fix(auth): align mTLS discovery and enforce fail-fast transport configuration.#17470
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces auto-enablement of mTLS when workload certificates are discovered (including at a well-known SPIFFE path) and changes the library's behavior to fail fast with a MutualTLSChannelError instead of silently falling back to standard TLS when mTLS is expected but certificates cannot be loaded. The review feedback suggests several improvements: aligning the environment variable checks in _agent_identity_utils.py to treat any value other than 'true' as disabled, correcting a misleading exception message in sessions.py when a custom request handler is used, and making the SPIFFE certificate path check more robust by using path.isfile and handling potential OSError exceptions.
|
Summary of Changes Aligned with PR 17387:
New fixes addressing PR 17470 comments:
|
nbayati
left a comment
There was a problem hiding this comment.
Just left a comment on the docstring update, otherwise LGTM!
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request refactors mTLS configuration and client certificate checks across multiple transports (aio, requests, urllib3) to respect explicit opt-outs and handle custom transports gracefully by setting _is_mtls to False and logging warnings. It also improves error handling for missing workload certificate paths and introduces corresponding unit tests. The reviewer feedback recommends correcting a docstring mismatch in a new test that incorrectly states an exception is raised, and improving test isolation by clearing all relevant environment variables in the auto-enablement test.
🤖 I have created a release *beep* *boop* --- <details><summary>db-dtypes: 1.7.1</summary> ## [1.7.1](db-dtypes-v1.7.0...db-dtypes-v1.7.1) (2026-07-07) ### Bug Fixes * avoid deprecated unitless operations for NumPy 2.5 compatibility ([#17589](#17589)) ([d0b2abc](d0b2abc)) </details> <details><summary>gapic-generator: 1.37.0</summary> ## [1.37.0](gapic-generator-v1.36.0...gapic-generator-v1.37.0) (2026-07-07) ### Features * implement native PEP 0810 lazy loading ([#17591](#17591)) ([8a1270c](8a1270c)) ### Bug Fixes * **deps:** bump google-api-core to 2.25.0 ([#17599](#17599)) ([8b359e2](8b359e2)) * **tests:** add --cov-append to gapic-generator and proto-plus to preserve monorepo coverage ([#17603](#17603)) ([2ddcf4d](2ddcf4d)) </details> <details><summary>google-auth: 2.55.2</summary> ## [2.55.2](google-auth-v2.55.1...google-auth-v2.55.2) (2026-07-07) ### Bug Fixes * **auth:** Agentic Identites mTLS gaps fix _is_mtls and SslCredentials. ([#17387](#17387)) ([7bfa41a](7bfa41a)) * **auth:** align mTLS discovery and enforce fail-fast transport configuration. ([#17470](#17470)) ([f492d3d](f492d3d)) * **auth:** handle PermissionError on workload certificates to avoid startup hang and crash ([#17568](#17568)) ([f538ad8](f538ad8)) </details> <details><summary>google-cloud-agentregistry: 0.1.0</summary> ## 0.1.0 (2026-07-07) ### Features * **google/cloud/agentregistry/v1:** add google-cloud-agentregistry ([#17565](#17565)) ([f479800](f479800)) </details> <details><summary>google-cloud-biglake-hive: 0.3.1</summary> ## [0.3.1](google-cloud-biglake-hive-v0.3.0...google-cloud-biglake-hive-v0.3.1) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-bigquery: 3.42.2</summary> ## [3.42.2](google-cloud-bigquery-v3.42.1...google-cloud-bigquery-v3.42.2) (2026-07-07) ### Bug Fixes * **bigquery:** avoid SSLError retry loop ([#17489](#17489)) ([8248d8e](8248d8e)) * include amended user agent in read client ([#17592](#17592)) ([c43caee](c43caee)) </details> <details><summary>google-cloud-binary-authorization: 1.18.0</summary> ## [1.18.0](google-cloud-binary-authorization-v1.17.0...google-cloud-binary-authorization-v1.18.0) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-chronicle: 0.6.2</summary> ## [0.6.2](google-cloud-chronicle-v0.6.1...google-cloud-chronicle-v0.6.2) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-dataform: 0.11.2</summary> ## [0.11.2](google-cloud-dataform-v0.11.1...google-cloud-dataform-v0.11.2) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-dataproc: 5.30.0</summary> ## [5.30.0](google-cloud-dataproc-v5.29.0...google-cloud-dataproc-v5.30.0) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-datastore: 2.26.0</summary> ## [2.26.0](google-cloud-datastore-v2.25.0...google-cloud-datastore-v2.26.0) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-dialogflow: 2.50.0</summary> ## [2.50.0](google-cloud-dialogflow-v2.49.0...google-cloud-dialogflow-v2.50.0) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-kms: 3.15.0</summary> ## [3.15.0](google-cloud-kms-v3.14.0...google-cloud-kms-v3.15.0) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-logging: 3.16.1</summary> ## [3.16.1](google-cloud-logging-v3.16.0...google-cloud-logging-v3.16.1) (2026-07-07) ### Documentation * **logging:** fix StructuredLogHandler docstring parameter name ([#17625](#17625)) ([32862f0](32862f0)), closes [#17604](#17604) </details> <details><summary>google-cloud-modelarmor: 0.7.1</summary> ## [0.7.1](google-cloud-modelarmor-v0.7.0...google-cloud-modelarmor-v0.7.1) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-network-security: 0.13.3</summary> ## [0.13.3](google-cloud-network-security-v0.13.2...google-cloud-network-security-v0.13.3) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-saasplatform-saasservicemgmt: 0.7.1</summary> ## [0.7.1](google-cloud-saasplatform-saasservicemgmt-v0.7.0...google-cloud-saasplatform-saasservicemgmt-v0.7.1) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-securesourcemanager: 0.6.1</summary> ## [0.6.1](google-cloud-securesourcemanager-v0.6.0...google-cloud-securesourcemanager-v0.6.1) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>google-cloud-storage: 3.12.1</summary> ## [3.12.1](google-cloud-storage-v3.12.0...google-cloud-storage-v3.12.1) (2026-07-07) ### Bug Fixes * **storage:** log occasional (1 in 5 million) additional bytes received from GCS in read path ([#17423](#17423)) ([335c12f](335c12f)) </details> <details><summary>google-cloud-support: 0.5.1</summary> ## [0.5.1](google-cloud-support-v0.5.0...google-cloud-support-v0.5.1) (2026-07-07) ### Features * update googleapis and regenerate ([#17635](#17635)) ([9638879](9638879)) </details> <details><summary>proto-plus: 1.28.1</summary> ## [1.28.1](proto-plus-v1.28.0...proto-plus-v1.28.1) (2026-07-07) ### Bug Fixes * **tests:** add --cov-append to gapic-generator and proto-plus to preserve monorepo coverage ([#17603](#17603)) ([2ddcf4d](2ddcf4d)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
This PR resolves two mTLS issues:
(1) it synchronizes the transport and token discovery paths to check for workload certs and library support, preventing mismatched bound tokens, and
(2) it enforces fail-fast error behavior in all transports if mTLS configuration fails, avoiding silent fallback to insecure TLS. These align token and transport states securely.