fix: revert templates for iam endpoints (#1614)

* fix: revert templates for iam endpoints

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* tests update

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: TimurSadykov

google/auth/iam.py

@@ -25,6 +25,7 @@
 
 from google.auth import _exponential_backoff
 from google.auth import _helpers
+from google.auth import credentials
 from google.auth import crypt
 from google.auth import exceptions
 
@@ -38,16 +39,18 @@
 _IAM_SCOPE = ["https://www.googleapis.com/auth/iam"]
 
 _IAM_ENDPOINT = (
-    "https://iamcredentials.{}/v1/projects/-"
+    "https://iamcredentials.googleapis.com/v1/projects/-"
     + "/serviceAccounts/{}:generateAccessToken"
 )
 
 _IAM_SIGN_ENDPOINT = (
-    "https://iamcredentials.{}/v1/projects/-" + "/serviceAccounts/{}:signBlob"
+    "https://iamcredentials.googleapis.com/v1/projects/-"
+    + "/serviceAccounts/{}:signBlob"
 )
 
 _IAM_IDTOKEN_ENDPOINT = (
-    "https://iamcredentials.{}/v1/" + "projects/-/serviceAccounts/{}:generateIdToken"
+    "https://iamcredentials.googleapis.com/v1/"
+    + "projects/-/serviceAccounts/{}:generateIdToken"
 )
 
 
@@ -87,9 +90,9 @@ def _make_signing_request(self, message):
         message = _helpers.to_bytes(message)
 
         method = "POST"
-        url = _IAM_SIGN_ENDPOINT.format(
-            self._credentials.universe_domain, self._service_account_email
-        )
+        url = _IAM_SIGN_ENDPOINT.replace(
+            credentials.DEFAULT_UNIVERSE_DOMAIN, self._credentials.universe_domain
+        ).format(self._service_account_email)
         headers = {"Content-Type": "application/json"}
         body = json.dumps(
             {"payload": base64.b64encode(message).decode("utf-8")}

google/auth/impersonated_credentials.py

@@ -67,9 +67,9 @@ def _make_iam_token_request(
             `iamcredentials.googleapis.com` is not enabled or the
             `Service Account Token Creator` is not assigned
     """
-    iam_endpoint = iam_endpoint_override or iam._IAM_ENDPOINT.format(
-        universe_domain, principal
-    )
+    iam_endpoint = iam_endpoint_override or iam._IAM_ENDPOINT.replace(
+        credentials.DEFAULT_UNIVERSE_DOMAIN, universe_domain
+    ).format(principal)
 
     body = json.dumps(body).encode("utf-8")
 
@@ -282,9 +282,9 @@ def _update_token(self, request):
     def sign_bytes(self, message):
         from google.auth.transport.requests import AuthorizedSession
 
-        iam_sign_endpoint = iam._IAM_SIGN_ENDPOINT.format(
-            self.universe_domain, self._target_principal
-        )
+        iam_sign_endpoint = iam._IAM_SIGN_ENDPOINT.replace(
+            credentials.DEFAULT_UNIVERSE_DOMAIN, self.universe_domain
+        ).format(self._target_principal)
 
         body = {
             "payload": base64.b64encode(message).decode("utf-8"),
@@ -434,10 +434,10 @@ def with_quota_project(self, quota_project_id):
     def refresh(self, request):
         from google.auth.transport.requests import AuthorizedSession
 
-        iam_sign_endpoint = iam._IAM_IDTOKEN_ENDPOINT.format(
+        iam_sign_endpoint = iam._IAM_IDTOKEN_ENDPOINT.replace(
+            credentials.DEFAULT_UNIVERSE_DOMAIN,
             self._target_credentials.universe_domain,
-            self._target_credentials.signer_email,
-        )
+        ).format(self._target_credentials.signer_email)
 
         body = {
             "audience": self._target_audience,

google/oauth2/_client.py

@@ -30,6 +30,7 @@
 
 from google.auth import _exponential_backoff
 from google.auth import _helpers
+from google.auth import credentials
 from google.auth import exceptions
 from google.auth import jwt
 from google.auth import metrics
@@ -344,7 +345,9 @@ def call_iam_generate_id_token_endpoint(
 
     response_data = _token_endpoint_request(
         request,
-        iam_id_token_endpoint.format(universe_domain, signer_email),
+        iam_id_token_endpoint.replace(
+            credentials.DEFAULT_UNIVERSE_DOMAIN, universe_domain
+        ).format(signer_email),
         body,
         access_token=access_token,
         use_json=True,

tests/oauth2/test_service_account.py

@@ -798,7 +798,6 @@ def test_refresh_iam_flow(self, call_iam_generate_id_token_endpoint):
         assert target_audience == "https://example.com"
         decoded_access_token = jwt.decode(access_token, verify=False)
         assert decoded_access_token["scope"] == "https://www.googleapis.com/auth/iam"
-        assert universe_domain == "googleapis.com"
 
     @mock.patch(
         "google.oauth2._client.call_iam_generate_id_token_endpoint", autospec=True
@@ -818,13 +817,12 @@ def test_refresh_iam_flow_non_gdu(self, call_iam_generate_id_token_endpoint):
         assert req == request
         assert (
             iam_endpoint
-            == "https://iamcredentials.{}/v1/projects/-/serviceAccounts/{}:generateIdToken"
+            == "https://iamcredentials.fake-universe/v1/projects/-/serviceAccounts/{}:generateIdToken"
         )
         assert signer_email == "service-account@example.com"
         assert target_audience == "https://example.com"
         decoded_access_token = jwt.decode(access_token, verify=False)
         assert decoded_access_token["scope"] == "https://www.googleapis.com/auth/iam"
-        assert universe_domain == "fake-universe"
 
     @mock.patch("google.oauth2._client.id_token_jwt_grant", autospec=True)
     def test_before_request_refreshes(self, id_token_jwt_grant):