Reinstated TrustBoundaryProvider.java and addressed PR comments.

Author: vverman

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -41,6 +41,7 @@
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
+import com.google.api.core.InternalApi;
 import com.google.auth.CredentialTypeForMetrics;
 import com.google.auth.Credentials;
 import com.google.auth.Retryable;
@@ -82,7 +83,7 @@
  * <p>These credentials use the IAM API to sign data. See {@link #sign(byte[])} for more details.
  */
 public class ComputeEngineCredentials extends GoogleCredentials
-    implements ServiceAccountSigner, IdTokenProvider {
+    implements ServiceAccountSigner, IdTokenProvider, TrustBoundaryProvider {
 
   static final String METADATA_RESPONSE_EMPTY_CONTENT_ERROR_MESSAGE =
       "Empty content from metadata token server request.";
@@ -706,12 +707,9 @@ public String getAccount() {
     return principal;
   }
 
+  @InternalApi
   @Override
-  boolean supportsTrustBoundary() {
-    return true;
-  }
-
-  String getTrustBoundaryUrl() throws IOException {
+  public String getTrustBoundaryUrl() throws IOException {
     return String.format(
         OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
         getUniverseDomain(),

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -339,22 +339,9 @@ TrustBoundary getTrustBoundary() {
     return trustBoundary;
   }
 
-  /**
-   * Returns whether the credentials support trust boundary.
-   *
-   * @return {@code true} if the credentials support trust boundary, {@code false} otherwise.
-   */
-  boolean supportsTrustBoundary() {
-    return false;
-  }
-
   /**
    * Refreshes the trust boundary by making a call to the trust boundary URL.
    *
-   * <p>This method is for internal use only and should not be called by users directly. It is used
-   * to enforce security policies by ensuring that the credentials used to access Google Cloud APIs
-   * are not used outside a trusted environment.
-   *
    * @param newAccessToken The new access token to be used for the refresh.
    * @param trustBoundaryUrl The URL of the trust boundary service.
    * @param transportFactory The HTTP transport factory to be used for the refresh.
@@ -365,7 +352,7 @@ void refreshTrustBoundary(
       AccessToken newAccessToken, String trustBoundaryUrl, HttpTransportFactory transportFactory)
       throws IOException {
 
-    if (!supportsTrustBoundary()
+    if (!(this instanceof TrustBoundaryProvider)
         || !TrustBoundary.isTrustBoundaryEnabled()
         || !isDefaultUniverseDomain()) {
       return;
@@ -456,17 +443,14 @@ static Map<String, List<String>> addQuotaProjectIdToRequestMetadata(
   @Override
   protected Map<String, List<String>> getAdditionalHeaders() {
     Map<String, List<String>> headers = new HashMap<>(super.getAdditionalHeaders());
-    String quotaProjectId = this.getQuotaProjectId();
-    if (quotaProjectId != null) {
-      headers.put(QUOTA_PROJECT_ID_HEADER_KEY, Collections.singletonList(quotaProjectId));
-    }
 
     if (this.trustBoundary != null) {
       String headerValue = trustBoundary.isNoOp() ? "" : trustBoundary.getEncodedLocations();
       headers.put(TrustBoundary.TRUST_BOUNDARY_KEY, Collections.singletonList(headerValue));
     }
 
-    return Collections.unmodifiableMap(headers);
+    String quotaProjectId = this.getQuotaProjectId();
+    return addQuotaProjectIdToRequestMetadata(quotaProjectId, headers);
   }
 
   /** Default constructor. */

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -43,6 +43,7 @@
 import com.google.api.client.http.json.JsonHttpContent;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
+import com.google.api.core.InternalApi;
 import com.google.auth.CredentialTypeForMetrics;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpCredentialsAdapter;
@@ -93,7 +94,7 @@
  * </pre>
  */
 public class ImpersonatedCredentials extends GoogleCredentials
-    implements ServiceAccountSigner, IdTokenProvider {
+    implements ServiceAccountSigner, IdTokenProvider, TrustBoundaryProvider {
 
   private static final long serialVersionUID = -2133257318957488431L;
   private static final String RFC3339 = "yyyy-MM-dd'T'HH:mm:ssX";
@@ -325,12 +326,9 @@ public GoogleCredentials getSourceCredentials() {
     return sourceCredentials;
   }
 
+  @InternalApi
   @Override
-  boolean supportsTrustBoundary() {
-    return true;
-  }
-
-  String getTrustBoundaryUrl() throws IOException {
+  public String getTrustBoundaryUrl() throws IOException {
     return String.format(
         OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
         getUniverseDomain(),

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -51,6 +51,7 @@
 import com.google.api.client.util.GenericData;
 import com.google.api.client.util.Joiner;
 import com.google.api.client.util.Preconditions;
+import com.google.api.core.InternalApi;
 import com.google.auth.CredentialTypeForMetrics;
 import com.google.auth.Credentials;
 import com.google.auth.RequestMetadataCallback;
@@ -89,7 +90,7 @@
  * <p>By default uses a JSON Web Token (JWT) to fetch access tokens.
  */
 public class ServiceAccountCredentials extends GoogleCredentials
-    implements ServiceAccountSigner, IdTokenProvider, JwtProvider {
+    implements ServiceAccountSigner, IdTokenProvider, JwtProvider, TrustBoundaryProvider {
 
   private static final long serialVersionUID = 7807543542681217978L;
   private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
@@ -823,12 +824,9 @@ public boolean getUseJwtAccessWithScope() {
     return useJwtAccessWithScope;
   }
 
+  @InternalApi
   @Override
-  boolean supportsTrustBoundary() {
-    return true;
-  }
-
-  String getTrustBoundaryUrl() throws IOException {
+  public String getTrustBoundaryUrl() throws IOException {
     return String.format(
         OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT,
         getUniverseDomain(),

oauth2_http/java/com/google/auth/oauth2/TrustBoundary.java

@@ -54,8 +54,11 @@
 import javax.annotation.Nullable;
 
 /**
- * Represents a trust boundary that can be used to restrict access to resources. This is an
- * experimental feature.
+ * Represents the trust boundary configuration for a credential. This class holds the information
+ * retrieved from the IAM `allowedLocations` endpoint. This data is then used to populate the
+ * `x-allowed-locations` header in outgoing API requests, which in turn allows Google's
+ * infrastructure to enforce regional security restrictions. This class does not perform any
+ * client-side validation or enforcement.
  */
 final class TrustBoundary {
 
@@ -72,7 +75,7 @@ final class TrustBoundary {
    * @param encodedLocations The encoded string representation of the allowed locations.
    * @param locations A list of human-readable location strings.
    */
-  public TrustBoundary(String encodedLocations, List<String> locations) {
+  TrustBoundary(String encodedLocations, List<String> locations) {
     this.encodedLocations = encodedLocations;
     this.locations =
         locations == null
@@ -177,13 +180,13 @@ static TrustBoundary refresh(
 
     HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
     HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));
-    request.getHeaders().setAuthorization("Bearer " + accessToken.getTokenValue());
+    //    request.getHeaders().setAuthorization("Bearer " + accessToken.getTokenValue());
 
     // Add the cached trust boundary header, if available.
     if (cachedTrustBoundary != null) {
       String headerValue =
           cachedTrustBoundary.isNoOp() ? "" : cachedTrustBoundary.getEncodedLocations();
-      request.getHeaders().set(TRUST_BOUNDARY_KEY, headerValue);
+      //      request.getHeaders().set(TRUST_BOUNDARY_KEY, headerValue);
     }
 
     // Add retry logic

oauth2_http/java/com/google/auth/oauth2/TrustBoundaryProvider.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2024, Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import com.google.api.core.InternalApi;
+import java.io.IOException;
+
+/**
+ * An interface for providing trust boundary information. It is used to provide a common interface
+ * for credentials that support trust boundary checks.
+ */
+@InternalApi
+interface TrustBoundaryProvider {
+
+  /**
+   * Returns the trust boundary URI.
+   *
+   * @return The trust boundary URI.
+   */
+  String getTrustBoundaryUrl() throws IOException;
+}