-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
batch requests never use mTLS URLs #2440
Comments
Can someone help me understand why all of the mTLS cert logic in
logic right here? It means that if you pass an http object into
out of the |
Here's a simple script that demonstrates this issue. The script should list the latest versions of Chrome across OS platforms. It makes one non-batch call to the API to get a list of platforms and then it makes a batch call retrieving the latest release of Chrome per-platform. I've included a sample client key and certificate that are necessary for mTLS, just put them in the same folder as the script. You need to remove the .txt suffix from each file, it was needed to make GitHub happy. You should notice that with the current googleapiclient, the first call to retrieve platforms will use mTLS while the batch call will use the non-mTLS endpoint. Also, if you uncomment the |
Could you comment on the impact of this deficiency? Is it blocking your work. That information can help us prioritize looking into this. |
Yes, I'm working on adding mTLS client certificates and Chrome Enterprise Premium / Context Aware Access rules to restrict Google service access to a select list of client certificates, thus the need for mTLS to function properly. My app is already using the batch endpoint. https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview |
@clundin25 @westarle @parthea Thoughts on this approach? |
There is active work for mTLS but I don't believe anyone is looking at the discovery SDK. When using a custom HTTP object, could you directly load the mTLS credentials? It seems that the intent for the check is to avoid making any assumptions about the transport that was passed in. |
@clundin25 that makes sense. Do you think it'd make sense to keep all the client cert selection code which leads up to and includes:
within the |
That's a good question. I am going to reach out to my colleagues and see if they remember the context for this flow. IIRC it is safe to use mTLS endpoints without actually performing mTLS in the handshake so I don't think such a change would necessarily break any code. As a workaround, would setting the |
Coming back to this after a couple weeks off. On further consideration I do think if a custom http object is being passed to build_from_document() we shouldn't be trying to set the client certificate on it. As you said, the user can do that themselves when building the custom object. I do think it's worth us performing the To answer your question, attempting to send mTLS client certificates to a web server that does not support/request mTLS generally has no impact and the web request shouldn't fail due to that setting. Attempting to contact a mTLS web server such as www.mtls.googleapis.com WITHOUT sending mTLS client certificate will fail. Generally though anyone using the library who has setup these environmental parameters that the code depends on is clearly indicating they want mTLS to work so I think there's generally low risk of breaking anything with a change here. I've updated my pull request here: so that only the mTLS URL logic now gets executed if a custom Can someone review this change? |
At:
https://github.com/googleapis/google-api-python-client/blob/main/googleapiclient/discovery.py#L1495-L1497
we build
batch_uri
based off the hard-codedrootUrl
discovery doc parameter. We do this even if mTLS endpoint was previously configured onbuild()
thus using batch methods never actually uses the mTLS endpoint.is_mtls
to theResource
object so we have a simple boolean to determine mTLS status._add_basic_methods
could then use theis_mtls
boolean to determine whether to userootUrl
ormtlsRootUrl
from the discovery data.The text was updated successfully, but these errors were encountered: