Commit324eb74

authored
fix: deprecate credentials_file argument (#841)
* fix: deprecate credentials_file argument
* lint
* cover
* fix build
1 parent14a5978 commit324eb74


8 files changed

+149
-33
lines changed

8 files changed

+149
-33
lines changed

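--- a/google/api_core/client_options.py
+++ b/google/api_core/client_options.py
@@ -49,6 +49,9 @@ def get_client_cert():
 """
 
 fromtypingimportCallable,Mapping,Optional,Sequence,Tuple
+importwarnings
+
+fromgoogle.api_coreimportgeneral_helpers
 
 
 classClientOptions(object):
@@ -67,8 +70,9 @@ class ClientOptions(object):
 and ``client_encrypted_cert_source`` are mutually exclusive.
 quota_project_id (Optional[str]): A project name that a client's
 quota belongs to.
-credentials_file (Optional[str]): A path to a file storing credentials.
-``credentials_file` and ``api_key`` are mutually exclusive.
+credentials_file (Optional[str]): Deprecated. A path to a file storing credentials.
+``credentials_file` and ``api_key`` are mutually exclusive. This argument will be
+removed in the next major version of `google-api-core`.
 
 .. warning::
 Important: If you accept a credential configuration (credential JSON/File/Stream)
@@ -114,6 +118,9 @@ def __init__(
 api_audience:Optional[str]=None,
 universe_domain:Optional[str]=None,
 ):
+ifcredentials_fileisnotNone:
+warnings.warn(general_helpers._CREDENTIALS_FILE_WARNING,DeprecationWarning)
+
 ifclient_cert_sourceandclient_encrypted_cert_source:
 raiseValueError(
 "client_cert_source and client_encrypted_cert_source are mutually exclusive"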
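Review bot: The `warnings.warn(general_helpers._CREDENTIALS_FILE_WARNING, DeprecationWarning)` call added to `ClientOptions.__init__` passes no `stacklevel`, so the warning is attributed to this library line rather than to the code that supplied `credentials_file`. Python's default filters only display a `DeprecationWarning` when it is attributed to `__main__`, so as written most applications will never see a deprecation that exists for a security reason. Consider `warnings.warn(general_helpers._CREDENTIALS_FILE_WARNING, DeprecationWarning, stacklevel=2)` here, and decide whether `FutureWarning` (shown by default) is the better category for the transports, where the immediate caller is likely still library code. The same call appears in grpc_helpers.py, grpc_helpers_async.py and the three operations_v1 transports (base.py, rest.py, rest_asyncio.py). The body of `__init__` continues outside the hunk.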
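--- a/google/api_core/general_helpers.py
+++ b/google/api_core/general_helpers.py
@@ -14,3 +14,39 @@
 
 # This import for backward compatibility only.
 fromfunctoolsimportwraps# noqa: F401 pragma: NO COVER
+
+_CREDENTIALS_FILE_WARNING="""\
+The `credentials_file` argument is deprecated because of a potential security risk.
+
+The `google.auth.load_credentials_from_file` method does not validate the credential
+configuration. The security risk occurs when a credential configuration is accepted
+from a source that is not under your control and used without validation on your side.
+
+If you know that you will be loading credential configurations of a
+specific type, it is recommended to use a credential-type-specific
+load method.
+
+This will ensure that an unexpected credential type with potential for
+malicious intent is not loaded unintentionally. You might still have to do
+validation for certain credential types. Please follow the recommendations
+for that method. For example, if you want to load only service accounts,
+you can create the service account credentials explicitly:
+
+```
+from google.cloud.vision_v1 import ImageAnnotatorClient
+from google.oauth2 import service_account
+
+credentials = service_account.Credentials.from_service_account_file(filename)
+client = ImageAnnotatorClient(credentials=credentials)
+```
+
+If you are loading your credential configuration from an untrusted source and have
+not mitigated the risks (e.g. by validating the configuration yourself), make
+these changes as soon as possible to prevent security risks to your environment.
+
+Regardless of the method used, it is always your responsibility to validate
+configurations received from external sources.
+
+Refer to https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+for more details.
+"""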
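Review bot: `_CREDENTIALS_FILE_WARNING` is a roughly thirty-line message with a Markdown code fence and a product-specific import (`google.cloud.vision_v1`), and every call site in this commit passes it whole to `warnings.warn`, so all of it lands in stderr or logs whenever the filter lets it through. A shorter message that states the deprecation, the risk in one sentence and the documentation URL would be easier to read in a log, with the worked example left to the linked page. At minimum add a comment above the constant, for example `# Emitted as a DeprecationWarning wherever a credentials_file argument is accepted.`, so the next maintainer knows it is shared across modules.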
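--- a/google/api_core/grpc_helpers.py
+++ b/google/api_core/grpc_helpers.py
@@ -13,20 +13,19 @@
 # limitations under the License.
 
 """Helpers for :mod:`grpc`."""
-fromtypingimportGeneric,Iterator,Optional,TypeVar
-
 importcollections
 importfunctools
+fromtypingimportGeneric,Iterator,Optional,TypeVar
 importwarnings
 
-importgrpc
-
-fromgoogle.api_coreimportexceptions
 importgoogle.auth
 importgoogle.auth.credentials
 importgoogle.auth.transport.grpc
 importgoogle.auth.transport.requests
 importgoogle.protobuf
+importgrpc
+
+fromgoogle.api_coreimportexceptions,general_helpers
 
 PROTOBUF_VERSION=google.protobuf.__version__
 
@@ -213,9 +212,10 @@ def _create_composite_credentials(
 credentials (google.auth.credentials.Credentials): The credentials. If
 not specified, then this function will attempt to ascertain the
 credentials from the environment using :func:`google.auth.default`.
-credentials_file (str): A file with credentials that can be loaded with
+credentials_file (str):Deprecated.A file with credentials that can be loaded with
 :func:`google.auth.load_credentials_from_file`. This argument is
-mutually exclusive with credentials.
+mutually exclusive with credentials. This argument will be
+removed in the next major version of `google-api-core`.
 
 .. warning::
 Important: If you accept a credential configuration (credential JSON/File/Stream)
@@ -245,6 +245,9 @@ def _create_composite_credentials(
 Raises:
 google.api_core.DuplicateCredentialArgs: If both a credentials object and credentials_file are passed.
 """
+ifcredentials_fileisnotNone:
+warnings.warn(general_helpers._CREDENTIALS_FILE_WARNING,DeprecationWarning)
+
 ifcredentialsandcredentials_file:
 raiseexceptions.DuplicateCredentialArgs(
 "'credentials' and 'credentials_file' are mutually exclusive."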

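--- a/google/api_core/grpc_helpers_async.py
+++ b/google/api_core/grpc_helpers_async.py
@@ -20,13 +20,14 @@
 
 importasyncio
 importfunctools
+importwarnings
 
 fromtypingimportAsyncGenerator,Generic,Iterator,Optional,TypeVar
 
 importgrpc
 fromgrpcimportaio
 
-fromgoogle.api_coreimportexceptions,grpc_helpers
+fromgoogle.api_coreimportexceptions,general_helpers,grpc_helpers
 
 # denotes the proto response type for grpc calls
 P=TypeVar("P")
@@ -233,9 +234,10 @@ def create_channel(
 are passed to :func:`google.auth.default`.
 ssl_credentials (grpc.ChannelCredentials): Optional SSL channel
 credentials. This can be used to specify different certificates.
-credentials_file (str): A file with credentials that can be loaded with
+credentials_file (str):Deprecated.A file with credentials that can be loaded with
 :func:`google.auth.load_credentials_from_file`. This argument is
-mutually exclusive with credentials.
+mutually exclusive with credentials. This argument will be
+removed in the next major version of `google-api-core`.
 
 .. warning::
 Important: If you accept a credential configuration (credential JSON/File/Stream)
@@ -280,6 +282,9 @@ def create_channel(
 ValueError: If `ssl_credentials` is set and `attempt_direct_path` is set to `True`.
 """
 
+ifcredentials_fileisnotNone:
+warnings.warn(general_helpers._CREDENTIALS_FILE_WARNING,DeprecationWarning)
+
 # If `ssl_credentials` is set and `attempt_direct_path` is set to `True`,
 # raise ValueError as this is not yet supported.
 # See https://github.com/googleapis/python-api-core/issues/590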
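Review bot: The warning added at the top of `create_channel` may be emitted a second time further down the same call path, because grpc_helpers.py adds the identical `warnings.warn` in the hunk labelled `_create_composite_credentials` and this module imports `grpc_helpers`. If `create_channel` delegates credential handling there (not visible in this hunk), one use of `credentials_file` produces two warnings from two locations. The same may apply to operations_v1/transports/rest.py, whose new warning sits directly above the `# Run the base constructor` comment while `__init__` in base.py warns as well. Emitting only at the outermost public entry point, or routing every call site through one small helper in `general_helpers`, would keep it to one warning per use. The body of `create_channel` continues outside the hunk.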

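--- a/google/api_core/operations_v1/transports/base.py
+++ b/google/api_core/operations_v1/transports/base.py
@@ -16,12 +16,8 @@
 importabc
 importre
 fromtypingimportAwaitable,Callable,Optional,Sequence,Union
+importwarnings
 
-importgoogle.api_core# type: ignore
-fromgoogle.api_coreimportexceptionsascore_exceptions# type: ignore
-fromgoogle.api_coreimportgapic_v1# type: ignore
-fromgoogle.api_coreimportretryasretries# type: ignore
-fromgoogle.api_coreimportversion
 importgoogle.auth# type: ignore
 fromgoogle.authimportcredentialsasga_credentials# type: ignore
 fromgoogle.longrunningimportoperations_pb2
@@ -30,6 +26,12 @@
 fromgoogle.protobufimportempty_pb2,json_format# type: ignore
 fromgrpcimportCompression
 
+importgoogle.api_core# type: ignore
+fromgoogle.api_coreimportexceptionsascore_exceptions# type: ignore
+fromgoogle.api_coreimportgapic_v1# type: ignore
+fromgoogle.api_coreimportgeneral_helpers
+fromgoogle.api_coreimportretryasretries# type: ignore
+fromgoogle.api_coreimportversion
 
 PROTOBUF_VERSION=google.protobuf.__version__
 
@@ -69,9 +71,10 @@ def __init__(
 credentials identify the application to the service; if none
 are specified, the client will attempt to ascertain the
 credentials from the environment.
-credentials_file (Optional[str]): A file with credentials that can
+credentials_file (Optional[str]):Deprecated.A file with credentials that can
 be loaded with :func:`google.auth.load_credentials_from_file`.
-This argument is mutually exclusive with credentials.
+This argument is mutually exclusive with credentials. This argument will be
+removed in the next major version of `google-api-core`.
 
 .. warning::
 Important: If you accept a credential configuration (credential JSON/File/Stream)
@@ -98,6 +101,9 @@ def __init__(
 "https", but for testing or local servers,
 "http" can be specified.
 """
+ifcredentials_fileisnotNone:
+warnings.warn(general_helpers._CREDENTIALS_FILE_WARNING,DeprecationWarning)
+
 maybe_url_match=re.match("^(?P<scheme>http(?:s)?://)?(?P<host>.*)$",host)
 ifmaybe_url_matchisNone:
 raiseValueError(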

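--- a/google/api_core/operations_v1/transports/rest.py
+++ b/google/api_core/operations_v1/transports/rest.py
@@ -15,23 +15,26 @@
 #
 
 fromtypingimportCallable,Dict,Optional,Sequence,Tuple,Union
+importwarnings
 
+fromgoogle.authimportcredentialsasga_credentials# type: ignore
+fromgoogle.auth.transport.requestsimportAuthorizedSession# type: ignore
+fromgoogle.longrunningimportoperations_pb2# type: ignore
+importgoogle.protobuf
+fromgoogle.protobufimportempty_pb2# type: ignore
+fromgoogle.protobufimportjson_format# type: ignore
+importgrpc
 fromrequestsimport__version__asrequests_version
 
 fromgoogle.api_coreimportexceptionsascore_exceptions# type: ignore
 fromgoogle.api_coreimportgapic_v1# type: ignore
+fromgoogle.api_coreimportgeneral_helpers
 fromgoogle.api_coreimportpath_template# type: ignore
 fromgoogle.api_coreimportrest_helpers# type: ignore
 fromgoogle.api_coreimportretryasretries# type: ignore
-fromgoogle.authimportcredentialsasga_credentials# type: ignore
-fromgoogle.auth.transport.requestsimportAuthorizedSession# type: ignore
-fromgoogle.longrunningimportoperations_pb2# type: ignore
-fromgoogle.protobufimportempty_pb2# type: ignore
-fromgoogle.protobufimportjson_format# type: ignore
-importgoogle.protobuf
 
-importgrpc
-from .baseimportDEFAULT_CLIENT_INFOasBASE_DEFAULT_CLIENT_INFO,OperationsTransport
+from .baseimportDEFAULT_CLIENT_INFOasBASE_DEFAULT_CLIENT_INFO
+from .baseimportOperationsTransport
 
 PROTOBUF_VERSION=google.protobuf.__version__
 
@@ -91,19 +94,20 @@ def __init__(
 are specified, the client will attempt to ascertain the
 credentials from the environment.
 
-credentials_file (Optional[str]): A file with credentials that can
+credentials_file (Optional[str]):Deprecated.A file with credentials that can
 be loaded with :func:`google.auth.load_credentials_from_file`.
-This argument is ignored if ``channel`` is provided.
+This argument is ignored if ``channel`` is provided. This argument will be
+removed in the next major version of `google-api-core`.
 
 .. warning::
 Important: If you accept a credential configuration (credential JSON/File/Stream)
 from an external source for authentication to Google Cloud Platform, you must
 validate it before providing it to any Google API or client library. Providing an
 unvalidated credential configuration to Google APIs or libraries can compromise
 the security of your systems and data. For more information, refer to
-`Validate credentialconfigurations from external sources`_.
+`Validate credentialconfiguration from external sources`_.
 
-.. _Validate credentialconfigurations from external sources:
+.. _Validate credentialconfiguration from external sources:
 
 https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
 scopes (Optional(Sequence[str])): A list of scopes. This argument is
@@ -130,6 +134,9 @@ def __init__(
 "v1" by default.
 
 """
+ifcredentials_fileisnotNone:
+warnings.warn(general_helpers._CREDENTIALS_FILE_WARNING,DeprecationWarning)
+
 # Run the base constructor
 # TODO(yon-mg): resolve other ctor params i.e. scopes, quota, etc.
 # TODO: When custom host (api_endpoint) is set, `scopes` must *also* be set on the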
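Review bot: The docstring hunk renames the link label in the `.. warning::` block from the plural "configurations" to the singular "configuration", while the docstring this commit adds in rest_asyncio.py uses the plural form. The reference and its target are changed together, so the link should still resolve, but the wording now differs between the two transports for no visible reason. Keeping the plural label here would avoid that drift. The spacing inside the label cannot be judged from this rendering.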

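--- a/google/api_core/operations_v1/transports/rest_asyncio.py
+++ b/google/api_core/operations_v1/transports/rest_asyncio.py
@@ -16,6 +16,7 @@
 
 importjson
 fromtypingimportAny,Callable,Coroutine,Dict,Optional,Sequence,Tuple
+importwarnings
 
 fromgoogle.authimport__version__asauth_version
 
@@ -29,6 +30,7 @@
 
 fromgoogle.api_coreimportexceptionsascore_exceptions# type: ignore
 fromgoogle.api_coreimportgapic_v1# type: ignore
+fromgoogle.api_coreimportgeneral_helpers
 fromgoogle.api_coreimportpath_template# type: ignore
 fromgoogle.api_coreimportrest_helpers# type: ignore
 fromgoogle.api_coreimportretry_asyncasretries_async# type: ignore
@@ -96,6 +98,22 @@ def __init__(
 credentials identify the application to the service; if none
 are specified, the client will attempt to ascertain the
 credentials from the environment.
+credentials_file (Optional[str]): Deprecated. A file with credentials that can
+be loaded with :func:`google.auth.load_credentials_from_file`.
+This argument is ignored if ``channel`` is provided. This argument will be
+removed in the next major version of `google-api-core`.
+
+.. warning::
+Important: If you accept a credential configuration (credential JSON/File/Stream)
+from an external source for authentication to Google Cloud Platform, you must
+validate it before providing it to any Google API or client library. Providing an
+unvalidated credential configuration to Google APIs or libraries can compromise
+the security of your systems and data. For more information, refer to
+`Validate credential configurations from external sources`_.
+
+.. _Validate credential configurations from external sources:
+
+https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
 client_info (google.api_core.gapic_v1.client_info.ClientInfo):
 The client info used to send a user-agent string along with
 API requests. If ``None``, then default info will be used.
@@ -113,6 +131,9 @@ def __init__(
 "v1" by default.
 
 """
+ifcredentials_fileisnotNone:
+warnings.warn(general_helpers._CREDENTIALS_FILE_WARNING,DeprecationWarning)
+
 unsupported_params= {
 # TODO(https://github.com/googleapis/python-api-core/issues/715): Add support for `credentials_file` to async REST transport.
 "google.api_core.client_options.ClientOptions.credentials_file":credentials_file,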
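Review bot: The docstring added for `credentials_file` describes a file loadable with `google.auth.load_credentials_from_file` that is ignored if ``channel`` is provided, but the context lines right after the new warning put `credentials_file` into `unsupported_params` under a TODO to add support for it. If that dict is what rejects the argument (the rest of `__init__` is outside the hunk), a caller gets a deprecation warning immediately followed by an unsupported-parameter error, and the docstring promises behaviour this transport does not have. Say so in the docstring, e.g. `credentials_file (Optional[str]): Deprecated and not supported by this transport.`, and either drop the warning here or move it after the unsupported-parameter check. The TODO asking for `credentials_file` support also looks stale now that the argument is deprecated.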
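--- a/tests/unit/operations_v1/test_operations_rest_client.py
+++ b/tests/unit/operations_v1/test_operations_rest_client.py
@@ -368,6 +368,22 @@ def test_operations_client_client_options(
 always_use_jwt_access=True,
 )
 
+# Check the case credentials_file is provided
+options=client_options.ClientOptions(credentials_file="credentials.json")
+withmock.patch.object(transport_class,"__init__")aspatched:
+patched.return_value=None
+client=client_class(client_options=options,transport=transport_name)
+patched.assert_called_once_with(
+credentials=None,
+credentials_file="credentials.json",
+host=client.DEFAULT_ENDPOINT,
+scopes=None,
+client_cert_source_for_mtls=None,
+quota_project_id=None,
+client_info=transports.base.DEFAULT_CLIENT_INFO,
+always_use_jwt_access=True,
+)
+
 
 # TODO: Add support for mtls in async REST
 @pytest.mark.parametrize(
@@ -544,8 +560,23 @@ def test_operations_client_client_options_credentials_file(
 )
 
 
-deftest_list_operations_rest():
-client=_get_operations_client(is_async=False)
+@pytest.mark.parametrize(
+"credentials_file",
+[None,"credentials.json"],
+)
+@mock.patch(
+"google.auth.default",
+autospec=True,
+return_value=(mock.sentinel.credentials,mock.sentinel.project),
+)
+deftest_list_operations_rest(google_auth_default,credentials_file):
+sync_transport=transports.rest.OperationsRestTransport(
+credentials_file=credentials_file,
+http_options=HTTP_OPTIONS,
+)
+
+client=AbstractOperationsClient(transport=sync_transport)
+
 # Mock the http request call within the method and fake a response.
 withmock.patch.object(_get_session_type(is_async=False),"request")asreq:
 # Designate an appropriate value for the returned response.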
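Review bot: Neither test change asserts that a `DeprecationWarning` is raised. `test_list_operations_rest` is parametrized over `None` and `"credentials.json"`, and the block added to `test_operations_client_client_options` builds `ClientOptions(credentials_file="credentials.json")`, but both only execute the new branch. Wrap the construction in `with pytest.warns(DeprecationWarning):` for the `"credentials.json"` case, and check that nothing is raised for `None`, so that a later change to the condition or the warning category is caught. `test_list_operations_rest` continues outside the hunk.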
