From 7379dde0f7b51c6b24f7ffd7c81f7285c7cc3d43 Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Thu, 11 Jul 2024 14:46:43 -0700
Subject: [PATCH 01/10] feat(auth): Update get_client_ssl_credentials to
 support X.509 workload certs

---
 google/auth/transport/_mtls_helper.py | 36 +++++++++----
 tests/transport/test__mtls_helper.py  | 77 ++++++++++++++++++++-------
 2 files changed, 84 insertions(+), 29 deletions(-)

diff --git a/google/auth/transport/_mtls_helper.py b/google/auth/transport/_mtls_helper.py
index 6299e2bde..4ecb0128d 100644
--- a/google/auth/transport/_mtls_helper.py
+++ b/google/auth/transport/_mtls_helper.py
@@ -48,21 +48,21 @@
 )
 
 
-def _check_dca_metadata_path(metadata_path):
-    """Checks for context aware metadata. If it exists, returns the absolute path;
+def _check_config_path(config_path):
+    """Checks for config file path. If it exists, returns the absolute path with user expansion;
     otherwise returns None.
 
     Args:
-        metadata_path (str): context aware metadata path.
+        config_path (str): The config file path for either context_aware_metadata.json or certificate_config.json for example
 
     Returns:
         str: absolute path if exists and None otherwise.
     """
-    metadata_path = path.expanduser(metadata_path)
-    if not path.exists(metadata_path):
-        _LOGGER.debug("%s is not found, skip client SSL authentication.", metadata_path)
+    config_path = path.expanduser(config_path)
+    if not path.exists(config_path):
+        _LOGGER.debug("%s is not found.", config_path)
         return None
-    return metadata_path
+    return config_path
 
 
 def _load_json_file(path):
@@ -279,14 +279,22 @@ def _run_cert_provider_command(command, expect_encrypted_key=False):
 def get_client_ssl_credentials(
     generate_encrypted_key=False,
     context_aware_metadata_path=CONTEXT_AWARE_METADATA_PATH,
+    certificate_config_path=_CERTIFICATE_CONFIGURATION_DEFAULT_PATH,
 ):
     """Returns the client side certificate, private key and passphrase.
 
+    We look for certificates and keys with the following order of priority:
+        1. Certificate and key specified by certificate_config.json.
+               Currently, only X.509 workload certificates are supported.
+        2. Certificate and key specified by context aware metadata (i.e. SecureConnect).
+
     Args:
         generate_encrypted_key (bool): If set to True, encrypted private key
             and passphrase will be generated; otherwise, unencrypted private key
-            will be generated and passphrase will be None.
+            will be generated and passphrase will be None. This option only
+            affects keys obtained via context_aware_metadata.json.
         context_aware_metadata_path (str): The context_aware_metadata.json file path.
+        certificate_config_path (str): The certificate_config.json file path.
 
     Returns:
         Tuple[bool, bytes, bytes, bytes]:
@@ -297,7 +305,17 @@ def get_client_ssl_credentials(
         google.auth.exceptions.ClientCertError: if problems occurs when getting
             the cert, key and passphrase.
     """
-    metadata_path = _check_dca_metadata_path(context_aware_metadata_path)
+
+    # 1. Check for certificate config json.
+    cert_config_path = _check_config_path(certificate_config_path)
+    if cert_config_path:
+        # Attempt to retrieve X.509 Workload cert and key.
+        cert, key = _get_workload_cert_and_key(cert_config_path)
+        if cert and key:
+            return True, cert, key, None
+
+    # 2. Check for context aware metadata json
+    metadata_path = _check_config_path(context_aware_metadata_path)
 
     if metadata_path:
         metadata_json = _load_json_file(metadata_path)
diff --git a/tests/transport/test__mtls_helper.py b/tests/transport/test__mtls_helper.py
index b195616dd..4da2b4c42 100644
--- a/tests/transport/test__mtls_helper.py
+++ b/tests/transport/test__mtls_helper.py
@@ -111,15 +111,15 @@ def test_key(self):
         )
 
 
-class TestCheckaMetadataPath(object):
+class TestCheckConfigPath(object):
     def test_success(self):
         metadata_path = os.path.join(pytest.data_dir, "context_aware_metadata.json")
-        returned_path = _mtls_helper._check_dca_metadata_path(metadata_path)
+        returned_path = _mtls_helper._check_config_path(metadata_path)
         assert returned_path is not None
 
     def test_failure(self):
         metadata_path = os.path.join(pytest.data_dir, "not_exists.json")
-        returned_path = _mtls_helper._check_dca_metadata_path(metadata_path)
+        returned_path = _mtls_helper._check_config_path(metadata_path)
         assert returned_path is None
 
 
@@ -279,15 +279,15 @@ class TestGetClientSslCredentials(object):
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
-        "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
-    def test_success(
+    def test_success_with_context_aware_metadata(
         self,
-        mock_check_dca_metadata_path,
+        mock_check_config_path,
         mock_load_json_file,
         mock_run_cert_provider_command,
     ):
-        mock_check_dca_metadata_path.return_value = True
+        mock_check_config_path.return_value = True
         mock_load_json_file.return_value = {"cert_provider_command": ["command"]}
         mock_run_cert_provider_command.return_value = (b"cert", b"key", None)
         has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials()
@@ -297,10 +297,47 @@ def test_success(
         assert passphrase is None
 
     @mock.patch(
-        "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
+    )
+    @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
+    @mock.patch(
+        "google.auth.transport._mtls_helper._get_cert_config_path", autospec=True
+    )
+    @mock.patch(
+        "google.auth.transport._mtls_helper._read_cert_and_key_files", autospec=True
+    )
+    def test_success_with_certificate_config(
+        self,
+        mock_check_config_path,
+        mock_load_json_file,
+        mock_get_cert_config_path,
+        mock_read_cert_and_key_files,
+    ):
+        cert_config_path = "/path/to/cert"
+        mock_check_config_path.return_value = True
+        mock_load_json_file.return_value = {
+            "cert_configs": {
+                "workload": {"cert_path": "cert/path", "key_path": "key/path"}
+            }
+        }
+        mock_get_cert_config_path.return_value = cert_config_path
+        mock_read_cert_and_key_files.return_value = (
+            pytest.public_cert_bytes,
+            pytest.private_key_bytes,
+        )
+
+        has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials(
+            certificate_config_path=cert_config_path)
+        assert has_cert
+        assert cert == pytest.public_cert_bytes
+        assert key == pytest.private_key_bytes
+        assert passphrase is None
+
+    @mock.patch(
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
-    def test_success_without_metadata(self, mock_check_dca_metadata_path):
-        mock_check_dca_metadata_path.return_value = False
+    def test_success_without_metadata(self, mock_check_config_path):
+        mock_check_config_path.return_value = False
         has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials()
         assert not has_cert
         assert cert is None
@@ -312,15 +349,15 @@ def test_success_without_metadata(self, mock_check_dca_metadata_path):
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
-        "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
     def test_success_with_encrypted_key(
         self,
-        mock_check_dca_metadata_path,
+        mock_check_config_path,
         mock_load_json_file,
         mock_run_cert_provider_command,
     ):
-        mock_check_dca_metadata_path.return_value = True
+        mock_check_config_path.return_value = True
         mock_load_json_file.return_value = {"cert_provider_command": ["command"]}
         mock_run_cert_provider_command.return_value = (b"cert", b"key", b"passphrase")
         has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials(
@@ -336,12 +373,12 @@ def test_success_with_encrypted_key(
 
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
-        "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
     def test_missing_cert_command(
-        self, mock_check_dca_metadata_path, mock_load_json_file
+        self, mock_check_config_path, mock_load_json_file
     ):
-        mock_check_dca_metadata_path.return_value = True
+        mock_check_config_path.return_value = True
         mock_load_json_file.return_value = {}
         with pytest.raises(exceptions.ClientCertError):
             _mtls_helper.get_client_ssl_credentials()
@@ -351,16 +388,16 @@ def test_missing_cert_command(
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
-        "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
     def test_customize_context_aware_metadata_path(
         self,
-        mock_check_dca_metadata_path,
+        mock_check_config_path,
         mock_load_json_file,
         mock_run_cert_provider_command,
     ):
         context_aware_metadata_path = "/path/to/metata/data"
-        mock_check_dca_metadata_path.return_value = context_aware_metadata_path
+        mock_check_config_path.return_value = context_aware_metadata_path
         mock_load_json_file.return_value = {"cert_provider_command": ["command"]}
         mock_run_cert_provider_command.return_value = (b"cert", b"key", None)
 
@@ -372,7 +409,7 @@ def test_customize_context_aware_metadata_path(
         assert cert == b"cert"
         assert key == b"key"
         assert passphrase is None
-        mock_check_dca_metadata_path.assert_called_with(context_aware_metadata_path)
+        mock_check_config_path.assert_called_with(context_aware_metadata_path)
         mock_load_json_file.assert_called_with(context_aware_metadata_path)
 
 

From 62bd8f23c958ced4fefab7f3e720c3e241a42c45 Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Thu, 11 Jul 2024 21:57:23 -0700
Subject: [PATCH 02/10] feat(auth): Update has_default_client_cert_source

---
 google/auth/transport/_mtls_helper.py | 6 +++---
 google/auth/transport/mtls.py         | 6 ++----
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/google/auth/transport/_mtls_helper.py b/google/auth/transport/_mtls_helper.py
index 4ecb0128d..68568dd60 100644
--- a/google/auth/transport/_mtls_helper.py
+++ b/google/auth/transport/_mtls_helper.py
@@ -23,7 +23,7 @@
 from google.auth import exceptions
 
 CONTEXT_AWARE_METADATA_PATH = "~/.secureConnect/context_aware_metadata.json"
-_CERTIFICATE_CONFIGURATION_DEFAULT_PATH = "~/.config/gcloud/certificate_config.json"
+CERTIFICATE_CONFIGURATION_DEFAULT_PATH = "~/.config/gcloud/certificate_config.json"
 _CERTIFICATE_CONFIGURATION_ENV = "GOOGLE_API_CERTIFICATE_CONFIG"
 _CERT_PROVIDER_COMMAND = "cert_provider_command"
 _CERT_REGEX = re.compile(
@@ -136,7 +136,7 @@ def _get_cert_config_path(certificate_config_path=None):
         if env_path is not None and env_path != "":
             certificate_config_path = env_path
         else:
-            certificate_config_path = _CERTIFICATE_CONFIGURATION_DEFAULT_PATH
+            certificate_config_path = CERTIFICATE_CONFIGURATION_DEFAULT_PATH
 
     certificate_config_path = path.expanduser(certificate_config_path)
     if not path.exists(certificate_config_path):
@@ -279,7 +279,7 @@ def _run_cert_provider_command(command, expect_encrypted_key=False):
 def get_client_ssl_credentials(
     generate_encrypted_key=False,
     context_aware_metadata_path=CONTEXT_AWARE_METADATA_PATH,
-    certificate_config_path=_CERTIFICATE_CONFIGURATION_DEFAULT_PATH,
+    certificate_config_path=CERTIFICATE_CONFIGURATION_DEFAULT_PATH,
 ):
     """Returns the client side certificate, private key and passphrase.
 
diff --git a/google/auth/transport/mtls.py b/google/auth/transport/mtls.py
index c5707617f..67661cd82 100644
--- a/google/auth/transport/mtls.py
+++ b/google/auth/transport/mtls.py
@@ -24,10 +24,8 @@ def has_default_client_cert_source():
     Returns:
         bool: indicating if the default client cert source exists.
     """
-    metadata_path = _mtls_helper._check_dca_metadata_path(
-        _mtls_helper.CONTEXT_AWARE_METADATA_PATH
-    )
-    return metadata_path is not None
+    return (_mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH) is not None) or
+        (_mtls_helper._check_config_path(_mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH) is not None)
 
 
 def default_client_cert_source():

From 2079d6887806ff026d52462fa140c816e8a09a82 Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Thu, 11 Jul 2024 22:15:19 -0700
Subject: [PATCH 03/10] feat(auth): Fix formatting

---
 google/auth/transport/mtls.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/google/auth/transport/mtls.py b/google/auth/transport/mtls.py
index 67661cd82..34bb96638 100644
--- a/google/auth/transport/mtls.py
+++ b/google/auth/transport/mtls.py
@@ -24,8 +24,15 @@ def has_default_client_cert_source():
     Returns:
         bool: indicating if the default client cert source exists.
     """
-    return (_mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH) is not None) or
-        (_mtls_helper._check_config_path(_mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH) is not None)
+    return (
+        _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH)
+        is not None
+    ) or (
+        _mtls_helper._check_config_path(
+            _mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH
+        )
+        is not None
+    )
 
 
 def default_client_cert_source():

From 232000d5200a98c8f1417457f883f342a89fe79e Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Fri, 12 Jul 2024 15:30:12 -0700
Subject: [PATCH 04/10] feat(auth): Fix test__mtls_helper.py

---
 tests/transport/test__mtls_helper.py | 40 +++++++++++++++++++---------
 1 file changed, 28 insertions(+), 12 deletions(-)

diff --git a/tests/transport/test__mtls_helper.py b/tests/transport/test__mtls_helper.py
index 4da2b4c42..39365369a 100644
--- a/tests/transport/test__mtls_helper.py
+++ b/tests/transport/test__mtls_helper.py
@@ -274,6 +274,9 @@ def test_popen_raise_exception(self, mock_popen):
 
 
 class TestGetClientSslCredentials(object):
+    @mock.patch(
+        "google.auth.transport._mtls_helper._get_workload_cert_and_key", autospec=True
+    )
     @mock.patch(
         "google.auth.transport._mtls_helper._run_cert_provider_command", autospec=True
     )
@@ -286,10 +289,12 @@ def test_success_with_context_aware_metadata(
         mock_check_config_path,
         mock_load_json_file,
         mock_run_cert_provider_command,
+        mock_get_workload_cert_and_key,
     ):
-        mock_check_config_path.return_value = True
+        mock_check_config_path.return_value = "/path/to/config"
         mock_load_json_file.return_value = {"cert_provider_command": ["command"]}
         mock_run_cert_provider_command.return_value = (b"cert", b"key", None)
+        mock_get_workload_cert_and_key.return_value = (None, None)
         has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials()
         assert has_cert
         assert cert == b"cert"
@@ -297,14 +302,14 @@ def test_success_with_context_aware_metadata(
         assert passphrase is None
 
     @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
+        "google.auth.transport._mtls_helper._read_cert_and_key_files", autospec=True
     )
-    @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
         "google.auth.transport._mtls_helper._get_cert_config_path", autospec=True
     )
+    @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
-        "google.auth.transport._mtls_helper._read_cert_and_key_files", autospec=True
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
     def test_success_with_certificate_config(
         self,
@@ -313,8 +318,8 @@ def test_success_with_certificate_config(
         mock_get_cert_config_path,
         mock_read_cert_and_key_files,
     ):
-        cert_config_path = "/path/to/cert"
-        mock_check_config_path.return_value = True
+        cert_config_path = "/path/to/config"
+        mock_check_config_path.return_value = cert_config_path
         mock_load_json_file.return_value = {
             "cert_configs": {
                 "workload": {"cert_path": "cert/path", "key_path": "key/path"}
@@ -326,8 +331,7 @@ def test_success_with_certificate_config(
             pytest.private_key_bytes,
         )
 
-        has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials(
-            certificate_config_path=cert_config_path)
+        has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials()
         assert has_cert
         assert cert == pytest.public_cert_bytes
         assert key == pytest.private_key_bytes
@@ -344,6 +348,9 @@ def test_success_without_metadata(self, mock_check_config_path):
         assert key is None
         assert passphrase is None
 
+    @mock.patch(
+        "google.auth.transport._mtls_helper._get_workload_cert_and_key", autospec=True
+    )
     @mock.patch(
         "google.auth.transport._mtls_helper._run_cert_provider_command", autospec=True
     )
@@ -356,10 +363,12 @@ def test_success_with_encrypted_key(
         mock_check_config_path,
         mock_load_json_file,
         mock_run_cert_provider_command,
+        mock_get_workload_cert_and_key,
     ):
-        mock_check_config_path.return_value = True
+        mock_check_config_path.return_value = "/path/to/config"
         mock_load_json_file.return_value = {"cert_provider_command": ["command"]}
         mock_run_cert_provider_command.return_value = (b"cert", b"key", b"passphrase")
+        mock_get_workload_cert_and_key.return_value = (None, None)
         has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials(
             generate_encrypted_key=True
         )
@@ -371,15 +380,22 @@ def test_success_with_encrypted_key(
             ["command", "--with_passphrase"], expect_encrypted_key=True
         )
 
+    @mock.patch(
+        "google.auth.transport._mtls_helper._get_workload_cert_and_key", autospec=True
+    )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
         "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
     def test_missing_cert_command(
-        self, mock_check_config_path, mock_load_json_file
+        self,
+        mock_check_config_path,
+        mock_load_json_file,
+        mock_get_workload_cert_and_key,
     ):
-        mock_check_config_path.return_value = True
+        mock_check_config_path.return_value = "/path/to/config"
         mock_load_json_file.return_value = {}
+        mock_get_workload_cert_and_key.return_value = (None, None)
         with pytest.raises(exceptions.ClientCertError):
             _mtls_helper.get_client_ssl_credentials()
 
@@ -557,7 +573,7 @@ def test_default(self, mock_path_exists):
         mock_path_exists.return_value = True
         returned_path = _mtls_helper._get_cert_config_path()
         expected_path = os.path.expanduser(
-            _mtls_helper._CERTIFICATE_CONFIGURATION_DEFAULT_PATH
+            _mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH
         )
         assert returned_path == expected_path
 

From 3e951e6aae331b5c02ce0b63b5492a69a05df238 Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Fri, 12 Jul 2024 22:18:11 -0700
Subject: [PATCH 05/10] feat(auth): Fix function name in tests

---
 google/auth/transport/grpc.py |  2 +-
 tests/transport/test_grpc.py  | 28 ++++++++++++++--------------
 tests/transport/test_mtls.py  |  8 ++++----
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/google/auth/transport/grpc.py b/google/auth/transport/grpc.py
index 9a817976d..1ebe13795 100644
--- a/google/auth/transport/grpc.py
+++ b/google/auth/transport/grpc.py
@@ -302,7 +302,7 @@ def __init__(self):
             self._is_mtls = False
         else:
             # Load client SSL credentials.
-            metadata_path = _mtls_helper._check_dca_metadata_path(
+            metadata_path = _mtls_helper._check_config_path(
                 _mtls_helper.CONTEXT_AWARE_METADATA_PATH
             )
             self._is_mtls = metadata_path is not None
diff --git a/tests/transport/test_grpc.py b/tests/transport/test_grpc.py
index 433cc6855..dcdf91f06 100644
--- a/tests/transport/test_grpc.py
+++ b/tests/transport/test_grpc.py
@@ -143,11 +143,11 @@ def test__get_authorization_headers_with_service_account_and_default_host(self):
 class TestSecureAuthorizedChannel(object):
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
-        "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
     def test_secure_authorized_channel_adc(
         self,
-        check_dca_metadata_path,
+        check_config_path,
         load_json_file,
         secure_channel,
         ssl_channel_credentials,
@@ -161,7 +161,7 @@ def test_secure_authorized_channel_adc(
 
         # Mock the context aware metadata and client cert/key so mTLS SSL channel
         # will be used.
-        check_dca_metadata_path.return_value = METADATA_PATH
+        check_config_path.return_value = METADATA_PATH
         load_json_file.return_value = {"cert_provider_command": ["some command"]}
         get_client_ssl_credentials.return_value = (
             True,
@@ -332,11 +332,11 @@ def test_secure_authorized_channel_with_client_cert_callback_success(
 
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
     @mock.patch(
-        "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+        "google.auth.transport._mtls_helper._check_config_path", autospec=True
     )
     def test_secure_authorized_channel_with_client_cert_callback_failure(
         self,
-        check_dca_metadata_path,
+        check_config_path,
         load_json_file,
         secure_channel,
         ssl_channel_credentials,
@@ -401,18 +401,18 @@ def test_secure_authorized_channel_cert_callback_without_client_cert_env(
 )
 @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
 @mock.patch(
-    "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+    "google.auth.transport._mtls_helper._check_config_path", autospec=True
 )
 class TestSslCredentials(object):
     def test_no_context_aware_metadata(
         self,
-        mock_check_dca_metadata_path,
+        mock_check_config_path,
         mock_load_json_file,
         mock_get_client_ssl_credentials,
         mock_ssl_channel_credentials,
     ):
         # Mock that the metadata file doesn't exist.
-        mock_check_dca_metadata_path.return_value = None
+        mock_check_config_path.return_value = None
 
         with mock.patch.dict(
             os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"}
@@ -429,12 +429,12 @@ def test_no_context_aware_metadata(
 
     def test_get_client_ssl_credentials_failure(
         self,
-        mock_check_dca_metadata_path,
+        mock_check_config_path,
         mock_load_json_file,
         mock_get_client_ssl_credentials,
         mock_ssl_channel_credentials,
     ):
-        mock_check_dca_metadata_path.return_value = METADATA_PATH
+        mock_check_config_path.return_value = METADATA_PATH
         mock_load_json_file.return_value = {"cert_provider_command": ["some command"]}
 
         # Mock that client cert and key are not loaded and exception is raised.
@@ -448,12 +448,12 @@ def test_get_client_ssl_credentials_failure(
 
     def test_get_client_ssl_credentials_success(
         self,
-        mock_check_dca_metadata_path,
+        mock_check_config_path,
         mock_load_json_file,
         mock_get_client_ssl_credentials,
         mock_ssl_channel_credentials,
     ):
-        mock_check_dca_metadata_path.return_value = METADATA_PATH
+        mock_check_config_path.return_value = METADATA_PATH
         mock_load_json_file.return_value = {"cert_provider_command": ["some command"]}
         mock_get_client_ssl_credentials.return_value = (
             True,
@@ -476,7 +476,7 @@ def test_get_client_ssl_credentials_success(
 
     def test_get_client_ssl_credentials_without_client_cert_env(
         self,
-        mock_check_dca_metadata_path,
+        mock_check_config_path,
         mock_load_json_file,
         mock_get_client_ssl_credentials,
         mock_ssl_channel_credentials,
@@ -486,7 +486,7 @@ def test_get_client_ssl_credentials_without_client_cert_env(
 
         assert ssl_credentials.ssl_credentials is not None
         assert not ssl_credentials.is_mtls
-        mock_check_dca_metadata_path.assert_not_called()
+        mock_check_config_path.assert_not_called()
         mock_load_json_file.assert_not_called()
         mock_get_client_ssl_credentials.assert_not_called()
         mock_ssl_channel_credentials.assert_called_once()
diff --git a/tests/transport/test_mtls.py b/tests/transport/test_mtls.py
index b62063e47..e82520b41 100644
--- a/tests/transport/test_mtls.py
+++ b/tests/transport/test_mtls.py
@@ -20,13 +20,13 @@
 
 
 @mock.patch(
-    "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True
+    "google.auth.transport._mtls_helper._check_config_path", autospec=True
 )
-def test_has_default_client_cert_source(check_dca_metadata_path):
-    check_dca_metadata_path.return_value = mock.Mock()
+def test_has_default_client_cert_source(check_config_path):
+    check_config_path.return_value = mock.Mock()
     assert mtls.has_default_client_cert_source()
 
-    check_dca_metadata_path.return_value = None
+    check_config_path.return_value = None
     assert not mtls.has_default_client_cert_source()
 
 

From 1ff9d550c6dd5c9f1b7b677d7ddecc03e31a592a Mon Sep 17 00:00:00 2001
From: Carl Lundin <clundin@google.com>
Date: Tue, 30 Jul 2024 14:15:47 -0700
Subject: [PATCH 06/10] chore: Refresh system test creds.

---
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index ccb040256c0cf0e7e68c58b58536bc49bf81293d..ba7444e1df8e8d3fc1f51912ad4ef49d4ec5b07d 100644
GIT binary patch
literal 10324
zcmV-aD67{BB>?tKRTEdEYGJTZ<>FTl(mkbszCMI9ylE@VNasIML}e%qA3zeSPylv+
ziVkJc%0}s*Ebc^*w;Ob}Qogu}1fYImvwUW1HY0ssfFm1(eWNvy?;s56pS2Q?o-*!T
z8-soi@Q|V8D!Ub@sAw0}Wa1IB3Vhm0Z<GM;-}7LyA?i(5m?1Teu!LJpRbkjXD2`ED
zNI(PXnXTMim^WS<mB&B&K^a3Cz4OzVQgZ(3r7P+&@)le9;OzVzl7ELpV2CTa`0#Ec
zs!FHohu&S<9d)~v{nTD&iPYhsuj^03;MLBM`=8XTOCIs*wC8mTjWJdHM}hvZ`JArx
zR(DJ2{DG0aR&dfQDq$DHE$hNk%C?hiVP=IDD9jaJD<4`k1^BU-L((&7<4TC!-$TqN
z23@d?s+!=u%r2bjDp)3edop+U*k+JdFf|7|Hz!YN2cH_WD4U7G?*tR7C;5{}FAI1l
zw{{&Vr`z9>4X6CUp1G>RRH*IB!I$UWq{%^8C$3930c>0qK*EwF26j-0)9!ux9F`kH
zoTJ3Gd)uo*&m)fF8{t{yF;2Vn!`H}((lp(Lbj^et-$13#gn8jpLZpPcHNwj)q=7Sw
zG9OVWv~Q?i9VD|m$-D9qwyi5#U0n-e7@!B?8|#ZYrtyA!@RjQ&@N5Pi0aVKLa$QgX
zkV`3zN(w-7!(fcdZQzjOdcqK{>f#m~!iS$xs63d4{{%QStO&re6yISbWm#6z-CJsw
zbRw~geAoZFga^}oXX%;PD_3}jXmeXNcwhDY606Zr6DU}1n)7`)t<XVy1J~m_88{!a
z3O{9+o^sI;U=|Q5VO;Ful>H=qd_3!W-oRS7RAU8?r~)5Ek1N$@4wt-ha8#jnuLAx6
zSes9yuY@$Hn4fBBX8bQg>94LsPqoQMj+<jpO&|#_!1a6!y_ew5I#6z*W}h?Ly?-!T
zvQz#6O&Iysg-H5~NMJw;n`z|WjyY@|P}}==;F#ED?qG4`{><oHZIaiS$=^8?x=!c!
zU5T*!&6dA%Pa}8&_@`z}0^M0T&q=%>jjfud@(?aBhQALDHKpOqgd5HMP5)k+Kr>e|
z&3izPYpXp9OkkNKliNbR+~tiLg+_@_l$1pjA9DwZIc>2UjiDW~JW<D=N6g2}i3@+{
z(rt<$hmPsX80RvXE#pO%HC4AI1C90Z1(jRRqgvt<EeTa|zLVUakv%<Fg6Myk!g1=M
z!A4&Zx|-%c$~9n<a&|jR+U+yv!Utsug7!Y`+_X+j1@{&3A$p%<*-6bKl!hSGrz{lG
z-h5$2UK*{IwI>tso{0;3gPE7l>KQH(sGi7tOBTxFw02SEuZ`D$l^_WaKU@3Wo&Sr1
zry_~;b)ZGgI`>)6l^-+|s<=&e2?ek%wD2i77i~_4)Mub;j`~OaW%XUan%nDLe)Owd
zz{6wkhol-wI1e1r#s0EPyoupep;hv-{@!3++fBq6W+=T@+q!M+>T3z<MHbXN8xztD
z6Dr^&PgOv$7v;1=HVOX{{RzS%fAyvs3guR~**ory2<e&P4$DQF@86@caD`({>Ggb|
z{_z_L&QF3mVpcO2Gmi`UqnzZ3pp_>c#hzrw)fBJ>#$yQ)sX~EHvHjf)*k%sd5wEG*
z=6~WLEInrDXLhJNa0*)Rhw`+6I6h~?qYtw2F7Z2j&{osBvImS*EM^yzb#^|mZ=!C#
zc>E)8dx$~D7BkZGNy|QCzW+T6zOZJb&W~{bHalmG6d_D{O-_*t4%Q~+n)9mmt=ehH
z(|Z~3WS7i4A>xL~`j*toX4cEtD*q|!i0-g#334X89qO?Ij^4^Z0W^1#i}Yb%dEB40
zg5+Gj$FFloxIiMgFC>q}#=~qmE%G7s2;DnWo;cH7?m|0P;mWHh$Ks_+w-Gu<6gDK#
z-Why8XJ{50Gxl|HA`Wk}`jolI*DRXH-NSnTX4l^ikO&_Ob=}i3;mY9V#JlV+`E0p|
zcf<*lgw)Xh9s)!FYH8JrC5^iyl8S2^JMmA~s+7P!(n5qgJ(sSPwT){@2SMK=&Ff;7
zGKH!8$hOS7&cSU!CWNpP#cbn=klN24%+X@H4vT^Pf$1i36gE3AJYrMG!}GmLe^6bu
zm-;mLu+CWl!0Ci{p_9E8(Gb(2tR){@M0tq<7WIq<Ac>`+NjFN(7+>ARLQu~B{!iq3
zzqQ)d&@~2HpY2ek_^`Xu*wUmuwz#)XXGbY_Zb6Q)Jj{fGm*;0pz}5lXT8g)7b}utW
zE~tC4auT~I6l}JLHX7^$Cjh>dS~ypsdQ!Ouw@5yN-H5mw&@HWxpV6R_?u#o#!&E|s
zK+QA<{I+A?b(yM7Rurox)FDNx?r|C2%B&VRr2L;OHy=qe{qF(yOHLlq$x+Dg_1<OC
z!E)bm-e=GfbaOUjKne;X#@cPwTPwn!eM|=wx95c!;W-TS%9N76b5d<CLaBU5$Y=wB
z={mOvU7tIEb`vp98GO^))>-Ee;LYol&sg0H`oASh(S;~+e6pOJr?_CpU4hj+9RA!J
z8^iabuR#xkJ=sMRcuxqvU>yK%qNtjV>zH~*3x34fQZB|Gko=%sMmAC91OrakMb@OE
zL5#q9pZ4l$bBbUC^>=$^wM0oEbBBJD1G|c;=K1{>phVa#C6A<7wt1#xS{DO}plWDM
ze>0OI&%dafi>AhsDGT7=t{!|j_MvU2{HJrGfom!B10c@Jw|;-U!+qP{CGduL#9u(L
zHUcE5Ivatjk(4p%T)z(H2?-9veZ0!89Kvm;J%V$L86UP?2S<?|DcViKf6H(vDUF^t
zH?8E-P&fXjEhv4bd~<-7tX}{sz&ylRQKv~W`)5s3nV#PqN0H%YLGLTyl=zRG{{SX{
z+#pu08n}snui1x~0=c_VLp@nuSgaGs@`taOa!qA3jXVb-%*uY%>Oc-0Ke-yJwH+(_
z4@M{^%xrM^HW0j{+sCMko}1nHbK_D<!fc?sO{rs??Jp$j7nY%SjrgOz&GfHwk0ikv
zw0U<y^XzvV=W<JAYO6f-z+$B2{WDcQMAYg09HxwcJ8IDdm#TF30}SQMDZVVI^LT3$
z*~Z4iwWhdc$-Q>6FY^`5-P1#u!c?~a$f#<8G=Lb6eK~rCB3WGWml0L#U<;*(Yx!4*
ztS*FdgWH4toXvt@W|%UM;Pasv<Jb;e<JgF?_<tb{d<M7sAUSrWS*kirb_&$qV%?R1
z(i0W1kR+*&#Tma^lo>z7Q~of|=Bfl|{DvOc;Dn+XPkC*EBqle$haouU5MVN2;nlw~
z+ui=K*(9>bFlKDcFAk?3eyWe$al?{R<c#(3wz$x9>nO~lHL|7mV<1RnFG`}$iVY0J
z`XqlJp20h&Y;ZyOlHCzQtGPbsS+Ozw^8a*H<4f^h+ZX+-;fI9|Z+T;eOI_zO{Y&sB
zrYzFARgvg=2`oU*e=s$g!CVb-xwqJ!+5KLy+42S>@zC^lO6?@E5AIB{LmHp#C5gVn
zH0!JMq6)PvAR<^7PbvZ6Ryyg0%4TE*=}M_nl@-%LNW;uhvc4NTF|XgSjYEFkq)rXv
z2^QDr<z3|Isx0dWR})`2v#!-#Us`KDJq#lGkc%W_!F&G}n@gFw0WNggZk@_>-Vx!<
z;TDXIJT#PB0Y3aNO06|pAGf0YGGJxO)}&gw!HoNzrCk3g+Y#~<O{dv6gDC+(SDxpk
zIXLHU!StB(wu1+kjQJ4ySdk}ms%EWb*_3eHC5*7XUvp1Z`0{sV$zqxVIF0~6FPOxp
zgrlxIM~Hx?<E%cItZWuP^LG*(l6JU%>Y(C!n;^RS3wkwud>thz<oflJnscN_5)k2R
zwcl=dnZ0%#fT4TI!}K%wCWAb4kCIui&yaNt?t6_@TF*ycT_|}_bao`$^c&k^Z*qdM
z0|-7>Y*I*<9gTTODqqiJ$*AjP2TWW0f^mQm`uhauT@UJ1>ovo)9-y7wE*lh$B1lG9
zf3-YB7PoBxu&P{8l~zub7#u%<XO|gK!NvQw*>;MMCgwD*!PaC6Rt>8vO}a@aSd#%3
zntvl!1197kljKKGf5#%#`n);=@L(=AZ?ZCUTjK00Tw7I`I3HLDa0ZEt6}L{{t(z7T
z(R0DT-fOptOp^!8j<OuAjMU>y0E+uwW~U5!$(I;Kn<E_wk^8oH0x!;x)ALj}!iu46
z+jZMOtH&R)!JG=I^9}tT(1URXEjS%&g8Z-x`)F~cLvJ4xSaL`hMEmsS)^3=+ck)I@
zV|(|DmcDO>(Z}@jQ?sNv^z-Z!%z{rRlWshua7>gZWdVTm0tFMLE}EL4UR4ef7^jt%
z0L+A;&{$FnTj{~{sks~Nrjc>ovZ&m%P@8*tbFnB+7dJps6%-m{oGK*iPzE(zD*Sg-
zON#*C-bbk$O<*(G=rt>!se|<$VP^#6<!xkvX{Epr7@6n%E4?AEF4)3L&p)WSiACXs
zC`IBV!*nc=FSquHq%NzmUMcF~nH_1GY2xCTXSzp{&F5>dHbftY+<ogfb-BxY8Qx<(
zt->R6M6vj`!zpo4=Aj{H7Zqa}DV6Pb-g6*fchKZrGZcc1nDgc+^w+G&-7=LzEZ^%G
z^p-oxv}=pD5~z#Hiz=86vXIssL9#}Vv_dxK0lm|O(Bj{!SBMs~)!<xGLoNqfesH|G
zH8Yu7b%K;GvuxO|?kWKdzg#pQ9*J-PwEIh7g;<F1)}C3J%HSP(f#^7x-vt1%<r|Q%
z0ebGZ&>RveKJoBQLJ4_z+8|<^cW%l^dwyVhK(zztG+eZZ&_U3~+vIy+5nbSDhzQ&B
zORUw;t(??3FA#a3PAIbL@wUkNd9eA;yN^LqazYYEXX|?W20jW>{CY8aH8LrgW(*n&
z7~BO4gAM}A)@n~E&__ZLy0BV}fMK)W>4vx;CSZeS^r&nIwWrCq82G@8iPAt{mGOAr
zm|~i({fzrs-Mw-$J_4UWWLLHTs68k88vUD6@_;}_`=dU3D^f;qThM3*8FkGa0~PF%
z3IVvbw0D>0hrry_Q>+<&x|M58tUC#?U~ZN=Du$3{z=?EfhwCG6NJ<u+Hotk7b{Z~J
zfV9CIOfl`1!Ad1TATPFt5S3y-m5I237Z;^A@mb~_w}Zw70m0EF@G2aDM3W7Ue?Qm{
z2&x7e2(&gZRMdKEXZ3b_0<WoW$H%FVT)wB;4H8;lPaa3d*C8Lk+D^*Tf-pZrvgn*o
z9yo!T#6TI9txIJRv%s`Tr@dw@r_RQPFzf`tGQf<}H4K!DLRzTMa>|Hc{IuMTswJ(9
z02C`?Fgo-MWjG+l=@rD(v<ZBZL~c-WvhQc*qDK-Uc&E2Tdr4^LBlWN>)3z)i6ZI2+
zHqlnNEl%PnCdx!c2ywcZzY0?G`+~=Pyau1zJW>psCq_O>RhG=@t2ms$*Z|w8+og7a
z14`kaEfKkGOV$%=(wdN+>LH&{)pkTm^#=>)RE@bn^V$7hx#Zgl_&w--Nva|p_gnjr
zJ2Z=<`k0Cev<Q+?lf{J*n<DdE$(@2`Oqspdlg`M4T<$=cb**y)Fp0DmD|xesla>ks
zqUnOaTlddydf;g6pEgq?{p2fURm#YO;nr^(&3Y<#ZTI(fTd*$T5u1_}xKjiDUua1I
zcQdIu2Za4%H+h39-m;AHc@d@?ab!&gO`yrj{C&13+)~d%(MHN!(mtNPF7f%zH?fDL
zQqFi0jvZ)Yk;UyEP;4*u4kuAL$vSqEvr6-5HYeDizZn@Lrf{{G3KAfm&rQ@0dy`K6
zA-hY#NHIg$k4bY6Jz0rroLQ|3CVaAmyOK?~UvK^>jbd$6|IRHzjoLY>7Tp~>t7^;1
z^%Or%GBYMJD-H?->RSgNFjC$zXZdG>M=l;aJtq`(z`UzI+gnY4nHsRkqn+40(eeyY
zH=b<N9aW+=)P;ZrYRZ%v*<*AiHxl&Cy6?s*vn*ax&{&5^EOY@l_>JP#I2E;A8@VGv
zyvRH15Gnoy?+-0$PqHR}-m0))YpySg6!<6y+lkiqgKN5kab!Z~+<G_?zW~sQqNDy%
z+tgr_Gf)}oye0``2kdm{VTf`+-fI~SB-<3t0Me!LvD#ew%d8buZmcXXpD!y7j)uMp
zkDSka45%8+@WV*iJa*I9gkZ)YmrboFxCYePo`jbqGH_~Z5tpoI5z=ptq8dYP?Pl*H
zB|v?TUb^DB{|Pr-!*2>q?B&&hWrBTa*E5yM2>uC}`MqgW%EIBI@KmMBR%dH9?lh-h
zz5sq)w=w+e9cCYwBzi2OpFvc1;MMLr`LjUEMZ3XKflY^~{CK!~&Wo@P!!z%8eS-+7
zIPjcK7IrB>R<`SjBlR|{PJ4(~1>N#b7OS9TP97_y$qYya@3kc_gV55VL^)iBm)E~>
z<=+^z1%i20C_;8T&!+$YU_L`E`CtCCitW+eh6HQ6TwM^ILoVL)Y>)OZhGhysis_r(
z3<i1XIJ5d(x;f&NKQxJv_)8x8;0{+$aYT+%$kB*RJ>$duV<sr)zyatbJAuIB#i`cl
zqsI2%e@*xHv8ZO}kivY5=>5c4-V}fAV>(W-Ax$3fzO?9~qEWPvkMPfVnZb+xlE|C(
z2{HPGfHMv(R54x{oX>`-xoQfgwS_Fka29lR$PS)IcYcOI6nB3muX%?qDz+kWG~v0#
zbEHc4#O*rm$SRd%|8#LUD^Ec>WR_AFdi;`nlQqvuu#ZhrE^3(KN*(mshfkuT__&|o
z5F@w7#_gs;fhtb*n2CR0Rl@0C07jNUz<k)7)%wO_K2GTGI=wP8pOgs0gFy$E2#jAl
zx2ku{t}k<dQA)xDFP3c2sY$dj1!j4Ez3?i4>a$TO$9G2*+!CJiiEMD`yr&8k`Tp4>
z7m^heHf~QJ^D(6KBYwyJz9FudVwwGH>)tUzywSsJx2l)A4S;<~z+{cQ`hL_lMy)<!
z#WoOWu{&GJ1{=QG8G?i4yxw)8mko#$nck*bWsiT6UM2Ii1jOe$F=aa42}KbLqGEAN
zh};q+*m9v2kNl@=FY&5fwcE)B__Bj^B|gE;oWXOw9AC`)tKYZZsDJ}&8YjvU-L+?Z
zh5Ot^Y_)mqqKZLUFc*dPEl60e4C2zSkQ@60!U+to%Q6h$0ir)G6QK{4?Z7?6S&pLR
zR>VORA#I&QoU6J(^`2MzTAw%;D{(*p=_q5!Wf;z3AfhI=do8A^nVza%o8r+#gjh`g
z8)(3O$jZnyN}kBRIcvw~JgSJ)TUcTnILg(@!oQ3Xtb86?+oFJszc7|kpqw{+I1qKW
zH_wMg)mfM>(wd*{HUYqM3ivJ9m1=pR#r6822QQu4dmoXWBzaa6dVw&Y>?RPa`g+XB
z2l-AP4~YWAG%&|-&oPM7KHEr#<)^$MCiLOmE7Zkj&ZdZ4Y9u(hLBs1=cx-Bgn{v9;
z0HI?XC=MQlSE(Ut>UtNG)i)aF=SF3km(ThF#oIg~Tk{$OOrYw^hH``_%Rt5tG=YQp
zc>eWx(*TsN>oo7Ci5N7k&kq-<F_-DpSR(4z-EI*!>*B?u*%_%e%kNS&%@SL_^~z4v
zt=+sjMCnO&0j!HBr)OeC)nS+75@6T&IK>7<{!uP+Ix?)Z)Jg`Fxc&1JeJQbX-4aqA
zzbt>VYq74;q)nSVT6?Q&owyx7$A>+Mh!R+a!JGRbJrlVum#T?FP1lIP+qyQ?C_cl-
zvKf}1Pgq{7LC^)Kwu8928|{R$RQ)0efi1HaVfK)^irr+}{Ny7p2yOa&*{TAq4UoK-
zZ(hm&>yp3};Emqkp_Pi4Jdcz4@=mO7PJD)c5up-eq)y{3yJ1hvTG(vi$q;w&2%&=H
z6u9Mqrbv#gBetq1;bY+LGP(GOf6(DCm_ZbhOq<(tHDhOS6v+8|6@f@4Is?2_Qp(qI
zvhx<e{o%w6l4?&*P7#v0mqgfC{yk`*UjPL~rIn+hIce7^8Fkw{eYT#*V10;LM1A3^
ziAmUSBq}FUJ4g@#QShr^wwj=1D1u&nIEs#id*iL7NQ&+&)Fq(g22HmUC+rBOmn}YK
z#__lt*)i*w#`b-8H2N#`?xE>tZnQ2YvbM-iY^ZCQa<_}W^#&FgKj2Wd=1{G^0_<4%
zf+x2ggPpxoACPOV3%<<C^N$2+%bV^tf{uX=_FqDY&MiY`r)=n4{^{=D0qWAS$~iWR
zvH+KHa}=Q+4Y*P^X_fr+o@*Cbo&=*WjiyX1?lq|;X7J$FQ&;QmCRGFCs<=HrHrU{#
zKvkg2lC;+<HJI&o+DInx-&U(mzQn`XI1hDT%MZ_`Ghe%AkuykTPqRR1ZyF3rov(!1
zqL3Eme9Iiw9!>#|&v(%;yn~>whRcAZt;IxS7nS6l5Rm+G^9V!XMcpX7&DGo2T|k8f
z466FUd_`m45^ifo3)-(}9apkOzxY~zX}LI*GpZBObV5&_rbK4ICS%rN?IK9LqT)Q$
zv-(+uxTLi%MoS7VX3mnahr7L#3UEu~0W913Fr|ZCvYgqSLV5jhgopP<Da=u^cX%b;
z_pSXZBHQUhpewk$jq5ffysh|wJgvT<J&i(ZqWM?uEJL8K%R8RiXEIrNfE$!Kr{5gb
z_0N%y@K?<sN#+`<tMwZ~{&3Ssk)b%G%^%@Na^jv6K2P*zamk}!gJ>#Q|0n-zY%1x!
zs_9m$uIUU<ZGN>9BBtU<hZ@zA!E$JBl!F!E2dqzbp0SbFk&;b-*T3k7+lxh@<5QL*
zm2|n@bXTX6Z19pEf-ww6-^XQ{7U@1<b2KOJd|-*jeIyiDk8{1{^vNsBN#3!+J=zr3
zFC=GpwLU|$M919umQEo_UMK=T-f>lNF~h*<9OKWeENfk@gwIJA@(CsN|9eAUq=J9}
z#1XqwYZke?IIn!d11yTD*t-*Ovx;o5%+TE5>(vvyN&fvJ;G?foayO(eTMwf*VqC##
zN+)H0_Ple-lG?ceu-Z%eL91fko#^R(coL20YS|hGM>46^(##39n-^a}U=EVW%i8@F
zU6P)+wpS((6C#EEJG%pfK_!6o0A>w&T^qui*P(Q+3PTc%`p}xZ`UU2~fzW5CCK_H=
zZlb=C_ao;lV@doPavW^MKyQcx=%x>_GO$d3^$X^Py%Mk$?mB7~nN9Yln*eMr%QQN{
zB)HFthN;b;uu%GdU`#9Oh-0F8R{-__MvP&$hzhRQ0Qu9GWgj|a@iGjkXB6Mm;=Lv!
z7_90ytMo2o05A*F=%x;_T!h+c@gO+3f1yu6Oi3!(?GI_nxS?n={@*8jAfPRnJ&|%y
z>J6rtuFhXj1#QUlMRU!st6Ql&y-+iR?HwbZQrlDbtAjsQw0|ha1*P%feLtBNGUOrQ
zpwnc(1adl}>2f%}gmyfWmiW(S-F!;T4$=B6^m(p-Z5b;vVVqxvd_Vd8CAGY~;ZxWU
z2qfc!j~ahNb@nv<hUX&eFE^$WyD7^_lkcndbry>?bGD2qu!XU|IlY&0YBk}jwIz;4
z^H1zZyytjj5c4qb5$AO*AW~f#q18$fwdDLKq34F?uNZ#Ahta0Dlt50HUhBN{T3LSy
z)mYYSJ^Qa1R9uK{CC@n|*K@iav;VQM*a_s^n?+i|`VuTDogUX=7i15$(_P;{>_1$y
zInSnROJ$~uWE5b%w;-A(H{BS>Xewfq+W3#sqmseyBFMdM6>oB3R1(HZ0{<nPl_^)k
zL~Qe!Af+WO_A=$KO2+a&2BMDh$<~iW09N;)a6Ud0IzyIfRy(V7$dvqn+5OwJdefne
z$Hr;eCp%5e(K>R@oc{+87;HpHN5W?k6cD_!Errk4v9kp``;)8d54xVtB7V&;n*2>l
zok0x}_I|$88VA!S7#8A#zcwY&0;RyLCrHCk{4FddKeH`H^oZ<om2Zr|Z5F0mJqSr~
z@cOhxM!eL0&r(AqqE?&YzxQyra!ueD2HH;)u<?hvf(BPlXX-%|nu|kVc8<AEOPJ{d
zwa>Qa4+*DV#i5r%_c{(H9Z0J;!7S>u&B~i1ER>NF2w^6UT+iR(O7a{(51L98;HTB%
zyPyEfiGjfuv#-`UB@YvKi&ehWcAh3uQBGUqFel3(3_0Qr!b-A7xJok5Yo;GM{A?AG
ze^eq@Aut0H3;O!|6YOItPS3D?PrQR@mTF0>-u4w`%E`o&_Dj?9@-EzGy>Xu+=p4>~
z(6pQW*TDUkXO+l1>I*-z8dym{8uY~=xIYU_b3>W%v9(mu8D4PUY^;GGLCCQ$E4`3b
z^c-w%G?ilG36Kz!hans7AQI%mzu*9qfy&zgkN|C{eGLJY`~_tM9a&L8%A!nWkq<!M
zCHv#Y(aZ)3d%@d|b#V6i@CcNQU%8M`w>B$V4BKG^!4#?E|2Y>irMeiTq*|8r>N7>s
z22S_lEt2?yC6Gd<f?%#pvu3X-<k0N2$@x8oi##mfNiNp!q>P*%Q7WX~*lc<~p?#0K
z&PI8^HefC(Z-YbhJA*B+uHgTv;}TEJaHb=#+3PDZqR!P=EII{9BH9d0%g|<2apb30
z#cTzelAUbUC1n%9Ow|#yS2hj4TK{2cg^B1XY$8t_y1=v51G@qXU^5_>;*`5{XvPnW
zK>D|mBzYohzyex2KY~2P!LfT}qp!(Y^<3RKP%e~S7fx3u_=n+30Af0;qBZ5}m3i5!
zVnySL_3US{?C~M9+?qN^*grRp9$~^S{%xDa25rjIJR>&>@mjk#qjb0cL{;Fw>nA$d
zHQpJaDhVlUE>v{T8|17W`L0k8V{JlxH~!AUsco$>jj<W~X-Hfy)@SA2iu9;~%K+h`
z(Q>wCQ)kVCM{zX>WswL9E*Mrj;n(QJBkAvSt&o7SCTEK2fhIy%HTZ=gt_d@^W=43%
zA>2<m2q^~*vDB{~FOh-BG9M?rl_AaNp0Tosi?txt2P0@1W+s%&{6$uoxPG7qiB9As
zX@kw|hvBpR)6i6&l=)>jb|<>-eVznc;CvTFj-nG@a4ekwOo>CBEOHX7A;XLG%>3!*
zi5gEILOGvq?DiHiwx!w~WgbHVp7>cGPX7SV>A8(7ZPf*e#xe91#WpVAo1PjVWg(}K
z9pw)S^B%N$bo~XOLapnsUFKm+_wEvx8tm<D(1~Ju+f1y=MUgV$4+3{rAhb4Qk-m&Y
zoHZ>N(nJN=U3JLPZ{7_{_5e>yFC!$p2x=TN8ywj!GhDISTbb1BdRaA1gDM;cH%r4f
z{)RvxZ@Wejl(h|#fuuD5wMv81mjWBir~!zYd2t2W;t>rP6QzT0XgIOV4f7k#><Az-
z^yU~qjzXJJeHm-|#BQ_IKXQsYT}$Amq-60oX>NTI;K(Zys+X$C+VPZsk;o9^P7bN+
z$3>sJPkS8@HEN95py&N|Zf<97Fq}Nja$PoFstEqM-U++(I`!%8BviQ0?hB|1SX>bH
z^wWUoeAiKGf@@omaa&=qDJN(^Hb`nafuP=KhJd+;P#aJgwtZ5;$)^2Rnb(I^2mT+v
z?;Nb9<dw$Ty3)Ak*t@)Q09YHWA^HN3P1aT7oq!q`Ei3tI9txA*M73>(cHm{Ar?7~t
z>)=@>7riSSA=+_6Z?uI>Jb;Vn_6mT`myQ<=3MLTNTjm_m&3(Z=SFB%FiVFVa2|u*2
zancNl;_xiO3>~oPo53GfQ}9cI7xC_d+AfwiM9L57G>AI@f4dY1??4-nKp3_;`SH}H
z9~n0uxZaZOyLZ;V{sjsv19%9NzArsO(56e-x4<SaT()35$XvKAowbW{mLhMR6zNx!
zWuHw?qzJ05*%R`Y&_xJljD2kyoO^r#&2qqMtV+g-w-8vED1c2<fM+vzPlm=8d`+kv
zNc*Y5Z#N6jw*eY^wuVDDmS<$x40WmiBS577boY|r2|-)8bh<-E+Hx*Y4`YSQntIyh
zv%E?beT20R?VTP}mTCCa@Kp;GUKhsb`$O1-w@(F>CU*9n;0%t}eTL59Q-cQ=d_q|;
zb><yPWBic|DBST!O4yyvsXtb>B<n$M1!^FUE*J^cDv{v@Rkq*Tm@5R~_#7vV9=^v)
zfCW9wI+4MS7SDzlCPP)oi{-lgbmg);Teo$^Y5YjOZynV9xIJNG85y?~f!xYCl82xC
zoXL3v?r5c+1+A7pMh#`jJZu`@8Ncr%(n>f3Z>eF`;PjS!Z6|fG@Hqvy8Kb{V*}wE=
z9}c&83sY=}doF41o45@1Z}Fw!$PFSZz(0pToFbH%qQcjyr>%Jt4b#eI3gPDrVPyLQ
zSXO7o3|`nH0R$xJMBCRgyZHp_C=(c<)0|{H+xU_^;xcr8#_90dNcTc2h)9nU5}xj#
z?aA~P?5YU04&tSqzdndcKVK27?M9Ja8ciEv1XyCCMu4<*8Fx|+{L6IxCjM&g&I3l6
zJY#avP~rKib;3qCQ>aaUfavbth#m*A6?;Ewb#f@z=S+N+7}oZrE6^}L-$j$bG3daN
z@D`tCurg)d*(AcVsKJ+l<wFFN^4)k9n&E)5Y3J;PS!5PTbNNx*KxMkNQs3Yf8ZPs7
z@xF<Ymz1vpF4<C6`T{D|KQZ-0Dh1~iMj}Pw)e8-M0fbMHG8>?m`EX&<4a8ArOlPb^
zWA9=FdnH^IqQ7339`8|-^mj4K>d6>)vck(-5X2@DNgHq~anpG8!MVP6y6HVY4_JK{
zQ}ibHUrhch#W(W=_0(G{#;rMtGx;ihP5|{J576SMwX!kpTPUR-n)o75ZcttL<lKKA
zQfbvux8v?Kx&LrdJE0^%=bX0288h+V>M_HhRPlsJ($fPZ0j2?psak{V)X@gS#z!os
z=j=!bt;+S!ymC}8N<|C)CE|0Z(99S&@z8FNv6!Cb7HXi74H#DK0w)75F*l6UZ$pUq
zn-sCJ0Uc8XmXMh9l&B%@EOTl}T0xL;kR6OG`OQm3O&Rw}VKUd-=cFz6t4%Fm^$`qM
z6gHZYqdQYpqIY!rhzJDQ(9!jX6e00EQeq`t6el<H7u8ECAOrCyLY9Fufq7;sL6u1P
zj;_NN^aP+P)oH7H5+4f_6I^%k?2xW(Mk&>BLHPI^ihYE>@9if$B~QZY(GYJSrjbQ{
zxMB5*L~wZT%-u$H_*@Qb*^En3@S?nX6g_@xJ+vtb|3xCciRUH5^*B}HN0H+ZO;h@I
z&6m#fW;KQD&4db`W5hrq+~7=4ybdblAWQ^A{JMSv3;uGae7&Wj5FY@mCST$?(6`E)
z-+0TS>ae?pEJ5OaWmt3ONyK-++@J0@vUE0Lq{Y8uI+M*kbb5zTdePh2n+&XEzlwEe
zzfgz%RKt%*kZf(2Y)gS59a;n-to=-`X$F0l3n7R<1_!Uf`25z5t{|kctw3y?J$V&p
z>`Fj5^ntz5IaPjnZT{iPpe)gOiOPkiQP5`6x|1KL+>+POlT@!d{{%Hhhu}^9L)pkt
zz=XOg+bK|@fYTm9gc!Cck0<Zz*}H(fORsz^GHa_<lDwWcAQ?(Jz_Oye%#1WE%pw_Y
z|Ll4WE2*AaGYp;w)-bXr;g-_-)HIm&`~T)0xV<0fg<GNX%)Szcv8HaW+lQmB>+GD!
z^ak+sSij_I!2LdvaVh**@fI0=|9t=p|5Kegg|f(0uzaC*ggRjTOTh?>G9<>O)#rW=
mgp)CVH)^5O(40R1<24kMS$zD%5J=ukpgAlzok-+9-GP`ylnqY+

literal 10324
zcmV-aD67{BB>?tKRTIz?XEI5-!7nZ0?6u;+M^WKg0HYZ_MP-{$x9BSNH474|Pylv+
ziVhF}z)@J?)^98=!~H*?Ka{)TBPKFam@RC|_!ZI_=FVl+$D7RQdWI^XG&rgs%+H&^
z$^{u_9kF!T24;r!d8B$JwLH=Re_Ccj<#AtVH;|Zyva0DT<SKc(C8wjA3GK63f%A2;
zR3587h%A$6ve5d_{`bJ|oU==;r~ka4Dl{A?qrb%3g=MnW)fs(}DPUNoMV@j}PQmNg
z+{!YF6P?RwoN39VO{Ny*)^8(fx5r1PQ}0uGXXXH@Rrm9gZ@Qk0sEQC!`9~$sUespI
zpEp&5f87ej=q}KsELH^oKbNApOzLaxw=mrUtx0QWKj+1YZf4|@+$>~|rK|Rq<#yLH
zzt?HueKUkJ-HM#WYELV<g^2i$BIoXKCsVBUBbGOL5vc3#f9z9RKBax^WB-yn9RxVR
zrt(DP!av*hi_NdmEC%m=`rbY3)#tc$pW9-%ge-)p+K|;z*2%jyKF4nL5gBzX5<I;h
z+TKdu92R3{6f5Y?Ln?cEh5wJ18=A1f(Ej7HodFzwYx+hAaRfqWyFjF;b^rji6I!Sy
z7ptH0^5B+~ML2}+;=XWeRbHKOk6sg#X#*JuH-DFJs(z0lmzB{-5J|F;pyUUYr4Wz2
zY7&q16xjr8_edrp%qQ;k`Vt-@L$@f;X$y6H1#@9&Oh!0A>bcRve$Src70y*~fHY%R
zVC;gxNUwYe`1qp=b+HNN3jCX71fUYZnAn;Zt5O}vTMRxMZB+S$rq4X3uHW@1?_!M|
zzDMcPlr5O5VUCyHfraz1f4?rxB1&vzVvbc1h@S8cpIa`#Go(nIfIOJIYS(BRXX=-W
zue$V^WS03?Js{^RTHh>i>Tk^o{Pzo?5!r~8hyJTRI#fLeZj$q4iE%lK3{9l@qvBi{
z?7L5+k_F9FjdoP;V1lHar#R%h=;8q&9c=f7f<tgN>V=M%tE6;A!_-y}8wAJt<I>pP
z*Bg=<^xT_b$+lBLm%;9iG%$*vH4phhI0BezR{Dp9*SzsU(>3^SG4oX3Cfvx;v86>t
zkmen6oy)aY1+9{@Jv5H1Zb#Xl@px98Qp#y`+DNZCLm~-TFkZZ?B)C5DZ%=sJdfLeE
z!GN-sxn?3KUmtLJa7PhUv0<~|S?<kn3lA%&!hp*gi6@B*BqSo)KNNu9UE8W~>J8#e
zQEl}p?*{1S!ygsUG*REBE<MN%vzOYcxK-}ObNWd9>kMGt0XZ-NLnTJ7859{pEmA6b
zC^f<Bn+y19OV&ylRs@o+T^MCt@%YU<t(BDC-^Hd?1Q9l{_nV4)<+b!--34weiUSVe
z8iPQR&Vk^aAQldg-eu8m<agor@wbiuKnWh|&lf%Xi6-eugr_Zb(DE9tG^xF82Inyp
zvPvX2sRw98+rV-f4%vTSSIqoW7juXDc@L@nS!E0-t#BS6i<g0g+f4%!)z*n8a^EJ0
zmNd5+ZsNVr`5U<2<@7Krx3Yb}<aAkdu~5`IYUMKecnO?zX5_;H*)pz>EC)gaP<)bt
zdz$Dh|Iq<Pd(2LMH3MgGL0CCZbKL~&L3oZb)K~5G626_%I!gsFjS>;d9`>oR3MR4i
z203>8CKu7|9kjoG-~f<9eKWYLyRWXTu;q7xZ3K0UT-^|aq3+FKpS9nWnFs5~_aRR?
z>sWfz5v>Xv5h!y(i(h=wq?dhi1=Bh3;5CmYWctPC1jW>-$G}?>{psJ(RA`Hqjf#SA
z0DJ<L^AuG~UfFkm3BegodDDz<Rv*8hVE~z_0f5E)ivA_@-_9($J|^V<br~s;9zROw
zEGB#wI+Eb(e3Cu4@3+00T=OZ3pS%^iAUY7E%az<f2H@NXP!6KCE+gn%@nsa$?Lp#>
z-|9IR!-mS+6h0RbORg#kk)^)xVCGdh7dkhIRlb;&f!#R|f?q{akK#Hh2=)CCN@*n1
z>b4aif7Lm~ek_LU3<d(?`lMbPJmtlZ2`B;c=*=CmmgX`~arcX=#hu=m?E?5BpiiG#
zNNL7ho_Z}pgT^EDK<v6^-5O$e5iD=`4=k5Te~Cw)zsl@w2rsxU#DF*uAoLNz$z+%y
z%M`vFM~I=nVQ)Pc--gZpDY8tJx==vp2hP2^U}>cPE(cz=s3{IN0`*qk=c*-Go%<U`
zk-dDtt$4KEl=W*4_eYPgg>67SP}cqMVnSh@g-rp%J7ZD&^dGjj^^;^5DpT5_ZxATI
znCcx>G}l8|l{cP?&B*km!9kqGk{QY*Pw#}BcZO*PCf9I(nG<GkBE5axU`l-EGC}Ll
z@19lXmq6?XG@}y0b~_jr1`aT}m>mVH`;LZ|5WzGztKlKF=+6E?f|Q33OuP0T6~r3L
zU@_o~v7p2J0*Hcg+?7a!Da`JB66G4dFUb@O?eQbV&Mo;ayR_G8NtV7*>{x_&Nt1wx
zo_$JrJ*7?vE$<RewNrj@05Uzy|2uCXI(;4Wu8P-u%Zt*24P;I=a>tD(D%jbWmZhM%
zs00x4I>i0VBg_uDaO)L3LLgI7gJ-nZDMqr7*PHX0#&$i~Zvbk8+Ff)5Es7|gZb=;E
zwBN2fz#Zfx9C@??n1Ir!nDBPZ7VU30y}?;FaW|ObTkilP`PESyIHb}60Zo!Y9&WSR
zqm^$z$M#{ZlwU#adnRPUo{W}x;@}e#?1tS_QA-0ISsEAKxM9U-9=(d}SpRSgoxPPZ
z%sTkmp3;1_-@z$$amAAWQQvPNHX|z<F5t3;eFhaw6vgdH_2q(ytq<~ueSGi?xPhVh
zot=YwunLoA9YUL@R)<yZ!EP9w+^XGdNw|7im9odlKn#L;!luH)Cs<)sQ#Xti$8xqO
z{sJ<HcAjazCa!R%>>>E04JN5_QWzk@JVo_Vuwv3p&l!gtXWrY83~ePvFf+JXmnQVl
zVl8r$+`nxRw$f@EG-Vc*VD#^N_#S8HWJ6%4Zfw(f>u<r_2{GH5&X;4%(OoNcxI(RN
z@Hq4)?}Ga{a*^W;AJ09xEm2P%ajQ@HxCjQU(A2VZrM7K$M}ZAeC4}Vs$IshBOxvm#
zViVH956|50$TE<K){m(+EX~u0Kw|~WiTBZ$z3aMksF{qU{ju%Sc`a((4sVYE%_oM9
z8Q@L2%Yj^=GiO-;+4YJ~XP%eT8T@sZ2f0oUKxE?)?_R2H^NS60duXQ~JW!m}Gn;^w
z!Ifx)SUhfoYgjeFbM|v=b{YNUz;&FL(Pee)NOZxkNf^D0JSG=}!0Ah2EqW=>hGmP9
zVq&PQN1xh(Kq<gsL+iL_@`QGV=}uD8pEs$QnUOQ!l(p$9bZmlS+xtiO_azZKujAdf
z3C^Y%7Lf3WZ+a{jyQaq|D<@IZvDJNpdiu#5oki6Z2#_9B%-@2g6m0L{AjaQqs9eM=
z;ZsE__{o|?O_Aj~8jykE+7<;LP}ZU`5j$zxOAT1NhIb8E^1rJUOqfTIRpt)?i^7=+
zA)B|q;Zt*;pFWqx{)=+Z(Bg_#PO+~n)cT^l4bs57sW9UYHzPAYwu@%Sc#$qDXV*Ob
zRThbFW5A!>Y$gszuFW(RqCa72KzSh2GLjl!dhC5@4~v%&W91(9(NP7;cp|m@ojeRH
zPTUQ>JPgbFdUSO|7jYUTP8sPjHJ{G9ZTBM)6ZBX{qnC+M@R7pLZ{un?vt+~Of6<X(
z<4NaNJrf6h)95l#r>UQp!3l3ZY9EGyV@Y>&{-!nRQXK~Sia!%&NjEcWaS;##wJy3f
z#f2kf@d0j_z9ps2(lBE37uMMzsx?HtNgJuiSdSx+RMo*a29kw~K}9IGMaT*8&${`f
z$qD#sVnIkFcf~ucM=lV7y-+$I2K3!Z3T69Oq?Ysi`~ONBzme#i0i-cI^m`Y?Zbh^0
zA|sl*p67*(jA0S46pK%0<>u_7HoN4#RX~!#ghO!#qsJ0T@}K)Mg#kF@FUeZs&uz1-
zOE)0_C%R^Y>jwR-s1~!mrGyXv;fPuoDP2*7w=gw(iy5X=H>WC~lmoo?Hj@a+bVp~o
zOdHQE$8#Q%)F(Ic1*KYC^Cc#@3IEDCvNN8J{a~^nA2}ab@W7ne?-aA-3eXiwft*f$
zuw6DJ=xK+1e#CR4S%Thm@L$Stfjs<#_T0OB7ZRr1C{#ZD#MjqQuF@-lDg<F^nM0vj
z>FK82KeN2m2ySetBYm=A?Je&zMk^qQNHp;*uI*e7*v8!_A&2tGlNt*9k!hGdNM5bp
zxi;Go56ac;9?^cMkTrX{GF3q!?o|OIY1mX*n9AmXX*pkAekq$8^o7%!$zUvfzsD+>
zvR+D+4|P>9JA($aMKMC=175K1%KLdRk5(0N4xW)bV=|Zi1qic4dRl5AMKkDc2DbtX
zl&|8OC3eDZ$Lpmnv#apgNmuR{M@o4wE|-QWG3Pw|wk%^7vMXNL(zktdiQLb#y^&E<
zBeHOLK8yse&@~`|c%4K@WWH;k5FhTQc{hqC-%pwlM$5dn%5(YPSLvNKS$ZJly@S7^
zcR(;TitI{G*FP;uwN7)Kv~WkD0E9Olm>SQfCX05xUM3!IrpX=$xP*;(OQ{ndgStbz
z4JQ1=wDUv?_*{tACLI0&Px#Iein$~x#Py#Nm99ZjO()s9iH<}t?FR8v!z&BjGN!B_
zemg1`!}ak}t%!`Au?wJd@7>iPWDQfBEyiHbc&*Tq^r&Vdv2Hl2>|}Mkg}Y_bvNGuv
zTS)l6?4?5Jg~Bo=igB8mY0?bfRA(kJew;LwxzR)K&xlQvCp(AAepq?{$fIKDJFveY
zwmx60FcBZxQV;5uxQIBll9xN#;(_H{kaoK6xh5i*<P=O+v3?2^wkNEOuOPNwb3D{;
zq>Tcg_x{oDg>@65zM(3ji_z<R)2*>a!wm{pV0}OWA>KJ-CMeZ1-=NM=L_l0m#=|4-
ze?5150qh5-y4nci))ejncjIIJ-8(KkdV3BYt!w!<^VoC{Kst&v>2dgF(3rFnsr;sj
zJoqRYpJb^eaP`)vQSL_`Tvi_j#k%nN5IFvYLhypVL1w>`+s)kBt~|hIZAzf@8oyK$
z#S-C7=6p5EdK}!o+_kUqnlOwcZx}^H2C<-la4@@TLRkw+`N^j}k7S8*sEukzjGL}B
zOQqz@V}9zOlEH4kLk79LCwCJ*7u8x`&IDpjcic1C?%n!&P`-Cp(mZO)c&STX)#$xZ
z{y4W^XAbcAV+{Cg`npI9cqxr3wX9SDpt=Ho2sdUp@FZ6rgmV3~CXD>Kq^T~-f6&@9
zM_?<(yO8daa1*Clp5jVb`(J)w2^CW|dD6w5r$CDng);{S^^lRzpBbKg`tgr;0vxci
zSKR-ogghX-G2uK0bi=UabGpEfZ=y82GImWsi6k|)9-BcAtLnFx7dx_a+)apm^Pm@P
zi^B1a*i+yjPa@iRI-Z>68M5@;VFPockDyuFH<xswd6{5|S40u!dDb-HZkB)94Eu?Y
zuBzIT_hD?q3TC92n+!d5rmU`;6F=>fHOU>smu!Q`;<MRG0XIa9yzu&y&^O!{@|PSN
zfn-aRkZ^}A;VQhy<BAzgmKV+&=f9-bT$%p3SgD5<5li#Lw}zNPleG1`yd(fvcJOnd
zS$zftXig~X#<1gu1=pzPAmrFeliY4w?-^%MRW2HNCmutHxStY9w_@|>^uyW$geI-@
zdkh<hcQGBrZSGvW>%J8FDtl?~2d~eqPMAw~pjGJ?^88OeRzYWJ!C!Bdx}ri@PMqHZ
zE<cDjKkc9oqyET{ShW(MkAVBU5*xh5XuQ&Oq+WtHDxqtF)kKOs<0*_UJiOAFgHPhl
zNl;U)QOd(psFx%o8NQSMSJ12!H2*VY6lscOq1~#OCt<$w+1DrV=a{Wl8;=6D9xGxJ
zl>E9{0J`f46Ud2w^D}050LGFUTMgf;KP)NFtn4@DR!KKR$$1e}A$A*vrq{{X=D0AV
z0!dbT`!6mSNWC+?5m3b&nZK{MTm&TVH>ACzxba&9E_rI)<~K<!##{nt%nIv^pjuqE
zG~@&cDVl3M!#9tuqJ0c9hl~!+2x8wF+XE{NSg}2cz!3(F${HR$H#fuZ*?K%yiLA9J
z0+7Inw}HV^_w&||?)ji5WSY$u!J~~LYh_Co2ya$-5)Zz009lX4aOvfuRmc$!LhLho
zbfra?{v9!l-yWZt7SIY!``mOiyLeD=vCN^w%W!x0U;6<7_}1TY-7^!<yJsuH;ghkP
z2AmR8&uKy4uKm<4WRY5e6*@@Ga3Ili*zr)skFQ+GotgLnMgJ7M1YoRBp3{r!E)HP%
z4v+T+wo3B`axfcilge_JPV4D%v{3(4%H3JqZOWm)lnqNfpYb%lZWVX)Bj@yJ6VF!g
zOYwbt0^r~QFhU=bPoT-JUK-+9t{vW;<UA;o>Lsy~<AdD20eNH}uoL3#^D6oi+9*Sq
z`56W~qauY#ok#9%GRJ#ftjH@K+G>}UAb?l;N$J!U|C7aF*GMU$1$nf8?H~LPfwun%
zTJ1FmA}vKePWXf<!S<&6CtH{@)tJJUJqVrsg}g8xmYJ>a&!VZ)YgQ$vXci9YNb&0#
zB6cApea7RGogTphrS;ghQK#yT=ddgQS#kjy@;0a3O2P}GO3}7@!O{wH^CU27+Twn;
z+cKrHo}Y2St1)d-h+GViKo_N`=@hl!KQ>641%nME?+i(P4IC!bv8QO<QA8x{`n=Cw
zaVu90U}w#e$Tq}o?N>Ll>ZAC@Aa{87{FSlNuXoM~``^eB7%5-L<UnGbiO%A6yUiZ@
