Skip to content

feat(api_core): add mtls and client configuration logic to gapic_v1#17750

Open
hebaalazzeh wants to merge 31 commits into
mainfrom
feat/gapic-centralization-api-core-mtls
Open

feat(api_core): add mtls and client configuration logic to gapic_v1#17750
hebaalazzeh wants to merge 31 commits into
mainfrom
feat/gapic-centralization-api-core-mtls

Conversation

@hebaalazzeh

@hebaalazzeh hebaalazzeh commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Introduces client_utils containing use_client_cert_effective, get_client_cert_source, and read_environment_variables helpers. Exposes this module as public in gapic_v1.

The unit tests in test_client_utils.py are now identical to the generator's original test template test_service.py.j2.

Specifically, the following tests verify the helpers:

…public helpers

Introduces client_cert and config_helpers modules containing use_client_cert_effective, get_client_cert_source, and read_environment_variables helpers. Exposes these modules as public in gapic_v1.
…public helpers

Introduces routing module containing get_api_endpoint, get_default_mtls_endpoint, and get_universe_domain helpers. Exposes the module as public in gapic_v1.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces helper modules client_cert.py and config_helpers.py to handle client certificate loading and environment variable parsing for mTLS, along with corresponding unit tests and test environment isolation. The review feedback advises against silently falling back to standard TLS when mTLS is requested but no certificate source is found, suggesting instead to raise a ValueError and add a test case to verify this behavior.

Comment thread packages/google-api-core/google/api_core/gapic_v1/client_cert.py Outdated
Comment thread packages/google-api-core/tests/unit/gapic/test_client_cert.py Outdated
@hebaalazzeh
hebaalazzeh marked this pull request as ready for review July 16, 2026 22:03
@hebaalazzeh
hebaalazzeh requested a review from a team as a code owner July 16, 2026 22:03
@hebaalazzeh hebaalazzeh self-assigned this Jul 16, 2026
@hebaalazzeh

Copy link
Copy Markdown
Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces helper modules client_cert and config_helpers under google/api_core/gapic_v1 to manage client certificate handling, mTLS authentication, and parsing of environment variables such as GOOGLE_API_USE_CLIENT_CERTIFICATE, GOOGLE_API_USE_MTLS_ENDPOINT, and GOOGLE_CLOUD_UNIVERSE_DOMAIN. It also includes comprehensive unit tests and a test fixture to isolate unit tests from workstation mTLS environments. I have no feedback to provide as there are no review comments.

@daniel-sanche daniel-sanche changed the title chore(api_core): move mtls and client configuration logic to gapic_v1 feat(api_core): add mtls and client configuration logic to gapic_v1 Jul 17, 2026
hebaalazzeh and others added 7 commits July 17, 2026 12:17
…tion leaks (#17689)

This PR is fixing two issues found in the auth library:

 1. Adapter Connection Leaks
Whenever the `configure_mtls_channel()` method was called, the code
would create a new mTLS `HTTPAdapter` and mount it to `"https://"`.
However, it never closed the *old* adapter it was replacing. Because of
how the underlying `requests` and `urllib3` libraries work, the old
adapter's connection pool was left open, creating dangling sockets and
eventually causing file descriptor exhaustion.
**The Fix:** I updated the method to retrieve the existing `"https://"`
adapter (via `self.get_adapter()`) before replacing it. If an old
adapter is found, we now explicitly call `old_adapter.close()` to shut
down its connection pool and cleanly release the sockets back to the OS.

2. Missing Auth Request Session Update (Issue #17680)
The `AuthorizedSession` class maintains an internal session called
`_auth_request_session`. This hidden session is specifically responsible
for doing background work, like fetching new OAuth tokens or signing IAM
requests. When mTLS was enabled, the new secure adapter was *only*
applied to the main user-facing session, completely missing this
internal session. As a result, critical token refreshes were bypassing
mTLS and failing when they hit strict Certificate-Based Access (CBA)
endpoints.
**The Fix:** I added logic to check if `self._auth_request_session`
exists during the mTLS configuration. If it does, we now apply the exact
same cleanup (closing its old adapter) and then explicitly mount the new
mTLS adapter to it. This guarantees that all background token refreshes
are routed securely over the mTLS channel.

Also added a documentation warning to clarify that dynamically
reconfiguring the channel mutates the underlying session and is not
natively thread-safe.
@hebaalazzeh
hebaalazzeh requested a review from a team as a code owner July 17, 2026 19:48
@hebaalazzeh
hebaalazzeh requested a review from a team as a code owner July 17, 2026 19:48
Comment thread packages/google-api-core/google/api_core/gapic_v1/client_utils.py Outdated
Comment thread packages/google-api-core/google/api_core/gapic_v1/client_utils.py Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants