fix: enable self signed jwt for grpc (#958)

Author: arithmetic1728

gapic/templates/%namespace/%name_%version/%sub/services/%service/client.py.j2

@@ -304,6 +304,12 @@ class {{ service.client_name }}(metaclass={{ service.client_name }}Meta):
                 client_cert_source_for_mtls=client_cert_source_func,
                 quota_project_id=client_options.quota_project_id,
                 client_info=client_info,
+                {% if "grpc" in opts.transport %}
+                always_use_jwt_access=(
+                    Transport == type(self).get_transport_class("grpc")
+                    or Transport == type(self).get_transport_class("grpc_asyncio")
+                ),
+                {% endif %}
             )
 
 

gapic/templates/tests/unit/gapic/%name_%version/%sub/test_%service.py.j2

@@ -113,19 +113,6 @@ def test_{{ service.client_name|snake_case }}_from_service_account_info(client_c
         {% endif %}
 
 
-@pytest.mark.parametrize("client_class", [
-    {{ service.client_name }},
-    {% if 'grpc' in opts.transport %}
-    {{ service.async_client_name }},
-    {% endif %}
-])
-def test_{{ service.client_name|snake_case }}_service_account_always_use_jwt(client_class):
-    with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
-        creds = service_account.Credentials(None, None, None)
-        client = client_class(credentials=creds)
-        use_jwt.assert_not_called()
-
-
 @pytest.mark.parametrize("transport_class,transport_name", [
     {% if 'grpc' in opts.transport %}
     (transports.{{ service.grpc_transport_name }}, "grpc"),
@@ -134,12 +121,17 @@ def test_{{ service.client_name|snake_case }}_service_account_always_use_jwt(cli
     (transports.{{ service.rest_transport_name }}, "rest"),
     {% endif %}
 ])
-def test_{{ service.client_name|snake_case }}_service_account_always_use_jwt_true(transport_class, transport_name):
+def test_{{ service.client_name|snake_case }}_service_account_always_use_jwt(transport_class, transport_name):
     with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
         creds = service_account.Credentials(None, None, None)
         transport = transport_class(credentials=creds, always_use_jwt_access=True)
         use_jwt.assert_called_once_with(True)
 
+    with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
+        creds = service_account.Credentials(None, None, None)
+        transport = transport_class(credentials=creds, always_use_jwt_access=False)
+        use_jwt.assert_not_called()
+
 
 @pytest.mark.parametrize("client_class", [
     {{ service.client_name }},
@@ -216,6 +208,9 @@ def test_{{ service.client_name|snake_case }}_client_options(client_class, trans
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            {% if 'grpc' in opts.transport %}
+            always_use_jwt_access=True,
+            {% endif %}
         )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is
@@ -232,6 +227,9 @@ def test_{{ service.client_name|snake_case }}_client_options(client_class, trans
                 client_cert_source_for_mtls=None,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                {% if 'grpc' in opts.transport %}
+                always_use_jwt_access=True,
+                {% endif %}
             )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is
@@ -248,6 +246,9 @@ def test_{{ service.client_name|snake_case }}_client_options(client_class, trans
                 client_cert_source_for_mtls=None,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                {% if 'grpc' in opts.transport %}
+                always_use_jwt_access=True,
+                {% endif %}
             )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT has
@@ -274,6 +275,9 @@ def test_{{ service.client_name|snake_case }}_client_options(client_class, trans
             client_cert_source_for_mtls=None,
             quota_project_id="octopus",
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            {% if 'grpc' in opts.transport %}
+            always_use_jwt_access=True,
+            {% endif %}
         )
 
 @pytest.mark.parametrize("client_class,transport_class,transport_name,use_client_cert_env", [
@@ -319,6 +323,9 @@ def test_{{ service.client_name|snake_case }}_mtls_env_auto(client_class, transp
                 client_cert_source_for_mtls=expected_client_cert_source,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                {% if 'grpc' in opts.transport %}
+                always_use_jwt_access=True,
+                {% endif %}
             )
 
     # Check the case ADC client cert is provided. Whether client cert is used depends on
@@ -344,6 +351,9 @@ def test_{{ service.client_name|snake_case }}_mtls_env_auto(client_class, transp
                         client_cert_source_for_mtls=expected_client_cert_source,
                         quota_project_id=None,
                         client_info=transports.base.DEFAULT_CLIENT_INFO,
+                        {% if 'grpc' in opts.transport %}
+                        always_use_jwt_access=True,
+                        {% endif %}
                     )
 
     # Check the case client_cert_source and ADC client cert are not provided.
@@ -360,6 +370,9 @@ def test_{{ service.client_name|snake_case }}_mtls_env_auto(client_class, transp
                     client_cert_source_for_mtls=None,
                     quota_project_id=None,
                     client_info=transports.base.DEFAULT_CLIENT_INFO,
+                    {% if 'grpc' in opts.transport %}
+                    always_use_jwt_access=True,
+                    {% endif %}
                 )
 
