From dc0d0edb542398ed7a8eebe96c3be4600257b07e Mon Sep 17 00:00:00 2001 
From: Alberto Vara Date: Mon, 4 Nov 2024 10:35:34 +0100 Subject: [PATCH] fix(iast): add google.auth to the IAST denylist [backport 2.13] (#11247) Backport e33e2355e97b2bbd40d4223bb6d0c79f8da5b8a4 from #11240 to 2.13. This fix resolves an issue where importing the ``google.cloud.storage.batch`` module would fail raising an AttributeError ``` File "site-packages/google/auth/crypt/rsa.py", line 22, in RSASigner = _cryptography_rsa.RSASigner ^^^^^^^^^^^^^^^^^^^^^^^^^^^ AttributeError: module 'google.auth.crypt._cryptography_rsa' has no attribute 'RSASigner' ``` tests_packages are working in this branch: https://app.circleci.com/pipelines/github/DataDog/dd-trace-py/76358/workflows/427a6bbc-f088-4779-b6fd-35e8e6f988d5/jobs/4346061 ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a 
manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
---
 ddtrace/appsec/_iast/_ast/ast_patching.py | 1 +
 .../notes/iast-fi-import-error-google-37815bda58036c08.yaml | 4 ++++
 tests/appsec/iast_packages/packages/pkg_google_api_core.py | 6 ++++++
 tests/appsec/iast_packages/test_packages.py | 6 ++++--
 4 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/iast-fi-import-error-google-37815bda58036c08.yaml
diff --git a/ddtrace/appsec/_iast/_ast/ast_patching.py b/ddtrace/appsec/_iast/_ast/ast_patching.py
index 08a95ca5a68..de826ff2950 100644
--- a/ddtrace/appsec/_iast/_ast/ast_patching.py
+++ b/ddtrace/appsec/_iast/_ast/ast_patching.py
@@ -82,6 +82,7 @@
 "uvicorn",
 "anyio",
 "httpcore",
+ "google.auth.crypt",
 )
diff --git a/releasenotes/notes/iast-fi-import-error-google-37815bda58036c08.yaml b/releasenotes/notes/iast-fi-import-error-google-37815bda58036c08.yaml
new file mode 100644
index 00000000000..d27e37136a0
--- /dev/null
+++ b/releasenotes/notes/iast-fi-import-error-google-37815bda58036c08.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Code Security: This fix resolves an issue where importing the ``google.cloud.storage.batch`` module would fail raising an ImportError
diff --git a/tests/appsec/iast_packages/packages/pkg_google_api_core.py b/tests/appsec/iast_packages/packages/pkg_google_api_core.py
index 81d97307c00..a87e0ae3456 100644
--- a/tests/appsec/iast_packages/packages/pkg_google_api_core.py
+++ b/tests/appsec/iast_packages/packages/pkg_google_api_core.py
@@ -9,6 +9,12 @@
 from .utils import ResultResponse
+try:
+ from google.cloud.storage.batch import Batch # noqa:F401
+except ModuleNotFoundError:
+ pass
+
+
 pkg_google_api_core = Blueprint("package_google_api_core", __name__)
diff --git a/tests/appsec/iast_packages/test_packages.py b/tests/appsec/iast_packages/test_packages.py
index 7fcaaeb7ac4..e81c6fa221f 100644
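Review bot: The new `"google.auth.crypt"` entry in `ddtrace/appsec/_iast/_ast/ast_patching.py` has no comment recording why the package is excluded from IAST patching, and it is narrower than the `google.auth` named in the commit title. Per the description, the exclusion works around an `AttributeError` on `_cryptography_rsa.RSASigner` at import time, so it looks like a workaround for a patching problem rather than a judgement that this code needs no taint tracking; a comment such as `# google.auth.crypt: AST patching breaks the RSASigner re-export (AttributeError on import); drop once the patcher handles it` would let a later maintainer retire it. How entries are matched (exact name or prefix) is not visible here, so it is worth confirming the entry covers `google.auth.crypt.rsa` and `google.auth.crypt._cryptography_rsa` and nothing broader. The tuple being extended starts outside the hunk.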
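Review bot: The guarded import added at the top of `pkg_google_api_core.py` passes silently on `ModuleNotFoundError`, so when `google-cloud-storage` is not installed the regression this commit targets is never exercised and the module still loads cleanly. The import presumably resolves only because of the `extras=[("google-cloud-storage", "2.18.2")]` added to the `google-api-core` entry in `tests/appsec/iast_packages/test_packages.py`, and neither place says the two are linked. A comment above the `try`, for example `# Regression trigger: importing this under IAST patching used to raise AttributeError in google.auth.crypt.rsa; needs the google-cloud-storage extra`, would keep the `# noqa:F401` import from being cleaned up as unused. The handler also hides a missing transitive dependency; `except ModuleNotFoundError as exc:` with a re-raise when `exc.name` is not under `google.cloud` would narrow it.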
--- a/tests/appsec/iast_packages/test_packages.py
+++ b/tests/appsec/iast_packages/test_packages.py
@@ -255,7 +255,7 @@ def uninstall(self, python_cmd):
 PackageForTesting("fsspec", "2024.5.0", "", "/", ""),
 PackageForTesting(
 "google-auth",
- "2.29.0",
+ "2.35.0",
 "",
 "",
 "",
@@ -265,12 +265,14 @@ def uninstall(self, python_cmd):
 ),
 PackageForTesting(
 "google-api-core",
- "2.19.0",
+ "2.22.0",
 "",
 "",
 "",
 import_name="google",
 import_module_to_validate="google.auth.iam",
+ extras=[("google-cloud-storage", "2.18.2")],
+ test_e2e=True,
 ),
 PackageForTesting(
 "google-api-python-client",