fix!: replace rsa dependency with cryptography

google/auth/credentials.py

@@ -17,20 +17,22 @@
 
 import abc
 from enum import Enum
+import logging
 import os
 from typing import List
 
 from google.auth import _helpers, environment_vars
 from google.auth import exceptions
 from google.auth import metrics
 from google.auth._credentials_base import _BaseCredentials
-from google.auth._default import _LOGGER
 from google.auth._refresh_worker import RefreshThreadManager
 
 DEFAULT_UNIVERSE_DOMAIN = "googleapis.com"
 NO_OP_TRUST_BOUNDARY_LOCATIONS: List[str] = []
 NO_OP_TRUST_BOUNDARY_ENCODED_LOCATIONS = "0x0"
 
+_LOGGER = logging.getLogger("google.auth._default")
+
 
 class Credentials(_BaseCredentials):
     """Base class for all credentials.

google/auth/crypt/__init__.py

@@ -38,43 +38,31 @@
 """
 
 from google.auth.crypt import base
+from google.auth.crypt import es
+from google.auth.crypt import es256
 from google.auth.crypt import rsa
 
-# google.auth.crypt.es depends on the crytpography module which may not be
-# successfully imported depending on the system.
-try:
-    from google.auth.crypt import es
-    from google.auth.crypt import es256
-except ImportError:  # pragma: NO COVER
-    es = None  # type: ignore
-    es256 = None  # type: ignore
-
-if es is not None and es256 is not None:  # pragma: NO COVER
-    __all__ = [
-        "EsSigner",
-        "EsVerifier",
-        "ES256Signer",
-        "ES256Verifier",
-        "RSASigner",
-        "RSAVerifier",
-        "Signer",
-        "Verifier",
-    ]
-
-    EsSigner = es.EsSigner
-    EsVerifier = es.EsVerifier
-    ES256Signer = es256.ES256Signer
-    ES256Verifier = es256.ES256Verifier
-else:  # pragma: NO COVER
-    __all__ = ["RSASigner", "RSAVerifier", "Signer", "Verifier"]
-
-
 # Aliases to maintain the v1.0.0 interface, as the crypt module was split
 # into submodules.
 Signer = base.Signer
 Verifier = base.Verifier
 RSASigner = rsa.RSASigner
 RSAVerifier = rsa.RSAVerifier
+EsSigner = es.EsSigner
+EsVerifier = es.EsVerifier
+ES256Signer = es256.ES256Signer
+ES256Verifier = es256.ES256Verifier
+
+__all__ = [
+    "EsSigner",
+    "EsVerifier",
+    "ES256Signer",
+    "ES256Verifier",
+    "RSASigner",
+    "RSAVerifier",
+    "Signer",
+    "Verifier",
+]
 
 
 def verify_signature(message, signature, certs, verifier_cls=rsa.RSAVerifier):

google/auth/crypt/_cryptography_rsa.py

@@ -66,7 +66,7 @@ def from_string(cls, public_key):
                 x509 public key certificate.
 
         Returns:
-            Verifier: The constructed verifier.
+            google.auth.crypt.base.Verifier: The constructed verifier.
 
         Raises:
             ValueError: If the public key can't be parsed.

google/auth/crypt/es.py

@@ -110,7 +110,7 @@ def from_string(cls, public_key: Union[str, bytes]) -> "EsVerifier":
                 x509 public key certificate.
 
         Returns:
-            Verifier: The constructed verifier.
+            google.auth.crypt.base.Verifier: The constructed verifier.
 
         Raises:
             ValueError: If the public key can't be parsed.

google/auth/crypt/rsa.py

@@ -14,17 +14,7 @@
 
 """RSA cryptography signer and verifier."""
 
+from google.auth.crypt import _cryptography_rsa
 
-try:
-    # Prefer cryptograph-based RSA implementation.
-    from google.auth.crypt import _cryptography_rsa
-
-    RSASigner = _cryptography_rsa.RSASigner
-    RSAVerifier = _cryptography_rsa.RSAVerifier
-except ImportError:  # pragma: NO COVER
-    # Fallback to pure-python RSA implementation if cryptography is
-    # unavailable.
-    from google.auth.crypt import _python_rsa
-
-    RSASigner = _python_rsa.RSASigner  # type: ignore
-    RSAVerifier = _python_rsa.RSAVerifier  # type: ignore
+RSASigner = _cryptography_rsa.RSASigner
+RSAVerifier = _cryptography_rsa.RSAVerifier

setup.py

@@ -22,30 +22,22 @@
 DEPENDENCIES = (
     "cachetools>=2.0.0,<7.0",
     "pyasn1-modules>=0.2.1",
-    # rsa==4.5 is the last version to support 2.7
-    # https://github.com/sybrenstuvel/python-rsa/issues/152#issuecomment-643470233
-    "rsa>=3.1.4,<5",
-)
-
-# TODO(https://github.com/googleapis/google-auth-library-python/issues/1737): Unit test fails with
-#  `No module named 'cryptography.hazmat.backends.openssl.x509' for Python 3.7``.
-cryptography_base_require = [
     "cryptography >= 38.0.3",
     "cryptography < 39.0.0; python_version < '3.8'",
-]
+)
 
 requests_extra_require = ["requests >= 2.20.0, < 3.0.0"]
 
 aiohttp_extra_require = ["aiohttp >= 3.6.2, < 4.0.0", *requests_extra_require]
 
-pyjwt_extra_require = ["pyjwt>=2.0", *cryptography_base_require]
+pyjwt_extra_require = ["pyjwt>=2.0"]
 
 reauth_extra_require = ["pyu2f>=0.1.5"]
 
 # TODO(https://github.com/googleapis/google-auth-library-python/issues/1738): Add bounds for cryptography and pyopenssl dependencies.
-enterprise_cert_extra_require = ["cryptography", "pyopenssl"]
+enterprise_cert_extra_require = ["pyopenssl"]
 
-pyopenssl_extra_require = ["pyopenssl>=20.0.0", cryptography_base_require]
+pyopenssl_extra_require = ["pyopenssl>=20.0.0"]
 
 # TODO(https://github.com/googleapis/google-auth-library-python/issues/1739): Add bounds for urllib3 and packaging dependencies.
 urllib3_extra_require = ["urllib3", "packaging"]
@@ -81,7 +73,7 @@
 ]
 
 extras = {
-    "cryptography": cryptography_base_require,
+    "cryptography": [],  # cryptography is required, but keep as extra for backwards compatibility
     "aiohttp": aiohttp_extra_require,
     "enterprise_cert": enterprise_cert_extra_require,
     "pyopenssl": pyopenssl_extra_require,