feat(auth): mTLS endpoint for Regional Access Boundaries#13318
feat(auth): mTLS endpoint for Regional Access Boundaries#13318vverman wants to merge 10 commits into
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces centralized mTLS enablement checks and adds fallback support for SPIFFE credentials in MtlsUtils and X509Provider, alongside integrating mTLS transport initialization during regional access boundary refreshes. The review feedback suggests optimizing performance by removing redundant configuration checks and file parsing in X509Provider.getKeyStore() and GoogleCredentials.java, and improving robustness in RegionalAccessBoundary.java by replacing only the host name in the IAM credentials URL.
vverman
changed the title
lsirac
left a comment
lsirac
left a comment
There was a problem hiding this comment.
Should we be checking GOOGLE_API_USE_MTLS_ENDPOINT?
| * @throws IOException if the configuration file is present but contains missing or malformed | ||
| * files | ||
| */ | ||
| public static boolean canMtlsBeEnabled( |
There was a problem hiding this comment.
I’m not sure that cert being present == automatically use mTLS. They can be using different credentials / not using it at all. So then we’d be adding mTLS setup and calls for credentials that are not actually using it.
I think the decision should be based on the credential type, and perhaps expose some state from the credential that we can use to check if mTLS should happen for these calls.
Added an E2E test to check the call to RAB mtls endpoint and check x-allowed-locations header. Unified redundant method(s) waitForRegionalAccessBoundary.
vverman
force-pushed
the
regional-access-boundaries
branch
from
2c53152 to
48c3b59
Compare
| * @throws IOException if the configuration file is present but contains missing or malformed | ||
| * files | ||
| */ | ||
| public static boolean canMtlsBeEnabled( |
There was a problem hiding this comment.
nit: can this be updated to canBeEnabled or isEnabled? I think mtls when writing MtlsUtil.canMtlsBeEnabled is a bit redundant and the context exists.
There was a problem hiding this comment.
I think the eventual goal wrt MWLID is to move to a this singular method to be used by all client libraries which depend on google-auth-java to use the canMtlsBeEnabled to determine whether or not they should use mTLS.
There was a problem hiding this comment.
We can rename it later at the new location whenever it comes to that. For now, can we update the name for the existing file (in case the future changes get deprioritized)
| if (policy == MtlsEndpointUsagePolicy.NEVER) { | ||
| return false; | ||
| } | ||
| if (policy == MtlsEndpointUsagePolicy.ALWAYS) { | ||
| return true; | ||
| } |
There was a problem hiding this comment.
Can we move the Never policy up so that the method returns fast?
For the Always policy, why do we return true and not check the configs below? Do we only check the configs for auto?
There was a problem hiding this comment.
I think the first priority goes to the GOOGLE_API_USE_CLIENT_CERTIFICATE which is why we check it first.
The reason I chose to keep the Never check down is that it allows us to pair it with the Always check.
There was a problem hiding this comment.
IIUC from the logic, the order shouldn't matter except for ALWAYS. It's just a small nitpick from my end since it makes it easier for me to track the states once we rule out different states at the top.
Bumping the second part of the question: Why does Always simply return true? IIUC, only AUTO ends up checking the state of the config file right? Is that intended?
There was a problem hiding this comment.
IIUC from the logic, the order shouldn't matter except for ALWAYS
As per AIP-4114, we should prioritize GOOGLE_API_USE_CLIENT_CERTIFICATE i.e. if it is set to false, even if GOOGLE_API_USE_MTLS_ENDPOINT is set to ALWAYS, we will not enable mTLS.
Why does
Alwayssimply return true
Yes this is intentional, we will always try to call mTLS endpoint even if the cert hasn't been discovered.
only
AUTOends up checking the config state
That's right, as the default value, only when certs are discovered shall we attempt to switch to mTLS.
| @Override | ||
| public boolean isAvailable() throws IOException { | ||
| try { | ||
| this.getKeyStore(); |
There was a problem hiding this comment.
I vaguely remember this and the unfortunate hack we had to make to determine if each MtlsProvider could be used. I recall that there wasn't a way to determine if it could be used without having to initialize the keystore and create it.
If we change it to MtlsUtils.canMtlsBeEnabled I think it ends up changing how we determine if each provider can be used right?
I just want to check what the exact requirements are for determining if X509PRovider can be used or not. Is it just checking if Mtls can be used and that the files exist and we don't need to create the KeyStore?
There was a problem hiding this comment.
The getKeyStore before was doing the same cert-detection logic that the canMtlsBeEnabled does.
The only addition with the canMtlsBeEnabled is that we're also checking for the GOOGLE_API_USE_MTLS_ENDPOINT env variable. To respect the AIP.
Technically it was a 'bug' in the previous implementation since we weren't checking for it.
There was a problem hiding this comment.
IIUC, for X509 was doing a bit more as it was loading the cert file and the private key path and building the actual keystore. If this extra step isn't actually needed, then I think it can be replaced with canMtlsBeEnabled. I'm not the biggest fan of having to build the keystore to determine if we can use it, so any way to simply it would be better and I would prefer this if possible.
I think I actually prefer to get rid/ not use isAvailable at all if possible
There was a problem hiding this comment.
I think I actually prefer to get rid/ not use
isAvailableat all if possible
We're restricted to this because X509Provider implements MtlsProvider which defines the isAvailable in the contract.
IIUC MtlsProvider used to live in the gax library from whence it was moved to the auth lib and code within gax relies on the isAvailable method.
| MtlsUtils.MtlsEndpointUsagePolicy mtlsPolicy = | ||
| MtlsUtils.getMtlsEndpointUsagePolicy(SystemEnvironmentProvider.getInstance()); | ||
| if (transportFactory instanceof com.google.auth.mtls.MtlsHttpTransportFactory | ||
| || mtlsPolicy == MtlsUtils.MtlsEndpointUsagePolicy.ALWAYS) { | ||
| url = url.replace("iamcredentials.googleapis.com", "iamcredentials.mtls.googleapis.com"); | ||
| } |
There was a problem hiding this comment.
qq, does this need to be done within refresh()? IIUC, the mtls configs should not be changing and I wonder if we can do this once?
There was a problem hiding this comment.
That's a good point, I added a cache for checking the userMtlsPolicy so we check only the first time.
Though this shouldn't have a material effect because we only do the refresh once every 5 hours, still I think this is the right call.
| transportFactory = | ||
| MtlsUtils.prepareTransportFactoryIfMtlsEnabled( | ||
| transportFactory, getEnvironmentProvider(), getPropertyProvider(), null); |
There was a problem hiding this comment.
This looks to be setting the transport only for RAB requests. Is that intended as other auth endpoints may not support mTLS?
I was thinking that we just configure the default http transport to resolve whether mtls or not should be used:
There was a problem hiding this comment.
That is a good suggestion, I believe the python library does something similar where it dynamically switches to the mtls transport for all requests when it discovers that mTLS is enabled.
I think this can be for a future implementation since we are focused on RAB. This change might span across STS and IAM calls as well.
|
|
||
| MtlsEndpointUsagePolicy mtlsPolicy = getMtlsEndpointUsagePolicy(envProvider); | ||
| try { | ||
| boolean canMtls = canMtlsBeEnabled(envProvider, propProvider, certConfigPathOverride); |
There was a problem hiding this comment.
nit: rename boolean field to mtlsEnabled
There was a problem hiding this comment.
I think that'll clash with mtlsutils.canBeEnabled.
Instead changed it to -> userMtlsPolicy
4 participants
Added logic to: