draft: aio mtls support

[sai-sunder-s]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @sai-sunder-s, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the asynchronous authentication transport by integrating mutual TLS (mTLS) capabilities. It provides the foundational components for securely handling client certificates and keys, enabling AsyncAuthorizedSession to establish client-authenticated connections. The changes include new utility functions, modifications to the session management, and illustrative examples, all aimed at bolstering the security of asynchronous Google Cloud API interactions.

Highlights

• Asynchronous mTLS Support: Introduced a new module google/auth/aio/transport/mtls.py containing helper functions for mutual TLS (mTLS) in an asyncio context, including secure handling of client certificates and keys.
• Enhanced AsyncAuthorizedSession: The AsyncAuthorizedSession now includes a configure_mtls_channel method to dynamically set up mTLS, leveraging the new mTLS utilities and reconfiguring the underlying aiohttp.ClientSession with the appropriate SSL context. A new is_mtls property has also been added.
• Asynchronous Executor Utility: Added an _run_in_executor utility to google/auth/aio/transport/sessions.py to facilitate running blocking synchronous functions (like certificate loading) within an asynchronous event loop, ensuring non-blocking behavior.
• New Sample Scripts: Several new sample scripts (verify_async_mtls.py, verify_async_static_creds.py, verify_sync_mtls.py, verify_vertex_async.py) have been added to demonstrate the usage of asynchronous mTLS, static credentials, and integration with Vertex AI's async REST transport.
• Comprehensive Unit Tests: Dedicated unit tests (tests/aio/transport/test_mtls.py and tests/aio/transport/test_sessions_mtls.py) have been added to ensure the correctness and robustness of the new mTLS functionality and its integration within the asynchronous transport layer.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces mTLS support for asyncio transports, which is a valuable addition. The implementation correctly uses a thread pool for blocking I/O operations related to certificate handling. The changes are well-structured across new modules, session modifications, and accompanying tests and samples. My review focuses on a potential high-severity issue where mTLS may not be properly configured for non-aiohttp transports, and a few minor code cleanup opportunities regarding unused imports. Overall, this is a solid implementation.

[gemini-code-assist]

There's a potential issue here. If self._is_mtls is true but self._auth_request is not an instance of AiohttpRequest, the transport will not be reconfigured for mTLS. However, self.is_mtls will still report True. This could be misleading and is a potential security risk if the user believes mTLS is enabled when it is not.

Consider raising an exception for unsupported transport types to make the behavior explicit.

                if isinstance(self._auth_request, AiohttpRequest):
                    connector = aiohttp.TCPConnector(ssl=ssl_context)
                    new_session = aiohttp.ClientSession(connector=connector)
                    await self._auth_request.close()
                    self._auth_request = AiohttpRequest(session=new_session)
                else:
                    raise exceptions.TransportError("mTLS is only supported for aiohttp transport.")

[gemini-code-assist]

The asyncio and logging modules are imported but not used in this file. It's good practice to remove unused imports to keep the code clean.

Suggested change

	import asyncio
	import contextlib
	import logging
	import contextlib

[gemini-code-assist]

The json module is imported but not used. Please remove this unused import.

[gemini-code-assist]

environment_vars is imported but not used. Please remove this unused import.