fix(auth): try talk to plaintext S2A if credentials can not be found …

…for mTLS-S2A (#10941)
googleapis · Oct 8, 2024 · 0f0bf2d · 0f0bf2d
1 parent 1a11675
commit 0f0bf2d
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 2 deletions.
diff --git a/auth/internal/transport/cba.go b/auth/internal/transport/cba.go
@@ -133,7 +133,11 @@ func GetGRPCTransportCredsAndEndpoint(opts *Options) (credentials.TransportCrede
 		transportCredsForS2A, err = loadMTLSMDSTransportCreds(mtlsMDSRoot, mtlsMDSKey)
 		if err != nil {
 			log.Printf("Loading MTLS MDS credentials failed: %v", err)
-			return defaultTransportCreds, config.endpoint, nil
+			if config.s2aAddress != "" {
+				s2aAddr = config.s2aAddress
+			} else {
+				return defaultTransportCreds, config.endpoint, nil
+			}
 		}
 	} else if config.s2aAddress != "" {
 		s2aAddr = config.s2aAddress
@@ -177,7 +181,11 @@ func GetHTTPTransportConfig(opts *Options) (cert.Provider, func(context.Context,
 		transportCredsForS2A, err = loadMTLSMDSTransportCreds(mtlsMDSRoot, mtlsMDSKey)
 		if err != nil {
 			log.Printf("Loading MTLS MDS credentials failed: %v", err)
-			return config.clientCertSource, nil, nil
+			if config.s2aAddress != "" {
+				s2aAddr = config.s2aAddress
+			} else {
+				return config.clientCertSource, nil, nil
+			}
 		}
 	} else if config.s2aAddress != "" {
 		s2aAddr = config.s2aAddress

diff --git a/auth/internal/transport/cba_test.go b/auth/internal/transport/cba_test.go
@@ -63,6 +63,20 @@ var (
 		return string(configStr), nil
 	}
 
+	validConfigRespDualS2A = func() (string, error) {
+		validConfig := mtlsConfig{
+			S2A: &s2aAddresses{
+				PlaintextAddress: testS2AAddr,
+				MTLSAddress:      testMTLSS2AAddr,
+			},
+		}
+		configStr, err := json.Marshal(validConfig)
+		if err != nil {
+			return "", err
+		}
+		return string(configStr), nil
+	}
+
 	errorConfigResp = func() (string, error) {
 		return "", fmt.Errorf("error getting config")
 	}
@@ -346,6 +360,15 @@ func TestGetGRPCTransportConfigAndEndpoint_S2A(t *testing.T) {
 			validConfigRespMTLSS2A,
 			testRegularEndpoint,
 		},
+		{
+			"no client cert, dual S2A addresses, no MTLS MDS cert",
+			&Options{
+				DefaultMTLSEndpoint:     testMTLSEndpoint,
+				DefaultEndpointTemplate: testEndpointTemplate,
+			},
+			validConfigRespDualS2A,
+			testMTLSEndpoint,
+		},
 	}
 	defer setupTest(t)()
 	for _, tc := range testCases {
@@ -445,6 +468,16 @@ func TestGetHTTPTransportConfig_S2A(t *testing.T) {
 			want:        testRegularEndpoint,
 			isDialFnNil: true,
 		},
+		{
+			name: "no client cert, dual S2A addresses, no MTLS MDS cert",
+			opts: &Options{
+				DefaultMTLSEndpoint:     testMTLSEndpoint,
+				DefaultEndpointTemplate: testEndpointTemplate,
+			},
+			s2ARespFn:   validConfigRespDualS2A,
+			want:        testMTLSEndpoint,
+			isDialFnNil: false,
+		},
 	}
 	defer setupTest(t)()
 	for _, tc := range testCases {