Refreshes that failed to schedule are not entered into cooldown.

Author: vverman

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundary.java

@@ -199,6 +199,8 @@ static RegionalAccessBoundary refresh(
 
     HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
     HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));
+    // Disable automatic logging by google-http-java-client to prevent leakage of sensitive tokens.
+    request.setLoggingEnabled(false);
     request.getHeaders().setAuthorization("Bearer " + accessToken.getTokenValue());
 
     // Add retry logic

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundaryManager.java

@@ -64,7 +64,7 @@ final class RegionalAccessBoundaryManager {
    * The default maximum elapsed time in milliseconds for retrying Regional Access Boundary lookup
    * requests.
    */
-  private static final int DEFAULT_MAX_RETRY_ELAPSED_TIME_MILLIS = 60000;
+  static final int DEFAULT_MAX_RETRY_ELAPSED_TIME_MILLIS = 60000;
 
   /**
    * cachedRAB uses AtomicReference to provide thread-safe, lock-free access to the cached data for
@@ -94,7 +94,7 @@ final class RegionalAccessBoundaryManager {
   private static final int EXECUTOR_POOL_SIZE = 5;
   private static final int EXECUTOR_QUEUE_CAPACITY = 100;
 
-  private static final ExecutorService EXECUTOR;
+  private static final ExecutorService DEFAULT_SHARED_EXECUTOR;
 
   static {
     ThreadPoolExecutor executor =
@@ -112,25 +112,33 @@ final class RegionalAccessBoundaryManager {
     // Allow core threads to time out so the executor can shrink to 0 when idle.
     // Ensures threads are released when idle to avoid unnecessary resource usage.
     executor.allowCoreThreadTimeOut(true);
-    EXECUTOR = executor;
+    DEFAULT_SHARED_EXECUTOR = executor;
   }
 
   private final transient Clock clock;
   private final int maxRetryElapsedTimeMillis;
+  private final ExecutorService executor;
 
   /**
    * Creates a new RegionalAccessBoundaryManager with the default retry timeout of 60 seconds.
    *
    * @param clock The clock to use for cooldown and expiration checks.
    */
   RegionalAccessBoundaryManager(Clock clock) {
-    this(clock, DEFAULT_MAX_RETRY_ELAPSED_TIME_MILLIS);
+    this(clock, DEFAULT_MAX_RETRY_ELAPSED_TIME_MILLIS, DEFAULT_SHARED_EXECUTOR);
   }
 
   @VisibleForTesting
   RegionalAccessBoundaryManager(Clock clock, int maxRetryElapsedTimeMillis) {
+    this(clock, maxRetryElapsedTimeMillis, DEFAULT_SHARED_EXECUTOR);
+  }
+
+  @VisibleForTesting
+  RegionalAccessBoundaryManager(
+      Clock clock, int maxRetryElapsedTimeMillis, ExecutorService executor) {
     this.clock = clock != null ? clock : Clock.SYSTEM;
     this.maxRetryElapsedTimeMillis = maxRetryElapsedTimeMillis;
+    this.executor = executor;
   }
 
   /**
@@ -203,12 +211,15 @@ void triggerAsyncRefresh(
           };
 
       try {
-        EXECUTOR.submit(refreshTask);
+        this.executor.submit(refreshTask);
       } catch (Exception | Error e) {
         // If scheduling fails (e.g., RejectedExecutionException, OutOfMemoryError for threads),
         // the task's finally block will never execute. We must release the lock here.
-        handleRefreshFailure(
-            new Exception("Regional Access Boundary background refresh failed to schedule", e));
+        LoggingUtils.log(
+            LOGGER_PROVIDER,
+            java.util.logging.Level.WARNING,
+            null,
+            "Regional Access Boundary background refresh failed to schedule: " + e.getMessage());
         future.setException(e);
         refreshFuture.set(null);
       }

google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/RegionalAccessBoundaryTest.java

@@ -236,6 +236,19 @@ public void testExecutorQueueCapacityLimit() throws Exception {
     int queueCapacity = 100;
     int totalCapacity = poolSize + queueCapacity;
 
+    java.util.concurrent.ThreadPoolExecutor testExecutor =
+        new java.util.concurrent.ThreadPoolExecutor(
+            poolSize,
+            poolSize,
+            1,
+            java.util.concurrent.TimeUnit.HOURS,
+            new java.util.concurrent.LinkedBlockingQueue<>(queueCapacity),
+            r -> {
+              Thread t = new Thread(r, "test-RAB-refresh");
+              t.setDaemon(true);
+              return t;
+            });
+
     CountDownLatch latch = new CountDownLatch(1);
 
     java.io.InputStream blockingStream =
@@ -270,20 +283,29 @@ public int read() throws java.io.IOException {
 
     RegionalAccessBoundaryManager[] managers = new RegionalAccessBoundaryManager[totalCapacity];
     for (int i = 0; i < totalCapacity; i++) {
-      managers[i] = new RegionalAccessBoundaryManager(testClock);
+      managers[i] =
+          new RegionalAccessBoundaryManager(
+              testClock,
+              RegionalAccessBoundaryManager.DEFAULT_MAX_RETRY_ELAPSED_TIME_MILLIS,
+              testExecutor);
       managers[i].triggerAsyncRefresh(transportFactory, provider, token);
     }
 
-    RegionalAccessBoundaryManager extraManager = new RegionalAccessBoundaryManager(testClock);
+    RegionalAccessBoundaryManager extraManager =
+        new RegionalAccessBoundaryManager(
+            testClock,
+            RegionalAccessBoundaryManager.DEFAULT_MAX_RETRY_ELAPSED_TIME_MILLIS,
+            testExecutor);
     assertFalse(extraManager.isCooldownActive());
 
     extraManager.triggerAsyncRefresh(transportFactory, provider, token);
 
-    assertTrue(
+    assertFalse(
         extraManager.isCooldownActive(),
-        "106th task should have been rejected and entered cooldown");
+        "106th task should NOT have entered cooldown on scheduling failure");
 
     latch.countDown();
+    testExecutor.shutdownNow();
   }
 
   private static class TestClock implements Clock {