diff --git a/google/auth/transport/_mtls_helper.py b/google/auth/transport/_mtls_helper.py
index e1c816f71..c518cc821 100644
--- a/google/auth/transport/_mtls_helper.py
+++ b/google/auth/transport/_mtls_helper.py
@@ -125,9 +125,9 @@ def get_client_cert_and_key(client_cert_callback=None):
     default SSL credentials.
 
     Args:
-        client_cert_callback (Optional[Callable[[], (bool, bytes, bytes)]]): A
-            callback which returns a bool indicating if the call is successful,
-            and client certificate bytes and private key bytes both in PEM format.
+        client_cert_callback (Optional[Callable[[], (bytes, bytes)]]): An
+            optional callback which returns client certificate bytes and private
+            key bytes both in PEM format.
 
     Returns:
         Tuple[bool, bytes, bytes]:
@@ -142,7 +142,8 @@ def get_client_cert_and_key(client_cert_callback=None):
         and client key.
     """
     if client_cert_callback:
-        return client_cert_callback()
+        cert, key = client_cert_callback()
+        return True, cert, key
 
     metadata_path = _check_dca_metadata_path(CONTEXT_AWARE_METADATA_PATH)
     if metadata_path:
diff --git a/google/auth/transport/requests.py b/google/auth/transport/requests.py
index 3d24a551d..2d31d962e 100644
--- a/google/auth/transport/requests.py
+++ b/google/auth/transport/requests.py
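Review bot: The rewritten Args entry for client_cert_callback (hunk at -125) drops the old statement of what happens when the callback fails, but does not replace it: the code in the next hunk calls the callback with no try/except, so any exception it raises propagates out of get_client_cert_and_key and the metadata-file path is never consulted. Suggest ending the entry with `If the callback raises, the exception propagates; application default SSL credentials are only consulted when the callback is None.`. The Returns section still documents a bool, which on the callback path is now always True; its description lies outside this hunk and should say so.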
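Review bot: `cert, key = client_cert_callback()` (hunk at -142) accepts whatever the callback returns, so a caller still on the previous `(bool, cert, key)` contract fails with a bare `ValueError: too many values to unpack` that says nothing about the changed contract, and a callback returning `(None, None)` or non-bytes values passes through here and only fails later when the SSL context loads them. A small shape check with a message naming the contract would make the migration failure obvious, e.g. `if not (isinstance(cert, bytes) and isinstance(key, bytes)):` / `raise ValueError("client_cert_callback must return (cert_bytes, key_bytes) in PEM format")`. The enclosing function continues past the end of the hunk.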
@@ -249,11 +249,11 @@ class AuthorizedSession(requests.Session):
     credentials' headers to the request and refreshing credentials as needed.
 
     This class also supports mutual TLS via :meth:`configure_mtls_channel`
-    method. This method first tries to load client certificate and private key
-    using the given client_cert_callabck; if callback is None or fails, it tries
-    to load application default SSL credentials. Exceptions are raised if there
-    are problems with the certificate, private key, or the loading process, so
-    it should be called within a try/except block.
+    method. If client_cert_callabck is provided, client certificate and private
+    key are loaded using the callback; if client_cert_callabck is None,
+    application default SSL credentials will be used. Exceptions are raised if
+    there are problems with the certificate, private key, or the loading process,
+    so it should be called within a try/except block.
 
     First we create an :class:`AuthorizedSession` instance and specify the
     endpoints::
@@ -269,9 +269,8 @@ def my_cert_callback():
             # PEM format.
             some_code_to_load_client_cert_and_key()
             if loaded:
-                return True, cert, key
-            else:
-                return False, None, None
+                return cert, key
+            raise MyClientCertFailureException()
 
         # Always call configure_mtls_channel within a try/except block.
         try:
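Review bot: The new docstring lines (hunk at -249) refer to `client_cert_callabck` twice, but the parameter of `AuthorizedSession.configure_mtls_channel` in this file is spelled `client_cert_callback` (see the hunk header at -349), so the class docstring, and the Args entry rewritten in that later hunk, name a parameter that does not exist. The misspelling is inherited from the old text, but the commit rewrites both lines, so this is the moment to fix them: `method. If client_cert_callback is provided, client certificate and private` / `key are loaded using the callback; if client_cert_callback is None,`. In urllib3.py the parameter itself is spelled `client_cert_callabck` (hunk header at -288), so its docstring is at least self-consistent; renaming it would be an API change and is out of scope here.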
@@ -349,11 +348,10 @@ def configure_mtls_channel(self, client_cert_callback=None):
         :class:`_MutualTlsAdapter` instance will be mounted to "https://" prefix.
 
         Args:
-            client_cert_callabck (Optional[Callable[[], (bool, bytes, bytes)]]):
-                The optional callback returns a boolean indicating if the call
-                is successful, and the client certificate and private key bytes
-                both in PEM format.
-                If the call is not succesful, application default SSL credentials
+            client_cert_callabck (Optional[Callable[[], (bytes, bytes)]]):
+                The optional callback returns the client certificate and private
+                key bytes both in PEM format.
+                If the callback is None, application default SSL credentials
                 will be used.
 
         Raises:
diff --git a/google/auth/transport/urllib3.py b/google/auth/transport/urllib3.py
index cc21e773f..3b2ba28bc 100644
--- a/google/auth/transport/urllib3.py
+++ b/google/auth/transport/urllib3.py
@@ -202,11 +202,11 @@ class AuthorizedHttp(urllib3.request.RequestMethods):
     credentials' headers to the request and refreshing credentials as needed.
 
     This class also supports mutual TLS via :meth:`configure_mtls_channel`
-    method. This method first tries to load client certificate and private key
-    using the given client_cert_callabck; if callback is None or fails, it tries
-    to load application default SSL credentials. Exceptions are raised if there
-    are problems with the certificate, private key, or the loading process, so
-    it should be called within a try/except block.
+    method. If client_cert_callabck is provided, client certificate and private
+    key are loaded using the callback; if client_cert_callabck is None,
+    application default SSL credentials will be used. Exceptions are raised if
+    there are problems with the certificate, private key, or the loading process,
+    so it should be called within a try/except block.
 
     First we create an :class:`AuthorizedHttp` instance and specify the
     endpoints::
@@ -222,9 +222,8 @@ def my_cert_callback():
             # PEM format.
             some_code_to_load_client_cert_and_key()
             if loaded:
-                return True, cert, key
-            else:
-                return False, None, None
+                return cert, key
+            raise MyClientCertFailureException()
 
         # Always call configure_mtls_channel within a try/except block.
         try:
@@ -288,11 +287,10 @@ def configure_mtls_channel(self, client_cert_callabck=None):
         constructor will be overwritten.
 
         Args:
-            client_cert_callabck (Optional[Callable[[], (bool, bytes, bytes)]]):
-                The optional callback returns a boolean indicating if the call
-                is successful, and the client certificate and private key bytes
-                both in PEM format.
-                If the call is not succesful, application default SSL credentials
+            client_cert_callabck (Optional[Callable[[], (bytes, bytes)]]):
+                The optional callback returns the client certificate and private
+                key bytes both in PEM format.
+                If the callback is None, application default SSL credentials
                 will be used.
 
         Returns:
diff --git a/tests/transport/test__mtls_helper.py b/tests/transport/test__mtls_helper.py
index d14ac4744..5bf196797 100644
--- a/tests/transport/test__mtls_helper.py
+++ b/tests/transport/test__mtls_helper.py
@@ -190,11 +190,7 @@ def test_popen_raise_exception(self, mock_popen):
 class TestGetClientCertAndKey(object):
     def test_callback_success(self):
         callback = mock.Mock()
-        callback.return_value = (
-            True,
-            pytest.public_cert_bytes,
-            pytest.private_key_bytes,
-        )
+        callback.return_value = (pytest.public_cert_bytes, pytest.private_key_bytes)
 
         found_cert_key, cert, key = _mtls_helper.get_client_cert_and_key(callback)
         assert found_cert_key
diff --git a/tests/transport/test_requests.py b/tests/transport/test_requests.py
index 46d9a7bc8..3f3e14c05 100644
--- a/tests/transport/test_requests.py
+++ b/tests/transport/test_requests.py
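Review bot: The test change in test__mtls_helper.py (hunk at -190) only updates the success path to the new two-tuple contract; nothing visible in this diff exercises a callback that raises, which is the behaviour the commit relies on in place of the removed `(False, None, None)` return (an old failure-path test, if one exists, is outside this diff and would now need rewriting). A test in TestGetClientCertAndKey along the lines of `callback = mock.Mock(side_effect=ValueError())` / `with pytest.raises(ValueError):` / `_mtls_helper.get_client_cert_and_key(callback)` would pin that the exception propagates instead of falling through to the metadata-file path. The same gap applies to the configure_mtls_channel tests touched in test_requests.py and test_urllib3.py.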
@@ -360,7 +360,6 @@ def test_request_timeout_w_refresh_timeout_timeout_error(self, frozen_time):
     def test_configure_mtls_channel_with_callback(self):
         mock_callback = mock.Mock()
         mock_callback.return_value = (
-            True,
             pytest.public_cert_bytes,
             pytest.private_key_bytes,
         )
diff --git a/tests/transport/test_urllib3.py b/tests/transport/test_urllib3.py
index 67833c3a8..0452e9187 100644
--- a/tests/transport/test_urllib3.py
+++ b/tests/transport/test_urllib3.py
@@ -166,11 +166,8 @@ def test_proxies(self):
     @mock.patch("google.auth.transport.urllib3._make_mutual_tls_http", autospec=True)
     def test_configure_mtls_channel_with_callback(self, mock_make_mutual_tls_http):
         callback = mock.Mock()
-        callback.return_value = (
-            True,
-            pytest.public_cert_bytes,
-            pytest.private_key_bytes,
-        )
+        callback.return_value = (pytest.public_cert_bytes, pytest.private_key_bytes)
+
         authed_http = google.auth.transport.urllib3.AuthorizedHttp(
             credentials=mock.Mock(), http=mock.Mock()
         )