From a7d468749c947570df4c8f2c7e7854633abe48da Mon Sep 17 00:00:00 2001
From: Negar Bayati
Date: Fri, 15 May 2026 16:57:42 +0000
Subject: [PATCH 1/2] fix(auth): allowlist agents-nonprod trust domains for agent identity

Allow `agents-nonprod` SPIFFE trust domains (`agents-nonprod.global.org-.system.id.goog` and `agents-nonprod.global.proj-.system.id.goog`) in addition to the production `agents` ones. This enables support for Agent Identity testing and validation in non-production environments (e.g., GKE autopush, staging), resolving pool format validation failures for non-prod agent pools.

Bug: b/513574981
---
 .../google/auth/_agent_identity_utils.py | 6 ++---
 .../tests/test_agent_identity_utils.py | 23 +++++++++++--------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/packages/google-auth/google/auth/_agent_identity_utils.py b/packages/google-auth/google/auth/_agent_identity_utils.py
index 299c56ccbfde..8a1eddbe1cd3 100644
--- a/packages/google-auth/google/auth/_agent_identity_utils.py
+++ b/packages/google-auth/google/auth/_agent_identity_utils.py
@@ -22,9 +22,7 @@ import time
 from urllib.parse import quote, urlparse
-from google.auth import environment_vars
-from google.auth import exceptions
-
+from google.auth import environment_vars, exceptions
 _LOGGER = logging.getLogger(__name__)
@@ -37,6 +35,8 @@ _AGENT_IDENTITY_SPIFFE_TRUST_DOMAIN_PATTERNS = [
 r"^agents\.global\.org-\d+\.system\.id\.goog$",
 r"^agents\.global\.proj-\d+\.system\.id\.goog$",
+ r"^agents-nonprod\.global\.org-\d+\.system\.id\.goog$",
+ r"^agents-nonprod\.global\.proj-\d+\.system\.id\.goog$",
 ]
 _WELL_KNOWN_CERT_PATH = "/var/run/secrets/workload-spiffe-credentials/certificates.pem"
diff --git a/packages/google-auth/tests/test_agent_identity_utils.py b/packages/google-auth/tests/test_agent_identity_utils.py
index b2e690c7465a..85c82e71e85d 100644
--- a/packages/google-auth/tests/test_agent_identity_utils.py
+++ b/packages/google-auth/tests/test_agent_identity_utils.py
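Review bot: The two `agents-nonprod` entries are added to `_AGENT_IDENTITY_SPIFFE_TRUST_DOMAIN_PATTERNS` with no comment explaining why a library that also runs in production now classifies certificates from a non-production trust domain as agent identity, so a later reader cannot tell whether the entries are deliberate or leftover. A comment above the new entries such as `# agents-nonprod.* trust domains are accepted so Agent Identity can be exercised in non-production (staging/autopush) environments; every entry must stay fully anchored.` records the intent given in the commit message. The four patterns differ only in the optional `-nonprod` suffix and the `org`/`proj` segment, so a single entry `r"^agents(?:-nonprod)?\.global\.(?:org|proj)-\d+\.system\.id\.goog$"` would keep the allowlist in one place, although the separate entries are also readable. The code that applies these patterns is outside this hunk; if it uses `re.match`, note that `$` also matches before a trailing newline, and `re.fullmatch` (or a `\Z` anchor) is the stricter choice for an identity allowlist.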
@@ -15,15 +15,13 @@ import base64
 import hashlib
 import json
-from unittest import mock
 import urllib.parse
+from unittest import mock
-from cryptography import x509
 import pytest
+from cryptography import x509
-from google.auth import _agent_identity_utils
-from google.auth import environment_vars
-from google.auth import exceptions
+from google.auth import _agent_identity_utils, environment_vars, exceptions
 # A mock PEM-encoded certificate without an Agent Identity SPIFFE ID.
 NON_AGENT_IDENTITY_CERT_BYTES = (
@@ -60,15 +58,22 @@ def test__is_agent_identity_certificate_invalid(self):
 cert = _agent_identity_utils.parse_certificate(NON_AGENT_IDENTITY_CERT_BYTES)
 assert not _agent_identity_utils._is_agent_identity_certificate(cert)
- def test__is_agent_identity_certificate_valid_spiffe(self):
+ @pytest.mark.parametrize(
+ "spiffe_id",
+ [
+ "spiffe://agents.global.proj-12345.system.id.goog/workload",
+ "spiffe://agents.global.org-12345.system.id.goog/workload",
+ "spiffe://agents-nonprod.global.proj-12345.system.id.goog/workload",
+ "spiffe://agents-nonprod.global.org-12345.system.id.goog/workload",
+ ],
+ )
+ def test__is_agent_identity_certificate_valid_spiffe(self, spiffe_id):
 mock_cert = mock.MagicMock()
 mock_ext = mock.MagicMock()
 mock_san_value = mock.MagicMock()
 mock_cert.extensions.get_extension_for_oid.return_value = mock_ext
 mock_ext.value = mock_san_value
- mock_san_value.get_values_for_type.return_value = [
- "spiffe://agents.global.proj-12345.system.id.goog/workload"
- ]
+ mock_san_value.get_values_for_type.return_value = [spiffe_id]
 assert _agent_identity_utils._is_agent_identity_certificate(mock_cert)
 def test__is_agent_identity_certificate_non_matching_spiffe(self):
From 54626d8f2170595c79396265b836bd56abda9904 Mon Sep 17 00:00:00 2001
From: Negar Bayati
Date: Fri, 15 May 2026 17:16:32 +0000
Subject: [PATCH 2/2] fix lint issue
---
 packages/google-auth/tests/test_agent_identity_utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
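Review bot: The parametrized cases in `test__is_agent_identity_certificate_valid_spiffe` cover only accepted `agents-nonprod` IDs, so a later loosening of the new patterns (dropping the `$` anchor or the `\d+` constraint, for example) would not be caught by any test for the nonprod entries. `test__is_agent_identity_certificate_non_matching_spiffe`, whose body is outside this hunk, is the natural place to parametrize a few rejected near-misses alongside the existing one, using constructed values such as `"spiffe://agents-nonprod.global.proj-abc.system.id.goog/workload"` and `"spiffe://agents-nonprod.global.proj-12345.system.id.goog.example.test/workload"`. Pairing each accepted trust domain with a rejected neighbour keeps the allowlist's boundaries pinned on both sides.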
diff --git a/packages/google-auth/tests/test_agent_identity_utils.py b/packages/google-auth/tests/test_agent_identity_utils.py
index 85c82e71e85d..f74bdad9e475 100644
--- a/packages/google-auth/tests/test_agent_identity_utils.py
+++ b/packages/google-auth/tests/test_agent_identity_utils.py
@@ -15,11 +15,11 @@ import base64
 import hashlib
 import json
-import urllib.parse
 from unittest import mock
+import urllib.parse
-import pytest
 from cryptography import x509
+import pytest
 from google.auth import _agent_identity_utils, environment_vars, exceptions