feat: add soft expiry logic and tests

Author: nbayati

google/auth/_regional_access_boundary_utils.py

@@ -13,6 +13,10 @@
 # The default lifetime for a cached Regional Access Boundary.
 DEFAULT_REGIONAL_ACCESS_BOUNDARY_TTL = datetime.timedelta(hours=6)
 
+# The period of time prior to the boundary's expiration when a background refresh
+# is proactively triggered.
+REGIONAL_ACCESS_BOUNDARY_REFRESH_THRESHOLD = datetime.timedelta(hours=1)
+
 # The initial cooldown period for a failed Regional Access Boundary lookup.
 DEFAULT_REGIONAL_ACCESS_BOUNDARY_COOLDOWN = datetime.timedelta(minutes=15)
 

google/auth/credentials.py

@@ -390,11 +390,15 @@ def _maybe_start_regional_access_boundary_refresh(self, request, url):
         if not self._is_regional_access_boundary_lookup_required():
             return
 
-        # Don't start a new refresh if the Regional Access Boundary info is still valid.
+        # Don't start a new refresh if the Regional Access Boundary info is still fresh.
+        refresh_threshold = (
+            _regional_access_boundary_utils.REGIONAL_ACCESS_BOUNDARY_REFRESH_THRESHOLD
+        )
         if (
             self._regional_access_boundary
             and self._regional_access_boundary_expiry
-            and _helpers.utcnow() < self._regional_access_boundary_expiry
+            and _helpers.utcnow()
+            < (self._regional_access_boundary_expiry - refresh_threshold)
         ):
             return
 

tests/test_credentials.py

@@ -397,9 +397,9 @@ def test_maybe_start_refresh_is_skipped_if_env_var_not_set(
     )
     def test_maybe_start_refresh_is_skipped_if_not_expired(self, mock_start_refresh):
         creds = CredentialsImpl()
-        creds._regional_access_boundary = {"encodedLocations": "test"}
+        creds._regional_access_boundary = {"encodedLocations": "0xABC"}
         creds._regional_access_boundary_expiry = _helpers.utcnow() + datetime.timedelta(
-            minutes=5
+            hours=2
         )
         with mock.patch.dict(
             os.environ,
@@ -410,6 +410,24 @@ def test_maybe_start_refresh_is_skipped_if_not_expired(self, mock_start_refresh)
             )
         mock_start_refresh.assert_not_called()
 
+    @mock.patch(
+        "google.auth._regional_access_boundary_utils._RegionalAccessBoundaryRefreshManager.start_refresh"
+    )
+    def test_maybe_start_refresh_triggered_if_soft_expired(self, mock_start_refresh):
+        creds = CredentialsImpl()
+        creds._regional_access_boundary = {"encodedLocations": "0xABC"}
+
+        creds._regional_access_boundary_expiry = _helpers.utcnow() + datetime.timedelta(
+            minutes=30
+        )
+        request = mock.Mock()
+        with mock.patch.dict(
+            os.environ,
+            {environment_vars.GOOGLE_AUTH_TRUST_BOUNDARY_ENABLED: "true"},
+        ):
+            creds._maybe_start_regional_access_boundary_refresh(request, "http://example.com")
+        mock_start_refresh.assert_called_once_with(creds, request)
+
     @mock.patch(
         "google.auth._regional_access_boundary_utils._RegionalAccessBoundaryRefreshManager.start_refresh"
     )