Comparing v2.43.0...v2.44.0 · googleapis/google-auth-library-python
This repository was archived by the owner on Mar 6, 2026. It is now read-only.
- 16 commits
- 48 files changed
- 12 contributors
Commits on Nov 11, 2025
- feat: Add shlex to correctly parse executable commands with spaces (#1855)

  The `subprocess.run` command was using `.split()` which does not handle quoted paths with spaces correctly. This would cause a `FileNotFoundError` when the path to the executable contained spaces.

  This change replaces `.split()` with `shlex.split()` to correctly parse the command string. A test case has been added to verify the fix and prevent regressions.

  This was reported in b/237606033

  Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
- feat: Implement token revocation in STS client and add revoke() method to ExternalAccountAuthorizedUser credentials (#1849)

  * Add support for OAuth 2.0 token revocation to the STS client, aligning with the specification in RFC7009.
  * A new revoke_token method is introduced, which makes a POST request to a revocation endpoint. The underlying request handler has also been updated to correctly process successful but empty HTTP responses, as specified by the standard for revocation.
  * Building on the STS client's new capabilities, this change exposes a public revoke() method on the ExternalAccountAuthorizedUser credentials class.
  * This method encapsulates the logic for revoking the refresh token by calling the underlying STS client's revoke_token function. It simplifies the process for client applications, like gcloud, to revoke these specific credentials without needing to interact directly with the STS client.
  * Unit tests are included to verify successful revocation and to ensure appropriate errors are raised if required fields (like revoke_url) are missing.

  ---------

  Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
  Co-authored-by: nbayati <99771966+nbayati@users.noreply.github.com>
3 people authored
Nov 11, 2025
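The failure mode fixed in #1855, reproduced as an added example (not code from google-auth-library-python). The `My Tools` directory, the `helper` symlink and the `run_command` function are constructed for illustration, and a POSIX system is assumed:

```python
import os
import shlex
import subprocess
import sys
import tempfile


def run_command(command, splitter):
    """Split a configured command string with `splitter` and run it without a shell.

    Returns (argv, outcome), where outcome is the exit code or the string
    "FileNotFoundError" if the first argv element is not an existing executable.
    """
    argv = splitter(command)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return argv, "FileNotFoundError"
    return argv, proc.returncode


def demo():
    """Compare str.split and shlex.split on a quoted executable path with a space."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: an install directory whose name contains a space,
        # holding a symlink to the running interpreter as the "executable".
        bin_dir = os.path.join(tmp, "My Tools")
        os.mkdir(bin_dir)
        exe = os.path.join(bin_dir, "helper")
        os.symlink(sys.executable, exe)

        # The operator quotes the path, as they would in a shell.
        command = f'"{exe}" --version'

        # str.split breaks at the space and keeps the quote characters,
        # so argv[0] names a file that does not exist.
        naive = run_command(command, str.split)
        # shlex.split honours the quotes and yields one path element.
        quoted = run_command(command, shlex.split)
    return naive, quoted


if __name__ == "__main__":
    for label, (argv, outcome) in zip(("str.split", "shlex.split"), demo()):
        print(f"{label:12} argv={argv} -> {outcome}")
```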
Commits on Nov 19, 2025
- feat: MDS connections use mTLS (#1856)

  Use mTLS/HTTPS when connecting to MDS

  **Feature Gating**

  The `GCE_METADATA_MTLS_MODE` environment variable is introduced, which can be set to strict, none, or default. The `should_use_mds_mtls` function determines whether to use mTLS based on the environment variable and the existence of the certificate files in well-known location (https://docs.cloud.google.com/compute/docs/metadata/overview#https-mds-certificates).

  **Description of changes**

  A custom `MdsMtlsAdapter` is implemented to handle the SSL context for mTLS. MdsMtlsAdapter loads MDS mTLS certificates from well-known location. MdsMtlsAdapter is mounted into the provided request.Session.

  **Behavior**

  - If mode == none: Continue to use HTTP.
  - If mode == default: Use HTTPS if certificates exist. If HTTPS/mTLS fails, falls back to HTTP.
  - If mode == strict: Use HTTPS always, even if certificates don't exist (will result in error).

  **Integrating with existing code**

  compute_engine/_metadata.py:
  - The metadata server URL construction is now dynamic, supporting both http and https schemes based on whether mTLS is enabled.
  - ping and get functions are updated to use mTLS when it's enabled.
Commits on Nov 25, 2025
- feat: add ecdsa p-384 support (#1872)

  GDC (Google Distributed Cloud) needs to support ECDSA-P384 keys for compliance. This change creates an EsSigner and EsVerifier class that is capable of supporting both ECDSA-P256 and ECDSA-P384 keys for backwards compatibility. The EsSigner and EsVerifier classes are plumbed through to the GDC service accounts and are used to both sign and verify JWTs.

  This implementation was successfully tested against a GDC instance using both ECDSA-P256 and ECDSA-P384 keys.

  ---------

  Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
Commits on Dec 1, 2025
- fix(auth): Delegate workload cert and key default lookup to helper function (#1877)

  get_client_ssl_credentials had a bug that defaulted the cert path to CERTIFICATE_CONFIGURATION_DEFAULT_PATH if not explicitly specified. The correct behavior should be to delegate the lookup logic to "_get_workload_cert_and_key" which also takes into account the cert config path set by the env var GOOGLE_API_CERTIFICATE_CONFIG.

  ---------

  Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>
Commits on Dec 4, 2025
- fix(auth): Add temporary patch to workload cert logic to accommodate Cloud Run mis-configuration (#1880)

  This patch adds a fallback logic to look for Cloud Run cert/keys in the well-known location if the cert config contains the exact incorrect cert/key paths AND the incorrect cert/key paths point to non-existent files.

  Note: This patch will be reverted sometime in Jan 2026, after Cloud Run environment is updated with the correct cert configs. The revert will be tracked by #1881