fix: Deprecating generic load methods and adding warnings on few cred types

Author: sai-sunder-s

google/auth/_default.py

@@ -59,10 +59,50 @@
 https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds. \
 """
 
+_GENERIC_LOAD_METHOD_WARNING = """\
+The {} method is being deprecated because of a potential security risk.
+
+This method does not validate the credential configuration. The security
+risk occurs when a credential configuration is accepted from a source that
+is not under your control and used without validation on your side.
+
+If you know that you will be loading credential configurations of a
+specific type, it is recommended to use a credential-type-specific
+load method.
+This will ensure that an unexpected credential type with potential for
+malicious intent is not loaded unintentionally. You might still have to do
+validation for certain credential types. Please follow the recommendations
+for that method. For example, if you want to load only service accounts,
+you can create the service account credentials explicitly:
+
+```
+from google.oauth2 import service_account
+creds = service_account.Credentials.from_service_account_file(filename)
+```
+
+If you are loading your credential configuration from an untrusted source and have
+not mitigated the risks (e.g. by validating the configuration yourself), make
+these changes as soon as possible to prevent security risks to your environment.
+
+Regardless of the method used, it is always your responsibility to validate
+configurations received from external sources.
+
+Refer to https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+for more details.
+"""
+
 # The subject token type used for AWS external_account credentials.
 _AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"
 
 
+class GenericLoadMethodWarning(DeprecationWarning):  # pragma: NO COVER
+    """
+    Deprecation warning raised when a generic load method is used.
+    """
+
+    pass
+
+
 def _warn_about_problematic_credentials(credentials):
     """Determines if the credentials are problematic.
 
@@ -75,6 +115,23 @@ def _warn_about_problematic_credentials(credentials):
     if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
         warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)
 
+def _warn_about_generic_load_method(method_name):  # pragma: NO COVER
+    """Warns that a generic load method is being used.
+
+    This is to discourage use of the generic load methods in favor of
+    more specific methods. The generic methods are more likely to lead to
+    security issues if the input is not validated.
+
+    Args:
+        method_name (str): The name of the method being used.
+    """
+
+    
+    warnings.warn(
+        _GENERIC_LOAD_METHOD_WARNING.format(method_name),
+        GenericLoadMethodWarning,
+    )
+
 
 def load_credentials_from_file(
     filename, scopes=None, default_scopes=None, quota_project_id=None, request=None
@@ -121,6 +178,8 @@ def load_credentials_from_file(
         google.auth.exceptions.DefaultCredentialsError: if the file is in the
             wrong format or is missing.
     """
+    _warn_about_generic_load_method("load_credentials_from_file")
+
     if not os.path.exists(filename):
         raise exceptions.DefaultCredentialsError(
             "File {} was not found.".format(filename)
@@ -184,6 +243,7 @@ def load_credentials_from_dict(
         google.auth.exceptions.DefaultCredentialsError: if the file is in the
             wrong format or is missing.
     """
+    _warn_about_generic_load_method("load_credentials_from_dict")
     if not isinstance(info, dict):
         raise exceptions.DefaultCredentialsError(
             "info object was of type {} but dict type was expected.".format(type(info))

google/auth/external_account.py

@@ -89,6 +89,14 @@ class Credentials(
     credentials for Google access token and authorizing requests to Google APIs.
     The base class implements the common logic for exchanging external account
     credentials for Google access tokens.
+
+    **IMPORTANT**:
+    This method does not validate the credential configuration. A security
+    risk occurs when a credential configuration configured with malicious urls
+    is used.
+    When the credential configuration is accepted from an
+    untrusted source, you should validate it before using with this method.
+    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
     """
 
     def __init__(
@@ -576,6 +584,14 @@ def _get_mtls_cert_and_key_paths(self):
     def from_info(cls, info, **kwargs):
         """Creates a Credentials instance from parsed external account info.
 
+        **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             info (Mapping[str, str]): The external account info in Google
                 format.
@@ -615,6 +631,14 @@ def from_info(cls, info, **kwargs):
     def from_file(cls, filename, **kwargs):
         """Creates a Credentials instance from an external account json file.
 
