feat: Make ComputeCredential accept scopes.

Towards #2033
Addresses #2089

Author: amanda-tarafa

Src/Support/Google.Apis.Auth.Tests/OAuth2/ComputeCredentialTests.cs

@@ -18,6 +18,8 @@ limitations under the License.
 using Google.Apis.Http;
 using Google.Apis.Tests.Mocks;
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Threading.Tasks;
 using Xunit;
 using static Google.Apis.Auth.JsonWebSignature;
@@ -153,5 +155,99 @@ public async Task FetchesOidcToken_WithOptions(OidcTokenFormat format, string ta
 
             Assert.Equal(expectedQueryString, messageHandler.LatestRequest.RequestUri.Query);
         }
+
+        public static IEnumerable<object[]> Scoped_WithDefaultTokenUrl_Data
+        {
+            get
+            {
+                // explicit scopes, expected token URL
+                yield return new object[] { null, GoogleAuthConsts.EffectiveComputeTokenUrl };
+                yield return new object[] {new string[] { "scope1", "scope2"}, $"{GoogleAuthConsts.EffectiveComputeTokenUrl}?scopes=scope1,scope2" };
+            }
+        }
+
+        public static IEnumerable<object[]> Scoped_WithCustomTokenUrl_Data
+        {
+            get
+            {
+                // explicit scopes, custom token URL, expected token URL
+                yield return new object[] { null, "https://custom.metadata.server/compute/token", "https://custom.metadata.server/compute/token" };
+                yield return new object[] { null, "https://custom.metadata.server/compute/token?parameter=value", "https://custom.metadata.server/compute/token?parameter=value" };
+                yield return new object[] { new string[] { "scope1", "scope2" }, "https://custom.metadata.server/compute/token", "https://custom.metadata.server/compute/token?scopes=scope1,scope2" };
+                yield return new object[] { new string[] { "scope1", "scope2" }, "https://custom.metadata.server/compute/token?parameter=value", "https://custom.metadata.server/compute/token?parameter=value&scopes=scope1,scope2" };
+            }
+        }
+
+        private void AssertScoped(ComputeCredential credential, string[] scopes, string expectedTokenUrl)
+        {
+            Assert.Collection(credential.Scopes ?? Enumerable.Empty<string>(),
+                (scopes?.Select<string, Action<string>>(expectedScope => actualScope => Assert.Equal(expectedScope, actualScope)) ?? Enumerable.Empty<Action<string>>()).ToArray());
+            Assert.Equal(expectedTokenUrl, credential.EffectiveTokenServerUrl);
+        }
+
+        private async Task AssertUsesScopedUrl(ComputeCredential credential, FetchesTokenMessageHandler fakeMessageHandler, string expectedTokenUrl)
+        {
+            Assert.NotNull(await credential.GetAccessTokenForRequestAsync());
+            Assert.Equal(1, fakeMessageHandler.Calls);
+            Assert.Equal(expectedTokenUrl, fakeMessageHandler.Requests.First().RequestUri.AbsoluteUri);
+        }
+
+        [Theory]
+        [MemberData(nameof(Scoped_WithDefaultTokenUrl_Data))]
+        public async Task Scoped_Initializer_WithDefaultTokenUrl(string[] scopes, string expectedTokenUrl)
+        {
+            var fakeMessageHandler = new FetchesTokenMessageHandler();
+            var credential = new ComputeCredential(new ComputeCredential.Initializer()
+            {
+                Scopes = scopes,
+                HttpClientFactory = new MockHttpClientFactory(fakeMessageHandler)
+            });
+
+            AssertScoped(credential, scopes, expectedTokenUrl);
+            await AssertUsesScopedUrl(credential, fakeMessageHandler, expectedTokenUrl);
+        }
+
+        [Theory]
+        [MemberData(nameof(Scoped_WithDefaultTokenUrl_Data))]
+        public async Task Scoped_MaybeWithScopes_WithDefaultTokenUrl(string[] scopes, string expectedTokenUrl)
+        {
+            var fakeMessageHandler = new FetchesTokenMessageHandler();
+            var credential = (new ComputeCredential(new ComputeCredential.Initializer()
+            {
+                HttpClientFactory = new MockHttpClientFactory(fakeMessageHandler)
+            }) as IGoogleCredential).MaybeWithScopes(scopes) as ComputeCredential;
+            
+            AssertScoped(credential, scopes, expectedTokenUrl);
+            await AssertUsesScopedUrl(credential, fakeMessageHandler, expectedTokenUrl);
+        }
+
+        [Theory]
+        [MemberData(nameof(Scoped_WithCustomTokenUrl_Data))]
+        public async Task Scoped_Initializer_WithCustomTokenUrl(string[] scopes, string customTokenUrl, string expectedTokenUrl)
+        {
+            var fakeMessageHandler = new FetchesTokenMessageHandler();
+            var credential = new ComputeCredential(new ComputeCredential.Initializer(customTokenUrl)
+            {
+                Scopes = scopes,
+                HttpClientFactory = new MockHttpClientFactory(fakeMessageHandler)
+            });
+
+            AssertScoped(credential, scopes, expectedTokenUrl);
+            await AssertUsesScopedUrl(credential, fakeMessageHandler, expectedTokenUrl);
+        }
+
+        [Theory]
+        [MemberData(nameof(Scoped_WithCustomTokenUrl_Data))]
+        public async Task Scoped_MaybeWithScopes_WithCustomTokenUrl(string[] scopes, string customTokenUrl, string expectedTokenUrl)
+        {
+            var fakeMessageHandler = new FetchesTokenMessageHandler();
+            var credential = (new ComputeCredential(new ComputeCredential.Initializer(customTokenUrl)
+            {
+                HttpClientFactory = new MockHttpClientFactory(fakeMessageHandler)
+            }) as IGoogleCredential).MaybeWithScopes(scopes) as ComputeCredential;
+
+            AssertScoped(credential, scopes, expectedTokenUrl);
+            await AssertUsesScopedUrl(credential, fakeMessageHandler, expectedTokenUrl);
+        }
     }
 }

Src/Support/Google.Apis.Auth/OAuth2/ComputeCredential.cs

@@ -68,10 +68,12 @@ public class ComputeCredential : ServiceCredential, IOidcTokenProvider, IGoogleC
         public string OidcTokenUrl { get; }
 
         /// <inheritdoc/>
-        bool IGoogleCredential.HasExplicitScopes => false;
+        bool IGoogleCredential.HasExplicitScopes => HasExplicitScopes;
 
         /// <inheritdoc/>
-        bool IGoogleCredential.SupportsExplicitScopes => false;
+        bool IGoogleCredential.SupportsExplicitScopes => true;
+
+        internal string EffectiveTokenServerUrl { get; }
 
         /// <summary>
         /// An initializer class for the Compute credential. It uses <see cref="GoogleAuthConsts.ComputeTokenUrl"/>
@@ -107,14 +109,38 @@ internal Initializer(ComputeCredential other)
         public ComputeCredential() : this(new Initializer()) { }
 
         /// <summary>Constructs a new Compute credential instance.</summary>
-        public ComputeCredential(Initializer initializer) : base(initializer) => OidcTokenUrl = initializer.OidcTokenUrl;
+        public ComputeCredential(Initializer initializer) : base(initializer)
+        {
+            OidcTokenUrl = initializer.OidcTokenUrl;
+            if (HasExplicitScopes)
+            {
+                var uriBuilder = new UriBuilder(TokenServerUrl);
+                string scopesQuery = $"scopes={string.Join(",", Scopes)}";
+
+                // As per https://docs.microsoft.com/en-us/dotnet/api/system.uribuilder.query?view=net-6.0#examples
+                if (uriBuilder.Query is null || uriBuilder.Query.Length <= 1)
+                {
+                    uriBuilder.Query = scopesQuery;
+                }
+                else
+                {
+                    uriBuilder.Query = $"{uriBuilder.Query.Substring(1)}&{scopesQuery}";
+                }
+                EffectiveTokenServerUrl = uriBuilder.Uri.AbsoluteUri;
+            }
+            else
+            {
+                EffectiveTokenServerUrl = TokenServerUrl;
+            }
+        }
 
         /// <inheritdoc/>
         IGoogleCredential IGoogleCredential.WithQuotaProject(string quotaProject) =>
             new ComputeCredential(new Initializer(this) { QuotaProject = quotaProject });
 
         /// <inheritdoc/>
-        IGoogleCredential IGoogleCredential.MaybeWithScopes(IEnumerable<string> scopes) => this;
+        IGoogleCredential IGoogleCredential.MaybeWithScopes(IEnumerable<string> scopes) =>
+            new ComputeCredential(new Initializer(this) { Scopes = scopes });
 
         /// <inheritdoc/>
         IGoogleCredential IGoogleCredential.WithUserForDomainWideDelegation(string user) =>
@@ -130,7 +156,7 @@ IGoogleCredential IGoogleCredential.WithHttpClientFactory(IHttpClientFactory htt
         public override async Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)
         {
             // Create and send the HTTP request to compute server token URL.
-            var httpRequest = new HttpRequestMessage(HttpMethod.Get, TokenServerUrl);
+            var httpRequest = new HttpRequestMessage(HttpMethod.Get, EffectiveTokenServerUrl);
             httpRequest.Headers.Add(MetadataFlavor, GoogleMetadataHeader);
             var response = await HttpClient.SendAsync(httpRequest, taskCancellationToken).ConfigureAwait(false);
             Token = await TokenResponse.FromHttpResponseAsync(response, Clock, Logger).ConfigureAwait(false);

Src/Support/Google.Apis.Auth/OAuth2/GoogleCredential.cs

@@ -218,8 +218,12 @@ public static GoogleCredential FromComputeCredential(ComputeCredential computeCr
         /// <list type="number">
         /// <item>
         /// <description>
-        /// <see cref="ComputeCredential"/> is scoped by default. This library doesn't currently
-        /// support explicit scopes to be set on a <see cref="ComputeCredential"/>.
+        /// <see cref="ComputeCredential"/> is scoped by default but in some environments it may be scoped
+        /// explicitly, for instance when running on GKE with Workload Identity or on AppEngine Flex.
+        /// It's possible to create a <see cref="ComputeCredential"/> with explicit scopes set by calling
+        /// <see cref="CreateScoped(IEnumerable{string})"/>. If running on an environment that does not
+        /// accept explicit scoping, for instance GCE where scopes are set on the VM, explicit scopes
+        /// will be ignored.
         /// </description>
         /// </item>
         /// <item>

Src/Support/Google.Apis.Tests/Mocks/CountableMessageHandler.cs

@@ -14,6 +14,8 @@ You may obtain a copy of the License at
 limitations under the License.
 */
 
+using System.Collections.Concurrent;
+using System.Collections.Generic;
 using System.Net.Http;
 using System.Threading;
 
@@ -22,19 +24,22 @@ namespace Google.Apis.Tests.Mocks
     /// <summary>Base mock message handler which counts the number of calls.</summary>
     public abstract class CountableMessageHandler : HttpMessageHandler
     {
-        private int calls;
+        private int _calls;
+        private readonly ConcurrentQueue<HttpRequestMessage> _requests = new ConcurrentQueue<HttpRequestMessage>();
 
         /// <summary>Gets or sets the calls counter.</summary>
         public int Calls
         {
-            get { return calls; }
-            set { calls = value; }
+            get { return _calls; }
         }
 
+        public IEnumerable<HttpRequestMessage> Requests { get => _requests; }
+
         sealed protected override System.Threading.Tasks.Task<HttpResponseMessage> SendAsync(HttpRequestMessage
             request, CancellationToken cancellationToken)
         {
-            Interlocked.Increment(ref calls);
+            Interlocked.Increment(ref _calls);
+            _requests.Enqueue(request);
             return SendAsyncCore(request, cancellationToken);
         }