chore(auth): Porting the changes from the old RAB PR #13559#13713
chore(auth): Porting the changes from the old RAB PR #13559#13713vverman wants to merge 8 commits into
Conversation
googleapis#12787) Migrates RAB changes from the older repo -> https://github.com/googleapis/google-auth-library-java/tree/feat-tb-sa
…gleapis#12867) 1. The RAB refresh uses a direct executor with a fixed thread pool as opposed to instantiating a new thread each time. 2. The RAB env gate -> GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT has been removed. This means RAB refresh triggers by default. 3. Added other fixes/suggestions made in the previous Java [PR](googleapis/google-auth-library-java#1880).
…oogleapis#13331) In ComputeEngineCredentials when running on GKE platform, the getAccount() call may return a value which isn't an email. In this case the right behaviour is to skip RAB lookup which is what this PR does. Added tests.
There was a problem hiding this comment.
Code Review
This pull request introduces a Regional Access Boundary (RAB) mechanism to the Google Auth Library, allowing credentials to fetch and include 'x-allowed-locations' headers in API requests for regional security enforcement. The changes include the addition of a 'RegionalAccessBoundaryManager' for caching and asynchronous refreshing, and updates to various credential classes to integrate this functionality. The reviewer identified a critical issue regarding audience mismatch in the self-signed JWT flow and suggested skipping the RAB refresh in that scenario. Additionally, the reviewer recommended performance and correctness improvements, such as using case-insensitive hostname comparisons, removing redundant null checks, and optimizing map operations to reduce unnecessary object allocations.
No description provided.