+        **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             filename (str): The path to the external account json file.
             kwargs: Additional arguments to pass to the constructor.

google/auth/external_account_authorized_user.py

@@ -60,6 +60,14 @@ class Credentials(
     The credentials are considered immutable. If you want to modify the
     quota project, use `with_quota_project` and if you want to modify the token
     uri, use `with_token_uri`.
+
+    **IMPORTANT**:
+    This method does not validate the credential configuration. A security
+    risk occurs when a credential configuration configured with malicious urls
+    is used.
+    When the credential configuration is accepted from an
+    untrusted source, you should validate it before using with this method.
+    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
     """
 
     def __init__(
@@ -328,6 +336,14 @@ def with_universe_domain(self, universe_domain):
     def from_info(cls, info, **kwargs):
         """Creates a Credentials instance from parsed external account info.
 
+        **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             info (Mapping[str, str]): The external account info in Google
                 format.
@@ -367,6 +383,14 @@ def from_info(cls, info, **kwargs):
     def from_file(cls, filename, **kwargs):
         """Creates a Credentials instance from an external account json file.
 
+        **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             filename (str): The path to the external account json file.
             kwargs: Additional arguments to pass to the constructor.

google/auth/identity_pool.py

@@ -497,6 +497,14 @@ def _validate_single_source(self):
     def from_info(cls, info, **kwargs):
         """Creates an Identity Pool Credentials instance from parsed external account info.
 
+        **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             info (Mapping[str, str]): The Identity Pool external account info in Google
                 format.
@@ -517,6 +525,14 @@ def from_info(cls, info, **kwargs):
     def from_file(cls, filename, **kwargs):
         """Creates an IdentityPool Credentials instance from an external account json file.
 
+        **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             filename (str): The path to the IdentityPool external account json file.
             kwargs: Additional arguments to pass to the constructor.

google/auth/impersonated_credentials.py

@@ -184,6 +184,14 @@ class Credentials(
         buckets = client.list_buckets(project='your_project')
         for bucket in buckets:
           print(bucket.name)
+
+    **IMPORTANT**:
+    This method does not validate the credential configuration. A security
+    risk occurs when a credential configuration configured with malicious urls
+    is used.
+    When the credential configuration is accepted from an
+    untrusted source, you should validate it before using with this method.
+    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
     """
 
     def __init__(
@@ -454,6 +462,14 @@ def with_scopes(self, scopes, default_scopes=None):
     def from_impersonated_service_account_info(cls, info, scopes=None):
         """Creates a Credentials instance from parsed impersonated service account credentials info.
 
+        **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             info (Mapping[str, str]): The impersonated service account credentials info in Google
                 format.

google/auth/pluggable.py

@@ -57,7 +57,15 @@
 
 
 class Credentials(external_account.Credentials):
-    """External account credentials sourced from executables."""
+    """External account credentials sourced from executables.
+
+    **IMPORTANT**:
+    This method does not validate the credential configuration. A security
+    risk occurs when a credential configuration configured with malicious urls
+    is used.
+    When the credential configuration is accepted from an
+    untrusted source, you should validate it before using with this method.
+    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details."""
 
     def __init__(
         self,
@@ -300,6 +308,14 @@ def external_account_id(self):
     def from_info(cls, info, **kwargs):
         """Creates a Pluggable Credentials instance from parsed external account info.
 
+         **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             info (Mapping[str, str]): The Pluggable external account info in Google
                 format.
@@ -319,6 +335,14 @@ def from_info(cls, info, **kwargs):
     def from_file(cls, filename, **kwargs):
         """Creates an Pluggable Credentials instance from an external account json file.
 
+        **IMPORTANT**:
+        This method does not validate the credential configuration. A security
+        risk occurs when a credential configuration configured with malicious urls
+        is used.
+        When the credential configuration is accepted from an
+        untrusted source, you should validate it before using with this method.
+        Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+
         Args:
             filename (str): The path to the Pluggable external account json file.
             kwargs: Additional arguments to pass to the constructor.