GCP auth failure logging and testing

buildSrc/src/main/groovy/io.micronaut.build.internal.test-fixtures.gradle

@@ -0,0 +1,3 @@
+plugins {
+    id 'java-test-fixtures'
+}

gcp-common/build.gradle

@@ -1,5 +1,6 @@
 plugins {
     id("io.micronaut.build.internal.gcp-module")
+    id 'io.micronaut.build.internal.test-fixtures'
 }
 
 dependencies {
@@ -10,9 +11,14 @@ dependencies {
     implementation(mn.micronaut.json.core)
     implementation(mn.jackson.annotations)
 
+    testFixturesApi(platform(mn.micronaut.core.bom))
+
     testAnnotationProcessor(mn.micronaut.inject.java)
     testImplementation(mn.micronaut.discovery.core)
+    testImplementation(mn.micronaut.http.server.netty)
 
     testImplementation(mnSerde.micronaut.serde.jackson)
 
+    testImplementation(libs.system.stubs.core)
+
 }

gcp-common/src/main/java/io/micronaut/gcp/credentials/AuthenticationLoggingInterceptor.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright 2017-2023 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.gcp.credentials;
+
+import com.google.auth.RequestMetadataCallback;
+import io.micronaut.aop.MethodInterceptor;
+import io.micronaut.aop.MethodInvocationContext;
+import io.micronaut.core.annotation.Nullable;
+import io.micronaut.core.type.MutableArgumentValue;
+import jakarta.inject.Singleton;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * An interceptor for managed instances of {@link com.google.auth.oauth2.GoogleCredentials} that logs certain types of
+ * authentication errors that the GCP libraries handle silently as infinitely retryable events.
+ *
+ * @author Jeremy Grelle
+ * @since 5.2.0
+ */
+@Singleton
+public class AuthenticationLoggingInterceptor implements MethodInterceptor<Object, Object> {
+
+    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationLoggingInterceptor.class);
+    private static final String LOGGED_AUTHENTICATION_METHOD = "getRequestMetadata";
+
+    /**
+     * Intercepts the "getRequestMetadata" call and logs any retryable errors before allowing the GCP library to continue
+     * its normal retry algorithm.
+     *
+     * @param context The method invocation context
+     * @return the result of the method invocation
+     */
+    @Override
+    public @Nullable Object intercept(MethodInvocationContext<Object, Object> context) {
+        if (!context.getExecutableMethod().getMethodName().equals(LOGGED_AUTHENTICATION_METHOD)) {
+            return context.proceed();
+        }
+        Map<String, MutableArgumentValue<?>> params = context.getParameters();
+        params.entrySet().stream().filter(entry -> entry.getValue().getType().equals(RequestMetadataCallback.class))
+            .findFirst()
+            .ifPresent(entry -> {
+                @SuppressWarnings("unchecked") MutableArgumentValue<RequestMetadataCallback> argValue = (MutableArgumentValue<RequestMetadataCallback>) entry.getValue();
+                RequestMetadataCallback callback = argValue.getValue();
+                argValue.setValue(new LoggingRequestMetadataCallback(callback));
+            });
+        return context.proceed();
+    }
+
+    /**
+     * A wrapper {@link RequestMetadataCallback} implementation that logs failures with a warning before proceeding with
+     * the original callback.
+     */
+    private static final class LoggingRequestMetadataCallback implements RequestMetadataCallback {
+
+        private final RequestMetadataCallback callback;
+
+        private LoggingRequestMetadataCallback(RequestMetadataCallback callback) {
+            this.callback = callback;
+        }
+
+        @Override
+        public void onSuccess(Map<String, List<String>> metadata) {
+            this.callback.onSuccess(metadata);
+        }
+
+        @Override
+        public void onFailure(Throwable ex) {
+            if (ex instanceof IOException) {
+                LOG.warn("A failure occurred while attempting to build credential metadata for a GCP API request. The GCP libraries treat this as " +
+                    "a retryable error, but misconfigured credentials can keep it from ever succeeding.", ex);
+            }
+            this.callback.onFailure(ex);
+        }
+    }
+}

gcp-common/src/main/java/io/micronaut/gcp/credentials/GoogleCredentialsFactory.java

@@ -21,13 +21,13 @@
 import io.micronaut.context.annotation.Primary;
 import io.micronaut.context.annotation.Requires;
 import io.micronaut.context.exceptions.ConfigurationException;
+import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.util.ArgumentUtils;
 import io.micronaut.core.util.StringUtils;
+import jakarta.inject.Singleton;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import io.micronaut.core.annotation.NonNull;
-import jakarta.inject.Singleton;
 import java.io.ByteArrayInputStream;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -83,11 +83,11 @@ public GoogleCredentialsFactory(@NonNull GoogleCredentialsConfiguration configur
      * @return The {@link GoogleCredentials}
      * @throws IOException An exception if an error occurs
      */
-    @Requires(missingBeans = GoogleCredentials.class)
-    @Requires(classes = com.google.auth.oauth2.GoogleCredentials.class)
+    @Requires(classes = GoogleCredentials.class)
     @Requires(property = GoogleCredentialsConfiguration.PREFIX + ".enabled", value = StringUtils.TRUE, defaultValue = StringUtils.TRUE)
     @Primary
     @Singleton
+    @LogAuthenticationFailures
     protected GoogleCredentials defaultGoogleCredentials() throws IOException {
         final List<String> scopes = configuration.getScopes().stream()
                 .map(URI::toString).collect(Collectors.toList());

gcp-common/src/main/java/io/micronaut/gcp/credentials/LogAuthenticationFailures.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2017-2023 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.gcp.credentials;
+
+import com.google.auth.oauth2.GoogleCredentials;
+import io.micronaut.aop.Around;
+import io.micronaut.context.annotation.Type;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+/**
+ * Annotation for applying authentication failure logging AOP advice to a managed instance of
+ * {@link GoogleCredentials}.
+ *
+ * @author Jeremy Grelle
+ * @since 5.2.0
+ */
+@Documented
+@Retention(RUNTIME)
+@Target({ElementType.METHOD, ElementType.TYPE})
+@Around(proxyTargetMode = Around.ProxyTargetConstructorMode.ALLOW)
+@Type(AuthenticationLoggingInterceptor.class)
+public @interface LogAuthenticationFailures {
+}