add fallback to mds mtls

nolanleastin · nolanleastin · commit 3cc910979945 · 2025-11-17T20:07:02.000Z
diff --git a/google/auth/compute_engine/_metadata.py b/google/auth/compute_engine/_metadata.py
@@ -142,7 +142,7 @@ def detect_gce_residency_linux():
 def _prepare_request_for_mds(request, use_mtls=False):
     """Prepares a request for the metadata server.
 
-    This will check if mTLS should be used and return a new request object if so.
+    This will check if mTLS should be used and mount the mTLS adapter if needed.
 
     Args:
         request (google.auth.transport.Request): A callable used to make
@@ -151,8 +151,8 @@ def _prepare_request_for_mds(request, use_mtls=False):
 
     Returns:
         google.auth.transport.Request: A request object to use.
-            If mTLS is enabled, this will be a new request object with mTLS session configured.
-            Otherwise, it will be the same as the input request.
+            If mTLS is enabled, the request will have the mTLS adapter mounted.
+            Otherwise, the original request will be returned unchanged.
     """
     if not use_mtls:
         return request
diff --git a/google/auth/compute_engine/_mtls.py b/google/auth/compute_engine/_mtls.py
@@ -18,9 +18,13 @@
 
 from dataclasses import dataclass, field
 import enum
+import logging
 import os
+from pathlib import Path
 import ssl
+from urllib.parse import urlparse, urlunparse
 
+import requests
 from requests.adapters import HTTPAdapter
 
 from google.auth import environment_vars, exceptions
@@ -30,22 +34,26 @@
 # https://cloud.google.com/compute/docs/metadata/overview#https-mds-certificates
 
 
+_WINDOWS_OS_NAME = "nt"
+# _WINDOWS_MTLS_COMPONENTS_BASE_PATH = os.path.join("C:\\", "ProgramData", "Google", "ComputeEngine")
+# _MTLS_COMPONENTS_BASE_PATH = os.path.join("/", "run", "google-mds-mtls")
+
+_WINDOWS_MTLS_COMPONENTS_BASE_PATH = Path("C:/ProgramData/Google/ComputeEngine")
+_MTLS_COMPONENTS_BASE_PATH = Path("/run/google-mds-mtls")
+
+
 def _get_mds_root_crt_path():
-    if os.name == "nt":
-        return os.path.join(
-            "C:\\", "ProgramData", "Google", "ComputeEngine", "mds-mtls-root.crt"
-        )
+    if os.name == _WINDOWS_OS_NAME:
+        return _WINDOWS_MTLS_COMPONENTS_BASE_PATH / "mds-mtls-root.crt"
     else:
-        return os.path.join("/", "run", "google-mds-mtls", "root.crt")
+        return _MTLS_COMPONENTS_BASE_PATH / "root.crt"
 
 
 def _get_mds_client_combined_cert_path():
-    if os.name == "nt":
-        return os.path.join(
-            "C:\\", "ProgramData", "Google", "ComputeEngine", "mds-mtls-client.key"
-        )
+    if os.name == _WINDOWS_OS_NAME:
+        return _WINDOWS_MTLS_COMPONENTS_BASE_PATH / "mds-mtls-client.key"
     else:
-        return os.path.join("/", "run", "google-mds-mtls", "client.key")
+        return _MTLS_COMPONENTS_BASE_PATH / "client.key"
 
 
 @dataclass
@@ -106,6 +114,9 @@ def should_use_mds_mtls(mds_mtls_config: MdsMtlsConfig = MdsMtlsConfig()):
         return _certs_exist(mds_mtls_config)
 
 
+_LOGGER = logging.getLogger(__name__)
+
+
 class MdsMtlsAdapter(HTTPAdapter):
     """An HTTP adapter that uses mTLS for the metadata server."""
 
@@ -126,3 +137,26 @@ def init_poolmanager(self, *args, **kwargs):
     def proxy_manager_for(self, *args, **kwargs):
         kwargs["ssl_context"] = self.ssl_context
         return super(MdsMtlsAdapter, self).proxy_manager_for(*args, **kwargs)
+
+    def send(self, request, **kwargs):
+        # If we are in strict mode, always use mTLS (no HTTP fallback)
+        if _parse_mds_mode() == MdsMtlsMode.STRICT:
+            return super(MdsMtlsAdapter, self).send(request, **kwargs)
+
+        # In default mode, attempt mTLS first, then fallback to HTTP on failure
+        try:
+            return super(MdsMtlsAdapter, self).send(request, **kwargs)
+        except (ssl.SSLError, requests.exceptions.SSLError) as e:
+            _LOGGER.warning(
+                "mTLS connection to Compute Engine Metadata server failed. "
+                "Falling back to standard HTTP. Reason: %s",
+                e,
+            )
+            # Fallback to standard HTTP
+            parsed_original_url = urlparse(request.url)
+            http_fallback_url = urlunparse(parsed_original_url._replace(scheme="http"))
+            request.url = http_fallback_url
+
+            # Use a standard HTTPAdapter for the fallback
+            http_adapter = HTTPAdapter()
+            return http_adapter.send(request, **kwargs)
diff --git a/tests/compute_engine/test__mtls.py b/tests/compute_engine/test__mtls.py
@@ -15,8 +15,6 @@
 # limitations under the License.
 #
 
