remove usage of appengine to get rid of unsafe imports

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I8228a126b322fb14250bbb5933199ce45e8584d3
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/562496
Reviewed-by: Than McIntosh <thanm@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>

go.mod

@@ -5,12 +5,6 @@ go 1.18
 require (
 	cloud.google.com/go/compute/metadata v0.2.3
 	github.com/google/go-cmp v0.5.9
-	google.golang.org/appengine v1.6.7
 )
 
-require (
+require cloud.google.com/go/compute v1.20.1 // indirect
-	cloud.google.com/go/compute v1.20.1 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	golang.org/x/net v0.20.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
-)

go.sum

@@ -2,25 +2,5 @@ cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZN
 cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=

google/appengine.go

@@ -1,38 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package google
-
-import (
-	"context"
-	"time"
-
-	"golang.org/x/oauth2"
-)
-
-// Set at init time by appengine_gen1.go. If nil, we're not on App Engine standard first generation (<= Go 1.9) or App Engine flexible.
-var appengineTokenFunc func(c context.Context, scopes ...string) (token string, expiry time.Time, err error)
-
-// Set at init time by appengine_gen1.go. If nil, we're not on App Engine standard first generation (<= Go 1.9) or App Engine flexible.
-var appengineAppIDFunc func(c context.Context) string
-
-// AppEngineTokenSource returns a token source that fetches tokens from either
-// the current application's service account or from the metadata server,
-// depending on the App Engine environment. See below for environment-specific
-// details. If you are implementing a 3-legged OAuth 2.0 flow on App Engine that
-// involves user accounts, see oauth2.Config instead.
-//
-// First generation App Engine runtimes (<= Go 1.9):
-// AppEngineTokenSource returns a token source that fetches tokens issued to the
-// current App Engine application's service account. The provided context must have
-// come from appengine.NewContext.
-//
-// Second generation App Engine runtimes (>= Go 1.11) and App Engine flexible:
-// AppEngineTokenSource is DEPRECATED on second generation runtimes and on the
-// flexible environment. It delegates to ComputeTokenSource, and the provided
-// context and scopes are not used. Please use DefaultTokenSource (or ComputeTokenSource,
-// which DefaultTokenSource will use in this case) instead.
-func AppEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource {
-	return appEngineTokenSource(ctx, scope...)
-}

google/appengine_gen1.go

@@ -1,77 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build appengine
-
-// This file applies to App Engine first generation runtimes (<= Go 1.9).
-
-package google
-
-import (
-	"context"
-	"sort"
-	"strings"
-	"sync"
-
-	"golang.org/x/oauth2"
-	"google.golang.org/appengine"
-)
-
-func init() {
-	appengineTokenFunc = appengine.AccessToken
-	appengineAppIDFunc = appengine.AppID
-}
-
-// See comment on AppEngineTokenSource in appengine.go.
-func appEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource {
-	scopes := append([]string{}, scope...)
-	sort.Strings(scopes)
-	return &gaeTokenSource{
-		ctx:    ctx,
-		scopes: scopes,
-		key:    strings.Join(scopes, " "),
-	}
-}
-
-// aeTokens helps the fetched tokens to be reused until their expiration.
-var (
-	aeTokensMu sync.Mutex
-	aeTokens   = make(map[string]*tokenLock) // key is space-separated scopes
-)
-
-type tokenLock struct {
-	mu sync.Mutex // guards t; held while fetching or updating t
-	t  *oauth2.Token
-}
-
-type gaeTokenSource struct {
-	ctx    context.Context
-	scopes []string
-	key    string // to aeTokens map; space-separated scopes
-}
-
-func (ts *gaeTokenSource) Token() (*oauth2.Token, error) {
-	aeTokensMu.Lock()
-	tok, ok := aeTokens[ts.key]
-	if !ok {
-		tok = &tokenLock{}
-		aeTokens[ts.key] = tok
-	}
-	aeTokensMu.Unlock()
-
-	tok.mu.Lock()
-	defer tok.mu.Unlock()
-	if tok.t.Valid() {
-		return tok.t, nil
-	}
-	access, exp, err := appengineTokenFunc(ts.ctx, ts.scopes...)
-	if err != nil {
-		return nil, err
-	}
-	tok.t = &oauth2.Token{
-		AccessToken: access,
-		Expiry:      exp,
-	}
-	return tok.t, nil
-}

