google.auth.transport.mtls module¶
Utilites for mutual TLS.
- has_default_client_cert_source(include_context_aware=True)[source]¶
Check if default client SSL credentials exists on the device.
- default_client_cert_source()[source]¶
Get a callback which returns the default client SSL credentials.
- Returns:
- A callback which returns the default
client certificate bytes and private key bytes, both in PEM format.
- Return type:
- Raises:
google.auth.exceptions.MutualTLSChannelError – If the default client SSL credentials don’t exist or are malformed.
- default_client_encrypted_cert_source(cert_path, key_path)[source]¶
Get a callback which returns the default encrpyted client SSL credentials.
- Parameters:
- Returns:
- A callback which generates the default
client certificate, encrpyted private key and passphrase. It writes the certificate and private key into the cert_path and key_path, and returns the cert_path, key_path and passphrase bytes.
- Return type:
- Raises:
google.auth.exceptions.MutualTLSChannelError – If any problem occurs when loading or saving the client certificate and key.
- should_use_client_cert()[source]¶
Returns boolean for whether the client certificate should be used for mTLS.
This is a wrapper around _mtls_helper.check_use_client_cert(). If GOOGLE_API_USE_CLIENT_CERTIFICATE is set to true or false, a corresponding bool value will be returned If GOOGLE_API_USE_CLIENT_CERTIFICATE is unset, the value will be inferred by reading a file pointed at by GOOGLE_API_CERTIFICATE_CONFIG, and verifying it contains a “workload” section. If so, the function will return True, otherwise False.
- Returns:
indicating whether the client certificate should be used for mTLS.
- Return type:
- load_default_client_cert(ctx: SSLContext) bool[source]¶
Load the default client certificate and key into an SSL context if configured.
If client certificates are enabled and a default client certificate source is found, the certificate and key are loaded into the SSL context.
- Parameters:
ctx (ssl.SSLContext) – The SSL context to load the default client certificate and key into.
- Returns:
- True if client certificates are enabled and the default client
certificate was successfully loaded. False if client certificates are disabled or if no default certificate source is configured.
- Return type:
- Raises:
google.auth.exceptions.MutualTLSChannelError – If the default client certificate or key is malformed.
- get_default_ssl_context() SSLContext | None[source]¶
Get a default SSL context loaded with the default client certificate.
- Returns:
- An SSL context loaded with the default client
certificate, or None if client certificates are not configured or available.
- Return type:
- Raises:
google.auth.exceptions.MutualTLSChannelError – If the default client certificate or key is malformed.
- should_use_mtls_endpoint(client_cert_available: bool | None = None) bool[source]¶
Determine whether to use an mTLS endpoint.
This relies on the GOOGLE_API_USE_MTLS_ENDPOINT environment variable. If set to “always”, returns True. If set to “never”, returns False. If set to “auto” or unset, returns whether a client certificate is available.
- Parameters:
client_cert_available (
Optionalbool) – indicating if a client certificate is available. If None, this is determined by checking if client certificates are enabled usingshould_use_client_cert().- Returns:
indicating if an mTLS endpoint should be used.
- Return type: