Remove manual override and reactie reftesh

Author: nbayati

google/auth/credentials.py

@@ -294,7 +294,7 @@ def with_universe_domain(self, universe_domain):
 
 
 class CredentialsWithRegionalAccessBoundary(Credentials):
-    """Abstract base for credentials supporting ``with_regional_access_boundary`` factory"""
+    """Abstract base for credentials supporting regional access boundary configuration."""
 
     def __init__(self, *args, **kwargs):
         super(CredentialsWithRegionalAccessBoundary, self).__init__(*args, **kwargs)
@@ -323,28 +323,16 @@ def _perform_refresh_token(self, request):
         """
         raise NotImplementedError("_perform_refresh_token must be implemented")
 
-    def with_regional_access_boundary(self, regional_access_boundary):
+    def _with_regional_access_boundary(self, regional_access_boundary):
         """Returns a copy of these credentials with a modified Regional Access Boundary.
-
-        This method allows for manually providing the Regional Access Boundary
-        information, which will be cached with a 6-hour lifetime. This bypasses
-        the initial asynchronous lookup. After the cache expires, the library
-        will trigger a background refresh on the next request.
-
+        This is an internal method used by credential factory methods (e.g., from_info)
+        to seed the RAB cache. The provided value is cached with the default TTL.
         Args:
-            regional_access_boundary (Mapping[str, str]): The Regional Access Boundary
-                to use for the credential. This should be a map with an
-                "encodedLocations" key that maps to a hex string. Optionally,
-                it can also contain a "locations" key with a list of GCP regions.
-                Example: `{"locations": ["us-central1"], "encodedLocations": "0xA30"}`
-
+            regional_access_boundary (dict): Must contain an "encodedLocations" key.
         Returns:
-            google.auth.credentials.Credentials: A new credentials instance
-                with the specified Regional Access Boundary.
-
+            google.auth.credentials.Credentials: A new credentials instance.
         Raises:
-            google.auth.exceptions.InvalidValue: If `regional_access_boundary`
-                is not a dictionary or does not contain the "encodedLocations" key.
+            google.auth.exceptions.InvalidValue: If the input is malformed.
         """
         if (
             not isinstance(regional_access_boundary, dict)
@@ -377,28 +365,6 @@ def _copy_regional_access_boundary_state(self, target):
         # Create a new lock for the target instance to ensure independent thread-safety.
         target._stale_boundary_lock = threading.Lock()
 
-    def handle_stale_regional_access_boundary(self, request):
-        """Handles a stale regional access boundary error.
-        This method is thread-safe and will only initiate a single refresh
-        even if called concurrently.
-        Args:
-            request (google.auth.transport.Request): The object used to make
-                HTTP requests.
-        """
-        with self._stale_boundary_lock:
-            # Another thread might have already handled the stale boundary.
-            if self._regional_access_boundary is None:
-                return
-
-            _LOGGER.info("Stale regional access boundary detected. Refreshing.")
-
-            # Clear the cached boundary.
-            self._regional_access_boundary = None
-            self._regional_access_boundary_expiry = None
-
-            # Start the background refresh.
-            self._regional_access_boundary_refresh_manager.start_refresh(self, request)
-
     def _maybe_start_regional_access_boundary_refresh(self, request, url):
         """
         Starts a background thread to refresh the Regional Access Boundary if needed.

google/auth/external_account.py

@@ -675,7 +675,7 @@ def from_info(cls, info, **kwargs):
 
         regional_access_boundary = info.get("regional_access_boundary")
         if regional_access_boundary:
-            initial_creds = initial_creds.with_regional_access_boundary(
+            initial_creds = initial_creds._with_regional_access_boundary(
                 regional_access_boundary
             )
 

google/auth/external_account_authorized_user.py

@@ -441,7 +441,7 @@ def from_info(cls, info, **kwargs):
 
         regional_access_boundary = info.get("regional_access_boundary")
         if regional_access_boundary:
-            initial_creds = initial_creds.with_regional_access_boundary(
+            initial_creds = initial_creds._with_regional_access_boundary(
                 regional_access_boundary
             )
 

google/auth/impersonated_credentials.py

@@ -360,8 +360,10 @@ def _build_regional_access_boundary_lookup_url(self):
                 "Service account email is required to build the Regional Access Boundary lookup URL for impersonated credentials."
             )
             return None
-        return _constants._SERVICE_ACCOUNT_REGIONAL_ACCESS_BOUNDARY_LOOKUP_ENDPOINT.format(
-            service_account_email=self.service_account_email
+        return (
+            _constants._SERVICE_ACCOUNT_REGIONAL_ACCESS_BOUNDARY_LOOKUP_ENDPOINT.format(
+                service_account_email=self.service_account_email
+            )
         )
 
     def sign_bytes(self, message):
@@ -530,7 +532,7 @@ def from_impersonated_service_account_info(cls, info, scopes=None):
 
         regional_access_boundary = info.get("regional_access_boundary")
         if regional_access_boundary:
-            initial_creds = initial_creds.with_regional_access_boundary(
+            initial_creds = initial_creds._with_regional_access_boundary(
                 regional_access_boundary
             )
 

google/auth/transport/requests.py

@@ -476,18 +476,6 @@ def configure_mtls_channel(self, client_cert_callback=None):
             new_exc = exceptions.MutualTLSChannelError(caught_exc)
             raise new_exc from caught_exc
 
-    def _is_stale_regional_access_boundary_error(self, response):
-        """Checks if the response indicates a stale regional access boundary."""
-        if response.status_code != 406:
-            return False
-
-        try:
-            # The response data is bytes, decode it to a string.
-            response_text = response.content.decode("utf-8")
-            return "stale regional access boundary" in response_text.lower()
-        except (UnicodeDecodeError, AttributeError):
-            return False
-
     def request(
         self,
         method,
@@ -531,7 +519,6 @@ def request(
         # Use a kwarg for this instead of an attribute to maintain
         # thread-safety.
         _credential_refresh_attempt = kwargs.pop("_credential_refresh_attempt", 0)
-        _stale_boundary_retried = kwargs.pop("_stale_boundary_retried", False)
 
         # Make a copy of the headers. They will be modified by the credentials
         # and we want to pass the original headers if we recurse.
@@ -634,28 +621,6 @@ def request(
                 **kwargs
             )
 
-        # If the response indicated a stale regional access boundary, clear the
-        # cached boundary and re-attempt the request. This is only done once.
-        if (
-            self._is_stale_regional_access_boundary_error(response)
-            and not _stale_boundary_retried
-        ):
-            _LOGGER.info(
-                "Stale regional access boundary detected, clearing and retrying."
-            )
-            self.credentials.handle_stale_regional_access_boundary(auth_request)
-            # Recurse, passing in the original headers and marking that we have retried.
-            return self.request(
-                method,
-                url,
-                data=data,
-                headers=headers,
-                max_allowed_time=remaining_time,
-                timeout=timeout,
-                _stale_boundary_retried=True,
-                **kwargs
-            )
-
         return response
 
     @property

google/oauth2/service_account.py

@@ -227,7 +227,7 @@ def _from_signer_and_info(cls, signer, info, **kwargs):
         )
         regional_access_boundary = info.get("regional_access_boundary")
         if regional_access_boundary:
-            initial_creds = initial_creds.with_regional_access_boundary(
+            initial_creds = initial_creds._with_regional_access_boundary(
                 regional_access_boundary
             )
         return initial_creds