Define new default values for refreshMargin and minimumTokenLifetime.

nbayati · nbayati · commit e36392c71fc3 · 2025-01-24T17:21:57.000-08:00
diff --git a/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java b/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
@@ -80,8 +80,8 @@
 import javax.annotation.Nullable;
 
 public class ClientSideCredentialAccessBoundaryFactory {
-  static final Duration DEFAULT_REFRESH_MARGIN = Duration.ofMinutes(30);
-  static final Duration DEFAULT_MINIMUM_TOKEN_LIFETIME = Duration.ofMinutes(3);
+  static final Duration DEFAULT_REFRESH_MARGIN = Duration.ofMinutes(45);
+  static final Duration DEFAULT_MINIMUM_TOKEN_LIFETIME = Duration.ofMinutes(30);
   private final GoogleCredentials sourceCredential;
   private final transient HttpTransportFactory transportFactory;
   private final String tokenExchangeEndpoint;
@@ -103,6 +103,9 @@ private ClientSideCredentialAccessBoundaryFactory(Builder builder) {
     this.transportFactory = builder.transportFactory;
     this.sourceCredential = builder.sourceCredential;
     this.tokenExchangeEndpoint = builder.tokenExchangeEndpoint;
+    this.refreshMargin = builder.refreshMargin;
+    this.minimumTokenLifetime = builder.minimumTokenLifetime;
+    this.clock = builder.clock;
 
     // Initializes the Tink AEAD registry for encrypting the client-side
     // restrictions.
@@ -114,14 +117,6 @@ private ClientSideCredentialAccessBoundaryFactory(Builder builder) {
 
     CelOptions options = CelOptions.current().build();
     this.celCompiler = CelCompilerFactory.standardCelCompilerBuilder().setOptions(options).build();
-
-    this.refreshMargin =
-        builder.refreshMargin != null ? builder.refreshMargin : DEFAULT_REFRESH_MARGIN;
-    this.minimumTokenLifetime =
-        builder.minimumTokenLifetime != null
-            ? builder.minimumTokenLifetime
-            : DEFAULT_MINIMUM_TOKEN_LIFETIME;
-    this.clock = builder.clock;
   }
 
   /**
@@ -379,6 +374,16 @@ HttpTransportFactory getTransportFactory() {
     return transportFactory;
   }
 
+  @VisibleForTesting
+  Duration getRefreshMargin() {
+    return refreshMargin;
+  }
+
+  @VisibleForTesting
+  Duration getMinimumTokenLifetime() {
+    return minimumTokenLifetime;
+  }
+
   /**
    * Holds intermediate credentials obtained from the STS token exchange endpoint.
    *
@@ -645,6 +650,23 @@ public ClientSideCredentialAccessBoundaryFactory build() {
             "Error occurred when attempting to retrieve source credential universe domain.", e);
       }
 
+      // Use default values for refreshMargin if not provided.
+      if (refreshMargin == null) {
+        this.refreshMargin = DEFAULT_REFRESH_MARGIN;
+      }
+
+      // Use default values for minimumTokenLifetime if not provided.
+      if (minimumTokenLifetime == null) {
+        this.minimumTokenLifetime = DEFAULT_MINIMUM_TOKEN_LIFETIME;
+      }
+
+      // Check if refreshMargin is at least one minute longer than minimumTokenLifetime.
+      Duration minRefreshMargin = minimumTokenLifetime.plusMinutes(1);
+      if (refreshMargin.compareTo(minRefreshMargin) < 0) {
+        throw new IllegalArgumentException(
+            "Refresh margin must be at least one minute longer than the minimum token lifetime.");
+      }
+
       this.tokenExchangeEndpoint = String.format(TOKEN_EXCHANGE_URL_FORMAT, universeDomain);
       return new ClientSideCredentialAccessBoundaryFactory(this);
     }
diff --git a/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java b/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java
@@ -149,8 +149,7 @@ public void fetchIntermediateCredentials() throws Exception {
   public void fetchIntermediateCredentials_withCustomUniverseDomain() throws IOException {
     String universeDomain = "foobar";
     GoogleCredentials sourceCredentials =
-        getServiceAccountSourceCredentials(mockTokenServerTransportFactory)
-            .toBuilder()
+        getServiceAccountSourceCredentials(mockTokenServerTransportFactory).toBuilder()
             .setUniverseDomain(universeDomain)
             .build();
 
@@ -483,6 +482,58 @@ public void builder_universeDomainMismatch_throws() throws IOException {
         exception.getMessage());
   }
 
+  @Test
+  public void builder_invalidRefreshMarginAndMinimumTokenLifetime_throws() throws IOException {
+    GoogleCredentials sourceCredentials =
+        getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
+
+    IllegalArgumentException exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> {
+              ClientSideCredentialAccessBoundaryFactory.newBuilder()
+                  .setSourceCredential(sourceCredentials)
+                  .setRefreshMargin(Duration.ofMinutes(50))
+                  .setMinimumTokenLifetime(Duration.ofMinutes(50))
+                  .build();
+            });
+    assertEquals(
+        "Refresh margin must be at least one minute longer than the minimum token lifetime.",
+        exception.getMessage());
+  }
+
+  @Test
+  public void builder_minimumTokenLifetimeNotSet_usesDefault() throws IOException {
+    GoogleCredentials sourceCredentials =
+        getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
+
+    ClientSideCredentialAccessBoundaryFactory factory =
+        ClientSideCredentialAccessBoundaryFactory.newBuilder()
+            .setSourceCredential(sourceCredentials)
+            .setRefreshMargin(Duration.ofMinutes(50))
+            .build();
+
+    assertEquals(
+        ClientSideCredentialAccessBoundaryFactory.DEFAULT_MINIMUM_TOKEN_LIFETIME,
+        factory.getMinimumTokenLifetime());
+  }
+
+  @Test
+  public void builder_refreshMarginNotSet_usesDefault() throws IOException {
+    GoogleCredentials sourceCredentials =
+        getServiceAccountSourceCredentials(mockTokenServerTransportFactory);
+
+    ClientSideCredentialAccessBoundaryFactory factory =
+        ClientSideCredentialAccessBoundaryFactory.newBuilder()
+            .setSourceCredential(sourceCredentials)
+            .setMinimumTokenLifetime(Duration.ofMinutes(20))
+            .build();
+
+    assertEquals(
+        ClientSideCredentialAccessBoundaryFactory.DEFAULT_REFRESH_MARGIN,
+        factory.getRefreshMargin());
+  }
+
   private static GoogleCredentials getServiceAccountSourceCredentials(
       MockTokenServerTransportFactory transportFactory) throws IOException {
     String email = "service-account@google.com";
@@ -613,7 +664,7 @@ private static ClientSideAccessBoundary decryptRestriction(String restriction, S
 
     Aead aead = keysetHandle.getPrimitive(RegistryConfiguration.get(), Aead.class);
     byte[] rawRestrictions =
-        aead.decrypt(Base64.getUrlDecoder().decode(restriction), /*associatedData=*/ new byte[0]);
+        aead.decrypt(Base64.getUrlDecoder().decode(restriction), /* associatedData= */ new byte[0]);
 
     return ClientSideAccessBoundary.parseFrom(rawRestrictions);
   }
