feat(auth): mTLS endpoint for Regional Access Boundaries#13318
feat(auth): mTLS endpoint for Regional Access Boundaries#13318vverman wants to merge 16 commits into
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces centralized mTLS enablement checks and adds fallback support for SPIFFE credentials in MtlsUtils and X509Provider, alongside integrating mTLS transport initialization during regional access boundary refreshes. The review feedback suggests optimizing performance by removing redundant configuration checks and file parsing in X509Provider.getKeyStore() and GoogleCredentials.java, and improving robustness in RegionalAccessBoundary.java by replacing only the host name in the IAM credentials URL.
lsirac
left a comment
There was a problem hiding this comment.
Should we be checking GOOGLE_API_USE_MTLS_ENDPOINT?
| * @throws IOException if the configuration file is present but contains missing or malformed | ||
| * files | ||
| */ | ||
| public static boolean canMtlsBeEnabled( |
There was a problem hiding this comment.
I’m not sure that cert being present == automatically use mTLS. They can be using different credentials / not using it at all. So then we’d be adding mTLS setup and calls for credentials that are not actually using it.
I think the decision should be based on the credential type, and perhaps expose some state from the credential that we can use to check if mTLS should happen for these calls.
Added an E2E test to check the call to RAB mtls endpoint and check x-allowed-locations header. Unified redundant method(s) waitForRegionalAccessBoundary.
2c53152 to
48c3b59
Compare
| if (userMtlsPolicy == null) { | ||
| userMtlsPolicy = | ||
| MtlsUtils.getMtlsEndpointUsagePolicy(SystemEnvironmentProvider.getInstance()); | ||
| } | ||
| if (transportFactory instanceof com.google.auth.mtls.MtlsHttpTransportFactory | ||
| || userMtlsPolicy == MtlsUtils.MtlsEndpointUsagePolicy.ALWAYS) { | ||
| url = url.replace("iamcredentials.googleapis.com", "iamcredentials.mtls.googleapis.com"); | ||
| } |
There was a problem hiding this comment.
Ok, how about this:
Every GoogleCredential has one RegionalAccessBoundaryManager. We put the transportFactory, url, and mtlsPolicy inside there (since these only need to be initialized once). The constructor can resolve the mtlsPolicy and cache it, use it to determine the HttpTransportFactory and cache it, and the updated endpoint can be cached as well.
Eventually, I think it might make sense for getREgionalAccessBoundaryUrl() to return the mtls vs non-mtls endpoint automatically, but can be outside of this PR.
There was a problem hiding this comment.
Since RegionalAccessBoundaryManager is initialized in the instance variables of the superclass (GoogleCredentials), subclass-specific fields like this.transportFactory have not yet been assigned when the manager is constructed. Calling getTransportFactory() at that point would return null.
Also, evaluating the mTLS policy dynamically via the injected EnvironmentProvider is safer for testing. It prevents test pollution and allows us to verify different env configurations without reconstructing the credential hierarchy.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces comprehensive support for mutual TLS (mTLS) endpoint discovery and policy enforcement across Google credentials and regional access boundaries. Key changes include adding utility methods in MtlsUtils to resolve certificate configurations and prepare transport factories, refactoring X509Provider to use these helpers, and upgrading the IAM credentials URL to its mTLS counterpart when applicable. The review feedback highlights critical improvement opportunities: resolving a potential NullPointerException in MtlsUtils when the base transport factory is null, avoiding thread-safety issues in GoogleCredentials by not mutating the shared transportFactory field, and preventing test flakiness in RegionalAccessBoundary by dynamically evaluating the mTLS policy instead of caching it in a static field.
…TLS refresh - MtlsUtils: - Validate custom transport factory outside try-block to prevent swallowing exceptions. - Add null check for baseTransportFactory to prevent NullPointerException. - Wrap getWellKnownCertificateConfigFile call to enforce the exception contract. - Use case-insensitive matching for GOOGLE_API_USE_MTLS_ENDPOINT. - RegionalAccessBoundary & Manager: - Remove JVM-wide userMtlsPolicy static cache to prevent test pollution. - Inject EnvironmentProvider dynamically to refresh methods. - MockExternalAccountCredentialsTransport: - Strip .mtls. subdomain before looking up regional access boundaries. - Define host-only IAM_ENDPOINT and MTLS_IAM_ENDPOINT constants. - GoogleCredentialsTest: - Add test asserting boundary refresh hits .mtls. subdomain when required. - oauth2_http/pom.xml: - Set GOOGLE_API_USE_CLIENT_CERTIFICATE=false in surefire config to isolate tests.
Added logic to: