Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-google-cloud-secret-manager
for openSUSE:Factory checked in at 2026-01-17 14:54:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-google-cloud-secret-manager (Old)
and
/work/SRC/openSUSE:Factory/.python-google-cloud-secret-manager.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-google-cloud-secret-manager"
Sat Jan 17 14:54:46 2026 rev:7 rq:1327653 version:2.26.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/python-google-cloud-secret-manager/python-google-cloud-secret-manager.changes
2025-10-17 20:14:38.007848110 +0200
+++
/work/SRC/openSUSE:Factory/.python-google-cloud-secret-manager.new.1928/python-google-cloud-secret-manager.changes
2026-01-17 14:55:53.114021708 +0100
@@ -1,0 +2,7 @@
+Fri Jan 16 08:32:45 UTC 2026 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update to 2.26.0
+ * auto-enable mTLS when supported certificates are detected
+ * check Python and dependency versions in generated GAPICs
+
+-------------------------------------------------------------------
Old:
----
google_cloud_secret_manager-2.25.0.tar.gz
New:
----
google_cloud_secret_manager-2.26.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-google-cloud-secret-manager.spec ++++++
--- /var/tmp/diff_new_pack.rGg8Vc/_old 2026-01-17 14:55:53.642043784 +0100
+++ /var/tmp/diff_new_pack.rGg8Vc/_new 2026-01-17 14:55:53.646043950 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-google-cloud-secret-manager
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%{?sle15_python_module_pythons}
Name: python-google-cloud-secret-manager
-Version: 2.25.0
+Version: 2.26.0
Release: 0
Summary: Google Cloud Secret Manager API client library
License: Apache-2.0
++++++ google_cloud_secret_manager-2.25.0.tar.gz ->
google_cloud_secret_manager-2.26.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/google_cloud_secret_manager-2.25.0/PKG-INFO
new/google_cloud_secret_manager-2.26.0/PKG-INFO
--- old/google_cloud_secret_manager-2.25.0/PKG-INFO 2025-10-14
17:24:46.305964200 +0200
+++ new/google_cloud_secret_manager-2.26.0/PKG-INFO 2025-12-18
01:25:44.951634600 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: google-cloud-secret-manager
-Version: 2.25.0
+Version: 2.26.0
Summary: Google Cloud Secret Manager API client library
Home-page:
https://github.com/googleapis/google-cloud-python/tree/main/packages/google-cloud-secret-manager
Author: Google LLC
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager/gapic_version.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager/gapic_version.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager/gapic_version.py
2025-10-14 17:22:15.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager/gapic_version.py
2025-12-18 01:25:14.000000000 +0100
@@ -13,4 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-__version__ = "2.25.0" # {x-release-please-version}
+__version__ = "2.26.0" # {x-release-please-version}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1/__init__.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1/__init__.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1/__init__.py
2025-10-14 17:22:16.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1/__init__.py
2025-12-18 01:25:12.000000000 +0100
@@ -13,10 +13,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+import sys
+
+import google.api_core as api_core
+
from google.cloud.secretmanager_v1 import gapic_version as package_version
__version__ = package_version.__version__
+if sys.version_info >= (3, 8): # pragma: NO COVER
+ from importlib import metadata
+else: # pragma: NO COVER
+ # TODO(https://github.com/googleapis/python-api-core/issues/835): Remove
+ # this code path once we drop support for Python 3.7
+ import importlib_metadata as metadata
from .services.secret_manager_service import (
SecretManagerServiceAsyncClient,
@@ -51,6 +61,100 @@
UpdateSecretRequest,
)
+if hasattr(api_core, "check_python_version") and hasattr(
+ api_core, "check_dependency_versions"
+): # pragma: NO COVER
+ api_core.check_python_version("google.cloud.secretmanager_v1") # type:
ignore
+ api_core.check_dependency_versions("google.cloud.secretmanager_v1") #
type: ignore
+else: # pragma: NO COVER
+ # An older version of api_core is installed which does not define the
+ # functions above. We do equivalent checks manually.
+ try:
+ import sys
+ import warnings
+
+ _py_version_str = sys.version.split()[0]
+ _package_label = "google.cloud.secretmanager_v1"
+ if sys.version_info < (3, 9):
+ warnings.warn(
+ "You are using a non-supported Python version "
+ + f"({_py_version_str}). Google will not post any further "
+ + f"updates to {_package_label} supporting this Python
version. "
+ + "Please upgrade to the latest Python version, or at "
+ + f"least to Python 3.9, and then update {_package_label}.",
+ FutureWarning,
+ )
+ if sys.version_info[:2] == (3, 9):
+ warnings.warn(
+ f"You are using a Python version ({_py_version_str}) "
+ + f"which Google will stop supporting in {_package_label} in "
+ + "January 2026. Please "
+ + "upgrade to the latest Python version, or at "
+ + "least to Python 3.10, before then, and "
+ + f"then update {_package_label}.",
+ FutureWarning,
+ )
+
+ def parse_version_to_tuple(version_string: str):
+ """Safely converts a semantic version string to a comparable tuple
of integers.
+ Example: "4.25.8" -> (4, 25, 8)
+ Ignores non-numeric parts and handles common version formats.
+ Args:
+ version_string: Version string in the format "x.y.z" or
"x.y.z<suffix>"
+ Returns:
+ Tuple of integers for the parsed version string.
+ """
+ parts = []
+ for part in version_string.split("."):
+ try:
+ parts.append(int(part))
+ except ValueError:
+ # If it's a non-numeric part (e.g., '1.0.0b1' -> 'b1'),
stop here.
+ # This is a simplification compared to
'packaging.parse_version', but sufficient
+ # for comparing strictly numeric semantic versions.
+ break
+ return tuple(parts)
+
+ def _get_version(dependency_name):
+ try:
+ version_string: str = metadata.version(dependency_name)
+ parsed_version = parse_version_to_tuple(version_string)
+ return (parsed_version, version_string)
+ except Exception:
+ # Catch exceptions from metadata.version() (e.g.,
PackageNotFoundError)
+ # or errors during parse_version_to_tuple
+ return (None, "--")
+
+ _dependency_package = "google.protobuf"
+ _next_supported_version = "4.25.8"
+ _next_supported_version_tuple = (4, 25, 8)
+ _recommendation = " (we recommend 6.x)"
+ (_version_used, _version_used_string) =
_get_version(_dependency_package)
+ if _version_used and _version_used < _next_supported_version_tuple:
+ warnings.warn(
+ f"Package {_package_label} depends on "
+ + f"{_dependency_package}, currently installed at version "
+ + f"{_version_used_string}. Future updates to "
+ + f"{_package_label} will require {_dependency_package} at "
+ + f"version {_next_supported_version} or
higher{_recommendation}."
