feat: implement updated design for regional access boundary

[nbayati]

Make the fetching async and non blocking.
Implement proactive refresh every 6 hours.
Centralize the logic in a new class.
Remove no-op signal and checks.
Refactor to Regional Access Boundary name.

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

• Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
• Ensure the tests and linter pass
• Code coverage does not decrease (if any source code was changed)
• Appropriate docs were updated (if necessary)

Fixes #<issue_number_goes_here> 🦕

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly overhauls the internal handling of regional access boundaries within the authentication library. The primary goal is to enhance the reliability and performance of this feature by introducing an asynchronous, non-blocking data fetching mechanism with proactive background refreshes. This refactoring centralizes the complex logic, streamlines error handling, and sets the stage for more robust regional access control.

Highlights

• Refactored Regional Access Boundary: The "Trust Boundary" feature has been renamed and refactored to "Regional Access Boundary" for clarity and consistency across the codebase.
• Asynchronous and Non-Blocking Fetching: The process of fetching Regional Access Boundary information is now asynchronous and non-blocking, improving application responsiveness and preventing UI freezes.
• Proactive Refresh Mechanism: Regional Access Boundary data is proactively refreshed every 6 hours in the background to ensure up-to-date information without requiring explicit calls.
• Centralized Logic: All core logic for managing Regional Access Boundaries has been centralized into a new utility module, _regional_access_boundary_utils.py, enhancing maintainability and modularity.
• Deprecated Parameters and Methods: The trust_boundary parameter and with_trust_boundary methods have been deprecated across various credential types, with warnings issued upon their use to guide developers towards the new design.
• Simplified Error Handling and Retries: Regional Access Boundary lookup failures now log errors and return None instead of raising exceptions, and HTTP 502 (Bad Gateway) errors are now considered retryable, making the system more resilient.

Changelog

• packages/google-auth/google/auth/_constants.py
  • Updated endpoint names and removed universe_domain from format strings.
• packages/google-auth/google/auth/_helpers.py
  • Removed the get_bool_from_env utility function.
• packages/google-auth/google/auth/_regional_access_boundary_utils.py
  • Added a new module to centralize Regional Access Boundary management logic, including data structures, manager, and refresh thread.
• packages/google-auth/google/auth/compute_engine/credentials.py
  • Updated to use the new CredentialsWithRegionalAccessBoundary base class.
  • Deprecated trust_boundary parameter.
  • Renamed lookup URL builder.
  • Refined error handling.
• packages/google-auth/google/auth/credentials.py
  • Replaced CredentialsWithTrustBoundary with CredentialsWithRegionalAccessBoundary.
  • Deprecated with_trust_boundary.
  • Introduced a new _rab_manager for state.
  • Refactored refresh and header application logic.
• packages/google-auth/google/auth/external_account.py
  • Migrated to CredentialsWithRegionalAccessBoundary.
  • Deprecated trust_boundary parameter.
  • Updated Regional Access Boundary lookup URL construction and error handling.
• packages/google-auth/google/auth/external_account_authorized_user.py
  • Migrated to CredentialsWithRegionalAccessBoundary.
  • Removed trust_boundary parameter.
  • Updated Regional Access Boundary lookup URL construction and error handling.
• packages/google-auth/google/auth/identity_pool.py
  • Removed the explicit call to handle trust boundary refresh.
• packages/google-auth/google/auth/impersonated_credentials.py
  • Migrated to CredentialsWithRegionalAccessBoundary.
  • Deprecated trust_boundary parameter.
  • Updated Regional Access Boundary lookup URL construction and error handling.
• packages/google-auth/google/oauth2/_client.py
  • Renamed trust boundary lookup functions to regional access boundary.
  • Improved error logging.
  • Increased retry attempts.
  • Added HTTP 502 as a retryable status.
• packages/google-auth/google/oauth2/_service_account_async.py
  • Added before_request overrides to bypass synchronous Regional Access Boundary refresh for async credentials.
• packages/google-auth/google/oauth2/credentials.py
  • Deprecated the trust_boundary parameter in the constructor.
• packages/google-auth/google/oauth2/service_account.py
  • Migrated to CredentialsWithRegionalAccessBoundary.
  • Deprecated trust_boundary parameter.
  • Updated Regional Access Boundary lookup URL construction and error handling.
• packages/google-auth/tests/compute_engine/test_credentials.py
  • Removed deprecated trust boundary tests.
  • Updated regional access boundary lookup URL tests.
• packages/google-auth/tests/oauth2/test__client.py
  • Renamed and updated tests for regional access boundary lookup, including new error handling and retry logic.
• packages/google-auth/tests/oauth2/test_service_account.py
  • Removed deprecated trust boundary tests.
  • Added a test for regional access boundary lookup URL.
• packages/google-auth/tests/test__helpers.py
  • Removed tests for the get_bool_from_env function.
• packages/google-auth/tests/test__regional_access_boundary_utils.py
  • Added a new test file for the _regional_access_boundary_utils module, covering its core functionalities.
• packages/google-auth/tests/test_aws.py
  • Removed trust_boundary parameter from from_info and from_file test calls.
• packages/google-auth/tests/test_credentials.py
  • Updated CredentialsImpl to reflect the new CredentialsWithRegionalAccessBoundary base class and its associated manager.
  • Removed old trust boundary tests.
• packages/google-auth/tests/test_external_account.py
  • Removed deprecated trust boundary tests.
  • Updated regional access boundary lookup URL tests.
• packages/google-auth/tests/test_external_account_authorized_user.py
  • Removed deprecated trust boundary tests.
  • Updated regional access boundary lookup URL tests.
• packages/google-auth/tests/test_identity_pool.py
  • Removed trust_boundary parameter from from_info and from_file test calls.
• packages/google-auth/tests/test_impersonated_credentials.py
  • Removed deprecated trust boundary tests.
  • Updated regional access boundary lookup URL tests.
• packages/google-auth/tests/test_pluggable.py
  • Removed trust_boundary parameter from from_info and from_file test calls.

Activity

• The author, nbayati, opened this pull request with a clear intent to implement an updated design for regional access boundary. The description outlines the key changes: making fetching async and non-blocking, implementing proactive refresh, centralizing logic in a new class, removing no-op signals, and refactoring to the new name. There are no other comments or reviews mentioned in the provided context.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a significant and well-executed refactoring of the regional access boundary feature. The changes implement a more robust design with non-blocking, asynchronous fetching, proactive refresh, and exponential backoff on failure. The logic has been effectively centralized into new utility classes, and the feature has been consistently renamed from "Trust Boundary" to "Regional Access Boundary" across the codebase. The implementation appears solid and greatly improves the feature's resilience. I have a couple of minor suggestions to modernize the Python syntax for super() calls in the new and modified code.

[gemini-code-assist]

For better maintainability and consistency with modern Python 3 practices, it's recommended to use the argument-less super() call.

Suggested change

	super(_RegionalAccessBoundaryRefreshThread, self).__init__()
	super().__init__()

[gemini-code-assist]

To align with modern Python 3 syntax, it's preferable to use the argument-less super() call here.

Suggested change

	super(CredentialsWithRegionalAccessBoundary, self).__init__(*args, **kwargs)
	super().__init__(*args, **kwargs)