[no ticket][risk=low] Upgrade auth library and use legacy bundle serv…

…ice (#8487)

* bump version

* bump version

* bring appengine bundle back

* downgrade version

* bring app engine back

* remove debug logging

api/build.gradle

@@ -6,6 +6,7 @@ buildscript {
     // External properties on the default project. Values declared in ext blocks
     // outside of the buildscript block aren't usable here.
     ext {
+        GAE_VERSION = '2.0.9'
         GOOGLE_TRUTH_VERSION = '1.1.3'
         GSON_VERSION = '2.9.0'
         HIBERNATE_VERSION = '5.6.15.Final'
@@ -425,15 +426,15 @@ dependencies {
 
     // TODO: consider switching google deps to the BOM.  https://cloud.google.com/java/docs/bom
 
-    implementation 'com.google.api-client:google-api-client-appengine:1.35.2'
+    implementation "com.google.appengine:appengine-api-1.0-sdk:$project.ext.GAE_VERSION"
     implementation 'com.google.apis:google-api-services-admin-directory:directory_v1-rev20220919-2.0.0'
     implementation 'com.google.apis:google-api-services-cloudbilling:v1-rev20220908-2.0.0'
     implementation 'com.google.apis:google-api-services-cloudresourcemanager:v3-rev20220925-2.0.0'
     implementation 'com.google.apis:google-api-services-oauth2:v2-rev20200213-2.0.0'
     implementation 'com.google.apis:google-api-services-iam:v1-rev20220825-2.0.0'
     implementation 'com.google.api-client:google-api-client-appengine:2.2.0'
-    implementation 'com.google.auth:google-auth-library-appengine:1.11.0'
-    implementation 'com.google.auth:google-auth-library-oauth2-http:1.11.0'
+    implementation 'com.google.auth:google-auth-library-appengine:1.23.0'
+    implementation 'com.google.auth:google-auth-library-oauth2-http:1.23.0'
     implementation 'com.google.cloud.sql:mysql-socket-factory:1.7.0'
     implementation 'com.google.cloud:google-cloud-bigquery:2.25.0'
     implementation 'com.google.cloud:google-cloud-iamcredentials:2.3.6'

api/src/main/java/org/pmiops/workbench/auth/ServiceAccounts.java

@@ -1,5 +1,9 @@
 package org.pmiops.workbench.auth;
 
+import static org.pmiops.workbench.utils.AppEngineUtils.IS_GAE;
+
+import com.google.appengine.api.appidentity.AppIdentityServiceFactory;
+import com.google.auth.appengine.AppEngineCredentials;
 import com.google.auth.oauth2.GoogleCredentials;
 import java.io.IOException;
 import java.util.List;
@@ -34,7 +38,16 @@ public class ServiceAccounts {
    */
   public static GoogleCredentials getScopedServiceCredentials(List<String> scopes)
       throws IOException {
-    GoogleCredentials credentials = GoogleCredentials.getApplicationDefault().createScoped(scopes);
+    GoogleCredentials credentials;
+    if (IS_GAE) {
+      credentials =
+          AppEngineCredentials.newBuilder()
+              .setScopes(scopes)
+              .setAppIdentityService(AppIdentityServiceFactory.getAppIdentityService())
+              .build();
+    } else {
+      credentials = GoogleCredentials.getApplicationDefault().createScoped(scopes);
+    }
     credentials.refreshIfExpired();
     return credentials;
   }

api/src/main/java/org/pmiops/workbench/utils/AppEngineUtils.java

@@ -0,0 +1,7 @@
+package org.pmiops.workbench.utils;
+
+public class AppEngineUtils {
+  public static boolean IS_GAE =
+      System.getProperty("com.google.appengine.runtime.version") != null
+          && !System.getProperty("com.google.appengine.runtime.version").startsWith("dev");
+}

api/src/main/webapp/WEB-INF/appengine-web.xml.template

@@ -13,6 +13,7 @@
     <env-var name="CDR_DB_PASSWORD" value="${CDR_DB_PASSWORD}" />
   </env-variables>
 
+ <app-engine-apis>true</app-engine-apis>
   <system-properties>
     <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
   </system-properties>