Fix indentation issues in AIP 4118 and 4119 (#947)

Author: cesarghali

aip/auth/4118.md

@@ -29,8 +29,9 @@ describes the general guidance of supporting such authentication.
 On Google Cloud, workload credentials should be provisioned using one of the
 following methods:
 
-  - [Set up service security with Envoy][3].
-  - [Set up service security with proxyless gRPC][4].
+- [Set up service security with Envoy][3].
+
+- [Set up service security with proxyless gRPC][4].
 
 In order for workload credentials to be properly used, the auth libraries
 **must** support the automatic switching of the service endpoint to its mTLS
@@ -44,14 +45,14 @@ added as a **"cert_configs"** type as follows:
 
 ```json
 {
-  “version”: 1
+  "version": 1
   "cert_configs": {
     "workload": {
       "cert_path": "path/to/cert/file"
       "key_path": "path/to/key/file"
-      “workload_identity_provider”: “...”
+      "workload_identity_provider": "..."
       "authenticate_as_identity_type": "gsa/native"
-      “service_account_email”: “...”
+      "service_account_email": "..."
     },
     "keychain": {
       ...
@@ -78,15 +79,16 @@ environment variable.
 The following lists the fields of the **"workload"** certificate info type that
 are relevant to workload credentials:
 
-  - **"cert_path"**: The specified value will be used as the full path to locate
-    the workload certificate file. This file **must** contain a PEM-encoded
-    X.509 certificate chain (ordered from leaf to root) where the leaf
-    certificate is a valid X.509 SVID. The chain __may__ consist of only the
-    leaf certificate.
-  - **"key_path"**: The specified value will be used as the full path to locate
-    the workload private key file. This file must contain a PEM-formatted
-    private key associated with the X.509 certificate specified by
-    **“cert_path”**.
+- **"cert_path"**: The specified value will be used as the full path to locate
+the workload certificate file. This file **must** contain a PEM-encoded
+X.509 certificate chain (ordered from leaf to root) where the leaf
+certificate is a valid X.509 SVID. The chain __may__ consist of only the
+leaf certificate.
+
+- **"key_path"**: The specified value will be used as the full path to locate
+the workload private key file. This file must contain a PEM-formatted
+private key associated with the X.509 certificate specified by
+**“cert_path”**.
 
 The description of the **"workload_identity_provider"**,
 **"authenticate_as_identity_type"** and **"service_account_email"** fields can
@@ -103,30 +105,34 @@ Support for mTLS authentication to Google APIs using workload credentials
 **must** give priority to user mTLS endpoint override via client options. The
 auth libraries **must** follow the steps below:
 
-  - Locate the workload certificate and private key files using the above
-    config file. If one of these files is not present, mTLS using workload
-    credentials may be disabled. The auth libraries **must** check that the
-    public and private keys in the certificate and key files match before
-    passing them to the TLS library.
-      - Occasional mismatches may happen, since during certificate rotation the
-        client library may read the two files while another process is replacing
-        them. In that case, the library **must** retry reading the certificate
-        and private key files and checking their match status, up to a maximum
-        of four attempts. The library **should** wait for 5 seconds between
-        attempts.
-      - If the certificate and private key files are loaded in memory (as
-        opposed to being read from disk for every mTLS connection), the auth
-        libraries **must** periodically reload them (at least every 10 minutes
-        or when the certificate expires) to refresh their copies in memory after
-        the infrastructure rotates them. Refreshing the credentials **must** be
-        done in a background thread and not upon usage.
-  - Configure the TLS library to use the found, and matched, certificate and
-    key for client authentication during the TLS handshake.
-  - If the user specifies the endpoint override via client options, use it as is
-    and connect to the specified endpoint using mTLS.
-  - If the user does not specify the endpoint override, use the default mTLS
-    endpoint if the certificate and key files exist and the default regular
-    endpoint otherwise.
+- Locate the workload certificate and private key files using the above
+config file. If one of these files is not present, mTLS using workload
+credentials may be disabled. The auth libraries **must** check that the
+public and private keys in the certificate and key files match before
+passing them to the TLS library.
+
+  - Occasional mismatches may happen, since during certificate rotation the
+    client library may read the two files while another process is replacing
+    them. In that case, the library **must** retry reading the certificate
+    and private key files and checking their match status, up to a maximum
+    of four attempts. The library **should** wait for 5 seconds between
+    attempts.
+  - If the certificate and private key files are loaded in memory (as
+    opposed to being read from disk for every mTLS connection), the auth
+    libraries **must** periodically reload them (at least every 10 minutes
+    or when the certificate expires) to refresh their copies in memory after
+    the infrastructure rotates them. Refreshing the credentials **must** be
+    done in a background thread and not upon usage.
+    
+- Configure the TLS library to use the found, and matched, certificate and
+key for client authentication during the TLS handshake.
+
+- If the user specifies the endpoint override via client options, use it as is
+and connect to the specified endpoint using mTLS.
+
+- If the user does not specify the endpoint override, use the default mTLS
+endpoint if the certificate and key files exist and the default regular
+endpoint otherwise.
 
 Note that mTLS 1.3 **must** be the only supported version to preserve client
 identity and certificate confidentiality.

aip/auth/4119.md

@@ -46,14 +46,14 @@ default location of this file can be changed using the
 
