Conversation

@nbayati nbayati (Contributor) commented Apr 22, 2025

This commit introduces a new credential source type, 'certificate', enabling the use of mTLS for authentication with X.509 certificates. It includes the necessary logic to load certificate configurations (both explicit paths and default locations) and establish an mTLS-enabled transport.

@product-auto-label product-auto-label bot added the size: l Pull request size is large. label Apr 22, 2025
@lqiu96 lqiu96 requested a review from zhumin8 April 24, 2025 15:31
@nbayati nbayati marked this pull request as ready for review April 26, 2025 00:05
@nbayati nbayati requested review from a team as code owners April 26, 2025 00:05
@product-auto-label product-auto-label bot added size: xl Pull request size is extra large. and removed size: l Pull request size is large. labels Apr 29, 2025
@nbayati nbayati requested a review from lqiu96 April 29, 2025 23:38
@nbayati nbayati requested a review from lqiu96 April 30, 2025 22:09
@lqiu96 lqiu96 (Member) left a comment

I think things LGTM. Added a few additional comments.

IdentityPoolCredentialSourceType credentialSourceType;
CredentialFormatType credentialFormatType;
String credentialLocation;
private String credentialLocation;
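Review bot: the visibility change stops at credentialLocation; on the same visible lines credentialSourceType and credentialFormatType still have no access modifier (package-private) while credentialLocation becomes private. If the goal is encapsulation and mockability, give those two fields the same `private` modifier with getters, or note why they need to stay package-visible.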
nbayati (Contributor, Author):

Made credentialLocation and certificateConfig fields private and added public getters to improve encapsulation and provide the ability to properly mock the object.

@andyrzhao andyrzhao (Contributor) left a comment

LGTM overall. Small comment about X509Provider caching.

* configuration file does not specify a certificate path.
* @throws CertificateSourceUnavailableException if the configuration file is not found.
*/
public String getCertificatePath() throws IOException {
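Review bot: the Javadoc and the signature disagree about the exception: the doc declares `@throws CertificateSourceUnavailableException if the configuration file is not found`, while the method is declared `throws IOException`. Either make CertificateSourceUnavailableException a subclass of IOException and say so in the doc, or add it to the throws clause so callers can catch the documented type.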
Contributor (comment on this line):

So we previously envisioned X509Provider will implement an "MtlsProvider" interface with a single "getKeyStore()" public method exposed. (SecureConnectProvider will also implement the same interface.) As such, it doesn't feel like the getCertificatePath() helper should live inside the X509Provider. I don't see a lot of value with caching the cert config loading (this pattern is not common in client libraries IMO given the low anticipated QPS for auth or setting up an mTLS transport). Furthermore, having 2 separate public methods sharing this internal state could make code execution unpredictable - what if the underlying cert config changed between the calls to getCertificatePath() and getKeyStore()? And getKeyStore() may be stuck with an outdated loadedConfig in memory as long as the object instance is alive, with no way to refresh the internal state. We have to handle cert rotation in the future as well. IMO, it's much safer to call getWorkloadCertificateConfiguration on demand instead of attempting to cache the result. Rest of your PR looks good!

@nbayati nbayati (Contributor, Author) May 2, 2025

Makes sense. I've removed the caching, but I realized that if I want to move getCertificatePath() out of X509Provider, I'd need to move getWorkloadCertificateConfiguration() as well. I've created an issue to refactor the class in a separate PR.
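As an added example (not the library's code), here is the shape the reviewer describes above: a single-method MtlsProvider whose X509Provider re-reads the certificate configuration on every getKeyStore() call, so there is no shared loadedConfig that can go stale between calls or across a certificate rotation. The two-line config file format and the PKCS#8-only key parsing are assumptions made for this example, not the library's actual format.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;

/** Single-method provider interface, as sketched in the review thread. */
interface MtlsProvider {
  KeyStore getKeyStore() throws IOException, GeneralSecurityException;
}

/** Loads the certificate configuration on every call; nothing is cached between calls. */
final class X509Provider implements MtlsProvider {
  // Assumed (hypothetical) config format: line 1 = certificate PEM path, line 2 = PKCS#8 key PEM path.
  private final Path configPath;
  X509Provider(Path configPath) {
    this.configPath = configPath;
  }

  @Override
  public KeyStore getKeyStore() throws IOException, GeneralSecurityException {
    // No loadedConfig field: a rotated certificate/key pair is picked up on the next call.
    List<String> cfg = Files.readAllLines(configPath);
    Path certPath = Path.of(cfg.get(0).trim());
    Path keyPath = Path.of(cfg.get(1).trim());
    X509Certificate cert;
    try (InputStream in = Files.newInputStream(certPath)) {
      cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
    }
    // Key algorithm ("RSA" or "EC") is taken from the certificate so the pair always matches.
    PrivateKey key = readPkcs8Key(keyPath, cert.getPublicKey().getAlgorithm());
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(null, null); // empty in-memory store; the password below only protects the entry
    ks.setKeyEntry("client", key, "changeit".toCharArray(), new Certificate[] {cert});
    return ks;
  }

  /** Parses an unencrypted PKCS#8 PEM key ("-----BEGIN PRIVATE KEY-----"). */
  private static PrivateKey readPkcs8Key(Path keyPath, String alg)
      throws IOException, GeneralSecurityException {
    String b64 = Files.readString(keyPath)
        .replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replaceAll("\\s", "");
    byte[] der = Base64.getDecoder().decode(b64);
    return KeyFactory.getInstance(alg).generatePrivate(new PKCS8EncodedKeySpec(der));
  }
}
```

Feed the returned KeyStore to a KeyManagerFactory (initialised with the same entry password) to build the SSLContext for the mTLS transport. A PEM pair to try it with can be produced offline with `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -subj /CN=test`.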

@lsirac lsirac (Contributor) left a comment

Looks good!

@nbayati nbayati requested a review from andyrzhao May 5, 2025 21:01
@andyrzhao andyrzhao (Contributor) left a comment

lgtm. Thanks for working on this PR!

@nbayati nbayati merged commit b347603 into googleapis:main May 6, 2025
19 of 20 checks passed
@nbayati nbayati removed the request for review from zhumin8 May 7, 2025 18:58
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request May 13, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.auth:google-auth-library-oauth2-http](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.34.0` -> `1.35.0` |
| [com.google.auth:google-auth-library-credentials](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.34.0` -> `1.35.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.40` -> `2.31.41` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.40` -> `2.31.41` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.40` -> `2.31.41` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.40` -> `2.31.41` |

---

### Release Notes

<details>
<summary>googleapis/google-auth-library-java
(com.google.auth:google-auth-library-oauth2-http)</summary>

### [`v1.35.0`](https://github.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1350-2025-05-12)

##### Features

- Add support for mTLS authentication via X.509 certificates ([#1736](googleapis/google-auth-library-java#1736)) ([b347603](googleapis/google-auth-library-java@b347603))
- Return X509 certificate chain as the subject token. ([#1746](googleapis/google-auth-library-java#1746)) ([6d05be8](googleapis/google-auth-library-java@6d05be8))

##### Bug Fixes

- Handle optional fields in ExternalAccountCredentials with null JSON value gracefully ([#1706](googleapis/google-auth-library-java#1706)) ([f1f306d](googleapis/google-auth-library-java@f1f306d))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: abc60fba8102e94da5ecb2e7537ccaf5d3d8628f