From 7e7d2bae4fe6e6a173d5cfeeeadd1eca34469536 Mon Sep 17 00:00:00 2001 From: Prathamesh Bhagat Date: Wed, 15 Oct 2025 01:15:45 +0530 Subject: [PATCH 1/5] Add GCP auth login --- pom.xml | 11 +++- .../infisical/sdk/auth/GCPAuthProvider.java | 52 ++++++++++++++++ .../infisical/sdk/resources/AuthClient.java | 14 +++++ .../sdk/auth/GCPAuthIntegrationTest.java | 59 +++++++++++++++++++ 4 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java create mode 100644 src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java diff --git a/pom.xml b/pom.xml index 26697e2..339701e 100644 --- a/pom.xml +++ b/pom.xml @@ -95,7 +95,7 @@ ch.qos.logback logback-classic - 1.5.6 + 1.5.13 @@ -130,6 +130,15 @@ 2.34.8 true + + + + com.google.auth + google-auth-library-oauth2-http + 1.20.0 + true + + org.junit.jupiter diff --git a/src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java b/src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java new file mode 100644 index 0000000..f4ba6c0 --- /dev/null +++ b/src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java 
@@ -0,0 +1,52 @@
+package com.infisical.sdk.auth;
+
+import java.net.UnknownHostException;
+import java.util.Arrays;
+import java.util.HashMap;
+
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.auth.oauth2.IdTokenCredentials;
+import com.google.auth.oauth2.IdTokenProvider;
+import com.google.auth.oauth2.IdTokenProvider.Option;
+import com.infisical.sdk.util.InfisicalException;
+
+public class GCPAuthProvider {
+
+ public static HashMap getGCPAuthInput(String identityId) throws InfisicalException{
+
+ if ( identityId == null || identityId.isEmpty() )
+
+ throw new InfisicalException( "Infisical Identity ID is required");
+
+ try{
+
+ // This will fetch credentials from environment variable named GOOGLE_APPLICATION_CREDENTIALS or
+ // or if it's running in a GCP instance it will get them from the instance itself (GCP service account attached)
+ GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();
+
+ IdTokenCredentials idTokenCredentials =
+ IdTokenCredentials.newBuilder()
+ .setIdTokenProvider((IdTokenProvider) googleCredentials)
+ .setTargetAudience(identityId)
+ .setOptions(Arrays.asList(Option.FORMAT_FULL, Option.LICENSES_TRUE))
+ .build();
+
+ // Get the ID token.
+ String idToken = idTokenCredentials.refreshAccessToken().getTokenValue();
+
+ // Body cannot be a string so used a HashMap, you can use builder, POJO etc
+ HashMap body = new HashMap<>();
+ body.put("identityId", identityId);
+ body.put("jwt", idToken);
+
+ return body;
+
+ } catch (Exception e){
+ if (e.getCause() instanceof UnknownHostException) {
+ throw new InfisicalException("No network connection.");
+ }
+ throw new InfisicalException("Failed to fetch Google credentials: " + e.getMessage());
+ }
+
+ }
+}
diff --git a/src/main/java/com/infisical/sdk/resources/AuthClient.java b/src/main/java/com/infisical/sdk/resources/AuthClient.java
index bf334df..e694740 100644
--- a/src/main/java/com/infisical/sdk/resources/AuthClient.java
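Review bot: The cast `(IdTokenProvider) googleCredentials` in getGCPAuthInput is unchecked, so whenever the resolved Application Default Credentials type does not implement IdTokenProvider the caller gets a ClassCastException reworded by the catch-all as "Failed to fetch Google credentials". Guard it before building the token request with `if (!(googleCredentials instanceof IdTokenProvider)) { throw new InfisicalException("Application Default Credentials cannot issue ID tokens"); }`. The `catch (Exception e)` block also keeps only `e.getMessage()` and looks at a single level of `getCause()`, so the original stack trace is lost; if InfisicalException has a constructor that accepts a cause (not visible here), pass `e` through, and the same applies to the reworded branch in PATCH 5/5. The returned map holds the signed ID token, which is a bearer credential, so a short comment on the method saying the map must not be logged would help callers.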
+++ b/src/main/java/com/infisical/sdk/resources/AuthClient.java @@ -2,6 +2,7 @@ import com.infisical.sdk.api.ApiClient; import com.infisical.sdk.auth.AwsAuthProvider; +import com.infisical.sdk.auth.GCPAuthProvider; import com.infisical.sdk.models.AwsAuthLoginInput; import com.infisical.sdk.models.LdapAuthLoginInput; import com.infisical.sdk.models.MachineIdentityCredential; @@ -56,6 +57,19 @@ public void AwsAuthLogin(AwsAuthLoginInput input) throws InfisicalException { this.onAuthenticate.accept(credential.getAccessToken()); } + public void GCPAuthLogin(String identityId) throws InfisicalException { + + if (identityId == null || identityId.isEmpty()) + + throw new InfisicalException("Infisical Identity ID is required"); + + var url = String.format("%s%s", this.apiClient.GetBaseUrl(), "/api/v1/auth/gcp-auth/login"); + + var input = GCPAuthProvider.getGCPAuthInput(identityId); + var credential = this.apiClient.post(url, input, MachineIdentityCredential.class); + this.onAuthenticate.accept(credential.getAccessToken()); + } + public void SetAccessToken(String accessToken) { this.onAuthenticate.accept(accessToken); } diff --git a/src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java b/src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java new file mode 100644 index 0000000..e8609af --- /dev/null +++ b/src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java 
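Review bot: GCPAuthLogin is added without Javadoc, and nothing at the call site tells a caller that it reads Application Default Credentials from the environment and uses `identityId` as the ID-token audience. A comment such as `/** Logs in with a Google-signed ID token obtained from Application Default Credentials; identityId is used as the token audience. */` would cover it. If google-auth-library-oauth2-http is declared optional, as the `true` after its version in the pom.xml hunk suggests, the comment should also say the library must be on the classpath, since a missing class raises NoClassDefFoundError, which the provider's `catch (Exception e)` does not turn into an InfisicalException. The `if` guard is unbraced and separated from its `throw` by a blank line, which reads as two independent statements; `if (identityId == null || identityId.isEmpty()) { throw new InfisicalException("Infisical Identity ID is required"); }` is safer, and the same check is repeated in GCPAuthProvider.getGCPAuthInput.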
@@ -0,0 +1,59 @@
+package com.infisical.sdk.auth;
+
+import com.infisical.sdk.InfisicalSdk;
+import com.infisical.sdk.config.SdkConfig;
+import com.infisical.sdk.util.EnvironmentVariables;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+public class GCPAuthIntegrationTest {
+
+ private static final Logger logger = LoggerFactory.getLogger(GCPAuthIntegrationTest.class);
+ @Test
+ public void testGCPAuthAndFetchSecrets() {
+
+ try {
+
+ // Load env variables
+ var envVars = new EnvironmentVariables();
+
+ // Get Machine Identity Id
+ String machineIdentityId = System.getenv("INFISICAL_MACHINE_IDENTITY_ID");
+
+
+ // Check if env variable machine identity is set, others are already tested via env tests
+ assertNotNull(machineIdentityId, "INFISICAL_MACHINE_IDENTITY_ID env variable must be set");
+ assertFalse(machineIdentityId == "", "INFISICAL_MACHINE_IDENTITY_ID env variable must not be empty");
+
+
+ // Create SDK instance
+ var sdk = new InfisicalSdk(new SdkConfig.Builder()
+ .withSiteUrl(envVars.getSiteUrl())
+ .build()
+ );
+
+ // Authenticate using GCP Auth
+ assertDoesNotThrow(() -> {
+ sdk.Auth().GCPAuthLogin(machineIdentityId);
+ });
+
+ // Test if we have correctly logged in and we can list the secrets
+ var secrets = sdk.Secrets().ListSecrets(
+ envVars.getProjectId(),
+ "dev",
+ "/",
+ null,
+ null,
+ null);
+
+ logger.info("TestGCPAuth Successful");
+ logger.info("Secrets length : {}", secrets.size());
+
+ } catch (Exception e) {
+ throw new AssertionError(e);
+ }
+ }
+}
From 8bbeb4b6df056db35990db4b6ef07ab1893b48a7 Mon Sep 17 00:00:00 2001
From: PRATHAMESH BHAGAT <90595097+PrathameshBhagat@users.noreply.github.com>
Date: Thu, 16 Oct 2025 10:58:42 +0530
Subject: [PATCH 2/5] Update logback core and classic versions to 1.5.19
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 339701e..e2028ae 100644
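Review bot: testGCPAuthAndFetchSecrets runs unconditionally, so any build without live GCP credentials and INFISICAL_MACHINE_IDENTITY_ID set fails at `assertNotNull` instead of being skipped. Annotating the method with `@EnabledIfEnvironmentVariable(named = "INFISICAL_MACHINE_IDENTITY_ID", matches = ".+")` from org.junit.jupiter.api.condition keeps it out of ordinary runs and makes the two env-variable assertions unnecessary. The listing step is only logged, never checked; `assertNotNull(secrets);` after the ListSecrets call would make it part of the test. The outer `try`/`catch` that rethrows as AssertionError can go if the method declares `throws Exception`.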
--- a/pom.xml +++ b/pom.xml @@ -82,7 +82,7 @@ ch.qos.logback logback-core - 1.5.13 + 1.5.19 @@ -95,7 +95,7 @@ ch.qos.logback logback-classic - 1.5.13 + 1.5.19 From a8427e5245a2e5eaa72d59417ef2850cb11cc3b6 Mon Sep 17 00:00:00 2001 From: PRATHAMESH BHAGAT <90595097+PrathameshBhagat@users.noreply.github.com> Date: Thu, 16 Oct 2025 10:59:57 +0530 Subject: [PATCH 3/5] Update src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --- .../java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java b/src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java index e8609af..ec13f32 100644 --- a/src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java +++ b/src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java @@ -26,7 +26,7 @@ public void testGCPAuthAndFetchSecrets() { // Check if env variable machine identity is set, others are already tested via env tests assertNotNull(machineIdentityId, "INFISICAL_MACHINE_IDENTITY_ID env variable must be set"); - assertFalse(machineIdentityId == "", "INFISICAL_MACHINE_IDENTITY_ID env variable must not be empty"); +assertFalse(machineIdentityId.isEmpty(), "INFISICAL_MACHINE_IDENTITY_ID env variable must not be empty"); // Create SDK instance From 39758749c29dbdd075ae7048ff56bf4105a237c8 Mon Sep 17 00:00:00 2001 From: PRATHAMESH BHAGAT <90595097+PrathameshBhagat@users.noreply.github.com> Date: Thu, 16 Oct 2025 19:28:52 +0530 Subject: [PATCH 4/5] Fix whitespaces in GCPAuthLogin method --- src/main/java/com/infisical/sdk/resources/AuthClient.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/com/infisical/sdk/resources/AuthClient.java b/src/main/java/com/infisical/sdk/resources/AuthClient.java index e694740..c56d637 100644 
--- a/src/main/java/com/infisical/sdk/resources/AuthClient.java +++ b/src/main/java/com/infisical/sdk/resources/AuthClient.java @@ -59,7 +59,7 @@ public void AwsAuthLogin(AwsAuthLoginInput input) throws InfisicalException { public void GCPAuthLogin(String identityId) throws InfisicalException { - if (identityId == null || identityId.isEmpty()) + if (identityId == null||identityId.isEmpty()) throw new InfisicalException("Infisical Identity ID is required"); From 2f2d9e2770c978a2fb4ef407143ebfbd88eb46ca Mon Sep 17 00:00:00 2001 From: Prathamesh Bhagat Date: Thu, 16 Oct 2025 23:45:07 +0530 Subject: [PATCH 5/5] fix greptile issues, bump auth library, remove options and update error message --- pom.xml | 2 +- src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index e2028ae..b599ce3 100644 --- a/pom.xml +++ b/pom.xml @@ -135,7 +135,7 @@ com.google.auth google-auth-library-oauth2-http - 1.20.0 + 1.40.0 true diff --git a/src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java b/src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java index f4ba6c0..7ac3e2c 100644 --- a/src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java +++ b/src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java @@ -28,7 +28,6 @@ public static HashMap getGCPAuthInput(String identityId) throws I IdTokenCredentials.newBuilder() .setIdTokenProvider((IdTokenProvider) googleCredentials) .setTargetAudience(identityId) - .setOptions(Arrays.asList(Option.FORMAT_FULL, Option.LICENSES_TRUE)) .build(); // Get the ID token. @@ -43,7 +42,7 @@ public static HashMap getGCPAuthInput(String identityId) throws I } catch (Exception e){ if (e.getCause() instanceof UnknownHostException) { - throw new InfisicalException("No network connection."); + throw new InfisicalException("Unknown Host, may be check network connection ?"); } throw new InfisicalException("Failed to fetch Google credentials: " + e.getMessage()); }
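Review bot: Removing `.setOptions(...)` in PATCH 5/5 leaves `import java.util.Arrays;` and `import com.google.auth.oauth2.IdTokenProvider.Option;` from PATCH 1/5 unused, since this patch's diffstat shows no other deletions in GCPAuthProvider.java. Without FORMAT_FULL the ID token presumably no longer carries the instance and project details on Compute Engine, so if the server-side identity is restricted by project or zone, confirm that login still succeeds with the shorter token before merging. The new message `"Unknown Host, may be check network connection ?"` would read better as `"Unknown host; check the network connection."`. Both hunks sit inside getGCPAuthInput, whose body starts outside them.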