Reintroduced env variables.

Author: vverman

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -111,11 +111,6 @@ String getFileType() {
   private final String universeDomain;
   private final boolean isExplicitUniverseDomain;
 
-  // Note: this is for internal testing use use only.
-  // TODO: Fix unit test mocks so this can be removed
-  // Refer -> https://github.com/googleapis/google-auth-library-java/issues/1898
-  @VisibleForTesting static boolean disableRabRefreshForTest = false;
-
   transient RegionalAccessBoundaryManager regionalAccessBoundaryManager =
       new RegionalAccessBoundaryManager(clock);
 
@@ -366,10 +361,9 @@ void refreshRegionalAccessBoundaryIfExpired(
       @Nullable AccessToken token,
       @Nullable java.util.concurrent.Executor executor)
       throws IOException {
-    if (disableRabRefreshForTest) {
-      return;
-    }
-    if (!(this instanceof RegionalAccessBoundaryProvider) || !isDefaultUniverseDomain()) {
+    if (!(this instanceof RegionalAccessBoundaryProvider)
+        || !RegionalAccessBoundary.isEnabled()
+        || !isDefaultUniverseDomain()) {
       return;
     }
 
@@ -539,8 +533,8 @@ static Map<String, List<String>> addQuotaProjectIdToRequestMetadata(
   }
 
   /**
-   * Adds Regional Access Boundary header to requestMetadata if available. Overwrites if present.
-   * If the current RAB is null, it removes any stale header that might have survived serialization.
+   * Adds Regional Access Boundary header to requestMetadata if available. Overwrites if present. If
+   * the current RAB is null, it removes any stale header that might have survived serialization.
    *
    * @param uri The URI of the request.
    * @param requestMetadata The request metadata.

oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundary.java

@@ -52,6 +52,7 @@
 import java.io.Serializable;
 import java.util.Collections;
 import java.util.List;
+import javax.annotation.Nullable;
 
 /**
  * Represents the regional access boundary configuration for a credential. This class holds the
@@ -65,6 +66,10 @@ public final class RegionalAccessBoundary implements Serializable {
   public static final String X_ALLOWED_LOCATIONS_HEADER_KEY = "x-allowed-locations";
   private static final long serialVersionUID = -2428522338274020302L;
 
+  // Note: this is for internal testing use use only.
+  // TODO: Fix unit test mocks so this can be removed
+  // Refer -> https://github.com/googleapis/google-auth-library-java/issues/1898
+  static final String ENABLE_EXPERIMENT_ENV_VAR = "GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT";
   static final long TTL_MILLIS = 6 * 60 * 60 * 1000L; // 6 hours
   static final long REFRESH_THRESHOLD_MILLIS = 1 * 60 * 60 * 1000L; // 1 hour
 
@@ -73,6 +78,8 @@ public final class RegionalAccessBoundary implements Serializable {
   private final long refreshTime;
   private final transient Clock clock;
 
+  private static EnvironmentProvider environmentProvider = SystemEnvironmentProvider.getInstance();
+
   /**
    * Creates a new RegionalAccessBoundary instance.
    *
@@ -164,6 +171,30 @@ public String toString() {
     }
   }
 
+  @VisibleForTesting
+  static void setEnvironmentProviderForTest(@Nullable EnvironmentProvider provider) {
+    environmentProvider = provider == null ? SystemEnvironmentProvider.getInstance() : provider;
+  }
+
+  /**
+   * Checks if the regional access boundary feature is enabled. The feature is enabled if the
+   * environment variable or system property "GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT" is set
+   * to "true" or "1" (case-insensitive).
+   *
+   * @return True if the regional access boundary feature is enabled, false otherwise.
+   */
+  static boolean isEnabled() {
+    String enabled = environmentProvider.getEnv(ENABLE_EXPERIMENT_ENV_VAR);
+    if (enabled == null) {
+      enabled = System.getProperty(ENABLE_EXPERIMENT_ENV_VAR);
+    }
+    if (enabled == null) {
+      return false;
+    }
+    String lowercased = enabled.toLowerCase();
+    return "true".equals(lowercased) || "1".equals(enabled);
+  }
+
   /**
    * Refreshes the regional access boundary by making a network call to the lookup endpoint.
    *
@@ -177,7 +208,11 @@ public String toString() {
    * @throws IOException If a network error occurs or the response is malformed.
    */
   static RegionalAccessBoundary refresh(
-      HttpTransportFactory transportFactory, String url, AccessToken accessToken, Clock clock, int maxRetryElapsedTimeMillis)
+      HttpTransportFactory transportFactory,
+      String url,
+      AccessToken accessToken,
+      Clock clock,
+      int maxRetryElapsedTimeMillis)
       throws IOException {
     Preconditions.checkNotNull(accessToken, "The provided access token is null.");
     if (accessToken.getExpirationTimeMillis() != null

oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java

@@ -65,13 +65,11 @@
 public class AwsCredentialsTest extends BaseSerializationTest {
 
   @org.junit.Before
-  public void setUp() {
-    GoogleCredentials.disableRabRefreshForTest = true;
-  }
+  public void setUp() {}
 
   @org.junit.After
   public void tearDown() {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    RegionalAccessBoundary.setEnvironmentProviderForTest(null);
   }
 
   private static final String STS_URL = "https://sts.googleapis.com/v1/token";
@@ -1412,7 +1410,9 @@ public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext cont
 
   @Test
   public void testRefresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
 
     MockExternalAccountCredentialsTransportFactory transportFactory =
         new MockExternalAccountCredentialsTransportFactory();

oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java

@@ -80,13 +80,11 @@
 public class ComputeEngineCredentialsTest extends BaseSerializationTest {
 
   @org.junit.Before
-  public void setUp() {
-    GoogleCredentials.disableRabRefreshForTest = true;
-  }
+  public void setUp() {}
 
   @org.junit.After
   public void tearDown() {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    RegionalAccessBoundary.setEnvironmentProviderForTest(null);
   }
 
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
@@ -1158,7 +1156,9 @@ public void idTokenWithAudience_503StatusCode() {
 
   @Test
   public void refresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
 
     String defaultAccountEmail = "default@email.com";
     MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();

oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentialsTest.java

@@ -128,13 +128,12 @@ public HttpTransport create() {
 
   @Before
   public void setup() {
-    GoogleCredentials.disableRabRefreshForTest = true;
     transportFactory = new MockExternalAccountAuthorizedUserCredentialsTransportFactory();
   }
 
   @org.junit.After
   public void tearDown() {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    RegionalAccessBoundary.setEnvironmentProviderForTest(null);
   }
 
   @Test
@@ -1223,7 +1222,9 @@ public void toString_expectedFormat() {
 
   @Test
   public void testRefresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
 
     ExternalAccountAuthorizedUserCredentials credentials =
         ExternalAccountAuthorizedUserCredentials.newBuilder()

oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java

@@ -89,13 +89,12 @@ public HttpTransport create() {
 
   @Before
   public void setup() {
-    GoogleCredentials.disableRabRefreshForTest = true;
     transportFactory = new MockExternalAccountCredentialsTransportFactory();
   }
 
   @org.junit.After
   public void tearDown() {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    RegionalAccessBoundary.setEnvironmentProviderForTest(null);
   }
 
   @Test
@@ -1311,7 +1310,9 @@ public void getRegionalAccessBoundaryUrl_invalidAudience_throws() {
   @Test
   public void refresh_workload_regionalAccessBoundarySuccess()
       throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     String audience =
         "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/my-pool/providers/my-provider";
 
@@ -1346,7 +1347,9 @@ public String retrieveSubjectToken() throws IOException {
   @Test
   public void refresh_workforce_regionalAccessBoundarySuccess()
       throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     String audience =
         "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider";
 
@@ -1381,7 +1384,9 @@ public String retrieveSubjectToken() throws IOException {
   @Test
   public void refresh_impersonated_workload_regionalAccessBoundarySuccess()
       throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     String projectNumber = "12345";
     String poolId = "my-pool";
     String providerId = "my-provider";
@@ -1397,7 +1402,8 @@ public void refresh_impersonated_workload_regionalAccessBoundarySuccess()
         String.format(
             IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKLOAD_POOL, projectNumber, poolId);
     RegionalAccessBoundary workloadRab =
-        new RegionalAccessBoundary("workload-encoded", Collections.singletonList("workload-loc"), null);
+        new RegionalAccessBoundary(
+            "workload-encoded", Collections.singletonList("workload-loc"), null);
     transportFactory.transport.addRegionalAccessBoundary(workloadRabUrl, workloadRab);
 
     String saEmail =
@@ -1442,7 +1448,9 @@ public void refresh_impersonated_workload_regionalAccessBoundarySuccess()
   @Test
   public void refresh_impersonated_workforce_regionalAccessBoundarySuccess()
       throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     String poolId = "my-pool";
     String providerId = "my-provider";
     String audience =
@@ -1456,7 +1464,8 @@ public void refresh_impersonated_workforce_regionalAccessBoundarySuccess()
     String workforceRabUrl =
         String.format(IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL, poolId);
     RegionalAccessBoundary workforceRab =
-        new RegionalAccessBoundary("workforce-encoded", Collections.singletonList("workforce-loc"), null);
+        new RegionalAccessBoundary(
+            "workforce-encoded", Collections.singletonList("workforce-loc"), null);
     transportFactory.transport.addRegionalAccessBoundary(workforceRabUrl, workforceRab);
 
     String saEmail =

oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java

@@ -102,13 +102,11 @@ public class GoogleCredentialsTest extends BaseSerializationTest {
   private static final String TPC_UNIVERSE = "foo.bar";
 
