google-auth 2.49.0__tar.gz → 2.49.0.dev0__tar.gz

{google_auth-2.49.0/google_auth.egg-info → google_auth-2.49.0.dev0}/PKG-INFO

@@ -1,6 +1,6 @@
-Metadata-Version: 2.4
+Metadata-Version: 2.1
 Name: google-auth
-Version: 2.49.0
+Version: 2.49.0.dev0
 Summary: Google Authentication Library
 Home-page: https://github.com/googleapis/google-auth-library-python
 Author: Google Cloud Platform
@@ -27,7 +27,6 @@ Requires-Python: >=3.8
 License-File: LICENSE
 Requires-Dist: pyasn1-modules>=0.2.1
 Requires-Dist: cryptography>=38.0.3
-Requires-Dist: rsa<5,>=3.1.4
 Provides-Extra: cryptography
 Requires-Dist: cryptography>=38.0.3; extra == "cryptography"
 Provides-Extra: aiohttp
@@ -63,21 +62,10 @@ Requires-Dist: aioresponses; extra == "testing"
 Requires-Dist: pytest-asyncio; extra == "testing"
 Requires-Dist: pyopenssl<24.3.0; extra == "testing"
 Requires-Dist: aiohttp<3.10.0; extra == "testing"
+Requires-Dist: rsa<5,>=3.1.4; extra == "testing"
 Provides-Extra: urllib3
 Requires-Dist: urllib3; extra == "urllib3"
 Requires-Dist: packaging; extra == "urllib3"
-Dynamic: author
-Dynamic: author-email
-Dynamic: classifier
-Dynamic: description
-Dynamic: home-page
-Dynamic: keywords
-Dynamic: license
-Dynamic: license-file
-Dynamic: provides-extra
-Dynamic: requires-dist
-Dynamic: requires-python
-Dynamic: summary
 
 Google Auth Python Library
 ==========================

{google_auth-2.49.0 → google_auth-2.49.0.dev0}/google/auth/aio/transport/aiohttp.py

@@ -12,11 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-"""Transport adapter for Asynchronous HTTP Requests based on aiohttp."""
+"""Transport adapter for Asynchronous HTTP Requests based on aiohttp.
+"""
 
 import asyncio
 import logging
-from typing import AsyncGenerator, Mapping, Optional, TYPE_CHECKING, Union
+from typing import AsyncGenerator, Mapping, Optional
 
 try:
     import aiohttp  # type: ignore
@@ -30,15 +31,6 @@ from google.auth import exceptions
 from google.auth.aio import _helpers as _helpers_async
 from google.auth.aio import transport
 
-if TYPE_CHECKING:  # pragma: NO COVER
-    from aiohttp import ClientTimeout  # type: ignore
-
-else:
-    try:
-        from aiohttp import ClientTimeout
-    except (ImportError, AttributeError):
-        ClientTimeout = None
-
 _LOGGER = logging.getLogger(__name__)
 
 
@@ -121,7 +113,7 @@ class Request(transport.Request):
     .. automethod:: __call__
     """
 
-    def __init__(self, session: Optional[aiohttp.ClientSession] = None):
+    def __init__(self, session: aiohttp.ClientSession = None):
         self._session = session
         self._closed = False
 
@@ -131,7 +123,7 @@ class Request(transport.Request):
         method: str = "GET",
         body: Optional[bytes] = None,
         headers: Optional[Mapping[str, str]] = None,
-        timeout: Union[float, ClientTimeout] = transport._DEFAULT_TIMEOUT_SECONDS,
+        timeout: float = transport._DEFAULT_TIMEOUT_SECONDS,
         **kwargs,
     ) -> transport.Response:
         """
@@ -166,10 +158,7 @@ class Request(transport.Request):
             if not self._session:
                 self._session = aiohttp.ClientSession()
 
-            if isinstance(timeout, aiohttp.ClientTimeout):
-                client_timeout = timeout
-            else:
-                client_timeout = aiohttp.ClientTimeout(total=timeout)
+            client_timeout = aiohttp.ClientTimeout(total=timeout)
             _helpers.request_log(_LOGGER, method, url, body, headers)
             response = await self._session.request(
                 method,
@@ -187,12 +176,8 @@ class Request(transport.Request):
             raise client_exc from caught_exc
 
         except asyncio.TimeoutError as caught_exc:
-            if isinstance(timeout, aiohttp.ClientTimeout):
-                timeout_seconds = timeout.total
-            else:
-                timeout_seconds = timeout
             timeout_exc = exceptions.TimeoutError(
-                f"Request timed out after {timeout_seconds} seconds."
+                f"Request timed out after {timeout} seconds."
             )
             raise timeout_exc from caught_exc
 

google_auth-2.49.0.dev0/google/auth/aio/transport/sessions.py

@@ -0,0 +1,268 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import asyncio
+from contextlib import asynccontextmanager
+import functools
+import time
+from typing import Mapping, Optional
+
+from google.auth import _exponential_backoff, exceptions
+from google.auth.aio import transport
+from google.auth.aio.credentials import Credentials
+from google.auth.exceptions import TimeoutError
+
+try:
+    from google.auth.aio.transport.aiohttp import Request as AiohttpRequest
+
+    AIOHTTP_INSTALLED = True
+except ImportError:  # pragma: NO COVER
+    AIOHTTP_INSTALLED = False
+
+
+@asynccontextmanager
+async def timeout_guard(timeout):
+    """
+    timeout_guard is an asynchronous context manager to apply a timeout to an asynchronous block of code.
+
+    Args:
+        timeout (float): The time in seconds before the context manager times out.
+
+    Raises:
+        google.auth.exceptions.TimeoutError: If the code within the context exceeds the provided timeout.
+
+    Usage:
+        async with timeout_guard(10) as with_timeout:
+            await with_timeout(async_function())
+    """
+    start = time.monotonic()
+    total_timeout = timeout
+
+    def _remaining_time():
+        elapsed = time.monotonic() - start
+        remaining = total_timeout - elapsed
+        if remaining <= 0:
+            raise TimeoutError(
+                f"Context manager exceeded the configured timeout of {total_timeout}s."
+            )
+        return remaining
+
+    async def with_timeout(coro):
+        try:
+            remaining = _remaining_time()
+            response = await asyncio.wait_for(coro, remaining)
+            return response
+        except (asyncio.TimeoutError, TimeoutError) as e:
+            raise TimeoutError(
+                f"The operation {coro} exceeded the configured timeout of {total_timeout}s."
+            ) from e
+
+    try:
+        yield with_timeout
+
+    finally:
+        _remaining_time()
+
+
+class AsyncAuthorizedSession:
+    """This is an asynchronous implementation of :class:`google.auth.requests.AuthorizedSession` class.
+    We utilize an instance of a class that implements :class:`google.auth.aio.transport.Request` configured
+    by the caller or otherwise default to `google.auth.aio.transport.aiohttp.Request` if the external aiohttp
+    package is installed.
+
+    A Requests Session class with credentials.
+
+    This class is used to perform asynchronous requests to API endpoints that require
+    authorization::
+
+        import aiohttp
+        from google.auth.aio.transport import sessions
+
+        async with sessions.AsyncAuthorizedSession(credentials) as authed_session:
+            response = await authed_session.request(
+                'GET', 'https://www.googleapis.com/storage/v1/b')
+
+    The underlying :meth:`request` implementation handles adding the
+    credentials' headers to the request and refreshing credentials as needed.
+
+    Args:
+        credentials (google.auth.aio.credentials.Credentials):
+            The credentials to add to the request.
+        auth_request (Optional[google.auth.aio.transport.Request]):
+            An instance of a class that implements
+            :class:`~google.auth.aio.transport.Request` used to make requests
+            and refresh credentials. If not passed,
+            an instance of :class:`~google.auth.aio.transport.aiohttp.Request`
+            is created.
+
+    Raises:
+        - google.auth.exceptions.TransportError: If `auth_request` is `None`
+            and the external package `aiohttp` is not installed.
+        - google.auth.exceptions.InvalidType: If the provided credentials are
+            not of type `google.auth.aio.credentials.Credentials`.
+    """
+
+    def __init__(
+        self, credentials: Credentials, auth_request: Optional[transport.Request] = None
+    ):
+        if not isinstance(credentials, Credentials):
+            raise exceptions.InvalidType(
+                f"The configured credentials of type {type(credentials)} are invalid and must be of type `google.auth.aio.credentials.Credentials`"
+            )
+        self._credentials = credentials
+        _auth_request = auth_request
+        if not _auth_request and AIOHTTP_INSTALLED:
+            _auth_request = AiohttpRequest()
+        if _auth_request is None:
+            raise exceptions.TransportError(
+                "`auth_request` must either be configured or the external package `aiohttp` must be installed to use the default value."
+            )
+        self._auth_request = _auth_request
+
+    async def request(
+        self,
+        method: str,
+        url: str,
+        data: Optional[bytes] = None,
+        headers: Optional[Mapping[str, str]] = None,
+        max_allowed_time: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        timeout: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        **kwargs,
+    ) -> transport.Response:
+        """
+        Args:
+                method (str): The http method used to make the request.
+                url (str): The URI to be requested.
+                data (Optional[bytes]): The payload or body in HTTP request.
+                headers (Optional[Mapping[str, str]]): Request headers.
+                timeout (float):
+                The amount of time in seconds to wait for the server response
+                with each individual request.
+                max_allowed_time (float):
+                If the method runs longer than this, a ``Timeout`` exception is
+                automatically raised. Unlike the ``timeout`` parameter, this
+                value applies to the total method execution time, even if
+                multiple requests are made under the hood.
+
+                Mind that it is not guaranteed that the timeout error is raised
+                at ``max_allowed_time``. It might take longer, for example, if
+                an underlying request takes a lot of time, but the request
+                itself does not timeout, e.g. if a large file is being
+                transmitted. The timeout error will be raised after such
+                request completes.
+
+        Returns:
+                google.auth.aio.transport.Response: The HTTP response.
+
+        Raises:
+                google.auth.exceptions.TimeoutError: If the method does not complete within
+                the configured `max_allowed_time` or the request exceeds the configured
+                `timeout`.
+        """
+
+        retries = _exponential_backoff.AsyncExponentialBackoff(
+            total_attempts=transport.DEFAULT_MAX_RETRY_ATTEMPTS
+        )
+        async with timeout_guard(max_allowed_time) as with_timeout:
+            await with_timeout(
+                # Note: before_request will attempt to refresh credentials if expired.
+                self._credentials.before_request(
+                    self._auth_request, method, url, headers
+                )
+            )
+            # Workaround issue in python 3.9 related to code coverage by adding `# pragma: no branch`
+            # See https://github.com/googleapis/gapic-generator-python/pull/1174#issuecomment-1025132372
+            async for _ in retries:  # pragma: no branch
+                response = await with_timeout(
+                    self._auth_request(url, method, data, headers, timeout, **kwargs)
+                )
+                if response.status_code not in transport.DEFAULT_RETRYABLE_STATUS_CODES:
+                    break
+        return response
+
+    @functools.wraps(request)
+    async def get(
+        self,
+        url: str,
+        data: Optional[bytes] = None,
+        headers: Optional[Mapping[str, str]] = None,
+        max_allowed_time: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        timeout: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        **kwargs,
+    ) -> transport.Response:
+        return await self.request(
+            "GET", url, data, headers, max_allowed_time, timeout, **kwargs
+        )
+
+    @functools.wraps(request)
+    async def post(
+        self,
+        url: str,
+        data: Optional[bytes] = None,
+        headers: Optional[Mapping[str, str]] = None,
+        max_allowed_time: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        timeout: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        **kwargs,
+    ) -> transport.Response:
+        return await self.request(
+            "POST", url, data, headers, max_allowed_time, timeout, **kwargs
+        )
+
+    @functools.wraps(request)
+    async def put(
+        self,
+        url: str,
+        data: Optional[bytes] = None,
+        headers: Optional[Mapping[str, str]] = None,
+        max_allowed_time: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        timeout: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        **kwargs,
+    ) -> transport.Response:
+        return await self.request(
+            "PUT", url, data, headers, max_allowed_time, timeout, **kwargs
+        )
+
+    @functools.wraps(request)
+    async def patch(
+        self,
+        url: str,
+        data: Optional[bytes] = None,
+        headers: Optional[Mapping[str, str]] = None,
+        max_allowed_time: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        timeout: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        **kwargs,
+    ) -> transport.Response:
+        return await self.request(
+            "PATCH", url, data, headers, max_allowed_time, timeout, **kwargs
+        )
+
+    @functools.wraps(request)
+    async def delete(
+        self,
+        url: str,
+        data: Optional[bytes] = None,
+        headers: Optional[Mapping[str, str]] = None,
+        max_allowed_time: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        timeout: float = transport._DEFAULT_TIMEOUT_SECONDS,
+        **kwargs,
+    ) -> transport.Response:
+        return await self.request(
+            "DELETE", url, data, headers, max_allowed_time, timeout, **kwargs
+        )
+
+    async def close(self) -> None:
+        """
+        Close the underlying auth request session.
+        """
+        await self._auth_request.close()

{google_auth-2.49.0 → google_auth-2.49.0.dev0}/google/auth/crypt/rsa.py

@@ -24,7 +24,6 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 
 from google.auth import _helpers
 from google.auth.crypt import _cryptography_rsa
-from google.auth.crypt import _python_rsa
 from google.auth.crypt import base
 
 RSA_KEY_MODULE_PREFIX = "rsa.key"
@@ -37,6 +36,7 @@ class RSAVerifier(base.Verifier):
         public_key (Union["rsa.key.PublicKey", cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey]):
             The public key used to verify signatures.
     Raises:
+        ImportError: if called with an rsa.key.PublicKey, when the rsa library is not installed
         ValueError: if an unrecognized public key is provided
     """
 
@@ -45,6 +45,8 @@ class RSAVerifier(base.Verifier):
         if isinstance(public_key, RSAPublicKey):
             impl_lib = _cryptography_rsa
         elif module_str.startswith(RSA_KEY_MODULE_PREFIX):
+            from google.auth.crypt import _python_rsa
+
             impl_lib = _python_rsa
         else:
             raise ValueError(f"unrecognized public key type: {type(public_key)}")
@@ -85,6 +87,7 @@ class RSASigner(base.Signer, base.FromServiceAccountMixin):
             public key or certificate.
 
     Raises:
+        ImportError: if called with an rsa.key.PrivateKey, when the rsa library is not installed
         ValueError: if an unrecognized public key is provided
     """
 
@@ -93,6 +96,8 @@ class RSASigner(base.Signer, base.FromServiceAccountMixin):
         if isinstance(private_key, RSAPrivateKey):
             impl_lib = _cryptography_rsa
         elif module_str.startswith(RSA_KEY_MODULE_PREFIX):
+            from google.auth.crypt import _python_rsa
+
             impl_lib = _python_rsa
         else:
             raise ValueError(f"unrecognized private key type: {type(private_key)}")

{google_auth-2.49.0 → google_auth-2.49.0.dev0}/google/auth/environment_vars.py

@@ -113,18 +113,6 @@ GOOGLE_API_CERTIFICATE_CONFIG = "GOOGLE_API_CERTIFICATE_CONFIG"
 """Environment variable defining the location of Google API certificate config
 file."""
 
-CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE = (
-    "CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE"
-)
-"""Environment variable controlling whether to use client certificate or not.
-This variable is the fallback of GOOGLE_API_USE_CLIENT_CERTIFICATE."""
-
-CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH = (
-    "CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH"
-)
-"""Environment variable defining the location of Google API certificate config
-file. This variable is the fallback of GOOGLE_API_CERTIFICATE_CONFIG."""
-
 GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES = (
     "GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES"
 )

{google_auth-2.49.0 → google_auth-2.49.0.dev0}/google/auth/iam.py

@@ -22,13 +22,14 @@ API`_'s auth-related functionality.
 import base64
 import http.client as http_client
 import json
+import os
 
 from google.auth import _exponential_backoff
 from google.auth import _helpers
 from google.auth import credentials
 from google.auth import crypt
 from google.auth import exceptions
-from google.auth.transport import _mtls_helper
+from google.auth.transport import mtls
 
 IAM_RETRY_CODES = {
     http_client.INTERNAL_SERVER_ERROR,
@@ -39,12 +40,20 @@ IAM_RETRY_CODES = {
 
 _IAM_SCOPE = ["https://www.googleapis.com/auth/iam"]
 
