feat(auth): Regional access boundaries main merge #8769

Open: vverman wants to merge 5 commits into googleapis:main from vverman:regional-access-boundaries-main-merge

vverman commented Jun 26, 2026

The Regional Access Boundaries PR to main. Contains all the changes merged to the feature branch "regional-access-boundaries" rebased on top of main.

vverman added 5 commits June 16, 2026 17:37
* RAB endpoints changed from staging to prod; Removed RAB env variable gate; updated tests.

* removed sinon.createSandbox from nested beforeEach blocks in test.compute.ts, test.jwt.ts, and test.impersonated.ts.
)

* feat(auth): Skip RAB lookup if MDS returns a non-email.

* Added logic to skip MDS calls in case non-email is returned. Added tests.

* Added email regex as a const.

* Simplified logic.
vverman added the "do not merge" label (Indicates a pull request not ready for merge, due to either quality or timing.) Jun 26, 2026
vverman marked this pull request as ready for review June 26, 2026 21:16
vverman requested a review from a team as a code owner June 26, 2026 21:16

gemini-code-assist (bot) left a comment

Code Review

This pull request introduces Regional Access Boundary (RAB) support to the Google Auth Library for Node.js, adding a RegionalAccessBoundaryManager to fetch, cache, and apply regional access boundary rules (such as the x-allowed-locations header) across various auth clients. Feedback on the changes includes correcting swapped comments for workload and workforce identity pools in baseexternalclient.ts, and replacing flaky polling loops with direct awaits on the internal refresh promise in the test suite.

Comment on lines +750 to +767
// Check if the audience corresponds to a workload identity pool.
const wfPoolId = getWorkforcePoolIdFromAudience(this.audience);
if (wfPoolId) {
return WORKFORCE_LOOKUP_ENDPOINT.replace(
'{pool_id}',
encodeURIComponent(wfPoolId),
);
}

// Check if the audience corresponds to a workforce identity pool.
const wlPoolId = getWorkloadPoolIdFromAudience(this.audience);
const projectNumber = this.getProjectNumber(this.audience);
if (wlPoolId && projectNumber) {
return WORKLOAD_LOOKUP_ENDPOINT.replace(
'{project_id}',
projectNumber,
).replace('{pool_id}', wlPoolId);
}
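Review bot: In the workload branch, `projectNumber` and `wlPoolId` are spliced into the lookup URL by `.replace('{project_id}', projectNumber)` and `.replace('{pool_id}', wlPoolId)` without `encodeURIComponent`, while the workforce branch above encodes `wfPoolId`. Both values are derived from `this.audience`, so unless the two helpers already restrict the character set, a `/`, `?` or `#` in either one changes the path or query of the lookup request, and a `$&` sequence is expanded by `String.prototype.replace` as a replacement pattern. Suggest wrapping both in `encodeURIComponent(...)` to match the workforce branch, or validating them against the expected character set before the URL is built.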

medium

The comments for workload and workforce identity pools are swapped. The comment on line 750 refers to a workload identity pool but the code checks for a workforce pool, and vice versa on line 759. Swapping them back will improve code readability and maintainability.

Suggested change
// Check if the audience corresponds to a workload identity pool.
const wfPoolId = getWorkforcePoolIdFromAudience(this.audience);
if (wfPoolId) {
return WORKFORCE_LOOKUP_ENDPOINT.replace(
'{pool_id}',
encodeURIComponent(wfPoolId),
);
}
// Check if the audience corresponds to a workforce identity pool.
const wlPoolId = getWorkloadPoolIdFromAudience(this.audience);
const projectNumber = this.getProjectNumber(this.audience);
if (wlPoolId && projectNumber) {
return WORKLOAD_LOOKUP_ENDPOINT.replace(
'{project_id}',
projectNumber,
).replace('{pool_id}', wlPoolId);
}
// Check if the audience corresponds to a workforce identity pool.
const wfPoolId = getWorkforcePoolIdFromAudience(this.audience);
if (wfPoolId) {
return WORKFORCE_LOOKUP_ENDPOINT.replace(
'{pool_id}',
encodeURIComponent(wfPoolId),
);
}
// Check if the audience corresponds to a workload identity pool.
const wlPoolId = getWorkloadPoolIdFromAudience(this.audience);
const projectNumber = this.getProjectNumber(this.audience);
if (wlPoolId && projectNumber) {
return WORKLOAD_LOOKUP_ENDPOINT.replace(
'{project_id}',
projectNumber,
).replace('{pool_id}', wlPoolId);
}

Comment on lines +447 to +453
// Wait for the background task to complete (not ideal but necessary for testing side effect)
// In a real scenario we'd use a better way to wait for the internal promise
let attempts = 0;
while (!rabLookupCalled && attempts < 10) {
await new Promise(r => setTimeout(r, 50));
attempts++;
}
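Review bot: The loop ends after ten 50 ms waits whether or not `rabLookupCalled` became true, and nothing in these lines fails the test when that budget runs out, so a lookup that never fires only surfaces in whatever assertion comes next. Suggest asserting `rabLookupCalled` directly after the loop with a message that names the timeout, or waiting on the manager's refresh promise so the test is tied to the lookup finishing rather than to a 500 ms budget.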

medium

Instead of using a polling loop with setTimeout to wait for the background task to complete, you can directly await the internal regionalAccessBoundaryRefreshPromise from the manager. This is cleaner, faster, and avoids potential test flakiness in slow CI environments.

Suggested change
// Wait for the background task to complete (not ideal but necessary for testing side effect)
// In a real scenario we'd use a better way to wait for the internal promise
let attempts = 0;
while (!rabLookupCalled && attempts < 10) {
await new Promise(r => setTimeout(r, 50));
attempts++;
}
await (compute as any).regionalAccessBoundaryManager
.regionalAccessBoundaryRefreshPromise;
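The difference between polling and awaiting the stored refresh promise, as an added example that is not code from the pull request or the library. `BoundaryManager`, `refreshPromise`, `deferredLookup` and `waitByPolling` are hypothetical names, and the lookup is a constructed stand-in that settles only when released, so the outcome does not depend on timing.

```javascript
// Added illustration: all names here are hypothetical, not the library's API.
class BoundaryManager {
  constructor(lookup) {
    this.lookup = lookup;        // async function that returns the boundary value
    this.cached = null;
    this.refreshPromise = null;  // in-flight background lookup, or null
  }

  // Non-blocking: returns what is cached now and starts at most one lookup.
  getHeaderValue() {
    if (this.cached === null && this.refreshPromise === null) {
      this.refreshPromise = this.lookup()
        .then(value => { this.cached = value; })
        .catch(() => {})         // a failed background lookup leaves the cache empty
        .finally(() => { this.refreshPromise = null; });
    }
    return this.cached;
  }
}

// Constructed stand-in for the network call: it settles only when release() runs
// and then yields the constructed value '0x1'.
function deferredLookup() {
  let release;
  const gate = new Promise(resolve => { release = resolve; });
  const state = { calls: 0 };
  const lookup = () => { state.calls++; return gate.then(() => '0x1'); };
  return { lookup, release, state };
}

// The polling style from the test: gives up after attempts * stepMs, without failing.
async function waitByPolling(done, attempts, stepMs) {
  for (let i = 0; i < attempts && !done(); i++) {
    await new Promise(resolve => setTimeout(resolve, stepMs));
  }
  return done();
}

async function compareWaits() {
  const d = deferredLookup();
  const mgr = new BoundaryManager(d.lookup);
  const first = mgr.getHeaderValue();   // null: nothing cached, lookup starts
  mgr.getHeaderValue();                 // reuses the in-flight lookup
  // The lookup is still pending, so the polling budget runs out and reports false.
  const polled = await waitByPolling(() => mgr.cached !== null, 3, 5);
  const pending = mgr.refreshPromise;   // capture before it is cleared
  d.release();
  await pending;                        // resolves exactly when the refresh is done
  return { polled, first, cached: mgr.cached, calls: d.state.calls,
           cleared: mgr.refreshPromise === null };
}
```

Capturing the promise before awaiting it matters here because the manager clears the field when the refresh settles.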
