Merge branch 'main' into parthea-patch-1

Author: parthea

.github/.OwlBot.lock.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 docker:
   image: gcr.io/cloud-devrel-public-resources/owlbot-python:latest
-  digest: sha256:5efdf8d38e5a22c1ec9e5541cbdfde56399bdffcb6f531183f84ac66052a8024
-# created: 2024-10-25
+  digest: sha256:023a21377a2a00008057f99f0118edadc30a19d1636a3fee47189ebec2f3921c
+# created: 2025-03-31T16:51:40.130756953Z

.kokoro/build-systests.sh

@@ -28,7 +28,7 @@ export PYTHONUNBUFFERED=1
 python3 -m pip uninstall --yes --quiet nox-automation
 
 # Install nox
-python3 -m pip install --upgrade --quiet nox
+python3 -m pip install nox==2024.10.9
 python3 -m nox --version
 
 # Setup service account credentials.

.kokoro/test-samples-impl.sh

@@ -33,7 +33,8 @@ export PYTHONUNBUFFERED=1
 env | grep KOKORO
 
 # Install nox
-python3.9 -m pip install --upgrade --quiet nox
+# `virtualenv==20.26.6` is added for Python 3.7 compatibility
+python3.9 -m pip install --upgrade --quiet nox virtualenv==20.26.6
 
 # Use secrets acessor service account to get secrets
 if [[ -f "${KOKORO_GFILE_DIR}/secrets_viewer_service_account.json" ]]; then

google/auth/compute_engine/_metadata.py

@@ -159,6 +159,7 @@ def get(
     retry_count=5,
     headers=None,
     return_none_for_not_found_error=False,
+    timeout=_METADATA_DEFAULT_TIMEOUT,
 ):
     """Fetch a resource from the metadata server.
 
@@ -178,6 +179,7 @@ def get(
         headers (Optional[Mapping[str, str]]): Headers for the request.
         return_none_for_not_found_error (Optional[bool]): If True, returns None
             for 404 error instead of throwing an exception.
+        timeout (int): How long to wait, in seconds for the metadata server to respond.
 
     Returns:
         Union[Mapping, str]: If the metadata server returns JSON, a mapping of
@@ -204,7 +206,9 @@ def get(
     failure_reason = None
     for attempt in backoff:
         try:
-            response = request(url=url, method="GET", headers=headers_to_use)
+            response = request(
+                url=url, method="GET", headers=headers_to_use, timeout=timeout
+            )
             if response.status in transport.DEFAULT_RETRYABLE_STATUS_CODES:
                 _LOGGER.warning(
                     "Compute Engine Metadata server unavailable on "

google/auth/identity_pool.py

@@ -41,6 +41,7 @@
 except ImportError:  # pragma: NO COVER
     from collections import Mapping  # type: ignore
 import abc
+import base64
 import json
 import os
 from typing import NamedTuple
@@ -145,9 +146,88 @@ def get_subject_token(self, context, request):
 class _X509Supplier(SubjectTokenSupplier):
     """Internal supplier for X509 workload credentials. This class is used internally and always returns an empty string as the subject token."""
 
+    def __init__(self, trust_chain_path, leaf_cert_callback):
+        self._trust_chain_path = trust_chain_path
+        self._leaf_cert_callback = leaf_cert_callback
+
     @_helpers.copy_docstring(SubjectTokenSupplier)
     def get_subject_token(self, context, request):
-        return ""
+        # Import OpennSSL inline because it is an extra import only required by customers
+        # using mTLS.
+        from OpenSSL import crypto
+
+        leaf_cert = crypto.load_certificate(
+            crypto.FILETYPE_PEM, self._leaf_cert_callback()
+        )
+        trust_chain = self._read_trust_chain()
+        cert_chain = []
+
+        cert_chain.append(_X509Supplier._encode_cert(leaf_cert))
+
+        if trust_chain is None or len(trust_chain) == 0:
+            return json.dumps(cert_chain)
+
+        # Append the first cert if it is not the leaf cert.
+        first_cert = _X509Supplier._encode_cert(trust_chain[0])
+        if first_cert != cert_chain[0]:
+            cert_chain.append(first_cert)
+
+        for i in range(1, len(trust_chain)):
+            encoded = _X509Supplier._encode_cert(trust_chain[i])
+            # Check if the current cert is the leaf cert and raise an exception if it is.
+            if encoded == cert_chain[0]:
+                raise exceptions.RefreshError(
+                    "The leaf certificate must be at the top of the trust chain file"
+                )
+            else:
+                cert_chain.append(encoded)
+        return json.dumps(cert_chain)
+
+    def _read_trust_chain(self):
+        # Import OpennSSL inline because it is an extra import only required by customers
+        # using mTLS.
+        from OpenSSL import crypto
+
+        certificate_trust_chain = []
+        # If no trust chain path was provided, return an empty list.
+        if self._trust_chain_path is None or self._trust_chain_path == "":
+            return certificate_trust_chain
+        try:
+            # Open the trust chain file.
+            with open(self._trust_chain_path, "rb") as f:
+                trust_chain_data = f.read()
+                # Split PEM data into individual certificates.
+                cert_blocks = trust_chain_data.split(b"-----BEGIN CERTIFICATE-----")
+                for cert_block in cert_blocks:
+                    # Skip empty blocks.
+                    if cert_block.strip():
+                        cert_data = b"-----BEGIN CERTIFICATE-----" + cert_block
+                        try:
+                            # Load each certificate and add it to the trust chain.
+                            cert = crypto.load_certificate(
+                                crypto.FILETYPE_PEM, cert_data
+                            )
+                            certificate_trust_chain.append(cert)
+                        except Exception as e:
+                            raise exceptions.RefreshError(
+                                "Error loading PEM certificates from the trust chain file '{}'".format(
+                                    self._trust_chain_path
+                                )
+                            ) from e
+                return certificate_trust_chain
+        except FileNotFoundError:
+            raise exceptions.RefreshError(
+                "Trust chain file '{}' was not found.".format(self._trust_chain_path)
+            )
+
+    def _encode_cert(cert):
+        # Import OpennSSL inline because it is an extra import only required by customers
+        # using mTLS.
+        from OpenSSL import crypto
+
+        return base64.b64encode(
+            crypto.dump_certificate(crypto.FILETYPE_ASN1, cert)
+        ).decode("utf-8")
 
 
 def _parse_token_data(token_content, format_type="text", subject_token_field_name=None):
@@ -296,7 +376,9 @@ def __init__(
                     self._credential_source_headers,
                 )
             else:  # self._credential_source_certificate
-                self._subject_token_supplier = _X509Supplier()
+                self._subject_token_supplier = _X509Supplier(
+                    self._trust_chain_path, self._get_cert_bytes
+                )
 
     @_helpers.copy_docstring(external_account.Credentials)
     def retrieve_subject_token(self, request):
@@ -314,6 +396,10 @@ def _get_mtls_cert_and_key_paths(self):
                 self._certificate_config_location
             )
 
+    def _get_cert_bytes(self):
+        cert_path, _ = self._get_mtls_cert_and_key_paths()
+        return _mtls_helper._read_cert_file(cert_path)
+
     def _mtls_required(self):
         return self._credential_source_certificate is not None
 
@@ -350,6 +436,9 @@ def _validate_certificate_config(self):
         use_default = self._credential_source_certificate.get(
             "use_default_certificate_config"
         )
+        self._trust_chain_path = self._credential_source_certificate.get(
+            "trust_chain_path"
+        )
         if self._certificate_config_location and use_default:
             raise exceptions.MalformedError(
                 "Invalid certificate configuration, certificate_config_location cannot be specified when use_default_certificate_config = true."

google/auth/transport/urllib3.py

@@ -34,13 +34,21 @@
 try:
     import urllib3  # type: ignore
     import urllib3.exceptions  # type: ignore
+    from packaging import version  # type: ignore
 except ImportError as caught_exc:  # pragma: NO COVER
     raise ImportError(
-        "The urllib3 library is not installed from please install the "
-        "urllib3 package to use the urllib3 transport."
+        ""
+        f"Error: {caught_exc}."
+        " The 'google-auth' library requires the extras installed "
+        "for urllib3 network transport."
+        "\n"
+        "Please install the necessary dependencies using pip:\n"
+        "  pip install google-auth[urllib3]\n"
+        "\n"
+        "(Note: Using '[urllib3]' ensures the specific dependencies needed for this feature are installed. "
+        "We recommend running this command in your virtual environment.)"
     ) from caught_exc
 
-from packaging import version  # type: ignore
 
 from google.auth import environment_vars
 from google.auth import exceptions
@@ -414,7 +422,7 @@ def urlopen(self, method, url, body=None, headers=None, **kwargs):
                 body=body,
                 headers=headers,
                 _credential_refresh_attempt=_credential_refresh_attempt + 1,
-                **kwargs
+                **kwargs,
             )
 
         return response

noxfile.py

@@ -89,8 +89,7 @@ def unit(session):
     constraints_path = str(
         CURRENT_DIRECTORY / "testing" / f"constraints-{session.python}.txt"
     )
-    session.install("-r", "testing/requirements.txt", "-c", constraints_path)
-    session.install("-e", ".", "-c", constraints_path)
+    session.install("-e", ".[testing]", "-c", constraints_path)
     session.run(
         "pytest",
         f"--junitxml=unit_{session.python}_sponge_log.xml",
@@ -105,8 +104,7 @@ def unit(session):
 
 @nox.session(python="3.8")
 def cover(session):
-    session.install("-r", "testing/requirements.txt")
-    session.install("-e", ".")
+    session.install("-e", ".[testing]")
     session.run(
         "pytest",
         "--cov=google.auth",
@@ -144,8 +142,7 @@ def docs(session):
 
 @nox.session(python="pypy")
 def pypy(session):
-    session.install("-r", "testing/requirements.txt")
-    session.install("-e", ".")
+    session.install("-e", ".[testing]")
     session.run(
         "pytest",
         f"--junitxml=unit_{session.python}_sponge_log.xml",

renovate.json

@@ -5,7 +5,7 @@
     ":preserveSemverRanges",
     ":disableDependencyDashboard"
   ],
-  "ignorePaths": [".pre-commit-config.yaml", ".kokoro/requirements.txt", "setup.py"],
+  "ignorePaths": [".pre-commit-config.yaml", ".kokoro/requirements.txt", "setup.py", ".github/workflows/unittest.yml"],
   "pip_requirements": {
     "fileMatch": ["requirements-test.txt", "samples/[\\S/]*constraints.txt", "samples/[\\S/]*constraints-test.txt"]
   }

setup.py

@@ -27,13 +27,70 @@
     "rsa>=3.1.4,<5",
 )
 
+# TODO(https://github.com/googleapis/google-auth-library-python/issues/1737): Unit test fails with
+#  `No module named 'cryptography.hazmat.backends.openssl.x509' for Python 3.7``.
+cryptography_base_require = [
+    "cryptography >= 38.0.3",
+    "cryptography < 39.0.0; python_version < '3.8'",
+]
+
+requests_extra_require = ["requests >= 2.20.0, < 3.0.0"]
+
+aiohttp_extra_require = ["aiohttp >= 3.6.2, < 4.0.0", *requests_extra_require]
+
+pyjwt_extra_require = ["pyjwt>=2.0", *cryptography_base_require]
+
+reauth_extra_require = ["pyu2f>=0.1.5"]
+
+# TODO(https://github.com/googleapis/google-auth-library-python/issues/1738): Add bounds for cryptography and pyopenssl dependencies.
+enterprise_cert_extra_require = ["cryptography", "pyopenssl"]
+
+pyopenssl_extra_require = ["pyopenssl>=20.0.0", cryptography_base_require]
+
+# TODO(https://github.com/googleapis/google-auth-library-python/issues/1739): Add bounds for urllib3 and packaging dependencies.
+urllib3_extra_require = ["urllib3", "packaging"]
+
+# Unit test requirements.
+testing_extra_require = [
+    # TODO(https://github.com/googleapis/google-auth-library-python/issues/1735): Remove `grpcio` from testing requirements once an extra is added for `grpcio` dependency.
+    "grpcio",
+    "flask",
+    "freezegun",
+    "mock",
+    # TODO(https://github.com/googleapis/google-auth-library-python/issues/1736): Remove `oauth2client` from testing requirements once an extra is added for `oauth2client` dependency.
+    "oauth2client",
+    *pyjwt_extra_require,
+    "pytest",
+    "pytest-cov",
+    "pytest-localserver",
+    *pyopenssl_extra_require,
+    *reauth_extra_require,
+    "responses",
+    *urllib3_extra_require,
+    # Async Dependencies
+    *aiohttp_extra_require,
+    "aioresponses",
+    "pytest-asyncio",
+    # TODO(https://github.com/googleapis/google-auth-library-python/issues/1665): Remove the pinned version of pyopenssl
+    # once `TestDecryptPrivateKey::test_success` is updated to remove the deprecated `OpenSSL.crypto.sign` and
+    # `OpenSSL.crypto.verify` methods. See: https://www.pyopenssl.org/en/latest/changelog.html#id3.
+    "pyopenssl < 24.3.0",
+    # TODO(https://github.com/googleapis/google-auth-library-python/issues/1722): `test_aiohttp_requests` depend on
+    # aiohttp < 3.10.0 which is a bug. Investigate and remove the pinned aiohttp version.
+    "aiohttp < 3.10.0",
+]
+
 extras = {
-    "aiohttp": ["aiohttp >= 3.6.2, < 4.0.0.dev0", "requests >= 2.20.0, < 3.0.0.dev0"],
-    "pyopenssl": ["pyopenssl>=20.0.0", "cryptography>=38.0.3"],
-    "requests": "requests >= 2.20.0, < 3.0.0.dev0",
-    "reauth": "pyu2f>=0.1.5",
-    "enterprise_cert": ["cryptography", "pyopenssl"],
-    "pyjwt": ["pyjwt>=2.0", "cryptography>=38.0.3"],
+    "aiohttp": aiohttp_extra_require,
+    "enterprise_cert": enterprise_cert_extra_require,
+    "pyopenssl": pyopenssl_extra_require,
+    "pyjwt": pyjwt_extra_require,
+    "reauth": reauth_extra_require,
+    "requests": requests_extra_require,
+    "testing": testing_extra_require,
+    "urllib3": urllib3_extra_require,
+    # TODO(https://github.com/googleapis/google-auth-library-python/issues/1735): Add an extra for `grpcio` dependency.
+    # TODO(https://github.com/googleapis/google-auth-library-python/issues/1736): Add an extra for `oauth2client` dependency.
 }
 
 with io.open("README.rst", "r") as fh: