Remove unused _trust_boundary field and update unit tests.

Author: nbayati

google/auth/credentials.py

@@ -61,10 +61,6 @@ def __init__(self):
         If this is None, the token is assumed to never expire."""
         self._quota_project_id = None
         """Optional[str]: Project to use for quota and billing purposes."""
-        self._trust_boundary = None
-        """Optional[dict]: Cache of a trust boundary response which has a list
-        of allowed regions and an encoded string representation of credentials
-        trust boundary."""
         self._universe_domain = DEFAULT_UNIVERSE_DOMAIN
         """Optional[str]: The universe domain value, default is googleapis.com
         """

google/oauth2/credentials.py

@@ -87,7 +87,6 @@ def __init__(
         refresh_handler=None,
         enable_reauth_refresh=False,
         granted_scopes=None,
-        trust_boundary=None,
         universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN,
         account=None,
     ):
@@ -131,7 +130,6 @@ def __init__(
             granted_scopes (Optional[Sequence[str]]): The scopes that were consented/granted by the user.
                 This could be different from the requested scopes and it could be empty if granted
                 and requested scopes were same.
-            trust_boundary (str): String representation of trust boundary meta.
             universe_domain (Optional[str]): The universe domain. The default
                 universe domain is googleapis.com.
             account (Optional[str]): The account associated with the credential.
@@ -154,7 +152,6 @@ def __init__(
         self._rapt_token = rapt_token
         self.refresh_handler = refresh_handler
         self._enable_reauth_refresh = enable_reauth_refresh
-        self._trust_boundary = trust_boundary
         self._universe_domain = universe_domain or credentials.DEFAULT_UNIVERSE_DOMAIN
         self._account = account or ""
         self._cred_file_path = None
@@ -192,7 +189,6 @@ def __setstate__(self, d):
         self._quota_project_id = d.get("_quota_project_id")
         self._rapt_token = d.get("_rapt_token")
         self._enable_reauth_refresh = d.get("_enable_reauth_refresh")
-        self._trust_boundary = d.get("_trust_boundary")
         self._universe_domain = (
             d.get("_universe_domain") or credentials.DEFAULT_UNIVERSE_DOMAIN
         )
@@ -300,7 +296,6 @@ def _make_copy(self):
             quota_project_id=self.quota_project_id,
             rapt_token=self.rapt_token,
             enable_reauth_refresh=self._enable_reauth_refresh,
-            trust_boundary=self._trust_boundary,
             universe_domain=self._universe_domain,
             account=self._account,
         )
@@ -494,7 +489,6 @@ def from_authorized_user_info(cls, info, scopes=None):
             quota_project_id=info.get("quota_project_id"),  # may not exist
             expiry=expiry,
             rapt_token=info.get("rapt_token"),  # may not exist
-            trust_boundary=info.get("trust_boundary"),  # may not exist
             universe_domain=info.get("universe_domain"),  # may not exist
             account=info.get("account", ""),  # may not exist
         )

tests/oauth2/test_service_account.py

@@ -529,10 +529,6 @@ def test_refresh_success(self, jwt_grant):
         # Check that the credentials are valid (have a token and are not expired).
         assert credentials.valid
 
-        # Trust boundary should be None since env var is not set and no initial
-        # boundary was provided.
-        assert credentials._trust_boundary is None
-
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     def test_before_request_refreshes(self, jwt_grant):
         credentials = self.make_credentials()

tests/test_aws.py

@@ -2053,9 +2053,6 @@ def test_refresh_success_with_impersonation_ignore_default_scopes(
             "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]),
             "x-goog-user-project": QUOTA_PROJECT_ID,
             "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE,
-            # TODO(negarb): Uncomment and update when trust boundary is supported
-            # for external account credentials.
-            # "x-allowed-locations": "0x0",
         }
         impersonation_request_data = {
             "delegates": None,
@@ -2148,7 +2145,6 @@ def test_refresh_success_with_impersonation_use_default_scopes(
             "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]),
             "x-goog-user-project": QUOTA_PROJECT_ID,
             "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE,
-            # "x-allowed-locations": "0x0",
         }
         impersonation_request_data = {
             "delegates": None,
@@ -2343,7 +2339,6 @@ def test_refresh_success_with_supplier_with_impersonation(
             "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]),
             "x-goog-user-project": QUOTA_PROJECT_ID,
             "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE,
-            # "x-allowed-locations": "0x0",
         }
         impersonation_request_data = {
             "delegates": None,

tests/test_credentials.py

@@ -533,20 +533,14 @@ def test_maybe_start_refresh_is_skipped_if_non_default_universe_domain(
     @mock.patch(
         "google.auth._regional_access_boundary_utils._RegionalAccessBoundaryRefreshManager.start_refresh"
     )
-    @mock.patch("urllib.parse.urlparse")
-    def test_maybe_start_refresh_handles_url_parse_errors(
-        self, mock_urlparse, mock_start_refresh
-    ):
-        mock_urlparse.side_effect = ValueError("Malformed URL")
+    def test_maybe_start_refresh_handles_url_parse_errors(self, mock_start_refresh):
         creds = CredentialsImpl()
         request = mock.Mock()
         with mock.patch.dict(
             os.environ,
             {environment_vars.GOOGLE_AUTH_TRUST_BOUNDARY_ENABLED: "true"},
         ):
-            creds._maybe_start_regional_access_boundary_refresh(
-                request, "http://malformed-url"
-            )
+            creds._maybe_start_regional_access_boundary_refresh(request, "http://[")
         mock_start_refresh.assert_called_once_with(creds, request)
 
     @mock.patch("google.oauth2._client._lookup_regional_access_boundary")

tests/test_identity_pool.py

@@ -385,9 +385,6 @@ def assert_underlying_credentials_refresh(
                 "Content-Type": "application/json",
                 "authorization": "Bearer {}".format(token_response["access_token"]),
                 "x-goog-api-client": metrics_header_value,
-                # TODO(negarb): Uncomment and update when trust boundary is supported
-                # for external account credentials.
-                # "x-allowed-locations": "0x0",
             }
             impersonation_request_data = {
                 "delegates": None,

tests/test_impersonated_credentials.py

@@ -324,8 +324,8 @@ def test_refresh_success(self, use_data_bytes, mock_donor_credentials):
             == ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE
         )
 
-    def test_refresh_source_creds_no_trust_boundary(self):
-        # Use a source credential that does not support trust boundaries.
+    def test_refresh_source_creds_no_regional_access_boundary(self):
+        # Use a source credential that does not support regional access boundaries.
         source_credentials = credentials.Credentials(token="source_token")
         creds = self.make_credentials(source_credentials=source_credentials)
         token = "impersonated_token"