Using per-instance clocks.

Author: vverman

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -117,7 +117,7 @@ String getFileType() {
   @VisibleForTesting static boolean disableRabRefreshForTest = false;
 
   transient RegionalAccessBoundaryManager regionalAccessBoundaryManager =
-      new RegionalAccessBoundaryManager();
+      new RegionalAccessBoundaryManager(clock);
 
   protected final String quotaProjectId;
 
@@ -439,7 +439,7 @@ void refreshRegionalAccessBoundaryWithSelfSignedJwtIfExpired(
   @Override
   public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
     Map<String, List<String>> metadata = super.getRequestMetadata(uri);
-    metadata = addRegionalAccessBoundaryToRequestMetadata(metadata);
+    metadata = addRegionalAccessBoundaryToRequestMetadata(uri, metadata);
     try {
       // Sets off an async refresh for request-metadata.
       refreshRegionalAccessBoundaryIfExpired(uri, getAccessToken(), null);
@@ -470,7 +470,7 @@ public void getRequestMetadata(
         new RequestMetadataCallback() {
           @Override
           public void onSuccess(Map<String, List<String>> metadata) {
-            metadata = addRegionalAccessBoundaryToRequestMetadata(metadata);
+            metadata = addRegionalAccessBoundaryToRequestMetadata(uri, metadata);
             try {
               refreshRegionalAccessBoundaryIfExpired(uri, getAccessToken(), executor);
             } catch (IOException e) {
@@ -542,11 +542,21 @@ static Map<String, List<String>> addQuotaProjectIdToRequestMetadata(
    * Adds Regional Access Boundary header to requestMetadata if available. Overwrites if present.
    * If the current RAB is null, it removes any stale header that might have survived serialization.
    *
+   * @param uri The URI of the request.
+   * @param requestMetadata The request metadata.
    * @return a new map with Regional Access Boundary header added, updated, or removed
    */
   Map<String, List<String>> addRegionalAccessBoundaryToRequestMetadata(
-      Map<String, List<String>> requestMetadata) {
+      URI uri, Map<String, List<String>> requestMetadata) {
     Preconditions.checkNotNull(requestMetadata);
+
+    if (uri != null && uri.getHost() != null) {
+      String host = uri.getHost();
+      if (host.endsWith(".rep.googleapis.com") || host.endsWith(".rep.sandbox.googleapis.com")) {
+        return requestMetadata;
+      }
+    }
+
     RegionalAccessBoundary rab = getRegionalAccessBoundary();
     if (rab != null) {
       // Overwrite the header to ensure the most recent async update is used,
@@ -684,7 +694,7 @@ public int hashCode() {
 
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
     input.defaultReadObject();
-    regionalAccessBoundaryManager = new RegionalAccessBoundaryManager();
+    regionalAccessBoundaryManager = new RegionalAccessBoundaryManager(clock);
   }
 
   public static Builder newBuilder() {

oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundary.java

@@ -67,21 +67,25 @@ public final class RegionalAccessBoundary implements Serializable {
 
   static final long TTL_MILLIS = 6 * 60 * 60 * 1000L; // 6 hours
   static final long REFRESH_THRESHOLD_MILLIS = 1 * 60 * 60 * 1000L; // 1 hour
-  private static int maxRetryElapsedTimeMillis = 60000; // 1 minute
 
   private final String encodedLocations;
   private final List<String> locations;
   private final long refreshTime;
-  private static Clock clock = Clock.SYSTEM;
+  private final transient Clock clock;
 
   /**
    * Creates a new RegionalAccessBoundary instance.
    *
    * @param encodedLocations The encoded string representation of the allowed locations.
    * @param locations A list of human-readable location strings.
+   * @param clock The clock used to set the creation time.
    */
-  RegionalAccessBoundary(String encodedLocations, List<String> locations) {
-    this(encodedLocations, locations, clock.currentTimeMillis());
+  RegionalAccessBoundary(String encodedLocations, List<String> locations, Clock clock) {
+    this(
+        encodedLocations,
+        locations,
+        clock != null ? clock.currentTimeMillis() : Clock.SYSTEM.currentTimeMillis(),
+        clock);
   }
 
