@@ -221,6 +221,73 @@ def parse_common_location_path(path: str) -> Dict[str, str]:
221221 m = re .match (r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)$" , path )
222222 return m .groupdict () if m else {}
223223
224+ @classmethod
225+ def get_mtls_endpoint_and_cert_source (
226+ cls , client_options : Optional [client_options_lib .ClientOptions ] = None
227+ ):
228+ """Return the API endpoint and client cert source for mutual TLS.
229+
230+ The client cert source is determined in the following order:
231+ (1) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not "true", the
232+ client cert source is None.
233+ (2) if `client_options.client_cert_source` is provided, use the provided one; if the
234+ default client cert source exists, use the default one; otherwise the client cert
235+ source is None.
236+
237+ The API endpoint is determined in the following order:
238+ (1) if `client_options.api_endpoint` if provided, use the provided one.
239+ (2) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is "always", use the
240+ default mTLS endpoint; if the environment variabel is "never", use the default API
241+ endpoint; otherwise if client cert source exists, use the default mTLS endpoint, otherwise
242+ use the default API endpoint.
243+
244+ More details can be found at https://google.aip.dev/auth/4114.
245+
246+ Args:
247+ client_options (google.api_core.client_options.ClientOptions): Custom options for the
248+ client. Only the `api_endpoint` and `client_cert_source` properties may be used
249+ in this method.
250+
251+ Returns:
252+ Tuple[str, Callable[[], Tuple[bytes, bytes]]]: returns the API endpoint and the
253+ client cert source to use.
254+
255+ Raises:
256+ google.auth.exceptions.MutualTLSChannelError: If any errors happen.
257+ """
258+ if client_options is None :
259+ client_options = client_options_lib .ClientOptions ()
260+ use_client_cert = os .getenv ("GOOGLE_API_USE_CLIENT_CERTIFICATE" , "false" )
261+ use_mtls_endpoint = os .getenv ("GOOGLE_API_USE_MTLS_ENDPOINT" , "auto" )
262+ if use_client_cert not in "true" , "false" ):
263+ raise ValueError (
264+ "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be either `true` or `false`"
265+ )
266+ if use_mtls_endpoint not in "auto" , "never" , "always" ):
267+ raise MutualTLSChannelError (
268+ "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`"
269+ )
270+
271+ # Figure out the client cert source to use.
272+ client_cert_source = None
273+ if use_client_cert == "true" :
274+ if client_options .client_cert_source :
275+ client_cert_source = client_options .client_cert_source
276+ elif mtls .has_default_client_cert_source ():
277+ client_cert_source = mtls .default_client_cert_source ()
278+
279+ # Figure out which api endpoint to use.
280+ if client_options .api_endpoint is not None :
281+ api_endpoint = client_options .api_endpoint
282+ elif use_mtls_endpoint == "always" or (
283+ use_mtls_endpoint == "auto" and client_cert_source
284+ ):
285+ api_endpoint = cls .DEFAULT_MTLS_ENDPOINT
286+ else :
287+ api_endpoint = cls .DEFAULT_ENDPOINT
288+
289+ return api_endpoint , client_cert_source
290+
224291 def __init__ (
225292 self ,
226293 * ,
@@ -271,57 +338,22 @@ def __init__(
271338 if client_options is None :
272339 client_options = client_options_lib .ClientOptions ()
273340
274- # Create SSL credentials for mutual TLS if needed.
275- if os .getenv ("GOOGLE_API_USE_CLIENT_CERTIFICATE" , "false" ) not in
276- "true" ,
277- "false" ,
278- ):
279- raise ValueError (
280- "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be either `true` or `false`"
281- )
282- use_client_cert = (
283- os .getenv ("GOOGLE_API_USE_CLIENT_CERTIFICATE" , "false" ) == "true"
341+ api_endpoint , client_cert_source_func = self .get_mtls_endpoint_and_cert_source (
342+ client_options
284343 )
285344
286- client_cert_source_func = None
287- is_mtls = False
288- if use_client_cert :
289- if client_options .client_cert_source :
290- is_mtls = True
291- client_cert_source_func = client_options .client_cert_source
292- else :
293
F987
- is_mtls = mtls .has_default_client_cert_source ()
294- if is_mtls :
295- client_cert_source_func = mtls .default_client_cert_source ()
296- else :
297- client_cert_source_func = None
298-
299- # Figure out which api endpoint to use.
300- if client_options .api_endpoint is not None :
301- api_endpoint = client_options .api_endpoint
302- else :
303- use_mtls_env = os .getenv ("GOOGLE_API_USE_MTLS_ENDPOINT" , "auto" )
304- if use_mtls_env == "never" :
305- api_endpoint = self .DEFAULT_ENDPOINT
306- elif use_mtls_env == "always" :
307- api_endpoint = self .DEFAULT_MTLS_ENDPOINT
308- elif use_mtls_env == "auto" :
309- if is_mtls :
310- api_endpoint = self .DEFAULT_MTLS_ENDPOINT
311- else :
312- api_endpoint = self .DEFAULT_ENDPOINT
313- else :
314- raise MutualTLSChannelError (
315- "Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted "
316- "values: never, auto, always"
317- )
345+ api_key_value = getattr (client_options , "api_key" , None )
346+ if api_key_value and credentials :
347+ raise ValueError (
348+ "client_options.api_key and credentials are mutually exclusive"
349+ )
318350
319351 # Save or instantiate the transport.
320352 # Ordinarily, we provide the transport, but allowing a custom transport
321353 # instance provides an extensibility point for unusual situations.
322354 if isinstance (transport , VideoIntelligenceServiceTransport ):
323355 # transport is a VideoIntelligenceServiceTransport instance.
324- if credentials or client_options .credentials_file :
356+ if credentials or client_options .credentials_file or api_key_value :
325357 raise ValueError (
326358 "When providing a transport instance, "
327359 "provide its credentials directly."
@@ -333,6 +365,15 @@ def __init__(
333365 )
334366 self ._transport = transport
335367 else :
368+ import google .auth ._default # type: ignore
369+
370+ if api_key_value and hasattr (
371+ google .auth ._default , "get_api_key_credentials"
372+ ):
373+ credentials = google .auth ._default .get_api_key_credentials (
374+ api_key_value
375+ )
376+
336377 Transport = type (self ).get_transport_class (transport )
337378 self ._transport = Transport (
338379 credentials = credentials ,
0 commit comments