Merge branch 'add_cryptography_dependency' into remove_rsa_3

Author: daniel-sanche

.github/workflows/unittest.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        python: ['3.8']
+        python: ['3.8', '3.9', '3.10', '3.11', '3.12', '3.13', '3.14']
     steps:
     - name: Checkout
       uses: actions/checkout@v4

google/auth/__init__.py

@@ -42,12 +42,12 @@ class Python37DeprecationWarning(DeprecationWarning):  # pragma: NO COVER
 
 
 # Raise warnings for deprecated versions
-eol_message = """
-    You are using a Python version {} past its end of life. Google will update
-    google-auth with critical bug fixes on a best-effort basis, but not
-    with any other fixes or features. Please upgrade your Python version,
-    and then update google-auth.
-    """
+eol_message = (
+    "You are using a Python version {} past its end of life. Google will update "
+    "google-auth with critical bug fixes on a best-effort basis, but not "
+    "with any other fixes or features. Please upgrade your Python version, "
+    "and then update google-auth."
+)
 if sys.version_info.major == 3 and sys.version_info.minor == 8:  # pragma: NO COVER
     warnings.warn(eol_message.format("3.8"), FutureWarning)
 elif sys.version_info.major == 3 and sys.version_info.minor == 9:  # pragma: NO COVER

google/auth/aws.py

@@ -530,9 +530,10 @@ def _get_metadata_security_credentials(
             google.auth.exceptions.RefreshError: If an error occurs while
                 retrieving the AWS security credentials.
         """
-        headers = {"Content-Type": "application/json"}
         if imdsv2_session_token is not None:
-            headers["X-aws-ec2-metadata-token"] = imdsv2_session_token
+            headers = {"X-aws-ec2-metadata-token": imdsv2_session_token}
+        else:
+            headers = None
 
         response = request(
             url="{}/{}".format(self._security_credentials_url, role_name),

google/auth/crypt/__init__.py

@@ -38,35 +38,14 @@
 """
 
 from google.auth.crypt import base
+from google.auth.crypt import es
+from google.auth.crypt import es256
 from google.auth.crypt import rsa
 
-# google.auth.crypt.es depends on the crytpography module which may not be
-# successfully imported depending on the system.
-try:
-    from google.auth.crypt import es
-    from google.auth.crypt import es256
-except ImportError:  # pragma: NO COVER
-    es = None  # type: ignore
-    es256 = None  # type: ignore
-
-if es is not None and es256 is not None:  # pragma: NO COVER
-    __all__ = [
-        "EsSigner",
-        "EsVerifier",
-        "ES256Signer",
-        "ES256Verifier",
-        "RSASigner",
-        "RSAVerifier",
-        "Signer",
-        "Verifier",
-    ]
-
-    EsSigner = es.EsSigner
-    EsVerifier = es.EsVerifier
-    ES256Signer = es256.ES256Signer
-    ES256Verifier = es256.ES256Verifier
-else:  # pragma: NO COVER
-    __all__ = ["RSASigner", "RSAVerifier", "Signer", "Verifier"]
+EsSigner = es.EsSigner
+EsVerifier = es.EsVerifier
+ES256Signer = es256.ES256Signer
+ES256Verifier = es256.ES256Verifier
 
 
 # Aliases to maintain the v1.0.0 interface, as the crypt module was split
@@ -103,3 +82,15 @@ class to use for verification. This can be used to select different
         if verifier.verify(message, signature):
             return True
     return False
+
+
+__all__ = [
+    "EsSigner",
+    "EsVerifier",
+    "ES256Signer",
+    "ES256Verifier",
+    "RSASigner",
+    "RSAVerifier",
+    "Signer",
+    "Verifier",
+]

google/auth/crypt/es.py

@@ -102,15 +102,15 @@ def verify(self, message: bytes, signature: bytes) -> bool:
 
     @classmethod
     def from_string(cls, public_key: Union[str, bytes]) -> "EsVerifier":
-        """Construct an Verifier instance from a public key or public
+        """Construct a Verifier instance from a public key or public
         certificate string.
 
         Args:
             public_key (Union[str, bytes]): The public key in PEM format or the
                 x509 public key certificate.
 
         Returns:
-            Verifier: The constructed verifier.
+            google.auth.crypt.Verifier: The constructed verifier.
 
         Raises:
             ValueError: If the public key can't be parsed.

google/auth/crypt/rsa.py

@@ -32,14 +32,8 @@
 class RSAVerifier(base.Verifier):
     """Verifies RSA cryptographic signatures using public keys.
 
-    Requires installation of `cryptography` optional dependency.
-
-    .. deprecated::
-        The `rsa` library has been archived. Please migrate to
-        `cryptography` for public keys.
-
     Args:
-        public_key (Union[rsa.key.PublicKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey]):
+        public_key (Union["rsa.key.PublicKey", cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey]):
             The public key used to verify signatures.
     Raises:
         ImportError: if called with an rsa.key.PublicKey, when the rsa library is not installed
@@ -84,14 +78,8 @@ def from_string(cls, public_key):
 class RSASigner(base.Signer, base.FromServiceAccountMixin):
     """Signs messages with an RSA private key.
 
-    Requires installation of `cryptography` optional dependency.
-
-    .. deprecated::
-        The `rsa` library has been archived. Please migrate to
-        `cryptography` for public keys.
-
     Args:
-        private_key (Union[rsa.key.PrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey]):
+        private_key (Union["rsa.key.PrivateKey", cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey]):
             The private key to sign with.
         key_id (str): Optional key ID used to identify this private key. This
             can be useful to associate the private key with its associated

google/oauth2/__init__.py

@@ -28,12 +28,12 @@ class Python37DeprecationWarning(DeprecationWarning):  # pragma: NO COVER
 
 
 # Raise warnings for deprecated versions
-eol_message = """
-    You are using a Python version {} past its end of life. Google will update
-    google-auth with critical bug fixes on a best-effort basis, but not
-    with any other fixes or features. Please upgrade your Python version,
-    and then update google-auth.
-    """
+eol_message = (
+    "You are using a Python version {} past its end of life. Google will update "
+    "google-auth with critical bug fixes on a best-effort basis, but not "
+    "with any other fixes or features. Please upgrade your Python version, "
+    "and then update google-auth."
+)
 if sys.version_info.major == 3 and sys.version_info.minor == 8:  # pragma: NO COVER
     warnings.warn(eol_message.format("3.8"), FutureWarning)
 elif sys.version_info.major == 3 and sys.version_info.minor == 9:  # pragma: NO COVER

noxfile.py

@@ -51,14 +51,7 @@
     "lint",
     "blacken",
     "mypy",
-    "unit-3.9",
-    "unit-3.10",
-    "unit-3.11",
-    "unit-3.12",
-    "unit-3.13",
-    "unit-3.14",
     # cover must be last to avoid error `No data to report`
-    "cover",
     "docs",
 ]
 

samples/cloud-client/snippets/requirements.txt

@@ -1,5 +1,5 @@
-google-cloud-compute==1.41.0
-google-cloud-storage==3.7.0
+google-cloud-compute==1.42.0
+google-cloud-storage==3.8.0
 google-auth==2.47.0
 pytest===8.4.2; python_version == '3.9'
 pytest==9.0.2; python_version > '3.9'

setup.py

@@ -18,17 +18,15 @@
 from setuptools import find_namespace_packages
 from setuptools import setup
 
+cryptography_base_require = [
+    "cryptography >= 38.0.3",
+]
 
 DEPENDENCIES = (
     "pyasn1-modules>=0.2.1",
-    "cryptography >= 38.0.3",
+    cryptography_base_require,
 )
 
-# Note: cryptography was made into a required dependency. Extra is kept for backwards compatibility
-cryptography_extra_require = [
-    "cryptography >= 38.0.3",
-]
-
 requests_extra_require = ["requests >= 2.20.0, < 3.0.0"]
 
 aiohttp_extra_require = ["aiohttp >= 3.6.2, < 4.0.0", *requests_extra_require]
@@ -37,8 +35,8 @@
 
 reauth_extra_require = ["pyu2f>=0.1.5"]
 
-# TODO(https://github.com/googleapis/google-auth-library-python/issues/1738): Add bounds for cryptography and pyopenssl dependencies.
-enterprise_cert_extra_require = ["cryptography", "pyopenssl"]
+# TODO(https://github.com/googleapis/google-auth-library-python/issues/1738): Add bounds for pyopenssl dependency.
+enterprise_cert_extra_require = ["pyopenssl"]
 
 pyopenssl_extra_require = ["pyopenssl>=20.0.0"]
 
@@ -78,7 +76,8 @@
 ]
 
 extras = {
-    "cryptography": cryptography_extra_require,
+    # Note: cryptography was made into a required dependency. Extra is kept for backwards compatibility
+    "cryptography": cryptography_base_require,
     "aiohttp": aiohttp_extra_require,
     "enterprise_cert": enterprise_cert_extra_require,
     "pyopenssl": pyopenssl_extra_require,