don't use ADC if have client_cert_callback

googleapis · Mar 19, 2020 · fca841d · fca841d
1 parent 912caf0
commit fca841d
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 41 deletions.
diff --git a/google/auth/transport/_mtls_helper.py b/google/auth/transport/_mtls_helper.py
@@ -125,9 +125,9 @@ def get_client_cert_and_key(client_cert_callback=None):
     default SSL credentials.
 
     Args:
-        client_cert_callback (Optional[Callable[[], (bool, bytes, bytes)]]): A
-            callback which returns a bool indicating if the call is successful,
-            and client certificate bytes and private key bytes both in PEM format.
+        client_cert_callback (Optional[Callable[[], (bytes, bytes)]]): An
+            optional callback which returns client certificate bytes and private
+            key bytes both in PEM format.
 
     Returns:
         Tuple[bool, bytes, bytes]:
@@ -142,7 +142,8 @@ def get_client_cert_and_key(client_cert_callback=None):
             and client key.
     """
     if client_cert_callback:
-        return client_cert_callback()
+        cert, key = client_cert_callback()
+        return True, cert, key
 
     metadata_path = _check_dca_metadata_path(CONTEXT_AWARE_METADATA_PATH)
     if metadata_path:

diff --git a/google/auth/transport/requests.py b/google/auth/transport/requests.py
@@ -249,11 +249,11 @@ class AuthorizedSession(requests.Session):
     credentials' headers to the request and refreshing credentials as needed.
 
     This class also supports mutual TLS via :meth:`configure_mtls_channel`
-    method. This method first tries to load client certificate and private key
-    using the given client_cert_callabck; if callback is None or fails, it tries
-    to load application default SSL credentials. Exceptions are raised if there
-    are problems with the certificate, private key, or the loading process, so
-    it should be called within a try/except block.
+    method. If client_cert_callabck is provided, client certificate and private
+    key are loaded using the callback; if client_cert_callabck is None,
+    application default SSL credentials will be used. Exceptions are raised if
+    there are problems with the certificate, private key, or the loading process,
+    so it should be called within a try/except block.
 
     First we create an :class:`AuthorizedSession` instance and specify the endpoints::
 
@@ -269,9 +269,8 @@ def my_cert_callback():
             # PEM format.
             some_code_to_load_client_cert_and_key()
             if loaded:
-                return True, cert, key
-            else:
-                return False, None, None
+                return cert, key
+            raise MyClientCertFailureException()
 
         # Always call configure_mtls_channel within a try/except block.
         try:
@@ -349,11 +348,10 @@ def configure_mtls_channel(self, client_cert_callback=None):
         :class:`_MutualTlsAdapter` instance will be mounted to "https://" prefix.
 
         Args:
-            client_cert_callabck (Optional[Callable[[], (bool, bytes, bytes)]]):
-                The optional callback returns a boolean indicating if the call
-                is successful, and the client certificate and private key bytes
-                both in PEM format.
-                If the call is not succesful, application default SSL credentials
+            client_cert_callabck (Optional[Callable[[], (bytes, bytes)]]):
+                The optional callback returns the client certificate and private
+                key bytes both in PEM format.
+                If the callback is None, application default SSL credentials
                 will be used.
 
         Raises:

diff --git a/google/auth/transport/urllib3.py b/google/auth/transport/urllib3.py
@@ -202,11 +202,11 @@ class AuthorizedHttp(urllib3.request.RequestMethods):
     credentials' headers to the request and refreshing credentials as needed.
 
     This class also supports mutual TLS via :meth:`configure_mtls_channel`
-    method. This method first tries to load client certificate and private key
-    using the given client_cert_callabck; if callback is None or fails, it tries
-    to load application default SSL credentials. Exceptions are raised if there
-    are problems with the certificate, private key, or the loading process, so
-    it should be called within a try/except block.
+    method. If client_cert_callabck is provided, client certificate and private
+    key are loaded using the callback; if client_cert_callabck is None,
+    application default SSL credentials will be used. Exceptions are raised if
+    there are problems with the certificate, private key, or the loading process,
+    so it should be called within a try/except block.
 
     First we create an :class:`AuthorizedHttp` instance and specify the endpoints::
 
@@ -222,9 +222,8 @@ def my_cert_callback():
             # PEM format.
             some_code_to_load_client_cert_and_key()
             if loaded:
-                return True, cert, key
-            else:
-                return False, None, None
+                return cert, key
+            raise MyClientCertFailureException()
 
         # Always call configure_mtls_channel within a try/except block.
         try:
@@ -288,11 +287,10 @@ def configure_mtls_channel(self, client_cert_callabck=None):
         constructor will be overwritten.
 
         Args:
-            client_cert_callabck (Optional[Callable[[], (bool, bytes, bytes)]]):
-                The optional callback returns a boolean indicating if the call
-                is successful, and the client certificate and private key bytes
-                both in PEM format.
-                If the call is not succesful, application default SSL credentials
+            client_cert_callabck (Optional[Callable[[], (bytes, bytes)]]):
+                The optional callback returns the client certificate and private
+                key bytes both in PEM format.
+                If the callback is None, application default SSL credentials
                 will be used.
 
         Returns:

diff --git a/tests/transport/test__mtls_helper.py b/tests/transport/test__mtls_helper.py
@@ -190,11 +190,7 @@ def test_popen_raise_exception(self, mock_popen):
 class TestGetClientCertAndKey(object):
     def test_callback_success(self):
         callback = mock.Mock()
-        callback.return_value = (
-            True,
-            pytest.public_cert_bytes,
-            pytest.private_key_bytes,
-        )
+        callback.return_value = (pytest.public_cert_bytes, pytest.private_key_bytes)
 
         found_cert_key, cert, key = _mtls_helper.get_client_cert_and_key(callback)
         assert found_cert_key

diff --git a/tests/transport/test_requests.py b/tests/transport/test_requests.py
@@ -360,7 +360,6 @@ def test_request_timeout_w_refresh_timeout_timeout_error(self, frozen_time):
     def test_configure_mtls_channel_with_callback(self):
         mock_callback = mock.Mock()
         mock_callback.return_value = (
-            True,
             pytest.public_cert_bytes,
             pytest.private_key_bytes,
         )

diff --git a/tests/transport/test_urllib3.py b/tests/transport/test_urllib3.py
@@ -166,11 +166,8 @@ def test_proxies(self):
     @mock.patch("google.auth.transport.urllib3._make_mutual_tls_http", autospec=True)
     def test_configure_mtls_channel_with_callback(self, mock_make_mutual_tls_http):
         callback = mock.Mock()
-        callback.return_value = (
-            True,
-            pytest.public_cert_bytes,
-            pytest.private_key_bytes,
-        )
+        callback.return_value = (pytest.public_cert_bytes, pytest.private_key_bytes)
+
         authed_http = google.auth.transport.urllib3.AuthorizedHttp(
             credentials=mock.Mock(), http=mock.Mock()
         )