google/appengine_gen2_flex.go

@@ -1,27 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !appengine
-
-// This file applies to App Engine second generation runtimes (>= Go 1.11) and App Engine flexible.
-
-package google
-
-import (
-	"context"
-	"log"
-	"sync"
-
-	"golang.org/x/oauth2"
-)
-
-var logOnce sync.Once // only spam about deprecation once
-
-// See comment on AppEngineTokenSource in appengine.go.
-func appEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource {
-	logOnce.Do(func() {
-		log.Print("google: AppEngineTokenSource is deprecated on App Engine standard second generation runtimes (>= Go 1.11) and App Engine flexible. Please use DefaultTokenSource or ComputeTokenSource.")
-	})
-	return ComputeTokenSource("")
-}

google/default.go

@@ -224,16 +224,6 @@ func FindDefaultCredentialsWithParams(ctx context.Context, params CredentialsPar
 		return CredentialsFromJSONWithParams(ctx, b, params)
 	}
 
-	// Third, if we're on a Google App Engine standard first generation runtime (<= Go 1.9)
-	// use those credentials. App Engine standard second generation runtimes (>= Go 1.11)
-	// and App Engine flexible use ComputeTokenSource and the metadata server.
-	if appengineTokenFunc != nil {
-		return &Credentials{
-			ProjectID:   appengineAppIDFunc(ctx),
-			TokenSource: AppEngineTokenSource(ctx, params.Scopes...),
-		}, nil
-	}
-
 	// Fourth, if we're on Google Compute Engine, an App Engine standard second generation runtime,
 	// or App Engine flexible, use the metadata server.
 	if metadata.OnGCE() {

google/downscope/downscoping.go

@@ -42,13 +42,16 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"golang.org/x/oauth2"
 )
 
-var (
+const (
-	identityBindingEndpoint = "https://sts.googleapis.com/v1/token"
+	universeDomainPlaceholder       = "UNIVERSE_DOMAIN"
+	identityBindingEndpointTemplate = "https://sts.UNIVERSE_DOMAIN/v1/token"
+	universeDomainDefault           = "googleapis.com"
 )
 
 type accessBoundary struct {
@@ -105,6 +108,18 @@ type DownscopingConfig struct {
 	// access (or set of accesses) that the new token has to a given resource.
 	// There can be a maximum of 10 AccessBoundaryRules.
 	Rules []AccessBoundaryRule
+	// UniverseDomain is the default service domain for a given Cloud universe.
+	// The default value is "googleapis.com". Optional.
+	UniverseDomain string
+}
+
+// identityBindingEndpoint returns the identity binding endpoint with the
+// configured universe domain.
+func (dc *DownscopingConfig) identityBindingEndpoint() string {
+	if dc.UniverseDomain == "" {
+		return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, universeDomainDefault, 1)
+	}
+	return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, dc.UniverseDomain, 1)
 }
 
 // A downscopingTokenSource is used to retrieve a downscoped token with restricted
@@ -114,6 +129,9 @@ type downscopingTokenSource struct {
 	ctx context.Context
 	// config holds the information necessary to generate a downscoped Token.
 	config DownscopingConfig
+	// identityBindingEndpoint is the identity binding endpoint with the
+	// configured universe domain.
+	identityBindingEndpoint string
 }
 
 // NewTokenSource returns a configured downscopingTokenSource.
@@ -135,7 +153,11 @@ func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSo
 			return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
 		}
 	}
-	return downscopingTokenSource{ctx: ctx, config: conf}, nil
+	return downscopingTokenSource{
+		ctx:                     ctx,
+		config:                  conf,
+		identityBindingEndpoint: conf.identityBindingEndpoint(),
+	}, nil
 }
 
 // Token() uses a downscopingTokenSource to generate an oauth2 Token.
@@ -171,7 +193,7 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
 	form.Add("options", string(b))
 
 	myClient := oauth2.NewClient(dts.ctx, nil)
-	resp, err := myClient.PostForm(identityBindingEndpoint, form)
+	resp, err := myClient.PostForm(dts.identityBindingEndpoint, form)
 	if err != nil {
 		return nil, fmt.Errorf("unable to generate POST Request %v", err)
 	}

google/downscope/downscoping_test.go

@@ -38,18 +38,43 @@ func Test_DownscopedTokenSource(t *testing.T) {
 		w.Write([]byte(standardRespBody))
 
