add fallback for http error codes from mds

nolanleastin · nolanleastin · commit 2f1a3b024227 · 2025-11-17T23:09:53.000Z
diff --git a/google/auth/compute_engine/_mtls.py b/google/auth/compute_engine/_mtls.py
@@ -141,8 +141,14 @@ def send(self, request, **kwargs):
 
         # In default mode, attempt mTLS first, then fallback to HTTP on failure
         try:
-            return super(MdsMtlsAdapter, self).send(request, **kwargs)
-        except (ssl.SSLError, requests.exceptions.SSLError) as e:
+            response = super(MdsMtlsAdapter, self).send(request, **kwargs)
+            response.raise_for_status()
+            return response
+        except (
+            ssl.SSLError,
+            requests.exceptions.SSLError,
+            requests.exceptions.HTTPError,
+        ) as e:
             _LOGGER.warning(
                 "mTLS connection to Compute Engine Metadata server failed. "
                 "Falling back to standard HTTP. Reason: %s",
diff --git a/tests/compute_engine/test__mtls.py b/tests/compute_engine/test__mtls.py
@@ -193,6 +193,34 @@ def test_mds_mtls_adapter_send_fallback_default_mode(
     assert fallback_request.url == "http://example.com/"
 
 
+@mock.patch("google.auth.compute_engine._mtls.HTTPAdapter")
+@mock.patch("google.auth.compute_engine._mtls._parse_mds_mode")
+@mock.patch("ssl.create_default_context")
+def test_mds_mtls_adapter_send_fallback_http_error(
+    mock_ssl_context, mock_parse_mds_mode, mock_http_adapter_class, mock_mds_mtls_config
+):
+    mock_parse_mds_mode.return_value = _mtls.MdsMtlsMode.DEFAULT
+    adapter = _mtls.MdsMtlsAdapter(mock_mds_mtls_config)
+
+    mock_fallback_send = mock.Mock()
+    mock_http_adapter_class.return_value.send = mock_fallback_send
+
+    # Simulate HTTPError on the super().send() call
+    mock_mtls_response = requests.Response()
+    mock_mtls_response.status_code = 404
+    with mock.patch(
+        "requests.adapters.HTTPAdapter.send", return_value=mock_mtls_response
+    ):
+        request = requests.Request(method="GET", url="https://example.com").prepare()
+        adapter.send(request)
+
+    # Check that fallback to HTTPAdapter.send occurred
+    mock_http_adapter_class.assert_called_once()
+    mock_fallback_send.assert_called_once()
+    fallback_request = mock_fallback_send.call_args[0][0]
+    assert fallback_request.url == "http://example.com/"
+
+
 @mock.patch("google.auth.compute_engine._mtls._parse_mds_mode")
 @mock.patch("ssl.create_default_context")
 def test_mds_mtls_adapter_send_no_fallback_strict_mode(
