feat: auto-enable mTLS when supported certificates are detected

[agrawalradhika-cell]

The Python SDK will use a hybrid approach for mTLS enablement:

If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is set (either true or false or any value), the SDK will respect that setting. This is necessary for test scenarios and users who need to explicitly control mTLS behavior.
If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not set, the SDK will automatically enable mTLS only if it detects Managed Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF) certificate sources. In other cases where the variable is not set, mTLS will remain disabled.

** This change also adds unit test with respect to this change.
** This change is only for Client-Library use-cases

[gemini-code-assist]

Summary of Changes

Hello @agrawalradhika-cell, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the mTLS enablement logic within the Python SDK, introducing a more intelligent and adaptive mechanism. It ensures that mTLS is explicitly controlled when the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is present, but automatically activates mTLS for enhanced security when specific secure identity sources like Managed Workload Identity or X.509 Workforce Identity Federation are detected and the environment variable is absent. This change aims to improve security posture for client-library users by leveraging available identity signals.

Highlights

• Hybrid mTLS Enablement: The Python SDK now employs a hybrid approach for enabling mTLS, prioritizing explicit user configuration via the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable.
• Automatic mTLS Detection: If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not set, mTLS will be automatically enabled if Managed Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF) certificate sources are detected.
• Client-Library Specific: This change is specifically implemented for Client-Library use-cases within the SDK.
• New Helper Function: A new internal helper function, _mtls_helper.check_use_client_cert(), is introduced and utilized to determine the mTLS enablement status.
• Unit Test Coverage: New unit tests have been added to validate the behavior of mTLS enablement when the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not explicitly set.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the mTLS enablement logic to use a new _mtls_helper which automatically enables mTLS for MWID/X.509 certificate sources when the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not set. The changes are applied across numerous generated client files and templates, and new unit tests are added.

My review has found a couple of critical syntax errors in the test templates that will prevent the code from running. I've also pointed out that the new tests are confusing and contain redundant code. Additionally, there are some medium-severity concerns regarding the use of a private module and an inconsistency in type-hinting ignores. Please see the detailed comments for suggestions on how to address these issues.

[agrawalradhika-cell]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a new hybrid approach for mTLS enablement by using a helper function _mtls_helper.check_use_client_cert(). The changes are consistently applied across numerous client templates and generated "golden" files, and new unit tests are added to cover the new logic. My review focuses on improving code style, maintainability, and readability. I've pointed out some trailing whitespace issues, suggested refactoring duplicated test code, and recommended a minor code reordering for better readability.

[daniel-sanche]

/gemini review

[gemini-code-assist]

Code Review

This pull request updates the logic for mTLS enablement to automatically activate it when MWID or X.509 certificate sources are detected and the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not set. This logic is encapsulated in a new _mtls_helper.check_use_client_cert() function. The changes are propagated across numerous generated client and test files.

My review focuses on the template files to ensure the consistency and maintainability of the generated code. I've identified a few areas for improvement:

• Inconsistent code formatting (tabs vs. spaces) in some import statements.
• Duplicated code in the newly added unit tests, which could be refactored for better readability and maintenance.
• A slightly misleading comment in the new tests.

Overall, the changes are sound and the new tests cover the intended logic. Addressing the feedback will enhance the quality and consistency of the codebase.

[agrawalradhika-cell]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a hybrid approach for mTLS enablement, using a new _mtls_helper to automatically enable mTLS when MWID or X.509 certificate sources are detected and the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not set. The changes are applied across numerous generated client libraries and their tests. While the overall approach is sound, I've identified a critical logic bug in one of the templates that would prevent mTLS from being enabled, a critical syntax error in a test template, and opportunities to reduce code duplication in the updated test files. Please see my detailed comments.

[agrawalradhika-cell]

/gemini review

[gemini-code-assist]

Code Review

This pull request updates the logic for mTLS enablement to use a hybrid approach, automatically enabling it when certain certificate sources are detected but still allowing manual override via an environment variable. The changes are applied across numerous generated client files and templates, and corresponding unit tests are added or updated. My review focuses on improving the robustness of the new logic, reducing code duplication in tests, and removing redundant checks. I've identified a potential bug in the template files' handling of the environment variable when set to an empty string and suggested a fix. I've also recommended refactoring in the test files to improve maintainability.

[agrawalradhika-cell]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a hybrid approach for mTLS enablement, which is a valuable improvement. The changes in the templates correctly use feature detection to decide between the new automatic mTLS logic and the old environment variable-based approach. However, there are several critical issues in the generated 'golden' files. They import a private module _mtls_helper from google-auth, creating a brittle dependency. More critically, the code incorrectly handles the return value from this helper, treating a boolean as a string, which will cause ValueError exceptions at runtime. I've also pointed out an opportunity to reduce code duplication in the templates and a minor style issue. Please address the critical issues in the golden files.

[gemini-code-assist]

Code Review

This pull request introduces a new, more flexible approach for mTLS enablement, which is a valuable enhancement. The code refactoring into a helper method is a good step towards cleaner code. However, I've identified several issues that need attention. There are copy-paste errors in multiple test files that cause them to use the wrong client, invalidating the tests. Additionally, there's significant code duplication in the new tests, with one of the duplicated blocks containing a logical flaw. I also found some formatting issues in docstrings and potentially buggy logic in some of the generated internal client files where a refactoring seems incomplete. Addressing these points will improve the correctness and maintainability of the codebase.

[daniel-sanche]

Changes LGTM. It's not clear to me if the CI failures are related to this change or an infrastructure issue though

[daniel-sanche]

This test (and others) branch on hasattr(google.auth.transport.mtls, "should_use_client_cert"). I think it's important both sides of the branch are covered.

IIUC, I think it will be, because of the testing/constraints files. We run tests against both the most recent supported version of dependencies, and the oldest version, so that will cover both branches.

I'd probably prefer to mention this detail in a comment above this kind of test, something like:

# expect error in google-auth < x.y.z
# these tests will be triggered with oldest and newest versions of the google-auth library

But I'm not sure if this is worth re-generating all the files to add. Just wanted to note it here at least

[agrawalradhika-cell]

This is for ads-templates, don't think they are related to goldens

As plan is to move it off, but I'll add all the testcases here too

[agrawalradhika-cell]

Checked with Daniel, this was for adding comments not testcases, can skip

[daniel-sanche]

Changes LGTM. It's not clear to me if the CI failures are related to this change or an infrastructure issue though

[andyrzhao]

LGTM

[parthea]

We should file a bug to follow up on moving this to a shared file. Each service will have this function repeated which can cause bloat in the generated code when there are many services.

[daniel-sanche]

Sure, opened at #2485

[agrawalradhika-cell]

Changes LGTM. It's not clear to me if the CI failures are related to this change or an infrastructure issue though

#2483 was opened for CL failures