feat(auth): prune crypto provider dependencies

src/auth/Cargo.toml

@@ -38,8 +38,8 @@ async-trait.workspace = true
 base64.workspace      = true
 bytes.workspace       = true
 http.workspace        = true
-reqwest               = { workspace = true, features = ["json", "rustls-tls"] }
-rustls                = { workspace = true, features = ["logging", "ring", "std", "tls12"] }
+reqwest               = { workspace = true, features = ["json", "rustls-tls-no-provider", "rustls-tls-webpki-roots"] }
+rustls                = { workspace = true, features = ["logging", "std", "tls12"] }
 rustls-pki-types      = { workspace = true, features = ["std"] }
 serde.workspace       = true
 serde_json.workspace  = true
@@ -66,14 +66,16 @@ url.workspace         = true
 mutants.workspace     = true
 
 [features]
-default = ["default-idtoken-backend"]
+default = ["default-idtoken-backend", "default-rustls-provider"]
 # The `idtoken` feature enables support to create and validate OIDC ID Tokens.
 # See the create top-level documentation for more information.
 idtoken = ["dep:jsonwebtoken"]
 # By default this crate enables the `rust_crypto` backend. Applications can
 # link `google-cloud-auth` with `default-features = false, feature = ["idtoken"]
 # to select the backend themselves.
 default-idtoken-backend = ["jsonwebtoken?/rust_crypto"]
+# Enable a default TLS configuration for `reqwest`.
+default-rustls-provider = ["reqwest/rustls-tls", "rustls/ring"]
 # Do not use, this was a mistake in the 1.3 release.
 jsonwebtoken = ["dep:jsonwebtoken"]
 

src/auth/README.md

@@ -16,6 +16,11 @@ also describes the common terminology used with authentication, such as
 
 # Features
 
+- `default-rustls-provider`: enabled by default. This feature selects a default
+  crypto provider and trusted root certificate selection for TLS. Applications
+  that have specific requirements for TLS (such as exclusively using the
+  [aws-lc-rs], or [ring] crates) should disable this default and configure the
+  `reqwest` crate features to fit their needs.
 - `idtoken`: disabled by default, this feature enables support to create and
   verify [OIDC ID Tokens].
 - `default-idtoken-backend`: enabled by default, this feature enables a default
@@ -26,13 +31,15 @@ also describes the common terminology used with authentication, such as
   backend selection:
   - Configure this crate with `default-features = false`, and
     `features = ["idtoken"]`
-  - Configure the `jsonwebtoken` crate to use the desired backend.
+  - Select the desired backend for `jsonwebtoken`.
 
 [authentication methods at google]: https://cloud.google.com/docs/authentication
+[aws-lc-rs]: https://crates.io/crates/aws-lc-rs
 [credentials]: https://cloud.google.com/docs/authentication#credentials
 [credentials::credentials]: https://docs.rs/google-cloud-auth/latest/google_cloud_auth/credentials/struct.Credentials.html
 [gcloud-auth]: https://crates.io/crates/gcloud-auth
 [jsonwebtoken]: https://crates.io/crates/jsonwebtoken
 [oidc id tokens]: https://cloud.google.com/docs/authentication/token-types#identity-tokens
 [principals]: https://cloud.google.com/docs/authentication#principal
+[ring]: https://crates.io/crates/ring
 [tokens]: https://cloud.google.com/docs/authentication#token

src/auth/src/credentials/service_account.rs

@@ -399,9 +399,20 @@ impl ServiceAccountKey {
     // Creates a signer using the private key stored in the service account file.
     pub(crate) fn signer(&self) -> Result<Box<dyn Signer>> {
         let private_key = self.private_key.clone();
-        let key_provider = CryptoProvider::get_default().map_or_else(
-            || rustls::crypto::ring::default_provider().key_provider,
-            |p| p.key_provider,
+        let key_provider = CryptoProvider::get_default().map(|p| p.key_provider);
+        #[cfg(feature = "default-rustls-provider")]
+        let key_provider =
+            key_provider.unwrap_or_else(|| rustls::crypto::ring::default_provider().key_provider);
+        #[cfg(not(feature = "default-rustls-provider"))]
+        let key_provider = key_provider.expect(
+            r###"
+The default rustls::CryptoProvider should be configured by the application. The
+`google-cloud-auth` crate was compiled without the `default-rustls-provider`
+feature. Without this feature the crate expects the application to initialize
+the rustls crypto provider using `rustls::CryptoProvider::install_default()`.
+
+Note that the application must use the exact same version of `rustls` as the
+`google-cloud-auth` crate does. Otherwise `install_default()` has no effect."###,
         );
 
         let key_der = PrivateKeyDer::from_pem_slice(private_key.as_bytes()).map_err(|e| {

src/auth/src/lib.rs

@@ -26,6 +26,11 @@
 //!
 //! # Features
 //!
+//! - `default-rustls-provider`: enabled by default. This feature selects a default
+//!   crypto provider and trusted root certificate selection for TLS. Applications
+//!   that have specific requirements for TLS (such as exclusively using the
+//!   [aws-lc-rs], or [ring] crates) should disable this default and configure the
+//!   `reqwest` crate features to fit their needs.
 //! - `idtoken`: disabled by default, this feature enables support to create and
 //!   verify [OIDC ID Tokens].
 //! - `default-idtoken-backend`: enabled by default, this feature enables a default
@@ -36,8 +41,10 @@
 //!   backend selection:
 //!   - Configure this crate with `default-features = false`, and
 //!     `features = ["idtoken"]`
-//!   - Configure the `jsonwebtoken` crate to use the desired backend.
+//!   - Select the desired backend for `jsonwebtoken`.
 //!
+//! [aws-lc-rs]: https://crates.io/crates/aws-lc-rs
+//! [ring]: https://crates.io/crates/ring
 //! [jsonwebtoken]: https://crates.io/crates/jsonwebtoken
 //! [oidc id tokens]: https://cloud.google.com/docs/authentication/token-types#identity-tokens
 //! [Authentication methods at Google]: https://cloud.google.com/docs/authentication

src/gax-internal/Cargo.toml

@@ -96,7 +96,7 @@ tonic-prost                        = { workspace = true, optional = true }
 tower                              = { workspace = true, optional = true }
 tracing                            = { workspace = true, optional = true }
 # Local crates
-google-cloud-auth = { workspace = true, optional = true }
+google-cloud-auth = { workspace = true, optional = true, features = ["default-rustls-provider"] }
 gax               = { workspace = true, optional = true }
 rpc               = { workspace = true, optional = true }
 wkt               = { workspace = true, optional = true }

src/storage/Cargo.toml

@@ -60,15 +60,15 @@ hex                        = { workspace = true, features = ["std"] }
 # Transitive dependencies. Used for minimal version selection.
 mime.workspace = true
 # Local crates
-google-cloud-auth.workspace = true
-gax.workspace               = true
-gaxi                        = { workspace = true, features = ["_internal-common", "_internal-grpc-client"] }
-gtype.workspace             = true
-iam_v1.workspace            = true
-longrunning.workspace       = true
-lro.workspace               = true
-rpc.workspace               = true
-wkt.workspace               = true
+google-cloud-auth     = { workspace = true, features = ["default-rustls-provider"] }
+gax.workspace         = true
+gaxi                  = { workspace = true, features = ["_internal-common", "_internal-grpc-client"] }
+gtype.workspace       = true
+iam_v1.workspace      = true
+longrunning.workspace = true
+lro.workspace         = true
+rpc.workspace         = true
+wkt.workspace         = true
 
 [features]
 unstable-stream = ["reqwest/stream"]

tests/crypto-providers/test-gaxi/Cargo.toml

@@ -54,5 +54,5 @@ features = ["_internal-http-client"]
 [features]
 with-default = [
   # TODO(#4170) - enable when gax-internal is ready
-  # "google-cloud-gax-internal/_default-tls"
+  # "google-cloud-gax-internal/_default-rustls-provider"
 ]