From f5b0bb5ac5ffd3d26c49135c6ce3cfb9167508b0 Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Thu, 1 Aug 2024 15:35:17 -0600
Subject: [PATCH] fix(transport): disable automatic universe domain check (#2717)
---
 internal/creds.go | 11 -----
 internal/settings.go | 3 +-
 transport/grpc/dial.go | 11 -----
 transport/http/dial.go | 11 -----
 transport/http/dial_test.go | 91 -------------------------------------
 5 files changed, 1 insertion(+), 126 deletions(-)
diff --git a/internal/creds.go b/internal/creds.go
index 5ea555ed01a..4ed22bd76e7 100644
--- a/internal/creds.go
+++ b/internal/creds.go
@@ -302,14 +302,3 @@ func baseTransport() *http.Transport {
 ExpectContinueTimeout: 1 * time.Second,
 }
 }
-
-// ErrUniverseNotMatch composes an error string from the provided universe
-// domain sources (DialSettings and Credentials, respectively).
-func ErrUniverseNotMatch(settingsUD, credsUD string) error {
- return fmt.Errorf(
- "the configured universe domain (%q) does not match the universe "+
- "domain found in the credentials (%q). If you haven't configured "+
- "WithUniverseDomain explicitly, \"googleapis.com\" is the default",
- settingsUD,
- credsUD)
-}
diff --git a/internal/settings.go b/internal/settings.go
index edba49af499..32949cccbd1 100644
--- a/internal/settings.go
+++ b/internal/settings.go
@@ -204,8 +204,7 @@ func (ds *DialSettings) IsUniverseDomainGDU() bool {
 }
 
 // GetUniverseDomain returns the default service domain for a given Cloud
-// universe, from google.Credentials, for comparison with the value returned by
-// (*DialSettings).GetUniverseDomain. This wrapper function should be removed
+// universe, from google.Credentials. This wrapper function should be removed
 // to close https://github.com/googleapis/google-api-go-client/issues/2399.
 func GetUniverseDomain(creds *google.Credentials) (string, error) {
 timer := time.NewTimer(time.Second)
diff --git a/transport/grpc/dial.go b/transport/grpc/dial.go
index 2f6359f2921..d2a4f76645a 100644
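Review bot: The rewritten doc comment on GetUniverseDomain in internal/settings.go drops the "for comparison with" clause but does not tell a reader that the comparison itself is gone. The other hunks of this patch delete it from dial in transport/grpc/dial.go and newTransport in transport/http/dial.go, so on those two paths a mismatch between the credentials' universe domain and (*DialSettings).GetUniverseDomain is no longer rejected when the client is built. Whether another layer performs the check is not visible here. I would add a line such as `// The transports no longer compare this value with (*DialSettings).GetUniverseDomain; callers that need a mismatch to fail must check it themselves.` The function body begins in this hunk with the one-second timer and continues outside it.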
--- a/transport/grpc/dial.go
+++ b/transport/grpc/dial.go
@@ -296,17 +296,6 @@ func dial(ctx context.Context, insecure bool, o *internal.DialSettings) (*grpc.C
 if err != nil {
 return nil, err
 }
- if o.TokenSource == nil {
- // We only validate non-tokensource creds, as TokenSource-based credentials
- // don't propagate universe.
- credsUniverseDomain, err := internal.GetUniverseDomain(creds)
- if err != nil {
- return nil, err
- }
- if o.GetUniverseDomain() != credsUniverseDomain {
- return nil, internal.ErrUniverseNotMatch(o.GetUniverseDomain(), credsUniverseDomain)
- }
- }
 grpcOpts = append(grpcOpts, grpc.WithPerRPCCredentials(grpcTokenSource{
 TokenSource: oauth.TokenSource{TokenSource: creds.TokenSource},
 quotaProject: internal.GetQuotaProject(creds, o.QuotaProject),
diff --git a/transport/http/dial.go b/transport/http/dial.go
index 3747d0df0b2..2e2b15c6e0c 100644
--- a/transport/http/dial.go
+++ b/transport/http/dial.go
@@ -182,17 +182,6 @@ func newTransport(ctx context.Context, base http.RoundTripper, settings *interna
 if err != nil {
 return nil, err
 }
- if settings.TokenSource == nil {
- // We only validate non-tokensource creds, as TokenSource-based credentials
- // don't propagate universe.
- credsUniverseDomain, err := internal.GetUniverseDomain(creds)
- if err != nil {
- return nil, err
- }
- if settings.GetUniverseDomain() != credsUniverseDomain {
- return nil, internal.ErrUniverseNotMatch(settings.GetUniverseDomain(), credsUniverseDomain)
- }
- }
 paramTransport.quotaProject = internal.GetQuotaProject(creds, settings.QuotaProject)
 ts := creds.TokenSource
 if settings.ImpersonationConfig == nil && settings.TokenSource != nil {
diff --git a/transport/http/dial_test.go b/transport/http/dial_test.go
index ccf299f4182..8ec4a361239 100644
--- a/transport/http/dial_test.go
+++ b/transport/http/dial_test.go
@@ -7,12 +7,7 @@ package http
 import (
 "context"
 "fmt"
- "strings"
 "testing"
-
- "golang.org/x/oauth2"
- "golang.org/x/oauth2/google"
- "google.golang.org/api/option"
 )
 
 func TestNewClient(t *testing.T) {
@@ -31,89 +26,3 @@ func TestNewClient(t *testing.T) {
 t.Fatalf("got %s, want: %s", got, want)
 }
 }
-
-func TestNewClient_MismatchedUniverseChecks(t *testing.T) {
- t.Setenv("GOOGLE_API_GO_EXPERIMENTAL_DISABLE_NEW_AUTH_LIB", "true")
- rootTokenScope := "https://www.googleapis.com/auth/cloud-platform"
- otherUniverse := "example.com"
- defaultUniverse := "googleapis.com"
- fakeCreds := `
- {"type": "service_account",
- "project_id": "some-project",
- "universe_domain": "UNIVERSE"}`
-
- // utility function to make a fake credential quickly
- makeFakeCredF := func(universe string) option.ClientOption {
- data := []byte(strings.ReplaceAll(fakeCreds, "UNIVERSE", universe))
- creds, _ := google.CredentialsFromJSON(context.Background(), data, rootTokenScope)
- return option.WithCredentials(creds)
- }
-
- testCases := []struct {
- description string
- opts []option.ClientOption
- wantErr bool
- }{
- {
- description: "default creds and no universe",
- opts: []option.ClientOption{
- option.WithCredentials(&google.Credentials{}),
- },
- wantErr: false,
- },
- {
- description: "default creds and default universe",
- opts: []option.ClientOption{
- option.WithCredentials(&google.Credentials{}),
- option.WithUniverseDomain(defaultUniverse),
- },
- wantErr: false,
- },
- {
- description: "default creds and mismatched universe",
- opts: []option.ClientOption{
- option.WithCredentials(&google.Credentials{}),
- option.WithUniverseDomain(otherUniverse),
- },
- wantErr: true,
- },
- {
- description: "foreign universe creds and default universe",
- opts: []option.ClientOption{
- makeFakeCredF(otherUniverse),
- option.WithUniverseDomain(defaultUniverse),
- },
- wantErr: true,
- },
- {
- description: "foreign universe creds and foreign universe",
- opts: []option.ClientOption{
- makeFakeCredF(otherUniverse),
- option.WithUniverseDomain(otherUniverse),
- },
- wantErr: false,
- },
- {
- description: "tokensource + mismatched universe",
- opts: []option.ClientOption{
- option.WithTokenSource(oauth2.StaticTokenSource(&oauth2.Token{})),
- option.WithUniverseDomain(otherUniverse),
- },
- wantErr: false,
- },
- }
-
- for _, tc := range testCases {
- opts := []option.ClientOption{
- option.WithScopes(rootTokenScope),
- }
- opts = append(opts, tc.opts...)
- _, _, gotErr := NewClient(context.Background(), opts...)
- if tc.wantErr && gotErr == nil {
- t.Errorf("%q: wanted error, got none", tc.description)
- }
- if !tc.wantErr && gotErr != nil {
- t.Errorf("%q: wanted success, got err: %v", tc.description, gotErr)
- }
- }
-}