fix(auth/impersonate): properly send default detect params (#9529)

Fixes: #9136

Author: codyoss

auth/impersonate/idtoken.go

@@ -24,7 +24,6 @@ import (
 	"time"
 
 	"cloud.google.com/go/auth"
-	"cloud.google.com/go/auth/detect"
 	"cloud.google.com/go/auth/httptransport"
 	"cloud.google.com/go/auth/internal"
 )
@@ -88,9 +87,9 @@ func NewIDTokenProvider(opts *IDTokenOptions) (auth.TokenProvider, error) {
 	if opts.Client == nil && opts.TokenProvider == nil {
 		var err error
 		client, err = httptransport.NewClient(&httptransport.Options{
-			DetectOpts: &detect.Options{
-				Audience: defaultAud,
-				Scopes:   []string{defaultScope},
+			InternalOptions: &httptransport.InternalOptions{
+				DefaultAudience: defaultAud,
+				DefaultScopes:   []string{defaultScope},
 			},
 		})
 		if err != nil {

auth/impersonate/impersonate.go

@@ -24,7 +24,6 @@ import (
 	"time"
 
 	"cloud.google.com/go/auth"
-	"cloud.google.com/go/auth/detect"
 	"cloud.google.com/go/auth/httptransport"
 	"cloud.google.com/go/auth/internal"
 )
@@ -57,9 +56,9 @@ func NewCredentialTokenProvider(opts *CredentialOptions) (auth.TokenProvider, er
 	if opts.Client == nil && opts.TokenProvider == nil {
 		var err error
 		client, err = httptransport.NewClient(&httptransport.Options{
-			DetectOpts: &detect.Options{
-				Audience: defaultAud,
-				Scopes:   []string{defaultScope},
+			InternalOptions: &httptransport.InternalOptions{
+				DefaultAudience: defaultAud,
+				DefaultScopes:   []string{defaultScope},
 			},
 		})
 		if err != nil {

auth/impersonate/integration_test.go

@@ -72,14 +72,20 @@ func TestMain(m *testing.M) {
 func TestCredentialsTokenSourceIntegration(t *testing.T) {
 	testutil.IntegrationTestCheck(t)
 	tests := []struct {
-		name        string
-		baseKeyFile string
-		delegates   []string
+		name            string
+		baseKeyFile     string
+		delegates       []string
+		useDefaultCreds bool
 	}{
 		{
 			name:        "SA -> SA",
 			baseKeyFile: readerKeyFile,
 		},
+		{
+			name:            "SA -> SA (Default)",
+			baseKeyFile:     readerKeyFile,
+			useDefaultCreds: true,
+		},
 		{
 			name:        "SA -> Delegate -> SA",
 			baseKeyFile: baseKeyFile,
@@ -90,19 +96,27 @@ func TestCredentialsTokenSourceIntegration(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx := context.Background()
-			creds, err := detect.DefaultCredentials(&detect.Options{
-				Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
-				CredentialsFile: tt.baseKeyFile,
-			})
-			if err != nil {
-				t.Fatalf("detect.DefaultCredentials() = %v", err)
+			var creds *detect.Credentials
+			if !tt.useDefaultCreds {
+				var err error
+				creds, err = detect.DefaultCredentials(&detect.Options{
+					Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
+					CredentialsFile: tt.baseKeyFile,
+				})
+				if err != nil {
+					t.Fatalf("detect.DefaultCredentials() = %v", err)
+				}
 			}
-			tp, err := impersonate.NewCredentialTokenProvider(&impersonate.CredentialOptions{
+
+			opts := &impersonate.CredentialOptions{
 				TargetPrincipal: writerEmail,
 				Scopes:          []string{"https://www.googleapis.com/auth/devstorage.full_control"},
 				Delegates:       tt.delegates,
-				TokenProvider:   creds,
-			})
+			}
+			if !tt.useDefaultCreds {
+				opts.TokenProvider = creds
+			}
+			tp, err := impersonate.NewCredentialTokenProvider(opts)
 			if err != nil {
 				t.Fatalf("failed to create ts: %v", err)
 			}
@@ -123,14 +137,20 @@ func TestIDTokenSourceIntegration(t *testing.T) {
 
 	ctx := context.Background()
 	tests := []struct {
-		name        string
-		baseKeyFile string
-		delegates   []string
+		name            string
+		baseKeyFile     string
+		delegates       []string
+		useDefaultCreds bool
 	}{
 		{
 			name:        "SA -> SA",
 			baseKeyFile: readerKeyFile,
 		},
+
+		{
+			name:            "SA -> SA (Default)",
+			useDefaultCreds: true,
+		},
 		{
 			name:        "SA -> Delegate -> SA",
 			baseKeyFile: baseKeyFile,
@@ -141,21 +161,28 @@ func TestIDTokenSourceIntegration(t *testing.T) {
 	for _, tt := range tests {
 		name := tt.name
 		t.Run(name, func(t *testing.T) {
-			creds, err := detect.DefaultCredentials(&detect.Options{
-				Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
-				CredentialsFile: tt.baseKeyFile,
-			})
-			if err != nil {
-				t.Fatalf("detect.DefaultCredentials() = %v", err)
+			var creds *detect.Credentials
+			if !tt.useDefaultCreds {
+				var err error
+				creds, err = detect.DefaultCredentials(&detect.Options{
+					Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
+					CredentialsFile: tt.baseKeyFile,
+				})
+				if err != nil {
+					t.Fatalf("detect.DefaultCredentials() = %v", err)
+				}
 			}
 			aud := "http://example.com/"
-			tp, err := impersonate.NewIDTokenProvider(&impersonate.IDTokenOptions{
+			opts := &impersonate.IDTokenOptions{
 				TargetPrincipal: writerEmail,
 				Audience:        aud,
 				Delegates:       tt.delegates,
 				IncludeEmail:    true,
-				TokenProvider:   creds,
-			})
+			}
+			if !tt.useDefaultCreds {
+				opts.TokenProvider = creds
+			}
+			tp, err := impersonate.NewIDTokenProvider(opts)
 			if err != nil {
 				t.Fatalf("failed to create ts: %v", err)
 			}

auth/internal/transport/s2a.go

@@ -161,7 +161,6 @@ func shouldUseS2A(clientCertSource cert.Provider, opts *Options) bool {
 	if clientCertSource != nil {
 		return false
 	}
-	log.Println(os.Getenv(googleAPIUseS2AEnv))
 	// If EXPERIMENTAL_GOOGLE_API_USE_S2A is not set to true, skip S2A.
 	if b, err := strconv.ParseBool(os.Getenv(googleAPIUseS2AEnv)); err == nil && !b {
 		return false