diff --git a/auth/grpctransport/grpctransport.go b/auth/grpctransport/grpctransport.go
index 38212ed0f82a..dea74e82ae32 100644
--- a/auth/grpctransport/grpctransport.go
+++ b/auth/grpctransport/grpctransport.go
@@ -197,8 +197,9 @@ type InternalOptions struct {
 // DefaultEndpointTemplate combined with UniverseDomain specifies
 // the default endpoint.
 DefaultEndpointTemplate string
- // DefaultMTLSEndpoint specifies the default mTLS endpoint.
- DefaultMTLSEndpoint string
+ // DefaultMTLSEndpointTemplate combined with UniverseDomain specifies the
+ // default mTLS endpoint.
+ DefaultMTLSEndpointTemplate string
 // DefaultScopes specifies the default OAuth2 scopes to be used for a
 // service.
 DefaultScopes []string
@@ -244,7 +245,7 @@ func dial(ctx context.Context, secure bool, opts *Options) (*grpc.ClientConn, er
 }
 if io := opts.InternalOptions; io != nil {
 tOpts.DefaultEndpointTemplate = io.DefaultEndpointTemplate
- tOpts.DefaultMTLSEndpoint = io.DefaultMTLSEndpoint
+ tOpts.DefaultMTLSEndpointTemplate = io.DefaultMTLSEndpointTemplate
 tOpts.EnableDirectPath = io.EnableDirectPath
 tOpts.EnableDirectPathXds = io.EnableDirectPathXds
 }
diff --git a/auth/httptransport/httptransport.go b/auth/httptransport/httptransport.go
index cbe5a7a40a77..2434859fcfd6 100644
--- a/auth/httptransport/httptransport.go
+++ b/auth/httptransport/httptransport.go
@@ -141,8 +141,9 @@ type InternalOptions struct {
 // DefaultEndpointTemplate combined with UniverseDomain specifies the
 // default endpoint.
 DefaultEndpointTemplate string
- // DefaultMTLSEndpoint specifies the default mTLS endpoint.
- DefaultMTLSEndpoint string
+ // DefaultMTLSEndpointTemplate combined with UniverseDomain specifies the
+ // default mTLS endpoint.
+ DefaultMTLSEndpointTemplate string
 // DefaultScopes specifies the default OAuth2 scopes to be used for a
 // service.
 DefaultScopes []string
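Review bot: The new comment on `DefaultMTLSEndpointTemplate` (here and on the identical field in auth/httptransport/httptransport.go) does not say which placeholder the template must contain or what happens when it is absent. The tests in this commit use the literal token `UNIVERSE_DOMAIN`, and a value without it appears to be returned verbatim by `defaultMTLSEndpoint` in cba.go, so a caller that keeps passing a fixed mTLS URL under the renamed field would still have its client certificate presented to that fixed host in every universe. I would extend the comment to `// DefaultMTLSEndpointTemplate combined with UniverseDomain specifies the default mTLS endpoint. It must contain the UNIVERSE_DOMAIN placeholder; a value without it is used unchanged.` The struct body continues outside both hunks.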
@@ -200,7 +201,7 @@ func NewClient(opts *Options) (*http.Client, error) {
 }
 if io := opts.InternalOptions; io != nil {
 tOpts.DefaultEndpointTemplate = io.DefaultEndpointTemplate
- tOpts.DefaultMTLSEndpoint = io.DefaultMTLSEndpoint
+ tOpts.DefaultMTLSEndpointTemplate = io.DefaultMTLSEndpointTemplate
 }
 clientCertProvider, dialTLSContext, err := transport.GetHTTPTransportConfig(tOpts)
 if err != nil {
diff --git a/auth/internal/transport/cba.go b/auth/internal/transport/cba.go
index f606888f1204..c2d8e28fc21e 100644
--- a/auth/internal/transport/cba.go
+++ b/auth/internal/transport/cba.go
@@ -51,22 +51,18 @@ const (
 mtlsMDSKey = "/run/google-mds-mtls/client.key"
 )
-var (
- errUniverseNotSupportedMTLS = errors.New("mTLS is not supported in any universe other than googleapis.com")
-)
-
 // Options is a struct that is duplicated information from the individual
 // transport packages in order to avoid cyclic deps. It correlates 1:1 with
 // fields on httptransport.Options and grpctransport.Options.
 type Options struct {
- Endpoint string
- DefaultMTLSEndpoint string
- DefaultEndpointTemplate string
- ClientCertProvider cert.Provider
- Client *http.Client
- UniverseDomain string
- EnableDirectPath bool
- EnableDirectPathXds bool
+ Endpoint string
+ DefaultEndpointTemplate string
+ DefaultMTLSEndpointTemplate string
+ ClientCertProvider cert.Provider
+ Client *http.Client
+ UniverseDomain string
+ EnableDirectPath bool
+ EnableDirectPathXds bool
 }
 // getUniverseDomain returns the default service domain for a given Cloud
@@ -94,6 +90,16 @@ func (o *Options) defaultEndpoint() string {
 return strings.Replace(o.DefaultEndpointTemplate, universeDomainPlaceholder, o.getUniverseDomain(), 1)
 }
+// defaultMTLSEndpoint returns the DefaultMTLSEndpointTemplate merged with the
+// universe domain if the DefaultMTLSEndpointTemplate is set, otherwise returns an
+// empty string.
+func (o *Options) defaultMTLSEndpoint() string {
+ if o.DefaultMTLSEndpointTemplate == "" {
+ return ""
+ }
+ return strings.Replace(o.DefaultMTLSEndpointTemplate, universeDomainPlaceholder, o.getUniverseDomain(), 1)
+}
+
 // mergedEndpoint merges a user-provided Endpoint of format host[:port] with the
 // default endpoint.
 func (o *Options) mergedEndpoint() (string, error) {
@@ -256,9 +262,6 @@ func getTransportConfig(opts *Options) (*transportConfig, error) {
 if !shouldUseS2A(clientCertSource, opts) {
 return &defaultTransportConfig, nil
 }
- if !opts.isUniverseDomainGDU() {
- return nil, errUniverseNotSupportedMTLS
- }
 s2aAddress := GetS2AAddress()
 mtlsS2AAddress := GetMTLSS2AAddress()
@@ -270,7 +273,7 @@ func getTransportConfig(opts *Options) (*transportConfig, error) {
 endpoint: endpoint,
 s2aAddress: s2aAddress,
 mtlsS2AAddress: mtlsS2AAddress,
- s2aMTLSEndpoint: opts.DefaultMTLSEndpoint,
+ s2aMTLSEndpoint: opts.defaultMTLSEndpoint(),
 }, nil
 }
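Review bot: `defaultMTLSEndpoint` returns the template unchanged when it does not contain `universeDomainPlaceholder`, because `strings.Replace` then has nothing to substitute. Combined with the removal of the `isUniverseDomainGDU` guard in `getTransportConfig` (next hunk) and in `getEndpoint`, a non-default universe configured with a fixed mTLS URL is no longer rejected, and the client certificate is presented to whatever host the template names. Consider keeping a fail-closed check for that one case at the two call sites, for example `if !opts.isUniverseDomainGDU() && !strings.Contains(opts.DefaultMTLSEndpointTemplate, universeDomainPlaceholder) { return nil, errUniverseNotSupportedMTLS }`, which would mean retaining the sentinel error this commit deletes. Whether `UniverseDomain` is validated as a host name before it is spliced into the URL is not visible in this diff and is worth confirming.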
@@ -316,24 +319,23 @@ type transportConfig struct {
 // getEndpoint returns the endpoint for the service, taking into account the
 // user-provided endpoint override "settings.Endpoint".
 //
-// If no endpoint override is specified, we will either return the default endpoint or
-// the default mTLS endpoint if a client certificate is available.
+// If no endpoint override is specified, we will either return the default
+// endpoint or the default mTLS endpoint if a client certificate is available.
 //
-// You can override the default endpoint choice (mtls vs. regular) by setting the
-// GOOGLE_API_USE_MTLS_ENDPOINT environment variable.
+// You can override the default endpoint choice (mTLS vs. regular) by setting
+// the GOOGLE_API_USE_MTLS_ENDPOINT environment variable.
 //
 // If the endpoint override is an address (host:port) rather than full base
 // URL (ex. https://...), then the user-provided address will be merged into
 // the default endpoint. For example, WithEndpoint("myhost:8000") and
-// DefaultEndpointTemplate("https://UNIVERSE_DOMAIN/bar/baz") will return "https://myhost:8080/bar/baz"
+// DefaultEndpointTemplate("https://UNIVERSE_DOMAIN/bar/baz") will return
+// "https://myhost:8080/bar/baz". Note that this does not apply to the mTLS
+// endpoint.
 func getEndpoint(opts *Options, clientCertSource cert.Provider) (string, error) {
 if opts.Endpoint == "" {
 mtlsMode := getMTLSMode()
 if mtlsMode == mTLSModeAlways || (clientCertSource != nil && mtlsMode == mTLSModeAuto) {
- if !opts.isUniverseDomainGDU() {
- return "", errUniverseNotSupportedMTLS
- }
- return opts.DefaultMTLSEndpoint, nil
+ return opts.defaultMTLSEndpoint(), nil
 }
 return opts.defaultEndpoint(), nil
 }
diff --git a/auth/internal/transport/cba_test.go b/auth/internal/transport/cba_test.go
index 3c0a90269ac4..e60d4e21e9fe 100644
--- a/auth/internal/transport/cba_test.go
+++ b/auth/internal/transport/cba_test.go
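Review bot: In the mTLS branch `getEndpoint` returns `opts.defaultMTLSEndpoint(), nil`, which is an empty string with a nil error whenever mTLS is selected (`mTLSModeAlways`, or a client certificate in auto mode) and `DefaultMTLSEndpointTemplate` is unset. The removed code returned the empty field the same way, but since this hunk rewrites the branch it is a natural place to make the case explicit, for example `if ep := opts.defaultMTLSEndpoint(); ep != "" { return ep, nil }` followed by a descriptive error rather than handing the caller an empty target. The doc comment rewrapped here also still pairs `WithEndpoint("myhost:8000")` with a result of `https://myhost:8080/bar/baz`, so one of the two ports is a typo. The function body continues outside the hunk.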
@@ -26,12 +26,14 @@ import ( ) const ( - testMTLSEndpoint = "https://test.mtls.googleapis.com/" - testEndpointTemplate = "https://test.UNIVERSE_DOMAIN/" - testRegularEndpoint = "https://test.googleapis.com/" - testOverrideEndpoint = "https://test.override.example.com/" - testUniverseDomain = "example.com" - testUniverseDomainEndpoint = "https://test.example.com/" + testEndpointTemplate = "https://test.UNIVERSE_DOMAIN/" + testMTLSEndpointTemplate = "https://test.mtls.UNIVERSE_DOMAIN/" + testDefaultUniverseEndpoint = "https://test.googleapis.com/" + testDefaultUniverseMTLSEndpoint = "https://test.mtls.googleapis.com/" + testOverrideEndpoint = "https://test.override.example.com/" + testUniverseDomain = "example.com" + testUniverseDomainEndpoint = "https://test.example.com/" + testUniverseDomainMTLSEndpoint = "https://test.mtls.example.com/" ) var ( @@ -260,9 +262,9 @@ func TestGetEndpointWithClientCertSource(t *testing.T) { for _, tc := range testCases { t.Run(tc.want, func(t *testing.T) { got, err := getEndpoint(&Options{ - Endpoint: tc.endpoint, - DefaultEndpointTemplate: tc.defaultEndpointTemplate, - DefaultMTLSEndpoint: tc.defaultMTLSEndpoint, + Endpoint: tc.endpoint, + DefaultEndpointTemplate: tc.defaultEndpointTemplate, + DefaultMTLSEndpointTemplate: tc.defaultMTLSEndpoint, }, fakeClientCertSource) if tc.wantErr && err == nil { t.Fatalf("want err, got nil err") 
@@ -287,57 +289,57 @@ func TestGetGRPCTransportConfigAndEndpoint_S2A(t *testing.T) { { name: "has client cert", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, - ClientCertProvider: fakeClientCertSource, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + ClientCertProvider: fakeClientCertSource, }, s2ARespFn: validConfigResp, - want: testMTLSEndpoint, + want: testDefaultUniverseMTLSEndpoint, }, { name: "no client cert, S2A address not empty", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, s2ARespFn: validConfigResp, - want: testMTLSEndpoint, + want: testDefaultUniverseMTLSEndpoint, }, { name: "no client cert, S2A address not empty, EnableDirectPath == true", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, - EnableDirectPath: true, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + EnableDirectPath: true, }, s2ARespFn: validConfigResp, - want: testRegularEndpoint, + want: testDefaultUniverseEndpoint, }, { name: "no client cert, S2A address not empty, EnableDirectPathXds == true", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, - EnableDirectPathXds: true, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + EnableDirectPathXds: true, }, s2ARespFn: validConfigResp, - want: testRegularEndpoint, + want: testDefaultUniverseEndpoint, }, { name: "no client cert, S2A address empty", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: 
testMTLSEndpointTemplate, }, s2ARespFn: invalidConfigResp, - want: testRegularEndpoint, + want: testDefaultUniverseEndpoint, }, { name: "no client cert, S2A address not empty, override endpoint", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, - Endpoint: testOverrideEndpoint, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + Endpoint: testOverrideEndpoint, }, s2ARespFn: validConfigResp, want: testOverrideEndpoint, @@ -345,29 +347,29 @@ func TestGetGRPCTransportConfigAndEndpoint_S2A(t *testing.T) { { "no client cert, S2A address not empty, DefaultMTLSEndpoint not set", &Options{ - DefaultMTLSEndpoint: "", - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: "", }, validConfigResp, - testRegularEndpoint, + testDefaultUniverseEndpoint, }, { "no client cert, MTLS S2A address not empty, no MTLS MDS cert", &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, validConfigRespMTLSS2A, - testRegularEndpoint, + testDefaultUniverseEndpoint, }, { "no client cert, dual S2A addresses, no MTLS MDS cert", &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, validConfigRespDualS2A, - testMTLSEndpoint, + testDefaultUniverseMTLSEndpoint, }, } defer setupTest(t)() 
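Review bot: None of the S2A cases in this table sets `UniverseDomain`, so the path that `getTransportConfig` newly permits, S2A with a non-default universe where `s2aMTLSEndpoint` comes from `defaultMTLSEndpoint()`, is not exercised here. I would add a case with `UniverseDomain: testUniverseDomain`, `DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate` and `s2ARespFn: validConfigResp`, expecting `testUniverseDomainMTLSEndpoint` if the S2A path is taken. The case name `"no client cert, S2A address not empty, DefaultMTLSEndpoint not set"` in the following hunk also still refers to the old field name. The table declaration and the assertion loop are outside these hunks, so I am assuming `want` is compared with the returned endpoint.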
@@ -399,39 +401,39 @@ func TestGetHTTPTransportConfig_S2A(t *testing.T) { { name: "has client cert", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, - ClientCertProvider: fakeClientCertSource, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + ClientCertProvider: fakeClientCertSource, }, s2ARespFn: validConfigResp, - want: testMTLSEndpoint, + want: testMTLSEndpointTemplate, isDialFnNil: true, }, { name: "no client cert, S2A address not empty", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, s2ARespFn: validConfigResp, - want: testMTLSEndpoint, + want: testMTLSEndpointTemplate, }, { name: "no client cert, S2A address empty", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, s2ARespFn: invalidConfigResp, - want: testRegularEndpoint, + want: testDefaultUniverseEndpoint, isDialFnNil: true, }, { name: "no client cert, S2A address not empty, override endpoint", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, - Endpoint: testOverrideEndpoint, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + Endpoint: testOverrideEndpoint, }, s2ARespFn: validConfigResp, want: testOverrideEndpoint, 
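Review bot: The two mTLS cases in this hunk ("has client cert" and "no client cert, S2A address not empty"), and the dual-S2A case in the next hunk, now expect `want: testMTLSEndpointTemplate`, which is the unresolved string `https://test.mtls.UNIVERSE_DOMAIN/`, whereas the gRPC table expects `testDefaultUniverseMTLSEndpoint` for the same inputs. If `want` is asserted anywhere, this pins the placeholder as if it were a real host; if it is not asserted (the loop is outside the hunk), the field is dead and the value is misleading to the next reader. Either way `want: testDefaultUniverseMTLSEndpoint` matches what the code resolves for the default universe.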
@@ -440,42 +442,42 @@ func TestGetHTTPTransportConfig_S2A(t *testing.T) { { name: "no client cert, S2A address not empty, but DefaultMTLSEndpoint is not set", opts: &Options{ - DefaultMTLSEndpoint: "", - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: "", }, s2ARespFn: validConfigResp, - want: testRegularEndpoint, + want: testDefaultUniverseEndpoint, isDialFnNil: true, }, { name: "no client cert, S2A address not empty, custom HTTP client", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, - Client: http.DefaultClient, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + Client: http.DefaultClient, }, s2ARespFn: validConfigResp, - want: testRegularEndpoint, + want: testDefaultUniverseEndpoint, isDialFnNil: true, }, { name: "no client cert, MTLS S2A address not empty, no MTLS MDS cert", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, s2ARespFn: validConfigRespMTLSS2A, - want: testRegularEndpoint, + want: testDefaultUniverseEndpoint, isDialFnNil: true, }, { name: "no client cert, dual S2A addresses, no MTLS MDS cert", opts: &Options{ - DefaultMTLSEndpoint: testMTLSEndpoint, - DefaultEndpointTemplate: testEndpointTemplate, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, s2ARespFn: validConfigRespDualS2A, - want: testMTLSEndpoint, + want: testMTLSEndpointTemplate, isDialFnNil: false, }, } 
@@ -556,52 +558,50 @@ func TestGetTransportConfig_UniverseDomain(t *testing.T) { name string opts *Options wantEndpoint string - wantErr error }{ { name: "google default universe (GDU), no client cert, template is regular endpoint", opts: &Options{ - DefaultEndpointTemplate: testRegularEndpoint, - DefaultMTLSEndpoint: testMTLSEndpoint, + DefaultEndpointTemplate: testDefaultUniverseEndpoint, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, - wantEndpoint: testRegularEndpoint, + wantEndpoint: testDefaultUniverseEndpoint, }, { name: "google default universe (GDU), no client cert", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, - wantEndpoint: testRegularEndpoint, + wantEndpoint: testDefaultUniverseEndpoint, }, { name: "google default universe (GDU), client cert", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - ClientCertProvider: fakeClientCertSource, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + ClientCertProvider: fakeClientCertSource, }, - wantEndpoint: testMTLSEndpoint, + wantEndpoint: testDefaultUniverseMTLSEndpoint, }, { name: "UniverseDomain, no client cert", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - UniverseDomain: testUniverseDomain, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + UniverseDomain: testUniverseDomain, }, wantEndpoint: testUniverseDomainEndpoint, }, { name: "UniverseDomain, client cert", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - UniverseDomain: testUniverseDomain, - ClientCertProvider: fakeClientCertSource, + DefaultEndpointTemplate: testEndpointTemplate, + 
DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + UniverseDomain: testUniverseDomain, + ClientCertProvider: fakeClientCertSource, }, - wantEndpoint: testUniverseDomainEndpoint, - wantErr: errUniverseNotSupportedMTLS, + wantEndpoint: testUniverseDomainMTLSEndpoint, }, } @@ -614,9 +614,7 @@ func TestGetTransportConfig_UniverseDomain(t *testing.T) { } config, err := getTransportConfig(tc.opts) if err != nil { - if err != tc.wantErr { - t.Fatalf("err: %v", err) - } + t.Fatalf("err: %v", err) } else { if tc.wantEndpoint != config.endpoint { t.Errorf("want endpoint: %s, got %s", tc.wantEndpoint, config.endpoint) 
@@ -631,81 +629,80 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) { name string opts *Options wantEndpoint string - wantErr error }{ { name: "google default universe (GDU), no client cert", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, }, - wantEndpoint: testRegularEndpoint, + wantEndpoint: testDefaultUniverseEndpoint, }, { name: "google default universe (GDU), no client cert, endpoint", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - Endpoint: testOverrideEndpoint, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + Endpoint: testOverrideEndpoint, }, wantEndpoint: testOverrideEndpoint, }, { name: "google default universe (GDU), client cert", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - ClientCertProvider: fakeClientCertSource, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + ClientCertProvider: fakeClientCertSource, }, - wantEndpoint: testMTLSEndpoint, + wantEndpoint: testDefaultUniverseMTLSEndpoint, }, { name: "google default universe (GDU), client cert, endpoint", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - ClientCertProvider: fakeClientCertSource, - Endpoint: testOverrideEndpoint, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + ClientCertProvider: fakeClientCertSource, + Endpoint: testOverrideEndpoint, }, wantEndpoint: testOverrideEndpoint, }, { name: "UniverseDomain, no client cert", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - UniverseDomain: 
testUniverseDomain, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + UniverseDomain: testUniverseDomain, }, wantEndpoint: testUniverseDomainEndpoint, }, { name: "UniverseDomain, no client cert, endpoint", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - UniverseDomain: testUniverseDomain, - Endpoint: testOverrideEndpoint, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + UniverseDomain: testUniverseDomain, + Endpoint: testOverrideEndpoint, }, wantEndpoint: testOverrideEndpoint, }, { name: "UniverseDomain, client cert", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - UniverseDomain: testUniverseDomain, - ClientCertProvider: fakeClientCertSource, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + UniverseDomain: testUniverseDomain, + ClientCertProvider: fakeClientCertSource, }, - wantErr: errUniverseNotSupportedMTLS, + wantEndpoint: testUniverseDomainMTLSEndpoint, }, { name: "UniverseDomain, client cert, endpoint", opts: &Options{ - DefaultEndpointTemplate: testEndpointTemplate, - DefaultMTLSEndpoint: testMTLSEndpoint, - UniverseDomain: testUniverseDomain, - ClientCertProvider: fakeClientCertSource, - Endpoint: testOverrideEndpoint, + DefaultEndpointTemplate: testEndpointTemplate, + DefaultMTLSEndpointTemplate: testMTLSEndpointTemplate, + UniverseDomain: testUniverseDomain, + ClientCertProvider: fakeClientCertSource, + Endpoint: testOverrideEndpoint, }, wantEndpoint: testOverrideEndpoint, }, 
@@ -720,9 +717,7 @@ func TestGetGRPCTransportCredsAndEndpoint_UniverseDomain(t *testing.T) {
 }
 _, endpoint, err := GetGRPCTransportCredsAndEndpoint(tc.opts)
 if err != nil {
- if err != tc.wantErr {
- t.Fatalf("err: %v", err)
- }
+ t.Fatalf("err: %v", err)
 } else {
 if tc.wantEndpoint != endpoint {
 t.Errorf("want endpoint: %s, got %s", tc.wantEndpoint, endpoint)
@@ -745,7 +740,7 @@ func TestGetClientCertificateProvider(t *testing.T) {
 opts: &Options{
 UniverseDomain: internal.DefaultUniverseDomain,
 ClientCertProvider: fakeClientCertSource,
- Endpoint: testRegularEndpoint,
+ Endpoint: testDefaultUniverseEndpoint,
 },
 useCertEnvVar: "false",
 wantCertProvider: nil,
@@ -765,7 +760,7 @@ func TestGetClientCertificateProvider(t *testing.T) {
 opts: &Options{
 UniverseDomain: internal.DefaultUniverseDomain,
 ClientCertProvider: fakeClientCertSource,
- Endpoint: testRegularEndpoint,
+ Endpoint: testDefaultUniverseEndpoint,
 },
 useCertEnvVar: "unset",
 wantCertProvider: fakeClientCertSource,
diff --git a/auth/internal/transport/s2a.go b/auth/internal/transport/s2a.go
index 37894bfcd013..2119a20b064e 100644
--- a/auth/internal/transport/s2a.go
+++ b/auth/internal/transport/s2a.go
@@ -114,7 +114,7 @@ func shouldUseS2A(clientCertSource cert.Provider, opts *Options) bool {
 return false
 }
 // If DefaultMTLSEndpoint is not set or has endpoint override, skip S2A.
- if opts.DefaultMTLSEndpointTemplate == "" || opts.Endpoint != "" {
+ if opts.DefaultMTLSEndpointTemplate == "" || opts.Endpoint != "" {
 return false
 }
 // If custom HTTP client is provided, skip S2A.
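Review bot: The comment above the changed condition in `shouldUseS2A` still names `DefaultMTLSEndpoint`, a field that no longer exists after this commit; it should read `// If DefaultMTLSEndpointTemplate is not set or has endpoint override, skip S2A.`. The condition only tests that the template is non-empty, so with the universe guard removed from `getTransportConfig`, S2A is now attempted for any universe domain. If that is the intent, a sentence saying so at this check would help the next reader, since this is now the only gate on that path that is visible in the diff. The function starts and ends outside the hunk.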