From cfd2b878a5a235f39dd9f00cbd96e51836b957fd Mon Sep 17 00:00:00 2001
From: Steven van Rossum
Date: Mon, 29 Jul 2024 09:55:50 +0000
Subject: [PATCH 1/4] fix: license id claim must be requested with licenses (plural) query parameter
---
 .../com/google/auth/oauth2/ComputeEngineCredentials.java | 4 ++--
 .../google/auth/oauth2/ComputeEngineCredentialsTest.java | 4 ++--
 .../google/auth/oauth2/MockMetadataServerTransport.java | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
index 4fd1c1014..8fac3694a 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -320,9 +320,9 @@ public IdToken idTokenWithAudience(String targetAudience, List
Date: Mon, 29 Jul 2024 10:44:05 +0000
Subject: [PATCH 2/4] fix: license_id is a property of compute_engine claim
---
 .../oauth2/ComputeEngineCredentialsTest.java | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index 979b921b7..40f881184 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -105,12 +105,12 @@ public class ComputeEngineCredentialsTest extends BaseSerializationTest {
 + "jb21wdXRlQGRldmVsb3Blci5nc2VydmljZWFjY291bnQuY29tIiwNCiAgImVtYWlsX3ZlcmlmaWVkIjogdHJ1ZSw"
 + "NCiAgImV4cCI6IDE1NjQ1MTk0OTYsDQogICJnb29nbGUiOiB7DQogICAgImNvbXB1dGVfZW5naW5lIjogew0KICA"
 + "gICAgImluc3RhbmNlX2NyZWF0aW9uX3RpbWVzdGFtcCI6IDE1NjMyMzA5MDcsDQogICAgICAiaW5zdGFuY2VfaWQ"
- + "iOiAiMzQ5Nzk3NDM5MzQ0MTE3OTI0MyIsDQogICAgICAiaW5zdGFuY2VfbmFtZSI6ICJpYW0iLA0KICAgICAgInB"
- + "yb2plY3RfaWQiOiAiZm9vLWJhci04MjAiLA0KICAgICAgInByb2plY3RfbnVtYmVyIjogMTA3MTI4NDE4NDQzNiw"
- + "NCiAgICAgICJ6b25lIjogInVzLWNlbnRyYWwxLWEiDQogICAgfSwNCiAgICAibGljZW5zZSI6IFsNCiAgICAgICA"
- + "iTElDRU5TRV8xIiwNCiAgICAgICAiTElDRU5TRV8yIg0KICAgIF0NCiAgfSwNCiAgImlhdCI6IDE1NjQ1MTU4OTY"
- + "sDQogICJpc3MiOiAiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwNCiAgInN1YiI6ICIxMTIxNzkwNjI3MjA"
- + "zOTEzMDU4ODUiDQp9.redacted";
+ + "iOiAiMzQ5Nzk3NDM5MzQ0MTE3OTI0MyIsDQogICAgICAiaW5zdGFuY2VfbmFtZSI6ICJpYW0iLA0KICAgICAgImx"
+ + "pY2Vuc2VfaWQiOiBbDQogICAgICAgICIxMDAxMDAwIiwNCiAgICAgICAgIjEwMDEwMDEiLA0KICAgICAgICAiMTA"
+ + "wMTAwOCINCiAgICAgIF0sDQogICAgICAicHJvamVjdF9pZCI6ICJmb28tYmFyLTgyMCIsDQogICAgICAicHJvamV"
+ + "jdF9udW1iZXIiOiAxMDcxMjg0MTg0NDM2LA0KICAgICAgInpvbmUiOiAidXMtY2VudHJhbDEtYSINCiAgICB9DQo"
+ + "gIH0sDQogICJpYXQiOiAxNTY0NTE1ODk2LA0KICAiaXNzIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSI"
+ + "sDQogICJzdWIiOiAiMTEyMTc5MDYyNzIwMzkxMzA1ODg1Ig0KfQ.redacted";
 @Test
 public void buildTokenUrlWithScopes_null_scopes() {
@@ -925,7 +925,9 @@ public void idTokenWithAudience_licenses() throws IOException {
 Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
 assertTrue("Full ID Token format not provided", p.containsKey("google"));
 ArrayMap googleClaim = (ArrayMap) p.get("google");
- assertTrue(googleClaim.containsKey("license"));
+ assertTrue(googleClaim.containsKey("compute_engine"));
+ ArrayMap computeEngineClaim = (ArrayMap) googleClaim.get("compute_engine");
+ assertTrue(computeEngineClaim.containsKey("license_id"));
 }
 static class MockMetadataServerTransportFactory implements HttpTransportFactory {
From d4c76d684bfd7c8e2d461ec2bc576b7232c75415 Mon Sep 17 00:00:00 2001
From: Steven van Rossum
Date: Mon, 29 Jul 2024 11:37:24 +0000
Subject: [PATCH 3/4] chore: use parameterized types
---
 .../google/auth/oauth2/ComputeEngineCredentialsTest.java | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index 40f881184..d18aa3ebd 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -901,7 +901,8 @@ public void idTokenWithAudience_full() throws IOException {
 tokenCredential.refresh();
 Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
 assertTrue("Full ID Token format not provided", p.containsKey("google"));
- ArrayMap googleClaim = (ArrayMap) p.get("google");
+ ArrayMap> googleClaim =
+ (ArrayMap>) p.get("google");
 assertTrue(googleClaim.containsKey("compute_engine"));
 }
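Review bot: In the `idTokenWithAudience_licenses` hunk the new assertions stop at `computeEngineClaim.containsKey("license_id")`, so the test still passes if the claim is present but empty or of the wrong type. Since the fixture token was rebuilt specifically to carry this claim, it is worth asserting on the value as well, for example `assertTrue(computeEngineClaim.get("license_id") instanceof Collection);` plus a size or content check against the fixture (this may need an extra import in the test file). The test method's body starts outside the hunk.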
@@ -924,9 +925,11 @@ public void idTokenWithAudience_licenses() throws IOException {
 tokenCredential.refresh();
 Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
 assertTrue("Full ID Token format not provided", p.containsKey("google"));
- ArrayMap googleClaim = (ArrayMap) p.get("google");
+ ArrayMap> googleClaim =
+ (ArrayMap>) p.get("google");
 assertTrue(googleClaim.containsKey("compute_engine"));
- ArrayMap computeEngineClaim = (ArrayMap) googleClaim.get("compute_engine");
+ ArrayMap computeEngineClaim =
+ (ArrayMap) googleClaim.get("compute_engine");
 assertTrue(computeEngineClaim.containsKey("license_id"));
 }
From 5388635717ba3aa6e20fa58d213397edd13e697d Mon Sep 17 00:00:00 2001
From: Steven van Rossum
Date: Mon, 29 Jul 2024 12:01:48 +0000
Subject: [PATCH 4/4] fix: accurately mock value parser for licenses parameter
---
 .../com/google/auth/oauth2/MockMetadataServerTransport.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java
index 98a4141df..874955639 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java
@@ -46,10 +46,13 @@ import java.net.URLDecoder;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.regex.Pattern;
 /** Transport that simulates the GCE metadata server for access tokens. */
 public class MockMetadataServerTransport extends MockHttpTransport {
+ private static final Pattern BOOL_PARAMETER_VALUE = Pattern.compile("on|1|(?i)y|yes|true");
+
 private String accessToken;
 private Integer requestStatusCode;
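Review bot: In the `MockMetadataServerTransport` hunk, the embedded `(?i)` in `BOOL_PARAMETER_VALUE` sits in front of the third alternative, so under Java's flag scoping `on` and `1` are matched exactly while `y`, `yes` and `true` are matched case-insensitively. If that asymmetry mirrors the real metadata server's parser, say so on the field, e.g. `// "on" is case-sensitive; y/yes/true are not, matching the metadata server`. If it is not intended, `Pattern.compile("on|1|y|yes|true", Pattern.CASE_INSENSITIVE)` states the rule plainly. This matters because a mock that accepts more spellings than the server would let a wrong `licenses` value sent by `ComputeEngineCredentials` pass the tests unnoticed. The pattern is used in the later `execute()` hunk of the same file.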
@@ -203,7 +206,7 @@ public LowLevelHttpResponse execute() throws IOException {
 // return licenses only if format=full is set
 if (queryPairs.containsKey("licenses")) {
- if (((String) queryPairs.get("licenses")).equals("TRUE")) {
+ if (BOOL_PARAMETER_VALUE.matcher((String) queryPairs.get("licenses")).matches()) {
 return new MockLowLevelHttpRequest(url) {
 @Override
 public LowLevelHttpResponse execute() throws IOException {