iam: add conformance tests for IAM Identity Management APIs for GCP

[SriramGuduri]

Summary

GCP IAM Admin API Conformance Testing Strategy

Specific challenges encountered with the GCP IAM Admin Java Client that necessitated a different testing approach compared to the standard REST-based conformance tests.

1. Client Transport Limitations (gRPC vs. REST)

Unlike other GCP client libraries we use, the google-iam-admin library does not natively expose an HTTP/JSON (REST) transport option in its StubSettings. It forces the use of gRPC, which requires HTTP/2. This prevented us from using our standard HTTP-based WireMock recording setup.

2. WireMock gRPC Extension Limitations

While we utilized the wiremock-grpc-extension to handle the HTTP/2 connection and protocol framing, it currently lacks full parity with the standard WireMock HTTP recorder:

• No Auto-Recording: The extension cannot transparently proxy binary gRPC streams and serialize the Protobuf responses into readable JSON files automatically.
• Strict Matching: The extension requires precise endpoint matching (e.g., strict leading slashes), which caused UNIMPLEMENTED errors when using standard auto-loaded mappings.

3. Implementation of Custom Record/Replay Pattern

To bridge this gap, we implemented a manual Record/Replay workflow:

• Record Mode:
  • Bypassed WireMock to connect directly to GCP.
  • Intercepted the response objects.
  • Manually serialized the Protobuf messages to JSON using JsonFormat and saved them to a dedicated recorded_responses directory (avoiding conflicts with WireMock's auto-scanner).
• Replay Mode:
  • Configured the client with SSL/ALPN to negotiate HTTP/2 with WireMock.
  • Programmatically loaded the JSON files, parsed them back into Protobuf objects, and registered them as stubs using the gRPC Extension DSL.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.21%. Comparing base (ce4f06c) to head (f12dcbd).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main     #186   +/-   ##
=========================================
  Coverage     83.21%   83.21%           
  Complexity       91       91           
=========================================
  Files           150      150           
  Lines          8190     8190           
  Branches        950      950           
=========================================
  Hits           6815     6815           
  Misses          925      925           
  Partials        450      450           

Flag	Coverage Δ
unittests	83.21% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[SriramGuduri]

• Unrelated build check failure.
• Found the same issue with a dummy PR from main branch here: https://github.com/salesforce/multicloudj/pull/202/checks

[LihaoLiuXs]

We don't need this instruction in comment here. We can remove it.

[SriramGuduri]

ack

[LihaoLiuXs]

I didn't find any usage of this method in this PR. Where we need this getGrpcTransportChannelProvider?

[SriramGuduri]

It's not needed anymore. I'll remove it in follow up commit.

[LihaoLiuXs]

After the Identity creation, do we have any clean up step for these test created resources?

[SriramGuduri]

Good catch. CleanUp is not implemented. I'll address it in follow up commits.

[sandeepvinayak]

that's exactly what happens for other conformance tests, which part is unlike other conf tests?

[sandeepvinayak]

it's okay to use the same path for recording and let the wiremock framework take care of creating directories. I see now we have to create directories and all manually.

[sandeepvinayak]

scratch this please, I see it's a setup for grpc here https://github.com/wiremock/wiremock-grpc-extension

[sandeepvinayak]

I think useValidCredentials pattern is taken from blobstore, we aren't used it here, I think we should remove it, it doesn't add much value.

[sandeepvinayak]

ditto

[sandeepvinayak]

Let's create the directory manually as one time operation and assume that it exists, this won't work in bazel fork where build works in temp location.
(Also I believe the recordings directory should be taken care of wiremock for creation.)

[sandeepvinayak]

ditto, let's create it manually as one time

[sandeepvinayak]

don't wiremock load the recordings automatically for gRPC?

[sandeepvinayak]

nit: remove tab in log

[sandeepvinayak]

nit: remove genAI special symbols