From 54dd3ad6e40bc0eda275a348527ab727ff9936ba Mon Sep 17 00:00:00 2001
From: The Magician <magic-modules@google.com>
Date: Wed, 9 Jan 2019 18:46:59 -0800
Subject: [PATCH] Skip acceptance tests during non-acceptance runs. (#2852)

Signed-off-by: Modular Magician <magic-modules@google.com>
---
 google/config.go                              | 13 ++--
 google/config_test.go                         | 60 +++++++++++++++++--
 google/provider.go                            |  7 ++-
 google/provider_test.go                       |  9 ---
 website/docs/provider_reference.html.markdown | 11 ++++
 5 files changed, 81 insertions(+), 19 deletions(-)

diff --git a/google/config.go b/google/config.go
index 44dbdeb2..80af6b1e 100644
--- a/google/config.go
+++ b/google/config.go
@@ -346,9 +346,14 @@ func (c *Config) loadAndValidate() error {
 
 func (c *Config) getTokenSource(clientScopes []string) (oauth2.TokenSource, error) {
 	if c.AccessToken != "" {
-		log.Printf("[INFO] Using configured Google access token (length %d)", len(c.AccessToken))
+		contents, _, err := pathorcontents.Read(c.AccessToken)
+		if err != nil {
+			return nil, fmt.Errorf("Error loading access token: %s", err)
+		}
+
+		log.Printf("[INFO] Authenticating using configured Google JSON 'access_token'...")
 		log.Printf("[INFO]   -- Scopes: %s", clientScopes)
-		token := &oauth2.Token{AccessToken: c.AccessToken}
+		token := &oauth2.Token{AccessToken: contents}
 		return oauth2.StaticTokenSource(token), nil
 	}
 
@@ -363,12 +368,12 @@ func (c *Config) getTokenSource(clientScopes []string) (oauth2.TokenSource, erro
 			return nil, fmt.Errorf("Unable to parse credentials from '%s': %s", contents, err)
 		}
 
-		log.Printf("[INFO] Requesting Google token using Credential File %q...", c.Credentials)
+		log.Printf("[INFO] Authenticating using configured Google JSON 'credentials'...")
 		log.Printf("[INFO]   -- Scopes: %s", clientScopes)
 		return creds.TokenSource, nil
 	}
 
-	log.Printf("[INFO] Authenticating using DefaultClient")
+	log.Printf("[INFO] Authenticating using DefaultClient...")
 	log.Printf("[INFO]   -- Scopes: %s", clientScopes)
 	return googleoauth.DefaultTokenSource(context.Background(), clientScopes...)
 }
diff --git a/google/config_test.go b/google/config_test.go
index 13b83a24..d15691d0 100644
--- a/google/config_test.go
+++ b/google/config_test.go
@@ -1,11 +1,18 @@
 package google
 
 import (
+	"context"
+	"fmt"
 	"io/ioutil"
+	"os"
 	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+	"golang.org/x/oauth2/google"
 )
 
 const testFakeCredentialsPath = "./test-fixtures/fake_account.json"
+const testOauthScope = "https://www.googleapis.com/auth/compute"
 
 func TestConfigLoadAndValidate_accountFilePath(t *testing.T) {
 	config := Config{
@@ -49,12 +56,17 @@ func TestConfigLoadAndValidate_accountFileJSONInvalid(t *testing.T) {
 	}
 }
 
-func TestConfigLoadValidate_accessToken(t *testing.T) {
-	accessToken := getTestAccessTokenFromEnv(t)
+func TestAccConfigLoadValidate_credentials(t *testing.T) {
+	if os.Getenv(resource.TestEnvVar) == "" {
+		t.Skip(fmt.Sprintf("Network access not allowed; use %s=1 to enable", resource.TestEnvVar))
+	}
+
+	creds := getTestCredsFromEnv()
+	proj := getTestProjectFromEnv()
 
 	config := Config{
-		AccessToken: accessToken,
-		Project:     "my-gce-project",
+		Credentials: creds,
+		Project:     proj,
 		Region:      "us-central1",
 	}
 
@@ -62,4 +74,44 @@ func TestConfigLoadValidate_accessToken(t *testing.T) {
 	if err != nil {
 		t.Fatalf("error: %v", err)
 	}
+
+	_, err = config.clientCompute.Zones.Get(proj, "us-central1-a").Do()
+	if err != nil {
+		t.Fatalf("expected call with loaded config client to work, got error: %s", err)
+	}
+}
+
+func TestAccConfigLoadValidate_accessToken(t *testing.T) {
+	if os.Getenv(resource.TestEnvVar) == "" {
+		t.Skip(fmt.Sprintf("Network access not allowed; use %s=1 to enable", resource.TestEnvVar))
+	}
+
+	creds := getTestCredsFromEnv()
+	proj := getTestProjectFromEnv()
+
+	c, err := google.CredentialsFromJSON(context.Background(), []byte(creds), testOauthScope)
+	if err != nil {
+		t.Fatalf("invalid test credentials: %s", err)
+	}
+
+	token, err := c.TokenSource.Token()
+	if err != nil {
+		t.Fatalf("Unable to generate test access token: %s", err)
+	}
+
+	config := Config{
+		AccessToken: token.AccessToken,
+		Project:     proj,
+		Region:      "us-central1",
+	}
+
+	err = config.loadAndValidate()
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+
+	_, err = config.clientCompute.Zones.Get(proj, "us-central1-a").Do()
+	if err != nil {
+		t.Fatalf("expected API call with loaded config to work, got error: %s", err)
+	}
 }
diff --git a/google/provider.go b/google/provider.go
index 1d7e6ae1..b1ebe1ef 100644
--- a/google/provider.go
+++ b/google/provider.go
@@ -31,8 +31,11 @@ func Provider() terraform.ResourceProvider {
 			},
 
 			"access_token": {
-				Type:          schema.TypeString,
-				Optional:      true,
+				Type:     schema.TypeString,
+				Optional: true,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+					"GOOGLE_OAUTH_ACCESS_TOKEN",
+				}, nil),
 				ConflictsWith: []string{"credentials"},
 			},
 
diff --git a/google/provider_test.go b/google/provider_test.go
index e3ce5fcb..dacfcac5 100644
--- a/google/provider_test.go
+++ b/google/provider_test.go
@@ -57,10 +57,6 @@ var billingAccountEnvVars = []string{
 	"GOOGLE_BILLING_ACCOUNT",
 }
 
-var accessTokenEnvVars = []string{
-	"GOOGLE_OAUTH2_ACCESS_TOKEN",
-}
-
 func init() {
 	testAccProvider = Provider().(*schema.Provider)
 	testAccRandomProvider = random.Provider().(*schema.Provider)
@@ -206,11 +202,6 @@ func getTestServiceAccountFromEnv(t *testing.T) string {
 	return multiEnvSearch(serviceAccountEnvVars)
 }
 
-func getTestAccessTokenFromEnv(t *testing.T) string {
-	skipIfEnvNotSet(t, accessTokenEnvVars...)
-	return multiEnvSearch(accessTokenEnvVars)
-}
-
 func multiEnvSearch(ks []string) string {
 	for _, k := range ks {
 		if v := os.Getenv(k); v != "" {
diff --git a/website/docs/provider_reference.html.markdown b/website/docs/provider_reference.html.markdown
index 21829241..fca6603f 100644
--- a/website/docs/provider_reference.html.markdown
+++ b/website/docs/provider_reference.html.markdown
@@ -95,6 +95,17 @@ share the same configuration.
   only be used when running Terraform from within [certain GCP resources](https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_compute_engine_kubernetes_engine_app_engine_flexible_environment_and_cloud_functions).
   Credentials obtained through `gcloud` are not guaranteed to work for all APIs.
 
+* `access_token` - (Optional) An temporary [OAuth 2.0 access token](https://developers.google.com/identity/protocols/OAuth2)
+  obtained from the Google Authorization server, i.e. the
+  `Authorization: Bearer` token used to authenticate Google API HTTP requests.
+
+  Access tokens can also be specified using any of the following environment
+  variables (listed in order of precedence):
+
+    * `GOOGLE_OAUTH_ACCESS_TOKEN`
+
+  -> These access tokens cannot be renewed by Terraform and thus will only work for at most 1 hour. If you anticipate Terraform needing access for more than one hour per run, please use `credentials` instead. Credentials are used to complete a two-legged OAuth 2.0 flow on your behalf to obtain access tokens and can be used renew or reauthenticate for tokens as needed.
+
 * `project` - (Optional) The ID of the project to apply any resources to.  This
   can also be specified using any of the following environment variables (listed
   in order of precedence):