-import os
-
 import mock
 import pytest  # type: ignore
 import requests
@@ -35,23 +33,21 @@ def mock_mds_mtls_config():
 @mock.patch("os.name", "nt")
 def test__MdsMtlsConfig_windows_defaults():
     config = _mtls.MdsMtlsConfig()
-    assert config.ca_cert_path == os.path.join(
-        "C:\\", "ProgramData", "Google", "ComputeEngine", "mds-mtls-root.crt"
+    assert (
+        str(config.ca_cert_path)
+        == "C:/ProgramData/Google/ComputeEngine/mds-mtls-root.crt"
     )
-    assert config.client_combined_cert_path == os.path.join(
-        "C:\\", "ProgramData", "Google", "ComputeEngine", "mds-mtls-client.key"
+    assert (
+        str(config.client_combined_cert_path)
+        == "C:/ProgramData/Google/ComputeEngine/mds-mtls-client.key"
     )
 
 
 @mock.patch("os.name", "posix")
 def test__MdsMtlsConfig_non_windows_defaults():
     config = _mtls.MdsMtlsConfig()
-    assert config.ca_cert_path == os.path.join(
-        "/", "run", "google-mds-mtls", "root.crt"
-    )
-    assert config.client_combined_cert_path == os.path.join(
-        "/", "run", "google-mds-mtls", "client.key"
-    )
+    assert str(config.ca_cert_path) == "/run/google-mds-mtls/root.crt"
+    assert str(config.client_combined_cert_path) == "/run/google-mds-mtls/client.key"
 
 
 def test__parse_mds_mode_default(monkeypatch):
@@ -157,7 +153,7 @@ def test_mds_mtls_adapter_session_request(mock_ssl_context, mock_mds_mtls_config
     session = requests.Session()
     session.mount("https://", adapter)
 
-    # Mock the adapter's send method to avoid actual network requests
+    # Mock the adapter\'s send method to avoid actual network requests
     adapter.send = mock.Mock()
     response = requests.Response()
     response.status_code = 200
@@ -169,3 +165,67 @@ def test_mds_mtls_adapter_session_request(mock_ssl_context, mock_mds_mtls_config
     # Assert that the request was successful
     assert response.status_code == 200
     adapter.send.assert_called_once()
+
+
+@mock.patch("google.auth.compute_engine._mtls.HTTPAdapter")
+@mock.patch("google.auth.compute_engine._mtls._parse_mds_mode")
+@mock.patch("ssl.create_default_context")
+def test_mds_mtls_adapter_send_fallback_default_mode(
+    mock_ssl_context, mock_parse_mds_mode, mock_http_adapter_class, mock_mds_mtls_config
+):
+    mock_parse_mds_mode.return_value = _mtls.MdsMtlsMode.DEFAULT
+    adapter = _mtls.MdsMtlsAdapter(mock_mds_mtls_config)
+
+    mock_fallback_send = mock.Mock()
+    mock_http_adapter_class.return_value.send = mock_fallback_send
+
+    # Simulate SSLError on the super().send() call
+    with mock.patch(
+        "requests.adapters.HTTPAdapter.send", side_effect=requests.exceptions.SSLError
+    ):
+        request = requests.Request(method="GET", url="https://example.com").prepare()
+        adapter.send(request)
+
+    # Check that fallback to HTTPAdapter.send occurred
+    mock_http_adapter_class.assert_called_once()
+    mock_fallback_send.assert_called_once()
+    fallback_request = mock_fallback_send.call_args[0][0]
+    assert fallback_request.url == "http://example.com/"
+
+
+@mock.patch("google.auth.compute_engine._mtls._parse_mds_mode")
+@mock.patch("ssl.create_default_context")
+def test_mds_mtls_adapter_send_no_fallback_strict_mode(
+    mock_ssl_context, mock_parse_mds_mode, mock_mds_mtls_config
+):
+    mock_parse_mds_mode.return_value = _mtls.MdsMtlsMode.STRICT
+    adapter = _mtls.MdsMtlsAdapter(mock_mds_mtls_config)
+
+    # Simulate SSLError on the super().send() call
+    with mock.patch(
+        "requests.adapters.HTTPAdapter.send", side_effect=requests.exceptions.SSLError
+    ):
+        request = requests.Request(method="GET", url="https://example.com").prepare()
+        with pytest.raises(requests.exceptions.SSLError):
+            adapter.send(request)
+
+
+@mock.patch("requests.adapters.HTTPAdapter.send")
+@mock.patch("google.auth.compute_engine._mtls._parse_mds_mode")
+@mock.patch("ssl.create_default_context")
+def test_mds_mtls_adapter_send_no_fallback_other_exception(
+    mock_ssl_context, mock_parse_mds_mode, mock_http_adapter_send, mock_mds_mtls_config
+):
+    mock_parse_mds_mode.return_value = _mtls.MdsMtlsMode.DEFAULT
+    adapter = _mtls.MdsMtlsAdapter(mock_mds_mtls_config)
+
+    # Simulate a different exception
+    with mock.patch(
+        "requests.adapters.HTTPAdapter.send",
+        side_effect=requests.exceptions.ConnectionError,
+    ):
+        request = requests.Request(method="GET", url="https://example.com").prepare()
+        with pytest.raises(requests.exceptions.ConnectionError):
+            adapter.send(request)
+
+    mock_http_adapter_send.assert_not_called()