   @org.junit.Before
-  public void setUp() {
-    GoogleCredentials.disableRabRefreshForTest = true;
-  }
+  public void setUp() {}
 
   @org.junit.After
   public void tearDown() {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    RegionalAccessBoundary.setEnvironmentProviderForTest(null);
   }
 
   @Test
@@ -803,12 +801,17 @@ public void serialize() throws IOException, ClassNotFoundException {
 
   @Test
   public void serialize_removesStaleRabHeaders() throws Exception {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
 
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     RegionalAccessBoundary rab =
         new RegionalAccessBoundary(
-            "test-encoded", Collections.singletonList("test-loc"), System.currentTimeMillis(), null);
+            "test-encoded",
+            Collections.singletonList("test-loc"),
+            System.currentTimeMillis(),
+            null);
     transportFactory.transport.setRegionalAccessBoundary(rab);
     transportFactory.transport.addServiceAccount(SA_CLIENT_EMAIL, ACCESS_TOKEN);
 
@@ -842,8 +845,7 @@ public void serialize_removesStaleRabHeaders() throws Exception {
 
     // The metadata should NOT contain the RAB header anymore, preventing stale headers.
     Map<String, List<String>> deserializedMetadata = deserialized.getRequestMetadata();
-    assertNull(
-        deserializedMetadata.get(RegionalAccessBoundary.X_ALLOWED_LOCATIONS_HEADER_KEY));
+    assertNull(deserializedMetadata.get(RegionalAccessBoundary.X_ALLOWED_LOCATIONS_HEADER_KEY));
   }
 
   @Test
@@ -998,7 +1000,9 @@ public void getCredentialInfo_impersonatedServiceAccount() throws IOException {
   @Test
   public void regionalAccessBoundary_shouldFetchAndReturnRegionalAccessBoundaryDataSuccessfully()
       throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     MockTokenServerTransport transport = new MockTokenServerTransport();
     transport.addServiceAccount(SA_CLIENT_EMAIL, ACCESS_TOKEN);
     RegionalAccessBoundary regionalAccessBoundary =
@@ -1033,7 +1037,9 @@ public void regionalAccessBoundary_shouldFetchAndReturnRegionalAccessBoundaryDat
   @Test
   public void regionalAccessBoundary_shouldRetryRegionalAccessBoundaryLookupOnFailure()
       throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
 
     // This transport will be used for the regional access boundary lookup.
     // We will configure it to fail on the first attempt.
@@ -1085,7 +1091,9 @@ public com.google.api.client.http.LowLevelHttpRequest buildRequest(
   @Test
   public void regionalAccessBoundary_refreshShouldNotThrowWhenNoValidAccessTokenIsPassed()
       throws IOException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     MockTokenServerTransport transport = new MockTokenServerTransport();
     // Return an expired access token.
     transport.addServiceAccount(SA_CLIENT_EMAIL, "expired-token");
@@ -1108,7 +1116,9 @@ public void regionalAccessBoundary_refreshShouldNotThrowWhenNoValidAccessTokenIs
   @Test
   public void regionalAccessBoundary_cooldownDoublingAndRefresh()
       throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     MockTokenServerTransport transport = new MockTokenServerTransport();
     transport.addServiceAccount(SA_CLIENT_EMAIL, ACCESS_TOKEN);
     // Always fail lookup for now.
@@ -1168,7 +1178,9 @@ public void regionalAccessBoundary_cooldownDoublingAndRefresh()
 
   @Test
   public void regionalAccessBoundary_shouldFailOpenWhenRefreshCannotBeStarted() throws IOException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     // Use a simple AccessToken-based credential that won't try to refresh.
     GoogleCredentials credentials = GoogleCredentials.create(new AccessToken("some-token", null));
 
@@ -1180,7 +1192,9 @@ public void regionalAccessBoundary_shouldFailOpenWhenRefreshCannotBeStarted() th
   @Test
   public void regionalAccessBoundary_deduplicationOfConcurrentRefreshes()
       throws IOException, InterruptedException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     MockTokenServerTransport transport = new MockTokenServerTransport();
     transport.setRegionalAccessBoundary(
         new RegionalAccessBoundary("valid", Collections.singletonList("us-central1"), null));
@@ -1209,7 +1223,9 @@ public void regionalAccessBoundary_deduplicationOfConcurrentRefreshes()
 
   @Test
   public void regionalAccessBoundary_shouldSkipRefreshForRegionalEndpoints() throws IOException {
-    GoogleCredentials.disableRabRefreshForTest = false;
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    RegionalAccessBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv(RegionalAccessBoundary.ENABLE_EXPERIMENT_ENV_VAR, "1");
     MockTokenServerTransport transport = new MockTokenServerTransport();
     GoogleCredentials credentials = createTestCredentials(transport);