Skip to content

Commit

Permalink
fix: disable universe-domain validation (#2236)
Browse files Browse the repository at this point in the history 
Co-authored-by: Anthonios Partheniou <partheniou@google.com>
Co-authored-by: ohmayr <omairn@google.com>
  • Loading branch information
@TimurSadykov @parthea @ohmayr
3 people authored Oct 30, 2024
1 parent 7ccebd2 commit ecaa41e
Show file tree
Hide file tree
Showing 17 changed files with 32 additions and 735 deletions.
33 changes: 3 additions & 30 deletions gapic/templates/%namespace/%name_%version/%sub/services/%service/client.py.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -400,33 +400,6 @@ class {{ service.client_name }}(metaclass={{ service.client_name }}Meta):
if len(universe_domain.strip()) == 0:
raise ValueError("Universe Domain cannot be an empty string.")
return universe_domain

@staticmethod
def _compare_universes(client_universe: str,
credentials: ga_credentials.Credentials) -> bool:
"""Returns True iff the universe domains used by the client and credentials match.

Args:
client_universe (str): The universe domain configured via the client options.
credentials (ga_credentials.Credentials): The credentials being used in the client.

Returns:
bool: True iff client_universe matches the universe in credentials.

Raises:
ValueError: when client_universe does not match the universe in credentials.
"""

default_universe = {{ service.client_name }}._DEFAULT_UNIVERSE
credentials_universe = getattr(credentials, "universe_domain", default_universe)

if client_universe != credentials_universe:
raise ValueError("The configured universe domain "
f"({client_universe}) does not match the universe domain "
f"found in the credentials ({credentials_universe}). "
"If you haven't configured the universe domain explicitly, "
f"`{default_universe}` is the default.")
return True

def _validate_universe_domain(self):
"""Validates client's and credentials' universe domains are consistent.
Expand All @@ -437,9 +410,9 @@ class {{ service.client_name }}(metaclass={{ service.client_name }}Meta):
Raises:
ValueError: If the configured universe domain is not valid.
"""
self._is_universe_domain_valid = (self._is_universe_domain_valid or
{{ service.client_name }}._compare_universes(self.universe_domain, self.transport._credentials))
return self._is_universe_domain_valid

# NOTE (b/349488459): universe validation is disabled until further notice.
return True

@property
def api_endpoint(self):
Expand Down
65 changes: 0 additions & 65 deletions gapic/templates/tests/unit/gapic/%name_%version/%sub/test_%service.py.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -268,71 +268,6 @@ def test__get_universe_domain():
{{ service.client_name }}._get_universe_domain("", None)
assert str(excinfo.value) == "Universe Domain cannot be an empty string."

@pytest.mark.parametrize("client_class,transport_class,transport_name", [
{% if 'grpc' in opts.transport %}
({{ service.client_name }}, transports.{{ service.grpc_transport_name }}, "grpc"),
{% endif %}
{% if 'rest' in opts.transport %}
({{ service.client_name }}, transports.{{ service.rest_transport_name }}, "rest"),
{% endif %}
])
def test__validate_universe_domain(client_class, transport_class, transport_name):
client = client_class(
transport=transport_class(
credentials=ga_credentials.AnonymousCredentials()
)
)
assert client._validate_universe_domain() == True

# Test the case when universe is already validated.
assert client._validate_universe_domain() == True

if transport_name == "grpc":
# Test the case where credentials are provided by the
# `local_channel_credentials`. The default universes in both match.
channel = grpc.secure_channel('http://localhost/', grpc.local_channel_credentials())
client = client_class(transport=transport_class(channel=channel))
assert client._validate_universe_domain() == True

# Test the case where credentials do not exist: e.g. a transport is provided
# with no credentials. Validation should still succeed because there is no
# mismatch with non-existent credentials.
channel = grpc.secure_channel('http://localhost/', grpc.local_channel_credentials())
transport=transport_class(channel=channel)
transport._credentials = None
client = client_class(transport=transport)
assert client._validate_universe_domain() == True

