fix(bqjdbc): support Service Account Impersonation in ADC

java-bigquery/google-cloud-bigquery-jdbc/pom.xml

@@ -307,6 +307,11 @@
       <artifactId>mockito-core</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-inline</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-junit-jupiter</artifactId>

java-bigquery/google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcOAuthUtility.java

@@ -230,26 +230,22 @@ static Map<String, String> parseOAuthProperties(DataSource ds, String callerClas
         break;
     }
 
-    if (authType == AuthType.GOOGLE_SERVICE_ACCOUNT
-        || authType == AuthType.GOOGLE_USER_ACCOUNT
-        || authType == AuthType.PRE_GENERATED_TOKEN) {
-      oauthProperties.put(
-          BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_EMAIL_PROPERTY_NAME,
-          ds.getOAuthSAImpersonationEmail());
-      oauthProperties.put(
-          BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_CHAIN_PROPERTY_NAME,
-          ds.getOAuthSAImpersonationChain());
-      oauthProperties.put(
-          BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_SCOPES_PROPERTY_NAME,
-          ds.getOAuthSAImpersonationScopes() != null
-              ? ds.getOAuthSAImpersonationScopes()
-              : BIGQUERY_SCOPE);
-      oauthProperties.put(
-          BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_TOKEN_LIFETIME_PROPERTY_NAME,
-          ds.getOAuthSAImpersonationTokenLifetime() != null
-              ? ds.getOAuthSAImpersonationTokenLifetime()
-              : BigQueryJdbcUrlUtility.DEFAULT_OAUTH_SA_IMPERSONATION_TOKEN_LIFETIME_VALUE);
-    }
+    oauthProperties.put(
+        BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_EMAIL_PROPERTY_NAME,
+        ds.getOAuthSAImpersonationEmail());
+    oauthProperties.put(
+        BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_CHAIN_PROPERTY_NAME,
+        ds.getOAuthSAImpersonationChain());
+    oauthProperties.put(
+        BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_SCOPES_PROPERTY_NAME,
+        ds.getOAuthSAImpersonationScopes() != null
+            ? ds.getOAuthSAImpersonationScopes()
+            : BIGQUERY_SCOPE);
+    oauthProperties.put(
+        BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_TOKEN_LIFETIME_PROPERTY_NAME,
+        ds.getOAuthSAImpersonationTokenLifetime() != null
+            ? ds.getOAuthSAImpersonationTokenLifetime()
+            : BigQueryJdbcUrlUtility.DEFAULT_OAUTH_SA_IMPERSONATION_TOKEN_LIFETIME_VALUE);
     return oauthProperties;
   }
 
@@ -284,12 +280,9 @@ static GoogleCredentials getCredentials(
             getPreGeneratedTokensCredentials(authProperties, overrideProperties, callerClassName);
         break;
       case APPLICATION_DEFAULT_CREDENTIALS:
-        // This auth method doesn't support service account impersonation
-
         credentials = getApplicationDefaultCredentials(callerClassName);
         break;
       case EXTERNAL_ACCOUNT_AUTH:
-        // This auth method doesn't support service account impersonation
         credentials = getExternalAccountAuthCredentials(authProperties, callerClassName);
         break;
       default:

java-bigquery/google-cloud-bigquery-jdbc/src/test/java/com/google/cloud/bigquery/jdbc/BigQueryCallableStatementTest.java

@@ -914,7 +914,7 @@ public void testSetDateCalParamByName() throws SQLException {
     Calendar expectedCal = mock(Calendar.class);
 
     doReturn(1L).when(expectedDate).getTime();
-    doReturn(1L).when(expectedCal).getTime();
+    doReturn(new java.util.Date(1L)).when(expectedCal).getTime();
     doReturn(1L).when(expectedCal).getTimeInMillis();
     statement.setDate(PARAM_KEY, expectedDate, expectedCal);
     Date actual = statement.getDate(PARAM_KEY);
@@ -1033,7 +1033,7 @@ public void testSetTimeCalParamByName() throws SQLException {
     Calendar expectedCal = mock(Calendar.class);
 
