Merge branch 'main' into upgrade-grpc-gcp

Author: blakeli0

gapic-libraries-bom/pom.xml

@@ -133,6 +133,13 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>com.google.cloud</groupId>
+        <artifactId>google-cloud-appoptimize-bom</artifactId>
+        <version>0.0.1-SNAPSHOT</version><!-- {x-version-update:google-cloud-appoptimize:current} -->
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>com.google.cloud</groupId>
         <artifactId>google-cloud-artifact-registry-bom</artifactId>

generation_config.yaml

@@ -183,6 +183,23 @@ libraries:
   rpc_documentation: https://cloud.google.com/app-hub/docs/reference/rpc
   GAPICs:
   - proto_path: google/cloud/apphub/v1
+- api_shortname: appoptimize
+  name_pretty: App Optimize API
+  product_documentation: https://docs.cloud.google.com/app-optimize/overview
+  api_description: The App Optimize API provides developers and platform teams with
+    tools to monitor, analyze, and improve the performance and cost-efficiency of
+    their cloud applications. 
+  client_documentation: 
+    https://cloud.google.com/java/docs/reference/google-cloud-appoptimize/latest/overview
+  release_level: preview
+  distribution_name: com.google.cloud:google-cloud-appoptimize
+  api_id: appoptimize.googleapis.com
+  library_type: GAPIC_AUTO
+  group_id: com.google.cloud
+  cloud_api: true
+  GAPICs:
+  - proto_path: google/cloud/appoptimize/v1beta
+  requires_billing: true
 - api_shortname: area120tables
   name_pretty: Area 120 Tables
   product_documentation: https://area120.google.com/

google-auth-library-java/appengine/javatests/com/google/auth/appengine/AppEngineCredentialsTest.java

@@ -36,8 +36,8 @@
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNotSame;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 import com.google.auth.Credentials;
 import com.google.auth.oauth2.AccessToken;
@@ -135,11 +135,7 @@ void createScoped_clonesWithScopes() throws IOException {
             .setAppIdentityService(appIdentity)
             .build();
     assertTrue(credentials.createScopedRequired());
-    try {
-      credentials.getRequestMetadata(CALL_URI);
-      fail("Should not be able to use credential without scopes.");
-    } catch (Exception expected) {
-    }
+    assertThrows(IOException.class, () -> credentials.getRequestMetadata(CALL_URI));
     assertEquals(0, appIdentity.getGetAccessTokenCallCount());
 
     GoogleCredentials scopedCredentials = credentials.createScoped(SCOPES);

google-auth-library-java/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java

@@ -53,7 +53,6 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import com.google.common.util.concurrent.AbstractFuture;
-import com.google.common.util.concurrent.FutureCallback;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
 import com.google.common.util.concurrent.ListenableFutureTask;
@@ -79,7 +78,6 @@
 import java.util.Date;
 import java.util.List;
 import java.util.concurrent.ExecutionException;
-import javax.annotation.Nullable;
 
 /**
  * A factory for generating downscoped access tokens using a client-side approach.
@@ -248,7 +246,7 @@ void refreshCredentialsIfRequired() throws IOException {
         }
         try {
           // Wait for the refresh task to complete.
-          currentRefreshTask.task.get();
+          currentRefreshTask.get();
         } catch (InterruptedException e) {
           // Restore the interrupted status and throw an exception.
           Thread.currentThread().interrupt();
@@ -495,31 +493,18 @@ class RefreshTask extends AbstractFuture<IntermediateCredentials> implements Run
       this.task = task;
       this.isNew = isNew;
 
