impl(auth): support universe domain for service account creds

src/auth/src/credentials/service_account.rs

@@ -54,7 +54,7 @@
 //!     "private_key_id": "test-private-key-id",
 //!     "private_key": "<YOUR_PKCS8_PEM_KEY_HERE>",
 //!     "project_id": "test-project-id",
-//!     "universe_domain": "test-universe-domain",
+//!     "universe_domain": "googleapis.com",
 //! });
 //! let credentials: Credentials = Builder::new(service_account_key)
 //!     .with_quota_project_id("my-quota-project")
@@ -196,7 +196,7 @@ impl AccessSpecifier {
 ///     "private_key_id": "test-private-key-id",
 ///     "private_key": "<YOUR_PKCS8_PEM_KEY_HERE>",
 ///     "project_id": "test-project-id",
-///     "universe_domain": "test-universe-domain",
+///     "universe_domain": "googleapis.com",
 /// });
 /// let credentials = Builder::new(key)
 ///     .with_access_specifier(AccessSpecifier::from_audience("https://pubsub.googleapis.com"))
@@ -207,6 +207,7 @@ pub struct Builder {
     service_account_key: Value,
     access_specifier: AccessSpecifier,
     quota_project_id: Option<String>,
+    universe_domain: Option<String>,
     iam_endpoint_override: Option<String>,
 }
 
@@ -222,6 +223,7 @@ impl Builder {
             service_account_key,
             access_specifier: AccessSpecifier::Scopes([DEFAULT_SCOPE].map(str::to_string).to_vec()),
             quota_project_id: None,
+            universe_domain: None,
             iam_endpoint_override: None,
         }
     }
@@ -265,6 +267,31 @@ impl Builder {
         self
     }
 
+    /// Sets the universe domain for this credentials.
+    ///
+    /// The universe domain is the default service domain for a given cloud universe.
+    /// Any value provided here overrides a `universe_domain` value from the input service account JSON.
+    ///
+    /// # Example
+    /// ```
+    /// # use google_cloud_auth::credentials::service_account::Builder;
+    /// # use serde_json::json;
+    /// # async fn sample() -> anyhow::Result<()> {
+    /// # let config = json!({
+    /// #     "type": "service_account",
+    /// #     "client_email": "foo@bar.com",
+    /// #     "private_key": "---BEGIN---"
+    /// # });
+    /// let credentials = Builder::new(config)
+    ///     .with_universe_domain("googleapis.com")
+    ///     .build()?;
+    /// # Ok(()) }
+    /// ```
+    pub fn with_universe_domain<S: Into<String>>(mut self, universe_domain: S) -> Self {
+        self.universe_domain = Some(universe_domain.into());
+        self
+    }
+
     #[cfg(all(test, google_cloud_unstable_trusted_boundaries))]
     fn maybe_iam_endpoint_override(mut self, iam_endpoint_override: Option<String>) -> Self {
         self.iam_endpoint_override = iam_endpoint_override;
@@ -313,7 +340,7 @@ impl Builder {
     ///     "private_key_id": "test-private-key-id",
     ///     "private_key": "-----BEGIN PRIVATE KEY-----\nBLAHBLAHBLAH\n-----END PRIVATE KEY-----\n",
     ///     "project_id": "test-project-id",
-    ///     "universe_domain": "test-universe-domain",
+    ///     "universe_domain": "googleapis.com",
     /// });
     /// let credentials: AccessTokenCredentials = Builder::new(service_account_key)
     ///     .with_quota_project_id("my-quota-project")
@@ -343,15 +370,19 @@ impl Builder {
     ) -> BuildResult<CredentialsWithAccessBoundary<ServiceAccountCredentials<TokenCache>>> {
         let iam_endpoint = self.iam_endpoint_override.clone();
         let quota_project_id = self.quota_project_id.clone();
+        let universe_domain_override = self.universe_domain.clone();
         let token_provider = self.build_token_provider()?;
         let client_email = token_provider.service_account_key.client_email.clone();
+        let universe_domain =
+            universe_domain_override.or(token_provider.service_account_key.universe_domain.clone());
         let access_boundary_url = crate::access_boundary::service_account_lookup_url(
             &client_email,
             iam_endpoint.as_deref(),
         );
         let creds = ServiceAccountCredentials {
             quota_project_id,
             token_provider: TokenCache::new(token_provider),
+            universe_domain: universe_domain.clone(),
         };
 
         Ok(CredentialsWithAccessBoundary::new(
@@ -485,6 +516,7 @@ where
 {
     token_provider: T,
     quota_project_id: Option<String>,
+    universe_domain: Option<String>,
 }
 
 #[derive(Debug)]
@@ -601,6 +633,10 @@ where
             .maybe_quota_project_id(self.quota_project_id.as_deref())
             .build()
     }
+
+    async fn universe_domain(&self) -> Option<String> {
+        self.universe_domain.clone()
+    }
 }
 
 #[async_trait::async_trait]
@@ -686,6 +722,7 @@ mod tests {
         let sac = ServiceAccountCredentials {
             token_provider: TokenCache::new(mock),
             quota_project_id: None,
+            universe_domain: None,
         };
 
         let mut extensions = Extensions::new();
@@ -729,6 +766,7 @@ mod tests {
         let sac = ServiceAccountCredentials {
             token_provider: TokenCache::new(mock),
             quota_project_id: Some(quota_project.to_string()),
+            universe_domain: None,
         };
 
         let headers = get_headers_from_cache(sac.headers(Extensions::new()).await.unwrap())?;
@@ -757,6 +795,7 @@ mod tests {
         let sac = ServiceAccountCredentials {
             token_provider: TokenCache::new(mock),
             quota_project_id: None,
+            universe_domain: None,
         };
         let result = sac.headers(Extensions::new()).await;
         assert!(result.is_err(), "{result:?}");
@@ -832,7 +871,7 @@ mod tests {
             "private_key_id": "test-private-key-id",
             "private_key": private_key,
             "project_id": "test-project-id",
-            "universe_domain": "test-universe-domain"
+            "universe_domain": "googleapis.com"
         });
 
         let credentials = Builder::new(json_value).build()?;
@@ -866,6 +905,55 @@ mod tests {
         Ok(())
     }
 
+    #[tokio::test]
+    #[parallel]
+    async fn universe_domain() -> TestResult {
+        let private_key = PKCS8_PK.clone();
+        // SA key without universe_domain
+        let json_value = json!({
+            "client_email": "test-client-email",
+            "private_key_id": "test-private-key-id",
+            "private_key": private_key,
+            "project_id": "test-project-id",
+        });
+
+        let credentials = Builder::new(json_value).build()?;
+
+        let universe_domain = credentials.universe_domain().await;
+        assert_eq!(universe_domain, None, "{universe_domain:?}");
+
+        // SA key with universe_domain
+        let json_value = json!({
+            "client_email": "test-client-email",
+            "private_key_id": "test-private-key-id",
+            "private_key": private_key,
+            "project_id": "test-project-id",
+            "universe_domain": "some-universe-domain.com"
+        });
+
+        let credentials = Builder::new(json_value.clone()).build()?;
+
+        let universe_domain = credentials.universe_domain().await;
+        assert_eq!(
+            universe_domain.as_deref(),
+            Some("some-universe-domain.com"),
+            "{universe_domain:?}"
+        );
+
+        let credentials = Builder::new(json_value)
+            .with_universe_domain("other-universe-domain.com")
+            .build()?;
+
+        let universe_domain = credentials.universe_domain().await;
+        assert_eq!(
+            universe_domain.as_deref(),
+            Some("other-universe-domain.com"),
+            "{universe_domain:?}"
+        );
+
+        Ok(())
+    }
+
     #[tokio::test]
     #[parallel]
     async fn get_service_account_headers_invalid_key_failure() -> TestResult {