Add test

include/grpc/grpc_security.h

@@ -142,19 +142,20 @@ GRPCAPI void grpc_channel_credentials_release(grpc_channel_credentials* creds);
    WARNING: Do NOT use this credentials to connect to a non-google service as
    this could result in an oauth2 token leak. The security level of the
    resulting connection is GRPC_PRIVACY_AND_INTEGRITY.
-   
+
    If specified, the supplied call credentials object will be attached to the
    returned channel credentials object. The call_credentials object must remain
-   valid throughout the lifetime of the returned grpc_channel_credentials object.
-   It is expected that the call credentials object was generated according to
-   the Application Default Credentials mechanism and asserts the identity of
-   default service account of the machine. Supplying any other sort of call
-   credential may result in RPCs suddenly and unexpectedly failing.
+   valid throughout the lifetime of the returned grpc_channel_credentials
+   object. It is expected that the call credentials object was generated
+   according to the Application Default Credentials mechanism and asserts the
+   identity of default service account of the machine. Supplying any other sort
+   of call credential may result in RPCs suddenly and unexpectedly failing.
 
    If nullptr is supplied, the returned call credentials object will use a call
    credentials object based on the default service account of the VM.
 */
-GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create(grpc_call_credentials* call_credentials);
+GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create(
+    grpc_call_credentials* call_credentials);
 
 /** Callback for getting the SSL roots override from the application.
    In case of success, *pem_roots_certs must be set to a NULL terminated string

src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -291,9 +291,9 @@ static void update_tenancy() {
   gpr_mu_unlock(&g_state_mu);
 }
 
-static void default_call_creds(grpc_core::RefCountedPtr<grpc_call_credentials>* call_creds,
-                               grpc_error* error)
-{
+static void default_call_creds(
+    grpc_core::RefCountedPtr<grpc_call_credentials>* call_creds,
+    grpc_error* error) {
   grpc_error* err;
 
   /* First, try the environment variable. */
@@ -319,14 +319,16 @@ static void default_call_creds(grpc_core::RefCountedPtr<grpc_call_credentials>*
   }
 }
 
-grpc_channel_credentials* grpc_google_default_credentials_create(grpc_call_credentials* call_credentials) {
+grpc_channel_credentials* grpc_google_default_credentials_create(
+    grpc_call_credentials* call_credentials) {
   grpc_channel_credentials* result = nullptr;
   grpc_core::RefCountedPtr<grpc_call_credentials> call_creds(call_credentials);
   grpc_error* error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
       "Failed to create Google credentials");
   grpc_core::ExecCtx exec_ctx;
 
-  GRPC_API_TRACE("grpc_google_default_credentials_create(%p)", 1, (call_credentials));
+  GRPC_API_TRACE("grpc_google_default_credentials_create(%p)", 1,
+                 (call_credentials));
 
   update_tenancy();
 

src/cpp/client/secure_credentials.cc

@@ -97,7 +97,8 @@ std::shared_ptr<CallCredentials> WrapCallCredentials(
 
 std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
   grpc::GrpcLibraryCodegen init;  // To call grpc_init().
-  return WrapChannelCredentials(grpc_google_default_credentials_create(nullptr));
+  return WrapChannelCredentials(
+      grpc_google_default_credentials_create(nullptr));
 }
 