 
@@ -387,6 +400,9 @@ def test_{{ service.client_name|snake_case }}_client_options_scopes(client_class
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            {% if 'grpc' in opts.transport %}
+            always_use_jwt_access=True,
+            {% endif %}
         )
 
 @pytest.mark.parametrize("client_class,transport_class,transport_name", [
@@ -413,6 +429,9 @@ def test_{{ service.client_name|snake_case }}_client_options_credentials_file(cl
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            {% if 'grpc' in opts.transport %}
+            always_use_jwt_access=True,
+            {% endif %}
         )
 {% if 'grpc' in opts.transport %}
 
@@ -431,6 +450,7 @@ def test_{{ service.client_name|snake_case }}_client_options_from_dict():
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 {% endif %}
 

tests/integration/goldens/asset/google/cloud/asset_v1/services/asset_service/client.py

@@ -344,6 +344,10 @@ def __init__(self, *,
                 client_cert_source_for_mtls=client_cert_source_func,
                 quota_project_id=client_options.quota_project_id,
                 client_info=client_info,
+                always_use_jwt_access=(
+                    Transport == type(self).get_transport_class("grpc")
+                    or Transport == type(self).get_transport_class("grpc_asyncio")
+                ),
             )
 
     def export_assets(self,

tests/integration/goldens/asset/tests/unit/gapic/asset_v1/test_asset_service.py

@@ -105,27 +105,21 @@ def test_asset_service_client_from_service_account_info(client_class):
         assert client.transport._host == 'cloudasset.googleapis.com:443'
 
 
-@pytest.mark.parametrize("client_class", [
-    AssetServiceClient,
-    AssetServiceAsyncClient,
-])
-def test_asset_service_client_service_account_always_use_jwt(client_class):
-    with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
-        creds = service_account.Credentials(None, None, None)
-        client = client_class(credentials=creds)
-        use_jwt.assert_not_called()
-
-
 @pytest.mark.parametrize("transport_class,transport_name", [
     (transports.AssetServiceGrpcTransport, "grpc"),
     (transports.AssetServiceGrpcAsyncIOTransport, "grpc_asyncio"),
 ])
-def test_asset_service_client_service_account_always_use_jwt_true(transport_class, transport_name):
+def test_asset_service_client_service_account_always_use_jwt(transport_class, transport_name):
     with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
         creds = service_account.Credentials(None, None, None)
         transport = transport_class(credentials=creds, always_use_jwt_access=True)
         use_jwt.assert_called_once_with(True)
 
+    with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
+        creds = service_account.Credentials(None, None, None)
+        transport = transport_class(credentials=creds, always_use_jwt_access=False)
+        use_jwt.assert_not_called()
+
 
 @pytest.mark.parametrize("client_class", [
     AssetServiceClient,
@@ -190,6 +184,7 @@ def test_asset_service_client_client_options(client_class, transport_class, tran
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is
@@ -206,6 +201,7 @@ def test_asset_service_client_client_options(client_class, transport_class, tran
                 client_cert_source_for_mtls=None,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                always_use_jwt_access=True,
             )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is
@@ -222,6 +218,7 @@ def test_asset_service_client_client_options(client_class, transport_class, tran
                 client_cert_source_for_mtls=None,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                always_use_jwt_access=True,
             )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT has
@@ -248,6 +245,7 @@ def test_asset_service_client_client_options(client_class, transport_class, tran
             client_cert_source_for_mtls=None,
             quota_project_id="octopus",
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
 @pytest.mark.parametrize("client_class,transport_class,transport_name,use_client_cert_env", [
@@ -286,6 +284,7 @@ def test_asset_service_client_mtls_env_auto(client_class, transport_class, trans
                 client_cert_source_for_mtls=expected_client_cert_source,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                always_use_jwt_access=True,
             )
 
     # Check the case ADC client cert is provided. Whether client cert is used depends on
@@ -311,6 +310,7 @@ def test_asset_service_client_mtls_env_auto(client_class, transport_class, trans
                         client_cert_source_for_mtls=expected_client_cert_source,
                         quota_project_id=None,
                         client_info=transports.base.DEFAULT_CLIENT_INFO,
+                        always_use_jwt_access=True,
                     )
 
     # Check the case client_cert_source and ADC client cert are not provided.
@@ -327,6 +327,7 @@ def test_asset_service_client_mtls_env_auto(client_class, transport_class, trans
                     client_cert_source_for_mtls=None,
                     quota_project_id=None,
                     client_info=transports.base.DEFAULT_CLIENT_INFO,
+                    always_use_jwt_access=True,
                 )
 
 
@@ -350,6 +351,7 @@ def test_asset_service_client_client_options_scopes(client_class, transport_clas
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
 @pytest.mark.parametrize("client_class,transport_class,transport_name", [
@@ -372,6 +374,7 @@ def test_asset_service_client_client_options_credentials_file(client_class, tran
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
 
@@ -389,6 +392,7 @@ def test_asset_service_client_client_options_from_dict():
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
 

tests/integration/goldens/credentials/google/iam/credentials_v1/services/iam_credentials/client.py

@@ -340,6 +340,10 @@ def __init__(self, *,
                 client_cert_source_for_mtls=client_cert_source_func,
                 quota_project_id=client_options.quota_project_id,
                 client_info=client_info,
+                always_use_jwt_access=(
+                    Transport == type(self).get_transport_class("grpc")
+                    or Transport == type(self).get_transport_class("grpc_asyncio")
+                ),
             )
 
     def generate_access_token(self,

tests/integration/goldens/credentials/tests/unit/gapic/credentials_v1/test_iam_credentials.py

@@ -97,27 +97,21 @@ def test_iam_credentials_client_from_service_account_info(client_class):
         assert client.transport._host == 'iamcredentials.googleapis.com:443'
 
 
-@pytest.mark.parametrize("client_class", [
-    IAMCredentialsClient,
-    IAMCredentialsAsyncClient,
-])
-def test_iam_credentials_client_service_account_always_use_jwt(client_class):
-    with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
-        creds = service_account.Credentials(None, None, None)
-        client = client_class(credentials=creds)
-        use_jwt.assert_not_called()
-
-
 @pytest.mark.parametrize("transport_class,transport_name", [
     (transports.IAMCredentialsGrpcTransport, "grpc"),
     (transports.IAMCredentialsGrpcAsyncIOTransport, "grpc_asyncio"),
 ])
-def test_iam_credentials_client_service_account_always_use_jwt_true(transport_class, transport_name):
+def test_iam_credentials_client_service_account_always_use_jwt(transport_class, transport_name):
     with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
         creds = service_account.Credentials(None, None, None)
         transport = transport_class(credentials=creds, always_use_jwt_access=True)
         use_jwt.assert_called_once_with(True)
 
+    with mock.patch.object(service_account.Credentials, 'with_always_use_jwt_access', create=True) as use_jwt:
+        creds = service_account.Credentials(None, None, None)
+        transport = transport_class(credentials=creds, always_use_jwt_access=False)
+        use_jwt.assert_not_called()
+
 
 @pytest.mark.parametrize("client_class", [
     IAMCredentialsClient,
@@ -182,6 +176,7 @@ def test_iam_credentials_client_client_options(client_class, transport_class, tr
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is
@@ -198,6 +193,7 @@ def test_iam_credentials_client_client_options(client_class, transport_class, tr
                 client_cert_source_for_mtls=None,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                always_use_jwt_access=True,
             )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is
@@ -214,6 +210,7 @@ def test_iam_credentials_client_client_options(client_class, transport_class, tr
                 client_cert_source_for_mtls=None,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                always_use_jwt_access=True,
             )
 
     # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT has
@@ -240,6 +237,7 @@ def test_iam_credentials_client_client_options(client_class, transport_class, tr
             client_cert_source_for_mtls=None,
             quota_project_id="octopus",
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
 @pytest.mark.parametrize("client_class,transport_class,transport_name,use_client_cert_env", [
@@ -278,6 +276,7 @@ def test_iam_credentials_client_mtls_env_auto(client_class, transport_class, tra
                 client_cert_source_for_mtls=expected_client_cert_source,
                 quota_project_id=None,
                 client_info=transports.base.DEFAULT_CLIENT_INFO,
+                always_use_jwt_access=True,
             )
 
     # Check the case ADC client cert is provided. Whether client cert is used depends on
@@ -303,6 +302,7 @@ def test_iam_credentials_client_mtls_env_auto(client_class, transport_class, tra
                         client_cert_source_for_mtls=expected_client_cert_source,
                         quota_project_id=None,
                         client_info=transports.base.DEFAULT_CLIENT_INFO,
+                        always_use_jwt_access=True,
                     )
 
     # Check the case client_cert_source and ADC client cert are not provided.
@@ -319,6 +319,7 @@ def test_iam_credentials_client_mtls_env_auto(client_class, transport_class, tra
                     client_cert_source_for_mtls=None,
                     quota_project_id=None,
                     client_info=transports.base.DEFAULT_CLIENT_INFO,
+                    always_use_jwt_access=True,
                 )
 
 
@@ -342,6 +343,7 @@ def test_iam_credentials_client_client_options_scopes(client_class, transport_cl
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
 @pytest.mark.parametrize("client_class,transport_class,transport_name", [
@@ -364,6 +366,7 @@ def test_iam_credentials_client_client_options_credentials_file(client_class, tr
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )
 
 
@@ -381,6 +384,7 @@ def test_iam_credentials_client_client_options_from_dict():
             client_cert_source_for_mtls=None,
             quota_project_id=None,
             client_info=transports.base.DEFAULT_CLIENT_INFO,
+            always_use_jwt_access=True,
         )