feat: Recognize workload certificate config in has_default_client_cer… · googleapis/google-auth-library-python@0b9107d

@@ -21,26 +21,93 @@

2121from google.auth.transport import mtls2222232324-@mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)25-def test_has_default_client_cert_source(check_config_path):26-def return_path_for_metadata(path):27-return mock.Mock() if path == _mtls_helper.CONTEXT_AWARE_METADATA_PATH else None24+@mock.patch("google.auth.transport._mtls_helper._check_config_path")25+def test_has_default_client_cert_source_with_context_aware_metadata(mock_check):26+"""27+ Directly tests the logic: if CONTEXT_AWARE_METADATA_PATH is found, return True.28+ """282929-check_config_path.side_effect = return_path_for_metadata30-assert mtls.has_default_client_cert_source()30+# Setup: Return a path only for the Context Aware Metadata Path31+def side_effect(path):32+if path == _mtls_helper.CONTEXT_AWARE_METADATA_PATH:33+return "/path/to/context_aware_metadata.json"34+return None35+36+mock_check.side_effect = side_effect37+38+# Execute39+result = mtls.has_default_client_cert_source()40+41+# Assert42+assert result is True43+mock_check.assert_any_call(_mtls_helper.CONTEXT_AWARE_METADATA_PATH)44+assert side_effect("non-matching-path") is None45+46+47+@mock.patch("google.auth.transport._mtls_helper._check_config_path")48+def test_has_default_client_cert_source_falls_back(mock_check):49+"""50+ Tests that it skips CONTEXT_AWARE_METADATA_PATH if None, and checks the next path.51+ """52+53+# Setup: First path is None, second path is valid54+def side_effect(path):55+if path == _mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH:56+return "/path/to/default_cert.json"57+return None58+59+mock_check.side_effect = side_effect316032-def return_path_for_cert_config(path):33-return (34-mock.Mock()35-if path == _mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH36-else None37- )61+# Execute62+result = mtls.has_default_client_cert_source()386339-check_config_path.side_effect = return_path_for_cert_config64+# Assert65+assert result is True66+# Verify the sequence of calls67+expected_calls = [68+mock.call(_mtls_helper.CONTEXT_AWARE_METADATA_PATH),69+mock.call(_mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH),70+ ]71+mock_check.assert_has_calls(expected_calls)72+73+74+@mock.patch("google.auth.transport.mtls.getenv", autospec=True)75+@mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)76+def test_has_default_client_cert_source_env_var_success(check_config_path, mock_getenv):77+# 1. Mock getenv to return our test path78+mock_getenv.side_effect = (79+lambda var: "path/to/cert.json"80+if var == "GOOGLE_API_CERTIFICATE_CONFIG"81+else None82+ )83+84+# 2. Mock _check_config_path side effect85+def side_effect(path):86+# Return None for legacy paths to ensure we reach the env var logic87+if path == "path/to/cert.json":88+return "/absolute/path/to/cert.json"89+return None90+91+check_config_path.side_effect = side_effect92+93+# 3. This should now return True4094assert mtls.has_default_client_cert_source()419542-check_config_path.side_effect = None96+# 4. Verify the env var path was checked97+check_config_path.assert_called_with("path/to/cert.json")98+99+100+@mock.patch("google.auth.transport.mtls.getenv", autospec=True)101+@mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)102+def test_has_default_client_cert_source_env_var_invalid_config_path(103+check_config_path, mock_getenv104+):105+# Set the env var but make the check fail106+mock_getenv.side_effect = (107+lambda var: "invalid/path" if var == "GOOGLE_API_CERTIFICATE_CONFIG" else None108+ )43109check_config_path.return_value = None110+44111assert not mtls.has_default_client_cert_source()4511246113