feat(clients): allow non-dev API endpoint roots (talkiq#811)

Specifying an API endpoint root to a client used to imply that the
endpoint in use was for dev, which would disable TLS and token bearer
authorisation. This is not always a valid assumption, for example when
manually specifying a locational endpoint for Google PubSub to target a
specific region, as such endpoints are for production and should
therefore use TLS and authorisation.

Fix this by allowing manual configuration of the `api_is_dev` setting
when using a non-dev root, whilst maintaining the old behaviour by
default for backwards compatibility.

Co-Authored-By: Will Miller <will.miller@pexip.com>

Author: TheKevJames

auth/gcloud/aio/auth/token.py

@@ -94,7 +94,7 @@ def get_service_data(
     precedence order of various approaches MUST be maintained. It was last
     updated to match the following commit:
 
-    https://github.com/googleapis/google-auth-library-python/blob/6c1297c4d69ba40a8b9392775c17411253fcd73b/google/auth/_default.py#L504
+    https://github.com/googleapis/google-auth-library-python/blob/v2.48.0/google/auth/_default.py#L597
     """
     # pylint: disable=too-complex
     # _get_explicit_environ_credentials()

bigquery/gcloud/aio/bigquery/bigquery.py

@@ -25,9 +25,11 @@
 log = logging.getLogger(__name__)
 
 
-def init_api_root(api_root: str | None) -> tuple[bool, str]:
+def init_api_root(
+        api_root: str | None, api_is_dev: bool | None,
+) -> tuple[bool, str]:
     if api_root:
-        return True, api_root
+        return api_is_dev is None or api_is_dev, api_root
 
     host = os.environ.get('BIGQUERY_EMULATOR_HOST')
     if host:
@@ -66,8 +68,9 @@ def __init__(
             service_file: str | IO[AnyStr] | None = None,
             session: Session | None = None, token: Token | None = None,
             api_root: str | None = None,
+            api_is_dev: bool | None = None
     ) -> None:
-        self._api_is_dev, self._api_root = init_api_root(api_root)
+        self._api_is_dev, self._api_root = init_api_root(api_root, api_is_dev)
         self.session = AioSession(session)
         self.token = token or Token(
             service_file=service_file, scopes=SCOPES,

datastore/gcloud/aio/datastore/datastore.py

@@ -41,9 +41,11 @@
 LookUpResult = dict[str, str | list[EntityResult | Key]]
 
 
-def init_api_root(api_root: str | None) -> tuple[bool, str]:
+def init_api_root(
+        api_root: str | None, api_is_dev: bool | None,
+) -> tuple[bool, str]:
     if api_root:
-        return True, api_root
+        return api_is_dev is None or api_is_dev, api_root
 
     host = os.environ.get('DATASTORE_EMULATOR_HOST')
     if host:
@@ -68,10 +70,13 @@ class Datastore:
     def __init__(
             self, project: str | None = None,
             service_file: str | IO[AnyStr] | None = None,
-            namespace: str = '', session: Session | None = None,
-            token: Token | None = None, api_root: str | None = None,
+            namespace: str = '',
+            session: Session | None = None,
+            token: Token | None = None,
+            api_root: str | None = None,
+            api_is_dev: bool | None = None,
     ) -> None:
-        self._api_is_dev, self._api_root = init_api_root(api_root)
+        self._api_is_dev, self._api_root = init_api_root(api_root, api_is_dev)
         self.namespace = namespace
         self.session = AioSession(session)
         self.token = token or Token(

kms/gcloud/aio/kms/kms.py

@@ -23,9 +23,11 @@
 ]
 
 
-def init_api_root(api_root: str | None) -> tuple[bool, str]:
+def init_api_root(
+        api_root: str | None, api_is_dev: bool | None,
+) -> tuple[bool, str]:
     if api_root:
-        return True, api_root
+        return api_is_dev is None or api_is_dev, api_root
 
     host = os.environ.get('KMS_EMULATOR_HOST')
     if host:
@@ -39,12 +41,18 @@ class KMS:
     _api_is_dev: bool
 
     def __init__(
-            self, keyproject: str, keyring: str, keyname: str,
+            self,
+            keyproject: str,
+            keyring: str,
+            keyname: str,
             service_file: str | IO[AnyStr] | None = None,
-            location: str = 'global', session: Session | None = None,
-            token: Token | None = None, api_root: str | None = None,
+            location: str = 'global',
+            session: Session | None = None,
+            token: Token | None = None,
+            api_root: str | None = None,
+            api_is_dev: bool | None = None,
     ) -> None:
-        self._api_is_dev, self._api_root = init_api_root(api_root)
+        self._api_is_dev, self._api_root = init_api_root(api_root, api_is_dev)
         self._api_root = (
             f'{self._api_root}/projects/{keyproject}/locations/{location}/'
             f'keyRings/{keyring}/cryptoKeys/{keyname}'

pubsub/gcloud/aio/pubsub/publisher_client.py

@@ -25,9 +25,11 @@
 log = logging.getLogger(__name__)
 
 
-def init_api_root(api_root: str | None) -> tuple[bool, str]:
+def init_api_root(
+        api_root: str | None, api_is_dev: bool | None,
+) -> tuple[bool, str]:
     if api_root:
-        return True, api_root
+        return api_is_dev is None or api_is_dev, api_root
 
     host = os.environ.get('PUBSUB_EMULATOR_HOST')
     if host:
@@ -42,11 +44,14 @@ class PublisherClient:
 
     # TODO: add project override
     def __init__(
-            self, *, service_file: str | IO[AnyStr] | None = None,
-            session: Session | None = None, token: Token | None = None,
+            self, *,
+            service_file: str | IO[AnyStr] | None = None,
+            session: Session | None = None,
+            token: Token | None = None,
             api_root: str | None = None,
+            api_is_dev: bool | None = None,
     ) -> None:
-        self._api_is_dev, self._api_root = init_api_root(api_root)
+        self._api_is_dev, self._api_root = init_api_root(api_root, api_is_dev)
 
         self.session = AioSession(session, verify_ssl=not self._api_is_dev)
         self.token = token or Token(

pubsub/gcloud/aio/pubsub/subscriber_client.py

@@ -21,9 +21,11 @@
 ]
 
 
-def init_api_root(api_root: str | None) -> tuple[bool, str]:
+def init_api_root(
+        api_root: str | None, api_is_dev: bool | None,
+) -> tuple[bool, str]:
     if api_root:
-        return True, api_root
+        return api_is_dev is None or api_is_dev, api_root
 
     host = os.environ.get('PUBSUB_EMULATOR_HOST')
     if host:
@@ -37,11 +39,15 @@ class SubscriberClient:
     _api_is_dev: bool
 
     def __init__(
-            self, *, service_file: str | IO[AnyStr] | None = None,
-            token: Token | None = None, session: Session | None = None,
+            self,
+            *,
+            service_file: str | IO[AnyStr] | None = None,
+            token: Token | None = None,
+            session: Session | None = None,
             api_root: str | None = None,
+            api_is_dev: bool | None = None,
     ) -> None:
-        self._api_is_dev, self._api_root = init_api_root(api_root)
+        self._api_is_dev, self._api_root = init_api_root(api_root, api_is_dev)
 
         self.session = AioSession(session, verify_ssl=not self._api_is_dev)
         self.token = token or Token(

storage/gcloud/aio/storage/storage.py

@@ -42,9 +42,11 @@
 log = logging.getLogger(__name__)
 
 
-def init_api_root(api_root: str | None) -> tuple[bool, str]:
+def init_api_root(
+        api_root: str | None, api_is_dev: bool | None,
+) -> tuple[bool, str]:
     if api_root:
-        return True, api_root
+        return api_is_dev is None or api_is_dev, api_root
 
     host = os.environ.get('STORAGE_EMULATOR_HOST')
     if host:
@@ -152,11 +154,14 @@ class Storage:
     _api_root_write: str
 
     def __init__(
-            self, *, service_file: str | IO[AnyStr] | None = None,
-            token: Token | None = None, session: Session | None = None,
+            self, *,
+            service_file: str | IO[AnyStr] | None = None,
+            token: Token | None = None,
+            session: Session | None = None,
             api_root: str | None = None,
+            api_is_dev: bool | None = None,
     ) -> None:
-        self._api_is_dev, self._api_root = init_api_root(api_root)
+        self._api_is_dev, self._api_root = init_api_root(api_root, api_is_dev)
         self._api_root_read = f'{self._api_root}/storage/v1/b'
         self._api_root_write = f'{self._api_root}/upload/storage/v1/b'
 

taskqueue/gcloud/aio/taskqueue/queue.py

@@ -25,9 +25,11 @@
 log = logging.getLogger(__name__)
 
 
-def init_api_root(api_root: str | None) -> tuple[bool, str]:
+def init_api_root(
+        api_root: str | None, api_is_dev: bool | None,
+) -> tuple[bool, str]:
     if api_root:
-        return True, api_root
+        return api_is_dev is None or api_is_dev, api_root
 
     host = os.environ.get('CLOUDTASKS_EMULATOR_HOST')
     if host:
@@ -42,12 +44,17 @@ class PushQueue:
     _queue_path: str
 
     def __init__(
-            self, project: str, taskqueue: str, location: str = 'us-central1',
+            self,
+            project: str,
+            taskqueue: str,
+            location: str = 'us-central1',
             service_file: str | IO[AnyStr] | None = None,
-            session: Session | None = None, token: Token | None = None,
+            session: Session | None = None,
+            token: Token | None = None,
             api_root: str | None = None,
+            api_is_dev: bool | None = None
     ) -> None:
-        self._api_is_dev, self._api_root = init_api_root(api_root)
+        self._api_is_dev, self._api_root = init_api_root(api_root, api_is_dev)
         self._queue_path = (
             f'projects/{project}/locations/{location}/queues/{taskqueue}'
         )