Const string for Service Account Lookup IAM URI. Network call removed from locking. Other doc changes.

Author: vverman

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -713,12 +713,10 @@ public HttpTransportFactory getTransportFactory() {
 
   @Override
   public String getTrustBoundaryUrl() throws IOException {
-    if (principal == null) {
-      principal = getDefaultServiceAccount();
-    }
     return String.format(
-        "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations",
-        getUniverseDomain(), principal);
+        OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
+        getUniverseDomain(),
+        getAccount());
   }
 
   /**

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -107,7 +107,7 @@ String getFileType() {
   private final String universeDomain;
   private final boolean isExplicitUniverseDomain;
 
-  private transient TrustBoundary trustBoundary;
+  private TrustBoundary trustBoundary;
 
   protected final String quotaProjectId;
 
@@ -336,6 +336,7 @@ public GoogleCredentials createWithQuotaProject(String quotaProject) {
     return this.toBuilder().setQuotaProjectId(quotaProject).build();
   }
 
+  @VisibleForTesting
   public TrustBoundary getTrustBoundary() {
     return trustBoundary;
   }
@@ -400,25 +401,38 @@ protected void refreshTrustBoundaries(AccessToken newAccessToken) throws IOExcep
     }
 
     TrustBoundaryProvider provider = (TrustBoundaryProvider) this;
+    TrustBoundary cachedTrustBoundary;
+
     synchronized (lock) {
-      // Refresh trust boundaries only if the cached value is not NO_OP.
-      if (this.trustBoundary == null || !this.trustBoundary.isNoOp()) {
-        try {
-          this.trustBoundary =
-              TrustBoundary.refresh(
-                  provider.getTransportFactory(),
-                  provider.getTrustBoundaryUrl(),
-                  newAccessToken,
-                  this.trustBoundary);
-        } catch (IOException e) {
-          // If refresh fails, check for cached value.
-          if (this.trustBoundary == null) {
-            // No cached value, so fail hard.
-            throw new IOException(
-                "Failed to refresh trust boundary and no cached value is available.", e);
-          }
-        }
+      // Do not refresh if the cached value is already NO_OP.
+      if (this.trustBoundary != null && this.trustBoundary.isNoOp()) {
+        return;
+      }
+      cachedTrustBoundary = this.trustBoundary;
+    }
+
+    TrustBoundary newTrustBoundary;
+    try {
+      newTrustBoundary =
+          TrustBoundary.refresh(
+              provider.getTransportFactory(),
+              provider.getTrustBoundaryUrl(),
+              newAccessToken,
+              cachedTrustBoundary);
+    } catch (IOException e) {
+      // If refresh fails, check for a cached value.
+      if (cachedTrustBoundary == null) {
+        // No cached value, so fail hard.
+        throw new IOException(
+            "Failed to refresh trust boundary and no cached value is available.", e);
       }
+
+      return;
+    }
+
+    // A lock is required to safely update the shared field.
+    synchronized (lock) {
+      this.trustBoundary = newTrustBoundary;
     }
   }
 

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -333,8 +333,9 @@ public HttpTransportFactory getTransportFactory() {
   @Override
   public String getTrustBoundaryUrl() throws IOException {
     return String.format(
-        "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations",
-        getUniverseDomain(), getAccount());
+        OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
+        getUniverseDomain(),
+        getAccount());
   }
 
   int getLifetime() {

oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -93,6 +93,9 @@ public class OAuth2Utils {
   static final URI TOKEN_SERVER_URI = URI.create("https://oauth2.googleapis.com/token");
 
   static final URI TOKEN_REVOKE_URI = URI.create("https://oauth2.googleapis.com/revoke");
+
+  public static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT =
+      "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations";
   static final URI USER_AUTH_URI = URI.create("https://accounts.google.com/o/oauth2/auth");
 
   static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -831,8 +831,9 @@ public HttpTransportFactory getTransportFactory() {
   @Override
   public String getTrustBoundaryUrl() throws IOException {
     return String.format(
-        "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations",
-        getUniverseDomain(), getClientEmail());
+        OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
+        getUniverseDomain(),
+        getAccount());
   }
 
   @VisibleForTesting
@@ -1160,7 +1161,6 @@ public static class Builder extends GoogleCredentials.Builder {
     private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;
     private boolean useJwtAccessWithScope = false;
     private boolean defaultRetriesEnabled = true;
-    private TrustBoundary trustBoundary;
 
     protected Builder() {}
 
@@ -1179,7 +1179,6 @@ protected Builder(ServiceAccountCredentials credentials) {
       this.lifetime = credentials.lifetime;
       this.useJwtAccessWithScope = credentials.useJwtAccessWithScope;
       this.defaultRetriesEnabled = credentials.defaultRetriesEnabled;
-      this.trustBoundary = credentials.getTrustBoundary();
     }
 
     @CanIgnoreReturnValue

oauth2_http/java/com/google/auth/oauth2/TrustBoundary.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024, Google LLC
+ * Copyright 2025, Google LLC
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -44,6 +44,7 @@
 import com.google.api.client.util.ExponentialBackOff;
 import com.google.api.client.util.Key;
 import com.google.auth.http.HttpTransportFactory;
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
 import java.io.IOException;
 import java.util.Collections;
@@ -55,7 +56,7 @@
  * Represents a trust boundary that can be used to restrict access to resources. This is an
  * experimental feature.
  */
-public final class TrustBoundary {
+final class TrustBoundary {
 
   static final String TRUST_BOUNDARY_KEY = "x-allowed-locations";
   static final String GOOGLE_AUTH_TRUST_BOUNDARY_ENABLED_ENV_VAR =
@@ -111,27 +112,19 @@ public String toString() {
     }
   }
 
-  // expose this setter only for testing purposes
-  public static void setEnvironmentProviderForTest(@Nullable EnvironmentProvider provider) {
+  @VisibleForTesting
+  static void setEnvironmentProviderForTest(@Nullable EnvironmentProvider provider) {
     environmentProvider = provider == null ? SystemEnvironmentProvider.getInstance() : provider;
   }
 
-  static boolean isTrustBoundaryEnabled() throws IOException {
-    String tbEnabled = environmentProvider.getEnv(GOOGLE_AUTH_TRUST_BOUNDARY_ENABLED_ENV_VAR);
-    if (tbEnabled == null) {
+  static boolean isTrustBoundaryEnabled() {
+    String trustBoundaryEnabled =
+        environmentProvider.getEnv(GOOGLE_AUTH_TRUST_BOUNDARY_ENABLED_ENV_VAR);
+    if (trustBoundaryEnabled == null) {
       return false;
     }
-    String lowercasedTbEnabled = tbEnabled.toLowerCase();
-    if ("true".equals(lowercasedTbEnabled) || "1".equals(tbEnabled)) {
-      return true;
-    }
-    if ("false".equals(lowercasedTbEnabled) || "0".equals(tbEnabled)) {
-      return false;
-    }
-    throw new IOException(
-        String.format(
-            "Invalid value for %s environment variable: \"%s\". Supported values are 'true', '1', 'false', or '0'.",
-            GOOGLE_AUTH_TRUST_BOUNDARY_ENABLED_ENV_VAR, tbEnabled));
+    String lowercasedTrustBoundaryEnabled = trustBoundaryEnabled.toLowerCase();
+    return "true".equals(lowercasedTrustBoundaryEnabled) || "1".equals(trustBoundaryEnabled);
   }
 
   static TrustBoundary refresh(
@@ -141,11 +134,11 @@ static TrustBoundary refresh(
       @Nullable TrustBoundary cachedTrustBoundary)
       throws IOException {
     if (accessToken == null) {
-      throw new IOException("The provided access token is null.");
+      throw new IllegalArgumentException("The provided access token is null.");
     }
     if (accessToken.getExpirationTime() != null
         && accessToken.getExpirationTime().before(new Date())) {
-      throw new IOException("The provided access token is expired.");
+      throw new IllegalArgumentException("The provided access token is expired.");
     }
 
     HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();

oauth2_http/java/com/google/auth/oauth2/TrustBoundaryProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024, Google LLC
+ * Copyright 2025, Google LLC
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -31,10 +31,12 @@
 
 package com.google.auth.oauth2;
 
+import com.google.api.core.BetaApi;
 import com.google.auth.http.HttpTransportFactory;
 import java.io.IOException;
 
 /** An interface for credentials that support trust boundaries. This is an experimental feature. */
+@BetaApi
 public interface TrustBoundaryProvider {
 
   /** Returns the transport factory. */