Codecov Report

Merging #1249 (71d7e35) into master (52e39f8) will decrease coverage by 1.88%.
The diff coverage is 74.80%.

❗ Current head 71d7e35 differs from pull request most recent head 7d7612a. Consider uploading reports for the commit 7d7612a to get more accurate results

@@             Coverage Diff              @@
##             master    #1249      +/-   ##
============================================
- Coverage     81.46%   79.58%   -1.89%     
+ Complexity     1347     1275      -72     
============================================
  Files           211      211              
  Lines          5730     5588     -142     
  Branches        525      477      -48     
============================================
- Hits           4668     4447     -221     
- Misses          850      952     +102     
+ Partials        212      189      -23     

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3b1859e...7d7612a. Read the comment docs.

As I mentioned in grpc/grpc-java#7667, even non-shaded Netty is a no-no for gax, as it is unstable API. Gax should really be using https://github.com/grpc/grpc-java-api-checker, to make that sort of bug a compile error. Discussion about which API to use (there isn't one currently) will continue on grpc/grpc-java#7667

I'm a bit concerned by usage of system tools to read files: is it necessary? if yes, then why? It seems like the same result can be achieved in pure system-independent java-native way. Which will be more efficient and most importantly more portable and reliable.

Because we need to run a system-dependent native helper binary to get the certificate. This is mentioned in Obtaining the Default Device Certificate section in the AIP. Quoted from the AIP:

The default device certicate should be procured using the EndpointVerification workflow, 
which fetches the certificate from a platform-specific credential store (ex. KeyChain in 
macOS) via a native helper.

Exporting the certificate via the native helper involves executing a "cert provider command"
specified in a well-known gcloud metadata file of the following format:

{
   "version": 1
   "min_cloud_sdk_version": "240.0.0"
   "has_client_cert": true
   "endpoint_verification_error": ""
   "cert_provider_command": "[absolute_path_to_provider_command] --fetch_client_cert"
}

For Linux and macOS platforms, the above metadata file is located at "~/.secureConnect/context_aware_metadata.json".

The cert provider command will print the certificate to stdout

I will revisit this PR and re-implement the grpc part after a new stable api is available in grpc-java. Currently putting this PR on hold.

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

This PR is ready now. Please take another look, thanks! @elharo @miraleung @vam-google @ejona86