RAB staleness due to Oauth caching and flaky tests fixed.

Author: vverman

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -111,6 +111,11 @@ String getFileType() {
   private final String universeDomain;
   private final boolean isExplicitUniverseDomain;
 
+  // Note: this is for internal testing use use only.
+  // TODO: Fix unit test mocks so this can be removed
+  // Refer -> https://github.com/googleapis/google-auth-library-java/issues/1898
+  @VisibleForTesting static boolean disableRabRefreshForTest = false;
+
   transient RegionalAccessBoundaryManager regionalAccessBoundaryManager =
       new RegionalAccessBoundaryManager();
 
@@ -361,6 +366,9 @@ void refreshRegionalAccessBoundaryIfExpired(
       @Nullable AccessToken token,
       @Nullable java.util.concurrent.Executor executor)
       throws IOException {
+    if (disableRabRefreshForTest) {
+      return;
+    }
     if (!(this instanceof RegionalAccessBoundaryProvider) || !isDefaultUniverseDomain()) {
       return;
     }
@@ -526,22 +534,22 @@ static Map<String, List<String>> addQuotaProjectIdToRequestMetadata(
   }
 
   /**
-   * Adds Regional Access Boundary header to requestMetadata if available.
+   * Adds Regional Access Boundary header to requestMetadata if available. Overwrites if present.
    *
-   * @return a new map with Regional Access Boundary header added if needed
+   * @return a new map with Regional Access Boundary header added or updated
    */
   Map<String, List<String>> addRegionalAccessBoundaryToRequestMetadata(
       Map<String, List<String>> requestMetadata) {
     Preconditions.checkNotNull(requestMetadata);
     RegionalAccessBoundary rab = getRegionalAccessBoundary();
-    if (rab != null
-        && !requestMetadata.containsKey(RegionalAccessBoundary.X_ALLOWED_LOCATIONS_HEADER_KEY)) {
-      return ImmutableMap.<String, List<String>>builder()
-          .putAll(requestMetadata)
-          .put(
-              RegionalAccessBoundary.X_ALLOWED_LOCATIONS_HEADER_KEY,
-              Collections.singletonList(rab.getEncodedLocations()))
-          .build();
+    if (rab != null) {
+      // Overwrite the header to ensure the most recent async update is used,
+      // preventing staleness if the token itself hasn't expired yet.
+      Map<String, List<String>> newMetadata = new HashMap<>(requestMetadata);
+      newMetadata.put(
+          RegionalAccessBoundary.X_ALLOWED_LOCATIONS_HEADER_KEY,
+          Collections.singletonList(rab.getEncodedLocations()));
+      return ImmutableMap.copyOf(newMetadata);
     }
     return requestMetadata;
   }

oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java

@@ -64,6 +64,16 @@
 @RunWith(JUnit4.class)
 public class AwsCredentialsTest extends BaseSerializationTest {
 
+  @org.junit.Before
+  public void setUp() {
+    GoogleCredentials.disableRabRefreshForTest = true;
+  }
+
+  @org.junit.After
+  public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
+  }
+
   private static final String STS_URL = "https://sts.googleapis.com/v1/token";
   private static final String AWS_CREDENTIALS_URL = "https://169.254.169.254";
   private static final String AWS_CREDENTIALS_URL_WITH_ROLE = "https://169.254.169.254/roleName";
@@ -1402,6 +1412,8 @@ public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext cont
 
   @Test
   public void testRefresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
+
     MockExternalAccountCredentialsTransportFactory transportFactory =
         new MockExternalAccountCredentialsTransportFactory();
 

oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java

@@ -79,6 +79,16 @@
 @RunWith(JUnit4.class)
 public class ComputeEngineCredentialsTest extends BaseSerializationTest {
 
+  @org.junit.Before
+  public void setUp() {
+    GoogleCredentials.disableRabRefreshForTest = true;
+  }
+
+  @org.junit.After
+  public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
+  }
+
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
 
   private static final String TOKEN_URL =
@@ -1148,6 +1158,8 @@ public void idTokenWithAudience_503StatusCode() {
 
   @Test
   public void refresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
+
     String defaultAccountEmail = "default@email.com";
     MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
     RegionalAccessBoundary regionalAccessBoundary =

oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentialsTest.java

@@ -128,9 +128,15 @@ public HttpTransport create() {
 
   @Before
   public void setup() {
+    GoogleCredentials.disableRabRefreshForTest = true;
     transportFactory = new MockExternalAccountAuthorizedUserCredentialsTransportFactory();
   }
 
+  @org.junit.After
+  public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
+  }
+
   @Test
   public void builder_allFields() throws IOException {
     ExternalAccountAuthorizedUserCredentials credentials =
@@ -1217,6 +1223,8 @@ public void toString_expectedFormat() {
 
   @Test
   public void testRefresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
+
     ExternalAccountAuthorizedUserCredentials credentials =
         ExternalAccountAuthorizedUserCredentials.newBuilder()
             .setClientId(CLIENT_ID)

oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java

@@ -89,9 +89,15 @@ public HttpTransport create() {
 
   @Before
   public void setup() {
+    GoogleCredentials.disableRabRefreshForTest = true;
     transportFactory = new MockExternalAccountCredentialsTransportFactory();
   }
 
+  @org.junit.After
+  public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
+  }
+
   @Test
   public void fromStream_identityPoolCredentials() throws IOException {
     GenericJson json = buildJsonIdentityPoolCredential();
@@ -1305,6 +1311,7 @@ public void getRegionalAccessBoundaryUrl_invalidAudience_throws() {
   @Test
   public void refresh_workload_regionalAccessBoundarySuccess()
       throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     String audience =
         "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/my-pool/providers/my-provider";
 
@@ -1339,6 +1346,7 @@ public String retrieveSubjectToken() throws IOException {
   @Test
   public void refresh_workforce_regionalAccessBoundarySuccess()
       throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     String audience =
         "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider";
 
@@ -1373,6 +1381,7 @@ public String retrieveSubjectToken() throws IOException {
   @Test
   public void refresh_impersonated_workload_regionalAccessBoundarySuccess()
       throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     String projectNumber = "12345";
     String poolId = "my-pool";
     String providerId = "my-provider";
@@ -1433,6 +1442,7 @@ public void refresh_impersonated_workload_regionalAccessBoundarySuccess()
   @Test
   public void refresh_impersonated_workforce_regionalAccessBoundarySuccess()
       throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     String poolId = "my-pool";
     String providerId = "my-provider";
     String audience =

oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java

@@ -56,7 +56,6 @@
 import java.util.*;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.AtomicReference;
-import org.junit.After;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
@@ -100,8 +99,14 @@ public class GoogleCredentialsTest extends BaseSerializationTest {
   private static final String GOOGLE_DEFAULT_UNIVERSE = "googleapis.com";
   private static final String TPC_UNIVERSE = "foo.bar";
 
-  @After
+  @org.junit.Before
+  public void setUp() {
+    GoogleCredentials.disableRabRefreshForTest = true;
+  }
+
+  @org.junit.After
   public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
     RegionalAccessBoundary.setClockForTest(Clock.SYSTEM);
     RegionalAccessBoundaryManager.setClockForTest(Clock.SYSTEM);
   }
@@ -948,6 +953,7 @@ public void getCredentialInfo_impersonatedServiceAccount() throws IOException {
   @Test
   public void regionalAccessBoundary_shouldFetchAndReturnRegionalAccessBoundaryDataSuccessfully()
       throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     MockTokenServerTransport transport = new MockTokenServerTransport();
     transport.addServiceAccount(SA_CLIENT_EMAIL, ACCESS_TOKEN);
     RegionalAccessBoundary regionalAccessBoundary =
@@ -981,6 +987,8 @@ public void regionalAccessBoundary_shouldFetchAndReturnRegionalAccessBoundaryDat
   @Test
   public void regionalAccessBoundary_shouldRetryRegionalAccessBoundaryLookupOnFailure()
       throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
+
     // This transport will be used for the regional access boundary lookup.
     // We will configure it to fail on the first attempt.
     MockTokenServerTransport regionalAccessBoundaryTransport = new MockTokenServerTransport();
@@ -1030,6 +1038,7 @@ public com.google.api.client.http.LowLevelHttpRequest buildRequest(
   @Test
   public void regionalAccessBoundary_refreshShouldNotThrowWhenNoValidAccessTokenIsPassed()
       throws IOException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     MockTokenServerTransport transport = new MockTokenServerTransport();
     // Return an expired access token.
     transport.addServiceAccount(SA_CLIENT_EMAIL, "expired-token");
@@ -1052,6 +1061,7 @@ public void regionalAccessBoundary_refreshShouldNotThrowWhenNoValidAccessTokenIs
   @Test
   public void regionalAccessBoundary_cooldownDoublingAndRefresh()
       throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     MockTokenServerTransport transport = new MockTokenServerTransport();
     transport.addServiceAccount(SA_CLIENT_EMAIL, ACCESS_TOKEN);
     // Always fail lookup for now.
@@ -1111,6 +1121,7 @@ public void regionalAccessBoundary_cooldownDoublingAndRefresh()
 
   @Test
   public void regionalAccessBoundary_shouldFailOpenWhenRefreshCannotBeStarted() throws IOException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     // Use a simple AccessToken-based credential that won't try to refresh.
     GoogleCredentials credentials = GoogleCredentials.create(new AccessToken("some-token", null));
 
@@ -1122,6 +1133,7 @@ public void regionalAccessBoundary_shouldFailOpenWhenRefreshCannotBeStarted() th
   @Test
   public void regionalAccessBoundary_deduplicationOfConcurrentRefreshes()
       throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     MockTokenServerTransport transport = new MockTokenServerTransport();
     transport.setRegionalAccessBoundary(
         new RegionalAccessBoundary("valid", Collections.singletonList("us-central1")));
@@ -1150,6 +1162,7 @@ public void regionalAccessBoundary_deduplicationOfConcurrentRefreshes()
 
   @Test
   public void regionalAccessBoundary_shouldSkipRefreshForRegionalEndpoints() throws IOException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     MockTokenServerTransport transport = new MockTokenServerTransport();
     GoogleCredentials credentials = createTestCredentials(transport);
 

oauth2_http/javatests/com/google/auth/oauth2/IdentityPoolCredentialsTest.java

@@ -72,6 +72,16 @@ public class IdentityPoolCredentialsTest extends BaseSerializationTest {
   private static final IdentityPoolSubjectTokenSupplier testProvider =
       (ExternalAccountSupplierContext context) -> "testSubjectToken";
 
+  @org.junit.Before
+  public void setUp() {
+    GoogleCredentials.disableRabRefreshForTest = true;
+  }
+
+  @org.junit.After
+  public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
+  }
+
   @Test
   public void createdScoped_clonedCredentialWithAddedScopes() throws IOException {
     IdentityPoolCredentials credentials =
@@ -1307,6 +1317,8 @@ void setShouldThrowOnGetCertificatePath(boolean shouldThrow) {
 
   @Test
   public void testRefresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
+
     MockExternalAccountCredentialsTransportFactory transportFactory =
         new MockExternalAccountCredentialsTransportFactory();
     HttpTransportFactory testingHttpTransportFactory = transportFactory;

oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java

@@ -165,10 +165,16 @@ public class ImpersonatedCredentialsTest extends BaseSerializationTest {
 
   @Before
   public void setup() throws IOException {
+    GoogleCredentials.disableRabRefreshForTest = true;
     sourceCredentials = getSourceCredentials();
     mockTransportFactory = new MockIAMCredentialsServiceTransportFactory();
   }
 
+  @org.junit.After
+  public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
+  }
+
   static GoogleCredentials getSourceCredentials() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     PrivateKey privateKey = OAuth2Utils.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
@@ -1311,6 +1317,7 @@ public void serialize() throws IOException, ClassNotFoundException {
 
   @Test
   public void refresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
     // Mock regional access boundary response
     RegionalAccessBoundary regionalAccessBoundary = REGIONAL_ACCESS_BOUNDARY;
 

oauth2_http/javatests/com/google/auth/oauth2/LoggingTest.java

@@ -64,6 +64,8 @@
 import java.util.Map;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.event.KeyValuePair;
@@ -73,6 +75,7 @@
  * credentials test classes with addition of test logging appender setup and test logic for logging.
  * This duplicates tests setups, but centralizes logging test setup in this class.
  */
+@RunWith(JUnit4.class)
 public class LoggingTest {
 
   private TestAppender setupTestLogger(Class<?> clazz) {
@@ -91,13 +94,24 @@ public static void setup() {
     LoggingUtils.setEnvironmentProvider(testEnvironmentProvider);
   }
 
+  @org.junit.Before
+  public void setUp() {
+    GoogleCredentials.disableRabRefreshForTest = true;
+  }
+
+  @org.junit.After
+  public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
+  }
+
   @Test
   public void userCredentials_getRequestMetadata_fromRefreshToken_hasAccessToken()
       throws IOException {
     TestAppender testAppender = setupTestLogger(UserCredentials.class);
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
+
     UserCredentials userCredentials =
         UserCredentials.newBuilder()
             .setClientId(CLIENT_ID)
@@ -210,6 +224,7 @@ public void serviceAccountCredentials_idTokenWithAudience_iamFlow_targetAudience
     transportFactory.getTransport().setTargetPrincipal(CLIENT_EMAIL);
     transportFactory.getTransport().setIdToken(DEFAULT_ID_TOKEN);
     transportFactory.getTransport().addStatusCodeAndMessage(HttpStatusCodes.STATUS_CODE_OK, "");
+
     ServiceAccountCredentials credentials =
         createDefaultBuilder()
             .setScopes(SCOPES)
@@ -441,7 +456,7 @@ public void getRequestMetadata_hasAccessToken() throws IOException {
 
     TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
 
-    assertEquals(8, testAppender.events.size());
+    assertEquals(6, testAppender.events.size());
 
     ILoggingEvent defaultServiceAccountRequest = testAppender.events.get(0);
     assertEquals(

oauth2_http/javatests/com/google/auth/oauth2/PluggableAuthCredentialsTest.java

@@ -57,6 +57,17 @@
 /** Tests for {@link PluggableAuthCredentials}. */
 @RunWith(JUnit4.class)
 public class PluggableAuthCredentialsTest extends BaseSerializationTest {
+
+  @org.junit.Before
+  public void setUp() {
+    GoogleCredentials.disableRabRefreshForTest = true;
+  }
+
+  @org.junit.After
+  public void tearDown() {
+    GoogleCredentials.disableRabRefreshForTest = false;
+  }
+
   // The default timeout for waiting for the executable to finish (30 seconds).
   private static final int DEFAULT_EXECUTABLE_TIMEOUT_MS = 30 * 1000;
   // The minimum timeout for waiting for the executable to finish (5 seconds).
@@ -608,6 +619,8 @@ public void serialize() throws IOException, ClassNotFoundException {
 
   @Test
   public void testRefresh_regionalAccessBoundarySuccess() throws IOException, InterruptedException {
+    GoogleCredentials.disableRabRefreshForTest = false;
+
     MockExternalAccountCredentialsTransportFactory transportFactory =
         new MockExternalAccountCredentialsTransportFactory();
     transportFactory.transport.setExpireTime(TestUtils.getDefaultExpireTime());