+ + " Please ensure "
+ + "that either (a) your Python environment doesn't pin the "
+ + f"version of {_dependency_package}, so that updates to "
+ + f"{_package_label} can require the higher version, or "
+ + "(b) you manually update your Python environment to use at "
+ + f"least version {_next_supported_version} of "
+ + f"{_dependency_package}.",
+ FutureWarning,
+ )
+ except Exception:
+ warnings.warn(
+ "Could not determine the version of Python "
+ + "currently being used. To continue receiving "
+ + "updates for {_package_label}, ensure you are "
+ + "using a supported version of Python; see "
+ + "https://devguide.python.org/versions/";
+ )
+
__all__ = (
"SecretManagerServiceAsyncClient",
"AccessSecretVersionRequest",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1/gapic_version.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1/gapic_version.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1/gapic_version.py
2025-10-14 17:22:15.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1/gapic_version.py
2025-12-18 01:25:14.000000000 +0100
@@ -13,4 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-__version__ = "2.25.0" # {x-release-please-version}
+__version__ = "2.26.0" # {x-release-please-version}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1/services/secret_manager_service/client.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1/services/secret_manager_service/client.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1/services/secret_manager_service/client.py
2025-10-14 17:22:13.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1/services/secret_manager_service/client.py
2025-12-18 01:25:15.000000000 +0100
@@ -163,6 +163,34 @@
_DEFAULT_ENDPOINT_TEMPLATE = "secretmanager.{UNIVERSE_DOMAIN}"
_DEFAULT_UNIVERSE = "googleapis.com"
+ @staticmethod
+ def _use_client_cert_effective():
+ """Returns whether client certificate should be used for mTLS if the
+ google-auth version supports should_use_client_cert automatic mTLS
enablement.
+
+ Alternatively, read from the GOOGLE_API_USE_CLIENT_CERTIFICATE env var.
+
+ Returns:
+ bool: whether client certificate should be used for mTLS
+ Raises:
+ ValueError: (If using a version of google-auth without
should_use_client_cert and
+ GOOGLE_API_USE_CLIENT_CERTIFICATE is set to an unexpected value.)
+ """
+ # check if google-auth version supports should_use_client_cert for
automatic mTLS enablement
+ if hasattr(mtls, "should_use_client_cert"): # pragma: NO COVER
+ return mtls.should_use_client_cert()
+ else: # pragma: NO COVER
+ # if unsupported, fallback to reading from env var
+ use_client_cert_str = os.getenv(
+ "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"
+ ).lower()
+ if use_client_cert_str not in ("true", "false"):
+ raise ValueError(
+ "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE`
must be"
+ " either `true` or `false`"
+ )
+ return use_client_cert_str == "true"
+
@classmethod
def from_service_account_info(cls, info: dict, *args, **kwargs):
"""Creates an instance of this client using the provided credentials
@@ -384,12 +412,8 @@
)
if client_options is None:
client_options = client_options_lib.ClientOptions()
- use_client_cert = os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE",
"false")
+ use_client_cert =
SecretManagerServiceClient._use_client_cert_effective()
use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto")
- if use_client_cert not in ("true", "false"):
- raise ValueError(
- "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
if use_mtls_endpoint not in ("auto", "never", "always"):
raise MutualTLSChannelError(
"Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
@@ -397,7 +421,7 @@
# Figure out the client cert source to use.
client_cert_source = None
- if use_client_cert == "true":
+ if use_client_cert:
if client_options.client_cert_source:
client_cert_source = client_options.client_cert_source
elif mtls.has_default_client_cert_source():
@@ -429,20 +453,14 @@
google.auth.exceptions.MutualTLSChannelError: If
GOOGLE_API_USE_MTLS_ENDPOINT
is not any of ["auto", "never", "always"].
"""
- use_client_cert = os.getenv(
- "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"
- ).lower()
+ use_client_cert =
SecretManagerServiceClient._use_client_cert_effective()
use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT",
"auto").lower()
universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN")
- if use_client_cert not in ("true", "false"):
- raise ValueError(
- "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
if use_mtls_endpoint not in ("auto", "never", "always"):
raise MutualTLSChannelError(
"Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- return use_client_cert == "true", use_mtls_endpoint,
universe_domain_env
+ return use_client_cert, use_mtls_endpoint, universe_domain_env
@staticmethod
def _get_client_cert_source(provided_cert_source, use_cert_flag):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta1/__init__.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta1/__init__.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta1/__init__.py
2025-10-14 17:22:15.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta1/__init__.py
2025-12-18 01:25:12.000000000 +0100
@@ -13,10 +13,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+import sys
+
+import google.api_core as api_core
+
from google.cloud.secretmanager_v1beta1 import gapic_version as package_version
__version__ = package_version.__version__
+if sys.version_info >= (3, 8): # pragma: NO COVER
+ from importlib import metadata
+else: # pragma: NO COVER
+ # TODO(https://github.com/googleapis/python-api-core/issues/835): Remove
+ # this code path once we drop support for Python 3.7
+ import importlib_metadata as metadata
from .services.secret_manager_service import (
SecretManagerServiceAsyncClient,
@@ -41,6 +51,100 @@
UpdateSecretRequest,
)
+if hasattr(api_core, "check_python_version") and hasattr(
+ api_core, "check_dependency_versions"
+): # pragma: NO COVER
+ api_core.check_python_version("google.cloud.secretmanager_v1beta1") #
type: ignore
+ api_core.check_dependency_versions("google.cloud.secretmanager_v1beta1")
# type: ignore
+else: # pragma: NO COVER
+ # An older version of api_core is installed which does not define the
+ # functions above. We do equivalent checks manually.
