Added changes to always call mTLS RAB endpoint. Removed SPIFFE fallback.

Author: vverman

google-auth-library-java/oauth2_http/java/com/google/auth/mtls/MtlsUtils.java

@@ -51,16 +51,18 @@ public class MtlsUtils {
   static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
   static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
 
-  @com.google.common.annotations.VisibleForTesting
-  static String spiffeDirectory = "/var/run/secrets/workload-spiffe-credentials/";
-
-  static final String SPIFFE_CREDENTIAL_BUNDLE_FILE = "credentialbundle.pem";
-  static final String SPIFFE_CERTIFICATE_FILE = "certificates.pem";
-  static final String SPIFFE_PRIVATE_KEY_FILE = "private_key.pem";
-
+  /**
+   * The policy determining when to use mutual TLS (mTLS) endpoints.
+   *
+   * <p>See <a href="https://google.aip.dev/auth/4114">AIP-4114</a> for the specification on mTLS
+   * endpoint usage.
+   */
   public enum MtlsEndpointUsagePolicy {
+    /** Always use the mTLS endpoint, and fail if client certificates are not configured. */
     ALWAYS,
+    /** Never use the mTLS endpoint. */
     NEVER,
+    /** Use the mTLS endpoint if client certificates are configured (auto-discovery). */
     AUTO
   }
 
@@ -167,13 +169,21 @@ public static boolean canMtlsBeEnabled(
 
     // Check if client certificate usage is allowed
     String useClientCertificate = envProvider.getEnv("GOOGLE_API_USE_CLIENT_CERTIFICATE");
+    MtlsEndpointUsagePolicy policy = getMtlsEndpointUsagePolicy(envProvider);
     if ("false".equalsIgnoreCase(useClientCertificate)) {
+      if (policy == MtlsEndpointUsagePolicy.ALWAYS) {
+        throw new CertificateSourceUnavailableException(
+            "mTLS is configured to ALWAYS, but client certificate usage was explicitly disabled via GOOGLE_API_USE_CLIENT_CERTIFICATE=false.");
+      }
       return false;
     }
 
-    if (getMtlsEndpointUsagePolicy(envProvider) == MtlsEndpointUsagePolicy.NEVER) {
+    if (policy == MtlsEndpointUsagePolicy.NEVER) {
       return false;
     }
+    if (policy == MtlsEndpointUsagePolicy.ALWAYS) {
+      return true;
+    }
 
     // Locate and process the certificate configuration file
     String envPath = envProvider.getEnv(CERTIFICATE_CONFIGURATION_ENV_VARIABLE);
@@ -185,44 +195,16 @@ public static boolean canMtlsBeEnabled(
             "Certificate configuration file does not exist or is not a file: "
                 + certConfigFile.getAbsolutePath());
       }
-    }
-
-    WorkloadCertificateConfiguration workloadCertConfig = null;
-    try {
-      workloadCertConfig =
-          getWorkloadCertificateConfiguration(envProvider, propProvider, certConfigPathOverride);
-    } catch (CertificateSourceUnavailableException e) {
-      // Config file is simply not present. This is fine, fallback to SPIFFE.
-    } catch (IOException e) {
-      // Config file exists but is malformed or points to invalid paths -> throw hard error
-      throw e;
-    }
-
-    if (workloadCertConfig != null) {
-      // Validate referenced files exist
-      File certFile = new File(workloadCertConfig.getCertPath());
-      File keyFile = new File(workloadCertConfig.getPrivateKeyPath());
-      if (!certFile.isFile() || !keyFile.isFile()) {
-        throw new IOException(
-            String.format(
-                "Certificate configuration exists but referenced files are missing: cert_path=%s, key_path=%s",
-                workloadCertConfig.getCertPath(), workloadCertConfig.getPrivateKeyPath()));
-      }
       return true;
     }
 
-    // Fallback to SPIFFE discovery if the directory exists
-    File spiffeDir = new File(spiffeDirectory);
-    if (spiffeDir.isDirectory()) {
-      File credentialBundle = new File(spiffeDir, SPIFFE_CREDENTIAL_BUNDLE_FILE);
-      if (credentialBundle.isFile()) {
-        return true;
-      }
-      File certsFile = new File(spiffeDir, SPIFFE_CERTIFICATE_FILE);
-      File keyFile = new File(spiffeDir, SPIFFE_PRIVATE_KEY_FILE);
-      if (certsFile.isFile() && keyFile.isFile()) {
+    try {
+      File wellKnownConfig = getWellKnownCertificateConfigFile(envProvider, propProvider);
+      if (wellKnownConfig.isFile()) {
         return true;
       }
+    } catch (IOException e) {
+      // ignore if well-known directory resolution fails (e.g. APPDATA not set on Windows)
     }
 
     return false;

google-auth-library-java/oauth2_http/java/com/google/auth/mtls/X509Provider.java

@@ -36,7 +36,6 @@
 import com.google.auth.oauth2.PropertyProvider;
 import com.google.auth.oauth2.SystemEnvironmentProvider;
 import com.google.auth.oauth2.SystemPropertyProvider;
-import com.google.common.base.Strings;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -107,9 +106,6 @@ public X509Provider() {
    *   <li>The well known gcloud location for the certificate configuration file.
    * </ul>
    *
-   * <p>If none of the above are available, it will attempt to discover and load certificates from
-   * SPIFFE credentials located under "/var/run/secrets/workload-spiffe-credentials/".
-   *
    * @return a KeyStore containing the X.509 certificate specified by the certificate configuration.
    * @throws CertificateSourceUnavailableException if the certificate source is unavailable (ex.
    *     missing configuration file)
@@ -118,64 +114,19 @@ public X509Provider() {
   @Override
   public KeyStore getKeyStore() throws CertificateSourceUnavailableException, IOException {
     // Attempt to load from resolved Config File
-    WorkloadCertificateConfiguration workloadCertConfig = null;
-    try {
-      workloadCertConfig =
-          MtlsUtils.getWorkloadCertificateConfiguration(
-              envProvider, propProvider, certConfigPathOverride);
-    } catch (CertificateSourceUnavailableException e) {
-      // Ignore config-not-found error to fall back to SPIFFE discovery ONLY if not explicitly
-      // configured.
-      boolean isExplicitlyConfigured =
-          certConfigPathOverride != null
-              || !Strings.isNullOrEmpty(
-                  envProvider.getEnv(MtlsUtils.CERTIFICATE_CONFIGURATION_ENV_VARIABLE));
-      if (isExplicitlyConfigured) {
-        throw e;
-      }
-    }
-
-    if (workloadCertConfig != null) {
-      try (InputStream certStream =
-              new FileInputStream(new File(workloadCertConfig.getCertPath()));
-          InputStream privateKeyStream =
-              new FileInputStream(new File(workloadCertConfig.getPrivateKeyPath()));
-          SequenceInputStream certAndPrivateKeyStream =
-              new SequenceInputStream(certStream, privateKeyStream)) {
-        return SecurityUtils.createMtlsKeyStore(certAndPrivateKeyStream);
-      } catch (Exception e) {
-        throw new IOException("X509Provider: Unexpected error loading from config file:", e);
-      }
-    }
-
-    // Fallback: Load from SPIFFE Credentials
-    File spiffeDir = new File(MtlsUtils.spiffeDirectory);
-    if (spiffeDir.isDirectory()) {
-      File credentialBundle = new File(spiffeDir, MtlsUtils.SPIFFE_CREDENTIAL_BUNDLE_FILE);
-      if (credentialBundle.isFile()) {
-        try (InputStream bundleStream = new FileInputStream(credentialBundle)) {
-          return SecurityUtils.createMtlsKeyStore(bundleStream);
-        } catch (Exception e) {
-          throw new IOException("X509Provider: Unexpected error loading from SPIFFE bundle:", e);
-        }
-      }
+    WorkloadCertificateConfiguration workloadCertConfig =
+        MtlsUtils.getWorkloadCertificateConfiguration(
+            envProvider, propProvider, certConfigPathOverride);
 
-      File certsFile = new File(spiffeDir, MtlsUtils.SPIFFE_CERTIFICATE_FILE);
-      File keyFile = new File(spiffeDir, MtlsUtils.SPIFFE_PRIVATE_KEY_FILE);
-      if (certsFile.isFile() && keyFile.isFile()) {
-        try (InputStream certStream = new FileInputStream(certsFile);
-            InputStream privateKeyStream = new FileInputStream(keyFile);
-            SequenceInputStream certAndPrivateKeyStream =
-                new SequenceInputStream(certStream, privateKeyStream)) {
-          return SecurityUtils.createMtlsKeyStore(certAndPrivateKeyStream);
-        } catch (Exception e) {
-          throw new IOException(
-              "X509Provider: Unexpected error loading from separate SPIFFE files:", e);
-        }
-      }
+    try (InputStream certStream = new FileInputStream(new File(workloadCertConfig.getCertPath()));
+        InputStream privateKeyStream =
+            new FileInputStream(new File(workloadCertConfig.getPrivateKeyPath()));
+        SequenceInputStream certAndPrivateKeyStream =
+            new SequenceInputStream(certStream, privateKeyStream)) {
+      return SecurityUtils.createMtlsKeyStore(certAndPrivateKeyStream);
+    } catch (Exception e) {
+      throw new IOException("X509Provider: Unexpected error loading from config file:", e);
     }
-
-    throw new CertificateSourceUnavailableException("No certificate source was resolved.");
   }
 
