From adffd94437cee5e033b67282039fc9c21708ffc7 Mon Sep 17 00:00:00 2001
From: Chris Smith <chrisdsmith@google.com>
Date: Fri, 19 Jan 2024 13:42:45 -0700
Subject: [PATCH] google/internal/externalaccount: update
 serviceAccountImpersonationRE to support universe domain

Change-Id: Iafe35c293209bd88997c876341ebde7ac9ecda93
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/557195
TryBot-Bypass: Cody Oss <codyoss@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Auto-Submit: Cody Oss <codyoss@google.com>
---
 .../externalaccount/executablecredsource.go   |  2 +-
 .../executablecredsource_test.go              | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/google/internal/externalaccount/executablecredsource.go b/google/internal/externalaccount/executablecredsource.go
index 6497dc0..843d1c3 100644
--- a/google/internal/externalaccount/executablecredsource.go
+++ b/google/internal/externalaccount/executablecredsource.go
@@ -19,7 +19,7 @@ import (
 	"time"
 )
 
-var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken")
+var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials\\..+/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken")
 
 const (
 	executableSupportedMaxVersion = 1
diff --git a/google/internal/externalaccount/executablecredsource_test.go b/google/internal/externalaccount/executablecredsource_test.go
index df8a906..18ee049 100644
--- a/google/internal/externalaccount/executablecredsource_test.go
+++ b/google/internal/externalaccount/executablecredsource_test.go
@@ -1021,3 +1021,37 @@ func TestRetrieveOutputFileSubjectTokenJwt(t *testing.T) {
 		})
 	}
 }
+
+func TestServiceAccountImpersonationRE(t *testing.T) {
+	tests := []struct {
+		name                           string
+		serviceAccountImpersonationURL string
+		want                           string
+	}{
+		{
+			name:                           "universe domain Google Default Universe (GDU) googleapis.com",
+			serviceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test@project.iam.gserviceaccount.com:generateAccessToken",
+			want:                           "test@project.iam.gserviceaccount.com",
+		},
+		{
+			name:                           "email does not match",
+			serviceAccountImpersonationURL: "test@project.iam.gserviceaccount.com",
+			want:                           "",
+		},
+		{
+			name:                           "universe domain non-GDU",
+			serviceAccountImpersonationURL: "https://iamcredentials.apis-tpclp.goog/v1/projects/-/serviceAccounts/test@project.iam.gserviceaccount.com:generateAccessToken",
+			want:                           "test@project.iam.gserviceaccount.com",
+		},
+	}
+	for _, tt := range tests {
+		matches := serviceAccountImpersonationRE.FindStringSubmatch(tt.serviceAccountImpersonationURL)
+		if matches == nil {
+			if tt.want != "" {
+				t.Errorf("%q: got nil, want %q", tt.name, tt.want)
+			}
+		} else if matches[1] != tt.want {
+			t.Errorf("%q: got %q, want %q", tt.name, matches[1], tt.want)
+		}
+	}
+}