13 changes: 5 additions & 8 deletions google/auth/transport/_mtls_helper.py
@@ -279,7 +279,7 @@ def _run_cert_provider_command(command, expect_encrypted_key=False):
def get_client_ssl_credentials(
generate_encrypted_key=False,
context_aware_metadata_path=CONTEXT_AWARE_METADATA_PATH,
certificate_config_path=CERTIFICATE_CONFIGURATION_DEFAULT_PATH,
certificate_config_path=None,
):
"""Returns the client side certificate, private key and passphrase.

@@ -306,13 +306,10 @@ def get_client_ssl_credentials(
the cert, key and passphrase.
"""

# 1. Check for certificate config json.
cert_config_path = _check_config_path(certificate_config_path)
if cert_config_path:
# Attempt to retrieve X.509 Workload cert and key.
cert, key = _get_workload_cert_and_key(cert_config_path)
if cert and key:
return True, cert, key, None
# 1. Attempt to retrieve X.509 Workload cert and key.
cert, key = _get_workload_cert_and_key(certificate_config_path)
if cert and key:
return True, cert, key, None

# 2. Check for context aware metadata json
metadata_path = _check_config_path(context_aware_metadata_path)
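Review bot: Step 1 of `get_client_ssl_credentials` now calls `_get_workload_cert_and_key(certificate_config_path)` without the earlier `_check_config_path` guard, so the fall-through to the context-aware metadata lookup depends entirely on that helper returning `(None, None)` rather than raising when no certificate config is present; the helper's body is outside this hunk, so that behaviour should be confirmed. Because this step decides which client certificate and private key are presented for mTLS, the contract is worth stating at the call site, for example `# Helper resolves the config path itself; it returns (None, None) when no workload cert config exists, so step 2 still runs.` The docstring, which is collapsed between the two hunks, should also say how a `certificate_config_path` of `None` is resolved, if `None` is the new default as the signature hunk suggests.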
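--- a/tests/transport/test__mtls_helper.py
+++ b/tests/transport/test__mtls_helper.py
@@ -334,9 +334,15 @@ def test_success_with_certificate_config(
 assert key == pytest.private_key_bytes
 assert passphrase is None
 
+@mock.patch(
+"google.auth.transport._mtls_helper._get_workload_cert_and_key", autospec=True
+)
 @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
-def test_success_without_metadata(self, mock_check_config_path):
+def test_success_without_metadata(
+self, mock_check_config_path, mock_get_workload_cert_and_key
+):
 mock_check_config_path.return_value = False
+mock_get_workload_cert_and_key.return_value = (None, None)
 has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials()
 assert not has_cert
 assert cert is None
@@ -395,12 +401,17 @@ def test_missing_cert_command(
 )
 @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
 @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
+@mock.patch(
+"google.auth.transport._mtls_helper._get_workload_cert_and_key", autospec=True
+)
 def test_customize_context_aware_metadata_path(
 self,
+mock_get_workload_cert_and_key,
 mock_check_config_path,
 mock_load_json_file,
 mock_run_cert_provider_command,
 ):
+mock_get_workload_cert_and_key.return_value = (None, None)
 context_aware_metadata_path = "/path/to/metata/data"
 mock_check_config_path.return_value = context_aware_metadata_path
 mock_load_json_file.return_value = {"cert_provider_command": ["command"]}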
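Review bot: Both updated tests pin `_get_workload_cert_and_key` to `(None, None)` but never assert that it was consulted, so they would still pass if step 1 stopped calling the helper; adding `mock_get_workload_cert_and_key.assert_called_once()` after the `get_client_ssl_credentials()` call in `test_success_without_metadata` would pin the new unconditional lookup. A case where the helper returns only one half of the pair, for example a constructed `(b"cert", None)`, is also missing, and that is the path where credential selection silently falls through to the context-aware metadata source. The new decorator sits above `_check_config_path` in the first test and below it in `test_customize_context_aware_metadata_path`, which flips the mock argument order between the two; placing it consistently would make the signatures easier to check. The second test's body continues outside the hunk.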