feat: implement Regional Access Boundary#569

Open
quartzmo wants to merge 38 commits into googleapis:main from quartzmo:regional-access-boundary

Conversation

@quartzmo

Member

Restrict credential usage to specific regions by attaching the x-allowed-locations header to requests to global endpoints.

  • Add internal RAB data structure and cache.
  • Add lookup client (Fetcher) with retry and cooldown logic.
  • Integrate into BaseClient and gate unsupported usages.
  • Add URL lookup/construction for Service Account, GCE, Workload, and Workforce Identity.
  • Add samples in samples/regional_access_boundary for demos and manual testing.

@quartzmo quartzmo marked this pull request as ready for review June 2, 2026 18:04
@quartzmo quartzmo requested a review from a team as a code owner June 2, 2026 18:04
@quartzmo quartzmo force-pushed the regional-access-boundary branch from c7efe2a to ce88163 June 5, 2026 18:29
quartzmo added 23 commits June 8, 2026 20:33
Restrict credential usage to specific regions by attaching the `x-allowed-locations` header to requests to global endpoints.

* Add internal RAB data structure and cache.
* Add lookup client (Fetcher) with retry and cooldown logic.
* Integrate into BaseClient and gate unsupported usages.
* Add URL lookup/construction for Service Account, GCE, Workload, and Workforce Identity.
* Add samples in `samples/regional_access_boundary` for demos and manual testing.
@quartzmo quartzmo force-pushed the regional-access-boundary branch 2 times, most recently from 0eca008 to 31ed48d June 11, 2026 23:26
@quartzmo quartzmo force-pushed the regional-access-boundary branch from 31ed48d to ec4dc2e June 12, 2026 22:56
Comment thread lib/googleauth/regional_access_boundary.rb
Comment thread lib/googleauth/base_client.rb Outdated
quartzmo added 5 commits June 17, 2026 22:11
If the default service account email retrieved from GCE metadata does not
contain an "@" (e.g. on GKE workload federation), the identity is permanently
unsupported by the allowedLocations endpoint.

This commit:
1. Returns `:unsupported` from `ComputeEngine#regional_access_boundary_url` when email lacks "@".
2. Adds `mark_unsupported!` to `RegionalAccessBoundary::Cache` to set a permanent `@unsupported = true` state.
3. Updates `Cache#get` and `Cache#should_fetch?` to return `nil`/`false` immediately when `@unsupported` is true.
4. Logs a single warning and sets the unsupported bypass state in `BaseClient#trigger_async_rab_fetch`.

refs: googleapis/google-cloud-go#19920
…ential pollution

Refactor `RegionalAccessBoundary::Cache` to store entries in a thread-safe Hash
keyed by the allowedLocations lookup URL (or `:unsupported` sentinel).

This ensures that multiple credentials running concurrently in the same application
do not pollute each other's allowed locations, preventing security policy bypasses
and data-isolation violations.
Wrap the regional access boundary background thread logic in an `ensure` block
using a `success` tracking flag. If the thread crashes (e.g. on a non-StandardError)
or is killed, the ensure block resets the fetching flag and initiates a cooldown,
preventing permanent hangs.
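
The cache and background-fetch behaviour described in the commit messages above, as an added illustration that is not the googleauth gem's own code: entries are keyed by the allowedLocations lookup URL so credentials sharing a process cannot read each other's locations, `mark_unsupported!` flips a permanent bypass that makes `get` and `should_fetch?` return `nil`/`false`, and the fetch thread's `ensure` block clears the fetching flag and starts a cooldown whenever the fetch did not succeed. The `TTL` and `COOLDOWN` values, the injectable clock, and the `fetch_async` method name (standing in for the PR's `trigger_async_rab_fetch`) are assumptions made for this example.

```ruby
require "monitor"

# Illustrative Regional Access Boundary (RAB) cache modelled on the PR's
# commit messages. Not the googleauth gem's implementation.
module RabExample
  class Cache
    include MonitorMixin

    Entry = Struct.new(:locations, :fetched_at, :fetching, :cooldown_until)

    TTL      = 3600 # seconds an entry stays fresh (assumed value)
    COOLDOWN = 60   # seconds to back off after a failed or crashed fetch (assumed value)

    # The clock is injectable so the behaviour can be tested deterministically.
    def initialize(clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
      super()
      @clock = clock
      @entries = {}        # lookup URL => Entry; one entry per credential URL
      @unsupported = false # permanent bypass once the identity cannot use RAB
    end

    # Permanently disables RAB lookups (e.g. GCE email without an "@").
    def mark_unsupported!
      synchronize { @unsupported = true }
    end

    # Cached allowed-locations header value for this URL, or nil when unknown
    # or when the identity is unsupported.
    def get(url)
      synchronize do
        return nil if @unsupported
        @entries[url]&.locations
      end
    end

    # True when a fetch should be started: not unsupported, not already
    # fetching, not in cooldown, and the entry is missing or stale.
    def should_fetch?(url)
      synchronize do
        return false if @unsupported
        e = (@entries[url] ||= Entry.new(nil, nil, false, nil))
        return false if e.fetching
        return false if e.cooldown_until && @clock.call < e.cooldown_until
        e.locations.nil? || (@clock.call - e.fetched_at) > TTL
      end
    end

    # Runs +fetcher+ (a callable taking the URL and returning the header value)
    # in a background thread. Returns the Thread, or nil if no fetch was needed.
    # The ensure block resets the fetching flag and starts a cooldown unless the
    # fetch succeeded, so a crashed or killed thread cannot leave the entry
    # permanently marked as fetching.
    def fetch_async(url, fetcher)
      entry = nil
      synchronize do
        return nil unless should_fetch?(url)
        entry = @entries[url]
        entry.fetching = true
      end
      Thread.new do
        success = false
        begin
          locations = fetcher.call(url)
          synchronize do
            entry.locations = locations
            entry.fetched_at = @clock.call
          end
          success = true
        rescue StandardError
          # Lookup failure: the ensure block below applies the cooldown.
        ensure
          synchronize do
            entry.fetching = false
            entry.cooldown_until = @clock.call + COOLDOWN unless success
          end
        end
      end
    end
  end
end
```

A stale entry keeps serving its last known locations while a refresh is in flight, which is what lets `get` stay non-blocking; the cooldown stops a failing endpoint from being hammered by every request that notices the entry is stale.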

@aandreassa aandreassa left a comment

Contributor

LG @quartzmo! I will take another good look tomorrow, but a few nits for now

Comment thread spec/spec_helper.rb
Comment thread lib/googleauth/base_client.rb Outdated
Comment thread lib/googleauth/regional_access_boundary/cache.rb
Comment thread samples/regional_access_boundary/default_universe.rb Outdated
Comment thread spec/googleauth/regional_access_boundary/integration_spec.rb
quartzmo added 7 commits June 18, 2026 15:42
Refactor the conditional logic in should_apply_rab? to use a simpler `if`
expression instead of a double negative `unless` check.

Test coverage: Verified that all conditional branches (ID token, supports RAB, regional URLs, and excluded service URLs) are fully covered by existing integration specs.
…ng to DEBUG

Aligns with the Go reference implementation by disabling Regional Access Boundary
checks entirely when a non-default universe domain (not googleapis.com) is used.
Also downgrades background thread warnings to DEBUG level to eliminate the risk
of nuisance console logging in production.
Simplifies the universe domain validation in base_credentials.rb to check
that only the parsed audience domain is in the default googleapis.com
universe. Refactors the error message to be clear about GDU restriction
and updates unit test expectations. Also removes the stale samples
exclusion reference from .rubocop.yml and aligns concatenated string indent.
@quartzmo quartzmo force-pushed the regional-access-boundary branch from 9202889 to 47bb362 June 18, 2026 22:36
@quartzmo quartzmo added the "do not merge" label (indicates a pull request not ready for merge, due to either quality or timing) Jun 26, 2026
@quartzmo

Member Author

Adding do not merge pending approval by @nbayati.