+ try:
+ import sys
+ import warnings
+
+ _py_version_str = sys.version.split()[0]
+ _package_label = "google.cloud.secretmanager_v1beta1"
+ if sys.version_info < (3, 9):
+ warnings.warn(
+ "You are using a non-supported Python version "
+ + f"({_py_version_str}). Google will not post any further "
+ + f"updates to {_package_label} supporting this Python
version. "
+ + "Please upgrade to the latest Python version, or at "
+ + f"least to Python 3.9, and then update {_package_label}.",
+ FutureWarning,
+ )
+ if sys.version_info[:2] == (3, 9):
+ warnings.warn(
+ f"You are using a Python version ({_py_version_str}) "
+ + f"which Google will stop supporting in {_package_label} in "
+ + "January 2026. Please "
+ + "upgrade to the latest Python version, or at "
+ + "least to Python 3.10, before then, and "
+ + f"then update {_package_label}.",
+ FutureWarning,
+ )
+
+ def parse_version_to_tuple(version_string: str):
+ """Safely converts a semantic version string to a comparable tuple
of integers.
+ Example: "4.25.8" -> (4, 25, 8)
+ Ignores non-numeric parts and handles common version formats.
+ Args:
+ version_string: Version string in the format "x.y.z" or
"x.y.z<suffix>"
+ Returns:
+ Tuple of integers for the parsed version string.
+ """
+ parts = []
+ for part in version_string.split("."):
+ try:
+ parts.append(int(part))
+ except ValueError:
+ # If it's a non-numeric part (e.g., '1.0.0b1' -> 'b1'),
stop here.
+ # This is a simplification compared to
'packaging.parse_version', but sufficient
+ # for comparing strictly numeric semantic versions.
+ break
+ return tuple(parts)
+
+ def _get_version(dependency_name):
+ try:
+ version_string: str = metadata.version(dependency_name)
+ parsed_version = parse_version_to_tuple(version_string)
+ return (parsed_version, version_string)
+ except Exception:
+ # Catch exceptions from metadata.version() (e.g.,
PackageNotFoundError)
+ # or errors during parse_version_to_tuple
+ return (None, "--")
+
+ _dependency_package = "google.protobuf"
+ _next_supported_version = "4.25.8"
+ _next_supported_version_tuple = (4, 25, 8)
+ _recommendation = " (we recommend 6.x)"
+ (_version_used, _version_used_string) =
_get_version(_dependency_package)
+ if _version_used and _version_used < _next_supported_version_tuple:
+ warnings.warn(
+ f"Package {_package_label} depends on "
+ + f"{_dependency_package}, currently installed at version "
+ + f"{_version_used_string}. Future updates to "
+ + f"{_package_label} will require {_dependency_package} at "
+ + f"version {_next_supported_version} or
higher{_recommendation}."
+ + " Please ensure "
+ + "that either (a) your Python environment doesn't pin the "
+ + f"version of {_dependency_package}, so that updates to "
+ + f"{_package_label} can require the higher version, or "
+ + "(b) you manually update your Python environment to use at "
+ + f"least version {_next_supported_version} of "
+ + f"{_dependency_package}.",
+ FutureWarning,
+ )
+ except Exception:
+ warnings.warn(
+ "Could not determine the version of Python "
+ + "currently being used. To continue receiving "
+ + "updates for {_package_label}, ensure you are "
+ + "using a supported version of Python; see "
+ + "https://devguide.python.org/versions/";
+ )
+
__all__ = (
"SecretManagerServiceAsyncClient",
"AccessSecretVersionRequest",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta1/gapic_version.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta1/gapic_version.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta1/gapic_version.py
2025-10-14 17:22:15.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta1/gapic_version.py
2025-12-18 01:25:14.000000000 +0100
@@ -13,4 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-__version__ = "2.25.0" # {x-release-please-version}
+__version__ = "2.26.0" # {x-release-please-version}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta1/services/secret_manager_service/client.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta1/services/secret_manager_service/client.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta1/services/secret_manager_service/client.py
2025-10-14 17:22:13.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta1/services/secret_manager_service/client.py
2025-12-18 01:25:12.000000000 +0100
@@ -162,6 +162,34 @@
_DEFAULT_ENDPOINT_TEMPLATE = "secretmanager.{UNIVERSE_DOMAIN}"
_DEFAULT_UNIVERSE = "googleapis.com"
+ @staticmethod
+ def _use_client_cert_effective():
+ """Returns whether client certificate should be used for mTLS if the
+ google-auth version supports should_use_client_cert automatic mTLS
enablement.
+
+ Alternatively, read from the GOOGLE_API_USE_CLIENT_CERTIFICATE env var.
+
+ Returns:
+ bool: whether client certificate should be used for mTLS
+ Raises:
+ ValueError: (If using a version of google-auth without
should_use_client_cert and
+ GOOGLE_API_USE_CLIENT_CERTIFICATE is set to an unexpected value.)
+ """
+ # check if google-auth version supports should_use_client_cert for
automatic mTLS enablement
+ if hasattr(mtls, "should_use_client_cert"): # pragma: NO COVER
+ return mtls.should_use_client_cert()
+ else: # pragma: NO COVER
+ # if unsupported, fallback to reading from env var
+ use_client_cert_str = os.getenv(
+ "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"
+ ).lower()
+ if use_client_cert_str not in ("true", "false"):
+ raise ValueError(
+ "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE`
must be"
+ " either `true` or `false`"
+ )
+ return use_client_cert_str == "true"
+
@classmethod
def from_service_account_info(cls, info: dict, *args, **kwargs):
"""Creates an instance of this client using the provided credentials
@@ -366,12 +394,8 @@
)
if client_options is None:
client_options = client_options_lib.ClientOptions()
- use_client_cert = os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE",
"false")
+ use_client_cert =
SecretManagerServiceClient._use_client_cert_effective()
use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto")
- if use_client_cert not in ("true", "false"):
- raise ValueError(
- "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
if use_mtls_endpoint not in ("auto", "never", "always"):
raise MutualTLSChannelError(
"Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
@@ -379,7 +403,7 @@
# Figure out the client cert source to use.
client_cert_source = None
- if use_client_cert == "true":
+ if use_client_cert:
if client_options.client_cert_source:
client_cert_source = client_options.client_cert_source
elif mtls.has_default_client_cert_source():
@@ -411,20 +435,14 @@
google.auth.exceptions.MutualTLSChannelError: If
GOOGLE_API_USE_MTLS_ENDPOINT
is not any of ["auto", "never", "always"].
