Skip to content

Commit aa1967b

Browse files
nbayatinbayati
committed
Remove volatile keyword and use refreshLock when reading intermediateCredentials.
1 parent 7621caa commit aa1967b

File tree

1 file changed

+12
-20
lines changed

1 file changed

+12
-20
lines changed

cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java

Lines changed: 12 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -89,7 +89,7 @@ public class ClientSideCredentialAccessBoundaryFactory {
8989
private final Duration refreshMargin;
9090
private transient RefreshTask refreshTask;
9191
private final Object refreshLock = new byte[0];
92-
private volatile IntermediateCredentials intermediateCredentials = null;
92+
private IntermediateCredentials intermediateCredentials = null;
9393
private final Clock clock;
9494
private final CelCompiler celCompiler;
9595

@@ -127,7 +127,8 @@ private ClientSideCredentialAccessBoundaryFactory(Builder builder) {
127127
/**
128128
* Generates a Client-Side CAB token given the {@link CredentialAccessBoundary}.
129129
*
130-
* @param accessBoundary
130+
* @param accessBoundary The credential access boundary that defines the restrictions for the
131+
* generated CAB token.
131132
* @return The Client-Side CAB token in an {@link AccessToken} object
132133
* @throws IOException If an I/O error occurs while refreshing the source credentials
133134
* @throws CelValidationException If the availability condition is an invalid CEL expression
@@ -220,13 +221,16 @@ void refreshCredentialsIfRequired() throws IOException {
220221
}
221222

222223
private RefreshType determineRefreshType() {
223-
if (intermediateCredentials == null
224-
|| intermediateCredentials.intermediateAccessToken == null) {
225-
// A blocking refresh is needed if the intermediate access token doesn't exist.
226-
return RefreshType.BLOCKING;
224+
AccessToken intermediateAccessToken;
225+
synchronized (refreshLock) {
226+
if (intermediateCredentials == null
227+
|| intermediateCredentials.intermediateAccessToken == null) {
228+
// A blocking refresh is needed if the intermediate access token doesn't exist.
229+
return RefreshType.BLOCKING;
230+
}
231+
intermediateAccessToken = intermediateCredentials.intermediateAccessToken;
227232
}
228233

229-
AccessToken intermediateAccessToken = intermediateCredentials.intermediateAccessToken;
230234
Date expirationTime = intermediateAccessToken.getExpirationTime();
231235
if (expirationTime == null) {
232236
return RefreshType.NONE; // Token does not expire, no refresh needed.
@@ -365,18 +369,6 @@ private void finishRefreshTask(ListenableFuture<IntermediateCredentials> finishe
365369
}
366370
}
367371

368-
@VisibleForTesting
369-
String getAccessBoundarySessionKey() {
370-
return intermediateCredentials != null
371-
? intermediateCredentials.accessBoundarySessionKey
372-
: null;
373-
}
374-
375-
@VisibleForTesting
376-
AccessToken getIntermediateAccessToken() {
377-
return intermediateCredentials != null ? intermediateCredentials.intermediateAccessToken : null;
378-
}
379-
380372
@VisibleForTesting
381373
String getTokenExchangeEndpoint() {
382374
return tokenExchangeEndpoint;
@@ -517,7 +509,7 @@ private byte[] encryptRestrictions(byte[] restriction, String sessionKey)
517509

518510
// For Client-Side CAB token encryption, empty associated data is expected.
519511
// Tink requires a byte[0] to be passed for this case.
520-
return aead.encrypt(restriction, /*associatedData=*/ new byte[0]);
512+
return aead.encrypt(restriction, /* associatedData= */ new byte[0]);
521513
}
522514

523515
public static Builder newBuilder() {

0 commit comments

Comments
 (0)