   @Override

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -401,17 +401,27 @@ void refreshRegionalAccessBoundaryIfExpired(@Nullable URI uri, @Nullable AccessT
       return;
     }
 
+    MtlsUtils.MtlsEndpointUsagePolicy mtlsPolicy =
+        MtlsUtils.getMtlsEndpointUsagePolicy(getEnvironmentProvider());
     try {
-      if (!(transportFactory instanceof MtlsHttpTransportFactory)
-          && MtlsUtils.canMtlsBeEnabled(getEnvironmentProvider(), getPropertyProvider(), null)) {
+      boolean canMtls =
+          MtlsUtils.canMtlsBeEnabled(getEnvironmentProvider(), getPropertyProvider(), null);
+      // Initialize mTLS transport factory if mTLS can be enabled and the user hasn't already
+      // configured a custom MtlsHttpTransportFactory.
+      if (!(transportFactory instanceof MtlsHttpTransportFactory) && canMtls) {
         X509Provider x509Provider =
             new X509Provider(getEnvironmentProvider(), getPropertyProvider(), null);
         KeyStore mtlsKeyStore = x509Provider.getKeyStore();
-        if (mtlsKeyStore != null) {
-          transportFactory = new MtlsHttpTransportFactory(mtlsKeyStore);
-        }
+        transportFactory = new MtlsHttpTransportFactory(mtlsKeyStore);
       }
     } catch (Exception e) {
+      if (mtlsPolicy == MtlsUtils.MtlsEndpointUsagePolicy.ALWAYS) {
+        if (e instanceof IOException) {
+          throw (IOException) e;
+        }
+        throw new IOException(
+            "mTLS is configured to ALWAYS, but initialization failed: " + e.getMessage(), e);
+      }
       // Graceful fallback to standard transport if mTLS initialization fails
     }
 
@@ -463,6 +473,10 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException
       // Sets off an async refresh for request-metadata.
       refreshRegionalAccessBoundaryIfExpired(uri, getAccessToken());
     } catch (IOException e) {
+      if (MtlsUtils.getMtlsEndpointUsagePolicy(getEnvironmentProvider())
+          == MtlsUtils.MtlsEndpointUsagePolicy.ALWAYS) {
+        throw e;
+      }
       // Ignore failure in async refresh trigger.
     }
     return metadata;
@@ -493,6 +507,11 @@ public void onSuccess(Map<String, List<String>> metadata) {
             try {
               refreshRegionalAccessBoundaryIfExpired(uri, getAccessToken());
             } catch (IOException e) {
+              if (MtlsUtils.getMtlsEndpointUsagePolicy(getEnvironmentProvider())
+                  == MtlsUtils.MtlsEndpointUsagePolicy.ALWAYS) {
+                callback.onFailure(e);
+                return;
+              }
               // Ignore failure in async refresh trigger.
             }
             callback.onSuccess(metadata);

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundary.java

@@ -45,6 +45,7 @@
 import com.google.api.client.util.ExponentialBackOff;
 import com.google.api.client.util.Key;
 import com.google.auth.http.HttpTransportFactory;
+import com.google.auth.mtls.MtlsUtils;
 import com.google.common.base.MoreObjects;
 import com.google.common.base.Preconditions;
 import java.io.IOException;
@@ -189,7 +190,10 @@ static RegionalAccessBoundary refresh(
       throw new IllegalArgumentException("The provided access token is expired.");
     }
 
-    if (transportFactory instanceof com.google.auth.mtls.MtlsHttpTransportFactory) {
+    MtlsUtils.MtlsEndpointUsagePolicy mtlsPolicy =
+        MtlsUtils.getMtlsEndpointUsagePolicy(SystemEnvironmentProvider.getInstance());
+    if (transportFactory instanceof com.google.auth.mtls.MtlsHttpTransportFactory
+        || mtlsPolicy == MtlsUtils.MtlsEndpointUsagePolicy.ALWAYS) {
       url = url.replace("iamcredentials.googleapis.com", "iamcredentials.mtls.googleapis.com");
     }
 

google-auth-library-java/oauth2_http/javatests/com/google/auth/mtls/MtlsUtilsTest.java