"""
- use_client_cert = os.getenv(
- "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"
- ).lower()
+ use_client_cert =
SecretManagerServiceClient._use_client_cert_effective()
use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT",
"auto").lower()
universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN")
- if use_client_cert not in ("true", "false"):
- raise ValueError(
- "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
if use_mtls_endpoint not in ("auto", "never", "always"):
raise MutualTLSChannelError(
"Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- return use_client_cert == "true", use_mtls_endpoint,
universe_domain_env
+ return use_client_cert, use_mtls_endpoint, universe_domain_env
@staticmethod
def _get_client_cert_source(provided_cert_source, use_cert_flag):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta2/__init__.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta2/__init__.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta2/__init__.py
2025-10-14 17:22:13.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta2/__init__.py
2025-12-18 01:25:13.000000000 +0100
@@ -13,10 +13,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+import sys
+
+import google.api_core as api_core
+
from google.cloud.secretmanager_v1beta2 import gapic_version as package_version
__version__ = package_version.__version__
+if sys.version_info >= (3, 8): # pragma: NO COVER
+ from importlib import metadata
+else: # pragma: NO COVER
+ # TODO(https://github.com/googleapis/python-api-core/issues/835): Remove
+ # this code path once we drop support for Python 3.7
+ import importlib_metadata as metadata
from .services.secret_manager_service import (
SecretManagerServiceAsyncClient,
@@ -51,6 +61,100 @@
UpdateSecretRequest,
)
+if hasattr(api_core, "check_python_version") and hasattr(
+ api_core, "check_dependency_versions"
+): # pragma: NO COVER
+ api_core.check_python_version("google.cloud.secretmanager_v1beta2") #
type: ignore
+ api_core.check_dependency_versions("google.cloud.secretmanager_v1beta2")
# type: ignore
+else: # pragma: NO COVER
+ # An older version of api_core is installed which does not define the
+ # functions above. We do equivalent checks manually.
+ try:
+ import sys
+ import warnings
+
+ _py_version_str = sys.version.split()[0]
+ _package_label = "google.cloud.secretmanager_v1beta2"
+ if sys.version_info < (3, 9):
+ warnings.warn(
+ "You are using a non-supported Python version "
+ + f"({_py_version_str}). Google will not post any further "
+ + f"updates to {_package_label} supporting this Python
version. "
+ + "Please upgrade to the latest Python version, or at "
+ + f"least to Python 3.9, and then update {_package_label}.",
+ FutureWarning,
+ )
+ if sys.version_info[:2] == (3, 9):
+ warnings.warn(
+ f"You are using a Python version ({_py_version_str}) "
+ + f"which Google will stop supporting in {_package_label} in "
+ + "January 2026. Please "
+ + "upgrade to the latest Python version, or at "
+ + "least to Python 3.10, before then, and "
+ + f"then update {_package_label}.",
+ FutureWarning,
+ )
+
+ def parse_version_to_tuple(version_string: str):
+ """Safely converts a semantic version string to a comparable tuple
of integers.
+ Example: "4.25.8" -> (4, 25, 8)
+ Ignores non-numeric parts and handles common version formats.
+ Args:
+ version_string: Version string in the format "x.y.z" or
"x.y.z<suffix>"
+ Returns:
+ Tuple of integers for the parsed version string.
+ """
+ parts = []
+ for part in version_string.split("."):
+ try:
+ parts.append(int(part))
+ except ValueError:
+ # If it's a non-numeric part (e.g., '1.0.0b1' -> 'b1'),
stop here.
+ # This is a simplification compared to
'packaging.parse_version', but sufficient
+ # for comparing strictly numeric semantic versions.
+ break
+ return tuple(parts)
+
+ def _get_version(dependency_name):
+ try:
+ version_string: str = metadata.version(dependency_name)
+ parsed_version = parse_version_to_tuple(version_string)
+ return (parsed_version, version_string)
+ except Exception:
+ # Catch exceptions from metadata.version() (e.g.,
PackageNotFoundError)
+ # or errors during parse_version_to_tuple
+ return (None, "--")
+
+ _dependency_package = "google.protobuf"
+ _next_supported_version = "4.25.8"
+ _next_supported_version_tuple = (4, 25, 8)
+ _recommendation = " (we recommend 6.x)"
+ (_version_used, _version_used_string) =
_get_version(_dependency_package)
+ if _version_used and _version_used < _next_supported_version_tuple:
+ warnings.warn(
+ f"Package {_package_label} depends on "
+ + f"{_dependency_package}, currently installed at version "
+ + f"{_version_used_string}. Future updates to "
+ + f"{_package_label} will require {_dependency_package} at "
+ + f"version {_next_supported_version} or
higher{_recommendation}."
+ + " Please ensure "
+ + "that either (a) your Python environment doesn't pin the "
+ + f"version of {_dependency_package}, so that updates to "
+ + f"{_package_label} can require the higher version, or "
+ + "(b) you manually update your Python environment to use at "
+ + f"least version {_next_supported_version} of "
+ + f"{_dependency_package}.",
+ FutureWarning,
+ )
+ except Exception:
+ warnings.warn(
+ "Could not determine the version of Python "
+ + "currently being used. To continue receiving "
+ + "updates for {_package_label}, ensure you are "
+ + "using a supported version of Python; see "
+ + "https://devguide.python.org/versions/";
+ )
+
__all__ = (
"SecretManagerServiceAsyncClient",
"AccessSecretVersionRequest",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta2/gapic_version.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta2/gapic_version.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta2/gapic_version.py
2025-10-14 17:22:15.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta2/gapic_version.py
2025-12-18 01:25:14.000000000 +0100
@@ -13,4 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-__version__ = "2.25.0" # {x-release-please-version}
+__version__ = "2.26.0" # {x-release-please-version}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta2/services/secret_manager_service/client.py
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta2/services/secret_manager_service/client.py
---
old/google_cloud_secret_manager-2.25.0/google/cloud/secretmanager_v1beta2/services/secret_manager_service/client.py
2025-10-14 17:22:15.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google/cloud/secretmanager_v1beta2/services/secret_manager_service/client.py
2025-12-18 01:25:11.000000000 +0100
@@ -163,6 +163,34 @@
_DEFAULT_ENDPOINT_TEMPLATE = "secretmanager.{UNIVERSE_DOMAIN}"
_DEFAULT_UNIVERSE = "googleapis.com"
+ @staticmethod
+ def _use_client_cert_effective():
+ """Returns whether client certificate should be used for mTLS if the
+ google-auth version supports should_use_client_cert automatic mTLS
enablement.
+
+ Alternatively, read from the GOOGLE_API_USE_CLIENT_CERTIFICATE env var.
