fix(auth): centralize cert discovery logic and steps#17696
Conversation
- Centralize mTLS configuration file path discovery by replacing disparate checks in `check_use_client_cert` and `has_default_client_cert_source` with a unified `_get_cert_config_path` helper. - Ensure X.509 Workload Identity Federation (WIF) takes precedence over SecureConnect by checking `_get_cert_config_path` before `CONTEXT_AWARE_METADATA_PATH` in `has_default_client_cert_source`. - Remove temporary Cloud Run certificate and key path overrides from `_get_workload_cert_and_key_paths`. - Properly honor `CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH` in availability checks, fixing an existing mismatch where auto-enablement would evaluate to true but the downstream source checker would miss the path. - Allow mTLS auto-enablement to properly trigger off the default `gcloud` configuration file (`~/.config/gcloud/certificate_config.json`), resolving previous contradictory behavior. - Ensure strict environment variable precedence: invalid paths supplied via environment variables now correctly result in failures rather than silently falling back to default disk locations. - Update tests to reflect the new centralized resolution and precedence logic.
There was a problem hiding this comment.
Code Review
This pull request removes the temporary Cloud Run certificate path patch and its associated tests. It also refactors and simplifies certificate configuration path resolution in check_use_client_cert and has_default_client_cert_source by utilizing the helper function _get_cert_config_path, updating the corresponding unit tests to match. I have no feedback to provide as there are no review comments.
d91693a to
f95ebd0
Compare
| key_path = workload["key_path"] | ||
|
|
||
| # == BEGIN Temporary Cloud Run PATCH == | ||
| # See https://github.com/googleapis/google-auth-library-python/issues/1881 |
There was a problem hiding this comment.
#15137 ( https://github.com/googleapis/google-auth-library-python/issues/1881) is not yet fixed. Can you clarify if #15137 is fixed or if we still need this temporary patch?
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request refactors mTLS configuration path resolution by centralizing path retrieval in _get_cert_config_path and removing the temporary Cloud Run patch. It also changes mTLS auto-enablement failure logging from warnings to debug messages. The review feedback highlights a potential TypeError crash if the loaded certificate configuration JSON is not a dictionary, and suggests validating the JSON type before accessing its keys.
| try: | ||
| with open(cert_path, "r") as f: | ||
| content = json.load(f) | ||
| except (FileNotFoundError, OSError, json.JSONDecodeError) as e: |
There was a problem hiding this comment.
If the certificate configuration file contains a non-dictionary JSON value (such as null, 123, or true), json.load(f) will return a non-dict type. Checking "cert_configs" in content will raise a TypeError and crash the application.
Furthermore, to prevent security vulnerabilities or confusing downstream authorization errors, we must not silently fall back to standard TLS when mTLS configuration or certificate loading fails. Instead, we should fail fast by raising an appropriate exception.
try:
with open(cert_path, "r") as f:
content = json.load(f)
if not isinstance(content, dict):
raise ValueError("Certificate configuration file is not a JSON object.")
except (FileNotFoundError, OSError, json.JSONDecodeError) as e:References
- Do not silently fall back to standard TLS if mutual TLS (mTLS) configuration or certificate loading fails. Silently falling back can introduce security vulnerabilities or cause confusing downstream authorization errors; instead, fail fast by raising an appropriate exception.
check_use_client_certandhas_default_client_cert_sourcewith a unified_get_cert_config_pathhelper._get_cert_config_pathbeforeCONTEXT_AWARE_METADATA_PATHinhas_default_client_cert_source._get_workload_cert_and_key_paths.CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATHin availability checks, fixing an existing mismatch where auto-enablement would evaluate to true but the downstream source checker would miss the path.gcloudconfiguration file (~/.config/gcloud/certificate_config.json), resolving previous contradictory behavior._has_logged_mtls_warningmasks distinct mTLS configuration errors #17697