-      // Add listener to update factory's credentials when the task completes.
+      // Single listener to guarantee that finishRefreshTask updates the internal state BEFORE
+      // the outer future completes and unblocks waiters.
       task.addListener(
           () -> {
             try {
               finishRefreshTask(task);
+              RefreshTask.this.set(Futures.getDone(task));
             } catch (ExecutionException e) {
               Throwable cause = e.getCause();
-              RefreshTask.this.setException(cause);
-            }
-          },
-          MoreExecutors.directExecutor());
-
-      // Add callback to set the result or exception based on the outcome.
-      Futures.addCallback(
-          task,
-          new FutureCallback<IntermediateCredentials>() {
-            @Override
-            public void onSuccess(IntermediateCredentials result) {
-              RefreshTask.this.set(result);
-            }
-
-            @Override
-            public void onFailure(@Nullable Throwable t) {
-              RefreshTask.this.setException(
-                  t != null ? t : new IOException("Refresh failed with null Throwable."));
+              RefreshTask.this.setException(cause != null ? cause : e);
+            } catch (Throwable t) {
+              RefreshTask.this.setException(t);
             }
           },
           MoreExecutors.directExecutor());

google-auth-library-java/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java

@@ -988,4 +988,59 @@ void generateToken_withMalformSessionKey_failure() throws Exception {
 
     assertThrows(GeneralSecurityException.class, () -> factory.generateToken(accessBoundary));
   }
+
+  @Test
+  void generateToken_freshInstance_concurrent_noNpe() throws Exception {
+    for (int run = 0; run < 10; run++) { // Run 10 times in a single test instance to save time
+      GoogleCredentials sourceCredentials =
+          getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
+      ClientSideCredentialAccessBoundaryFactory factory =
+          ClientSideCredentialAccessBoundaryFactory.newBuilder()
+              .setSourceCredential(sourceCredentials)
+              .setHttpTransportFactory(mockStsTransportFactory)
+              .build();
+
+      CredentialAccessBoundary.Builder cabBuilder = CredentialAccessBoundary.newBuilder();
+      CredentialAccessBoundary accessBoundary =
+          cabBuilder
+              .addRule(
+                  CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
+                      .setAvailableResource("resource")
+                      .setAvailablePermissions(ImmutableList.of("role"))
+                      .build())
+              .build();
+
+      int numThreads = 5;
+      CountDownLatch latch = new CountDownLatch(numThreads);
+      java.util.concurrent.atomic.AtomicInteger npeCount =
+          new java.util.concurrent.atomic.AtomicInteger();
+      java.util.concurrent.ExecutorService executor =
+          java.util.concurrent.Executors.newFixedThreadPool(numThreads);
+
+      try {
+        for (int i = 0; i < numThreads; i++) {
+          executor.submit(
+              () -> {
+                try {
+                  latch.countDown();
+                  latch.await();
+                  factory.generateToken(accessBoundary);
+                } catch (NullPointerException e) {
+                  npeCount.incrementAndGet();
+                } catch (Exception e) {
+                  // Ignore other exceptions for the sake of the race reproduction
+                }
+              });
+        }
+      } finally {
+        executor.shutdown();
+        executor.awaitTermination(5, java.util.concurrent.TimeUnit.SECONDS);
+      }
+
+      org.junit.jupiter.api.Assertions.assertEquals(
+          0,
+          npeCount.get(),
+          "Expected zero NullPointerExceptions due to the race condition, but some were thrown.");
+    }
+  }
 }

google-auth-library-java/oauth2_http/java/com/google/auth/mtls/MtlsUtils.java

@@ -0,0 +1,140 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.mtls;
+
+import com.google.api.core.InternalApi;
+import com.google.auth.oauth2.EnvironmentProvider;
+import com.google.auth.oauth2.PropertyProvider;
+import com.google.common.base.Strings;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Locale;
+
+/**
+ * Utility class for mTLS related operations.
+ *
+ * <p>For internal use only.
+ */
+@InternalApi
+public class MtlsUtils {
+  static final String CERTIFICATE_CONFIGURATION_ENV_VARIABLE = "GOOGLE_API_CERTIFICATE_CONFIG";
+  static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
+  static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
+
+  private MtlsUtils() {
+    // Prevent instantiation for Utility class
+  }
+
+  /**
+   * Returns the path to the client certificate file specified by the loaded workload certificate
+   * configuration.
+   *
+   * @return The path to the certificate file.
+   * @throws IOException if the certificate configuration cannot be found or loaded.
+   */
+  public static String getCertificatePath(
+      EnvironmentProvider envProvider, PropertyProvider propProvider, String certConfigPathOverride)
+      throws IOException {
+    String certPath =
+        getWorkloadCertificateConfiguration(envProvider, propProvider, certConfigPathOverride)
+            .getCertPath();
+    if (Strings.isNullOrEmpty(certPath)) {
+      throw new CertificateSourceUnavailableException(
+          "Certificate configuration loaded successfully, but does not contain a 'certificate_file' path.");
+    }
+    return certPath;
+  }
+
+  /**
+   * Resolves and loads the workload certificate configuration.
+   *
+   * <p>The configuration file is resolved in the following order of precedence: 1. The provided
+   * certConfigPathOverride (if not null). 2. The path specified by the
+   * GOOGLE_API_CERTIFICATE_CONFIG environment variable. 3. The well-known certificate configuration
+   * file in the gcloud config directory.
+   *
+   * @param envProvider the environment provider to use for resolving environment variables
+   * @param propProvider the property provider to use for resolving system properties
+   * @param certConfigPathOverride optional override path for the configuration file
+   * @return the loaded WorkloadCertificateConfiguration
+   * @throws IOException if the configuration file cannot be found, read, or parsed
+   */
+  static WorkloadCertificateConfiguration getWorkloadCertificateConfiguration(
+      EnvironmentProvider envProvider, PropertyProvider propProvider, String certConfigPathOverride)
+      throws IOException {
+    File certConfig;
+    if (certConfigPathOverride != null) {
+      certConfig = new File(certConfigPathOverride);
+    } else {
+      String envCredentialsPath = envProvider.getEnv(CERTIFICATE_CONFIGURATION_ENV_VARIABLE);
+      if (!Strings.isNullOrEmpty(envCredentialsPath)) {
+        certConfig = new File(envCredentialsPath);
+      } else {
+        certConfig = getWellKnownCertificateConfigFile(envProvider, propProvider);
+      }
+    }
+
+    if (!certConfig.isFile()) {
+      throw new CertificateSourceUnavailableException(
+          "Certificate configuration file does not exist or is not a file: "
+              + certConfig.getAbsolutePath());
+    }
+    try (InputStream certConfigStream = new FileInputStream(certConfig)) {
+      return WorkloadCertificateConfiguration.fromCertificateConfigurationStream(certConfigStream);
+    }
+  }
+
+  private static File getWellKnownCertificateConfigFile(
+      EnvironmentProvider envProvider, PropertyProvider propProvider) throws IOException {
+    File cloudConfigPath;
+    String envPath = envProvider.getEnv("CLOUDSDK_CONFIG");
+    if (envPath != null) {
+      cloudConfigPath = new File(envPath);
+    } else {
+      String osName = propProvider.getProperty("os.name", "").toLowerCase(Locale.US);
+      if (osName.indexOf("windows") >= 0) {
+        String appData = envProvider.getEnv("APPDATA");
+        if (Strings.isNullOrEmpty(appData)) {
+          throw new CertificateSourceUnavailableException(
+              "APPDATA environment variable is not set on Windows.");
+        }
+        File appDataPath = new File(appData);
+        cloudConfigPath = new File(appDataPath, CLOUDSDK_CONFIG_DIRECTORY);
+      } else {
+        File configPath = new File(propProvider.getProperty("user.home", ""), ".config");
+        cloudConfigPath = new File(configPath, CLOUDSDK_CONFIG_DIRECTORY);
+      }
+    }
+    return new File(cloudConfigPath, WELL_KNOWN_CERTIFICATE_CONFIG_FILE);
+  }
+}