When using JSON credentials, do not require projectId to be provided as a parameter. Instead, just read it from the JSON file.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=152176955

Author: emrekultursay

README.md

@@ -208,10 +208,9 @@ launcher command (same way as with `-agentpath`):
 
 <pre>
 -Dcom.google.cdbg.auth.serviceaccount.enable=<i>true</i>
--Dcom.google.cdbg.auth.serviceaccount.projectid=<i>myprojectid</i>
--Dcom.google.cdbg.auth.serviceaccount.email=<i>email@something.com</i>
 -Dcom.google.cdbg.auth.serviceaccount.jsonfile=<i>/opt/cdbg/svc.json</i>
 </pre>
 
-You can set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable
+You can also set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable
 to the JSON file instead of setting the `auth.serviceaccount.jsonfile` argument.
+

src/agent/internals/src/main/java/com/google/devtools/cdbg/debuglets/java/GcpEnvironment.java

@@ -16,6 +16,8 @@
 
 package com.google.devtools.cdbg.debuglets.java;
 
+import static com.google.devtools.cdbg.debuglets.java.AgentLogger.warn;
+
 import com.google.devtools.clouddebugger.v2.Labels;
 
 import java.lang.reflect.Constructor;
@@ -87,37 +89,23 @@ static URL getControllerBaseUrl() {
    */
   static boolean getIsServiceAccountEnabled() {
     String value = getFlag("auth.serviceaccount.enable", "enable_service_account_auth");
-    return value.equals("1") || value.equalsIgnoreCase("true"); 
+    return value.equals("1") || value.equalsIgnoreCase("true");
   }
-  
+
   /**
    * Lazily creates and returns the class to get access token and project information.
    */
   static synchronized MetadataQuery getMetadataQuery() {
     // Lazy initialization.
     if (metadataQuery == null) {
       if (getIsServiceAccountEnabled()) {
-        String projectId = getFlag("auth.serviceaccount.projectid", "project_id");
-        if (projectId.isEmpty()) {
-          throw new RuntimeException(
-              "Project ID not specified for service account authentication. Please set "
-              + "either auth.serviceaccount.projectid system property or project_id agent option");
-        }
-
-        String email = getFlag("auth.serviceaccount.email", "service_account_email");
-        if (email.isEmpty()) {
-          throw new RuntimeException(
-              "Service account e-mail not specified for service account authentication. Please set "
-              + "either auth.serviceaccount.email system property or "
-              + "service_account_email agent option");
-        }
-
-        String p12File = getFlag("auth.serviceaccount.p12file", "service_account_p12_file");
         String jsonFile = environmentStore.get("GOOGLE_APPLICATION_CREDENTIALS");
         if (jsonFile == null) {
           jsonFile = getFlag("auth.serviceaccount.jsonfile", "service_account_json_file");
         }
 
+        // TODO(emrekultursay): Remove support for p12 file.
+        String p12File = getFlag("auth.serviceaccount.p12file", "service_account_p12_file");
         if (p12File.isEmpty() && jsonFile.isEmpty()) {
           throw new RuntimeException(
               "Service account JSON file not specified for service account authentication. "
@@ -126,6 +114,33 @@ static synchronized MetadataQuery getMetadataQuery() {
               + "GOOGLE_APPLICATION_CREDENTIALS environment variable");
         }
 
+        String projectId;
+        String email;
+
+        if (!p12File.isEmpty()) {
+          warn("p12 file based service account authentication is deprecated and will be removed. "
+              + "Please use JSON file based service account authentication.");
+
+          projectId = getFlag("auth.serviceaccount.projectid", "project_id");
+          if (projectId.isEmpty()) {
+            throw new RuntimeException(
+                "Project ID not specified for service account authentication. Please set either"
+                + "auth.serviceaccount.projectid system property or project_id agent option");
+          }
+
+          email = getFlag("auth.serviceaccount.email", "service_account_email");
+          if (email.isEmpty()) {
+            throw new RuntimeException(
+                "Service account e-mail not specified for service account authentication. Please "
+                + "set either auth.serviceaccount.email system property or "
+                + "service_account_email agent option");
+          }
+        } else {
+          // These will be read from the JSON file.
+          projectId = "";
+          email = "";
+        }
+
         try {
           // Use reflection to create a new instance of "ServiceAccountAuth" class. This way this
           // class has no explicit dependency on "com.google.api.client" package that can be

src/agent/internals/src/main/java/com/google/devtools/cdbg/debuglets/java/ServiceAccountAuth.java

@@ -18,7 +18,9 @@
 
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.JsonParser;
 import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.client.util.Key;
 
 import java.io.File;
 import java.io.FileInputStream;
@@ -32,27 +34,39 @@
  * Exchanges service account private key for OAuth access token.
  */
 final class ServiceAccountAuth implements MetadataQuery {
+
+  /** The JSON Service Account file gets parsed into an object of this type. */
+  public static class ServiceAccountAuthJsonFile {
+    /** The only field we are interested in is project_id, the rest will be ignored. */
+    @Key("project_id")
+    private String projectId = null;
+
+    String getProjectId() {
+      return projectId;
+    }
+  }
+
   /**
    * OAuth scope requested.
    */
   private static final String CLOUD_PLATFORM_SCOPE =
       "https://www.googleapis.com/auth/cloud-platform";
-  
+
   /**
-   * Time to refresh the token before it expires. 
+   * Time to refresh the token before it expires.
    */
   private static final int TOKEN_EXPIRATION_BUFFER_SEC = 60;
 
   /**
    * GCP project ID that created the service account.
    */
   private final String projectId;
-  
+
   /**
    * GCP project number corresponding to projectId.
    */
   private final String projectNumber;
-  
+
   /**
    * Runs OAuth flow to obtain the access token.
    */
@@ -79,10 +93,10 @@ public ServiceAccountAuth(
     Objects.requireNonNull(serviceAccountP12File);
     Objects.requireNonNull(serviceAccountJsonFile);
 
-    this.projectId = projectId;
-    this.projectNumber = projectNumber;
-
     if (!serviceAccountP12File.isEmpty()) {
+      this.projectId = projectId;
+      this.projectNumber = projectNumber;
+
       this.credential = new GoogleCredential.Builder()
           .setTransport(GoogleNetHttpTransport.newTrustedTransport())
           .setJsonFactory(JacksonFactory.getDefaultInstance())
@@ -91,7 +105,10 @@ public ServiceAccountAuth(
           .setServiceAccountScopes(Collections.singleton(CLOUD_PLATFORM_SCOPE))
           .build();
     } else if (!serviceAccountJsonFile.isEmpty()) {
-      InputStream serviceAccountJsonStream = new FileInputStream(new File(serviceAccountJsonFile));
+      this.projectId = parseServiceAccountAuthJsonFile(serviceAccountJsonFile).getProjectId();
+      this.projectNumber = this.projectId;
+
+      InputStream serviceAccountJsonStream = new FileInputStream(serviceAccountJsonFile);
       this.credential = GoogleCredential.fromStream(serviceAccountJsonStream)
           .createScoped(Collections.singleton(CLOUD_PLATFORM_SCOPE));
     } else {
@@ -109,10 +126,10 @@ public String getProjectId() {
   public String getProjectNumber() {
     return projectNumber;
   }
-  
+
   /**
    * Gets the cached OAuth access token refreshing it as needed.
-   * 
+   *
    * <p> Access token refresh is done synchronously delaying the call.
    */
   @Override
@@ -135,4 +152,21 @@ public synchronized String getAccessToken() {
   public void shutdown() {
     // TODO(vlif): implement if not handled properly by JVM shutdown.
   }
+
+
+  /** Parses the given JSON auth file.
+   * <p> TODO(emrekultursay): Remove this method when a new version of the google-api-java-client
+   * library is released (newer than v22), and replace it with the new
+   * GoogleCredential.getServiceAccountProjectId() method. */
+  private static ServiceAccountAuthJsonFile parseServiceAccountAuthJsonFile(
+      String serviceAccountJsonFile) throws IOException {
+    JsonParser parser = JacksonFactory.getDefaultInstance().createJsonParser(
+        new FileInputStream(serviceAccountJsonFile));
+    ServiceAccountAuthJsonFile parsedFile = parser.parse(ServiceAccountAuthJsonFile.class);
+    if (parsedFile.getProjectId() == null) {
+      throw new IllegalArgumentException("Service account JSON file is missing project_id field");
+    }
+
+    return parsedFile;
+  }
 }