feat: Add TrustBoundaries support for ServiceAccounts (#1808)

Added support for trust boundaries for service accounts, impersonated and GCE flows.

# Conflicts:
#	oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
#	oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
#	oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

* Added changes to authenticate TB endpoint, add correct TB headers.

* Corrected Response Struct for TB Look up. Fixed Trust Boundary Enabled Logic.

* Added separate refreshTrustBoundaryAndGetAdditionalHeaders in OAuth2Credentials.

* TB Refresh Now happens in each token refresh.

* Removed unnecessary refreshTrustBoundaryAndGetAdditionalHeaders as tb refresh now happens within access token refresh of individual classes.

* Added unit tests for Trust Boundary for Service accounts. Updated. the trust boundary enabler env variable

* Formatting changes

* Trust Boundary Recovery

* Changed key for encodedLocations and changed tests.

* minor fixes

* Const string for Service Account Lookup IAM URI. Network call removed from locking. Other doc changes.

* Added docs for public methods

* Addressed PR comments. All refresh logic within Google Credentials. Use supportsTrustBoundary to identify whether a child class supports tb prior to refresh.

* Formatting changes

* AssertNull and AssertThrows changes. Documentation changes.

* Reinstated TrustBoundaryProvider.java and addressed PR comments.

* Update Copyright TrustBoundaryProvider.java

* getTrustBoundaryUrl now called within refreshTrustBoundaries(...)

* lint change

Author: vverman

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -41,6 +41,7 @@
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
+import com.google.api.core.InternalApi;
 import com.google.auth.CredentialTypeForMetrics;
 import com.google.auth.Credentials;
 import com.google.auth.Retryable;
@@ -82,7 +83,7 @@
  * <p>These credentials use the IAM API to sign data. See {@link #sign(byte[])} for more details.
  */
 public class ComputeEngineCredentials extends GoogleCredentials
-    implements ServiceAccountSigner, IdTokenProvider {
+    implements ServiceAccountSigner, IdTokenProvider, TrustBoundaryProvider {
 
   static final String METADATA_RESPONSE_EMPTY_CONTENT_ERROR_MESSAGE =
       "Empty content from metadata token server request.";
@@ -385,8 +386,11 @@ public AccessToken refreshAccessToken() throws IOException {
     int expiresInSeconds =
         OAuth2Utils.validateInt32(responseData, "expires_in", PARSE_ERROR_PREFIX);
     long expiresAtMilliseconds = clock.currentTimeMillis() + expiresInSeconds * 1000;
+    AccessToken newAccessToken = new AccessToken(accessToken, new Date(expiresAtMilliseconds));
 
-    return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
+    refreshTrustBoundary(newAccessToken, transportFactory);
+
+    return newAccessToken;
   }
 
   /**
@@ -703,6 +707,15 @@ public String getAccount() {
     return principal;
   }
 
+  @InternalApi
+  @Override
+  public String getTrustBoundaryUrl() throws IOException {
+    return String.format(
+        OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
+        getUniverseDomain(),
+        getAccount());
+  }
+
   /**
    * Signs the provided bytes using the private key associated with the service account.
    *

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -35,6 +35,7 @@
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.Preconditions;
+import com.google.api.core.InternalApi;
 import com.google.api.core.ObsoleteApi;
 import com.google.auth.Credentials;
 import com.google.auth.http.HttpTransportFactory;
@@ -107,6 +108,8 @@ String getFileType() {
   private final String universeDomain;
   private final boolean isExplicitUniverseDomain;
 
+  private TrustBoundary trustBoundary;
+
   protected final String quotaProjectId;
 
   private static final DefaultCredentialsProvider defaultCredentialsProvider =
@@ -331,6 +334,60 @@ public GoogleCredentials createWithQuotaProject(String quotaProject) {
     return this.toBuilder().setQuotaProjectId(quotaProject).build();
   }
 
