Port MTLS functionality to AsyncClient

gapic/templates/%namespace/%name_%version/%sub/services/%service/async_client.py.j2

@@ -2,6 +2,7 @@
 
 {% block content %}
 from collections import OrderedDict
+import re
 from typing import Dict, {% if service.any_server_streaming %}AsyncIterable, {% endif %}{% if service.any_client_streaming %}AsyncIterator, {% endif %}Sequence, Tuple, Type, Union
 import pkg_resources
 
@@ -57,7 +58,40 @@ class {{ service.async_client_name }}Meta(type):
 class {{ service.async_client_name }}(metaclass={{ service.async_client_name }}Meta):
  """{{ service.meta.doc|rst(width=72, indent=4) }}"""
 
- DEFAULT_OPTIONS = ClientOptions.ClientOptions({% if service.host %}api_endpoint='{{ service.host }}'{% endif %})
+ @staticmethod
+ def _get_default_mtls_endpoint(api_endpoint):
+ """Convert api endpoint to mTLS endpoint.
+ Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to
+ "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively.
+ Args:
+ api_endpoint (Optional[str]): the api endpoint to convert.
+ Returns:
+ str: converted mTLS api endpoint.
+ """
+ if not api_endpoint:
+ return api_endpoint
+
+ mtls_endpoint_re = re.compile(
+ r"(?P<name>[^.]+)(?P<mtls>\.mtls)?(?P<sandbox>\.sandbox)?(?P<googledomain>\.googleapis\.com)?"
+ )
+
+ m = mtls_endpoint_re.match(api_endpoint)
+ name, mtls, sandbox, googledomain = m.groups()
+ if mtls or not googledomain:
+ return api_endpoint
+
+ if sandbox:
+ return api_endpoint.replace(
+ "sandbox.googleapis.com", "mtls.sandbox.googleapis.com"
+ )
+
+ return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com")
+
+ DEFAULT_ENDPOINT = {% if service.host %}'{{ service.host }}'{% else %}None{% endif %}
+ DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore
+ DEFAULT_ENDPOINT
+ )
+ DEFAULT_MTLS_TRANSPORT = {{ service.grpc_asyncio_transport_name }}
 
  @classmethod
  def from_service_account_file(cls, filename: str, *args, **kwargs):
@@ -92,9 +126,9 @@ class {{ service.async_client_name }}(metaclass={{ service.async_client_name }}M
  def __init__(self, *,
  credentials: credentials.Credentials = None,
  transport: Union[str, {{ service.name }}Transport] = None,
- client_options: ClientOptions = DEFAULT_OPTIONS,
+ client_options: ClientOptions = None,
  ) -> None:
- """Instantiate the {{ (service.async_client_name|snake_case).replace('_', ' ') }}.
+ """Instantiate the {{ (service.client_name|snake_case).replace('_', ' ') }}.
 
  Args:
  credentials (Optional[google.auth.credentials.Credentials]): The
@@ -106,6 +140,17 @@ class {{ service.async_client_name }}(metaclass={{ service.async_client_name }}M
  transport to use. If set to None, a transport is chosen
  automatically.
  client_options (ClientOptions): Custom options for the client.
+ (1) The ``api_endpoint`` property can be used to override the
+ default endpoint provided by the client.
+ (2) If ``transport`` argument is None, ``client_options`` can be
+ used to create a mutual TLS transport. If ``client_cert_source``
+ is provided, mutual TLS transport will be created with the given
+ ``api_endpoint`` or the default mTLS endpoint, and the client
+ SSL credentials obtained from ``client_cert_source``.
+
+ Raises:
+ google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport
+ creation failed for any reason.
  """
  if isinstance(client_options, dict):
  client_options = ClientOptions.from_dict(client_options)
@@ -114,15 +159,44 @@ class {{ service.async_client_name }}(metaclass={{ service.async_client_name }}M
  # Ordinarily, we provide the transport, but allowing a custom transport
  # instance provides an extensibility point for unusual situations.
  if isinstance(transport, {{ service.name }}Transport):
+ # transport is a {{ service.name }}Transport instance.
  if credentials:
  raise ValueError('When providing a transport instance, '
  'provide its credentials directly.')
  self._transport = transport
- else:
+ elif client_options is None or (
+ client_options.api_endpoint == None
+ and client_options.client_cert_source is None
+ ):
+ # Don't trigger mTLS if we get an empty ClientOptions.
  Transport = type(self).get_transport_class(transport)
  self._transport = Transport(
+ credentials=credentials, host=self.DEFAULT_ENDPOINT
+ )
+ else:
+ # We have a non-empty ClientOptions. If client_cert_source is
+ # provided, trigger mTLS with user provided endpoint or the default
+ # mTLS endpoint.
+ if client_options.client_cert_source:
+ api_mtls_endpoint = (
+ client_options.api_endpoint
+ if client_options.api_endpoint
+ else self.DEFAULT_MTLS_ENDPOINT
+ )
+ else:
+ api_mtls_endpoint = None
+
+ api_endpoint = (
+ client_options.api_endpoint
+ if client_options.api_endpoint
+ else self.DEFAULT_ENDPOINT
+ )
+
+ self._transport = self.DEFAULT_MTLS_TRANSPORT(
  credentials=credentials,
- host=client_options.api_endpoint{% if service.host %} or '{{ service.host }}'{% endif %},
+ host=api_endpoint,
+ api_mtls_endpoint=api_mtls_endpoint,
+ client_cert_source=client_options.client_cert_source,
  )
 
  {% for method in service.methods.values() -%}

gapic/templates/%namespace/%name_%version/%sub/services/%service/client.py.j2

@@ -91,6 +91,7 @@ class {{ service.client_name }}(metaclass={{ service.client_name }}Meta):
  DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore
  DEFAULT_ENDPOINT
  )
+ DEFAULT_MTLS_TRANSPORT = {{ service.grpc_transport_name }}
 
  @classmethod
  def from_service_account_file(cls, filename: str, *args, **kwargs):
@@ -191,7 +192,7 @@ class {{ service.client_name }}(metaclass={{ service.client_name }}Meta):
  else self.DEFAULT_ENDPOINT
  )
 
- self._transport = {{ service.name }}GrpcTransport(
+ self._transport = self.DEFAULT_MTLS_TRANSPORT(
  credentials=credentials,
  host=api_endpoint,
  api_mtls_endpoint=api_mtls_endpoint,