
fix(cloud): stop googleapiclient pulling in the system oauth2client (#10110) #10112

Open
dpage wants to merge 2 commits into pgadmin-org:master from dpage:fix/issue-10110-oauth2client-leak

dpage commented Jun 19, 2026

Summary

  • pgAdmin 9.16 fails to start on Ubuntu 24.04 (and similar) with AttributeError: module 'lib' has no attribute 'GEN_EMAIL', thrown from the system pyOpenSSL whilst registering the cloud blueprint.
  • Root cause is a dependency-leak collision, not a bug in the cloud code. The packaged Linux venv is built with --system-site-packages (deliberately, for #7173, "Python virtual environment as installed from Debian package lacks dbus-python", so it can reach system dbus-python), which also exposes the system's deprecated oauth2client and its companion pyOpenSSL. googleapiclient._auth does an optional import oauth2client, picks it up from the system site-packages, and drags in that old pyOpenSSL. The 9.16 bump of bundled cryptography to 49.x is incompatible with it, so the import aborts and takes the whole app down.
  • pgAdmin never uses oauth2client itself; it authenticates to Google via google-auth/google-auth-oauthlib. The fix parks a None sentinel under sys.modules['oauth2client'] before importing googleapiclient, at both import sites (web/pgadmin/misc/cloud/google/__init__.py and the standalone web/pgacloud/providers/google.py). The optional import then fails cleanly and googleapiclient falls back to google-auth.
  • The --system-site-packages flag is left intact, so the #7173 dbus-python behaviour is unaffected.

Test plan

  • Added test_google_oauth2client_blocked.py: importing cloud.google installs the sentinel and googleapiclient._auth.HAS_OAUTH2CLIENT is False.
  • runtests.py --pkg misc.cloud.google.tests — all 10 tests pass.
  • pycodestyle clean on all changed files.

Closes #10110

Summary by CodeRabbit

  • Bug Fixes

    • Resolved startup failures for Google Cloud authentication by preventing legacy OAuth client loading, ensuring the system reliably falls back to the modern Google authentication flow in packaged environments.
  • Tests

    • Added a regression test that verifies legacy OAuth client blocking behavior during Google Cloud module import and confirms googleapiclient uses the non-legacy authentication path.

On packaged Linux installs the bundled venv is created with
--system-site-packages (issue pgadmin-org#7173) so it can reach system packages such
as dbus-python. That also exposes the deprecated system oauth2client and
whatever pyOpenSSL ships alongside it. googleapiclient imports oauth2client
optionally, and on Ubuntu 24.04 that drags in a pyOpenSSL too old for our
bundled cryptography, aborting startup at blueprint registration with
"AttributeError: module 'lib' has no attribute 'GEN_EMAIL'".

pgAdmin only ever authenticates to Google via google-auth and
google-auth-oauthlib, so park a None sentinel under
sys.modules['oauth2client'] before importing googleapiclient in both the
web module and the standalone pgacloud provider. The optional import then
fails cleanly and googleapiclient falls back to google-auth.

Closes pgadmin-org#10110
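
The failure and the fix described above, reproduced offline as an added example (not code from this PR or from pgAdmin). legacy_auth and api_consumer are constructed stand-ins for the system oauth2client and googleapiclient._auth, and the stand-in consumer is assumed to guard its optional import with except ImportError only; the last function shows that setdefault() changes nothing when the module was already imported.

```python
import importlib
import sys
import tempfile
import types
from pathlib import Path

LEGACY = "legacy_auth"     # hypothetical stand-in for the system oauth2client
CONSUMER = "api_consumer"  # hypothetical stand-in for googleapiclient._auth

# Constructed "leaked system site-packages": the legacy module dies at import
# with a non-ImportError; the consumer guards only against ImportError.
_root = Path(tempfile.mkdtemp())
(_root / f"{LEGACY}.py").write_text(
    "raise AttributeError(\"module 'lib' has no attribute 'GEN_EMAIL'\")\n")
(_root / f"{CONSUMER}.py").write_text(
    f"try:\n    import {LEGACY}\n    HAS_LEGACY = True\n"
    "except ImportError:\n    HAS_LEGACY = False\n")
sys.path.insert(0, str(_root))
importlib.invalidate_caches()


def import_consumer(block_legacy: bool):
    """Import the consumer fresh; return HAS_LEGACY or the exception name."""
    for name in (LEGACY, CONSUMER):
        sys.modules.pop(name, None)
    if block_legacy:
        sys.modules.setdefault(LEGACY, None)  # import now raises ImportError
    try:
        return importlib.import_module(CONSUMER).HAS_LEGACY
    except Exception as exc:
        return type(exc).__name__
    finally:
        sys.modules.pop(LEGACY, None)


def sentinel_skipped_when_already_loaded() -> bool:
    """setdefault() leaves a module that was imported earlier in place."""
    loaded = types.ModuleType(LEGACY)
    sys.modules[LEGACY] = loaded
    try:
        sys.modules.setdefault(LEGACY, None)
        return sys.modules[LEGACY] is loaded
    finally:
        sys.modules.pop(LEGACY, None)


if __name__ == "__main__":
    print(import_consumer(False), import_consumer(True),
          sentinel_skipped_when_already_loaded())
```

Without the sentinel the AttributeError escapes the consumer's except ImportError and aborts the import; with it, the consumer loads and reports HAS_LEGACY as False.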

coderabbitai Bot commented Jun 19, 2026


No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between a11b067 and 6790269.

📒 Files selected for processing (1)
  • web/pgadmin/misc/cloud/google/tests/test_google_oauth2client_blocked.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • web/pgadmin/misc/cloud/google/tests/test_google_oauth2client_blocked.py

Walkthrough

Both Google provider entry points (web/pgacloud/providers/google.py and web/pgadmin/misc/cloud/google/__init__.py) now import sys and call sys.modules.setdefault('oauth2client', None) before any googleapiclient import, preventing the legacy oauth2client package from loading. A regression test verifies the sentinel is installed and HAS_OAUTH2CLIENT is False.

Changes

oauth2client import guard and regression test

| Layer / File(s) | Summary |
|---|---|
| oauth2client import sentinel in Google provider modules: web/pgacloud/providers/google.py, web/pgadmin/misc/cloud/google/__init__.py | Adds import sys and sys.modules.setdefault('oauth2client', None) in both Google provider modules so that googleapiclient._auth finds a None sentinel for oauth2client and sets HAS_OAUTH2CLIENT = False, falling back to google-auth and avoiding the broken system oauth2client/pyOpenSSL chain on Ubuntu 24.04. |
| Regression test verifying oauth2client is blocked: web/pgadmin/misc/cloud/google/tests/test_google_oauth2client_blocked.py | Adds _SkipServerSetUpMixin and TestOauth2ClientBlockedOnGoogleImport which import pgadmin.misc.cloud.google, assert sys.modules['oauth2client'] is None, then import googleapiclient._auth and assert HAS_OAUTH2CLIENT is False. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically identifies the main change: preventing googleapiclient from loading system oauth2client, which directly addresses the root cause of the Ubuntu 24.04 startup failure. |
| Linked Issues check | ✅ Passed | The code changes directly implement the required fix by blocking oauth2client imports in both google module locations and include regression tests, fully addressing issue #10110's objective to restore startup functionality. |
| Out of Scope Changes check | ✅ Passed | All changes are tightly scoped to blocking oauth2client imports and testing this behavior, with no unrelated modifications to other systems or features. |


coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@web/pgadmin/misc/cloud/google/tests/test_google_oauth2client_blocked.py`:
- Line 41: The scenarios class-level variable is defined as a mutable list
containing a dictionary, which can cause state leakage between tests and
violates Ruff RUF012. Convert the scenarios variable from a list to a tuple by
replacing the square brackets with parentheses, and ensure the inner dict is
also converted to a tuple representation (using tuples for key-value pairs or
another immutable structure) so that the entire scenarios container is immutable
and cannot be accidentally modified during test execution.


📥 Commits

Reviewing files that changed from the base of the PR and between dfc4ef3 and a11b067.

📒 Files selected for processing (3)
  • web/pgacloud/providers/google.py
  • web/pgadmin/misc/cloud/google/__init__.py
  • web/pgadmin/misc/cloud/google/tests/test_google_oauth2client_blocked.py

Comment thread web/pgadmin/misc/cloud/google/tests/test_google_oauth2client_blocked.py Outdated

Successfully merging this pull request may close these issues.

pgAdmin4 9.16 cannot start on Ubuntu 24.04