     doReturn(1L).when(expectedTime).getTime();
-    doReturn(1L).when(expectedCal).getTime();
+    doReturn(new java.util.Date(1L)).when(expectedCal).getTime();
     doReturn(1L).when(expectedCal).getTimeInMillis();
     statement.setTime(PARAM_KEY, expectedTime, expectedCal);
     Time actual = statement.getTime(PARAM_KEY);
@@ -1062,7 +1062,7 @@ public void testSetTimestampCalParamByName() throws SQLException {
     Calendar expectedCal = mock(Calendar.class);
 
     doReturn(1L).when(expectedTimestamp).getTime();
-    doReturn(1L).when(expectedCal).getTime();
+    doReturn(new java.util.Date(1L)).when(expectedCal).getTime();
     doReturn(1L).when(expectedCal).getTimeInMillis();
     statement.setTimestamp(PARAM_KEY, expectedTimestamp, expectedCal);
     Timestamp actual = statement.getTimestamp(PARAM_KEY);

java-bigquery/google-cloud-bigquery-jdbc/src/test/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcOAuthUtilityTest.java

@@ -377,6 +377,48 @@ public void testParseUserImpersonationNonDefault() {
         result.get(BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_TOKEN_LIFETIME_PROPERTY_NAME));
   }
 
+  @Test
+  public void testParseUserImpersonationForADC() {
+    Map<String, String> result =
+        BigQueryJdbcOAuthUtility.parseOAuthProperties(
+            DataSource.fromUrl(
+                "jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;"
+                    + "OAuthType=3;ProjectId=MyBigQueryProject;"
+                    + "ServiceAccountImpersonationEmail=impersonated@email.com;"),
+            "");
+
+    assertEquals("APPLICATION_DEFAULT_CREDENTIALS", result.get("OAuthType"));
+    assertEquals(
+        "impersonated@email.com",
+        result.get(BigQueryJdbcUrlUtility.OAUTH_SA_IMPERSONATION_EMAIL_PROPERTY_NAME));
+  }
+
+  @Test
+  public void testGetServiceAccountImpersonatedCredentialsForADC() throws Exception {
+    GoogleCredentials dummySourceCredentials = GoogleCredentials.newBuilder().build();
+
+    try (org.mockito.MockedStatic<GoogleCredentials> mockedCreds =
+        org.mockito.Mockito.mockStatic(GoogleCredentials.class)) {
+      mockedCreds.when(GoogleCredentials::getApplicationDefault).thenReturn(dummySourceCredentials);
+
+      Map<String, String> authProperties =
+          BigQueryJdbcOAuthUtility.parseOAuthProperties(
+              DataSource.fromUrl(
+                  "jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;"
+                      + "OAuthType=3;ProjectId=MyBigQueryProject;"
+                      + "ServiceAccountImpersonationEmail=impersonated@email.com;"),
+              "");
+
+      GoogleCredentials credentials =
+          BigQueryJdbcOAuthUtility.getCredentials(
+              authProperties, java.util.Collections.EMPTY_MAP, false, null);
+
+      assertThat(credentials).isInstanceOf(ImpersonatedCredentials.class);
+      assertThat(((ImpersonatedCredentials) credentials).getSourceCredentials())
+          .isEqualTo(dummySourceCredentials);
+    }
+  }
+
   @Test
   public void testGetServiceAccountImpersonatedCredentials() {
     Map<String, String> authProperties =

java-bigquery/google-cloud-bigquery-jdbc/src/test/java/com/google/cloud/bigquery/jdbc/it/ITAuthTests.java

@@ -371,4 +371,15 @@ public void testServiceAccountAuthenticationWithChainedImpersonation()
             .toString();
     validateConnection(connection_uri);
   }
+
+  @Test
+  public void testADCAuthenticationWithImpersonation() throws IOException, SQLException {
+    final JsonObject authJson = getAuthJson();
+
+    String connection_uri =
+        getBaseUri(3, authJson.get("project_id").getAsString())
+            .append("ServiceAccountImpersonationEmail", authJson.get("client_email").getAsString())
+            .toString();
+    validateConnection(connection_uri);
+  }
 }