fix: do not use the GAE APIs on gen2+ runtimes (#807)
* fix: do not use the GAE APIs on gen2+ runtimes
Currently, this library uses the App Engine API in all environments if
it can be imported successfully. This assumption made sense when the API
was only available on gen1, but this is no longer the case.
See https://github.com/GoogleCloudPlatform/appengine-python-standard
In order to comply with AIP-4115, we must treat GAE gen2+ as a "compute
engine equivalent environment" even if the GAE APIs are importable.
In other words, google.auth.default() must never return an
app_engine.Credentials on GAE gen2+.
* blacken
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
diff --git a/google/auth/_default.py b/google/auth/_default.py
index 4dc0725..f7e308f 100644
--- a/google/auth/_default.py
+++ b/google/auth/_default.py
@@ -230,6 +230,11 @@
def _get_gae_credentials():
"""Gets Google App Engine App Identity credentials and project ID."""
+ # If not GAE gen1, prefer the metadata service even if the GAE APIs are
+ # available as per https://google.aip.dev/auth/4115.
+ if os.environ.get(environment_vars.LEGACY_APPENGINE_RUNTIME) != "python27":
+ return None, None
+
# While this library is normally bundled with app_engine, there are
# some cases where it's not available, so we tolerate ImportError.
try:
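Review bot: the new early return compares `os.environ.get(environment_vars.LEGACY_APPENGINE_RUNTIME)` against the hard-coded literal "python27", so an unset variable or any other value now makes `_get_gae_credentials` return `(None, None)` and defers to the metadata-server path; that is the intended safe default under AIP-4115, but the patch as shown adds no test for either branch, and the docstring still reads "Gets Google App Engine App Identity credentials and project ID." without saying this now happens only on the gen1 python27 runtime. Suggest a unit test that sets APPENGINE_RUNTIME to "python27" and asserts the App Identity path is taken, another with it unset asserting `(None, None)`, a docstring update to match, and a check that `os` and `environment_vars` are already imported in `_default.py`, since the hunk context does not show them.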
diff --git a/google/auth/environment_vars.py b/google/auth/environment_vars.py
index f027741..d36d6c4 100644
--- a/google/auth/environment_vars.py
+++ b/google/auth/environment_vars.py
@@ -60,6 +60,12 @@
The default value is false. Users have to explicitly set this value to true
in order to use client certificate to establish a mutual TLS channel."""
+LEGACY_APPENGINE_RUNTIME = "APPENGINE_RUNTIME"
+"""Gen1 environment variable defining the App Engine Runtime.
+
+Used to distinguish between GAE gen1 and GAE gen2+.
+"""
+
# AWS environment variables used with AWS workload identity pools to retrieve
# AWS security credentials and the AWS region needed to create a serialized
# signed requests to the AWS STS GetCalledIdentity API that can be exchanged