refactor: Use new ConnectSettings.DnsNames field to validate the server TLS certificate.

hessjcg · hessjcg · commit 73246b880944 · 2025-03-12T12:49:21.000-06:00
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,4 @@ venv
 .python-version
 cloud_sql_python_connector.egg-info/
 dist/
+.idea
diff --git a/google/cloud/sql/connector/client.py b/google/cloud/sql/connector/client.py
@@ -157,8 +157,19 @@ async def _get_metadata(
         # Note that we have to check for PSC enablement also because CAS
         # instances also set the dnsName field.
         # Remove trailing period from DNS name. Required for SSL in Python
-        dns_name = ret_dict.get("dnsName", "").rstrip(".")
-        if dns_name and ret_dict.get("pscEnabled"):
+        if ret_dict.get("pscEnabled"):
+            psc_dns_names = [
+                d["name"]
+                for d in ret_dict.get("dnsNames", [])
+                if d["connectionType"] == "PRIVATE_SERVICE_CONNECT"
+                and d["dnsScope"] == "INSTANCE"
+            ]
+
+            dns_name = psc_dns_names[0] if psc_dns_names else None
+
+            if dns_name is None:
+                dns_name = ret_dict.get("dnsName", "").rstrip(".")
+
             ip_addresses["PSC"] = dns_name
 
         return {
diff --git a/tests/unit/mocks.py b/tests/unit/mocks.py
@@ -256,6 +256,13 @@ async def connect_settings(self, request: Any) -> web.Response:
                 "expirationTime": str(self.cert_expiration),
             },
             "dnsName": "abcde.12345.us-central1.sql.goog",
+            "dnsNames": [
+                {
+                    "name": "abcde.12345.us-central1.sql.goog",
+                    "connectionType": "PRIVATE_SERVICE_CONNECT",
+                    "dnsScope": "INSTANCE",
+                }
+            ],
             "pscEnabled": self.psc_enabled,
             "ipAddresses": ip_addrs,
             "region": self.region,
