feat(api_core): add mtls and client configuration logic to gapic_v1#17750
feat(api_core): add mtls and client configuration logic to gapic_v1#17750hebaalazzeh wants to merge 31 commits into
Conversation
…public helpers Introduces client_cert and config_helpers modules containing use_client_cert_effective, get_client_cert_source, and read_environment_variables helpers. Exposes these modules as public in gapic_v1.
…public helpers Introduces routing module containing get_api_endpoint, get_default_mtls_endpoint, and get_universe_domain helpers. Exposes the module as public in gapic_v1.
There was a problem hiding this comment.
Code Review
This pull request introduces helper modules client_cert.py and config_helpers.py to handle client certificate loading and environment variable parsing for mTLS, along with corresponding unit tests and test environment isolation. The review feedback advises against silently falling back to standard TLS when mTLS is requested but no certificate source is found, suggesting instead to raise a ValueError and add a test case to verify this behavior.
|
/gemini review |
…ted client helper
There was a problem hiding this comment.
Code Review
This pull request introduces helper modules client_cert and config_helpers under google/api_core/gapic_v1 to manage client certificate handling, mTLS authentication, and parsing of environment variables such as GOOGLE_API_USE_CLIENT_CERTIFICATE, GOOGLE_API_USE_MTLS_ENDPOINT, and GOOGLE_CLOUD_UNIVERSE_DOMAIN. It also includes comprehensive unit tests and a test fixture to isolate unit tests from workstation mTLS environments. I have no feedback to provide as there are no review comments.
…apic-centralization-api-core-mtls
…nt_utils in routing branch
…rt suffixes in mTLS conversion
…tion leaks (#17689) This PR is fixing two issues found in the auth library: 1. Adapter Connection Leaks Whenever the `configure_mtls_channel()` method was called, the code would create a new mTLS `HTTPAdapter` and mount it to `"https://"`. However, it never closed the *old* adapter it was replacing. Because of how the underlying `requests` and `urllib3` libraries work, the old adapter's connection pool was left open, creating dangling sockets and eventually causing file descriptor exhaustion. **The Fix:** I updated the method to retrieve the existing `"https://"` adapter (via `self.get_adapter()`) before replacing it. If an old adapter is found, we now explicitly call `old_adapter.close()` to shut down its connection pool and cleanly release the sockets back to the OS. 2. Missing Auth Request Session Update (Issue #17680) The `AuthorizedSession` class maintains an internal session called `_auth_request_session`. This hidden session is specifically responsible for doing background work, like fetching new OAuth tokens or signing IAM requests. When mTLS was enabled, the new secure adapter was *only* applied to the main user-facing session, completely missing this internal session. As a result, critical token refreshes were bypassing mTLS and failing when they hit strict Certificate-Based Access (CBA) endpoints. **The Fix:** I added logic to check if `self._auth_request_session` exists during the mTLS configuration. If it does, we now apply the exact same cleanup (closing its old adapter) and then explicitly mount the new mTLS adapter to it. This guarantees that all background token refreshes are routed securely over the mTLS channel. Also added a documentation warning to clarify that dynamically reconfiguring the channel mutates the underlying session and is not natively thread-safe.
…d environment parsing
…apic-centralization-api-core-mtls
…apic-centralization-api-core-mtls
… and remove should_use_mtls_endpoint
Introduces
client_utilscontaininguse_client_cert_effective,get_client_cert_source, andread_environment_variableshelpers. Exposes this module as public ingapic_v1.The unit tests in test_client_utils.py are now identical to the generator's original test template
test_service.py.j2.Specifically, the following tests verify the helpers: