diff --git a/core/packages/google-auth-library-nodejs/src/auth/authclient.ts b/core/packages/google-auth-library-nodejs/src/auth/authclient.ts index ea9ff1abdd3..216e3390fdc 100644 --- a/core/packages/google-auth-library-nodejs/src/auth/authclient.ts +++ b/core/packages/google-auth-library-nodejs/src/auth/authclient.ts @@ -21,7 +21,6 @@ import {log as makeLog} from 'google-logging-utils'; import {PRODUCT_NAME, USER_AGENT} from '../shared.cjs'; import { - isRegionalAccessBoundaryEnabled, RegionalAccessBoundaryData, RegionalAccessBoundaryManager, } from './regionalaccessboundary'; @@ -237,7 +236,6 @@ export abstract class AuthClient eagerRefreshThresholdMillis = DEFAULT_EAGER_REFRESH_THRESHOLD_MILLIS; forceRefreshOnFailure = false; universeDomain = DEFAULT_UNIVERSE; - regionalAccessBoundaryEnabled: boolean; protected regionalAccessBoundaryManager: RegionalAccessBoundaryManager; /** @@ -261,7 +259,6 @@ export abstract class AuthClient this.quotaProjectId = options.get('quota_project_id'); this.credentials = options.get('credentials') ?? {}; this.universeDomain = options.get('universe_domain') ?? DEFAULT_UNIVERSE; - this.regionalAccessBoundaryEnabled = isRegionalAccessBoundaryEnabled(); // Shared client options this.transporter = opts.transporter ?? new Gaxios(opts.transporterOptions); diff --git a/core/packages/google-auth-library-nodejs/src/auth/idtokenclient.ts b/core/packages/google-auth-library-nodejs/src/auth/idtokenclient.ts index 638b6db8a4e..58ed71ae210 100644 --- a/core/packages/google-auth-library-nodejs/src/auth/idtokenclient.ts +++ b/core/packages/google-auth-library-nodejs/src/auth/idtokenclient.ts @@ -85,4 +85,4 @@ export class IdTokenClient extends OAuth2Client { return payload.exp * 1000; } } -} \ No newline at end of file +} diff --git a/core/packages/google-auth-library-nodejs/src/auth/regionalaccessboundary.ts b/core/packages/google-auth-library-nodejs/src/auth/regionalaccessboundary.ts index 8a8b591972c..b2b5c598e09 100644 
--- a/core/packages/google-auth-library-nodejs/src/auth/regionalaccessboundary.ts +++ b/core/packages/google-auth-library-nodejs/src/auth/regionalaccessboundary.ts @@ -18,13 +18,13 @@ import {log as makeLog} from 'google-logging-utils'; const log = makeLog('auth'); export const SERVICE_ACCOUNT_LOOKUP_ENDPOINT = - 'https://staging-iamcredentials.sandbox.googleapis.com/v1/projects/-/serviceAccounts/{service_account_email}/allowedLocations'; + 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{service_account_email}/allowedLocations'; export const WORKLOAD_LOOKUP_ENDPOINT = - 'https://staging-iamcredentials.sandbox.googleapis.com/v1/projects/{project_id}/locations/global/workloadIdentityPools/{pool_id}/allowedLocations'; + 'https://iamcredentials.googleapis.com/v1/projects/{project_id}/locations/global/workloadIdentityPools/{pool_id}/allowedLocations'; export const WORKFORCE_LOOKUP_ENDPOINT = - 'https://staging-iamcredentials.sandbox.googleapis.com/v1/locations/global/workforcePools/{pool_id}/allowedLocations'; + 'https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/{pool_id}/allowedLocations'; /** * RAB is considered valid for 6 hours. @@ -63,19 +63,6 @@ export interface RegionalAccessBoundaryData { encodedLocations: string; } -export function isRegionalAccessBoundaryEnabled() { - const rabEnabled = - process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT']; - if (rabEnabled === undefined || rabEnabled === null) { - return false; - } - const lowercasedRabEnabled = rabEnabled.toLowerCase(); - if (lowercasedRabEnabled === 'true' || rabEnabled === '1') { - return true; - } - return false; -} - export interface RegionalAccessBoundaryManagerOptions { transporter: Gaxios; getLookupUrl: () => Promise; @@ -94,10 +81,6 @@ export class RegionalAccessBoundaryManager { this.options = options; } - get enabled(): boolean { - return isRegionalAccessBoundaryEnabled(); - } - /** * @internal */ 
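Review bot: The three lookup templates now point at the production `iamcredentials.googleapis.com` host, but nothing at the constants says how `{service_account_email}`, `{project_id}` and `{pool_id}` must be encoded before substitution. The substitution code is outside this hunk; test.jwt.ts in this commit shows a plain `SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace('{service_account_email}', …)`, and the pool ID appears to be parsed from the credential's audience string with a `[^/]+` match in util.ts, which excludes only `/`. Since those values can come from a credential configuration file, I would confirm that each one passes through `encodeURIComponent` before it reaches the URL. A comment above the first constant would record the requirement: `// Placeholders must be replaced with encodeURIComponent()-encoded values only.`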
@@ -122,7 +105,7 @@ export class RegionalAccessBoundaryManager { url: string | URL | undefined, headers: Headers, ): string | null { - if (!this.enabled || !this.options.isUniverseDomainDefault()) { + if (!this.options.isUniverseDomainDefault()) { return null; } @@ -275,4 +258,4 @@ export class RegionalAccessBoundaryManager { return regionalAccessBoundaryData; } -} \ No newline at end of file +} diff --git a/core/packages/google-auth-library-nodejs/src/util.ts b/core/packages/google-auth-library-nodejs/src/util.ts index d965887f5d5..0d9081c4c2d 100644 --- a/core/packages/google-auth-library-nodejs/src/util.ts +++ b/core/packages/google-auth-library-nodejs/src/util.ts @@ -336,4 +336,4 @@ export function getWorkloadPoolIdFromAudience(audience: string): string | null { /\/workloadIdentityPools\/(?[^/]+)\/providers\//, )?.groups?.workloadPool ?? null ); -} \ No newline at end of file +} diff --git a/core/packages/google-auth-library-nodejs/test/test.authclient.ts b/core/packages/google-auth-library-nodejs/test/test.authclient.ts index 7c4748f5e79..892fafe3b0e 100644 --- a/core/packages/google-auth-library-nodejs/test/test.authclient.ts +++ b/core/packages/google-auth-library-nodejs/test/test.authclient.ts @@ -417,14 +417,6 @@ describe('AuthClient', () => { ); } - beforeEach(() => { - process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true'; - }); - - afterEach(() => { - delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT']; - }); - it('should trigger asynchronous background refresh and not block', async () => { const compute = new Compute({ serviceAccountEmail: SERVICE_ACCOUNT_EMAIL, @@ -613,4 +605,4 @@ describe('AuthClient', () => { }); }); }); -}); \ No newline at end of file +}); diff --git a/core/packages/google-auth-library-nodejs/test/test.baseexternalclient.ts b/core/packages/google-auth-library-nodejs/test/test.baseexternalclient.ts index 573a4df0083..112da7c6016 100644 
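Review bot: With `!this.enabled` dropped from this guard, the only condition left is `isUniverseDomainDefault()`, so every default-universe client now takes the regional access boundary path with no opt-out. The env flag, the exported `isRegionalAccessBoundaryEnabled()` and the public `AuthClient.regionalAccessBoundaryEnabled` field are all removed elsewhere in this commit. The rest of the method lies outside the hunk, so how a failed or slow lookup is handled is not visible here. Please state the contract at the guard, for example `// RAB is always on for the default universe; a failed lookup must not block or fail the request` if that is what is intended. The removal of the public field should also be called out in the release notes, since callers that read it will break.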
--- a/core/packages/google-auth-library-nodejs/test/test.baseexternalclient.ts +++ b/core/packages/google-auth-library-nodejs/test/test.baseexternalclient.ts @@ -162,11 +162,20 @@ describe('BaseExternalAccountClient', () => { '//iam.googleapis.com/projects_suffix/123456', ]; + let sandbox: sinon.SinonSandbox; + beforeEach(() => { + sandbox = sinon.createSandbox(); + sandbox + .stub(BaseExternalAccountClient.prototype, 'getRegionalAccessBoundaryUrl') + .resolves(undefined); + }); + afterEach(() => { nock.cleanAll(); if (clock) { clock.restore(); } + sandbox.restore(); }); describe('Constructor', () => { @@ -2723,11 +2732,13 @@ describe('BaseExternalAccountClient', () => { }; beforeEach(() => { - process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true'; + ( + BaseExternalAccountClient.prototype + .getRegionalAccessBoundaryUrl as sinon.SinonStub + ).restore(); }); afterEach(() => { - delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT']; nock.cleanAll(); }); diff --git a/core/packages/google-auth-library-nodejs/test/test.compute.ts b/core/packages/google-auth-library-nodejs/test/test.compute.ts index 301a75691c1..52c6ae85cf4 100644 --- a/core/packages/google-auth-library-nodejs/test/test.compute.ts +++ b/core/packages/google-auth-library-nodejs/test/test.compute.ts @@ -17,7 +17,7 @@ import {describe, it, beforeEach, afterEach} from 'mocha'; import {BASE_PATH, HEADERS, HOST_ADDRESS} from 'gcp-metadata'; import * as nock from 'nock'; import * as sinon from 'sinon'; -import { Compute, gcpMetadata } from '../src'; +import {Compute, gcpMetadata} from '../src'; import { SERVICE_ACCOUNT_LOOKUP_ENDPOINT, RegionalAccessBoundaryData, @@ -48,6 +48,9 @@ describe('compute', () => { let compute: Compute; beforeEach(() => { compute = new Compute(); + sandbox + .stub(Compute.prototype, 'getRegionalAccessBoundaryUrl') + .resolves(undefined); }); afterEach(() => { 
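Review bot: The blanket stub of `getRegionalAccessBoundaryUrl` in the top-level `beforeEach` of test.baseexternalclient.ts has no comment explaining why it is there. Because this commit removes the env gate, the stub is now the only thing that keeps the lookup out of every test outside the dedicated suite, and that is not obvious to someone adding a test later. I would add `// RAB lookup is always on; disable it by default so unrelated tests need no allowedLocations nock. The 'regional access boundaries' suite restores the real method.` above the `sandbox.stub(...)` call.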
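Review bot: Restoring the outer stub through a cast, `(BaseExternalAccountClient.prototype.getRegionalAccessBoundaryUrl as sinon.SinonStub).restore()`, depends on the top-level `beforeEach` having installed it, and would fail with an opaque TypeError if that hook ever changes. The same pattern is repeated in the regional-access-boundary suites of test.compute.ts, test.impersonated.ts and test.jwt.ts. Keeping the handle is clearer: `rabUrlStub = sandbox.stub(BaseExternalAccountClient.prototype, 'getRegionalAccessBoundaryUrl').resolves(undefined);` in the outer hook and `rabUrlStub.restore();` here. The nested describe starts and ends outside the hunk.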
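Review bot: In test.compute.ts the new `sandbox.stub(Compute.prototype, 'getRegionalAccessBoundaryUrl')` runs before every test, but neither the creation of `sandbox` nor a `sandbox.restore()` is visible in this hunk. The later hunks in the same file delete the nested suite's `sandbox = sinon.createSandbox()` and `sandbox.restore()`. If the outer `afterEach`, whose body is outside the hunk, does not restore the sandbox, the stub would leak across tests and sinon would likely refuse to wrap the method a second time. Please confirm that hook calls `sandbox.restore();`.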
@@ -266,8 +269,6 @@ describe('compute', () => { assert.fail('failed to throw'); }); describe('regional access boundaries', () => { - let sandbox: sinon.SinonSandbox; - const MOCK_ACCESS_TOKEN = 'abc123'; const MOCK_AUTH_HEADER = `Bearer ${MOCK_ACCESS_TOKEN}`; const EXPECTED_RAB_DATA: RegionalAccessBoundaryData = { @@ -284,7 +285,7 @@ describe('compute', () => { .get(tokenPath) .reply( 200, - { access_token: MOCK_ACCESS_TOKEN, expires_in: 10000 }, + {access_token: MOCK_ACCESS_TOKEN, expires_in: 10000}, HEADERS, ); } @@ -304,13 +305,12 @@ describe('compute', () => { } beforeEach(() => { - sandbox = sinon.createSandbox(); - process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true'; + ( + Compute.prototype.getRegionalAccessBoundaryUrl as sinon.SinonStub + ).restore(); }); afterEach(() => { - delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT']; - sandbox.restore(); nock.cleanAll(); }); diff --git a/core/packages/google-auth-library-nodejs/test/test.externalaccountauthorizeduserclient.ts b/core/packages/google-auth-library-nodejs/test/test.externalaccountauthorizeduserclient.ts index cefe14e0fce..ee46da87740 100644 --- a/core/packages/google-auth-library-nodejs/test/test.externalaccountauthorizeduserclient.ts +++ b/core/packages/google-auth-library-nodejs/test/test.externalaccountauthorizeduserclient.ts @@ -909,11 +909,9 @@ describe('ExternalAccountAuthorizedUserClient', () => { beforeEach(() => { clock.restore(); - process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true'; }); afterEach(() => { - delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT']; nock.cleanAll(); }); diff --git a/core/packages/google-auth-library-nodejs/test/test.impersonated.ts b/core/packages/google-auth-library-nodejs/test/test.impersonated.ts index b8ea708414d..e97d77c74a3 100644 --- a/core/packages/google-auth-library-nodejs/test/test.impersonated.ts +++ b/core/packages/google-auth-library-nodejs/test/test.impersonated.ts 
@@ -74,8 +74,15 @@ interface ImpersonatedCredentialRequest { } describe('impersonated', () => { + beforeEach(() => { + sinon + .stub(Impersonated.prototype, 'getRegionalAccessBoundaryUrl') + .resolves(undefined); + }); + afterEach(() => { nock.cleanAll(); + sinon.restore(); }); it('should request impersonated credentials on first request', async () => { @@ -596,7 +603,6 @@ describe('impersonated', () => { }); describe('regional access boundaries', () => { - let sandbox: sinon.SinonSandbox; const TARGET_PRINCIPAL_EMAIL = 'target@project.iam.gserviceaccount.com'; const MOCK_ACCESS_TOKEN = 'abc123'; const MOCK_AUTH_HEADER = `Bearer ${MOCK_ACCESS_TOKEN}`; @@ -621,13 +627,12 @@ describe('impersonated', () => { } beforeEach(() => { - sandbox = sinon.createSandbox(); - process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true'; + ( + Impersonated.prototype.getRegionalAccessBoundaryUrl as sinon.SinonStub + ).restore(); }); afterEach(() => { - delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT']; - sandbox.restore(); nock.cleanAll(); }); diff --git a/core/packages/google-auth-library-nodejs/test/test.jwt.ts b/core/packages/google-auth-library-nodejs/test/test.jwt.ts index 338de68c44f..d9c4f93cc3b 100644 --- a/core/packages/google-auth-library-nodejs/test/test.jwt.ts +++ b/core/packages/google-auth-library-nodejs/test/test.jwt.ts @@ -72,6 +72,9 @@ describe('jwt', () => { json = createJSON(); jwt = new JWT(); sandbox = sinon.createSandbox(); + sandbox + .stub(JWT.prototype, 'getRegionalAccessBoundaryUrl') + .resolves(undefined); }); afterEach(() => { @@ -1250,7 +1253,6 @@ describe('jwt', () => { }); describe('regional access boundaries', () => { - let sandbox: sinon.SinonSandbox; const SERVICE_ACCOUNT_EMAIL = 'service-account@example.com'; const MOCK_ACCESS_TOKEN = 'abc123'; const MOCK_AUTH_HEADER = `Bearer ${MOCK_ACCESS_TOKEN}`; 
@@ -1276,13 +1278,10 @@ describe('jwt', () => { } beforeEach(() => { - sandbox = sinon.createSandbox(); - process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true'; + (JWT.prototype.getRegionalAccessBoundaryUrl as sinon.SinonStub).restore(); }); afterEach(() => { - delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT']; - sandbox.restore(); nock.cleanAll(); }); @@ -1293,9 +1292,9 @@ describe('jwt', () => { scopes: ['http://bar', 'http://foo'], subject: 'bar@subjectaccount.com', }); - jwt.credentials = { refresh_token: 'jwt-placeholder' }; + jwt.credentials = {refresh_token: 'jwt-placeholder'}; - const tokenScope = createGTokenMock({ access_token: MOCK_ACCESS_TOKEN }); + const tokenScope = createGTokenMock({access_token: MOCK_ACCESS_TOKEN}); let rabLookupCalled = false; const rabScope = setupRegionalAccessBoundaryNock(SERVICE_ACCOUNT_EMAIL); @@ -1335,7 +1334,7 @@ describe('jwt', () => { email: SERVICE_ACCOUNT_EMAIL, key: keys.private, }); - jwt.credentials = { refresh_token: 'jwt-placeholder' }; + jwt.credentials = {refresh_token: 'jwt-placeholder'}; const lookupUrl = SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace( '{service_account_email}', @@ -1379,13 +1378,13 @@ describe('jwt', () => { const jwt = new JWT({ email: SERVICE_ACCOUNT_EMAIL, key: PEM_CONTENTS, - additionalClaims: { target_audience: 'some-audience' }, + additionalClaims: {target_audience: 'some-audience'}, }); // Setup a RAB lookup mock that should NOT be hit const rabScope = setupRegionalAccessBoundaryNock(SERVICE_ACCOUNT_EMAIL); - const scope = createGTokenMock({ id_token: 'id-token-abc' }); + const scope = createGTokenMock({id_token: 'id-token-abc'}); const headers = await jwt.getRequestHeaders( 'https://pubsub.googleapis.com', );