 	}))
-	new := []AccessBoundaryRule{
+	myTok := oauth2.Token{AccessToken: "Mellon"}
+	tmpSrc := oauth2.StaticTokenSource(&myTok)
+	rules := []AccessBoundaryRule{
 		{
 			AvailableResource:    "test1",
 			AvailablePermissions: []string{"Perm1", "Perm2"},
 		},
 	}
-	myTok := oauth2.Token{AccessToken: "Mellon"}
+	dts := downscopingTokenSource{
-	tmpSrc := oauth2.StaticTokenSource(&myTok)
+		ctx: context.Background(),
-	dts := downscopingTokenSource{context.Background(), DownscopingConfig{tmpSrc, new}}
+		config: DownscopingConfig{
-	identityBindingEndpoint = ts.URL
+			RootSource: tmpSrc,
+			Rules:      rules,
+		},
+		identityBindingEndpoint: ts.URL,
+	}
 	_, err := dts.Token()
 	if err != nil {
 		t.Fatalf("NewDownscopedTokenSource failed with error: %v", err)
 	}
 }
+
+func Test_DownscopingConfig(t *testing.T) {
+	tests := []struct {
+		universeDomain string
+		want           string
+	}{
+		{"", "https://sts.googleapis.com/v1/token"},
+		{"googleapis.com", "https://sts.googleapis.com/v1/token"},
+		{"example.com", "https://sts.example.com/v1/token"},
+	}
+	for _, tt := range tests {
+		c := DownscopingConfig{
+			UniverseDomain: tt.universeDomain,
+		}
+		if got := c.identityBindingEndpoint(); got != tt.want {
+			t.Errorf("got %q, want %q", got, tt.want)
+		}
+	}
+}

google/internal/externalaccount/executablecredsource.go

@@ -19,7 +19,7 @@ import (
 	"time"
 )
 
-var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken")
+var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials\\..+/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken")
 
 const (
 	executableSupportedMaxVersion = 1

google/internal/externalaccount/executablecredsource_test.go

@@ -1021,3 +1021,37 @@ func TestRetrieveOutputFileSubjectTokenJwt(t *testing.T) {
 		})
 	}
 }
+
+func TestServiceAccountImpersonationRE(t *testing.T) {
+	tests := []struct {
+		name                           string
+		serviceAccountImpersonationURL string
+		want                           string
+	}{
+		{
+			name:                           "universe domain Google Default Universe (GDU) googleapis.com",
+			serviceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test@project.iam.gserviceaccount.com:generateAccessToken",
+			want:                           "test@project.iam.gserviceaccount.com",
+		},
+		{
+			name:                           "email does not match",
+			serviceAccountImpersonationURL: "test@project.iam.gserviceaccount.com",
+			want:                           "",
+		},
+		{
+			name:                           "universe domain non-GDU",
+			serviceAccountImpersonationURL: "https://iamcredentials.apis-tpclp.goog/v1/projects/-/serviceAccounts/test@project.iam.gserviceaccount.com:generateAccessToken",
+			want:                           "test@project.iam.gserviceaccount.com",
+		},
+	}
+	for _, tt := range tests {
+		matches := serviceAccountImpersonationRE.FindStringSubmatch(tt.serviceAccountImpersonationURL)
+		if matches == nil {
+			if tt.want != "" {
+				t.Errorf("%q: got nil, want %q", tt.name, tt.want)
+			}
+		} else if matches[1] != tt.want {
+			t.Errorf("%q: got %q, want %q", tt.name, matches[1], tt.want)
+		}
+	}
+}

internal/client_appengine.go

@@ -1,13 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build appengine
-
-package internal
-
-import "google.golang.org/appengine/urlfetch"
-
-func init() {
-	appengineClientHook = urlfetch.Client
-}

internal/transport.go

@@ -18,16 +18,11 @@ var HTTPClient ContextKey
 // because nobody else can create a ContextKey, being unexported.
 type ContextKey struct{}
 
-var appengineClientHook func(context.Context) *http.Client
-
 func ContextClient(ctx context.Context) *http.Client {
 	if ctx != nil {
 		if hc, ok := ctx.Value(HTTPClient).(*http.Client); ok {
 			return hc
 		}
 	}
-	if appengineClientHook != nil {
-		return appengineClientHook(ctx)
-	}
 	return http.DefaultClient
 }