NotificationsYou must be signed in to change notification settings
Fork95
Star144

Commitf8bf6f9

authored

feat: Auto enable mTLS when supported certificates are detected (#869)

The Python SDK will use a hybrid approach for mTLS enablement:If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is set(either true or false or any value), the SDK will respect that setting.This is necessary for test scenarios and users who need to explicitlycontrol mTLS behavior.If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is notset, the SDK will automatically enable mTLS only if it detects ManagedWorkload Identity (MWID) or X.509 Workforce Identity Federation (WIF)certificate sources. In other cases where the variable is not set, mTLSwill remain disabled.---------Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>

1 parentf0188c6 commitf8bf6f9Copy full SHA for f8bf6f9

File tree

2 files changed

+37

-11

lines changed

google/api_core/operations_v1
- abstract_operations_base_client.py
tests/unit/operations_v1
- test_operations_rest_client.py

2 files changed

+37

-11

lines changed

`‎google/api_core/operations_v1/abstract_operations_base_client.py‎`

Lines changed: 14 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -300,16 +300,22 @@ def __init__(`
`300`	`300`	`client_options=client_options_lib.ClientOptions()`
`301`	`301`
`302`	`302`	`# Create SSL credentials for mutual TLS if needed.`
`303`		`-use_client_cert=os.getenv(`
`304`		`-"GOOGLE_API_USE_CLIENT_CERTIFICATE","false"`
`305`		`- ).lower()`
`306`		`-ifuse_client_certnotin ("true","false"):`
`307`		`-raiseValueError(`
`308`		-"Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be either `true` or `false`"
`309`		`- )`
	`303`	`+ifhasattr(mtls,"should_use_client_cert"):`
	`304`	`+use_client_cert=mtls.should_use_client_cert()`
	`305`	`+else:`
	`306`	`+# if unsupported, fallback to reading from env var`
	`307`	`+use_client_cert_str=os.getenv(`
	`308`	`+"GOOGLE_API_USE_CLIENT_CERTIFICATE","false"`
	`309`	`+ ).lower()`
	`310`	`+ifuse_client_cert_strnotin ("true","false"):`
	`311`	`+raiseValueError(`
	`312`	+"Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be"
	`313`	+" either `true` or `false`"
	`314`	`+ )`
	`315`	`+use_client_cert=use_client_cert_str=="true"`
`310`	`316`	`client_cert_source_func=None`
`311`	`317`	`is_mtls=False`
`312`		`-ifuse_client_cert=="true":`
	`318`	`+ifuse_client_cert:`
`313`	`319`	`ifclient_options.client_cert_source:`
`314`	`320`	`is_mtls=True`
`315`	`321`	`client_cert_source_func=client_options.client_cert_source`

`‎tests/unit/operations_v1/test_operations_rest_client.py‎`

Lines changed: 23 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,13 +35,15 @@`
`35`	`35`	`fromgoogle.api_coreimportclient_options`
`36`	`36`	`fromgoogle.api_coreimportexceptionsascore_exceptions`
`37`	`37`	`fromgoogle.api_coreimportgapic_v1`
	`38`	`+fromgoogle.api_coreimportparse_version_to_tuple`
`38`	`39`	`fromgoogle.api_core.operations_v1importAbstractOperationsClient`
`39`	`40`
`40`	`41`	`importgoogle.auth`
`41`	`42`	`fromgoogle.api_core.operations_v1importpagers`
`42`	`43`	`fromgoogle.api_core.operations_v1importpagers_async`
`43`	`44`	`fromgoogle.api_core.operations_v1importtransports`
`44`	`45`	`fromgoogle.authimportcredentialsasga_credentials`
	`46`	`+fromgoogle.authimport__version__asauth_version`
`45`	`47`	`fromgoogle.auth.exceptionsimportMutualTLSChannelError`
`46`	`48`	`fromgoogle.longrunningimportoperations_pb2`
`47`	`49`	`fromgoogle.oauth2importservice_account`
`@@ -345,12 +347,30 @@ def test_operations_client_client_options(`
`345`	`347`	`withpytest.raises(MutualTLSChannelError):`
`346`	`348`	`client=client_class()`
`347`	`349`
`348`		`-# Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value.`
	`350`	`+# Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value`
`349`	`351`	`withmock.patch.dict(`
`350`	`352`	`os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":"Unsupported"}`
`351`	`353`	`):`
`352`		`-withpytest.raises(ValueError):`
`353`		`-client=client_class()`
	`354`	`+# Test behavior for google.auth versions < 2.43.0.`
	`355`	`+# These versions do not have the updated mtls.should_use_client_cert logic.`
	`356`	`+# Verify that a ValueError is raised when GOOGLE_API_USE_CLIENT_CERTIFICATE`
	`357`	`+# is set to an unsupported value, as expected in these older versions.`
	`358`	`+ifparse_version_to_tuple(auth_version)< (2,43,0):`
	`359`	`+withpytest.raises(ValueError):`
	`360`	`+client=client_class()`
	`361`	`+# Test behavior for google.auth versions >= 2.43.0.`
	`362`	`+# In these versions, if GOOGLE_API_USE_CLIENT_CERTIFICATE is set to an`
	`363`	`+# unsupported value (e.g., not 'true' or 'false'), the expected behavior`
	`364`	`+# of the internal google.auth.mtls.should_use_client_cert() function`
	`365`	`+# is to return False. Expect should_use_client_cert to return False, so`
	`366`	`+# client creation should proceed without requiring a client certificate.`
	`367`	`+else:`
	`368`	`+withmock.patch.object(transport_class,"__init__")aspatched:`
	`369`	`+patched.return_value=None`
	`370`	`+client=client_class(`
	`371`	`+credentials=ga_credentials.AnonymousCredentials(),`
	`372`	`+transport=transport_name,`
	`373`	`+ )`
`354`	`374`
`355`	`375`	`# Check the case quota_project_id is provided`
`356`	`376`	`options=client_options.ClientOptions(quota_project_id="octopus")`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf8bf6f9

File tree

2 files changed

2 files changed

`‎google/api_core/operations_v1/abstract_operations_base_client.py‎`

`‎tests/unit/operations_v1/test_operations_rest_client.py‎`

0 commit comments