Commit 44c93d2

authored
fix(auth): allowlist agents-nonprod trust domains for agent identity (googleapis#17155)
Allow `agents-nonprod` SPIFFE trust domains (`agents-nonprod.global.org-<id>.system.id.goog` and `agents-nonprod.global.proj-<id>.system.id.goog`) in addition to the production `agents` ones. This enables support for Agent Identity testing and validation in non-production environments (e.g., GKE autopush, staging), resolving pool format validation failures for non-prod agent pools. Bug: b/513574981
1 parent ff52983 commit 44c93d2

2 files changed

+15-10Lines changed: 15 additions & 10 deletions


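--- a/packages/google-auth/google/auth/_agent_identity_utils.py
+++ b/packages/google-auth/google/auth/_agent_identity_utils.py
@@ -22,9 +22,7 @@
 import time
 from urllib.parse import quote, urlparse
 
-from google.auth import environment_vars
-from google.auth import exceptions
-
+from google.auth import environment_vars, exceptions
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -37,6 +35,8 @@
 _AGENT_IDENTITY_SPIFFE_TRUST_DOMAIN_PATTERNS = [
     r"^agents\.global\.org-\d+\.system\.id\.goog$",
     r"^agents\.global\.proj-\d+\.system\.id\.goog$",
+    r"^agents-nonprod\.global\.org-\d+\.system\.id\.goog$",
+    r"^agents-nonprod\.global\.proj-\d+\.system\.id\.goog$",
 ]
 
 _WELL_KNOWN_CERT_PATH = "/var/run/secrets/workload-spiffe-credentials/certificates.pem"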
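Review bot: The new `agents-nonprod` patterns are accepted unconditionally, so after this change a certificate whose SPIFFE trust domain is a non-production agents domain is classified as an agent identity certificate in every environment, not only in the non-prod environments the commit description targets. Nothing in the hunk gates the non-prod entries (the module already imports `environment_vars`, so an explicit opt-in could live there if callers of this list need to tell prod from non-prod), and the list carries no comment explaining why they are included; whether the wider match is harmless depends on how `_is_agent_identity_certificate` and its callers consume the result, which is outside the hunk. At minimum document it on the list: `# Non-production trust domains are matched unconditionally; callers cannot distinguish prod from non-prod agent identities by this check alone.` The first hunk (import merge) is a style-only change.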

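--- a/packages/google-auth/tests/test_agent_identity_utils.py
+++ b/packages/google-auth/tests/test_agent_identity_utils.py
@@ -21,9 +21,7 @@
 from cryptography import x509
 import pytest
 
-from google.auth import _agent_identity_utils
-from google.auth import environment_vars
-from google.auth import exceptions
+from google.auth import _agent_identity_utils, environment_vars, exceptions
 
 # A mock PEM-encoded certificate without an Agent Identity SPIFFE ID.
 NON_AGENT_IDENTITY_CERT_BYTES = (
@@ -60,15 +58,22 @@ def test__is_agent_identity_certificate_invalid(self):
         cert = _agent_identity_utils.parse_certificate(NON_AGENT_IDENTITY_CERT_BYTES)
         assert not _agent_identity_utils._is_agent_identity_certificate(cert)
 
-    def test__is_agent_identity_certificate_valid_spiffe(self):
+    @pytest.mark.parametrize(
+        "spiffe_id",
+        [
+            "spiffe://agents.global.proj-12345.system.id.goog/workload",
+            "spiffe://agents.global.org-12345.system.id.goog/workload",
+            "spiffe://agents-nonprod.global.proj-12345.system.id.goog/workload",
+            "spiffe://agents-nonprod.global.org-12345.system.id.goog/workload",
+        ],
+    )
+    def test__is_agent_identity_certificate_valid_spiffe(self, spiffe_id):
         mock_cert = mock.MagicMock()
         mock_ext = mock.MagicMock()
         mock_san_value = mock.MagicMock()
         mock_cert.extensions.get_extension_for_oid.return_value = mock_ext
         mock_ext.value = mock_san_value
-        mock_san_value.get_values_for_type.return_value = [
-            "spiffe://agents.global.proj-12345.system.id.goog/workload"
-        ]
+        mock_san_value.get_values_for_type.return_value = [spiffe_id]
         assert _agent_identity_utils._is_agent_identity_certificate(mock_cert)
 
     def test__is_agent_identity_certificate_non_matching_spiffe(self):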
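Review bot: The parametrized cases pin only positive matches; there is no negative case showing that the new `agents-nonprod` patterns stay anchored, so a regression that loosened the `^`/`$` anchors or the literal `-nonprod` segment would pass this test unnoticed. `test__is_agent_identity_certificate_non_matching_spiffe` begins on the last line of the hunk and continues outside it, so it may already cover a plain mismatch, but a parametrized negative list of constructed near-misses (a trust domain with extra labels appended after `.goog`, or `agents-prod` in place of `agents-nonprod`) placed next to the positive list would document the intended boundary where a reader looks for it. The positive test builds the certificate from `mock.MagicMock()`, so only the trust-domain matching is exercised, not SAN parsing; a negative case can reuse the same mock shape. The first hunk (import merge) is style-only.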
