From 419a9438193586afb7986ccee59d19e9e364ec98 Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Thu, 9 Oct 2025 14:42:06 +0000 Subject: [PATCH 1/5] fix: Add setCredentials method as alternative for setCredentialsFile in LoggingAppender (#1530) * fix: Add setCredentials method as alternative for setCredentialsFile in LoggingAppender * chore: Fix test requiring ProjectId * Apply suggestion from @gkevinzheng Co-authored-by: Kevin Zheng <147537668+gkevinzheng@users.noreply.github.com> --------- Co-authored-by: Kevin Zheng <147537668+gkevinzheng@users.noreply.github.com> --- .../logging/logback/LoggingAppender.java | 43 +++++++++++++++++-- .../reflect-config.json | 1 + .../logging/logback/LoggingAppenderTest.java | 24 +++++++++-- 3 files changed, 61 insertions(+), 7 deletions(-) diff --git a/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java b/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java index 769677cfc..a69f58649 100644 --- a/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java +++ b/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java @@ -23,6 +23,7 @@ import ch.qos.logback.core.UnsynchronizedAppenderBase; import ch.qos.logback.core.util.Loader; import com.google.api.core.InternalApi; +import com.google.api.core.ObsoleteApi; import com.google.auth.oauth2.GoogleCredentials; import com.google.cloud.MonitoredResource; import com.google.cloud.logging.Instrumentation; @@ -35,10 +36,12 @@ import com.google.cloud.logging.Payload; import com.google.cloud.logging.Severity; import com.google.cloud.logging.Synchronicity; +import com.google.common.base.Preconditions; import com.google.common.base.Strings; import com.google.common.collect.ImmutableList; -import java.io.FileInputStream; import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; import java.time.Instant; import java.util.ArrayList; import java.util.HashMap; @@ -138,6 +141,7 @@ public class LoggingAppender extends UnsynchronizedAppenderBase { private String log; private String resourceType; private String credentialsFile; + private GoogleCredentials credentials; private String logDestinationProjectId; private boolean autoPopulateMetadata = true; private boolean redirectToStdout = false; @@ -185,17 +189,46 @@ public void setResourceType(String resourceType) { } /** - * Sets the path to the If you know that you will be loading credential configurations of a specific type, it is + * recommended to use a credential-type-specific `fromStream()` method. This will ensure that an + * unexpected credential type with potential for malicious intent is not loaded unintentionally. + * You might still have to do validation for certain credential types. Please follow the + * recommendation for that method. + * + *

If you are loading your credential configuration from an untrusted source and have not + * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon + * as possible to prevent security risks to your environment. + * + *

Regardless of the method used, it is always your responsibility to validate configurations + * received from external sources. + * + *

Sets the path to the credential * file. If not set the appender will use {@link GoogleCredentials#getApplicationDefault()} to * authenticate. * * @param credentialsFile the path to the credentials file. */ + @ObsoleteApi( + "This method is obsolete because of a potential security risk. Use the setCredentials() method instead") public void setCredentialsFile(String credentialsFile) { this.credentialsFile = credentialsFile; } + /** + * Sets the credential to use. If not set the appender will use {@link + * GoogleCredentials#getApplicationDefault()} to authenticate. + * + * @param credentials the GoogleCredentials to set + */ + public void setCredentials(GoogleCredentials credentials) { + Preconditions.checkNotNull(credentials, "Credentials cannot be null"); + this.credentials = credentials; + } + /** * Sets project ID to be used to customize log destination name for written log entries. * @@ -445,10 +478,12 @@ protected LoggingOptions getLoggingOptions() { if (loggingOptions == null) { LoggingOptions.Builder builder = LoggingOptions.newBuilder(); builder.setProjectId(logDestinationProjectId); - if (!Strings.isNullOrEmpty(credentialsFile)) { + if (credentials != null) { + builder.setCredentials(credentials); + } else if (!Strings.isNullOrEmpty(credentialsFile)) { try { builder.setCredentials( - GoogleCredentials.fromStream(new FileInputStream(credentialsFile))); + GoogleCredentials.fromStream(Files.newInputStream(Paths.get(credentialsFile)))); } catch (IOException e) { throw new RuntimeException( String.format( diff --git a/src/main/resources/META-INF/native-image/com.google.cloud/google-cloud-logging-logback/reflect-config.json b/src/main/resources/META-INF/native-image/com.google.cloud/google-cloud-logging-logback/reflect-config.json index 68b566d6e..9d249db03 100644 --- a/src/main/resources/META-INF/native-image/com.google.cloud/google-cloud-logging-logback/reflect-config.json +++ b/src/main/resources/META-INF/native-image/com.google.cloud/google-cloud-logging-logback/reflect-config.json @@ -35,6 +35,7 @@ {"name":"","parameterTypes":[] }, {"name":"setAutoPopulateMetadata","parameterTypes":["boolean"] }, {"name":"setCredentialsFile","parameterTypes":["java.lang.String"] }, + {"name":"setCredentials","parameterTypes":["com.google.auth.oauth2.GoogleCredentials"] }, {"name":"setFlushLevel","parameterTypes":["ch.qos.logback.classic.Level"] }, {"name":"setLog","parameterTypes":["java.lang.String"] }, {"name":"setLogDestinationProjectId","parameterTypes":["java.lang.String"] }, diff --git a/src/test/java/com/google/cloud/logging/logback/LoggingAppenderTest.java b/src/test/java/com/google/cloud/logging/logback/LoggingAppenderTest.java index 9632cf330..027230a83 100644 --- a/src/test/java/com/google/cloud/logging/logback/LoggingAppenderTest.java +++ b/src/test/java/com/google/cloud/logging/logback/LoggingAppenderTest.java @@ -23,11 +23,13 @@ import static org.easymock.EasyMock.replay; import static org.easymock.EasyMock.verify; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThrows; import ch.qos.logback.classic.Level; import ch.qos.logback.classic.filter.ThresholdFilter; import ch.qos.logback.classic.spi.ILoggingEvent; import ch.qos.logback.classic.spi.LoggingEvent; +import com.google.auth.oauth2.GoogleCredentials; import com.google.cloud.MonitoredResource; import com.google.cloud.Timestamp; import com.google.cloud.logging.Instrumentation; @@ -60,7 +62,7 @@ public class LoggingAppenderTest { private static final String PROJECT_ID = "test-project"; private static final String CRED_FILE_PROJECT_ID = "project-12345"; - private static final String OVERRIDED_PROJECT_ID = "some-project-id"; + private static final String OVERRIDDEN_PROJECT_ID = "some-project-id"; private static final String DUMMY_CRED_FILE_PATH = "src/test/java/com/google/cloud/logging/logback/dummy-credentials.json"; private static final Payload.JsonPayload JSON_PAYLOAD = @@ -289,6 +291,22 @@ public void testMdcValuesAreConvertedToLabels() { assertThat(capturedArgument.getValue().iterator().next()).isEqualTo(INFO_ENTRY); } + @Test + public void testCreateLoggingOptionsWithValidCredentials() { + LoggingAppender appender = new LoggingAppender(); + appender.setCredentials(GoogleCredentials.newBuilder().build()); + // ServiceOptions requires a projectId to be set. Normally this is determined by the + // GoogleCredentials (Credential set above is a dummy value with no ProjectId). + appender.setLogDestinationProjectId(PROJECT_ID); + appender.getLoggingOptions(); + } + + @Test + public void testCreateLoggingOptionsWithNullCredentials() { + LoggingAppender appender = new LoggingAppender(); + assertThrows(NullPointerException.class, () -> appender.setCredentials(null)); + } + @Test(expected = RuntimeException.class) public void testCreateLoggingOptionsWithInvalidCredentials() { final String nonExistentFile = "/path/to/non/existent/file"; @@ -310,8 +328,8 @@ public void testCreateLoggingOptionsWithDestination() { // Try to build LoggingOptions with file based credentials. LoggingAppender appender = new LoggingAppender(); appender.setCredentialsFile(DUMMY_CRED_FILE_PATH); - appender.setLogDestinationProjectId(OVERRIDED_PROJECT_ID); - assertThat(appender.getLoggingOptions().getProjectId()).isEqualTo(OVERRIDED_PROJECT_ID); + appender.setLogDestinationProjectId(OVERRIDDEN_PROJECT_ID); + assertThat(appender.getLoggingOptions().getProjectId()).isEqualTo(OVERRIDDEN_PROJECT_ID); } private LoggingEvent createLoggingEvent(Level level, long timestamp) { From dd0f7344259c94e50fd93a9a83f33b1cb4e55548 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Mon, 20 Oct 2025 17:11:06 +0100 Subject: [PATCH 2/5] deps: update dependency com.google.cloud:sdk-platform-java-config to v3.53.0 (#1533) --- .github/workflows/unmanaged_dependency_check.yaml | 2 +- .kokoro/presubmit/graalvm-native-a.cfg | 2 +- .kokoro/presubmit/graalvm-native-b.cfg | 2 +- .kokoro/presubmit/graalvm-native-c.cfg | 2 +- pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/unmanaged_dependency_check.yaml b/.github/workflows/unmanaged_dependency_check.yaml index 2003c1d4c..701369994 100644 --- a/.github/workflows/unmanaged_dependency_check.yaml +++ b/.github/workflows/unmanaged_dependency_check.yaml @@ -14,6 +14,6 @@ jobs: shell: bash run: .kokoro/build.sh - name: Unmanaged dependency check - uses: googleapis/sdk-platform-java/java-shared-dependencies/unmanaged-dependency-check@google-cloud-shared-dependencies/v3.52.3 + uses: googleapis/sdk-platform-java/java-shared-dependencies/unmanaged-dependency-check@google-cloud-shared-dependencies/v3.53.0 with: bom-path: pom.xml diff --git a/.kokoro/presubmit/graalvm-native-a.cfg b/.kokoro/presubmit/graalvm-native-a.cfg index 72294f90f..e06aeb829 100644 --- a/.kokoro/presubmit/graalvm-native-a.cfg +++ b/.kokoro/presubmit/graalvm-native-a.cfg @@ -3,7 +3,7 @@ # Configure the docker image for kokoro-trampoline. env_vars: { key: "TRAMPOLINE_IMAGE" - value: "gcr.io/cloud-devrel-public-resources/graalvm_sdk_platform_a:3.52.3" + value: "gcr.io/cloud-devrel-public-resources/graalvm_sdk_platform_a:3.53.0" } env_vars: { diff --git a/.kokoro/presubmit/graalvm-native-b.cfg b/.kokoro/presubmit/graalvm-native-b.cfg index c2efdcebf..15deac1d1 100644 --- a/.kokoro/presubmit/graalvm-native-b.cfg +++ b/.kokoro/presubmit/graalvm-native-b.cfg @@ -3,7 +3,7 @@ # Configure the docker image for kokoro-trampoline. env_vars: { key: "TRAMPOLINE_IMAGE" - value: "gcr.io/cloud-devrel-public-resources/graalvm_sdk_platform_b:3.52.3" + value: "gcr.io/cloud-devrel-public-resources/graalvm_sdk_platform_b:3.53.0" } env_vars: { diff --git a/.kokoro/presubmit/graalvm-native-c.cfg b/.kokoro/presubmit/graalvm-native-c.cfg index 8de3edd75..e7d2c0ef3 100644 --- a/.kokoro/presubmit/graalvm-native-c.cfg +++ b/.kokoro/presubmit/graalvm-native-c.cfg @@ -3,7 +3,7 @@ # Configure the docker image for kokoro-trampoline. env_vars: { key: "TRAMPOLINE_IMAGE" - value: "gcr.io/cloud-devrel-public-resources/graalvm_sdk_platform_c:3.52.3" + value: "gcr.io/cloud-devrel-public-resources/graalvm_sdk_platform_c:3.53.0" } env_vars: { diff --git a/pom.xml b/pom.xml index 03b971ec2..71afbf01a 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ com.google.cloud sdk-platform-java-config - 3.52.3 + 3.53.0 From 6ab65323b1f964a64d52dca2fd968d9c0d6f6547 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Mon, 20 Oct 2025 14:25:35 -0400 Subject: [PATCH 3/5] chore(main): release 0.132.18-alpha-SNAPSHOT (#1532) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- pom.xml | 2 +- samples/snapshot/pom.xml | 2 +- .../java/com/google/cloud/logging/logback/LoggingAppender.java | 2 +- versions.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 71afbf01a..48e409081 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ 4.0.0 google-cloud-logging-logback - 0.132.17-alpha + 0.132.18-alpha-SNAPSHOT jar Google Cloud Logging Logback Appender https://github.com/googleapis/java-logging-logback diff --git a/samples/snapshot/pom.xml b/samples/snapshot/pom.xml index 371f5ca33..6674d8670 100644 --- a/samples/snapshot/pom.xml +++ b/samples/snapshot/pom.xml @@ -28,7 +28,7 @@ com.google.cloud google-cloud-logging-logback - 0.132.17-alpha + 0.132.18-alpha-SNAPSHOT diff --git a/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java b/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java index a69f58649..382eae014 100644 --- a/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java +++ b/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java @@ -125,7 +125,7 @@ public class LoggingAppender extends UnsynchronizedAppenderBase { // See // https://github.com/googleapis/release-please/blob/main/docs/customizing.md#updating-arbitrary-files // {x-version-update-start:google-cloud-logging-logback:current} - public static final String DEFAULT_INSTRUMENTATION_VERSION = "0.132.17-alpha"; + public static final String DEFAULT_INSTRUMENTATION_VERSION = "0.132.18-alpha-SNAPSHOT"; // {x-version-update-end} private static boolean instrumentationAdded = false; private static final Object instrumentationLock = new Object(); diff --git a/versions.txt b/versions.txt index feee45446..0c17ffe15 100644 --- a/versions.txt +++ b/versions.txt @@ -1,4 +1,4 @@ # Format: # module:released-version:current-version -google-cloud-logging-logback:0.132.17-alpha:0.132.17-alpha +google-cloud-logging-logback:0.132.17-alpha:0.132.18-alpha-SNAPSHOT From 0779caec8b3707d97b96070364886b7b1b3fdde3 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 21 Oct 2025 15:05:57 +0100 Subject: [PATCH 4/5] deps: update dependency com.google.cloud:google-cloud-logging to v3.23.7 (#1535) --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 48e409081..fe4fabd26 100644 --- a/pom.xml +++ b/pom.xml @@ -17,7 +17,7 @@ 1.2.13 5.6.0 1.4.4 - 3.23.6 + 3.23.7 1.7.36 1.10.1 From de8a2305c56a09f4e411737ba96fc7500bdb823d Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Tue, 21 Oct 2025 10:20:36 -0400 Subject: [PATCH 5/5] chore(main): release 0.132.18-alpha (#1534) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 13 +++++++++++++ pom.xml | 2 +- samples/snapshot/pom.xml | 2 +- .../cloud/logging/logback/LoggingAppender.java | 2 +- versions.txt | 2 +- 5 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ef4b1b1f..a1cb64520 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,19 @@ # Changelog +## [0.132.18-alpha](https://github.com/googleapis/java-logging-logback/compare/v0.132.17-alpha...v0.132.18-alpha) (2025-10-21) + + +### Bug Fixes + +* Add setCredentials method as alternative for setCredentialsFile in LoggingAppender ([#1530](https://github.com/googleapis/java-logging-logback/issues/1530)) ([419a943](https://github.com/googleapis/java-logging-logback/commit/419a9438193586afb7986ccee59d19e9e364ec98)) + + +### Dependencies + +* Update dependency com.google.cloud:google-cloud-logging to v3.23.7 ([#1535](https://github.com/googleapis/java-logging-logback/issues/1535)) ([0779cae](https://github.com/googleapis/java-logging-logback/commit/0779caec8b3707d97b96070364886b7b1b3fdde3)) +* Update dependency com.google.cloud:sdk-platform-java-config to v3.53.0 ([#1533](https://github.com/googleapis/java-logging-logback/issues/1533)) ([dd0f734](https://github.com/googleapis/java-logging-logback/commit/dd0f7344259c94e50fd93a9a83f33b1cb4e55548)) + ## [0.132.17-alpha](https://github.com/googleapis/java-logging-logback/compare/v0.132.16-alpha...v0.132.17-alpha) (2025-10-08) diff --git a/pom.xml b/pom.xml index fe4fabd26..e1745c86e 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ 4.0.0 google-cloud-logging-logback - 0.132.18-alpha-SNAPSHOT + 0.132.18-alpha jar Google Cloud Logging Logback Appender https://github.com/googleapis/java-logging-logback diff --git a/samples/snapshot/pom.xml b/samples/snapshot/pom.xml index 6674d8670..33078f348 100644 --- a/samples/snapshot/pom.xml +++ b/samples/snapshot/pom.xml @@ -28,7 +28,7 @@ com.google.cloud google-cloud-logging-logback - 0.132.18-alpha-SNAPSHOT + 0.132.18-alpha diff --git a/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java b/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java index 382eae014..fa0c8c1e1 100644 --- a/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java +++ b/src/main/java/com/google/cloud/logging/logback/LoggingAppender.java @@ -125,7 +125,7 @@ public class LoggingAppender extends UnsynchronizedAppenderBase { // See // https://github.com/googleapis/release-please/blob/main/docs/customizing.md#updating-arbitrary-files // {x-version-update-start:google-cloud-logging-logback:current} - public static final String DEFAULT_INSTRUMENTATION_VERSION = "0.132.18-alpha-SNAPSHOT"; + public static final String DEFAULT_INSTRUMENTATION_VERSION = "0.132.18-alpha"; // {x-version-update-end} private static boolean instrumentationAdded = false; private static final Object instrumentationLock = new Object(); diff --git a/versions.txt b/versions.txt index 0c17ffe15..f415385b6 100644 --- a/versions.txt +++ b/versions.txt @@ -1,4 +1,4 @@ # Format: # module:released-version:current-version -google-cloud-logging-logback:0.132.17-alpha:0.132.18-alpha-SNAPSHOT +google-cloud-logging-logback:0.132.18-alpha:0.132.18-alpha