+
+ Returns:
+ bool: whether client certificate should be used for mTLS
+ Raises:
+ ValueError: (If using a version of google-auth without
should_use_client_cert and
+ GOOGLE_API_USE_CLIENT_CERTIFICATE is set to an unexpected value.)
+ """
+ # check if google-auth version supports should_use_client_cert for
automatic mTLS enablement
+ if hasattr(mtls, "should_use_client_cert"): # pragma: NO COVER
+ return mtls.should_use_client_cert()
+ else: # pragma: NO COVER
+ # if unsupported, fallback to reading from env var
+ use_client_cert_str = os.getenv(
+ "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"
+ ).lower()
+ if use_client_cert_str not in ("true", "false"):
+ raise ValueError(
+ "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE`
must be"
+ " either `true` or `false`"
+ )
+ return use_client_cert_str == "true"
+
@classmethod
def from_service_account_info(cls, info: dict, *args, **kwargs):
"""Creates an instance of this client using the provided credentials
@@ -384,12 +412,8 @@
)
if client_options is None:
client_options = client_options_lib.ClientOptions()
- use_client_cert = os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE",
"false")
+ use_client_cert =
SecretManagerServiceClient._use_client_cert_effective()
use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto")
- if use_client_cert not in ("true", "false"):
- raise ValueError(
- "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
if use_mtls_endpoint not in ("auto", "never", "always"):
raise MutualTLSChannelError(
"Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
@@ -397,7 +421,7 @@
# Figure out the client cert source to use.
client_cert_source = None
- if use_client_cert == "true":
+ if use_client_cert:
if client_options.client_cert_source:
client_cert_source = client_options.client_cert_source
elif mtls.has_default_client_cert_source():
@@ -429,20 +453,14 @@
google.auth.exceptions.MutualTLSChannelError: If
GOOGLE_API_USE_MTLS_ENDPOINT
is not any of ["auto", "never", "always"].
"""
- use_client_cert = os.getenv(
- "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"
- ).lower()
+ use_client_cert =
SecretManagerServiceClient._use_client_cert_effective()
use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT",
"auto").lower()
universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN")
- if use_client_cert not in ("true", "false"):
- raise ValueError(
- "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
if use_mtls_endpoint not in ("auto", "never", "always"):
raise MutualTLSChannelError(
"Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- return use_client_cert == "true", use_mtls_endpoint,
universe_domain_env
+ return use_client_cert, use_mtls_endpoint, universe_domain_env
@staticmethod
def _get_client_cert_source(provided_cert_source, use_cert_flag):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/google_cloud_secret_manager.egg-info/PKG-INFO
new/google_cloud_secret_manager-2.26.0/google_cloud_secret_manager.egg-info/PKG-INFO
---
old/google_cloud_secret_manager-2.25.0/google_cloud_secret_manager.egg-info/PKG-INFO
2025-10-14 17:24:46.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/google_cloud_secret_manager.egg-info/PKG-INFO
2025-12-18 01:25:44.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: google-cloud-secret-manager
-Version: 2.25.0
+Version: 2.26.0
Summary: Google Cloud Secret Manager API client library
Home-page:
https://github.com/googleapis/google-cloud-python/tree/main/packages/google-cloud-secret-manager
Author: Google LLC
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/tests/unit/gapic/secretmanager_v1/test_secret_manager_service.py
new/google_cloud_secret_manager-2.26.0/tests/unit/gapic/secretmanager_v1/test_secret_manager_service.py
---
old/google_cloud_secret_manager-2.25.0/tests/unit/gapic/secretmanager_v1/test_secret_manager_service.py
2025-10-14 17:22:16.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/tests/unit/gapic/secretmanager_v1/test_secret_manager_service.py
2025-12-18 01:25:12.000000000 +0100
@@ -170,12 +170,19 @@
with mock.patch.dict(
os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
):
- with pytest.raises(ValueError) as excinfo:
- SecretManagerServiceClient._read_environment_variables()
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be
either `true` or `false`"
- )
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with pytest.raises(ValueError) as excinfo:
+ SecretManagerServiceClient._read_environment_variables()
+ assert (
+ str(excinfo.value)
+ == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE`
must be either `true` or `false`"
+ )
+ else:
+ assert SecretManagerServiceClient._read_environment_variables() ==
(
+ False,
+ "auto",
+ None,
+ )
with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT":
"never"}):
assert SecretManagerServiceClient._read_environment_variables() == (
@@ -214,6 +221,105 @@
)
+def test_use_client_cert_effective():
+ # Test case 1: Test when `should_use_client_cert` returns True.
+ # We mock the `should_use_client_cert` function to simulate a scenario
where
+ # the google-auth library supports automatic mTLS and determines that a
+ # client certificate should be used.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch(
+ "google.auth.transport.mtls.should_use_client_cert",
return_value=True
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 2: Test when `should_use_client_cert` returns False.
+ # We mock the `should_use_client_cert` function to simulate a scenario
where
+ # the google-auth library supports automatic mTLS and determines that a
+ # client certificate should NOT be used.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch(
+ "google.auth.transport.mtls.should_use_client_cert",
return_value=False
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 3: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"true".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"true"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 4: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"false".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "false"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 5: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"True".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"True"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 6: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"False".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "False"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 7: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"TRUE".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"TRUE"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 8: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"FALSE".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "FALSE"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 9: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not set.
+ # In this case, the method should return False, which is the default value.
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, clear=True):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 10: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to an
invalid value.
+ # The method should raise a ValueError as the environment variable must be
either
+ # "true" or "false".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "unsupported"}
+ ):
+ with pytest.raises(ValueError):
+ SecretManagerServiceClient._use_client_cert_effective()
+
+ # Test case 11: Test when `should_use_client_cert` is available and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to an
invalid value.
+ # The method should return False as the environment variable is set to an
invalid value.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "unsupported"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 12: Test when `should_use_client_cert` is available and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is unset. Also,
+ # the GOOGLE_API_CONFIG environment variable is unset.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
""}):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
""}):
+ assert SecretManagerServiceClient._use_client_cert_effective()
is False
+
+
def test__get_client_cert_source():
mock_provided_cert_source = mock.Mock()
mock_default_cert_source = mock.Mock()
@@ -601,17 +707,6 @@
== "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value.
- with mock.patch.dict(
- os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
- ):
- with pytest.raises(ValueError) as excinfo:
- client = client_class(transport=transport_name)
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be
either `true` or `false`"
- )
-
# Check the case quota_project_id is provided
options = client_options.ClientOptions(quota_project_id="octopus")
with mock.patch.object(transport_class, "__init__") as patched:
@@ -847,6 +942,119 @@
assert api_endpoint == mock_api_endpoint
assert cert_source is None
+ # Test the case GOOGLE_API_USE_CLIENT_CERTIFICATE is "Unsupported".
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
+ ):
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ mock_client_cert_source = mock.Mock()
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ api_endpoint, cert_source =
client_class.get_mtls_endpoint_and_cert_source(
+ options
+ )
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is None
+
+ # Test cases for mTLS enablement when GOOGLE_API_USE_CLIENT_CERTIFICATE is
unset.
+ test_cases = [
+ (
+ # With workloads present in config, mTLS is enabled.
+ {
+ "version": 1,
+ "cert_configs": {
+ "workload": {
+ "cert_path": "path/to/cert/file",
+ "key_path": "path/to/key/file",
+ }
+ },
+ },
+ mock_client_cert_source,
+ ),
+ (
+ # With workloads not present in config, mTLS is disabled.
+ {
+ "version": 1,
+ "cert_configs": {},
+ },
+ None,
+ ),
+ ]
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ for config_data, expected_cert_source in test_cases:
+ env = os.environ.copy()
+ env.pop("GOOGLE_API_USE_CLIENT_CERTIFICATE", None)
+ with mock.patch.dict(os.environ, env, clear=True):
+ config_filename = "mock_certificate_config.json"
+ config_file_content = json.dumps(config_data)
+ m = mock.mock_open(read_data=config_file_content)
+ with mock.patch("builtins.open", m):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
config_filename}
+ ):
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ (
+ api_endpoint,
+ cert_source,
+ ) =
client_class.get_mtls_endpoint_and_cert_source(options)
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is expected_cert_source
+
+ # Test cases for mTLS enablement when GOOGLE_API_USE_CLIENT_CERTIFICATE is
unset(empty).
+ test_cases = [
+ (
+ # With workloads present in config, mTLS is enabled.
+ {
+ "version": 1,
+ "cert_configs": {
+ "workload": {
+ "cert_path": "path/to/cert/file",
+ "key_path": "path/to/key/file",
+ }
+ },
+ },
+ mock_client_cert_source,
+ ),
+ (
+ # With workloads not present in config, mTLS is disabled.
+ {
+ "version": 1,
+ "cert_configs": {},
+ },
+ None,
+ ),
+ ]
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ for config_data, expected_cert_source in test_cases:
+ env = os.environ.copy()
+ env.pop("GOOGLE_API_USE_CLIENT_CERTIFICATE", "")
+ with mock.patch.dict(os.environ, env, clear=True):
+ config_filename = "mock_certificate_config.json"
+ config_file_content = json.dumps(config_data)
+ m = mock.mock_open(read_data=config_file_content)
+ with mock.patch("builtins.open", m):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
config_filename}
+ ):
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ (
+ api_endpoint,
+ cert_source,
+ ) =
client_class.get_mtls_endpoint_and_cert_source(options)
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is expected_cert_source
+
# Test the case GOOGLE_API_USE_MTLS_ENDPOINT is "never".
with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT":
"never"}):
api_endpoint, cert_source =
client_class.get_mtls_endpoint_and_cert_source()
@@ -897,18 +1105,6 @@
== "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value.
- with mock.patch.dict(
- os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
- ):
- with pytest.raises(ValueError) as excinfo:
- client_class.get_mtls_endpoint_and_cert_source()
-
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
-
@pytest.mark.parametrize(
"client_class", [SecretManagerServiceClient,
SecretManagerServiceAsyncClient]
@@ -13049,6 +13245,7 @@
# Remove this test when deprecated arguments (api_mtls_endpoint,
client_cert_source) are
# removed from grpc/grpc_asyncio transport constructor.
[email protected]("ignore::FutureWarning")
@pytest.mark.parametrize(
"transport_class",
[
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/tests/unit/gapic/secretmanager_v1beta1/test_secret_manager_service.py
new/google_cloud_secret_manager-2.26.0/tests/unit/gapic/secretmanager_v1beta1/test_secret_manager_service.py
---
old/google_cloud_secret_manager-2.25.0/tests/unit/gapic/secretmanager_v1beta1/test_secret_manager_service.py
2025-10-14 17:22:12.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/tests/unit/gapic/secretmanager_v1beta1/test_secret_manager_service.py
2025-12-18 01:25:13.000000000 +0100
@@ -169,12 +169,19 @@
with mock.patch.dict(
os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
):
- with pytest.raises(ValueError) as excinfo:
- SecretManagerServiceClient._read_environment_variables()
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be
either `true` or `false`"
- )
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with pytest.raises(ValueError) as excinfo:
+ SecretManagerServiceClient._read_environment_variables()
+ assert (
+ str(excinfo.value)
+ == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE`
must be either `true` or `false`"
+ )
+ else:
+ assert SecretManagerServiceClient._read_environment_variables() ==
(
+ False,
+ "auto",
+ None,
+ )
with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT":
"never"}):
assert SecretManagerServiceClient._read_environment_variables() == (
@@ -213,6 +220,105 @@
)
+def test_use_client_cert_effective():
+ # Test case 1: Test when `should_use_client_cert` returns True.
+ # We mock the `should_use_client_cert` function to simulate a scenario
where
+ # the google-auth library supports automatic mTLS and determines that a
+ # client certificate should be used.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch(
+ "google.auth.transport.mtls.should_use_client_cert",
return_value=True
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 2: Test when `should_use_client_cert` returns False.
+ # We mock the `should_use_client_cert` function to simulate a scenario
where
+ # the google-auth library supports automatic mTLS and determines that a
+ # client certificate should NOT be used.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch(
+ "google.auth.transport.mtls.should_use_client_cert",
return_value=False
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 3: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"true".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"true"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 4: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"false".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "false"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 5: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"True".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"True"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 6: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"False".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "False"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 7: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"TRUE".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"TRUE"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 8: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"FALSE".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "FALSE"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 9: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not set.
+ # In this case, the method should return False, which is the default value.
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, clear=True):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 10: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to an
invalid value.
+ # The method should raise a ValueError as the environment variable must be
either
+ # "true" or "false".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "unsupported"}
+ ):
+ with pytest.raises(ValueError):
+ SecretManagerServiceClient._use_client_cert_effective()
+
+ # Test case 11: Test when `should_use_client_cert` is available and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to an
invalid value.
+ # The method should return False as the environment variable is set to an
invalid value.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "unsupported"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 12: Test when `should_use_client_cert` is available and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is unset. Also,
+ # the GOOGLE_API_CONFIG environment variable is unset.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
""}):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
""}):
+ assert SecretManagerServiceClient._use_client_cert_effective()
is False
+
+
def test__get_client_cert_source():
mock_provided_cert_source = mock.Mock()
mock_default_cert_source = mock.Mock()
@@ -600,17 +706,6 @@
== "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value.
- with mock.patch.dict(
- os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
- ):
- with pytest.raises(ValueError) as excinfo:
- client = client_class(transport=transport_name)
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be
either `true` or `false`"
- )
-
# Check the case quota_project_id is provided
options = client_options.ClientOptions(quota_project_id="octopus")
with mock.patch.object(transport_class, "__init__") as patched:
@@ -846,6 +941,119 @@
assert api_endpoint == mock_api_endpoint
assert cert_source is None
+ # Test the case GOOGLE_API_USE_CLIENT_CERTIFICATE is "Unsupported".
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
+ ):
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ mock_client_cert_source = mock.Mock()
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ api_endpoint, cert_source =
client_class.get_mtls_endpoint_and_cert_source(
+ options
+ )
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is None
+
+ # Test cases for mTLS enablement when GOOGLE_API_USE_CLIENT_CERTIFICATE is
unset.
+ test_cases = [
+ (
+ # With workloads present in config, mTLS is enabled.
+ {
+ "version": 1,
+ "cert_configs": {
+ "workload": {
+ "cert_path": "path/to/cert/file",
+ "key_path": "path/to/key/file",
+ }
+ },
+ },
+ mock_client_cert_source,
+ ),
+ (
+ # With workloads not present in config, mTLS is disabled.
+ {
+ "version": 1,
+ "cert_configs": {},
+ },
+ None,
+ ),
+ ]
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ for config_data, expected_cert_source in test_cases:
+ env = os.environ.copy()
+ env.pop("GOOGLE_API_USE_CLIENT_CERTIFICATE", None)
+ with mock.patch.dict(os.environ, env, clear=True):
+ config_filename = "mock_certificate_config.json"
+ config_file_content = json.dumps(config_data)
+ m = mock.mock_open(read_data=config_file_content)
+ with mock.patch("builtins.open", m):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
config_filename}
+ ):
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ (
+ api_endpoint,
+ cert_source,
+ ) =
client_class.get_mtls_endpoint_and_cert_source(options)
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is expected_cert_source
+
+ # Test cases for mTLS enablement when GOOGLE_API_USE_CLIENT_CERTIFICATE is
unset(empty).
+ test_cases = [
+ (
+ # With workloads present in config, mTLS is enabled.
+ {
+ "version": 1,
+ "cert_configs": {
+ "workload": {
+ "cert_path": "path/to/cert/file",
+ "key_path": "path/to/key/file",
+ }
+ },
+ },
+ mock_client_cert_source,
+ ),
+ (
+ # With workloads not present in config, mTLS is disabled.
+ {
+ "version": 1,
+ "cert_configs": {},
+ },
+ None,
+ ),
+ ]
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ for config_data, expected_cert_source in test_cases:
+ env = os.environ.copy()
+ env.pop("GOOGLE_API_USE_CLIENT_CERTIFICATE", "")
+ with mock.patch.dict(os.environ, env, clear=True):
+ config_filename = "mock_certificate_config.json"
+ config_file_content = json.dumps(config_data)
+ m = mock.mock_open(read_data=config_file_content)
+ with mock.patch("builtins.open", m):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
config_filename}
+ ):
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ (
+ api_endpoint,
+ cert_source,
+ ) =
client_class.get_mtls_endpoint_and_cert_source(options)
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is expected_cert_source
+
# Test the case GOOGLE_API_USE_MTLS_ENDPOINT is "never".
with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT":
"never"}):
api_endpoint, cert_source =
client_class.get_mtls_endpoint_and_cert_source()
@@ -896,18 +1104,6 @@
== "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value.
- with mock.patch.dict(
- os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
- ):
- with pytest.raises(ValueError) as excinfo:
- client_class.get_mtls_endpoint_and_cert_source()
-
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
-
@pytest.mark.parametrize(
"client_class", [SecretManagerServiceClient,
SecretManagerServiceAsyncClient]
@@ -12911,6 +13107,7 @@
# Remove this test when deprecated arguments (api_mtls_endpoint,
client_cert_source) are
# removed from grpc/grpc_asyncio transport constructor.
[email protected]("ignore::FutureWarning")
@pytest.mark.parametrize(
"transport_class",
[
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/google_cloud_secret_manager-2.25.0/tests/unit/gapic/secretmanager_v1beta2/test_secret_manager_service.py
new/google_cloud_secret_manager-2.26.0/tests/unit/gapic/secretmanager_v1beta2/test_secret_manager_service.py
---
old/google_cloud_secret_manager-2.25.0/tests/unit/gapic/secretmanager_v1beta2/test_secret_manager_service.py
2025-10-14 17:22:16.000000000 +0200
+++
new/google_cloud_secret_manager-2.26.0/tests/unit/gapic/secretmanager_v1beta2/test_secret_manager_service.py
2025-12-18 01:25:12.000000000 +0100
@@ -170,12 +170,19 @@
with mock.patch.dict(
os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
):
- with pytest.raises(ValueError) as excinfo:
- SecretManagerServiceClient._read_environment_variables()
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be
either `true` or `false`"
- )
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with pytest.raises(ValueError) as excinfo:
+ SecretManagerServiceClient._read_environment_variables()
+ assert (
+ str(excinfo.value)
+ == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE`
must be either `true` or `false`"
+ )
+ else:
+ assert SecretManagerServiceClient._read_environment_variables() ==
(
+ False,
+ "auto",
+ None,
+ )
with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT":
"never"}):
assert SecretManagerServiceClient._read_environment_variables() == (
@@ -214,6 +221,105 @@
)
+def test_use_client_cert_effective():
+ # Test case 1: Test when `should_use_client_cert` returns True.
+ # We mock the `should_use_client_cert` function to simulate a scenario
where
+ # the google-auth library supports automatic mTLS and determines that a
+ # client certificate should be used.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch(
+ "google.auth.transport.mtls.should_use_client_cert",
return_value=True
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 2: Test when `should_use_client_cert` returns False.
+ # We mock the `should_use_client_cert` function to simulate a scenario
where
+ # the google-auth library supports automatic mTLS and determines that a
+ # client certificate should NOT be used.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch(
+ "google.auth.transport.mtls.should_use_client_cert",
return_value=False
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 3: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"true".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"true"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 4: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"false".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "false"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 5: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"True".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"True"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 6: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"False".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "False"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 7: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"TRUE".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
"TRUE"}):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
True
+
+ # Test case 8: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
"FALSE".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "FALSE"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 9: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not set.
+ # In this case, the method should return False, which is the default value.
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, clear=True):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 10: Test when `should_use_client_cert` is unavailable and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to an
invalid value.
+ # The method should raise a ValueError as the environment variable must be
either
+ # "true" or "false".
+ if not hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "unsupported"}
+ ):
+ with pytest.raises(ValueError):
+ SecretManagerServiceClient._use_client_cert_effective()
+
+ # Test case 11: Test when `should_use_client_cert` is available and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to an
invalid value.
+ # The method should return False as the environment variable is set to an
invalid value.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "unsupported"}
+ ):
+ assert SecretManagerServiceClient._use_client_cert_effective() is
False
+
+ # Test case 12: Test when `should_use_client_cert` is available and the
+ # `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is unset. Also,
+ # the GOOGLE_API_CONFIG environment variable is unset.
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE":
""}):
+ with mock.patch.dict(os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
""}):
+ assert SecretManagerServiceClient._use_client_cert_effective()
is False
+
+
def test__get_client_cert_source():
mock_provided_cert_source = mock.Mock()
mock_default_cert_source = mock.Mock()
@@ -601,17 +707,6 @@
== "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value.
- with mock.patch.dict(
- os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
- ):
- with pytest.raises(ValueError) as excinfo:
- client = client_class(transport=transport_name)
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be
either `true` or `false`"
- )
-
# Check the case quota_project_id is provided
options = client_options.ClientOptions(quota_project_id="octopus")
with mock.patch.object(transport_class, "__init__") as patched:
@@ -847,6 +942,119 @@
assert api_endpoint == mock_api_endpoint
assert cert_source is None
+ # Test the case GOOGLE_API_USE_CLIENT_CERTIFICATE is "Unsupported".
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
+ ):
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ mock_client_cert_source = mock.Mock()
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ api_endpoint, cert_source =
client_class.get_mtls_endpoint_and_cert_source(
+ options
+ )
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is None
+
+ # Test cases for mTLS enablement when GOOGLE_API_USE_CLIENT_CERTIFICATE is
unset.
+ test_cases = [
+ (
+ # With workloads present in config, mTLS is enabled.
+ {
+ "version": 1,
+ "cert_configs": {
+ "workload": {
+ "cert_path": "path/to/cert/file",
+ "key_path": "path/to/key/file",
+ }
+ },
+ },
+ mock_client_cert_source,
+ ),
+ (
+ # With workloads not present in config, mTLS is disabled.
+ {
+ "version": 1,
+ "cert_configs": {},
+ },
+ None,
+ ),
+ ]
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ for config_data, expected_cert_source in test_cases:
+ env = os.environ.copy()
+ env.pop("GOOGLE_API_USE_CLIENT_CERTIFICATE", None)
+ with mock.patch.dict(os.environ, env, clear=True):
+ config_filename = "mock_certificate_config.json"
+ config_file_content = json.dumps(config_data)
+ m = mock.mock_open(read_data=config_file_content)
+ with mock.patch("builtins.open", m):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
config_filename}
+ ):
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ (
+ api_endpoint,
+ cert_source,
+ ) =
client_class.get_mtls_endpoint_and_cert_source(options)
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is expected_cert_source
+
+ # Test cases for mTLS enablement when GOOGLE_API_USE_CLIENT_CERTIFICATE is
unset(empty).
+ test_cases = [
+ (
+ # With workloads present in config, mTLS is enabled.
+ {
+ "version": 1,
+ "cert_configs": {
+ "workload": {
+ "cert_path": "path/to/cert/file",
+ "key_path": "path/to/key/file",
+ }
+ },
+ },
+ mock_client_cert_source,
+ ),
+ (
+ # With workloads not present in config, mTLS is disabled.
+ {
+ "version": 1,
+ "cert_configs": {},
+ },
+ None,
+ ),
+ ]
+ if hasattr(google.auth.transport.mtls, "should_use_client_cert"):
+ for config_data, expected_cert_source in test_cases:
+ env = os.environ.copy()
+ env.pop("GOOGLE_API_USE_CLIENT_CERTIFICATE", "")
+ with mock.patch.dict(os.environ, env, clear=True):
+ config_filename = "mock_certificate_config.json"
+ config_file_content = json.dumps(config_data)
+ m = mock.mock_open(read_data=config_file_content)
+ with mock.patch("builtins.open", m):
+ with mock.patch.dict(
+ os.environ, {"GOOGLE_API_CERTIFICATE_CONFIG":
config_filename}
+ ):
+ mock_api_endpoint = "foo"
+ options = client_options.ClientOptions(
+ client_cert_source=mock_client_cert_source,
+ api_endpoint=mock_api_endpoint,
+ )
+ (
+ api_endpoint,
+ cert_source,
+ ) =
client_class.get_mtls_endpoint_and_cert_source(options)
+ assert api_endpoint == mock_api_endpoint
+ assert cert_source is expected_cert_source
+
# Test the case GOOGLE_API_USE_MTLS_ENDPOINT is "never".
with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT":
"never"}):
api_endpoint, cert_source =
client_class.get_mtls_endpoint_and_cert_source()
@@ -897,18 +1105,6 @@
== "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be
`never`, `auto` or `always`"
)
- # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value.
- with mock.patch.dict(
- os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"}
- ):
- with pytest.raises(ValueError) as excinfo:
- client_class.get_mtls_endpoint_and_cert_source()
-
- assert (
- str(excinfo.value)
- == "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must
be either `true` or `false`"
- )
-
@pytest.mark.parametrize(
"client_class", [SecretManagerServiceClient,
SecretManagerServiceAsyncClient]
@@ -13051,6 +13247,7 @@
# Remove this test when deprecated arguments (api_mtls_endpoint,
client_cert_source) are
# removed from grpc/grpc_asyncio transport constructor.
[email protected]("ignore::FutureWarning")
@pytest.mark.parametrize(
"transport_class",
[