# TODO: This is needed to cater for older versions of google-auth
# Make this test unconditional once the minimum supported version of
# google-auth becomes 2.23.0 or higher.
google_auth_major, google_auth_minor = [int(part) for part in google.auth.__version__.split(".")[0:2]]
if google_auth_major > 2 or (google_auth_major == 2 and google_auth_minor >= 23):
credentials = ga_credentials.AnonymousCredentials()
credentials._universe_domain = "foo.com"
# Test the case when there is a universe mismatch from the credentials.
client = client_class(
transport=transport_class(credentials=credentials)
)
with pytest.raises(ValueError) as excinfo:
client._validate_universe_domain()
assert str(excinfo.value) == "The configured universe domain (googleapis.com) does not match the universe domain found in the credentials (foo.com). If you haven't configured the universe domain explicitly, `googleapis.com` is the default."

# Test the case when there is a universe mismatch from the client.
#
# TODO: Make this test unconditional once the minimum supported version of
# google-api-core becomes 2.15.0 or higher.
api_core_major, api_core_minor = [int(part) for part in api_core_version.__version__.split(".")[0:2]]
if api_core_major > 2 or (api_core_major == 2 and api_core_minor >= 15):
client = client_class(client_options={"universe_domain": "bar.com"}, transport=transport_class(credentials=ga_credentials.AnonymousCredentials(),))
with pytest.raises(ValueError) as excinfo:
client._validate_universe_domain()
assert str(excinfo.value) == "The configured universe domain (bar.com) does not match the universe domain found in the credentials (googleapis.com). If you haven't configured the universe domain explicitly, `googleapis.com` is the default."

# Test that ValueError is raised if universe_domain is provided via client options and credentials is None
with pytest.raises(ValueError):
client._compare_universes("foo.bar", None)


@pytest.mark.parametrize("client_class,transport_name", [
{% if 'grpc' in opts.transport %}
Expand Down
33 changes: 3 additions & 30 deletions tests/integration/goldens/asset/google/cloud/asset_v1/services/asset_service/client.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -460,33 +460,6 @@ def _get_universe_domain(client_universe_domain: Optional[str], universe_domain_
raise ValueError("Universe Domain cannot be an empty string.")
return universe_domain

@staticmethod
def _compare_universes(client_universe: str,
credentials: ga_credentials.Credentials) -> bool:
"""Returns True iff the universe domains used by the client and credentials match.
Args:
client_universe (str): The universe domain configured via the client options.
credentials (ga_credentials.Credentials): The credentials being used in the client.
Returns:
bool: True iff client_universe matches the universe in credentials.
Raises:
ValueError: when client_universe does not match the universe in credentials.
"""

default_universe = AssetServiceClient._DEFAULT_UNIVERSE
credentials_universe = getattr(credentials, "universe_domain", default_universe)

if client_universe != credentials_universe:
raise ValueError("The configured universe domain "
f"({client_universe}) does not match the universe domain "
f"found in the credentials ({credentials_universe}). "
"If you haven't configured the universe domain explicitly, "
f"`{default_universe}` is the default.")
return True

def _validate_universe_domain(self):
"""Validates client's and credentials' universe domains are consistent.
Expand All @@ -496,9 +469,9 @@ def _validate_universe_domain(self):
Raises:
ValueError: If the configured universe domain is not valid.
"""
self._is_universe_domain_valid = (self._is_universe_domain_valid or
AssetServiceClient._compare_universes(self.universe_domain, self.transport._credentials))
return self._is_universe_domain_valid

# NOTE (b/349488459): universe validation is disabled until further notice.
return True

@property
def api_endpoint(self):
Expand Down
61 changes: 0 additions & 61 deletions tests/integration/goldens/asset/tests/unit/gapic/asset_v1/test_asset_service.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -192,67 +192,6 @@ def test__get_universe_domain():
AssetServiceClient._get_universe_domain("", None)
assert str(excinfo.value) == "Universe Domain cannot be an empty string."