 // Builds SSL Credentials given SSL specific options

test/core/security/credentials_test.cc

@@ -1531,26 +1531,81 @@ static void test_google_default_creds_call_creds_specified(void) {
                                             nullptr, nullptr};
   grpc_core::ExecCtx exec_ctx;
   grpc_flush_cached_google_default_credentials();
-  grpc_call_credentials* call_creds = grpc_google_compute_engine_credentials_create(nullptr);
+  grpc_call_credentials* call_creds =
+      grpc_google_compute_engine_credentials_create(nullptr);
   set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
+  g_test_gce_tenancy_checker_called = false;
+  g_test_is_on_gce = true;
   grpc_httpcli_set_override(
       default_creds_metadata_server_detection_httpcli_get_success_override,
       httpcli_post_should_not_be_called);
-  g_test_gce_tenancy_checker_called = false;
-  g_test_is_on_gce = true;
-  grpc_composite_channel_credentials* channel_creds = reinterpret_cast<grpc_composite_channel_credentials*>(grpc_google_default_credentials_create(call_creds));
+  grpc_composite_channel_credentials* channel_creds =
+      reinterpret_cast<grpc_composite_channel_credentials*>(
+          grpc_google_default_credentials_create(call_creds));
   GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
   GPR_ASSERT(channel_creds != nullptr);
   GPR_ASSERT(channel_creds->call_creds() != nullptr);
   grpc_httpcli_set_override(compute_engine_httpcli_get_success_override,
                             httpcli_post_should_not_be_called);
-  run_request_metadata_test(channel_creds->mutable_call_creds(), auth_md_ctx, state);
+  run_request_metadata_test(channel_creds->mutable_call_creds(), auth_md_ctx,
+                            state);
   grpc_core::ExecCtx::Get()->Flush();
   channel_creds->Unref();
   grpc_httpcli_set_override(nullptr, nullptr);
 }
 
-// TODO: Test that we don't go down the nullptr path regardless of env vars.
+struct fake_call_creds : public grpc_call_credentials {
+ public:
+  // TODO: Keep a single md_elem?
+  explicit fake_call_creds() : grpc_call_credentials("fake") {}
+
+  bool get_request_metadata(grpc_polling_entity* pollent,
+                            grpc_auth_metadata_context context,
+                            grpc_credentials_mdelem_array* md_array,
+                            grpc_closure* on_request_metadata,
+                            grpc_error** error) {
+    grpc_slice key = grpc_slice_from_static_string("foo");
+    grpc_slice value = grpc_slice_from_static_string("oof");
+    grpc_mdelem dummy_md = grpc_mdelem_from_slices(key, value);
+    grpc_slice_unref(key);
+    grpc_slice_unref(value);
+    grpc_credentials_mdelem_array_add(md_array, dummy_md);
+    GRPC_MDELEM_UNREF(dummy_md);
+    return false;
+  }
+
+  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
+                                   grpc_error* error) {}
+};
+
+static void test_google_default_creds_not_default(void) {
+  expected_md emd[] = {{"foo", "oof"}};
+  request_metadata_state* state =
+      make_request_metadata_state(GRPC_ERROR_NONE, emd, GPR_ARRAY_SIZE(emd));
+  grpc_auth_metadata_context auth_md_ctx = {test_service_url, test_method,
+                                            nullptr, nullptr};
+  grpc_core::ExecCtx exec_ctx;
+  grpc_flush_cached_google_default_credentials();
+  grpc_core::RefCountedPtr<grpc_call_credentials> call_creds =
+      grpc_core::MakeRefCounted<fake_call_creds>();
+  set_gce_tenancy_checker_for_testing(test_gce_tenancy_checker);
+  g_test_gce_tenancy_checker_called = false;
+  g_test_is_on_gce = true;
+  grpc_httpcli_set_override(
+      default_creds_metadata_server_detection_httpcli_get_success_override,
+      httpcli_post_should_not_be_called);
+  grpc_composite_channel_credentials* channel_creds =
+      reinterpret_cast<grpc_composite_channel_credentials*>(
+          grpc_google_default_credentials_create(call_creds.release()));
+  GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
+  GPR_ASSERT(channel_creds != nullptr);
+  GPR_ASSERT(channel_creds->call_creds() != nullptr);
+  run_request_metadata_test(channel_creds->mutable_call_creds(), auth_md_ctx,
+                            state);
+  grpc_core::ExecCtx::Get()->Flush();
+  channel_creds->Unref();
+  grpc_httpcli_set_override(nullptr, nullptr);
+}
 
 typedef enum {
   PLUGIN_INITIAL_STATE,
@@ -1862,6 +1917,7 @@ int main(int argc, char** argv) {
   test_google_default_creds_non_gce();
   test_no_google_default_creds();
   test_google_default_creds_call_creds_specified();
+  test_google_default_creds_not_default();
   test_metadata_plugin_success();
   test_metadata_plugin_failure();
   test_get_well_known_google_credentials_file_path();