feat: implement mtls env variables mentioned in aip.dev/auth/4114 (#39)

This PR was generated using Autosynth. 🌈 Synth log will be available here: https://source.cloud.google.com/results/invocations/eb7165ef-a82f-4002-b64d-f55176216eb7/targets - [ ] To automatically regenerate this PR, check this box.

Author: yoshi-automation

google/cloud/bigquery/reservation_v1/services/reservation_service/async_client.py

@@ -112,16 +112,19 @@ def __init__(
  client_options (ClientOptions): Custom options for the client. It
  won't take effect if a ``transport`` instance is provided.
  (1) The ``api_endpoint`` property can be used to override the
- default endpoint provided by the client. GOOGLE_API_USE_MTLS
+ default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT
  environment variable can also be used to override the endpoint:
  "always" (always use the default mTLS endpoint), "never" (always
- use the default regular endpoint, this is the default value for
- the environment variable) and "auto" (auto switch to the default
- mTLS endpoint if client SSL credentials is present). However,
- the ``api_endpoint`` property takes precedence if provided.
- (2) The ``client_cert_source`` property is used to provide client
- SSL credentials for mutual TLS transport. If not provided, the
- default SSL credentials will be used if present.
+ use the default regular endpoint) and "auto" (auto switch to the
+ default mTLS endpoint if client certificate is present, this is
+ the default value). However, the ``api_endpoint`` property takes
+ precedence if provided.
+ (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable
+ is "true", then the ``client_cert_source`` property can be used
+ to provide client certificate for mutual TLS transport. If
+ not provided, the default SSL client certificate will be used if
+ present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not
+ set, no client certificate will be used.
 
  Raises:
  google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport

google/cloud/bigquery/reservation_v1/services/reservation_service/client.py

@@ -16,6 +16,7 @@
 #
 
 from collections import OrderedDict
+from distutils import util
 import os
 import re
 from typing import Callable, Dict, Sequence, Tuple, Type, Union
@@ -27,6 +28,7 @@
 from google.api_core import retry as retries # type: ignore
 from google.auth import credentials # type: ignore
 from google.auth.transport import mtls # type: ignore
+from google.auth.transport.grpc import SslCredentials # type: ignore
 from google.auth.exceptions import MutualTLSChannelError # type: ignore
 from google.oauth2 import service_account # type: ignore
 
@@ -244,16 +246,19 @@ def __init__(
  client_options (ClientOptions): Custom options for the client. It
  won't take effect if a ``transport`` instance is provided.
  (1) The ``api_endpoint`` property can be used to override the
- default endpoint provided by the client. GOOGLE_API_USE_MTLS
+ default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT
  environment variable can also be used to override the endpoint:
  "always" (always use the default mTLS endpoint), "never" (always
- use the default regular endpoint, this is the default value for
- the environment variable) and "auto" (auto switch to the default
- mTLS endpoint if client SSL credentials is present). However,
- the ``api_endpoint`` property takes precedence if provided.
- (2) The ``client_cert_source`` property is used to provide client
- SSL credentials for mutual TLS transport. If not provided, the
- default SSL credentials will be used if present.
+ use the default regular endpoint) and "auto" (auto switch to the
+ default mTLS endpoint if client certificate is present, this is
+ the default value). However, the ``api_endpoint`` property takes
+ precedence if provided.
+ (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable
+ is "true", then the ``client_cert_source`` property can be used
+ to provide client certificate for mutual TLS transport. If
+ not provided, the default SSL client certificate will be used if
+ present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not
+ set, no client certificate will be used.
  client_info (google.api_core.gapic_v1.client_info.ClientInfo):
  The client info used to send a user-agent string along with
  API requests. If ``None``, then default info will be used.
@@ -269,25 +274,43 @@ def __init__(
  if client_options is None:
  client_options = ClientOptions.ClientOptions()
 
