Update mds mtls certificate well-known locations

nolanleastin · nolanleastin · commit e56d7558ceba · 2025-11-05T19:33:23.000Z
diff --git a/google/auth/compute_engine/_mtls.py b/google/auth/compute_engine/_mtls.py
@@ -16,25 +16,46 @@
 #
 """Mutual TLS for Google Compute Engine metadata server."""
 
-from dataclasses import dataclass
+from dataclasses import dataclass, field
 import enum
 import os
-from pathlib import Path
 import ssl
 
 import requests
 from requests.adapters import HTTPAdapter
 
 from google.auth import environment_vars, exceptions
 
+# MDS mTLS certificate paths based on OS.
+# Documentation to well known locations can be found at:
+# https://cloud.google.com/compute/docs/metadata/overview#https-mds-certificates
+
+
+def _get_mds_root_crt_path():
+    if os.name == "nt":
+        return os.path.join(
+            "C:\\", "ProgramData", "Google", "ComputeEngine", "mds-mtls-root.crt"
+        )
+    else:
+        return os.path.join("/", "run", "google-mds-mtls", "root.crt")
+
+
+def _get_mds_client_combined_cert_path():
+    if os.name == "nt":
+        return os.path.join(
+            "C:\\", "ProgramData", "Google", "ComputeEngine", "mds-mtls-client.key"
+        )
+    else:
+        return os.path.join("/", "run", "google-mds-mtls", "client.key")
+
 
 @dataclass
 class MdsMtlsConfig:
-    ca_cert_path: str = os.path.join(
-        Path.home(), "mtls_mds_certificates", "root.crt"
+    ca_cert_path: str = field(
+        default_factory=_get_mds_root_crt_path
     )  # path to CA certificate
-    client_combined_cert_path: str = os.path.join(
-        Path.home(), "mtls_mds_certificates", "client_creds.key"
+    client_combined_cert_path: str = field(
+        default_factory=_get_mds_client_combined_cert_path
     )  # path to file containing client certificate and key
 
 
diff --git a/tests/compute_engine/test__mtls.py b/tests/compute_engine/test__mtls.py
@@ -15,6 +15,8 @@
 # limitations under the License.
 #
 
+import os
+
 import mock
 import pytest  # type: ignore
 
@@ -29,6 +31,28 @@ def mock_mds_mtls_config():
     )
 
 
+@mock.patch("os.name", "nt")
+def test__MdsMtlsConfig_windows_defaults():
+    config = _mtls.MdsMtlsConfig()
+    assert config.ca_cert_path == os.path.join(
+        "C:\\", "ProgramData", "Google", "ComputeEngine", "mds-mtls-root.crt"
+    )
+    assert config.client_combined_cert_path == os.path.join(
+        "C:\\", "ProgramData", "Google", "ComputeEngine", "mds-mtls-client.key"
+    )
+
+
+@mock.patch("os.name", "posix")
+def test__MdsMtlsConfig_non_windows_defaults():
+    config = _mtls.MdsMtlsConfig()
+    assert config.ca_cert_path == os.path.join(
+        "/", "run", "google-mds-mtls", "root.crt"
+    )
+    assert config.client_combined_cert_path == os.path.join(
+        "/", "run", "google-mds-mtls", "client.key"
+    )
+
+
 def test__parse_mds_mode_default(monkeypatch):
     monkeypatch.delenv(environment_vars.GCE_METADATA_MTLS_MODE, raising=False)
     assert _mtls._parse_mds_mode() == _mtls.MdsMtlsMode.DEFAULT
