Skip to content

feat: Introduce Client-Side Credential Access Boundary (CAB) functionality#1629

Merged
lqiu96 merged 16 commits intomainfrom
client-side-cab
Feb 4, 2025
Merged

feat: Introduce Client-Side Credential Access Boundary (CAB) functionality#1629
lqiu96 merged 16 commits intomainfrom
client-side-cab

Conversation

@nbayati
Copy link
Contributor

@nbayati nbayati commented Jan 23, 2025
edited
Loading

See: go/client-side-cab-design-doc

Notes:

  • This PR merges the feature branch client-side-cab to main.
  • We're targeting the Feb 3rd release.
  • Please ignore the Sonar quality gate failing regarding the code coverage and duplicated code for ClientSideAccessBoundaryProto.java, since it's a generated file.

nbayati and others added 6 commits November 14, 2024 13:20
@nbayati
feat: Implement ClientSideCredentialAccessBoundaryFactory (#1562)
5d32642 
* feat: Implement ClientSideCredentialAccessBoundaryFactory.refreshCredentials()

Set up the ClientSideCredentialAccessBoundaryFactory class and module.
Implement the function to fetch and refresh intermediary tokens from STS.
@huangjiahua
feat: Add the generated ClientSideAccessBoundaryProto class for Clien…
50d9027 
…t-Side CAB feature. (#1571)

Change-Id: Ic7ef3cbd80b2ad778d61b9ccabf780561d3cc709
@nbayati
feat: Implement refreshCredentialsIfRequired for intermediate token r… (
0d96dcf 
#1583)

* feat: Implement refreshCredentialsIfRequired for intermediate token refresh

Implement `refreshCredentialsIfRequired`, called by `generateToken()`, to handle token refresh. It uses `refreshMargin` and `minimumTokenLifetime` to decide on synchronous or asynchronous refresh

* Add unit tests for the builder and refreshCredentials()

* Improve concurrency handling during credential refresh.

Introduced a refresh task to manage concurrent refresh requests, preventing redundant attempts and potential race conditions. This aligns the refresh mechanism with the pattern used in OAuth2Credentials and ensures more robust credential management.

* Update existing unit tests for compatibility and readability.

* Add unit tests for refreshCredentialsIfRequired.

* Fix a merge issue.

* Temporary add sonatype-snapshots repository and cel version to fix the build error.

* Remove duplicated code.

* Fix lint issue.

* Fix: Propagate credential refresh exceptions in blocking refresh.

* Change cel version

* Change cel version

* Add jsr305 dependency

* Fix Javadoc error

* Minor code readability enhancements.

* Revert "Fix Javadoc error"

This reverts commit 2157fdb.

* Address comments (add javadoc and use assertThrows in tests)

* Run format script
@huangjiahua
feat: Implement Client-Side CAB token generation. (#1598)
5573169 
* feat: Implement Client-Side CAB token generation.

Change-Id: I2c217656584cf5805297f02340cbbabca471f609

* Use IllegalStateException(String, Throwable) to capture upstream exception during Tink initialization

Change-Id: I12af5b84eae4dcec5865adfdad1f9396d54c0200

* Rethrow exceptions from tink and CEL

Change-Id: If8c94c786ee39201029d9c27856fd2eafb61e51c

* Add tests for invalid keys from upstream, and rename test cases.

Change-Id: Ib41cb81c779534fc6efd74d66bf4728efd743906

* Add additional throws comment for generatToken method.

Change-Id: I9cfc589ade8a91040fc9c447740493fd49e392af

* Refactor tests for better readability.

Change-Id: Icfd0bc24c1694f220bcbffc6cde41462c59119c4

* Catch and rethrow the exception of session key not being base64 encoded.

Change-Id: I5fa0c25fe020e9612735e4ac5df2b85a2a5aab11

* Format the code using mvn com.coveo:fmt-maven-plugin:format.

Change-Id: I46572488dcd28de450a6b1b2f732bee5baa86910

* Fix a typo in the javadoc comment.

Change-Id: Icef9ef5f7c3567224ec507303543b78e61f43ec1
@nbayati
Merge branch 'main' into new-branch-name
3a90191 
# Conflicts:
#	oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java
#	pom.xml
@nbayati
chore: Update version tag in cab-token-generator pom.xml
3bad66f 
This commit updates the version tag in the pom.xml file.
@nbayati nbayati requested review from a team as code owners January 23, 2025 17:37
@nbayati nbayati requested a review from a team January 23, 2025 17:37
@product-auto-label product-auto-label bot added the size: xl Pull request size is extra large. label Jan 23, 2025
@nbayati nbayati changed the title Add client-side cab token generator feat: add client-side cab token generator Jan 23, 2025
@nbayati nbayati requested review from aeitzman, lqiu96 and lsirac January 23, 2025 17:40
@nbayati
Copy link
Contributor Author

nbayati commented Jan 29, 2025

The coverage and duplication conditions are failing on Sonar because of the generated code in ClientSideAccessBoundaryProto.java. We can ignore these two failed checks.

Screenshot 2025-01-24 at 9 34 15 AM Screenshot 2025-01-29 at 10 14 26 AM

lqiu96
lqiu96 reviewed Jan 30, 2025
View reviewed changes
@nbayati nbayati mentioned this pull request Jan 30, 2025
Merged
11 tasks
lqiu96
lqiu96 reviewed Jan 30, 2025
View reviewed changes
@lqiu96
Copy link
Member

lqiu96 commented Jan 30, 2025

nit: Could we update the PR title to reflect the changes that are coming into main. We try use the PR titles to create release notes for each release.

feat: add client-side cab token generator

Thoughts on something like feat: Introduce Client-Side Certificate Access Boundary (CAB) functionality

lsirac
lsirac reviewed Jan 31, 2025
View reviewed changes
@nbayati nbayati changed the title feat: add client-side cab token generator feat: Introduce Client-Side Credential Access Boundary (CAB) functionality Jan 31, 2025
@nbayati
Docs: Added javadocs
02e939e 
Improvements: Cleaned up code, resolved readability enhancements
@nbayati nbayati requested review from lqiu96 and lsirac January 31, 2025 22:17
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 31, 2025

Quality Gate Failed Quality Gate failed

Failed conditions
45.9% Coverage on New Code (required ≥ 80%)
5.9% Duplication on New Code (required ≤ 3%)
B Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

lqiu96
lqiu96 reviewed Feb 3, 2025
View reviewed changes
pom.xml
<groupId>org.codehaus.mojo</groupId>
<artifactId>clirr-maven-plugin</artifactId>
<configuration>
<ignoredDifferencesFile>clirr-ignored-differences.xml</ignoredDifferencesFile>
Copy link
Member

@lqiu96 lqiu96 Feb 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this still needed?

@lqiu96 lqiu96 merged commit f481123 into main Feb 4, 2025
16 of 22 checks passed
@lqiu96 lqiu96 deleted the client-side-cab branch February 4, 2025 18:30
@lqiu96 lqiu96 restored the client-side-cab branch February 4, 2025 18:31
@release-please release-please bot mentioned this pull request Feb 4, 2025
Merged
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Feb 5, 2025
@github-cash-renovate-jvm-2 @svc-squareup-copybara
This PR contains the following updates:
e697dee 
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| org.flywaydb.flyway | plugin | misk/gradle/libs.versions.toml | gradle
| patch | `11.3.0` -> `11.3.1` |
|
[com.google.auth:google-auth-library-oauth2-http](https://github.com/googleapis/google-auth-library-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.31.0` -> `1.32.0` |
|
[com.google.auth:google-auth-library-credentials](https://github.com/googleapis/google-auth-library-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.31.0` -> `1.32.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
|
[software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.12` -> `2.30.13` |

---

### Release Notes

<details>
<summary>googleapis/google-auth-library-java
(com.google.auth:google-auth-library-oauth2-http)</summary>

###
[`v1.32.0`](https://github.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1320-2025-02-04)

##### Features

- Introduce Client-Side Credential Access Boundary (CAB) functionality
([#&#8203;1629](googleapis/google-auth-library-java#1629))
([f481123](googleapis/google-auth-library-java@f481123))

##### Bug Fixes

- Handle 404 and non 200 Status Code from MDS Identity Token calls
([#&#8203;1636](googleapis/google-auth-library-java#1636))
([152c851](googleapis/google-auth-library-java@152c851))
- Respect token_uri from json in UserCredentials creation.
([#&#8203;1630](googleapis/google-auth-library-java#1630))
([f92cc4f](googleapis/google-auth-library-java@f92cc4f))

##### Documentation

- Re-organize the README + Add a section on migrating to
GoogleCredentials
([#&#8203;1644](googleapis/google-auth-library-java#1644))
([30b26b2](googleapis/google-auth-library-java@30b26b2))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: f984e57edb0f670423a82dec1bcfe012849eb91d
@release-please release-please bot mentioned this pull request Dec 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lqiu96 lqiu96 lqiu96 approved these changes

@lsirac lsirac lsirac approved these changes

+1 more reviewer

@aeitzman aeitzman aeitzman approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size: xl Pull request size is extra large.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@nbayati @lqiu96 @aeitzman @lsirac @huangjiahua