feat: Async Refresh for Regional Access Boundaries (#1880)

* Added async logic for RAB refresh/ Now self-signed JWT are in RAB scope. Updated tests.

* Lint fixes.

* Url for RAB to include only GDU. Only 500, 502, 503 and 504 lookup errors are now retryable.

* Addressed some PR comments.

* Made cooldown into an AtomicReference removed the synchronized reference.

* Exclude user-seeded RAB and stale RAB error handling

* Removed the user-seeded and stale RAB errors. Soft-expiry now implemented. Nit fixes.

* getRAB() made package-private

* RAB headers now uses guava.ImmutableMap.

* Self-signed JWT now carry RAB headers, unit test updated. RABManager now considers expiryTime as opposed to start time. Minor fixes.

* forkJoin.common pool is no longer used -> now using the executor (in case of async token refresh) or instantiate a new thread.

* Removed Env variables gating RAB.

* Test fix to account for RAB refresh.

* self-signed RAB refresh moved to a helper. Added comments to explain thread vs CompletebleFuture.runAsync.

* Added doc for cooldown logic.

* RAB staleness due to Oauth caching and flaky tests fixed.

* Fixed -> 1. getRequestMetadata calls refreshTrustBoundaryIfExpired without a try catch block. 2. Lock acquiral for refreshFuture.compareAndSet(null, future) now fixed. 3. Oauth2Credentials isn't caching RAB which was earlier leading to serialization issues.

* Using per-instance clocks.

* Reintroduced env variables.

* lint fix.

* Added a readObject metod which reinitializes the clock to Clock.system upon deserialization.

* Changed to guava future.

* Executor is no longer used to execute RAB refresh.

* Addressed Lawrence's comments on RAB PR.

Author: vverman

.gitignore

@@ -16,4 +16,8 @@ target/
 .vscode/
 
 # MacOS
-.DS_Store
+.DS_Store
+
+# Conductor and Gemini
+conductor/
+Gemini/

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -83,7 +83,7 @@
  * <p>These credentials use the IAM API to sign data. See {@link #sign(byte[])} for more details.
  */
 public class ComputeEngineCredentials extends GoogleCredentials
-    implements ServiceAccountSigner, IdTokenProvider, TrustBoundaryProvider {
+    implements ServiceAccountSigner, IdTokenProvider, RegionalAccessBoundaryProvider {
 
   static final String METADATA_RESPONSE_EMPTY_CONTENT_ERROR_MESSAGE =
       "Empty content from metadata token server request.";
@@ -386,11 +386,7 @@ public AccessToken refreshAccessToken() throws IOException {
     int expiresInSeconds =
         OAuth2Utils.validateInt32(responseData, "expires_in", PARSE_ERROR_PREFIX);
     long expiresAtMilliseconds = clock.currentTimeMillis() + expiresInSeconds * 1000;
-    AccessToken newAccessToken = new AccessToken(accessToken, new Date(expiresAtMilliseconds));
-
-    refreshTrustBoundary(newAccessToken, transportFactory);
-
-    return newAccessToken;
+    return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
   }
 
   /**
@@ -694,6 +690,11 @@ public static Builder newBuilder() {
    *
    * @throws RuntimeException if the default service account cannot be read
    */
+  @Override
+  HttpTransportFactory getTransportFactory() {
+    return transportFactory;
+  }
+
   @Override
   // todo(#314) getAccount should not throw a RuntimeException
   public String getAccount() {
@@ -709,11 +710,9 @@ public String getAccount() {
 
   @InternalApi
   @Override
-  public String getTrustBoundaryUrl() throws IOException {
+  public String getRegionalAccessBoundaryUrl() throws IOException {
     return String.format(
-        OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
-        getUniverseDomain(),
-        getAccount());
+        OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT, getAccount());
   }
 
   /**

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -80,7 +80,7 @@
  * </pre>
  */
 public class ExternalAccountAuthorizedUserCredentials extends GoogleCredentials
-    implements TrustBoundaryProvider {
+    implements RegionalAccessBoundaryProvider {
 
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
 
@@ -214,28 +214,28 @@ public AccessToken refreshAccessToken() throws IOException {
       this.refreshToken = refreshToken;
     }
 
-    AccessToken newAccessToken =
-        AccessToken.newBuilder()
-            .setExpirationTime(expiresAtMilliseconds)
-            .setTokenValue(accessToken)
-            .build();
-
-    refreshTrustBoundary(newAccessToken, transportFactory);
-    return newAccessToken;
+    return AccessToken.newBuilder()
+        .setExpirationTime(expiresAtMilliseconds)
+        .setTokenValue(accessToken)
+        .build();
   }
 
   @InternalApi
   @Override
-  public String getTrustBoundaryUrl() throws IOException {
+  public String getRegionalAccessBoundaryUrl() throws IOException {
     Matcher matcher = WORKFORCE_AUDIENCE_PATTERN.matcher(getAudience());
     if (!matcher.matches()) {
       throw new IllegalStateException(
           "The provided audience is not in the correct format for a workforce pool. "
               + "Refer: https://docs.cloud.google.com/iam/docs/principal-identifiers");
     }
     String poolId = matcher.group("pool");
-    return String.format(
-        IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL, getUniverseDomain(), poolId);
+    return String.format(IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL, poolId);
+  }
+
+  @Override
+  HttpTransportFactory getTransportFactory() {
+    return transportFactory;
   }
 
   @Nullable

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -69,7 +69,7 @@
  * account impersonation.
  */
 public abstract class ExternalAccountCredentials extends GoogleCredentials
-    implements TrustBoundaryProvider {
+    implements RegionalAccessBoundaryProvider {
 
   private static final long serialVersionUID = 8049126194174465023L;
 
@@ -532,11 +532,7 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
       this.impersonatedCredentials = this.buildImpersonatedCredentials();
     }
     if (this.impersonatedCredentials != null) {
-      AccessToken accessToken = this.impersonatedCredentials.refreshAccessToken();
-      // After the impersonated credential refreshes, its trust boundary is
-      // also refreshed. That is the trust boundary we will use.
-      this.trustBoundary = this.impersonatedCredentials.getTrustBoundary();
-      return accessToken;
+      return this.impersonatedCredentials.refreshAccessToken();
     }
 
     StsRequestHandler.Builder requestHandler =
@@ -565,9 +561,7 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
     }
 
     StsTokenExchangeResponse response = requestHandler.build().exchangeToken();
-    AccessToken accessToken = response.getAccessToken();
-    refreshTrustBoundary(accessToken, transportFactory);
-    return accessToken;
+    return response.getAccessToken();
   }
 
   /**
@@ -581,6 +575,11 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
    */
   public abstract String retrieveSubjectToken() throws IOException;
 
+  @Override
+  HttpTransportFactory getTransportFactory() {
+    return transportFactory;
+  }
+
   public String getAudience() {
     return audience;
   }
@@ -626,14 +625,18 @@ public String getServiceAccountEmail() {
 
   @InternalApi
   @Override
-  public String getTrustBoundaryUrl() {
+  public String getRegionalAccessBoundaryUrl() throws IOException {
+    if (getServiceAccountEmail() != null) {
+      return String.format(
+          OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
+          getServiceAccountEmail());
+    }
+
     Matcher workforceMatcher = WORKFORCE_AUDIENCE_PATTERN.matcher(getAudience());
     if (workforceMatcher.matches()) {
       String poolId = workforceMatcher.group("pool");
       return String.format(
-          OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL,
-          getUniverseDomain(),
-          poolId);
+          OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL, poolId);
     }
 
     Matcher workloadMatcher = WORKLOAD_AUDIENCE_PATTERN.matcher(getAudience());
@@ -642,7 +645,6 @@ public String getTrustBoundaryUrl() {
       String poolId = workloadMatcher.group("pool");
       return String.format(
           OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKLOAD_POOL,
-          getUniverseDomain(),
           projectNumber,
           poolId);
     }