fix(transport): propagate mTLS adapter to auth session and fix connection leaks#17689
Open
nbayati wants to merge 1 commit into
Open
fix(transport): propagate mTLS adapter to auth session and fix connection leaks#17689nbayati wants to merge 1 commit into
nbayati wants to merge 1 commit into
Conversation
…tion leaks When `configure_mtls_channel` is called, the newly created mTLS HTTPAdapter is mounted to the `"https://"` prefix. Previously, the existing adapter was replaced but never explicitly closed, which orphaned the underlying urllib3 connection pools and could cause file descriptor exhaustion. This commit addresses the connection leak by retrieving the old adapter and safely calling `.close()` on it before replacing it. Additionally, the mTLS adapter is now correctly propagated to the internal `_auth_request_session`. This ensures that out-of-band IAM signing requests and token refreshes securely traverse the mTLS channel when authenticating against strict Certificate-Based Access (CBA) endpoints. Finally, a documentation warning was added to clarify that dynamically reconfiguring the channel mutates the underlying session and is not natively thread-safe.
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates the configure_mtls_channel method in requests.py to properly close old adapters when mounting a new mTLS adapter, and extends this configuration to _auth_request_session if it exists. It also adds comprehensive unit tests and a thread-safety warning in the docstring. The review feedback correctly points out a potential AttributeError when configure_mtls_channel is called on a base Session instance where _auth_request_session is not defined, and provides an actionable code suggestion to safely access the attribute using getattr.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR is fixing two issues found in the auth library:
Adapter Connection Leaks
Whenever the
configure_mtls_channel()method was called, the code would create a new mTLSHTTPAdapterand mount it to"https://". However, it never closed the old adapter it was replacing. Because of how the underlyingrequestsandurllib3libraries work, the old adapter's connection pool was left open, creating dangling sockets and eventually causing file descriptor exhaustion.The Fix: I updated the method to retrieve the existing
"https://"adapter (viaself.get_adapter()) before replacing it. If an old adapter is found, we now explicitly callold_adapter.close()to shut down its connection pool and cleanly release the sockets back to the OS.Missing Auth Request Session Update (Issue google-auth: mTLS token refresh blindspot due to unconfigured internal helper transport #17680)
The
AuthorizedSessionclass maintains an internal session called_auth_request_session. This hidden session is specifically responsible for doing background work, like fetching new OAuth tokens or signing IAM requests. When mTLS was enabled, the new secure adapter was only applied to the main user-facing session, completely missing this internal session. As a result, critical token refreshes were bypassing mTLS and failing when they hit strict Certificate-Based Access (CBA) endpoints.The Fix: I added logic to check if
self._auth_request_sessionexists during the mTLS configuration. If it does, we now apply the exact same cleanup (closing its old adapter) and then explicitly mount the new mTLS adapter to it. This guarantees that all background token refreshes are routed securely over the mTLS channel.Also added a documentation warning to clarify that dynamically reconfiguring the channel mutates the underlying session and is not natively thread-safe.