From 7c529786275a39b7e00525f7d5e7be0d963e9e15 Mon Sep 17 00:00:00 2001
From: Andy Zhao
Date: Fri, 10 May 2024 14:06:17 -0700
Subject: [PATCH] fix(auth): Enable client certificates by default only for GDU (#10151)

---
 auth/internal/transport/cba.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/auth/internal/transport/cba.go b/auth/internal/transport/cba.go
index 75734906259c..6ef88311a249 100644
--- a/auth/internal/transport/cba.go
+++ b/auth/internal/transport/cba.go
@@ -217,7 +217,7 @@ func getTransportConfig(opts *Options) (*transportConfig, error) {
 // encountered while initializing the default source will be reported as client
 // error (ex. corrupt metadata file).
 func getClientCertificateSource(opts *Options) (cert.Provider, error) {
- if !isClientCertificateEnabled() {
+ if !isClientCertificateEnabled(opts) {
 return nil, nil
 } else if opts.ClientCertProvider != nil {
 return opts.ClientCertProvider, nil
@@ -226,14 +226,14 @@ func getClientCertificateSource(opts *Options) (cert.Provider, error) {
 
 }
 
-// isClientCertificateEnabled returns true by default, unless explicitly set to false via env var.
-func isClientCertificateEnabled() bool {
+// isClientCertificateEnabled returns true by default for all GDU universe domain, unless explicitly overridden by env var
+func isClientCertificateEnabled(opts *Options) bool {
 if value, ok := os.LookupEnv(googleAPIUseCertSource); ok {
 // error as false is OK
 b, _ := strconv.ParseBool(value)
 return b
 }
- return true
+ return opts.isUniverseDomainGDU()
 }
 
 type transportConfig struct {
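Review bot: In getClientCertificateSource the enabled test runs before the `opts.ClientCertProvider != nil` branch, so a provider the caller set explicitly is dropped with `return nil, nil` whenever isClientCertificateEnabled(opts) is false, which after this change presumably covers every non-GDU universe domain unless the env var is set. Such a caller would connect without a client certificate and get no error. If that is intended, state it in the function's doc comment, for example `// Outside GDU a configured ClientCertProvider is ignored unless googleAPIUseCertSource is set to true.`; if not, an explicit provider could count as opting in when the env var is unset. The function's body ends outside this hunk.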
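Review bot: The discarded error from `strconv.ParseBool(value)` in isClientCertificateEnabled carries more weight now, because the env var appears to be the only way to turn client certificates on outside GDU and a value ParseBool rejects (for example `yes`) silently evaluates to false. Consider reporting that case instead of swallowing it, or at least document it: `// isClientCertificateEnabled reports whether client certificates are used: googleAPIUseCertSource, when set, overrides in either direction (unparsable values count as false); otherwise only GDU enables them.` The comment added by the commit also lacks its closing period and reads "all GDU universe domain". Separately, `opts.isUniverseDomainGDU()` dereferences opts whenever the env var is unset; whether that method tolerates a nil receiver is not visible in this hunk.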