- if client_options.api_endpoint is None:
- use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS", "never")
+ # Create SSL credentials for mutual TLS if needed.
+ use_client_cert = bool(
+ util.strtobool(os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"))
+ )
+
+ ssl_credentials = None
+ is_mtls = False
+ if use_client_cert:
+ if client_options.client_cert_source:
+ import grpc # type: ignore
+
+ cert, key = client_options.client_cert_source()
+ ssl_credentials = grpc.ssl_channel_credentials(
+ certificate_chain=cert, private_key=key
+ )
+ is_mtls = True
+ else:
+ creds = SslCredentials()
+ is_mtls = creds.is_mtls
+ ssl_credentials = creds.ssl_credentials if is_mtls else None
+
+ # Figure out which api endpoint to use.
+ if client_options.api_endpoint is not None:
+ api_endpoint = client_options.api_endpoint
+ else:
+ use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto")
  if use_mtls_env == "never":
- client_options.api_endpoint = self.DEFAULT_ENDPOINT
+ api_endpoint = self.DEFAULT_ENDPOINT
  elif use_mtls_env == "always":
- client_options.api_endpoint = self.DEFAULT_MTLS_ENDPOINT
+ api_endpoint = self.DEFAULT_MTLS_ENDPOINT
  elif use_mtls_env == "auto":
- has_client_cert_source = (
- client_options.client_cert_source is not None
- or mtls.has_default_client_cert_source()
- )
- client_options.api_endpoint = (
- self.DEFAULT_MTLS_ENDPOINT
- if has_client_cert_source
- else self.DEFAULT_ENDPOINT
+ api_endpoint = (
+ self.DEFAULT_MTLS_ENDPOINT if is_mtls else self.DEFAULT_ENDPOINT
  )
  else:
  raise MutualTLSChannelError(
- "Unsupported GOOGLE_API_USE_MTLS value. Accepted values: never, auto, always"
+ "Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted values: never, auto, always"
  )
 
  # Save or instantiate the transport.
@@ -311,10 +334,9 @@ def __init__(
  self._transport = Transport(
  credentials=credentials,
  credentials_file=client_options.credentials_file,
- host=client_options.api_endpoint,
+ host=api_endpoint,
  scopes=client_options.scopes,
- api_mtls_endpoint=client_options.api_endpoint,
- client_cert_source=client_options.client_cert_source,
+ ssl_channel_credentials=ssl_credentials,
  quota_project_id=client_options.quota_project_id,
  client_info=client_info,
  )

google/cloud/bigquery/reservation_v1/services/reservation_service/transports/grpc.py

@@ -15,6 +15,7 @@
 # limitations under the License.
 #
 
+import warnings
 from typing import Callable, Dict, Optional, Sequence, Tuple
 
 from google.api_core import grpc_helpers # type: ignore
@@ -23,7 +24,6 @@
 from google.auth import credentials # type: ignore
 from google.auth.transport.grpc import SslCredentials # type: ignore
 
-
 import grpc # type: ignore
 
 from google.cloud.bigquery.reservation_v1.types import reservation
@@ -74,6 +74,7 @@ def __init__(
  channel: grpc.Channel = None,
  api_mtls_endpoint: str = None,
  client_cert_source: Callable[[], Tuple[bytes, bytes]] = None,
+ ssl_channel_credentials: grpc.ChannelCredentials = None,
  quota_project_id: Optional[str] = None,
  client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
  ) -> None:
@@ -94,14 +95,16 @@ def __init__(
  ignored if ``channel`` is provided.
  channel (Optional[grpc.Channel]): A ``Channel`` instance through
  which to make calls.
- api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If
- provided, it overrides the ``host`` argument and tries to create
+ api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint.
+ If provided, it overrides the ``host`` argument and tries to create
  a mutual TLS channel with client SSL credentials from
  ``client_cert_source`` or applicatin default SSL credentials.
- client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A
- callback to provide client SSL certificate bytes and private key
- bytes, both in PEM format. It is ignored if ``api_mtls_endpoint``
- is None.
+ client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]):
+ Deprecated. A callback to provide client SSL certificate bytes and
+ private key bytes, both in PEM format. It is ignored if
+ ``api_mtls_endpoint`` is None.
+ ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials
+ for grpc channel. It is ignored if ``channel`` is provided.
  quota_project_id (Optional[str]): An optional project to use for billing
  and quota.
  client_info (google.api_core.gapic_v1.client_info.ClientInfo):
@@ -124,6 +127,11 @@ def __init__(
  # If a channel was explicitly provided, set it.
  self._grpc_channel = channel
  elif api_mtls_endpoint:
+ warnings.warn(
+ "api_mtls_endpoint and client_cert_source are deprecated",
+ DeprecationWarning,
+ )
+
  host = (
  api_mtls_endpoint
  if ":" in api_mtls_endpoint
@@ -154,6 +162,23 @@ def __init__(
  scopes=scopes or self.AUTH_SCOPES,
  quota_project_id=quota_project_id,
  )
+ else:
+ host = host if ":" in host else host + ":443"
+
+ if credentials is None:
+ credentials, _ = auth.default(
+ scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id
+ )
+
+ # create a new channel. The provided one is ignored.
+ self._grpc_channel = type(self).create_channel(
+ host,
+ credentials=credentials,
+ credentials_file=credentials_file,
+ ssl_credentials=ssl_channel_credentials,
+ scopes=scopes or self.AUTH_SCOPES,
+ quota_project_id=quota_project_id,
+ )
 
  self._stubs = {} # type: Dict[str, Callable]
 
@@ -219,13 +244,6 @@ def grpc_channel(self) -> grpc.Channel:
  This property caches on the instance; repeated calls return
  the same channel.
  """
- # Sanity check: Only create a new channel if we do not already
- # have one.
- if not hasattr(self, "_grpc_channel"):
- self._grpc_channel = self.create_channel(
- self._host, credentials=self._credentials,
- )
-
  # Return the channel from cache.
  return self._grpc_channel
 

google/cloud/bigquery/reservation_v1/services/reservation_service/transports/grpc_asyncio.py

@@ -15,10 +15,12 @@
 # limitations under the License.
 #
 
+import warnings
 from typing import Awaitable, Callable, Dict, Optional, Sequence, Tuple
 
 from google.api_core import gapic_v1 # type: ignore
 from google.api_core import grpc_helpers_async # type: ignore
+from google import auth # type: ignore
 from google.auth import credentials # type: ignore
 from google.auth.transport.grpc import SslCredentials # type: ignore
 
@@ -116,6 +118,7 @@ def __init__(
  channel: aio.Channel = None,
  api_mtls_endpoint: str = None,
  client_cert_source: Callable[[], Tuple[bytes, bytes]] = None,
+ ssl_channel_credentials: grpc.ChannelCredentials = None,
  quota_project_id=None,
  client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
  ) -> None:
@@ -137,14 +140,16 @@ def __init__(
  are passed to :func:`google.auth.default`.
  channel (Optional[aio.Channel]): A ``Channel`` instance through
  which to make calls.
- api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If
- provided, it overrides the ``host`` argument and tries to create
+ api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint.
+ If provided, it overrides the ``host`` argument and tries to create
  a mutual TLS channel with client SSL credentials from
  ``client_cert_source`` or applicatin default SSL credentials.
- client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A
- callback to provide client SSL certificate bytes and private key
- bytes, both in PEM format. It is ignored if ``api_mtls_endpoint``
- is None.
+ client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]):
+ Deprecated. A callback to provide client SSL certificate bytes and
+ private key bytes, both in PEM format. It is ignored if
+ ``api_mtls_endpoint`` is None.
+ ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials
+ for grpc channel. It is ignored if ``channel`` is provided.
  quota_project_id (Optional[str]): An optional project to use for billing
  and quota.
  client_info (google.api_core.gapic_v1.client_info.ClientInfo):
@@ -167,12 +172,22 @@ def __init__(
  # If a channel was explicitly provided, set it.
  self._grpc_channel = channel
  elif api_mtls_endpoint:
+ warnings.warn(
+ "api_mtls_endpoint and client_cert_source are deprecated",
+ DeprecationWarning,
+ )
+
  host = (
  api_mtls_endpoint
  if ":" in api_mtls_endpoint
  else api_mtls_endpoint + ":443"
  )
 
+ if credentials is None:
+ credentials, _ = auth.default(
+ scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id
+ )
+
  # Create SSL credentials with client_cert_source or application
  # default SSL credentials.
  if client_cert_source:
@@ -192,6 +207,23 @@ def __init__(
  scopes=scopes or self.AUTH_SCOPES,
  quota_project_id=quota_project_id,
  )
+ else:
+ host = host if ":" in host else host + ":443"
+
+ if credentials is None:
+ credentials, _ = auth.default(
+ scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id
+ )
+
+ # create a new channel. The provided one is ignored.
+ self._grpc_channel = type(self).create_channel(
+ host,
+ credentials=credentials,
+ credentials_file=credentials_file,
+ ssl_credentials=ssl_channel_credentials,
+ scopes=scopes or self.AUTH_SCOPES,
+ quota_project_id=quota_project_id,
+ )
 
  # Run the base constructor.
  super().__init__(
@@ -212,13 +244,6 @@ def grpc_channel(self) -> aio.Channel:
  This property caches on the instance; repeated calls return
  the same channel.
  """
- # Sanity check: Only create a new channel if we do not already
- # have one.
- if not hasattr(self, "_grpc_channel"):
- self._grpc_channel = self.create_channel(
- self._host, credentials=self._credentials,
- )
-
  # Return the channel from cache.
  return self._grpc_channel
 

synth.metadata

@@ -4,7 +4,7 @@
  "git": {
  "name": ".",
  "remote": "https://github.com/googleapis/python-bigquery-reservation.git",
- "sha": "1136cae5bf131f9e6aa54aa081416f7f0848eba1"
+ "sha": "660abdcc27a9c584d9a771dbf80bcc53fb0a5797"
  }
  },
  {