@agrawalradhika-cell
Contributor

@agrawalradhika-cell agrawalradhika-cell commented Oct 27, 2025

The Python SDK will use a hybrid approach for mTLS enablement:

  • If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is set (either true or false), the SDK will respect that setting. This is necessary for test scenarios and users who need to explicitly control mTLS behavior.
  • If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not set, the SDK will automatically enable mTLS only if it detects Managed Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF) certificate sources. In other cases where the variable is not set, mTLS will remain disabled.

** This change also adds the helper method check_use_client_cert and its unit test, which will be used to check the criteria for setting mTLS to true.
** This change is only for the Auth Library; other changes will be created for Client Library use cases.
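
The decision procedure in the description above, as an added worked example in Python. This is not the project's code and not the check_use_client_cert this PR adds: an explicit GOOGLE_API_USE_CLIENT_CERTIFICATE wins, otherwise mTLS is enabled only when a certificate source is found. The detection details are assumptions made for this example: MWID is read from a gcloud-style certificate_config.json (GOOGLE_API_CERTIFICATE_CONFIG, falling back to ~/.config/gcloud/certificate_config.json) holding a cert_configs.workload cert/key pair, and X.509 WIF from an external_account ADC file (GOOGLE_APPLICATION_CREDENTIALS) whose credential_source has a "certificate" block. Two further choices are this example's own: it returns a bool (as the follow-up #1859 later on this page does), and it rejects any explicit value other than true/false instead of coercing it.

```python
"""Hybrid mTLS switch: explicit env var wins, otherwise auto-detect cert sources."""
import json
import os
import tempfile

ENV_USE_CLIENT_CERT = "GOOGLE_API_USE_CLIENT_CERTIFICATE"
# Assumptions of this example, not a statement of what google-auth itself reads:
# MWID is detected from a gcloud-style certificate_config.json holding a
# cert_configs.workload cert/key pair; X.509 WIF from an external_account ADC
# file whose credential_source carries a "certificate" block.
ENV_CERT_CONFIG = "GOOGLE_API_CERTIFICATE_CONFIG"
DEFAULT_CERT_CONFIG = os.path.expanduser("~/.config/gcloud/certificate_config.json")
ENV_ADC = "GOOGLE_APPLICATION_CREDENTIALS"


def _load_json(path):
    """Parsed JSON object, or None when the file is missing or malformed.
    Detection fails closed: None means "no cert source", so mTLS stays off."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def has_mwid_cert_source(env):
    """True if a workload (MWID) certificate and key are configured."""
    cfg = _load_json(env.get(ENV_CERT_CONFIG, DEFAULT_CERT_CONFIG))
    if cfg is None:
        return False
    workload = cfg.get("cert_configs", {}).get("workload", {})
    return bool(workload.get("cert_path") and workload.get("key_path"))


def has_x509_wif_cert_source(env):
    """True if ADC names an external_account credential sourced from a certificate."""
    adc_path = env.get(ENV_ADC)
    cred = _load_json(adc_path) if adc_path else None
    if cred is None or cred.get("type") != "external_account":
        return False
    return "certificate" in cred.get("credential_source", {})


def check_use_client_cert(env=None):
    """Decide whether the client certificate should be used for mTLS.

    1. GOOGLE_API_USE_CLIENT_CERTIFICATE set: respect it. Only "true"/"false"
       (case-insensitive) are accepted; anything else raises rather than being
       silently coerced, so a typo cannot flip the security posture.
    2. Unset: enable only when an MWID or X.509 WIF cert source is detected.
    """
    env = os.environ if env is None else env
    explicit = env.get(ENV_USE_CLIENT_CERT)
    if explicit is not None:
        value = explicit.strip().lower()
        if value not in ("true", "false"):
            raise ValueError(
                f"{ENV_USE_CLIENT_CERT} must be 'true' or 'false', got {explicit!r}")
        return value == "true"
    return has_mwid_cert_source(env) or has_x509_wif_cert_source(env)


def demo():
    """Run the decision table against constructed files (no real credentials)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cert_cfg = os.path.join(tmp, "certificate_config.json")
        with open(cert_cfg, "w", encoding="utf-8") as fh:
            json.dump({"cert_configs": {"workload": {
                "cert_path": os.path.join(tmp, "workload.crt"),
                "key_path": os.path.join(tmp, "workload.key")}}}, fh)
        wif_adc = os.path.join(tmp, "x509_wif_adc.json")  # constructed sample
        with open(wif_adc, "w", encoding="utf-8") as fh:
            json.dump({"type": "external_account",
                       "audience": "//iam.googleapis.com/projects/0/locations/global/"
                                   "workloadIdentityPools/example/providers/x509",
                       "credential_source": {"certificate": {
                           "certificate_config_location": cert_cfg}}}, fh)
        missing = os.path.join(tmp, "does_not_exist.json")
        results["unset, no sources"] = check_use_client_cert({ENV_CERT_CONFIG: missing})
        results["unset, MWID config"] = check_use_client_cert({ENV_CERT_CONFIG: cert_cfg})
        results["unset, X.509 WIF ADC"] = check_use_client_cert(
            {ENV_CERT_CONFIG: missing, ENV_ADC: wif_adc})
        results["explicit false, MWID config"] = check_use_client_cert(
            {ENV_USE_CLIENT_CERT: "false", ENV_CERT_CONFIG: cert_cfg})
        results["explicit TRUE, no sources"] = check_use_client_cert(
            {ENV_USE_CLIENT_CERT: "TRUE", ENV_CERT_CONFIG: missing})
        try:
            check_use_client_cert({ENV_USE_CLIENT_CERT: "yes", ENV_CERT_CONFIG: missing})
        except ValueError:
            results["explicit unsupported value"] = "ValueError"
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:30} -> {outcome}")
```

Two properties matter when reviewing a switch like this: a missing or malformed config file must yield "disabled" rather than an exception or an enabled state, and the explicit variable must not be coerced from arbitrary strings, since "True"/"1"/"yes" all silently meaning different things is how an mTLS requirement gets skipped in one environment and not another.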

@agrawalradhika-cell agrawalradhika-cell marked this pull request as ready for review October 27, 2025 23:56
@agrawalradhika-cell agrawalradhika-cell requested review from a team as code owners October 27, 2025 23:56
@agrawalradhika-cell agrawalradhika-cell changed the title from "feat: Autoupdate the GOOGLE_API_USE_CLIENT_CERTIFICATE flag to true if not set, if the MWID/X.509 cert sources detected" to "feat: Enable mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, if the MWID/X.509 cert sources detected" Oct 28, 2025
sai-sunder-s previously approved these changes Oct 28, 2025
sai-sunder-s previously approved these changes Oct 31, 2025
@nbayati nbayati added the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 1, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 1, 2025
…f not set, if the MWID/X.509 cert sources detected

Signed-off-by: Radhika Agrawal <[email protected]>
Signed-off-by: Radhika Agrawal <[email protected]>
…or updates to docsting and indentation

Signed-off-by: Radhika Agrawal <[email protected]>
…he json and return the exact value set by user, and not handling the case when user is setting value to an unsupported value

Signed-off-by: Radhika Agrawal <[email protected]>
…thod to catch exceptions and update docstring

Signed-off-by: Radhika Agrawal <[email protected]>
@nbayati nbayati added the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 3, 2025
andyrzhao previously approved these changes Nov 3, 2025
Contributor

@andyrzhao andyrzhao left a comment

LGTM overall. Please address other reviewer's comments. Thanks!

andyrzhao previously approved these changes Nov 3, 2025
Contributor

@andyrzhao andyrzhao left a comment

LGTM. Thanks!

@andyrzhao andyrzhao added the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 3, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 3, 2025
daniel-sanche previously approved these changes Nov 3, 2025
Contributor

@daniel-sanche daniel-sanche left a comment

Left a couple suggestions to consider, but LGTM

@nbayati nbayati added the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 3, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 3, 2025
return crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)


def check_use_client_cert():
Contributor Author

Please note that here the function is emitting str instead of boolean because we want to also consider the value set by the user for GOOGLE_API_USE_CLIENT_CERTIFICATE.

@nbayati nbayati added the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 4, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:run Add this label to force Kokoro to re-run the tests. label Nov 4, 2025
@nbayati nbayati enabled auto-merge (squash) November 4, 2025 00:26
@nbayati nbayati merged commit 395e405 into googleapis:main Nov 4, 2025
12 checks passed
agrawalradhika-cell added a commit that referenced this pull request Nov 5, 2025
… enables mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the MWID/X.509 cert sources detected (#1859)

Add public wrapper for check_use_client_cert which enables mTLS if
GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the MWID/X.509 cert
sources detected. Also, fix check_use_client_cert to return boolean
value.

Change #1848 added the check_use_client_cert method that helps know if
client cert should be used for mTLS connection. However, that was in a
private class, thus, created a public wrapper of the same function so
that it can be used by python Client Libraries. Also, updated
check_use_client_cert to return a boolean value instead of existing
string value for better readability and future scope.

---------

Signed-off-by: Radhika Agrawal <[email protected]>
Co-authored-by: Daniel Sanche <[email protected]>
Linchin added a commit that referenced this pull request Nov 5, 2025
Librarian Version: v0.5.0
Language Image:
us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator:latest
<details><summary>google-auth: 2.43.0</summary>

## [2.43.0](v2.42.1...v2.43.0) (2025-11-05)

### Features

* Add public wrapper for _mtls_helper.check_use_client_cert which
enables mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the
MWID/X.509 cert sources detected (#1859)
([1535ecc](1535eccb))

* Enable mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, if the
MWID/X.509 cert sources detected (#1848)
([395e405](395e405b))

* onboard `google-auth` to librarian (#1838)
([c503eaa](c503eaa5))

</details>