   /**
@@ -90,14 +94,17 @@ public final class RegionalAccessBoundary implements Serializable {
    * @param encodedLocations The encoded string representation of the allowed locations.
    * @param locations A list of human-readable location strings.
    * @param refreshTime The time at which the information was last refreshed.
+   * @param clock The clock to use for expiration checks.
    */
-  RegionalAccessBoundary(String encodedLocations, List<String> locations, long refreshTime) {
+  RegionalAccessBoundary(
+      String encodedLocations, List<String> locations, long refreshTime, Clock clock) {
     this.encodedLocations = encodedLocations;
     this.locations =
         locations == null
             ? Collections.<String>emptyList()
             : Collections.unmodifiableList(locations);
     this.refreshTime = refreshTime;
+    this.clock = clock != null ? clock : Clock.SYSTEM;
   }
 
   /** Returns the encoded string representation of the allowed locations. */
@@ -157,28 +164,20 @@ public String toString() {
     }
   }
 
-  @VisibleForTesting
-  static void setClockForTest(Clock testClock) {
-    clock = testClock;
-  }
-
-  @VisibleForTesting
-  static void setMaxRetryElapsedTimeMillisForTest(int millis) {
-    maxRetryElapsedTimeMillis = millis;
-  }
-
   /**
    * Refreshes the regional access boundary by making a network call to the lookup endpoint.
    *
    * @param transportFactory The HTTP transport factory to use for the network request.
    * @param url The URL of the regional access boundary endpoint.
    * @param accessToken The access token to authenticate the request.
+   * @param clock The clock to use for expiration checks.
+   * @param maxRetryElapsedTimeMillis The max duration to wait for retries.
    * @return A new RegionalAccessBoundary object containing the refreshed information.
    * @throws IllegalArgumentException If the provided access token is null or expired.
    * @throws IOException If a network error occurs or the response is malformed.
    */
   static RegionalAccessBoundary refresh(
-      HttpTransportFactory transportFactory, String url, AccessToken accessToken)
+      HttpTransportFactory transportFactory, String url, AccessToken accessToken, Clock clock, int maxRetryElapsedTimeMillis)
       throws IOException {
     Preconditions.checkNotNull(accessToken, "The provided access token is null.");
     if (accessToken.getExpirationTimeMillis() != null
@@ -231,6 +230,6 @@ static RegionalAccessBoundary refresh(
       throw new IOException(
           "RegionalAccessBoundary: Malformed response from lookup endpoint - `encodedLocations` was null.");
     }
-    return new RegionalAccessBoundary(encodedLocations, json.getLocations());
+    return new RegionalAccessBoundary(encodedLocations, json.getLocations(), clock);
   }
 }

oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundaryManager.java

@@ -55,6 +55,12 @@ final class RegionalAccessBoundaryManager {
   static final long INITIAL_COOLDOWN_MILLIS = 15 * 60 * 1000L; // 15 minutes
   static final long MAX_COOLDOWN_MILLIS = 6 * 60 * 60 * 1000L; // 6 hours
 
+  /**
+   * The default maximum elapsed time in milliseconds for retrying Regional Access Boundary lookup
+   * requests.
+   */
+  private static final int DEFAULT_MAX_RETRY_ELAPSED_TIME_MILLIS = 60000;
+
   /**
    * cachedRAB uses AtomicReference to provide thread-safe, lock-free access to the cached data for
    * high-concurrency request threads.
@@ -72,7 +78,23 @@ final class RegionalAccessBoundaryManager {
   private final AtomicReference<CooldownState> cooldownState =
       new AtomicReference<>(new CooldownState(0, INITIAL_COOLDOWN_MILLIS));
 
-  private static Clock clock = Clock.SYSTEM;
+  private final transient Clock clock;
+  private final int maxRetryElapsedTimeMillis;
+
+  /**
+   * Creates a new RegionalAccessBoundaryManager with the default retry timeout of 60 seconds.
+   *
+   * @param clock The clock to use for cooldown and expiration checks.
+   */
+  RegionalAccessBoundaryManager(Clock clock) {
+    this(clock, DEFAULT_MAX_RETRY_ELAPSED_TIME_MILLIS);
+  }
+
+  @VisibleForTesting
+  RegionalAccessBoundaryManager(Clock clock, int maxRetryElapsedTimeMillis) {
+    this.clock = clock != null ? clock : Clock.SYSTEM;
+    this.maxRetryElapsedTimeMillis = maxRetryElapsedTimeMillis;
+  }
 
   /**
    * Returns the currently cached RegionalAccessBoundary, or null if none is available or if it has
@@ -125,7 +147,8 @@ void triggerAsyncRefresh(
             try {
               String url = provider.getRegionalAccessBoundaryUrl();
               RegionalAccessBoundary newRAB =
-                  RegionalAccessBoundary.refresh(transportFactory, url, accessToken);
+                  RegionalAccessBoundary.refresh(
+                      transportFactory, url, accessToken, clock, maxRetryElapsedTimeMillis);
               cachedRAB.set(newRAB);
               resetCooldown();
               // Complete the future so monitors (like unit tests) know we are done.
@@ -212,11 +235,6 @@ long getCurrentCooldownMillis() {
     return cooldownState.get().durationMillis;
   }
 
-  @VisibleForTesting
-  static void setClockForTest(Clock testClock) {
-    clock = testClock;
-  }
-
   private static class CooldownState {
     /** The time (in milliseconds from epoch) when the current cooldown period expires. */
     final long expiryTime;

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -1147,7 +1147,7 @@ private Map<String, List<String>> getRequestMetadataWithSelfSignedJwt(URI uri)
     }
 
     Map<String, List<String>> requestMetadata = jwtCredentials.getRequestMetadata(null);
-    requestMetadata = addRegionalAccessBoundaryToRequestMetadata(requestMetadata);
+    requestMetadata = addRegionalAccessBoundaryToRequestMetadata(uri, requestMetadata);
     refreshRegionalAccessBoundaryWithSelfSignedJwtIfExpired(uri, requestMetadata, null);
     return addQuotaProjectIdToRequestMetadata(quotaProjectId, requestMetadata);
   }

oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java

@@ -1165,7 +1165,8 @@ public void refresh_regionalAccessBoundarySuccess() throws IOException, Interrup
     RegionalAccessBoundary regionalAccessBoundary =
         new RegionalAccessBoundary(
             TestUtils.REGIONAL_ACCESS_BOUNDARY_ENCODED_LOCATION,
-            TestUtils.REGIONAL_ACCESS_BOUNDARY_LOCATIONS);
+            TestUtils.REGIONAL_ACCESS_BOUNDARY_LOCATIONS,
+            null);
     transportFactory.transport.setRegionalAccessBoundary(regionalAccessBoundary);
     transportFactory.transport.setServiceAccountEmail(defaultAccountEmail);
 

oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java

@@ -1397,7 +1397,7 @@ public void refresh_impersonated_workload_regionalAccessBoundarySuccess()
         String.format(
             IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKLOAD_POOL, projectNumber, poolId);
     RegionalAccessBoundary workloadRab =
-        new RegionalAccessBoundary("workload-encoded", Collections.singletonList("workload-loc"));
+        new RegionalAccessBoundary("workload-encoded", Collections.singletonList("workload-loc"), null);
     transportFactory.transport.addRegionalAccessBoundary(workloadRabUrl, workloadRab);
 
     String saEmail =
@@ -1406,7 +1406,7 @@ public void refresh_impersonated_workload_regionalAccessBoundarySuccess()
         String.format(IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT, saEmail);
     RegionalAccessBoundary impersonatedRab =
         new RegionalAccessBoundary(
-            "impersonated-encoded", Collections.singletonList("impersonated-loc"));
+            "impersonated-encoded", Collections.singletonList("impersonated-loc"), null);
     transportFactory.transport.addRegionalAccessBoundary(impersonatedRabUrl, impersonatedRab);
 
     // Use a URL-based source that the mock transport can handle, to avoid file IO.
@@ -1456,7 +1456,7 @@ public void refresh_impersonated_workforce_regionalAccessBoundarySuccess()
     String workforceRabUrl =
         String.format(IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL, poolId);
     RegionalAccessBoundary workforceRab =
-        new RegionalAccessBoundary("workforce-encoded", Collections.singletonList("workforce-loc"));
+        new RegionalAccessBoundary("workforce-encoded", Collections.singletonList("workforce-loc"), null);
     transportFactory.transport.addRegionalAccessBoundary(workforceRabUrl, workforceRab);
 
     String saEmail =
@@ -1465,7 +1465,7 @@ public void refresh_impersonated_workforce_regionalAccessBoundarySuccess()
         String.format(IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT, saEmail);
     RegionalAccessBoundary impersonatedRab =
         new RegionalAccessBoundary(
-            "impersonated-encoded", Collections.singletonList("impersonated-loc"));
+            "impersonated-encoded", Collections.singletonList("impersonated-loc"), null);
     transportFactory.transport.addRegionalAccessBoundary(impersonatedRabUrl, impersonatedRab);
 
     // Use a URL-based source that the mock transport can handle, to avoid file IO.

oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java

@@ -109,8 +109,6 @@ public void setUp() {
   @org.junit.After
   public void tearDown() {
     GoogleCredentials.disableRabRefreshForTest = false;
-    RegionalAccessBoundary.setClockForTest(Clock.SYSTEM);
-    RegionalAccessBoundaryManager.setClockForTest(Clock.SYSTEM);
   }
 
   @Test
@@ -810,7 +808,7 @@ public void serialize_removesStaleRabHeaders() throws Exception {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     RegionalAccessBoundary rab =
         new RegionalAccessBoundary(
-            "test-encoded", Collections.singletonList("test-loc"), System.currentTimeMillis());
+            "test-encoded", Collections.singletonList("test-loc"), System.currentTimeMillis(), null);
     transportFactory.transport.setRegionalAccessBoundary(rab);
     transportFactory.transport.addServiceAccount(SA_CLIENT_EMAIL, ACCESS_TOKEN);
 
@@ -1006,7 +1004,8 @@ public void regionalAccessBoundary_shouldFetchAndReturnRegionalAccessBoundaryDat
     RegionalAccessBoundary regionalAccessBoundary =
         new RegionalAccessBoundary(
             TestUtils.REGIONAL_ACCESS_BOUNDARY_ENCODED_LOCATION,
-            Collections.singletonList("us-central1"));
+            Collections.singletonList("us-central1"),
+            null);
     transport.setRegionalAccessBoundary(regionalAccessBoundary);
 
     ServiceAccountCredentials credentials =
@@ -1044,7 +1043,8 @@ public void regionalAccessBoundary_shouldRetryRegionalAccessBoundaryLookupOnFail
     RegionalAccessBoundary regionalAccessBoundary =
         new RegionalAccessBoundary(
             TestUtils.REGIONAL_ACCESS_BOUNDARY_ENCODED_LOCATION,
-            TestUtils.REGIONAL_ACCESS_BOUNDARY_LOCATIONS);
+            TestUtils.REGIONAL_ACCESS_BOUNDARY_LOCATIONS,
+            null);
     regionalAccessBoundaryTransport.setRegionalAccessBoundary(regionalAccessBoundary);
 
     // This transport will be used for the access token refresh.
@@ -1124,8 +1124,8 @@ public void regionalAccessBoundary_cooldownDoublingAndRefresh()
             .build();
 
     TestClock testClock = new TestClock();
-    RegionalAccessBoundaryManager.setClockForTest(testClock);
-    RegionalAccessBoundary.setMaxRetryElapsedTimeMillisForTest(100);
+    credentials.clock = testClock;
+    credentials.regionalAccessBoundaryManager = new RegionalAccessBoundaryManager(testClock, 100);
 
     // First attempt: triggers lookup, fails, enters 15m cooldown.
     credentials.getRequestMetadata();
@@ -1155,7 +1155,7 @@ public void regionalAccessBoundary_cooldownDoublingAndRefresh()
 
     // Set successful response.
     transport.setRegionalAccessBoundary(
-        new RegionalAccessBoundary("0x123", Collections.emptyList()));
+        new RegionalAccessBoundary("0x123", Collections.emptyList(), null));
 
     // Fourth attempt: triggers lookup, succeeds, resets cooldown.
     credentials.getRequestMetadata();
@@ -1183,7 +1183,7 @@ public void regionalAccessBoundary_deduplicationOfConcurrentRefreshes()
     GoogleCredentials.disableRabRefreshForTest = false;
     MockTokenServerTransport transport = new MockTokenServerTransport();
     transport.setRegionalAccessBoundary(
-        new RegionalAccessBoundary("valid", Collections.singletonList("us-central1")));
+        new RegionalAccessBoundary("valid", Collections.singletonList("us-central1"), null));
     // Add delay to lookup to ensure threads overlap.
     transport.setResponseDelayMillis(500);
 

oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java

@@ -158,7 +158,8 @@ public class ImpersonatedCredentialsTest extends BaseSerializationTest {
   public static final RegionalAccessBoundary REGIONAL_ACCESS_BOUNDARY =
       new RegionalAccessBoundary(
           TestUtils.REGIONAL_ACCESS_BOUNDARY_ENCODED_LOCATION,
-          TestUtils.REGIONAL_ACCESS_BOUNDARY_LOCATIONS);
+          TestUtils.REGIONAL_ACCESS_BOUNDARY_LOCATIONS,
+          null);
 
   private GoogleCredentials sourceCredentials;
   private MockIAMCredentialsServiceTransportFactory mockTransportFactory;

oauth2_http/javatests/com/google/auth/oauth2/MockExternalAccountCredentialsTransport.java

@@ -210,7 +210,8 @@ public LowLevelHttpResponse execute() throws IOException {
                   rab =
                       new RegionalAccessBoundary(
                           TestUtils.REGIONAL_ACCESS_BOUNDARY_ENCODED_LOCATION,
-                          TestUtils.REGIONAL_ACCESS_BOUNDARY_LOCATIONS);
+                          TestUtils.REGIONAL_ACCESS_BOUNDARY_LOCATIONS,
+                          null);
                 }
                 GenericJson responseJson = new GenericJson();
                 responseJson.setFactory(OAuth2Utils.JSON_FACTORY);

oauth2_http/javatests/com/google/auth/oauth2/RegionalAccessBoundaryTest.java

@@ -58,21 +58,17 @@ public class RegionalAccessBoundaryTest {
   @Before
   public void setUp() {
     testClock = new TestClock();
-    RegionalAccessBoundary.setClockForTest(testClock);
-    RegionalAccessBoundaryManager.setClockForTest(testClock);
   }
 
   @After
   public void tearDown() {
-    RegionalAccessBoundary.setClockForTest(Clock.SYSTEM);
-    RegionalAccessBoundaryManager.setClockForTest(Clock.SYSTEM);
   }
 
   @Test
   public void testIsExpired() {
     long now = testClock.currentTimeMillis();
     RegionalAccessBoundary rab =
-        new RegionalAccessBoundary("encoded", Collections.singletonList("loc"), now);
+        new RegionalAccessBoundary("encoded", Collections.singletonList("loc"), now, testClock);
 
     assertFalse(rab.isExpired());
 
@@ -87,7 +83,7 @@ public void testIsExpired() {
   public void testShouldRefresh() {
     long now = testClock.currentTimeMillis();
     RegionalAccessBoundary rab =
-        new RegionalAccessBoundary("encoded", Collections.singletonList("loc"), now);
+        new RegionalAccessBoundary("encoded", Collections.singletonList("loc"), now, testClock);
 
     // Initial state: fresh
     assertFalse(rab.shouldRefresh());
@@ -127,7 +123,7 @@ public void testManagerTriggersRefreshInGracePeriod() throws InterruptedExceptio
     HttpTransportFactory transportFactory = () -> transport;
     RegionalAccessBoundaryProvider provider = () -> url;
 
-    RegionalAccessBoundaryManager manager = new RegionalAccessBoundaryManager();
+    RegionalAccessBoundaryManager manager = new RegionalAccessBoundaryManager(testClock);
 
     // 1. Let's first get a RAB into the cache
     manager.triggerAsyncRefresh(transportFactory, provider, token, null);
@@ -184,7 +180,7 @@ public void testManagerTriggersRefreshInGracePeriod() throws InterruptedExceptio
 
   @Test
   public void testManagerReleasesLockOnSchedulingFailure() {
-    RegionalAccessBoundaryManager manager = new RegionalAccessBoundaryManager();
+    RegionalAccessBoundaryManager manager = new RegionalAccessBoundaryManager(testClock);
     HttpTransportFactory transportFactory = () -> new MockHttpTransport();
     RegionalAccessBoundaryProvider provider = () -> "https://dummy";
     AccessToken token =