Comparing v2.47.0...v2.48.0 · googleapis/google-auth-library-python

This repository was archived by the owner on Mar 6, 2026. It is now read-only.

  • 19 commits
  • 45 files changed
  • 14 contributors

Commits on Jan 8, 2026

  1. fix: Use user_verification=preferred for ReAuth WebAuthn challenge (#1798)
    
    Since ReAuth is a second factor credential, it is not necessary to
    require UV here. This was discussed with ReAuth folks.
    
    Also, in practice, downstream clients disregard this because the U2F
    protocol doesn't expose UV enforcement.
    
    ---------
    
    Co-authored-by: Kevin Zheng <147537668+gkevinzheng@users.noreply.github.com>
    Co-authored-by: Chalmer Lowe <chalmerlowe@google.com>
    Co-authored-by: Anthonios Partheniou <partheniou@google.com>

    4 people authored

    Jan 8, 2026

Commits on Jan 9, 2026

  1. fix: replace deprecated utcfromtimestamp (#1799)

    addresses #1781 
    
    * Moves away from using `utcfromtimestamp()` in the `datetime` library
    due to deprecation.
    * Adds a new helper function to manage internal handling of timezone
    aware versus timezone naive timestamps.
    
    ```
    DeprecationWarning: datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.fromtimestamp(timestamp, datetime.UTC).
    ```
    
    ---------
    
    Co-authored-by: Kevin Zheng <147537668+gkevinzheng@users.noreply.github.com>
    Co-authored-by: Chalmer Lowe <chalmerlowe@google.com>

    3 people authored

    Jan 9, 2026
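
Added example, not code from this commit or from google-auth: one way to replace `utcfromtimestamp()` and keep timezone-aware and timezone-naive timestamps comparable, as the message for #1799 describes. The helper names, the sample timestamp and the rule that naive values are already UTC are assumptions made for illustration.

```python
import datetime

UTC = datetime.timezone.utc


def naive_utc_from_timestamp(ts):
    """Hypothetical helper: epoch seconds -> naive UTC datetime.

    Returns the value utcfromtimestamp() returned, built from an aware object.
    """
    return datetime.datetime.fromtimestamp(ts, tz=UTC).replace(tzinfo=None)


def to_naive_utc(dt):
    """Normalize aware or naive input to naive UTC (naive is assumed to be UTC)."""
    if dt.tzinfo is None:
        return dt
    return dt.astimezone(UTC).replace(tzinfo=None)


def is_expired(expiry, now, skew=datetime.timedelta(0)):
    """Compare after normalizing, so mixed inputs never reach `>=` directly."""
    return to_naive_utc(now) >= to_naive_utc(expiry) - skew


def mixed_comparison_raises(naive, aware):
    """Failure mode being avoided: Python refuses to order naive against aware."""
    try:
        naive >= aware
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    ts = 1767916800  # constructed sample: 2026-01-09T00:00:00Z
    expiry = naive_utc_from_timestamp(ts)
    plus2 = datetime.timezone(datetime.timedelta(hours=2))
    now = datetime.datetime(2026, 1, 9, 1, 0, tzinfo=plus2)  # 2026-01-08T23:00Z
    print(expiry, is_expired(expiry, now), mixed_comparison_raises(expiry, now))
```
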

  2. feat: honor NO_GCE_CHECK environment variable (#1610)

    Currently, `google.auth.default()` always attempts to authenticate using
    the Google Compute Engine (GCE) metadata service as a fallback. There is
    no easy way to prevent this behavior, leading to unnecessary delays and
    unhelpful exceptions, particularly in cases where GCE-based
    authentication is pointless or undesired.
    
    This pull request introduces a `NO_GCE_CHECK` environment variable,
    allowing users to explicitly skip GCE metadata service authentication.
    This implementation mirrors `NO_GCE_CHECK` in
    [googleapis/google-auth-library-java](https://github.com/googleapis/google-auth-library-java/blob/f154edb3d8503d29f0020b6904dfa40e034ded93/README.md?plain=1#L106-L119):
    
    > _The following are searched (in order) to find the Application Default
    Credentials:_
    >
    > [...]
    >
    > 5. Google Compute Engine built-in credentials
    > - Skip this check by setting the environment variable
    `NO_GCE_CHECK=true`
    
    > [!NOTE]
    > Other clouds also provide similar environment variables, such as
    `AWS_EC2_METADATA_DISABLED` on AWS.
    
    This change is also tangentially related to the following pull requests:
    - #1488
    - #1481
    
    ---------
    
    Co-authored-by: Anthonios Partheniou <partheniou@google.com>
    Co-authored-by: Chalmer Lowe <chalmerlowe@google.com>

    3 people authored

    Jan 9, 2026

Commits on Jan 10, 2026

  1. chore: add warning for rsa library (#1925)

    The `rsa` library is archived, and scheduled to be removed.
    `google-auth` already supports an alternate implementation, using
    `cryptography`. This PR adds a warning to users still relying on the old
    library, and adds `rsa` as an optional dependency to allow users to
    continue to opt-in to rsa during deprecation period.
    
    After release, a follow-up version will remove rsa as a required
    dependency, leaving it only for opt-in users

Commits on Jan 12, 2026


Commits on Jan 14, 2026

  1. fix: removes content-header from AWS IMDS get request (#1934)

    When performing an IMDS request, the code incorrectly adds a content-type
    header to the request:
    
    `content-type: application/json` to AWS metadata (IMDS) GET requests.
    
    Some services at AWS (such as AWS SageMaker Jupyter notebook) have a
    stricter than normal metadata server (IMDS, both v1 and v2) when it
    comes to handling incoming http requests.
    
    This PR removes the default content-header and replaces it with `None`.
    
    NOTE: initializing headers to `None` (instead of an empty `dict`) when
    no session token is present matches the existing behavior in
    `_get_metadata_role_name` and allows the transport adapter to handle
    default headers cleanly.
    
    This PR updates existing unit tests (`tests/test_aws.py`) to match the
    new behavior.
    
    NOTE: closing PR #1489 due to inactivity as we make the push to migrate
    this library to the `google-cloud-python` monorepo
    
    For more information about the genesis of this, see the following issue:
    https://issuetracker.google.com/issues/328089077

Commits on Jan 15, 2026

  1. chore: dedent deprecation warning message (#1932)

    The indentation and leading/trailing newlines made it a little harder than necessary to `filterwarnings` the deprecation warning.
    
    (For instance, for pytest's filterwarnings, you'd need `"ignore:\\s+You are using a Python version 3.8:FutureWarning",`...)

    akx authored

    Jan 15, 2026
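
Added example, not code from this commit or from google-auth: why leading whitespace in a warning message defeats a plain message filter, shown with the standard-library `warnings` module, whose `message` filter is a regular expression matched at the start of the text. The sample message is constructed (only its opening words come from the commit message above), and the pattern names are hypothetical.

```python
import textwrap
import warnings

# Constructed sample text; only the opening words appear in the commit message.
INDENTED = """
    You are using a Python version 3.8 (constructed sample text).
    """
DEDENTED = textwrap.dedent(INDENTED).strip()

PLAIN = "You are using a Python version 3.8"
WORKAROUND = r"\s+You are using a Python version 3.8"  # needed for the indented form
TOLERANT = r"\s*You are using a Python version 3.8"    # matches both forms


def is_suppressed(message_text, pattern):
    """Return True if an 'ignore' filter with this pattern hides the warning."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        # Inserted in front of the 'always' filter, so it is consulted first.
        warnings.filterwarnings("ignore", message=pattern, category=FutureWarning)
        warnings.warn(message_text, FutureWarning)
    return len(caught) == 0


if __name__ == "__main__":
    for label, text in (("indented", INDENTED), ("dedented", DEDENTED)):
        for name, pattern in (("plain", PLAIN), ("workaround", WORKAROUND),
                              ("tolerant", TOLERANT)):
            print(label, name, is_suppressed(text, pattern))
```

A filter written with the `\s+` workaround stops matching once the message is dedented, so a pattern using `\s*` is the one that survives the change.
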

  4. tests: system tests for expired User Credentials (#1937)

    This PR fixes flaky system tests that fail when `google.auth.default()`
    picks up expired User Credentials.
    
    The previous logic only exempted failures if the
    `GOOGLE_APPLICATION_CREDENTIALS` environment variable pointed to a file
    ending in "authorized_user.json". However, User Credentials can be
    loaded from other locations (e.g., gcloud config), causing the test to
    fail with `RefreshError` instead of ignoring it as intended.
    
    Changes:
    - Added `isinstance` check for `google.oauth2.credentials.Credentials`
    to robustly identify User Credentials.
    - Added `invalid_client` to the list of ignored error messages, as this
    error can also occur with invalid tokens.
    - Applied these fixes to both sync and async system tests.
    
    ---
    *PR created automatically by Jules for task
    [13051961428180802207](https://jules.google.com/task/13051961428180802207)
    started by @chalmerlowe*
    
    Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
    Co-authored-by: Chalmer Lowe <chalmerlowe@google.com>

Commits on Jan 16, 2026

  1. fix: resolve circular imports (#1942)

    We have a couple circular imports in the library:
    - _mtls_helper and _agent_identity_utils both require each other
    - credentials and _default form a cycle
    
    This makes it difficult to import the library into google3
    
    This PR resolved the import issues

  2. chore(tests): add sleep mocks (#1943)

    Some google3 tests were failing due to timeouts. It seems like there
    were some tests that performed up to 10 retries, with exponential
    backoff between each one
    
    This PR mocks out sleep, so these tests will complete ~ instantly,
    rather than > 10 mins
    
    ---------
    
    Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

  4. feat: add cryptography as required dependency (#1929)

    The `rsa` library has been deprecated and archived. This PR adds
    `cryptography` as the new preferred backend for RSA operations
    
    In the short term, both `rsa` and `cryptography` will be listed as
    dependencies. Soon, `rsa` will be removed, but still supported as an
    optional dependency. Eventually, it will be completely removed from the
    codebase.
    
    As a part of this change, I introduced new RSASigner and RSAVerifier
    wrapper classes, that can use either cryptography or rsa
    implementations. Previously, the library would only import one or the
    other, depending on if cryptography was installed. This simplifies the
    import structure, and puts rsa and cryptography on equal footing
    
    Fixes
    #912
    Towards
    https://github.com/googleapis/google-auth-library-python/issues/1810
    Towards
    #941
    
    ---------
    
    Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Commits on Jan 26, 2026
