chore: get CA cert from response

google/cloud/alloydb/connector/client.py

@@ -15,7 +15,7 @@
 from __future__ import annotations
 
 import logging
-from typing import List, Optional, TYPE_CHECKING
+from typing import List, Optional, Tuple, TYPE_CHECKING
 
 import aiohttp
 from cryptography.hazmat.primitives import serialization
@@ -117,7 +117,7 @@ async def _get_client_certificate(
         region: str,
         cluster: str,
         key: rsa.RSAPrivateKey,
-    ) -> List[str]:
+    ) -> Tuple[str, List[str]]:
         """
         Fetch a client certificate for the given AlloyDB cluster.
 
@@ -134,7 +134,7 @@ async def _get_client_certificate(
                 to generate client certificate.
 
         Returns:
-            Tuple[str, list[str]]: Tuple containing the client certificate
+            Tuple[str, list[str]]: Tuple containing the CA certificate
                 and certificate chain for the AlloyDB instance.
         """
         logger.debug(f"['{project}/{region}/{cluster}']: Requesting client certificate")
@@ -166,7 +166,7 @@ async def _get_client_certificate(
         )
         resp_dict = await resp.json()
 
-        return resp_dict["pemCertificateChain"]
+        return (resp_dict["caCert"], resp_dict["pemCertificateChain"])
 
     async def close(self) -> None:
         """Close AlloyDBClient gracefully."""

google/cloud/alloydb/connector/refresh.py

@@ -19,7 +19,7 @@
 import logging
 import ssl
 from tempfile import TemporaryDirectory
-from typing import List, TYPE_CHECKING
+from typing import List, Tuple, TYPE_CHECKING
 
 from cryptography import x509
 
@@ -75,10 +75,9 @@ class RefreshResult:
     """
 
     def __init__(
-        self, instance_ip: str, key: rsa.RSAPrivateKey, cert_chain: List[str]
+        self, instance_ip: str, key: rsa.RSAPrivateKey, certs: Tuple[str, List[str]]
     ) -> None:
         self.instance_ip = instance_ip
-
         # create TLS context
         self.context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         # update ssl.PROTOCOL_TLS_CLIENT default
@@ -87,7 +86,8 @@ def __init__(
         self.context.minimum_version = ssl.TLSVersion.TLSv1_3
         # add request_ssl attribute to ssl.SSLContext, required for pg8000 driver
         self.context.request_ssl = False  # type: ignore
-
+        # unpack certs
+        ca_cert, cert_chain = certs
         # get expiration from client certificate
         cert_obj = x509.load_pem_x509_certificate(cert_chain[0].encode("UTF-8"))
         self.expiration = cert_obj.not_valid_after
@@ -97,7 +97,7 @@ def __init__(
         # need to be written to files in order to be loaded by the SSLContext
         with TemporaryDirectory() as tmpdir:
             ca_filename, cert_chain_filename, key_filename = _write_to_file(
-                tmpdir, cert_chain, key
+                tmpdir, ca_cert, cert_chain, key
             )
             self.context.load_cert_chain(cert_chain_filename, keyfile=key_filename)
             self.context.load_verify_locations(cafile=ca_filename)

google/cloud/alloydb/connector/utils.py

@@ -23,7 +23,7 @@
 
 
 def _write_to_file(
-    dir_path: str, cert_chain: List[str], key: rsa.RSAPrivateKey
+    dir_path: str, ca_cert: str, cert_chain: List[str], key: rsa.RSAPrivateKey
 ) -> Tuple[str, str, str]:
     """
     Helper function to write the server_ca, client certificate and
@@ -40,7 +40,7 @@ def _write_to_file(
     )
 
     with open(ca_filename, "w+") as ca_out:
-        ca_out.write("".join(cert_chain))
+        ca_out.write(ca_cert)
     with open(cert_chain_filename, "w+") as chain_out:
         chain_out.write("".join(cert_chain))
     with open(key_filename, "wb") as priv_out:
@@ -49,7 +49,7 @@ def _write_to_file(
     return (ca_filename, cert_chain_filename, key_filename)
 
 
-async def generate_keys() -> Tuple[rsa.RSAPrivateKey, str]:
+def generate_keys() -> Tuple[rsa.RSAPrivateKey, str]:
     priv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
     pub_key = (
         priv_key.public_key()