@pytest.mark.parametrize("client_class,transport_class,transport_name", [
(AssetServiceClient, transports.AssetServiceGrpcTransport, "grpc"),
(AssetServiceClient, transports.AssetServiceRestTransport, "rest"),
])
def test__validate_universe_domain(client_class, transport_class, transport_name):
client = client_class(
transport=transport_class(
credentials=ga_credentials.AnonymousCredentials()
)
)
assert client._validate_universe_domain() == True

# Test the case when universe is already validated.
assert client._validate_universe_domain() == True

if transport_name == "grpc":
# Test the case where credentials are provided by the
# `local_channel_credentials`. The default universes in both match.
channel = grpc.secure_channel('http://localhost/', grpc.local_channel_credentials())
client = client_class(transport=transport_class(channel=channel))
assert client._validate_universe_domain() == True

# Test the case where credentials do not exist: e.g. a transport is provided
# with no credentials. Validation should still succeed because there is no
# mismatch with non-existent credentials.
channel = grpc.secure_channel('http://localhost/', grpc.local_channel_credentials())
transport=transport_class(channel=channel)
transport._credentials = None
client = client_class(transport=transport)
assert client._validate_universe_domain() == True

# TODO: This is needed to cater for older versions of google-auth
# Make this test unconditional once the minimum supported version of
# google-auth becomes 2.23.0 or higher.
google_auth_major, google_auth_minor = [int(part) for part in google.auth.__version__.split(".")[0:2]]
if google_auth_major > 2 or (google_auth_major == 2 and google_auth_minor >= 23):
credentials = ga_credentials.AnonymousCredentials()
credentials._universe_domain = "foo.com"
# Test the case when there is a universe mismatch from the credentials.
client = client_class(
transport=transport_class(credentials=credentials)
)
with pytest.raises(ValueError) as excinfo:
client._validate_universe_domain()
assert str(excinfo.value) == "The configured universe domain (googleapis.com) does not match the universe domain found in the credentials (foo.com). If you haven't configured the universe domain explicitly, `googleapis.com` is the default."

# Test the case when there is a universe mismatch from the client.
#
# TODO: Make this test unconditional once the minimum supported version of
# google-api-core becomes 2.15.0 or higher.
api_core_major, api_core_minor = [int(part) for part in api_core_version.__version__.split(".")[0:2]]
if api_core_major > 2 or (api_core_major == 2 and api_core_minor >= 15):
client = client_class(client_options={"universe_domain": "bar.com"}, transport=transport_class(credentials=ga_credentials.AnonymousCredentials(),))
with pytest.raises(ValueError) as excinfo:
client._validate_universe_domain()
assert str(excinfo.value) == "The configured universe domain (bar.com) does not match the universe domain found in the credentials (googleapis.com). If you haven't configured the universe domain explicitly, `googleapis.com` is the default."

# Test that ValueError is raised if universe_domain is provided via client options and credentials is None
with pytest.raises(ValueError):
client._compare_universes("foo.bar", None)


@pytest.mark.parametrize("client_class,transport_name", [
(AssetServiceClient, "grpc"),
Expand Down
33 changes: 3 additions & 30 deletions ...egration/goldens/credentials/google/iam/credentials_v1/services/iam_credentials/client.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -397,33 +397,6 @@ def _get_universe_domain(client_universe_domain: Optional[str], universe_domain_
raise ValueError("Universe Domain cannot be an empty string.")
return universe_domain

@staticmethod
def _compare_universes(client_universe: str,
credentials: ga_credentials.Credentials) -> bool:
"""Returns True iff the universe domains used by the client and credentials match.
Args:
client_universe (str): The universe domain configured via the client options.
credentials (ga_credentials.Credentials): The credentials being used in the client.
Returns:
bool: True iff client_universe matches the universe in credentials.
Raises:
ValueError: when client_universe does not match the universe in credentials.
"""

default_universe = IAMCredentialsClient._DEFAULT_UNIVERSE
credentials_universe = getattr(credentials, "universe_domain", default_universe)

if client_universe != credentials_universe:
raise ValueError("The configured universe domain "
f"({client_universe}) does not match the universe domain "
f"found in the credentials ({credentials_universe}). "
"If you haven't configured the universe domain explicitly, "
f"`{default_universe}` is the default.")
return True

def _validate_universe_domain(self):
"""Validates client's and credentials' universe domains are consistent.
Expand All @@ -433,9 +406,9 @@ def _validate_universe_domain(self):
Raises:
ValueError: If the configured universe domain is not valid.
"""
self._is_universe_domain_valid = (self._is_universe_domain_valid or
IAMCredentialsClient._compare_universes(self.universe_domain, self.transport._credentials))
return self._is_universe_domain_valid

