{
 	"google.cloud.bigquery.v2": true,
 }
 
+var enableMtlsHardBoundTokens = map[string]bool{
+	"cloudkms.googleapis.com":      true,
+	"secretmanager.googleapis.com": true,
+	"showcase.googleapis.com":      true,
+}
+
 type generator struct {
 	pt printer.P
 

internal/gengapic/gengrpc.go

@@ -186,6 +186,9 @@ func (g *generator) grpcClientOptions(serv *descriptorpb.ServiceDescriptorProto,
 	p("    internaloption.WithDefaultAudience(%q),", generateDefaultAudience(host))
 	p("    internaloption.WithDefaultScopes(DefaultAuthScopes()...),")
 	p("    internaloption.EnableJwtWithScope(),")
+	if _, ok := enableMtlsHardBoundTokens[g.serviceConfig.GetName()]; ok {
+		p("internaloption.AllowHardBoundTokens(\"MTLS_S2A\"),")
+	}
 	p("    internaloption.EnableNewAuthLibrary(),")
 	p("    option.WithGRPCDialOption(grpc.WithDefaultCallOptions(")
 	p("      grpc.MaxCallRecvMsgSize(math.MaxInt32))),")

internal/gengapic/testdata/empty_opt.want

@@ -24,6 +24,7 @@ func defaultGRPCClientOptions() []option.ClientOption {
 		internaloption.WithDefaultAudience("https://foo.googleapis.com/"),
 		internaloption.WithDefaultScopes(DefaultAuthScopes()...),
 		internaloption.EnableJwtWithScope(),
+		internaloption.AllowHardBoundTokens("MTLS_S2A"),
 		internaloption.EnableNewAuthLibrary(),
 		option.WithGRPCDialOption(grpc.WithDefaultCallOptions(
 		grpc.MaxCallRecvMsgSize(math.MaxInt32))),

internal/gengapic/testdata/foo_opt.want

@@ -24,6 +24,7 @@ func defaultFooGRPCClientOptions() []option.ClientOption {
 		internaloption.WithDefaultAudience("https://foo.googleapis.com/"),
 		internaloption.WithDefaultScopes(DefaultAuthScopes()...),
 		internaloption.EnableJwtWithScope(),
+		internaloption.AllowHardBoundTokens("MTLS_S2A"),
 		internaloption.EnableNewAuthLibrary(),
 		option.WithGRPCDialOption(grpc.WithDefaultCallOptions(
 		grpc.MaxCallRecvMsgSize(math.MaxInt32))),

internal/gengapic/testdata/host_port_opt.want

@@ -22,6 +22,7 @@ func defaultBarGRPCClientOptions() []option.ClientOption {
 		internaloption.WithDefaultAudience("https://foo.googleapis.com/"),
 		internaloption.WithDefaultScopes(DefaultAuthScopes()...),
 		internaloption.EnableJwtWithScope(),
+		internaloption.AllowHardBoundTokens("MTLS_S2A"),
 		internaloption.EnableNewAuthLibrary(),
 		option.WithGRPCDialOption(grpc.WithDefaultCallOptions(
 		grpc.MaxCallRecvMsgSize(math.MaxInt32))),

internal/gengapic/testdata/iam_override_opt.want

@@ -21,6 +21,7 @@ func defaultBazGRPCClientOptions() []option.ClientOption {
 		internaloption.WithDefaultAudience("https://foo.googleapis.com/"),
 		internaloption.WithDefaultScopes(DefaultAuthScopes()...),
 		internaloption.EnableJwtWithScope(),
+		internaloption.AllowHardBoundTokens("MTLS_S2A"),
 		internaloption.EnableNewAuthLibrary(),
 		option.WithGRPCDialOption(grpc.WithDefaultCallOptions(
 		grpc.MaxCallRecvMsgSize(math.MaxInt32))),