+  @VisibleForTesting
+  TrustBoundary getTrustBoundary() {
+    return trustBoundary;
+  }
+
+  /**
+   * Refreshes the trust boundary by making a call to the trust boundary URL.
+   *
+   * @param newAccessToken The new access token to be used for the refresh.
+   * @param transportFactory The HTTP transport factory to be used for the refresh.
+   * @throws IOException If the refresh fails and no cached value is available.
+   */
+  @InternalApi
+  void refreshTrustBoundary(AccessToken newAccessToken, HttpTransportFactory transportFactory)
+      throws IOException {
+
+    if (!(this instanceof TrustBoundaryProvider)
+        || !TrustBoundary.isTrustBoundaryEnabled()
+        || !isDefaultUniverseDomain()) {
+      return;
+    }
+
+    String trustBoundaryUrl = ((TrustBoundaryProvider) this).getTrustBoundaryUrl();
+    TrustBoundary cachedTrustBoundary;
+
+    synchronized (lock) {
+      // Do not refresh if the cached value is already NO_OP.
+      if (trustBoundary != null && trustBoundary.isNoOp()) {
+        return;
+      }
+      cachedTrustBoundary = trustBoundary;
+    }
+
+    TrustBoundary newTrustBoundary;
+    try {
+      newTrustBoundary =
+          TrustBoundary.refresh(
+              transportFactory, trustBoundaryUrl, newAccessToken, cachedTrustBoundary);
+    } catch (IOException e) {
+      // If refresh fails, check for a cached value.
+      if (cachedTrustBoundary == null) {
+        // No cached value, so fail hard.
+        throw new IOException(
+            "Failed to refresh trust boundary and no cached value is available.", e);
+      }
+      return;
+    }
+
+    // A lock is required to safely update the shared field.
+    synchronized (lock) {
+      trustBoundary = newTrustBoundary;
+    }
+  }
+
   /**
    * Gets the universe domain for the credential.
    *
@@ -384,12 +441,15 @@ static Map<String, List<String>> addQuotaProjectIdToRequestMetadata(
 
   @Override
   protected Map<String, List<String>> getAdditionalHeaders() {
-    Map<String, List<String>> headers = super.getAdditionalHeaders();
-    String quotaProjectId = this.getQuotaProjectId();
-    if (quotaProjectId != null) {
-      return addQuotaProjectIdToRequestMetadata(quotaProjectId, headers);
+    Map<String, List<String>> headers = new HashMap<>(super.getAdditionalHeaders());
+
+    if (this.trustBoundary != null) {
+      String headerValue = trustBoundary.isNoOp() ? "" : trustBoundary.getEncodedLocations();
+      headers.put(TrustBoundary.TRUST_BOUNDARY_KEY, Collections.singletonList(headerValue));
     }
-    return headers;
+
+    String quotaProjectId = this.getQuotaProjectId();
+    return addQuotaProjectIdToRequestMetadata(quotaProjectId, headers);
   }
 
   /** Default constructor. */

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -43,6 +43,7 @@
 import com.google.api.client.http.json.JsonHttpContent;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
+import com.google.api.core.InternalApi;
 import com.google.auth.CredentialTypeForMetrics;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpCredentialsAdapter;
@@ -95,7 +96,7 @@
  * </pre>
  */
 public class ImpersonatedCredentials extends GoogleCredentials
-    implements ServiceAccountSigner, IdTokenProvider {
+    implements ServiceAccountSigner, IdTokenProvider, TrustBoundaryProvider {
 
   private static final long serialVersionUID = -2133257318957488431L;
   private static final String RFC3339 = "yyyy-MM-dd'T'HH:mm:ssX";
@@ -325,6 +326,15 @@ public GoogleCredentials getSourceCredentials() {
     return sourceCredentials;
   }
 
+  @InternalApi
+  @Override
+  public String getTrustBoundaryUrl() throws IOException {
+    return String.format(
+        OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
+        getUniverseDomain(),
+        getAccount());
+  }
+
   int getLifetime() {
     return this.lifetime;
   }
@@ -593,7 +603,11 @@ public AccessToken refreshAccessToken() throws IOException {
     format.setCalendar(calendar);
     try {
       Date date = format.parse(expireTime);
-      return new AccessToken(accessToken, date);
+      AccessToken newAccessToken = new AccessToken(accessToken, date);
+
+      refreshTrustBoundary(newAccessToken, transportFactory);
+
+      return newAccessToken;
     } catch (ParseException pe) {
       throw new IOException("Error parsing expireTime: " + pe.getMessage());
     }

oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java

@@ -59,7 +59,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.ServiceLoader;
-import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Executor;
 import javax.annotation.Nullable;
@@ -264,11 +263,8 @@ private AsyncRefreshResult getOrCreateRefreshTask() {
 
       final ListenableFutureTask<OAuthValue> task =
           ListenableFutureTask.create(
-              new Callable<OAuthValue>() {
-                @Override
-                public OAuthValue call() throws Exception {
-                  return OAuthValue.create(refreshAccessToken(), getAdditionalHeaders());
-                }
+              () -> {
+                return OAuthValue.create(refreshAccessToken(), getAdditionalHeaders());
               });
 
       refreshTask = new RefreshTask(task, new RefreshTaskListener(task));
@@ -373,7 +369,7 @@ public AccessToken refreshAccessToken() throws IOException {
   /**
    * Provide additional headers to return as request metadata.
    *
-   * @return additional headers
+   * @return additional headers.
    */
   protected Map<String, List<String>> getAdditionalHeaders() {
     return EMPTY_EXTRA_HEADERS;

oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -93,6 +93,9 @@ public class OAuth2Utils {
   static final URI TOKEN_SERVER_URI = URI.create("https://oauth2.googleapis.com/token");
 
   static final URI TOKEN_REVOKE_URI = URI.create("https://oauth2.googleapis.com/revoke");
+
+  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT =
+      "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations";
   static final URI USER_AUTH_URI = URI.create("https://accounts.google.com/o/oauth2/auth");
 
   public static final String CLOUD_PLATFORM_SCOPE =

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -51,6 +51,7 @@
 import com.google.api.client.util.GenericData;
 import com.google.api.client.util.Joiner;
 import com.google.api.client.util.Preconditions;
+import com.google.api.core.InternalApi;
 import com.google.auth.CredentialTypeForMetrics;
 import com.google.auth.Credentials;
 import com.google.auth.RequestMetadataCallback;
@@ -89,7 +90,7 @@
  * <p>By default uses a JSON Web Token (JWT) to fetch access tokens.
  */
 public class ServiceAccountCredentials extends GoogleCredentials
-    implements ServiceAccountSigner, IdTokenProvider, JwtProvider {
+    implements ServiceAccountSigner, IdTokenProvider, JwtProvider, TrustBoundaryProvider {
 
   private static final long serialVersionUID = 7807543542681217978L;
   private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
@@ -580,7 +581,11 @@ public AccessToken refreshAccessToken() throws IOException {
     int expiresInSeconds =
         OAuth2Utils.validateInt32(responseData, "expires_in", PARSE_ERROR_PREFIX);
     long expiresAtMilliseconds = clock.currentTimeMillis() + expiresInSeconds * 1000L;
-    return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
+    AccessToken newAccessToken = new AccessToken(accessToken, new Date(expiresAtMilliseconds));
+
+    refreshTrustBoundary(newAccessToken, transportFactory);
+
+    return newAccessToken;
   }
 
   /**
@@ -823,6 +828,15 @@ public boolean getUseJwtAccessWithScope() {
     return useJwtAccessWithScope;
   }
 
+  @InternalApi
+  @Override
+  public String getTrustBoundaryUrl() throws IOException {
+    return String.format(
+        OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
+        getUniverseDomain(),
+        getAccount());
+  }
+
   @VisibleForTesting
   JwtCredentials getSelfSignedJwtCredentialsWithScope() {
     return selfSignedJwtCredentialsWithScope;