# NOTE (b/349488459): universe validation is disabled until further notice.
return True

@property
def api_endpoint(self):
Expand Down
61 changes: 0 additions & 61 deletions ...s/integration/goldens/credentials/tests/unit/gapic/credentials_v1/test_iam_credentials.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -182,67 +182,6 @@ def test__get_universe_domain():
IAMCredentialsClient._get_universe_domain("", None)
assert str(excinfo.value) == "Universe Domain cannot be an empty string."

@pytest.mark.parametrize("client_class,transport_class,transport_name", [
(IAMCredentialsClient, transports.IAMCredentialsGrpcTransport, "grpc"),
(IAMCredentialsClient, transports.IAMCredentialsRestTransport, "rest"),
])
def test__validate_universe_domain(client_class, transport_class, transport_name):
client = client_class(
transport=transport_class(
credentials=ga_credentials.AnonymousCredentials()
)
)
assert client._validate_universe_domain() == True

# Test the case when universe is already validated.
assert client._validate_universe_domain() == True

if transport_name == "grpc":
# Test the case where credentials are provided by the
# `local_channel_credentials`. The default universes in both match.
channel = grpc.secure_channel('http://localhost/', grpc.local_channel_credentials())
client = client_class(transport=transport_class(channel=channel))
assert client._validate_universe_domain() == True

# Test the case where credentials do not exist: e.g. a transport is provided
# with no credentials. Validation should still succeed because there is no
# mismatch with non-existent credentials.
channel = grpc.secure_channel('http://localhost/', grpc.local_channel_credentials())
transport=transport_class(channel=channel)
transport._credentials = None
client = client_class(transport=transport)
assert client._validate_universe_domain() == True

# TODO: This is needed to cater for older versions of google-auth
# Make this test unconditional once the minimum supported version of
# google-auth becomes 2.23.0 or higher.
google_auth_major, google_auth_minor = [int(part) for part in google.auth.__version__.split(".")[0:2]]
if google_auth_major > 2 or (google_auth_major == 2 and google_auth_minor >= 23):
credentials = ga_credentials.AnonymousCredentials()
credentials._universe_domain = "foo.com"
# Test the case when there is a universe mismatch from the credentials.
client = client_class(
transport=transport_class(credentials=credentials)
)
with pytest.raises(ValueError) as excinfo:
client._validate_universe_domain()
assert str(excinfo.value) == "The configured universe domain (googleapis.com) does not match the universe domain found in the credentials (foo.com). If you haven't configured the universe domain explicitly, `googleapis.com` is the default."

# Test the case when there is a universe mismatch from the client.
#
# TODO: Make this test unconditional once the minimum supported version of
# google-api-core becomes 2.15.0 or higher.
api_core_major, api_core_minor = [int(part) for part in api_core_version.__version__.split(".")[0:2]]
if api_core_major > 2 or (api_core_major == 2 and api_core_minor >= 15):
client = client_class(client_options={"universe_domain": "bar.com"}, transport=transport_class(credentials=ga_credentials.AnonymousCredentials(),))
with pytest.raises(ValueError) as excinfo:
client._validate_universe_domain()
assert str(excinfo.value) == "The configured universe domain (bar.com) does not match the universe domain found in the credentials (googleapis.com). If you haven't configured the universe domain explicitly, `googleapis.com` is the default."

# Test that ValueError is raised if universe_domain is provided via client options and credentials is None
with pytest.raises(ValueError):
client._compare_universes("foo.bar", None)


@pytest.mark.parametrize("client_class,transport_name", [
(IAMCredentialsClient, "grpc"),
Expand Down
Loading

0 comments on commit ecaa41e

Please sign in to comment.