@@ -351,81 +351,23 @@ public String getProperty(String name, String def) {
     assertTrue(MtlsUtils.canMtlsBeEnabled(envProvider, propProvider, null));
   }
 
-  // If the configuration file exists but the certificate path it references does not exist,
-  // canMtlsBeEnabled should throw an IOException.
   @Test
-  void canMtlsBeEnabled_configMissingCertFile_throwsIOException() throws IOException {
-    Path configFile = tempDir.resolve("config.json");
-    Path nonExistentCert = tempDir.resolve("non_existent_cert.pem");
-    Path keyFile = tempDir.resolve("key.pem");
-    Files.createFile(keyFile);
-    Files.write(configFile, createJsonConfigString(nonExistentCert, keyFile).getBytes());
-
-    EnvironmentProvider envProvider =
-        name -> "GOOGLE_API_CERTIFICATE_CONFIG".equals(name) ? configFile.toString() : null;
-    PropertyProvider propProvider = (name, def) -> def;
-
-    assertThrows(
-        IOException.class, () -> MtlsUtils.canMtlsBeEnabled(envProvider, propProvider, null));
-  }
-
-  // If the configuration file exists but the private key path it references does not exist,
-  // canMtlsBeEnabled should throw an IOException.
-  @Test
-  void canMtlsBeEnabled_configMissingKeyFile_throwsIOException() throws IOException {
-    Path configFile = tempDir.resolve("config.json");
-    Path certFile = tempDir.resolve("cert.pem");
-    Path nonExistentKey = tempDir.resolve("non_existent_key.pem");
-    Files.createFile(certFile);
-    Files.write(configFile, createJsonConfigString(certFile, nonExistentKey).getBytes());
-
+  void canMtlsBeEnabled_alwaysPolicy_clientCertDisabled_throwsException() {
     EnvironmentProvider envProvider =
-        name -> "GOOGLE_API_CERTIFICATE_CONFIG".equals(name) ? configFile.toString() : null;
+        name -> {
+          if ("GOOGLE_API_USE_CLIENT_CERTIFICATE".equals(name)) {
+            return "false";
+          }
+          if ("GOOGLE_API_USE_MTLS_ENDPOINT".equals(name)) {
+            return "always";
+          }
+          return null;
+        };
     PropertyProvider propProvider = (name, def) -> def;
 
     assertThrows(
-        IOException.class, () -> MtlsUtils.canMtlsBeEnabled(envProvider, propProvider, null));
-  }
-
-  // If no configuration file exists but a SPIFFE credential bundle file is present,
-  // canMtlsBeEnabled should return true.
-  @Test
-  void canMtlsBeEnabled_unset_spiffeBundlePresent_returnsTrue() throws IOException {
-    Path spiffeDir = tempDir.resolve("spiffe_workload_bundle");
-    Files.createDirectory(spiffeDir);
-    Files.createFile(spiffeDir.resolve("credentialbundle.pem"));
-
-    String originalSpiffeDir = MtlsUtils.spiffeDirectory;
-    MtlsUtils.spiffeDirectory = spiffeDir.toString() + "/";
-    try {
-      EnvironmentProvider envProvider = name -> null;
-      PropertyProvider propProvider = (name, def) -> def;
-
-      assertTrue(MtlsUtils.canMtlsBeEnabled(envProvider, propProvider, null));
-    } finally {
-      MtlsUtils.spiffeDirectory = originalSpiffeDir;
-    }
-  }
-
-  // If no configuration file exists but separate SPIFFE certificate and key files are present,
-  // canMtlsBeEnabled should return true.
-  @Test
-  void canMtlsBeEnabled_unset_spiffeCertsPresent_returnsTrue() throws IOException {
-    Path spiffeDir = tempDir.resolve("spiffe_workload_certs");
-    Files.createDirectory(spiffeDir);
-    Files.createFile(spiffeDir.resolve("certificates.pem"));
-    Files.createFile(spiffeDir.resolve("private_key.pem"));
-
-    String originalSpiffeDir = MtlsUtils.spiffeDirectory;
-    MtlsUtils.spiffeDirectory = spiffeDir.toString() + "/";
-    try {
-      EnvironmentProvider envProvider = name -> null;
-      PropertyProvider propProvider = (name, def) -> def;
-
-      assertTrue(MtlsUtils.canMtlsBeEnabled(envProvider, propProvider, null));
-    } finally {
-      MtlsUtils.spiffeDirectory = originalSpiffeDir;
-    }
+        CertificateSourceUnavailableException.class,
+        () -> MtlsUtils.canMtlsBeEnabled(envProvider, propProvider, null));
   }
 
   @Test