Added a readObject metod which reinitializes the clock to Clock.system upon deserialization.

vverman · vverman · commit f3f335e4c0f5 · 2026-03-23T12:53:55.000-07:00
diff --git a/oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundary.java b/oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundary.java
@@ -49,6 +49,7 @@
 import com.google.common.base.MoreObjects;
 import com.google.common.base.Preconditions;
 import java.io.IOException;
+import java.io.ObjectInputStream;
 import java.io.Serializable;
 import java.util.Collections;
 import java.util.List;
@@ -76,7 +77,7 @@ public final class RegionalAccessBoundary implements Serializable {
   private final String encodedLocations;
   private final List<String> locations;
   private final long refreshTime;
-  private final transient Clock clock;
+  private transient Clock clock;
 
   private static EnvironmentProvider environmentProvider = SystemEnvironmentProvider.getInstance();
 
@@ -267,4 +268,13 @@ static RegionalAccessBoundary refresh(
     }
     return new RegionalAccessBoundary(encodedLocations, json.getLocations(), clock);
   }
+
+  /**
+   * Initializes the transient clock to Clock.SYSTEM upon deserialization to prevent
+   * NullPointerException when evaluating expiration on deserialized objects.
+   */
+  private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
+    input.defaultReadObject();
+    clock = Clock.SYSTEM;
+  }
 }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/RegionalAccessBoundaryTest.java b/oauth2_http/javatests/com/google/auth/oauth2/RegionalAccessBoundaryTest.java
@@ -39,6 +39,10 @@
 import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.api.client.util.Clock;
 import com.google.auth.http.HttpTransportFactory;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
 import java.util.Collections;
 import java.util.concurrent.atomic.AtomicLong;
 import org.junit.After;
@@ -99,6 +103,30 @@ public void testShouldRefresh() {
     assertFalse(rab.isExpired());
   }
 
+  @Test
+  public void testSerialization() throws Exception {
+    long now = testClock.currentTimeMillis();
+    RegionalAccessBoundary rab =
+        new RegionalAccessBoundary("encoded", Collections.singletonList("loc"), now, testClock);
+
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    ObjectOutputStream oos = new ObjectOutputStream(baos);
+    oos.writeObject(rab);
+    oos.close();
+
+    ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
+    ObjectInputStream ois = new ObjectInputStream(bais);
+    RegionalAccessBoundary deserializedRab = (RegionalAccessBoundary) ois.readObject();
+    ois.close();
+
+    assertEquals("encoded", deserializedRab.getEncodedLocations());
+    assertEquals(1, deserializedRab.getLocations().size());
+    assertEquals("loc", deserializedRab.getLocations().get(0));
+    // The transient clock field should be restored to Clock.SYSTEM upon deserialization,
+    // thereby avoiding a NullPointerException when checking expiration.
+    assertFalse(deserializedRab.isExpired());
+  }
+
   @Test
   public void testManagerTriggersRefreshInGracePeriod() throws InterruptedException {
     final String url =