-# Determine if we should use mTLS.
-if (
-    hasattr(_mtls_helper, "check_use_client_cert")
-    and _mtls_helper.check_use_client_cert()
-):
-    # Construct the template domain using the library's DEFAULT_UNIVERSE_DOMAIN constant.
+# 1. Determine if we should use mTLS.
+# Note: We only support automatic mTLS on the default googleapis.com universe.
+if hasattr(mtls, "should_use_client_cert"):
+    use_client_cert = mtls.should_use_client_cert()
+else:  # pragma: NO COVER
+    # if unsupported, fallback to reading from env var
+    use_client_cert = (
+        os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false").lower() == "true"
+    )
+
+# 2. Construct the template domain using the library's DEFAULT_UNIVERSE_DOMAIN constant.
+# This ensures that the .replace() calls in the classes will work correctly.
+if use_client_cert:
+    # We use the .mtls. prefix only for the default universe template
     _IAM_DOMAIN = f"iamcredentials.mtls.{credentials.DEFAULT_UNIVERSE_DOMAIN}"
 else:
     _IAM_DOMAIN = f"iamcredentials.{credentials.DEFAULT_UNIVERSE_DOMAIN}"

{google_auth-2.49.0 → google_auth-2.49.0.dev0}/google/auth/transport/_mtls_helper.py

@@ -25,8 +25,6 @@ from google.auth import environment_vars
 from google.auth import exceptions
 
 CONTEXT_AWARE_METADATA_PATH = "~/.secureConnect/context_aware_metadata.json"
-
-# Default gcloud config path, to be used with path.expanduser for cross-platform compatibility.
 CERTIFICATE_CONFIGURATION_DEFAULT_PATH = "~/.config/gcloud/certificate_config.json"
 _CERT_PROVIDER_COMMAND = "cert_provider_command"
 _CERT_REGEX = re.compile(
@@ -105,9 +103,7 @@ def _load_json_file(path):
     return json_data
 
 
-def _get_workload_cert_and_key(
-    certificate_config_path=None, include_context_aware=True
-):
+def _get_workload_cert_and_key(certificate_config_path=None):
     """Read the workload identity cert and key files specified in the certificate config provided.
     If no config path is provided, check the environment variable: "GOOGLE_API_CERTIFICATE_CONFIG"
     first, then the well known gcloud location: "~/.config/gcloud/certificate_config.json".
@@ -115,8 +111,6 @@ def _get_workload_cert_and_key(
     Args:
         certificate_config_path (string): The certificate config path. If no path is provided,
         the environment variable will be checked first, then the well known gcloud location.
-        include_context_aware (bool): If context aware metadata path should be checked for the
-        SecureConnect mTLS configuration.
 
     Returns:
         Tuple[Optional[bytes], Optional[bytes]]: client certificate bytes in PEM format and key
@@ -127,9 +121,7 @@ def _get_workload_cert_and_key(
         the certificate or key information.
     """
 
-    cert_path, key_path = _get_workload_cert_and_key_paths(
-        certificate_config_path, include_context_aware
-    )
+    cert_path, key_path = _get_workload_cert_and_key_paths(certificate_config_path)
 
     if cert_path is None and key_path is None:
         return None, None
@@ -137,7 +129,7 @@ def _get_workload_cert_and_key(
     return _read_cert_and_key_files(cert_path, key_path)
 
 
-def _get_cert_config_path(certificate_config_path=None, include_context_aware=True):
+def _get_cert_config_path(certificate_config_path=None):
     """Get the certificate configuration path based on the following order:
 
     1: Explicit override, if set
@@ -149,8 +141,6 @@ def _get_cert_config_path(certificate_config_path=None, include_context_aware=Tr
     Args:
         certificate_config_path (string): The certificate config path. If provided, the well known
         location and environment variable will be ignored.
-        include_context_aware (bool): If context aware metadata path should be checked for the
-        SecureConnect mTLS configuration.
 
     Returns:
         The absolute path of the certificate config file, and None if the file does not exist.
@@ -161,14 +151,7 @@ def _get_cert_config_path(certificate_config_path=None, include_context_aware=Tr
         if env_path is not None and env_path != "":
             certificate_config_path = env_path
         else:
-            env_path = environ.get(
-                environment_vars.CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH,
-                None,
-            )
-            if include_context_aware and env_path is not None and env_path != "":
-                certificate_config_path = env_path
-            else:
-                certificate_config_path = CERTIFICATE_CONFIGURATION_DEFAULT_PATH
+            certificate_config_path = CERTIFICATE_CONFIGURATION_DEFAULT_PATH
 
     certificate_config_path = path.expanduser(certificate_config_path)
     if not path.exists(certificate_config_path):
@@ -176,8 +159,8 @@ def _get_cert_config_path(certificate_config_path=None, include_context_aware=Tr
     return certificate_config_path
 
 
-def _get_workload_cert_and_key_paths(config_path, include_context_aware=True):
-    absolute_path = _get_cert_config_path(config_path, include_context_aware)
+def _get_workload_cert_and_key_paths(config_path):
+    absolute_path = _get_cert_config_path(config_path)
     if absolute_path is None:
         return None, None
 
@@ -191,21 +174,28 @@ def _get_workload_cert_and_key_paths(config_path, include_context_aware=True):
         )
     cert_configs = data["cert_configs"]
 
-    # We return None, None if the expected workload fields are not present.
-    # The certificate config might be present for other types of connections (e.g. gECC),
-    # and we want to gracefully fallback to testing other mTLS configurations
-    # like SecureConnect instead of throwing an exception.
-
     if "workload" not in cert_configs:
-        return None, None
+        raise exceptions.ClientCertError(
+            'Certificate config file {} is in an invalid format, a "workload" cert config is expected'.format(
+                absolute_path
+            )
+        )
     workload = cert_configs["workload"]
 
     if "cert_path" not in workload:
-        return None, None
+        raise exceptions.ClientCertError(
+            'Certificate config file {} is in an invalid format, a "cert_path" is expected in the workload cert config'.format(
+                absolute_path
+            )
+        )
     cert_path = workload["cert_path"]
 
     if "key_path" not in workload:
-        return None, None
+        raise exceptions.ClientCertError(
+            'Certificate config file {} is in an invalid format, a "key_path" is expected in the workload cert config'.format(
+                absolute_path
+            )
+        )
     key_path = workload["key_path"]
 
     # == BEGIN Temporary Cloud Run PATCH ==
@@ -462,23 +452,13 @@ def check_use_client_cert():
     Returns:
         bool: Whether the client certificate should be used for mTLS connection.
     """
-    use_client_cert = getenv(environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE)
-    if use_client_cert is None or use_client_cert == "":
-        use_client_cert = getenv(
-            environment_vars.CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE
-        )
-
+    use_client_cert = getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE")
     # Check if the value of GOOGLE_API_USE_CLIENT_CERTIFICATE is set.
     if use_client_cert:
         return use_client_cert.lower() == "true"
     else:
         # Check if the value of GOOGLE_API_CERTIFICATE_CONFIG is set.
-        cert_path = getenv(environment_vars.GOOGLE_API_CERTIFICATE_CONFIG)
-        if cert_path is None:
-            cert_path = getenv(
-                environment_vars.CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH
-            )
-
+        cert_path = getenv("GOOGLE_API_CERTIFICATE_CONFIG")
         if cert_path:
             try:
                 with open(cert_path, "r") as f:

{google_auth-2.49.0 → google_auth-2.49.0.dev0}/google/auth/transport/mtls.py

@@ -20,19 +20,14 @@ from google.auth import exceptions
 from google.auth.transport import _mtls_helper
 
 
-def has_default_client_cert_source(include_context_aware=True):
+def has_default_client_cert_source():
     """Check if default client SSL credentials exists on the device.
 
-    Args:
-       include_context_aware (bool): include_context_aware indicates if context_aware
-       path location will be checked or should it be skipped.
-
     Returns:
         bool: indicating if the default client cert source exists.
     """
     if (
-        include_context_aware
-        and _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH)
+        _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH)
         is not None
     ):
         return True
@@ -63,7 +58,7 @@ def default_client_cert_source():
         google.auth.exceptions.DefaultClientCertSourceError: If the default
             client SSL credentials don't exist or are malformed.
     """
-    if not has_default_client_cert_source(include_context_aware=True):
+    if not has_default_client_cert_source():
         raise exceptions.MutualTLSChannelError(
             "Default client cert source doesn't exist"
         )
@@ -99,7 +94,7 @@ def default_client_encrypted_cert_source(cert_path, key_path):
         google.auth.exceptions.DefaultClientCertSourceError: If any problem
             occurs when loading or saving the client certificate and key.
     """
-    if not has_default_client_cert_source(include_context_aware=True):
+    if not has_default_client_cert_source():
         raise exceptions.MutualTLSChannelError(
             "Default client encrypted cert source doesn't exist"
         )

{google_auth-2.49.0 → google_auth-2.49.0.dev0}/google/auth/version.py

@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "2.49.0"
+__version__ = "2.49.0-dev0"