 ```json
 {
-  “version”: 1
+  "version": 1
   "cert_configs": {
     "workload": {
       "cert_path": "path/to/cert/file"
       "key_path": "path/to/key/file"
-      “workload_identity_provider”: “...”
+      "workload_identity_provider": "..."
       "authenticate_as_identity_type": "gsa/native"
-      “service_account_email”: “...”
+      "service_account_email": "..."
     },
     "keychain": {
       ...
@@ -73,75 +73,80 @@ default location of this file can be changed using the
 
 The following lists the fields relevant to mTLS token binding configuration:
 
-  - **"workload_identity_provider"**: The specified value will be used to
-    populate the request to Security Token Service (STS) to request
-    identity-bound access tokens. This value refers to the fully qualified name
-    of the workload identity pool and identity provider configured in IAM. The
-    specified value **must** be of the following format.
+- **"workload_identity_provider"**: The specified value will be used to
+populate the request to Security Token Service (STS) to request
+identity-bound access tokens. This value refers to the fully qualified name
+of the workload identity pool and identity provider configured in IAM. The
+specified value **must** be of the following format.
 
 ```
 "workload_identity_provider":"//iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<pool_identifier>/providers/<provider_identifier>"
 ```
 
-  - **"authenticate_as_identity_type"**: This field specifies what identity is
-    used to authenticate to Google APIs. The value can be set to `gsa` or
-    `native`, where `gsa` is the GCP service account of the workload, e.g., the
-    GCP service account of a GCE VM, and `native` is the native workload
-    identity, e.g., the GKE pod kubernetes service account. If not specified,
-    the default value is `gsa`.
-
-  - **"service_account_email"**: If set, the specified value will be used to
-    populate the request to the IAM Credentials service to request
-    identity-bound access tokens. This value refers to the service account email
-    to be used for resource access. If not set, the service account email will
-    be determined automatically by querying the following Metadata Service
-    endpoint:
-    `http://metadata/computeMetadata/v1/instance/service-accounts/default/email`.
-    The value of this field is only relevant if
-    **"authenticate_as_identity_type"** is set to `gsa`.
+- **"authenticate_as_identity_type"**: This field specifies what identity is
+used to authenticate to Google APIs. The value can be set to `gsa` or
+`native`, where `gsa` is the GCP service account of the workload, e.g., the
+GCP service account of a GCE VM, and `native` is the native workload
+identity, e.g., the GKE pod kubernetes service account. If not specified,
+the default value is `gsa`.
+
+- **"service_account_email"**: If set, the specified value will be used to
+populate the request to the IAM Credentials service to request
+identity-bound access tokens. This value refers to the service account email
+to be used for resource access. If not set, the service account email will
+be determined automatically by querying the following Metadata Service
+endpoint:
+`http://metadata/computeMetadata/v1/instance/service-accounts/default/email`.
+The value of this field is only relevant if
+**"authenticate_as_identity_type"** is set to `gsa`.
 
 The description of the **"cert_path"** and **"key_path"** fields can be found in
 [Mutual Authentication Using Workload Credentials][2].
 
 To enable using token binding when communicating with Google APIs the following
 conditions are required:
 
-  - [Mutual Authentication Using Workload Credentials][2] **must** be enabled.
-  - The **"workload_identity_provider"** **must** be present,
-    **"authenticate_as_identity_type"** __may__ be set and
-    **"service_account_email"** __may__ be set in the **"workload"**
-    section of the **"~/.config/gcloud/certificate_config.json"** configuration
-    file.
+- [Mutual Authentication Using Workload Credentials][2] **must** be enabled.
+
+- The **"workload_identity_provider"** **must** be present,
+**"authenticate_as_identity_type"** __may__ be set and
+**"service_account_email"** __may__ be set in the **"workload"**
+section of the **"~/.config/gcloud/certificate_config.json"** configuration
+file.
 
 ### Expected Behavior
 
 To support the usage of identity-bound access tokens, the auth libraries
 **must** follow the steps below when sending requests to Google APIs:
 
-  1. Connect to the mTLS endpoint of the [STS API][3] using the workload
-     credentials provisioned as described in [Mutual Authentication Using
-     Workload Credentials][2]. This endpoint **must** be
-     `sts.mtls.googleapis.com`.
-  1. Send an HTTP request to STS’s [ExchangeToken][5] method requesting an
-     identity-bound token using the information in the
-     **"workload_identity_provider"** field in the
-     **"~/.config/gcloud/certificate_config.json"** configuration file. The
-     scope of the requested token **must** be
-     `https://www.googleapis.com/auth/iam`.
-  1. Connect to the mTLS endpoint of the [IAM Credentials Service API][4] using
-     the workload credentials provisioned as described in [Mutual Authentication
-     Using Workload Credentials][2]. This endpoint **must** be
-     `iamcredentials.mtls.googleapis.com`.
-  1. If **"authenticate_as_identity_type"** is set to `gsa`, send an HTTP
-     request to the IAM Credentials Service’s [GenerateAccessToken][6] method
-     requesting an identity bound token asserting the service account email in
-     the **"service_account_email"** field in the
-     **"~/.config/gcloud/certificate_config.json"** configuration file. The
-     scope of this token **must** be the same scope defined by the user for
-     accessing the requested Google API.
-  1. Attach the returned token in Step 4 to the request. Note that this request
-     **must** be sent over an mTLS channel using the same workload credentials
-     in Step 1.
+1. Connect to the mTLS endpoint of the [STS API][3] using the workload
+credentials provisioned as described in [Mutual Authentication Using
+Workload Credentials][2]. This endpoint **must** be
+`sts.mtls.googleapis.com`.
+
+1. Send an HTTP request to STS’s [ExchangeToken][5] method requesting an
+identity-bound token using the information in the
+**"workload_identity_provider"** field in the
+**"~/.config/gcloud/certificate_config.json"** configuration file. The
+scope of the requested token **must** be
+`https://www.googleapis.com/auth/iam`.
+
+1. Connect to the mTLS endpoint of the [IAM Credentials Service API][4] using
+the workload credentials provisioned as described in [Mutual Authentication
+Using Workload Credentials][2]. This endpoint **must** be
+`iamcredentials.mtls.googleapis.com`.
+
+1. If **"authenticate_as_identity_type"** is set to `gsa`, send an HTTP
+request to the IAM Credentials Service’s [GenerateAccessToken][6] method
+requesting an identity bound token asserting the service account email in
+the **"service_account_email"** field in the
+**"~/.config/gcloud/certificate_config.json"** configuration file. The
+scope of this token **must** be the same scope defined by the user for
+accessing the requested Google API.
+
+1. Attach the returned token in Step 4 to the request. Note that this request
+**must** be sent over an mTLS channel using the same workload credentials
+in Step 1.
 
 <!-- prettier-ignore-start -->
 [0]: https://google.aip.dev/auth/4110