Skip to content

fix(auth): Agentic Identites mTLS gaps fix _is_mtls and SslCredentials.#17387

Merged
vverman merged 9 commits into
googleapis:mainfrom
vverman:agentic-identity-fix-mtls-gaps-1
Jul 1, 2026
Merged

fix(auth): Agentic Identites mTLS gaps fix _is_mtls and SslCredentials.#17387
vverman merged 9 commits into
googleapis:mainfrom
vverman:agentic-identity-fix-mtls-gaps-1

Conversation

@vverman

@vverman vverman commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Resolve some mTLS transport state and gRPC workload certificate issues

  • Fix inconsistent _is_mtls flag in urllib3 on fallback to default HTTP.

  • Reset _is_mtls to False in async sessions if a custom request handler cannot be reconfigured.

  • Update gRPC SslCredentials to recognize workload certificates by checking has_default_client_cert_source instead of only SecureConnect.

@vverman vverman requested review from a team as code owners June 6, 2026 03:56
@vverman vverman requested a review from nbayati June 6, 2026 03:56

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the mTLS configuration logic across the aio, grpc, and urllib3 transports to ensure that _is_mtls is explicitly set to False when falling back to standard connections or when custom requests cannot support mTLS. Additionally, grpc.py now utilizes mtls.has_default_client_cert_source() to determine the mTLS state. Corresponding unit tests have been added to verify these changes. I have no feedback to provide as there are no review comments to evaluate.

Comment on lines +495 to +500
ssl_credentials = google.auth.transport.grpc.SslCredentials()

# If a workload certificate config exists on the device (and use_client_cert is true),
# is_mtls must be True and get_client_ssl_credentials should be invoked.
assert ssl_credentials.ssl_credentials is not None
assert ssl_credentials.is_mtls

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ssl_credentials = google.auth.transport.grpc.SslCredentials()
# If a workload certificate config exists on the device (and use_client_cert is true),
# is_mtls must be True and get_client_ssl_credentials should be invoked.
assert ssl_credentials.ssl_credentials is not None
assert ssl_credentials.is_mtls
ssl_credentials = google.auth.transport.grpc.SslCredentials()
# If a workload certificate config exists on the device (and use_client_cert is true),
# is_mtls must be True and get_client_ssl_credentials should be invoked.
assert ssl_credentials.ssl_credentials is not None
assert ssl_credentials.is_mtls

@nbayati nbayati left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Since this PR resolves existing bugs rather than introducing new features, the PR title prefix should be fix(auth) instead of feat(auth).

Comment thread packages/google-auth/google/auth/transport/grpc.py Outdated
Comment thread packages/google-auth/google/auth/transport/grpc.py
Comment thread packages/google-auth/tests/transport/test_grpc.py
Comment thread packages/google-auth/google/auth/aio/transport/sessions.py Outdated
Comment thread packages/google-auth/google/auth/transport/urllib3.py
@vverman vverman changed the title feat(auth): Agentic Identites mTLS gaps fix _is_mtls and SslCredentials. fix(auth): Agentic Identites mTLS gaps fix _is_mtls and SslCredentials. Jun 22, 2026
@vverman vverman requested a review from nbayati June 23, 2026 01:04

@nbayati nbayati left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR! I have completed a review of the changes. Here are some comments regarding potential state leakage, resource leaks, and mismatches when configuration exceptions occur.

Comment thread packages/google-auth/google/auth/aio/transport/sessions.py Outdated
Comment thread packages/google-auth/google/auth/aio/transport/sessions.py Outdated
Comment thread packages/google-auth/google/auth/transport/requests.py Outdated
Comment thread packages/google-auth/google/auth/transport/urllib3.py Outdated
Comment thread packages/google-auth/tests/transport/aio/test_sessions_mtls.py
@vverman vverman requested a review from nbayati June 26, 2026 04:15
Comment thread packages/google-auth/google/auth/transport/urllib3.py Outdated
Comment thread packages/google-auth/google/auth/transport/requests.py Outdated
Comment thread packages/google-auth/google/auth/transport/urllib3.py Outdated
Comment thread packages/google-auth/google/auth/transport/grpc.py Outdated
@vverman vverman force-pushed the agentic-identity-fix-mtls-gaps-1 branch from 87a3463 to e8bb0b7 Compare June 27, 2026 00:29
@vverman vverman force-pushed the agentic-identity-fix-mtls-gaps-1 branch from e8bb0b7 to 19b8120 Compare June 27, 2026 00:32
@vverman vverman requested a review from nbayati June 27, 2026 00:34

@nbayati nbayati left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work Pranav! Before we merge, there are just a few minor cleanups and test coverage gaps we need to address to ensure these fixes remain robust long-term.

Comment thread packages/google-auth/google/auth/aio/transport/sessions.py
Comment thread packages/google-auth/google/auth/transport/grpc.py Outdated
_mtls_helper.CONTEXT_AWARE_METADATA_PATH
)
self._is_mtls = metadata_path is not None
self._is_mtls = mtls.has_default_client_cert_source()

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This helper ignores CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH (the context-aware fallback configuration path), so we will have a mismatch state where use_client_cert will return true but has_default_client_cert_source misses that path.
It's an existing issue with has_default_client_cert_source() though, so probably out of scope for this PR.
I'll document this so we can fix it in a future PR.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, I'll leave this open!

Comment thread packages/google-auth/google/auth/aio/transport/sessions.py Outdated
Comment thread packages/google-auth/tests/transport/test_grpc.py
Comment thread packages/google-auth/tests/transport/aio/test_sessions_mtls.py
Comment thread packages/google-auth/tests/transport/aio/test_sessions_mtls.py
@vverman vverman requested a review from nbayati June 30, 2026 00:57
Comment thread packages/google-auth/google/auth/aio/transport/sessions.py Outdated
@vverman vverman force-pushed the agentic-identity-fix-mtls-gaps-1 branch from 49899cd to a9b434c Compare June 30, 2026 22:57
@vverman vverman merged commit 7bfa41a into googleapis:main Jul 1, 2026
30 checks passed
@release-please release-please Bot mentioned this pull request Jul 1, 2026
g-husam pushed a commit that referenced this pull request Jul 1, 2026
…s. (#17387)

Resolve some mTLS transport state and gRPC workload certificate issues


- Fix inconsistent `_is_mtls` flag in `urllib3` on fallback to default
HTTP.

- Reset `_is_mtls` to `False` in async `sessions` if a custom request
handler cannot be reconfigured.

- Update gRPC `SslCredentials` to recognize workload certificates by
checking `has_default_client_cert_source` instead of only SecureConnect.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants