feat(auth): Ensure new auth SDK versions are backwards compatible with previous SDKs to enable copying to G3

[macastelaz]

Incorporate universal bug fixes, robustness guardrails, and circular import decoupling

• Restore fail-fast validation in _mtls_helper.py
• Add robustness guardrails to impersonated_credentials.py for universe_domain
• Safeguard RSA Signer & key_id in rsa.py
• Break circular import in credentials.py
• Update unit tests in test__mtls_helper.py to match new behavior and run robustly in Google environments.

TAG=agy
CONV=39c1761f-e06b-4e3a-80b6-b4fbc70df0b6

[gemini-code-assist]

Code Review

This pull request introduces dynamic imports for regional access boundary lookups, adds robust environment variable validation for client certificates, and improves fallback handling for universe domains and key IDs. The review feedback highlights opportunities to make the code more robust and efficient, such as performing safe None checks before accessing object properties in rsa.py, avoiding falsy value issues when retrieving key_id, and eliminating redundant attribute lookups in impersonated_credentials.py.

[daniel-sanche]

I don't think we should be reverting this kind of behaviour. It was an explicit decision to return False instead of raise an exception here

[macastelaz]

Do you by chance have any additional context you could share on the original decision to return False here? From my view point, it feels like a security risk to not fail fast here. E.g. if a user sets this to ture trying to set the desire to use a client cert for an mtls connection and we silently "downgrade" this to false because of the typo, I'm not sure it's a great result. By raising here, we fail fast and close that "hole".

FWIW, there are internal tests for gapic generated clients that are asserting an error is raised so if we do stick with returning false, we'll likely need to update a lot of older APIs, etc.

FWIW, we currently have a discrepancy in

google-cloud-python/packages/google-api-core/google/api_core/operations_v1/abstract_operations_base_client.py

Line 310 in 384724c

if use_client_cert_str not in ("true", "false"):

which raises the error as well as in the gapic generator (

google-cloud-python/packages/gapic-generator/gapic/templates/%namespace/%name_%version/%sub/services/%service/client.py.j2

Line 210 in 384724c

if use_client_cert_str not in ("true", "false"):

)

[daniel-sanche]

With this change, someone would get an ImportError if they called RSASigner(None) without the rsa library installed. That doesn't seem right

Can we make the class use the default _cryptography_rsa implementation if None is passed? Or otherwise refactor the class to support None?

[macastelaz]

Good call - fixed this to use the default implementation in the case of None

[daniel-sanche]

Is this to support subclasses? (If so, maybe add a comment?)

[macastelaz]

Added a comment

[daniel-sanche]

This seems like it could be a pretty big behaviour change. Are you sure this is safe?

[macastelaz]

It should be safe (I know, famous last words): the base credential class already sets this same default (

google-cloud-python/packages/google-auth/google/auth/credentials.py

Line 78 in 384724c

self._universe_domain = DEFAULT_UNIVERSE_DOMAIN

) and if the universe domain is set to something else, it would still be respected here. There are cases where you have an older custom credential class or what we encountered in mock credentials used in tests where the universe domain isn't set and the class doesn't extend the base, but I think even in these cases, using DEFAULT_UNIVERSE_DOMAIN is expected across Google client libraries.

Thoughts?