# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Utilites for mutual TLS."""
import enum
import logging
from os import getenv
import ssl
from typing import Optional
from google.auth import environment_vars
from google.auth import exceptions
from google.auth.transport import _mtls_helper
_LOGGER = logging.getLogger(__name__)
[docs]
class UseMtlsEndpointMode(enum.Enum):
ALWAYS = "always"
NEVER = "never"
AUTO = "auto"
[docs]
def has_default_client_cert_source(include_context_aware=True):
"""Check if default client SSL credentials exists on the device.
Args:
include_context_aware (bool): include_context_aware indicates if context_aware
path location will be checked or should it be skipped.
Returns:
bool: indicating if the default client cert source exists.
"""
if (
include_context_aware
and _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH)
is not None
):
return True
if (
_mtls_helper._check_config_path(
_mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH
)
is not None
):
return True
cert_config_path = getenv("GOOGLE_API_CERTIFICATE_CONFIG")
if (
cert_config_path
and _mtls_helper._check_config_path(cert_config_path) is not None
):
return True
return False
[docs]
def default_client_cert_source():
"""Get a callback which returns the default client SSL credentials.
Returns:
Callable[[], [bytes, bytes]]: A callback which returns the default
client certificate bytes and private key bytes, both in PEM format.
Raises:
google.auth.exceptions.MutualTLSChannelError: If the default
client SSL credentials don't exist or are malformed.
"""
if not has_default_client_cert_source(include_context_aware=True):
raise exceptions.MutualTLSChannelError(
"Default client cert source doesn't exist"
)
def callback():
try:
_, cert_bytes, key_bytes = _mtls_helper.get_client_cert_and_key()
except (OSError, RuntimeError, ValueError) as caught_exc:
new_exc = exceptions.MutualTLSChannelError(caught_exc)
raise new_exc from caught_exc
return cert_bytes, key_bytes
return callback
[docs]
def default_client_encrypted_cert_source(cert_path, key_path):
"""Get a callback which returns the default encrpyted client SSL credentials.
Args:
cert_path (str): The cert file path. The default client certificate will
be written to this file when the returned callback is called.
key_path (str): The key file path. The default encrypted client key will
be written to this file when the returned callback is called.
Returns:
Callable[[], [str, str, bytes]]: A callback which generates the default
client certificate, encrpyted private key and passphrase. It writes
the certificate and private key into the cert_path and key_path, and
returns the cert_path, key_path and passphrase bytes.
Raises:
google.auth.exceptions.MutualTLSChannelError: If any problem
occurs when loading or saving the client certificate and key.
"""
if not has_default_client_cert_source(include_context_aware=True):
raise exceptions.MutualTLSChannelError(
"Default client encrypted cert source doesn't exist"
)
def callback():
try:
(
_,
cert_bytes,
key_bytes,
passphrase_bytes,
) = _mtls_helper.get_client_ssl_credentials(generate_encrypted_key=True)
with open(cert_path, "wb") as cert_file:
cert_file.write(cert_bytes)
with open(key_path, "wb") as key_file:
key_file.write(key_bytes)
except (exceptions.ClientCertError, OSError) as caught_exc:
new_exc = exceptions.MutualTLSChannelError(caught_exc)
raise new_exc from caught_exc
return cert_path, key_path, passphrase_bytes
return callback
[docs]
def should_use_client_cert():
"""Returns boolean for whether the client certificate should be used for mTLS.
This is a wrapper around _mtls_helper.check_use_client_cert().
If GOOGLE_API_USE_CLIENT_CERTIFICATE is set to true or false, a corresponding
bool value will be returned
If GOOGLE_API_USE_CLIENT_CERTIFICATE is unset, the value will be inferred by
reading a file pointed at by GOOGLE_API_CERTIFICATE_CONFIG, and verifying it
contains a "workload" section. If so, the function will return True,
otherwise False.
Returns:
bool: indicating whether the client certificate should be used for mTLS.
"""
return _mtls_helper.check_use_client_cert()
def _load_client_cert_into_context(
ctx: ssl.SSLContext,
cert_bytes: bytes,
key_bytes: bytes,
passphrase: Optional[bytes] = None,
) -> None:
"""Load a client certificate and key into an SSL context.
Args:
ctx (ssl.SSLContext): The SSL context to load the certificate and key into.
cert_bytes (bytes): The client certificate bytes in PEM format.
key_bytes (bytes): The client private key bytes in PEM format.
passphrase (Optional[bytes]): The passphrase for the client private key.
Raises:
google.auth.exceptions.MutualTLSChannelError: If the SSL context is invalid,
or if loading the certificate and key fails.
"""
if not isinstance(ctx, ssl.SSLContext):
raise exceptions.MutualTLSChannelError(
"Failed to load client certificate and key for mTLS. The provided context "
"object is invalid or does not support loading certificate chains."
)
try:
with _mtls_helper.secure_cert_key_paths(
cert_bytes, key_bytes, passphrase=passphrase
) as (
cert_path,
key_path,
passphrase_val,
):
if cert_path is None or key_path is None:
raise exceptions.MutualTLSChannelError(
"Failed to generate temporary file paths for the client certificate and key."
)
ctx.load_cert_chain(
certfile=cert_path, keyfile=key_path, password=passphrase_val
)
except (
ssl.SSLError,
OSError,
ValueError,
RuntimeError,
TypeError,
) as caught_exc:
new_exc = exceptions.MutualTLSChannelError(caught_exc)
raise new_exc from caught_exc
[docs]
def load_default_client_cert(ctx: ssl.SSLContext) -> bool:
"""Load the default client certificate and key into an SSL context if configured.
If client certificates are enabled and a default client certificate source is
found, the certificate and key are loaded into the SSL context.
Args:
ctx (ssl.SSLContext): The SSL context to load the default client certificate
and key into.
Returns:
bool: True if client certificates are enabled and the default client
certificate was successfully loaded. False if client certificates
are disabled or if no default certificate source is configured.
Raises:
google.auth.exceptions.MutualTLSChannelError: If the default client certificate
or key is malformed.
"""
if not should_use_client_cert() or not has_default_client_cert_source():
return False
try:
(
has_cert,
cert_bytes,
key_bytes,
passphrase,
) = _mtls_helper.get_client_ssl_credentials()
except (
exceptions.ClientCertError,
OSError,
RuntimeError,
ValueError,
) as caught_exc:
new_exc = exceptions.MutualTLSChannelError(caught_exc)
raise new_exc from caught_exc
else:
if not has_cert:
return False
_load_client_cert_into_context(ctx, cert_bytes, key_bytes, passphrase)
return True
[docs]
def get_default_ssl_context() -> Optional[ssl.SSLContext]:
"""Get a default SSL context loaded with the default client certificate.
Returns:
ssl.SSLContext: An SSL context loaded with the default client
certificate, or None if client certificates are not configured
or available.
Raises:
google.auth.exceptions.MutualTLSChannelError: If the default client certificate
or key is malformed.
"""
if not should_use_client_cert() or not has_default_client_cert_source():
return None
ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
return ctx if load_default_client_cert(ctx) else None
[docs]
def should_use_mtls_endpoint(
client_cert_available: Optional[bool] = None,
) -> bool:
"""Determine whether to use an mTLS endpoint.
This relies on the GOOGLE_API_USE_MTLS_ENDPOINT environment variable. If set to
"always", returns True. If set to "never", returns False. If set to "auto"
or unset, returns whether a client certificate is available.
Args:
client_cert_available (Optional[bool]): indicating if a client certificate
is available. If None, this is determined by checking if client
certificates are enabled using :func:`should_use_client_cert`.
Returns:
bool: indicating if an mTLS endpoint should be used.
"""
if client_cert_available is None:
client_cert_available = should_use_client_cert()
use_mtls_endpoint = getenv(environment_vars.GOOGLE_API_USE_MTLS_ENDPOINT)
use_mtls_endpoint = (use_mtls_endpoint or "auto").strip().lower()
try:
mode = UseMtlsEndpointMode(use_mtls_endpoint)
except ValueError:
raise exceptions.MutualTLSChannelError(
f"Unsupported {environment_vars.GOOGLE_API_USE_MTLS_ENDPOINT} value "
f"'{use_mtls_endpoint}'. Accepted values: never, auto, always."
)
if mode == UseMtlsEndpointMode.ALWAYS:
return True
if mode == UseMtlsEndpointMode.NEVER:
return False
if mode == UseMtlsEndpointMode.AUTO:
return client_cert_available