
google-auth: Local developer mTLS environment leaks into unit tests, causing mock failures #17283

@nbayati

Description

Determine this is the right repository

  • I determined this is the correct repository in which to report this bug.

Summary of the issue

When running unit tests locally on developer machines that have context-aware access or enterprise mTLS configured (such as Google-managed corporate MacBooks), several tests fail unexpectedly.

This happens because the test suite's global configuration (tests/conftest.py) does not sanitize the environment. Global environment variables (like GOOGLE_API_CERTIFICATE_CONFIG or GOOGLE_API_USE_CLIENT_CERTIFICATE) and default configuration files (like ~/.config/gcloud/certificate_config.json) leak directly into the pytest session.

Any test that does not explicitly mock _mtls_helper.check_use_client_cert() or clear these environment variables will transition to using mTLS hostnames (e.g. expecting iamcredentials.googleapis.com but getting iamcredentials.mtls.googleapis.com). Since the mock networks in the tests are configured with standard endpoints, the requests fail to match the mock setups, causing transport exceptions and test failures.

Proposed fix

Introduce a function-scoped, autouse fixture in tests/conftest.py to establish a clean, hermetic environment for every unit test. Using pytest's standard monkeypatch fixture ensures all local environmental variables and mocks are automatically cleaned up and restored back to the developer's original workstation state after each test executes. This can be accomplished by something like:

# tests/conftest.py
import pytest


@pytest.fixture(autouse=True)
def clean_mtls_environment(monkeypatch):
    """Give every unit test a hermetic mTLS environment; monkeypatch undoes it all afterwards."""
    from google.auth.transport import _mtls_helper

    # Pop all mTLS-related environment variables (raising=False: absent is fine)
    for var in [
        "GOOGLE_API_USE_CLIENT_CERTIFICATE",
        "GOOGLE_API_CERTIFICATE_CONFIG",
        "CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE",
        "CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH",
    ]:
        monkeypatch.delenv(var, raising=False)

    # Mock check_use_client_cert to return False by default
    monkeypatch.setattr(_mtls_helper, "check_use_client_cert", lambda: False)

This way, tests specifically designed to verify mTLS behaviors can easily override the global mock by re-patching the method in their own bodies (which run after the global autouse setup):

def test_mtls_behavior(monkeypatch):
    from google.auth.transport import _mtls_helper

    # Re-patch after the autouse fixture so this test sees mTLS enabled
    monkeypatch.setattr(_mtls_helper, "check_use_client_cert", lambda: True)
    assert _mtls_helper.check_use_client_cert() is True
    # Test runs with mTLS enabled cleanly
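To make the leak and the fix concrete without pytest or google-auth installed, here is an added stand-alone example (not the library's or the issue author's code): a simplified stand-in for the mTLS decision and hostname selection, run against a constructed dict that plays the role of os.environ on a workstation where enterprise mTLS is switched on. The `hermetic_mtls_env` helper is a hypothetical plain-Python equivalent of what the proposed monkeypatch fixture does: pop the variables for the duration of a test and restore the exact original values afterwards.

```python
import os
from contextlib import contextmanager

# Variables the proposed fixture clears; hermetic_mtls_env pops and restores them.
MTLS_ENV_VARS = (
    "GOOGLE_API_USE_CLIENT_CERTIFICATE",
    "GOOGLE_API_CERTIFICATE_CONFIG",
    "CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE",
    "CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH",
)


def check_use_client_cert(environ=None):
    """Constructed stand-in (not google-auth's logic): mTLS is on when the opt-in var is 'true'."""
    env = os.environ if environ is None else environ
    return env.get("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false").lower() == "true"


def resolve_endpoint(host, environ=None):
    """Hostname a client would contact; an mTLS decision flips it to the .mtls. variant."""
    if check_use_client_cert(environ):
        name, _, rest = host.partition(".")
        return f"{name}.mtls.{rest}"
    return host


@contextmanager
def hermetic_mtls_env(environ=None):
    """Pop every mTLS variable for the block, then restore the caller's exact values."""
    env = os.environ if environ is None else environ
    saved = {var: env.pop(var) for var in MTLS_ENV_VARS if var in env}
    try:
        yield env
    finally:
        env.update(saved)  # restore the developer's workstation state


def demo():
    """Constructed workstation env: corporate mTLS enabled, unrelated vars present."""
    workstation = {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "true", "HOME": "/Users/dev"}
    # Without sanitising, the test would expect the standard host but get the mTLS one.
    leaked = resolve_endpoint("iamcredentials.googleapis.com", workstation)
    with hermetic_mtls_env(workstation):
        clean = resolve_endpoint("iamcredentials.googleapis.com", workstation)
    # After the block the original variables are back, untouched.
    return leaked, clean, dict(workstation)
```

Running `demo()` returns the leaked hostname `iamcredentials.mtls.googleapis.com`, the hermetic hostname `iamcredentials.googleapis.com`, and the restored environment dict.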

Labels: type: bug