feat(auth): mTLS endpoint for Regional Access Boundaries #13318

Open
vverman wants to merge 16 commits into googleapis:regional-access-boundaries from vverman:regional-access-boundaries

@vverman vverman commented May 31, 2026

Added logic to:

  1. Centralize mTLS enablement logic within the auth library.
  2. Based on 1. determine whether mtls or regular RAB lookup endpoint should be called.
  3. Added tests for the same.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces centralized mTLS enablement checks and adds fallback support for SPIFFE credentials in MtlsUtils and X509Provider, alongside integrating mTLS transport initialization during regional access boundary refreshes. The review feedback suggests optimizing performance by removing redundant configuration checks and file parsing in X509Provider.getKeyStore() and GoogleCredentials.java, and improving robustness in RegionalAccessBoundary.java by replacing only the host name in the IAM credentials URL.

@vverman vverman changed the title from "Regional access boundaries" to "feat(auth): mTLS endpoint for Regional Access Boundaries" Jun 1, 2026
@vverman vverman marked this pull request as ready for review June 4, 2026 08:45
@vverman vverman requested review from a team as code owners June 4, 2026 08:45
@vverman vverman marked this pull request as draft June 4, 2026 08:46
@vverman vverman marked this pull request as ready for review June 4, 2026 22:05
@vverman vverman requested review from lqiu96 and nbayati June 4, 2026 22:05

@lsirac lsirac left a comment

Should we be checking GOOGLE_API_USE_MTLS_ENDPOINT?

* @throws IOException if the configuration file is present but contains missing or malformed
* files
*/
public static boolean canMtlsBeEnabled(
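
Review bot: `canMtlsBeEnabled` reads as a yes/no predicate, yet the `@throws IOException` clause directly above the signature means a configuration that is present but broken raises instead of returning false. The Javadoc should state what callers are expected to do in that case (propagate the error, or treat it as mTLS disabled), so the choice is not made differently at each call site. The wording "contains missing or malformed files" is also unclear, since a file cannot contain missing files; "references" would read better.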

I’m not sure that cert being present == automatically use mTLS. They can be using different credentials / not using it at all. So then we’d be adding mTLS setup and calls for credentials that are not actually using it.

I think the decision should be based on the credential type, and perhaps expose some state from the credential that we can use to check if mTLS should happen for these calls.

Comment thread google-auth-library-java/oauth2_http/java/com/google/auth/mtls/MtlsUtils.java Outdated
Comment thread google-auth-library-java/oauth2_http/java/com/google/auth/mtls/X509Provider.java Outdated
@vverman vverman force-pushed the regional-access-boundaries branch from 2c53152 to 48c3b59 Compare June 11, 2026 02:13
@vverman vverman requested review from lqiu96 and nbayati June 11, 2026 03:16
Comment thread google-auth-library-java/oauth2_http/java/com/google/auth/mtls/MtlsUtils.java Outdated
@vverman vverman requested a review from lqiu96 June 15, 2026 18:07
Comment on lines +195 to +202
if (userMtlsPolicy == null) {
userMtlsPolicy =
MtlsUtils.getMtlsEndpointUsagePolicy(SystemEnvironmentProvider.getInstance());
}
if (transportFactory instanceof com.google.auth.mtls.MtlsHttpTransportFactory
|| userMtlsPolicy == MtlsUtils.MtlsEndpointUsagePolicy.ALWAYS) {
url = url.replace("iamcredentials.googleapis.com", "iamcredentials.mtls.googleapis.com");
}
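
Review bot: The `url.replace("iamcredentials.googleapis.com", ...)` call in the last statement rewrites that literal wherever it occurs in the URL, not only in the host, and is a silent no-op when the host is anything else, so a request can stay on the non-mTLS host without any signal. Parse the URL and swap the host component only, and consider failing or logging when the policy is ALWAYS and nothing was rewritten. The `||` also switches the URL whenever the policy is ALWAYS even if `transportFactory` is not an `MtlsHttpTransportFactory`, so it is worth confirming that a client certificate is actually presented on that path. Importing `MtlsHttpTransportFactory` rather than using the fully qualified name in the `instanceof` would read better.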

@lqiu96 lqiu96 Jun 15, 2026

Ok, how about this:

Every GoogleCredential has one RegionalAccessBoundaryManager. We put the transportFactory, url, and mtlsPolicy inside there (since these only need to be initialized once). The constructor can resolve the mtlsPolicy and cache it, use it to determine the HttpTransportFactory and cache it, and the updated endpoint can be cached as well.

Eventually, I think it might make sense for getREgionalAccessBoundaryUrl() to return the mtls vs non-mtls endpoint automatically, but can be outside of this PR.

Contributor Author

Since RegionalAccessBoundaryManager is initialized in the instance variables of the superclass (GoogleCredentials), subclass-specific fields like this.transportFactory have not yet been assigned when the manager is constructed. Calling getTransportFactory() at that point would return null.

Also, evaluating the mTLS policy dynamically via the injected EnvironmentProvider is safer for testing. It prevents test pollution and allows us to verify different env configurations without reconstructing the credential hierarchy.

lqiu96 commented Jun 16, 2026

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces comprehensive support for mutual TLS (mTLS) endpoint discovery and policy enforcement across Google credentials and regional access boundaries. Key changes include adding utility methods in MtlsUtils to resolve certificate configurations and prepare transport factories, refactoring X509Provider to use these helpers, and upgrading the IAM credentials URL to its mTLS counterpart when applicable. The review feedback highlights critical improvement opportunities: resolving a potential NullPointerException in MtlsUtils when the base transport factory is null, avoiding thread-safety issues in GoogleCredentials by not mutating the shared transportFactory field, and preventing test flakiness in RegionalAccessBoundary by dynamically evaluating the mTLS policy instead of caching it in a static field.

Comment thread google-auth-library-java/oauth2_http/java/com/google/auth/mtls/MtlsUtils.java Outdated
vverman added 6 commits June 24, 2026 16:13
…TLS refresh

- MtlsUtils:
  - Validate custom transport factory outside try-block to prevent swallowing exceptions.
  - Add null check for baseTransportFactory to prevent NullPointerException.
  - Wrap getWellKnownCertificateConfigFile call to enforce the exception contract.
  - Use case-insensitive matching for GOOGLE_API_USE_MTLS_ENDPOINT.
- RegionalAccessBoundary & Manager:
  - Remove JVM-wide userMtlsPolicy static cache to prevent test pollution.
  - Inject EnvironmentProvider dynamically to refresh methods.
- MockExternalAccountCredentialsTransport:
  - Strip .mtls. subdomain before looking up regional access boundaries.
  - Define host-only IAM_ENDPOINT and MTLS_IAM_ENDPOINT constants.
- GoogleCredentialsTest:
  - Add test asserting boundary refresh hits .mtls. subdomain when required.
- oauth2_http/pom.xml:
  - Set GOOGLE_API_USE_CLIENT_CERTIFICATE=false in surefire config to isolate tests.
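
Added example, not code from this PR or from google-auth-library-java: a host-only endpoint swap with the mTLS policy read case-insensitively through an injected lookup on each call, as the review comments and commit notes above describe. The class, enum and method names, the AUTO fallbacks and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

public class MtlsEndpointExample {
  enum Policy { ALWAYS, NEVER, AUTO } // hypothetical stand-in for the PR's policy enum

  static final String IAM_HOST = "iamcredentials.googleapis.com";
  static final String MTLS_IAM_HOST = "iamcredentials.mtls.googleapis.com";

  // Resolve the policy through an injected lookup on each call; no static cache.
  static Policy resolvePolicy(Function<String, String> env) {
    String raw = env.apply("GOOGLE_API_USE_MTLS_ENDPOINT");
    if (raw == null) return Policy.AUTO; // assumption: unset behaves as AUTO
    switch (raw.trim().toLowerCase(Locale.ROOT)) { // case-insensitive match
      case "always": return Policy.ALWAYS;
      case "never": return Policy.NEVER;
      default: return Policy.AUTO; // assumption: unknown values behave as AUTO
    }
  }

  // Same condition as the reviewed lines, but only an exact host match is rewritten.
  static String selectEndpoint(String url, boolean mtlsTransport, Policy policy)
      throws URISyntaxException {
    if (!mtlsTransport && policy != Policy.ALWAYS) return url;
    URI u = new URI(url);
    if (!IAM_HOST.equalsIgnoreCase(u.getHost())) return url; // not the IAM host
    String port = u.getPort() == -1 ? "" : ":" + u.getPort();
    String query = u.getRawQuery() == null ? "" : "?" + u.getRawQuery();
    // Raw path and query are copied verbatim so percent-encoding is preserved.
    return u.getScheme() + "://" + MTLS_IAM_HOST + port + u.getRawPath() + query;
  }

  public static void main(String[] args) throws Exception {
    // Constructed URLs; the paths are placeholders, not the real lookup path.
    String normal = "https://iamcredentials.googleapis.com/v1/example:lookup?a=b%2Fc";
    String inPath = "https://proxy.example/iamcredentials.googleapis.com/v1/example";
    Map<String, String> fakeEnv = Map.of("GOOGLE_API_USE_MTLS_ENDPOINT", "Always");
    Policy always = resolvePolicy(fakeEnv::get);
    System.out.println(always);
    System.out.println(selectEndpoint(normal, false, always)); // host swapped
    System.out.println(selectEndpoint(inPath, false, always)); // left unchanged
    System.out.println(selectEndpoint(normal, false, resolvePolicy(k -> null)));
  }
}
```

The second URL is the case a plain string replace gets wrong: the literal appears in the path, so only a parsed host comparison leaves it alone.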
@vverman vverman requested review from lqiu96 and nbayati July 1, 2026 23:31