fix(auth): Delegate workload cert and key default lookup to helper function (#1877)

get_client_ssl_credentials had a bug that defaulted the cert path to
CERTIFICATE_CONFIGURATION_DEFAULT_PATH if not explicitly specified. The
correct behavior should be to delegate the lookup logic to
"_get_workload_cert_and_key" which also takes into account the cert
config path set by the env var GOOGLE_API_CERTIFICATE_CONFIG.

---------

Co-authored-by: Daniel Sanche <d.sanche14@gmail.com>

Author: andyrzhao

google/auth/transport/_mtls_helper.py

@@ -279,7 +279,7 @@ def _run_cert_provider_command(command, expect_encrypted_key=False):
 def get_client_ssl_credentials(
     generate_encrypted_key=False,
     context_aware_metadata_path=CONTEXT_AWARE_METADATA_PATH,
-    certificate_config_path=CERTIFICATE_CONFIGURATION_DEFAULT_PATH,
+    certificate_config_path=None,
 ):
     """Returns the client side certificate, private key and passphrase.
 
@@ -306,13 +306,10 @@ def get_client_ssl_credentials(
             the cert, key and passphrase.
     """
 
-    # 1. Check for certificate config json.
-    cert_config_path = _check_config_path(certificate_config_path)
-    if cert_config_path:
-        # Attempt to retrieve X.509 Workload cert and key.
-        cert, key = _get_workload_cert_and_key(cert_config_path)
-        if cert and key:
-            return True, cert, key, None
+    # 1.  Attempt to retrieve X.509 Workload cert and key.
+    cert, key = _get_workload_cert_and_key(certificate_config_path)
+    if cert and key:
+        return True, cert, key, None
 
     # 2. Check for context aware metadata json
     metadata_path = _check_config_path(context_aware_metadata_path)

tests/transport/test__mtls_helper.py

@@ -334,9 +334,15 @@ def test_success_with_certificate_config(
         assert key == pytest.private_key_bytes
         assert passphrase is None
 
+    @mock.patch(
+        "google.auth.transport._mtls_helper._get_workload_cert_and_key", autospec=True
+    )
     @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
-    def test_success_without_metadata(self, mock_check_config_path):
+    def test_success_without_metadata(
+        self, mock_check_config_path, mock_get_workload_cert_and_key
+    ):
         mock_check_config_path.return_value = False
+        mock_get_workload_cert_and_key.return_value = (None, None)
         has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials()
         assert not has_cert
         assert cert is None
@@ -395,12 +401,17 @@ def test_missing_cert_command(
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
+    @mock.patch(
+        "google.auth.transport._mtls_helper._get_workload_cert_and_key", autospec=True
+    )
     def test_customize_context_aware_metadata_path(
         self,
+        mock_get_workload_cert_and_key,
         mock_check_config_path,
         mock_load_json_file,
         mock_run_cert_provider_command,
     ):
+        mock_get_workload_cert_and_key.return_value = (None, None)
         context_aware_metadata_path = "/path/to/metata/data"
         mock_check_config_path.return_value = context_aware_metadata_path
         mock_load_json_file.return_value = {"cert_provider_command": ["command"]}