z4~iE8c!hwxPgMJw)05Yd+_wp;O#ZV$(eNOL#sjoCQd7)#!%mk}4PNtSpD;x9Hib8N
z{JsL!fyn`aRv-k9P8*C?6=lQVhUl69Cq#dRrt9isIM?I46=@d-n6dMVE|&NCqY*_=
z0dg^liMbzgqIA#8N2(M{C#G>lSA<8@ZyE65rqbTHW?M5^VHrOD!6BXp2OWwAt=P+h
zG}czasMtTw0U4tMz@nDm7xi0Jj|_I&ccpp`FyO`HkNxc^lH!4k8Jeq!&#PvtQ8yXC
zaESY_w2nogl#P-Rte)2_?<LBeoDJ{3?Db(ulkydQR;Jd$!=A6F96K5RX&h6FZTyo!
ztft^INXKUZg_{(PSPWpXgR}a@O(k9rQi!sj2%{z4Ve60(0+59bR6<7hGZ~~Tg5dpt
z_oYoQ8}8PRdXOV^**@N8MW=BOXl|^80a(aab@Odew14xb33G*2q!917IDIN>h26!x
zr0flbac@*m4NWCQVPa^?j_9$-%9_4;`QqP@WT8A%=elBK!R<`$V8zE;NL`hNr7^-|
zYG4@=<xFeo-vyG_QScsw7WM1*t1bc>ksty;-f$y7mLITp9@|*W%Ybfc+dUPYoOEZY
z7&7r=iF?(Op~)Sc>P==)K}1SEH&+m(>BUHMPKgFp7V{<y2X5Eii`Dz&iXS_%z}@{+
zxhaK(u^*eDJU@F1raW~1W^~&T=LWxLR9(5RAE2`s5m*kh|A%25<}u#M7kbnZED{b)
z)sxr@@Fw<`2}#M5$O1v=w?;U@w~K(+_w4ETg1r+R|KeCkH)jn)ovF0&lxUqx;njZ`
z6_e1reE)#F8GK`TW(&~&zXKL5C;`8{c0En$8ZNiXSa&ohPd3YS^B{D<#VCV&0@`F(
zdP;1JVsYj7s<u~#x0lkPsc9n9{Abr{QQe8XV(sk7ehe2b7AuX}qc!e*Lbk56v7q?$
z(Gk9C3Uq;S->T7267#D6W`;9GtM4L24PLkU8>721+{{2>?V4B<Jj@k?1Q`qof&4Zn
zvwE+;)fiW&2Gd;^E_Y>kRI*~_?IT!CWi~y6qb<InFW6VBO{AAu8fOrI%1b0tvQSR0
zGsWCj>SS_ASTn+^mx&CzwKXAkWfKK}JvkdNP{S%w9HHfw&c{je4TPKK*ZFM~-S&@;
zK1#=lIF0eEB{gs0PLFPjh;|_9&@okAdfnH_D6;f^;^<#Bgm2pB=`L+59DT1JGqFJ6
z^Qq*k;n!SSh%D6JE_&R8W1Q7;_3>80ck(<WxnLl!{_2q^YUtL8z!-GrBD{rG%FiFd
zWs=T*k?IekU*jXf<8V(P<skQ3|BMf{N57H|cjW|_2YpR)@9fK<c=|jM4lno~dcLo9
z+TdrSo&~qS2Yp6L^bbw|@=kUpEv?(<Zw`QA8}_$*37q&TJ^ek)D<Km2^wl??N3Nc$
zCOMy0tAOA`dyvV4wBo!>1NN#9l$K`MdM|3H;|0a)2+c&J-ZwAp`ATr**)SBm!Vvwg
zDU&3@fuw5*jDuGvu#)Qt<HMQ5P7aN$ClTby)sDp(EpV=uO30L|(Jk;){S{>&xR_kH
zE9jpHRNHK}SC^@Q+eL`GkJE~yD`=fzViU~;#$zs${)%7Aj_-#U_rJWP{(<d9o&HLH
zTq;u5{t{GUmz?@J2upx&i5zCck*zD%1G>c}*W_Ae%z=pZ!%;IX_Z+@A_jEnVXk0Gf
z;CL@8LF%qD;?V4A#etov!hI<&lXdVLgg6H-NKa3s&Glv1aXH22CPU|x?G0Xyw6dGa
z{v~?)rb3gBy74MFSC1lavYZK{qNviVG<}?-;}PO5QUgNOJXwzstzcS~4>bxgYqQpr
zJLnTh&FK(9GRhH%a7QD<x1_8jxVczl{)+!hvfjd+Zl1?KS?CnujOtSx@^^oq>y>!&
zztEad4B>=M&W(43%miD*7J%#;GdxXLD0Ul)lx(qCQ*=^bV|~uv^Bf544sO;Q!+psY
zZ%C(J8_LzEUJAo)YD0#iV4{Kc@6jmH95-i7jcIBJNQ2M=h4=g@qhR85J%!)qrv01l
zShsCUtGhj&x_#IsW*RP1mGRe(scsc0u#4$9x=!Pa83(-|e571zvNHPix_M{)#0z`A
z%BLmsLCm4WNvKKRov*u9!Z2VsWPxp6CYQ5QeH_|>9g#y_^HNB6$DDIT&pdv0Fu+5<
z+W>o)?_X{Lul!A`<=u-%+OF%-X3R6o2OiV0*Pp^S;){ey`iHAD7v&jLg&Y6ibY(lN
zsshY!ASL{L*^}=#6>Zaj05nA-*y-&?RQt3yR62+hc|Pn{!cCC>e7JumEfWVllrjss
z`$faS9A#4_f$ddA7BMgudFXXlCF0nIqTIB4OHEDi*TZpEfJ&MH94!u#9H9w`P{dCS
zuVL*}%ubVe%XAP$_K|m3sKraq9HPwpLNPF_h=~M)g$^+R<YlFb$S>>GCss3K32En3
z6S%}Kj`Yc%8YF8P6G!x3?#Rn!8Dv~8k9tn2Vyx1V9(0;O?zz4{5}m;C!*J6&2|MTf
z6yUwQr)Brt1>08uj#y|Jp({F_Wi^Bt?jW!e{t8?>SpRQdmjorJ@KkV?!!vZLJ(3sq
zRU>3$<ghuwYrJp_-N`bpKo-nW(U)H##9sN)DA2zeGyO$DW`>imP%08u%HVM@ki!IC
zJ`xlwXV2zJ0))()AL@e4=(r5ji+}RLObAf7So7L*PDFNJv9m))!J_haG;9L<Q-2_J
z+|f&N`OQ3yWE`Lh5fAi>WC60riTNK=YKoI=`T*jcOXx6BrG7l1dn!2#h~2--19}IC
zJTkrU;OaIu&h>+L{q(pZ`y|FQ6vz4W|9G&UU^tjzn)EOxSj5qkoWz6O>J4M|B!dCb
z=@~wcY31SDnu7I8zec+R1(u~$i{}j+$d(1IgWh|n(+Yw(6@$O#le`(ubTtqeAvxwv
zgIq{by$h7-OFk}u(aFO-l&@4Ay3IB&y#~^>14jmN#5jGnIGD!lG1MN@R4+_}u`UZt
zy$de`i`+(CoZr`r9xN(~xns;fi*-18p2AlvkcMe(#q|n?%`%|)J_$p0hv+{)pB!B}
z>?k?)Y?h3-_mGes4^B+)ua*lG*w<-&DCUGB5o4fR`>HD|UTKhX8er#rJ?*y#Dx^zw
zv>7&8zVwM4uLQB6PL4$Rp?*TGd~)t=h9~bvuI)L7bXd6v#s?OffgvlTiy6KcJh%%G
zw18MmT!!#L<-sr_<Tx{><}bUPYI0d`pwNhFkt-WW^GIr=lCZgi{uNn8B?YWJF0~vn
z`Fm*G-=L5j%y@pHpzJ-JIHc~Vl!+{l?>Gv>FP$&eVB=Fem3j$z3^vKrTcNPiZL^p@
zb=moh*GGwv8fjy;WybC^0ItZ!4(GqU?M}Uos;!2@7@347$550>EcQR*#oN*U6pV>j
z=T`!&L-Q0jmVpzEaCLEP<$ae}>v#$`FEUBqcD$yFw^XsnBl+64j10LqhG<F3Pkr%y
zpi-m}*IDgV(|+2&NVTQ`1NCr35mEk=M(V$MmCeCF`s@!xG;ypc+q&l+hAIv6P8WJB
z$M%tN2XIyvw_9k7VPc?K8g%tv?<Cbwd`MS%iM$PbXT!u~$x<OAz}>!x2B6J&)jV(9
zeSS0Z+F6)}4W=-pHPF+|*_mW1iU+mVX+?ed#t}bT0S0!v$Pd$>9k0hXhV33)ppq}4
z!0s$hQCE@{qt7@;7fW`veq>Jj`(oCE+I1n=v5o`TZEbP~>rZq-Yh!~_W)q&2f0A9F
z>}ljBkZ(g14y7Q1W0*Ml4#kbuudLXGQ5O2v>jI5W`0JC5K_l3jP5BF$4$p;r9hEp3
zO0ltCsWl$e@viSfPXuo6yWxQ8i=W_vwh*^y$VP|%v5B-FKiYbocAhCmDVSd$ZG2kX
zl0NcN+SEI>O#f`P`+DhR5Px{ruX?s03uzFuBQath)M|FpO*oF5Fkd=745<#J{mNmy
zV8?)nE`;~msx$W#fHR~A!I1-?_RQ)Qbm=y61jwQvx>h|3J%rDk?GTQx=?V9%I=fFI
zmFAElPw>j3SQ5-rbl5e)(QHVXh}hq&nb=Sce}<=CxKy=>)Zm>HnDU&$8(J5R%}JUv
z1qzOGPDMsoT~M6%rhXPgiTmvP6cYXj0+MB~N3en3qBcz@X!|x}8LIF6|0JKaj7O3d
zSp-z{z7HS(Ps=#OkjGt$u>}(`pJ47YzG+*==O`RFh(V}Z-$(ky{PQ~6QIig-YfLYj
z<REn@99UDwWBi61+{loJ{T+i;M?Vc-;|`(~<$|pVcNLcwC6Q1Dva5w?AeJz;x`Cn!
z!56%{IJ8;1^OcXQ$)?&@ThnC?q!`U@MDM%@ok+=LN{^7M76cqjqNrZH;x7D!>%7wK
zlABT^_BQ={%7BjI04qUGn&!SumWogj`<z;xGY^-qM0|YYQ|^A^kzrH3ycHD}Bz=Ld
z`q6+Jw6PWI>?~3@VVednAi;}FvKqJ0GkAH2o6gwapjU_vml7y{u8}l;br?)U+C`Xj
zHPIc^i(uI3dN{(FRnVVd8Tfe78xNrtBE||$oY5n0-@CLiP`yz~4ug!vPCH9u$j*Mg
zi*hEOU41Wwbl$AIj&7M=q|D`(?o(t!v{!#bhH{qaCyw6M_>s3yWR!J=hC$Uf!8W2e
zG9AC+(7^3juUoFpn(tS^^e@uI5`{x9-&ZT})`4t4;8-2@MfPV8<!8n&mHy?g2tQu5
z@qob(jF#$h2rt2+Mb_vdnHUgZurXAlk0Y3Hq67B*-W>C=!;JD1BPydWt%><c*bR?%
zEU0j)BHCbl|5)7Y@cqi(&eRU>6~nL=SF9*%%Q8E-vWdBSVI<xb-QN7&LRe}rRnHhs
zG4MiV!h?R=9%64oqb#jRmDoF1Xw_?xPAS1qr8IX}lSjg#AZt1Jm7%>)X$^$8Pli;J
zqy6#&s0#(S@Z=CXShv)xYOgg?<84Kbl}vAsdztxE0R6_8my6@N8omHgs}5AmRN#I9
zK~RSan5Ni;hz@mH$B24I1Xsn?oJC@nGAqsT6`&uO2C@eDYP+*GX&wA($}T>ImyR3@
z!1}hl8h`et7kM$iss(JQ`_QF{IldY_p93yX=NryXt>ZVcXn2(jLNC+4P8bl}SydWK
z?3Ux5?ThJv3E^#a^2o8{VyZCw{2EGSBub$m%#tzAZI3AJE1162E@r@{bx!G$mD#g$
zn``Pe(C+IlCLE$Ul$ux!qkBeTCcRqrO?T4mzxg&}CaArcB0DjyM?Ewuxl%Xy%h3ui
z0nc|%rFLU<lsBIR4lb4J<b_JbW}jJ<S!{I0F_yj7y>q$;vR2F=kQYUdfct??%b2mv
z8^<>oEDIT568PYb94eqc0dnrOjcU!`kN1W$oeSs}&Tcpi&*nlZHj-vs0OuIgL6Q<g
zP@Pe^S*)nmmz}`xz|ffbks<jEeXSKP=~Si%LZp>edD2JTFpV+NbH>C=i8R!(uT%g$
z!5}{|jsc4|Z>fX(P50fw4@UX3`I5vZPyt=N2Z+c3Nsu2H8UJG@>>Ml?PT};8SBlq2
z(~~VSbr5_HiR=qY<Nl&w_(}Eh!sMPu;Kqa${+nE@ql!xs+fLsdKSRMGw<gM3Galp_
zI!OgqIi7=FJgEsTyAua@{)T0<G~V)=os9bJa4$KRD`sd1jP$W9k3K1#m*P;573iDe
zKPnvYAknl2-`pVOy^wld^sTd|iI-u~#pb9$?G+KMl<l;WVurXur0#pdBg~0eqy?N{
z(_NktrTAF7Dl+PV0wHW9QWYxCPb(u)Lz9MFw~tch6^ci`*Oi|-{O&a+rl2Tv#fGPU
zi%|pya)2faEpl<r-q|yuAIFu~JpYcaUnD%Qfv0wTX+osCuIG~~9d$h0-16YvRHQd>
z9ZT++p&n^%fuVK=L4(bRQsaa<Sz^1V9ykM#`SxqM%95kDyuzB4oO_^*-a+j%yMl=l
zUx%Ez;yyitq+21%C{_DPQ*y7gNMoj`2q2TB^c(l)aeLzzyhz`rT=MR#SX?)xiMc+$
zKLjt*{j;Y<5864?+$UJa-i`;AzmGZ8JgIG5#9SW5U<{tXv&slKlk}zo3rng_*J%zM
z<K2pkAhYP|?c@$i2*aK-AHT`}3E+@2*(WdKMB_+RUUq(Z8BpT0D(p!3wB&Wk?t$<C
zpN1cPZ|hRtW;c|t)F=TGW&m&Sz*U!7*p7r4Q<E3?NdZWlY)(lh+v>oQ-Z~F)@JTU(
zY$0gJM}R;<F-88eAB2BVmeDVcFJvlZjVC4$3MMM!1ajvX#!n7R8g;}4707rT?TolT
z7ku6>#50DUq>K*)736npvya|fT6-4+Bzv`5xP{e|!;ifPsS}CGASXh4aV?MF`yW#P
zF^#mpcMc`11QZrni$|{8fnePN=N0Ia0|1!Kqls16<BNh!SZl_#V38DnzON$C%~hz?
zY32>e+bWBWJ=Z5f`HQrtxMOYHBpa$}rH-S^#^^@WYu7<hs(eMo4kUANtjL}XK+&c-
z+lqna!(~inYd!m)WuTj_$zQ-pEaCPSr3+vvv-n$Q@~lUAp-ib-%jS-0D$ojevKj&7
z<3dL*zBqPUGNeCv|5;Ls9wa%KTId5HTKmd{`_`wAef@<l^V|@7wmeKBtq}NnC>ax?
zx)02x@+j0uM;CN+X<_N-Q}k^)uRCmgbs9$4{(qoUd?iyoT`Ze&Ph9H4s0xi%mhO#6
zTm{ggll%!d8YWQrTX22mHZ2!fP6?)~ltN%J#^aLO%9K4)t;PNg_%5a}avKWdfDHu_
mKGal`NiOJ(dJyVdvx1Z1NIqTODvoU87-x;59NuORu>vk~-Uqh;


From 7a628e6631418572cc8c757909f2bf7d2e2a38bb Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Tue, 30 Jul 2024 14:55:56 -0700
Subject: [PATCH 07/10] feat(auth): Fix style

---
 google/auth/transport/mtls.py | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/google/auth/transport/mtls.py b/google/auth/transport/mtls.py
index 34bb96638..1ae9b52e0 100644
--- a/google/auth/transport/mtls.py
+++ b/google/auth/transport/mtls.py
@@ -24,15 +24,11 @@ def has_default_client_cert_source():
     Returns:
         bool: indicating if the default client cert source exists.
     """
-    return (
-        _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH)
-        is not None
-    ) or (
-        _mtls_helper._check_config_path(
-            _mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH
-        )
-        is not None
-    )
+    if _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH) is not None:
+        return true
+    if _mtls_helper._check_config_path(_mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH) is not None:
+        return true
+    return false
 
 
 def default_client_cert_source():

From 94422121167379972e8df0e38ed88f4d431fc4ee Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Tue, 30 Jul 2024 15:21:14 -0700
Subject: [PATCH 08/10] feat(auth): Fix casing

---
 google/auth/transport/mtls.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/google/auth/transport/mtls.py b/google/auth/transport/mtls.py
index 1ae9b52e0..58061510a 100644
--- a/google/auth/transport/mtls.py
+++ b/google/auth/transport/mtls.py
@@ -25,10 +25,10 @@ def has_default_client_cert_source():
         bool: indicating if the default client cert source exists.
     """
     if _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH) is not None:
-        return true
+        return True
     if _mtls_helper._check_config_path(_mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH) is not None:
-        return true
-    return false
+        return True
+    return False
 
 
 def default_client_cert_source():

From 22592b49af5d1dd9e4319305cb7143b5b1eadfe2 Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Wed, 7 Aug 2024 11:43:26 -0700
Subject: [PATCH 09/10] feat(auth): Fix linter issue

---
 google/auth/transport/mtls.py        | 12 ++++++++++--
 tests/transport/test__mtls_helper.py | 24 ++++++------------------
 tests/transport/test_grpc.py         | 12 +++---------
 tests/transport/test_mtls.py         |  4 +---
 4 files changed, 20 insertions(+), 32 deletions(-)

diff --git a/google/auth/transport/mtls.py b/google/auth/transport/mtls.py
index 58061510a..e7a7304f6 100644
--- a/google/auth/transport/mtls.py
+++ b/google/auth/transport/mtls.py
@@ -24,9 +24,17 @@ def has_default_client_cert_source():
     Returns:
         bool: indicating if the default client cert source exists.
     """
-    if _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH) is not None:
+    if (
+        _mtls_helper._check_config_path(_mtls_helper.CONTEXT_AWARE_METADATA_PATH)
+        is not None
+    ):
         return True
-    if _mtls_helper._check_config_path(_mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH) is not None:
+    if (
+        _mtls_helper._check_config_path(
+            _mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH
+        )
+        is not None
+    ):
         return True
     return False
 
diff --git a/tests/transport/test__mtls_helper.py b/tests/transport/test__mtls_helper.py
index 39365369a..f6e20b726 100644
--- a/tests/transport/test__mtls_helper.py
+++ b/tests/transport/test__mtls_helper.py
@@ -281,9 +281,7 @@ class TestGetClientSslCredentials(object):
         "google.auth.transport._mtls_helper._run_cert_provider_command", autospec=True
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
-    @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
-    )
+    @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
     def test_success_with_context_aware_metadata(
         self,
         mock_check_config_path,
@@ -308,9 +306,7 @@ def test_success_with_context_aware_metadata(
         "google.auth.transport._mtls_helper._get_cert_config_path", autospec=True
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
-    @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
-    )
+    @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
     def test_success_with_certificate_config(
         self,
         mock_check_config_path,
@@ -337,9 +333,7 @@ def test_success_with_certificate_config(
         assert key == pytest.private_key_bytes
         assert passphrase is None
 
-    @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
-    )
+    @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
     def test_success_without_metadata(self, mock_check_config_path):
         mock_check_config_path.return_value = False
         has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials()
@@ -355,9 +349,7 @@ def test_success_without_metadata(self, mock_check_config_path):
         "google.auth.transport._mtls_helper._run_cert_provider_command", autospec=True
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
-    @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
-    )
+    @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
     def test_success_with_encrypted_key(
         self,
         mock_check_config_path,
@@ -384,9 +376,7 @@ def test_success_with_encrypted_key(
         "google.auth.transport._mtls_helper._get_workload_cert_and_key", autospec=True
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
-    @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
-    )
+    @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
     def test_missing_cert_command(
         self,
         mock_check_config_path,
@@ -403,9 +393,7 @@ def test_missing_cert_command(
         "google.auth.transport._mtls_helper._run_cert_provider_command", autospec=True
     )
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
-    @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
-    )
+    @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
     def test_customize_context_aware_metadata_path(
         self,
         mock_check_config_path,
diff --git a/tests/transport/test_grpc.py b/tests/transport/test_grpc.py
index dcdf91f06..ed3f3ee83 100644
--- a/tests/transport/test_grpc.py
+++ b/tests/transport/test_grpc.py
@@ -142,9 +142,7 @@ def test__get_authorization_headers_with_service_account_and_default_host(self):
 @mock.patch("grpc.secure_channel", autospec=True)
 class TestSecureAuthorizedChannel(object):
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
-    @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
-    )
+    @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
     def test_secure_authorized_channel_adc(
         self,
         check_config_path,
@@ -331,9 +329,7 @@ def test_secure_authorized_channel_with_client_cert_callback_success(
         )
 
     @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
-    @mock.patch(
-        "google.auth.transport._mtls_helper._check_config_path", autospec=True
-    )
+    @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
     def test_secure_authorized_channel_with_client_cert_callback_failure(
         self,
         check_config_path,
@@ -400,9 +396,7 @@ def test_secure_authorized_channel_cert_callback_without_client_cert_env(
     "google.auth.transport._mtls_helper.get_client_ssl_credentials", autospec=True
 )
 @mock.patch("google.auth.transport._mtls_helper._load_json_file", autospec=True)
-@mock.patch(
-    "google.auth.transport._mtls_helper._check_config_path", autospec=True
-)
+@mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
 class TestSslCredentials(object):
     def test_no_context_aware_metadata(
         self,
diff --git a/tests/transport/test_mtls.py b/tests/transport/test_mtls.py
index e82520b41..e65f10737 100644
--- a/tests/transport/test_mtls.py
+++ b/tests/transport/test_mtls.py
@@ -19,9 +19,7 @@
 from google.auth.transport import mtls
 
 
-@mock.patch(
-    "google.auth.transport._mtls_helper._check_config_path", autospec=True
-)
+@mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
 def test_has_default_client_cert_source(check_config_path):
     check_config_path.return_value = mock.Mock()
     assert mtls.has_default_client_cert_source()

From 7726727874d27122e12efd4556c8190891cc8738 Mon Sep 17 00:00:00 2001
From: Andy Zhao <andyzhao@google.com>
Date: Wed, 7 Aug 2024 14:52:43 -0700
Subject: [PATCH 10/10] feat(auth): Fix coverage issue

---
 tests/transport/test_mtls.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/tests/transport/test_mtls.py b/tests/transport/test_mtls.py
index e65f10737..ea549ae14 100644
--- a/tests/transport/test_mtls.py
+++ b/tests/transport/test_mtls.py
@@ -16,14 +16,29 @@
 import pytest  # type: ignore
 
 from google.auth import exceptions
+from google.auth.transport import _mtls_helper
 from google.auth.transport import mtls
 
 
 @mock.patch("google.auth.transport._mtls_helper._check_config_path", autospec=True)
 def test_has_default_client_cert_source(check_config_path):
-    check_config_path.return_value = mock.Mock()
+    def return_path_for_metadata(path):
+        return mock.Mock() if path == _mtls_helper.CONTEXT_AWARE_METADATA_PATH else None
+
+    check_config_path.side_effect = return_path_for_metadata
+    assert mtls.has_default_client_cert_source()
+
+    def return_path_for_cert_config(path):
+        return (
+            mock.Mock()
+            if path == _mtls_helper.CERTIFICATE_CONFIGURATION_DEFAULT_PATH
+            else None
+        )
+
+    check_config_path.side_effect = return_path_for_cert_config
     assert mtls.has_default_client_cert_source()
 
+    check_config_path.side_effect = None
     check_config_path.return_value = None
     assert not mtls.has_default_client_cert_source()