fix: remove deprecated rsa dependency

[daniel-sanche]

Coping over googleapis/google-auth-library-python#1930 to the new repo

This PR removes rsa as a required dependency, now that it has been replaced with cryptography (with warnings issued)

This change has been released as the 2.49.0.dev0 pre-release

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the google-auth library's RSA implementation to remove the rsa package as a mandatory dependency. By transitioning to cryptography as the primary RSA backend and making rsa an optional extra, the change reduces the core dependency footprint and improves flexibility for users who may not require the rsa library's specific key types. This ensures that the library remains functional for users relying on rsa.key objects while not forcing the dependency on all users.

Highlights

• Dependency Management: The rsa library was removed as a direct, mandatory dependency from the core google-auth package, reducing the default installation footprint.
• Optional Dependency: The rsa library is now an optional extra dependency, allowing users to install it explicitly via pip install google-auth[rsa] if they require its specific key types.
• Dynamic Module Loading: The RSAVerifier and RSASigner classes were updated to dynamically import the _python_rsa module only when rsa.key objects are provided, ensuring it's loaded on demand rather than at module initialization.
• Improved Error Handling: Docstrings for RSAVerifier and RSASigner were updated to explicitly mention a potential ImportError if the rsa library is not installed when attempting to use rsa.key objects.

Changelog

• packages/google-auth/google/auth/crypt/rsa.py
  • Removed the top-level import of _python_rsa.
  • Introduced conditional, local imports of _python_rsa within the RSAVerifier and RSASigner constructors.
  • Added ImportError to the docstrings of RSAVerifier and RSASigner to inform users about potential errors if rsa is not installed.
• packages/google-auth/setup.py
  • Removed rsa from the main DEPENDENCIES list.
  • Defined rsa_extra_require to specify rsa as an optional dependency.
  • Included rsa_extra_require in testing_extra_require to ensure test environments can still use it.
  • Added rsa_extra_require to the extras dictionary, making it installable via pip install google-auth[rsa].
• packages/google-auth/testing/constraints-3.8.txt
  • Removed the rsa package from the pinned dependency list for Python 3.8.
• packages/google-auth/tests/crypt/test_rsa.py
  • Added a type: ignore comment to the import rsa as rsa_lib statement to suppress type checking warnings.

Activity

• This change is a re-application of a previous pull request (fix: remove deprecated rsa dependency google-auth-library-python#1930) to the new repository structure.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly removes rsa as a required dependency and makes it an optional extra. The lazy-loading of _python_rsa in google/auth/crypt/rsa.py is implemented well. However, I've identified a critical issue in setup.py where the new rsa extra is incorrectly added to the testing requirements. This would break the test environment setup. My review comment provides a fix for this issue.