fix(auth): Use HTTPS/mTLS with MDS only if adapter is mounted#16693
fix(auth): Use HTTPS/mTLS with MDS only if adapter is mounted#16693nolanleastin wants to merge 6 commits intomainfrom
Conversation
Modify the request mounting so that we return whether an adapter is mounted or not. From that, decide whether we should use https or http.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the GCE metadata server mTLS implementation to improve robustness and validation. Key changes include updating _validate_gce_mds_configured_environment to verify the HTTPS scheme in STRICT mode, refactoring request preparation into _try_mount_mds_mtls_adapter to track adapter mounting status, and updating URL generation logic to dynamically select the scheme based on the mTLS mode and mounting status. Review feedback suggests refining the scheme selection in _get_metadata_root and _get_metadata_ip_root to ensure HTTPS is only applied to default hosts when the adapter is mounted, preventing potential connection failures for custom metadata hosts in non-strict modes.
| # Mount the adapter for all default GCE metadata hosts. | ||
| for host in _GCE_DEFAULT_MDS_HOSTS: | ||
| request.session.mount(f"https://{host}/", adapter) | ||
| mds_mtls_adapter_mounted = True |
There was a problem hiding this comment.
Do we also need to mount to _GCE_METADATA_HOST?
There was a problem hiding this comment.
No. It's kind of confusing but _GCE_METADATA_HOST is the "effective" host we will be connecting to.
The variable resolves as follows:
- It checks environment variable
GCE_METADATA_HOST(users can set this) - It checks environment variable
GCE_METADATA_ROOT(users can set this) - Otherwise, defaults to
_GCE_DEFAULT_HOST(this is 'metadata.google.internal')
Since mTLS should only be used with default MDS (case 3), we only mount the adapter to the metadata.googe.internal value.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request refactors the Mutual TLS (mTLS) implementation for the Google Compute Engine metadata server by consolidating root URL generation and updating the MdsMtlsConfig class. The review feedback highlights several issues, including potential silent fallbacks in STRICT mTLS mode, missing certificate checks that could lead to runtime errors, and redundant URL parsing logic. Recommendations are provided to enforce strict mTLS requirements, improve error handling, update function documentation, and simplify the adapter mounting logic.
| use_https = mds_mtls_adapter_mounted or ( | ||
| mds_mtls_config.mode == _mtls.MdsMtlsMode.STRICT | ||
| ) |
There was a problem hiding this comment.
In STRICT mTLS mode, if the adapter cannot be mounted (e.g., because the transport does not support sessions), the code currently falls back to a standard HTTPS request without mTLS. This violates the strict requirement. An exception should be raised if STRICT mode is enabled but the adapter failed to mount.
| use_https = mds_mtls_adapter_mounted or ( | |
| mds_mtls_config.mode == _mtls.MdsMtlsMode.STRICT | |
| ) | |
| if mds_mtls_config.mode == _mtls.MdsMtlsMode.STRICT and not mds_mtls_adapter_mounted: | |
| raise exceptions.MutualTLSChannelError( | |
| "Mutual TLS is required, but the mTLS adapter could not be mounted. " | |
| "This usually happens when the transport does not support sessions." | |
| ) | |
| use_https = mds_mtls_adapter_mounted |
References
- When a function receives parameters of an unsupported type or state, it should raise an error instead of silently returning or falling back to ensure fail-fast behavior.
There was a problem hiding this comment.
An exception is raised.
2 participants
Modify the request mounting so that we return whether an adapter is mounted or not. From that, decide whether we should use https or http.
Fixes #16090