feat(transport/http): Add environment variables to conform to AIP-4114 (#677)
- Add GOOGLE_API_USE_CLIENT_CERTIFICATE.
- Rename GOOGLE_API_USE_MTLS to GOOGLE_API_USE_MTLS_ENDPOINT and set default to auto. The old name GOOGLE_API_USE_MTLS will be officially deprecated.
diff --git a/transport/http/dial.go b/transport/http/dial.go
index 4450301..a1a01c9 100644
--- a/transport/http/dial.go
+++ b/transport/http/dial.go
@@ -241,8 +241,14 @@
//
// We would like to avoid introducing client-side logic that parses whether the
// endpoint override is an mTLS url, since the url pattern may change at anytime.
+//
+// Important Note: For now, the environment variable GOOGLE_API_USE_CLIENT_CERTIFICATE
+// must be set to "true" to allow certificate to be used (including user provided
+// certificates). For details, see AIP-4114.
func getClientCertificateSource(settings *internal.DialSettings) (cert.Source, error) {
- if settings.HTTPClient != nil {
+ if !isClientCertificateEnabled() {
+ return nil, nil
+ } else if settings.HTTPClient != nil {
return nil, nil // HTTPClient is incompatible with ClientCertificateSource
} else if settings.ClientCertSource != nil {
return settings.ClientCertSource, nil
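Review bot: The new guard at the top of getClientCertificateSource silently discards an explicitly configured settings.ClientCertSource whenever GOOGLE_API_USE_CLIENT_CERTIFICATE is not "true", so a caller that deliberately supplied a client certificate ends up on a plain TLS connection with no client authentication and no signal that mTLS was skipped. That is a silent security downgrade that is hard to notice in production; I would either fail loudly in that branch, e.g. `if settings.ClientCertSource != nil { return nil, errors.New("client certificate configured but GOOGLE_API_USE_CLIENT_CERTIFICATE is not \"true\"") }` before the early return (this changes behavior for existing callers, so it may belong with the default flip the TODO mentions), or at minimum state in the doc comment that a user-provided ClientCertSource is ignored, not just "must be set ... to allow certificate to be used". Stylistically the `else if` after a terminating `return nil, nil` can be a plain `if`. getClientCertificateSource starts and ends outside this hunk.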
@@ -252,6 +258,12 @@
}
+func isClientCertificateEnabled() bool {
+ useClientCert := os.Getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE")
+ // TODO(andyrzhao): Update default to return "true" after DCA feature is fully released.
+ return strings.ToLower(useClientCert) == "true"
+}
+
// getEndpoint returns the endpoint for the service, taking into account the
// user-provided endpoint override "settings.Endpoint"
//
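Review bot: isClientCertificateEnabled has no doc comment and its accepted syntax is narrower than a reader might assume: it lowercases the value but does not trim whitespace, so `GOOGLE_API_USE_CLIENT_CERTIFICATE="true "` (easy to produce from a shell script or a .env file) silently disables client certificates. I would write the comparison as `return strings.EqualFold(strings.TrimSpace(useClientCert), "true")` and add `// isClientCertificateEnabled reports whether GOOGLE_API_USE_CLIENT_CERTIFICATE is set to "true" (case-insensitive). Any other value, including unset, disables client certificates, even a ClientCertSource supplied by the caller.` Whether AIP-4114 permits values other than "true"/"false" I cannot tell from here, so the doc comment should say which values are honored.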
@@ -259,7 +271,7 @@
// the default mTLS endpoint if a client certificate is available.
//
// You can override the default endpoint (mtls vs. regular) by setting the
-// GOOGLE_API_USE_MTLS environment variable.
+// GOOGLE_API_USE_MTLS_ENDPOINT environment variable.
//
// If the endpoint override is an address (host:port) rather than full base
// URL (ex. https://...), then the user-provided address will be merged into
@@ -286,10 +298,12 @@
}
func getMTLSMode() string {
- mode := os.Getenv("GOOGLE_API_USE_MTLS")
+ mode := os.Getenv("GOOGLE_API_USE_MTLS_ENDPOINT")
if mode == "" {
- // TODO(shinfan): Update this to "auto" when the mTLS feature is fully released.
- return mTLSModeNever
+ mode = os.Getenv("GOOGLE_API_USE_MTLS") // Deprecated.
+ }
+ if mode == "" {
+ return mTLSModeAuto
}
return strings.ToLower(mode)
}
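Review bot: getMTLSMode now reads the deprecated GOOGLE_API_USE_MTLS as a fallback and defaults to "auto", but neither fact is documented on the function, and the value is returned lowercased without being checked against the known modes, so a typo such as `GOOGLE_API_USE_MTLS_ENDPOINT=nevr` yields a string no caller matches rather than an error. I would add `// getMTLSMode returns the mTLS endpoint mode ("always", "auto" or "never") from GOOGLE_API_USE_MTLS_ENDPOINT, falling back to the deprecated GOOGLE_API_USE_MTLS, and defaults to "auto" when neither is set; the value is lowercased but not validated.` and consider validating against mTLSModeAlways/mTLSModeAuto/mTLSModeNever here rather than leaving that to the caller (which is outside this hunk, so I cannot confirm it does). On the security side the switch of the default to "auto" is acceptable only because getClientCertificateSource is now gated by GOOGLE_API_USE_CLIENT_CERTIFICATE; that coupling deserves a sentence in the doc comment so the two defaults are not flipped independently later.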
diff --git a/transport/http/dial_test.go b/transport/http/dial_test.go
index ddbdc6e..5009ca2 100644
--- a/transport/http/dial_test.go
+++ b/transport/http/dial_test.go
@@ -62,18 +62,21 @@
func TestGetEndpointWithClientCertSource(t *testing.T) {
dummyClientCertSource := func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { return nil, nil }
testCases := []struct {
- UserEndpoint string
- DefaultEndpoint string
- Want string
- WantErr bool
+ UserEndpoint string
+ DefaultEndpoint string
+ DefaultMTLSEndpoint string
+ Want string
+ WantErr bool
}{
{
- DefaultEndpoint: "https://foo.googleapis.com/bar/baz",
- Want: "https://foo.googleapis.com/bar/baz",
+ DefaultEndpoint: "https://foo.googleapis.com/bar/baz",
+ DefaultMTLSEndpoint: "https://foo.mtls.googleapis.com/bar/baz",
+ Want: "https://foo.mtls.googleapis.com/bar/baz",
},
{
- DefaultEndpoint: "https://staging-foo.sandbox.googleapis.com/bar/baz",
- Want: "https://staging-foo.sandbox.googleapis.com/bar/baz",
+ DefaultEndpoint: "https://staging-foo.sandbox.googleapis.com/bar/baz",
+ DefaultMTLSEndpoint: "https://staging-foo.mtls.sandbox.googleapis.com/bar/baz",
+ Want: "https://staging-foo.mtls.sandbox.googleapis.com/bar/baz",
},
{
UserEndpoint: "myhost:3999",
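Review bot: The updated expectations in TestGetEndpointWithClientCertSource now select the mTLS endpoint, which (per the dial.go changes in this diff) depends on getMTLSMode reading GOOGLE_API_USE_MTLS_ENDPOINT and GOOGLE_API_USE_MTLS from the process environment; the test never pins those variables, so a developer or CI image that exports `GOOGLE_API_USE_MTLS_ENDPOINT=never` will see these cases fail for reasons unrelated to the code. I would clear both variables at the start of the test and restore them with a deferred os.Setenv (or os.Unsetenv), and add a case that sets "never" to prove the override still wins. Separately, because the test passes dummyClientCertSource directly to getEndpoint, the new GOOGLE_API_USE_CLIENT_CERTIFICATE gate in getClientCertificateSource is not exercised anywhere in this diff; a small test showing that a non-nil ClientCertSource is ignored when the variable is unset and honored when it is "true" would lock in the security-relevant behavior. The test function continues past this hunk.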
@@ -94,8 +97,9 @@
for _, tc := range testCases {
got, err := getEndpoint(&internal.DialSettings{
- Endpoint: tc.UserEndpoint,
- DefaultEndpoint: tc.DefaultEndpoint,
+ Endpoint: tc.UserEndpoint,
+ DefaultEndpoint: tc.DefaultEndpoint,
+ DefaultMTLSEndpoint: tc.DefaultMTLSEndpoint,
}, dummyClientCertSource)
if tc.WantErr && err == nil {
t.Errorf("want err, got nil err")