docs: add warning against accepting untrusted credentials (#8043)

PiperOrigin-RevId: 719330114
Source-Link: googleapis/googleapis@9e0f143
Source-Link: googleapis/googleapis-gen@9612bdf
Copy-Tag: eyJwIjoiT3NDb25maWcvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiT3NMb2dpbi8uT3dsQm90LnlhbWwiLCJoIjoiOTYxMmJkZjg2Y2RiMWE4OTQ4NTk4MDZmMzM5NTgyOWYxY2JhNGYxYyJ9
Copy-Tag: eyJwIjoiUGFyYWxsZWxzdG9yZS8uT3dsQm90LnlhbWwiLCJoIjoiOTYxMmJkZjg2Y2RiMWE4OTQ4NTk4MDZmMzM5NTgyOWYxY2JhNGYxYyJ9
Copy-Tag: eyJwIjoiUGFyYW1ldGVyTWFuYWdlci8uT3dsQm90LnlhbWwiLCJoIjoiOTYxMmJkZjg2Y2RiMWE4OTQ4NTk4MDZmMzM5NTgyOWYxY2JhNGYxYyJ9
Copy-Tag: eyJwIjoiUG9saWN5U2ltdWxhdG9yLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiUG9saWN5VHJvdWJsZXNob290ZXIvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiUG9saWN5VHJvdWJsZXNob290ZXJJYW0vLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiUHJpdmF0ZUNhdGFsb2cvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiUHJpdmlsZWdlZEFjY2Vzc01hbmFnZXIvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiUHJvZmlsZXIvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiUHViU3ViLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiUXVvdGFzLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiUmFwaWRNaWdyYXRpb25Bc3Nlc3NtZW50Ly5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiUmVjYXB0Y2hhRW50ZXJwcmlzZS8uT3dsQm90LnlhbWwiLCJoIjoiOTYxMmJkZjg2Y2RiMWE4OTQ4NTk4MDZmMzM5NTgyOWYxY2JhNGYxYyJ9
Copy-Tag: eyJwIjoiUmVjb21tZW5kYXRpb25FbmdpbmUvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiUmVjb21tZW5kZXIvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiUmVkaXMvLk93bEJvdC55YW1sIiwiaCI6Ijk2MTJiZGY4NmNkYjFhODk0ODU5ODA2ZjMzOTU4MjlmMWNiYTRmMWMifQ==
Copy-Tag: eyJwIjoiUmVkaXNDbHVzdGVyLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiUmVzb3VyY2VNYW5hZ2VyLy5Pd2xCb3QueWFtbCIsImgiOiI5NjEyYmRmODZjZGIxYTg5NDg1OTgwNmYzMzk1ODI5ZjFjYmE0ZjFjIn0=
Copy-Tag: eyJwIjoiUmVzb3VyY2VTZXR0aW5ncy8uT3dsQm90LnlhbWwiLCJoIjoiOTYxMmJkZjg2Y2RiMWE4OTQ4NTk4MDZmMzM5NTgyOWYxY2JhNGYxYyJ9

OsConfig/src/V1/Client/OsConfigServiceClient.php

@@ -215,6 +215,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

OsConfig/src/V1/Client/OsConfigZonalServiceClient.php

@@ -410,6 +410,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

OsLogin/src/V1/Client/OsLoginServiceClient.php

@@ -210,6 +210,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Parallelstore/src/V1/Client/ParallelstoreClient.php

@@ -317,6 +317,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Parallelstore/src/V1beta/Client/ParallelstoreClient.php

@@ -337,6 +337,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

ParameterManager/src/V1/Client/ParameterManagerClient.php

@@ -228,6 +228,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

PolicySimulator/src/V1/Client/SimulatorClient.php

@@ -290,6 +290,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

PolicyTroubleshooter/src/V1/Client/IamCheckerClient.php

@@ -108,6 +108,12 @@ private static function getClientDefaults()
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

PolicyTroubleshooterIam/src/V3/Client/PolicyTroubleshooterClient.php

@@ -108,6 +108,12 @@ private static function getClientDefaults()
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

PrivateCatalog/src/V1beta1/Client/PrivateCatalogClient.php

@@ -134,6 +134,12 @@ private static function getClientDefaults()
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

PrivilegedAccessManager/src/V1/Client/PrivilegedAccessManagerClient.php

@@ -485,6 +485,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Profiler/src/V2/Client/ExportServiceClient.php

@@ -157,6 +157,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

Profiler/src/V2/Client/ProfilerServiceClient.php

@@ -182,6 +182,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see

PubSub/src/V1/Client/PublisherClient.php

@@ -27,6 +27,7 @@
 use Google\ApiCore\ApiException;
 use Google\ApiCore\CredentialsWrapper;
 use Google\ApiCore\GapicClientTrait;
+use Google\ApiCore\InsecureCredentialsWrapper;
 use Google\ApiCore\PagedListResponse;
 use Google\ApiCore\ResourceHelperTrait;
 use Google\ApiCore\RetrySettings;
@@ -49,6 +50,7 @@
 use Google\Cloud\PubSub\V1\PublishResponse;
 use Google\Cloud\PubSub\V1\Topic;
 use Google\Cloud\PubSub\V1\UpdateTopicRequest;
+use Grpc\ChannelCredentials;
 use GuzzleHttp\Promise\PromiseInterface;
 use Psr\Log\LoggerInterface;
 
@@ -252,6 +254,10 @@ public static function parseName(string $formattedName, ?string $template = null
     /**
      * Constructor.
      *
+     * Setting the "PUBSUB_EMULATOR_HOST" environment variable will automatically set
+     * the API Endpoint to the value specified in the variable, as well as ensure that
+     * empty credentials are used in the transport layer.
+     *
      * @param array $options {
      *     Optional. Options for configuring the service API wrapper.
      *
@@ -266,6 +272,12 @@ public static function parseName(string $formattedName, ?string $template = null
      *           {@see \Google\Auth\FetchAuthTokenInterface} object or
      *           {@see \Google\ApiCore\CredentialsWrapper} object. Note that when one of these
      *           objects are provided, any settings in $credentialsConfig will be ignored.
+     *           *Important*: If you accept a credential configuration (credential
+     *           JSON/File/Stream) from an external source for authentication to Google Cloud
+     *           Platform, you must validate it before providing it to any Google API or library.
+     *           Providing an unvalidated credential configuration to Google APIs can compromise
+     *           the security of your systems and data. For more information {@see
+     *           https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
      *     @type array $credentialsConfig
      *           Options used to configure credentials, including auth token caching, for the
      *           client. For a full list of supporting configuration options, see
@@ -308,6 +320,7 @@ public static function parseName(string $formattedName, ?string $template = null
      */
     public function __construct(array $options = [])
     {
+        $options = $this->setDefaultEmulatorConfig($options);
         $clientOptions = $this->buildClientOptions($options);
         $this->setClientOptions($clientOptions);
     }
@@ -657,4 +670,23 @@ public function testIamPermissions(TestIamPermissionsRequest $request, array $ca
     {
         return $this->startApiCall('TestIamPermissions', $request, $callOptions)->wait();
     }
+
+    /** Configure the gapic configuration to use a service emulator. */
+    private function setDefaultEmulatorConfig(array $options): array
+    {
+        $emulatorHost = getenv('PUBSUB_EMULATOR_HOST');
+        if (empty($emulatorHost)) {
+            return $options;
+        }
+
+        if ($scheme = parse_url($emulatorHost, PHP_URL_SCHEME)) {
+            $search = $scheme . '://';
+            $emulatorHost = str_replace($search, '', $emulatorHost);
+        }
+
+        $options['apiEndpoint'] ??= $emulatorHost;
+        $options['transportConfig']['grpc']['stubOpts']['credentials'] ??= ChannelCredentials::createInsecure();
+        $options['credentials'] ??= new InsecureCredentialsWrapper();
+        return $options;
+    }
 }