feat(auth): add mTLS helper methods and endpoint configuration for handwritten SDK mTLS support #1
Closed
nbayati wants to merge 1 commit into

- Introduced `GOOGLE_API_USE_MTLS_ENDPOINT` environment variable to control whether an mTLS endpoint should be used (`always`, `never`, or `auto`).
- Added several new helper functions in `google.auth.transport.mtls` to facilitate SSL context creation and client certificate loading:
  - `load_client_cert_into_context`: Loads a client certificate and key into a provided SSL context.
  - `make_client_cert_ssl_context`: Creates a default SSL context loaded with a specific client certificate and key.
  - `load_default_client_cert`: Discovers and loads the default client certificate into a provided SSL context if mTLS is enabled.
  - `get_default_ssl_context`: Returns a default SSL context pre-loaded with the default client certificate, or `None` if unavailable.
  - `should_use_mtls_endpoint`: Determines if an mTLS endpoint should be used based on the new environment variable and certificate availability.
- Fixed outdated docstrings for `default_client_cert_source` and `default_client_encrypted_cert_source` to correctly state they raise `MutualTLSChannelError` instead of `DefaultClientCertSourceError`.
- Updated `default_client_cert_source` to also catch `ClientCertError` when loading credentials.
- Added comprehensive unit tests for the new mTLS helper methods.
Author (nbayati): Closing as the base has to be upstream, not my fork, and it cannot be changed.
This PR builds on top of PR googleapis#16976. It provides helper methods to allow custom HTTP and WebSocket connection pools (such as those in google-genai and google-adk) to load default client certificates and resolve the `GOOGLE_API_USE_MTLS_ENDPOINT` env var. Changes include:

- Introduced `GOOGLE_API_USE_MTLS_ENDPOINT` environment variable to control whether an mTLS endpoint should be used (`always`, `never`, or `auto`).
- Added several new helper functions in `google.auth.transport.mtls` to facilitate SSL context creation and client certificate loading:
  - `load_client_cert_into_context`: Loads a client certificate and key into a provided SSL context.
  - `make_client_cert_ssl_context`: Creates a default SSL context loaded with a specific client certificate and key.
  - `load_default_client_cert`: Discovers and loads the default client certificate into a provided SSL context if mTLS is enabled.
  - `get_default_ssl_context`: Returns a default SSL context pre-loaded with the default client certificate, or `None` if unavailable.
  - `should_use_mtls_endpoint`: Determines if an mTLS endpoint should be used based on the new environment variable and certificate availability.
- Fixed outdated docstrings for `default_client_cert_source` and `default_client_encrypted_cert_source` to correctly state they raise `MutualTLSChannelError` instead of `DefaultClientCertSourceError`.
- Updated `default_client_cert_source` to also catch `ClientCertError` when loading credentials.
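As an added illustration (not code from this PR or from google-auth), here is the resolution rule the description implies for `GOOGLE_API_USE_MTLS_ENDPOINT` together with a cert-loading helper written against the standard `ssl` module, plus how a custom connection pool would pick endpoint and context together. The `cert_source` callable shape, the reading of `auto` as "use mTLS only when a client certificate is available", treating an unrecognised value as a configuration error, and the endpoint strings are assumptions.

```python
import os
import ssl
import tempfile
from typing import Callable, Optional, Tuple

MTLS_ENDPOINT_ENV = "GOOGLE_API_USE_MTLS_ENDPOINT"
VALID_MODES = ("always", "never", "auto")
# Assumed shape of a certificate source: returns (cert_pem, key_pem) or None.
CertSource = Optional[Callable[[], Optional[Tuple[bytes, bytes]]]]


def should_use_mtls_endpoint(cert_available: bool, env: Optional[dict] = None) -> bool:
    """always -> True, never -> False, auto/unset -> True only if a cert is available.

    Rejecting any other value is an assumption: a typo in the variable should fail
    loudly rather than silently downgrade the client to the non-mTLS endpoint.
    """
    env = os.environ if env is None else env
    mode = env.get(MTLS_ENDPOINT_ENV, "auto").strip().lower()
    if mode not in VALID_MODES:
        raise ValueError(f"{MTLS_ENDPOINT_ENV} must be one of {VALID_MODES}, got {mode!r}")
    return {"always": True, "never": False, "auto": cert_available}[mode]


def load_client_cert_into_context(ctx: ssl.SSLContext, cert_pem: bytes, key_pem: bytes) -> ssl.SSLContext:
    """Load a PEM cert/key pair into an existing context.

    ssl only reads chains from files, so the private key passes through a temp file
    created with mode 0600 and deleted as soon as load_cert_chain has consumed it.
    """
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:
        f.write(cert_pem + b"\n" + key_pem)
        f.flush()
        ctx.load_cert_chain(f.name)
    return ctx


def get_default_ssl_context(cert_source: CertSource) -> Optional[ssl.SSLContext]:
    """Default context (server verification stays on) with the client cert, or None."""
    material = cert_source() if cert_source else None
    if material is None:
        return None
    return load_client_cert_into_context(ssl.create_default_context(), *material)


def select_endpoint(api_endpoint: str, mtls_endpoint: str, cert_source: CertSource,
                    env: Optional[dict] = None) -> Tuple[str, Optional[ssl.SSLContext]]:
    """What a custom pool would do: choose endpoint and context from one decision.

    With 'always' and no certificate the mTLS endpoint is still returned (ctx None);
    the server, not this code, is what enforces the client certificate requirement.
    """
    ctx = get_default_ssl_context(cert_source)
    if should_use_mtls_endpoint(ctx is not None, env):
        return mtls_endpoint, ctx
    return api_endpoint, None
```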