Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Tree: 13f126ea43
Branches Tags
ydb
/
contrib
/
python
/
google-auth
/
py3
/
tests
/
oauth2
/
test_gdch_credentials.py

test_gdch_credentials.py 6.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. # Copyright 2022 Google LLC
    2. 

  2. #
    3. 

  3. # Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. # you may not use this file except in compliance with the License.
    5. 

  5. # You may obtain a copy of the License at
    6. 

  6. #
    7. 

  7. #      http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. #
    9. 

  9. # Unless required by applicable law or agreed to in writing, software
    10. 

  10. # distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. # See the License for the specific language governing permissions and
    13. 

  13. # limitations under the License.
    14. 

  14. 

  15. import copy
    16. 

  16. import datetime
    17. 

  17. import json
    18. 

  18. import os
    19. 

  19. 

  20. import mock
    21. 

  21. import pytest  # type: ignore
    22. 

  22. import requests
    23. 

  23. 

  24. from google.auth import exceptions
    25. 

  25. from google.auth import jwt
    26. 

  26. import google.auth.transport.requests
    27. 

  27. from google.oauth2 import gdch_credentials
    28. 

  28. from google.oauth2.gdch_credentials import ServiceAccountCredentials
    29. 

  29. 

  30. import yatest.common as yc
    31. 

  31. 

  32. 

  33. class TestServiceAccountCredentials(object):
    34. 

  34.     AUDIENCE = "https://service-identity.<Domain>/authenticate"
    35. 

  35.     PROJECT = "project_foo"
    36. 

  36.     PRIVATE_KEY_ID = "key_foo"
    37. 

  37.     NAME = "service_identity_name"
    38. 

  38.     CA_CERT_PATH = "/path/to/ca/cert"
    39. 

  39.     TOKEN_URI = "https://service-identity.<Domain>/authenticate"
    40. 

  40. 

  41.     JSON_PATH = os.path.join(
    42. 

  42.         os.path.dirname(yc.source_path(__file__)), "..", "data", "gdch_service_account.json"
    43. 

  43.     )
    44. 

  44.     with open(JSON_PATH, "rb") as fh:
    45. 

  45.         INFO = json.load(fh)
    46. 

  46. 

  47.     def test_with_gdch_audience(self):
    48. 

  48.         mock_signer = mock.Mock()
    49. 

  49.         creds = ServiceAccountCredentials._from_signer_and_info(mock_signer, self.INFO)
    50. 

  50.         assert creds._signer == mock_signer
    51. 

  51.         assert creds._service_identity_name == self.NAME
    52. 

  52.         assert creds._audience is None
    53. 

  53.         assert creds._token_uri == self.TOKEN_URI
    54. 

  54.         assert creds._ca_cert_path == self.CA_CERT_PATH
    55. 

  55. 

  56.         new_creds = creds.with_gdch_audience(self.AUDIENCE)
    57. 

  57.         assert new_creds._signer == mock_signer
    58. 

  58.         assert new_creds._service_identity_name == self.NAME
    59. 

  59.         assert new_creds._audience == self.AUDIENCE
    60. 

  60.         assert new_creds._token_uri == self.TOKEN_URI
    61. 

  61.         assert new_creds._ca_cert_path == self.CA_CERT_PATH
    62. 

  62. 

  63.     def test__create_jwt(self):
    64. 

  64.         creds = ServiceAccountCredentials.from_service_account_file(self.JSON_PATH)
    65. 

  65.         with mock.patch("google.auth._helpers.utcnow") as utcnow:
    66. 

  66.             utcnow.return_value = datetime.datetime.now()
    67. 

  67.             jwt_token = creds._create_jwt()
    68. 

  68.             header, payload, _, _ = jwt._unverified_decode(jwt_token)
    69. 

  69. 

  70.         expected_iss_sub_value = (
    71. 

  71.             "system:serviceaccount:project_foo:service_identity_name"
    72. 

  72.         )
    73. 

  73.         assert isinstance(jwt_token, str)
    74. 

  74.         assert header["alg"] == "ES256"
    75. 

  75.         assert header["kid"] == self.PRIVATE_KEY_ID
    76. 

  76.         assert payload["iss"] == expected_iss_sub_value
    77. 

  77.         assert payload["sub"] == expected_iss_sub_value
    78. 

  78.         assert payload["aud"] == self.AUDIENCE
    79. 

  79.         assert payload["exp"] == (payload["iat"] + 3600)
    80. 

  80. 

  81.     @mock.patch(
    82. 

  82.         "google.oauth2.gdch_credentials.ServiceAccountCredentials._create_jwt",
    83. 

  83.         autospec=True,
    84. 

  84.     )
    85. 

  85.     @mock.patch("google.oauth2._client._token_endpoint_request", autospec=True)
    86. 

  86.     def test_refresh(self, token_endpoint_request, create_jwt):
    87. 

  87.         creds = ServiceAccountCredentials.from_service_account_info(self.INFO)
    88. 

  88.         creds = creds.with_gdch_audience(self.AUDIENCE)
    89. 

  89.         req = google.auth.transport.requests.Request()
    90. 

  90. 

  91.         mock_jwt_token = "jwt token"
    92. 

  92.         create_jwt.return_value = mock_jwt_token
    93. 

  93.         sts_token = "STS token"
    94. 

  94.         token_endpoint_request.return_value = {
    95. 

  95.             "access_token": sts_token,
    96. 

  96.             "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
    97. 

  97.             "token_type": "Bearer",
    98. 

  98.             "expires_in": 3600,
    99. 

  99.         }
    100. 

  100. 

  101.         creds.refresh(req)
    102. 

  102. 

  103.         token_endpoint_request.assert_called_with(
    104. 

  104.             req,
    105. 

  105.             self.TOKEN_URI,
    106. 

  106.             {
    107. 

  107.                 "grant_type": gdch_credentials.TOKEN_EXCHANGE_TYPE,
    108. 

  108.                 "audience": self.AUDIENCE,
    109. 

  109.                 "requested_token_type": gdch_credentials.ACCESS_TOKEN_TOKEN_TYPE,
    110. 

  110.                 "subject_token": mock_jwt_token,
    111. 

  111.                 "subject_token_type": gdch_credentials.SERVICE_ACCOUNT_TOKEN_TYPE,
    112. 

  112.             },
    113. 

  113.             access_token=None,
    114. 

  114.             use_json=True,
    115. 

  115.             verify=self.CA_CERT_PATH,
    116. 

  116.         )
    117. 

  117.         assert creds.token == sts_token
    118. 

  118. 

  119.     def test_refresh_wrong_requests_object(self):
    120. 

  120.         creds = ServiceAccountCredentials.from_service_account_info(self.INFO)
    121. 

  121.         creds = creds.with_gdch_audience(self.AUDIENCE)
    122. 

  122.         req = requests.Request()
    123. 

  123. 

  124.         with pytest.raises(exceptions.RefreshError) as excinfo:
    125. 

  125.             creds.refresh(req)
    126. 

  126.         assert excinfo.match(
    127. 

  127.             "request must be a google.auth.transport.requests.Request object"
    128. 

  128.         )
    129. 

  129. 

  130.     def test__from_signer_and_info_wrong_format_version(self):
    131. 

  131.         with pytest.raises(ValueError) as excinfo:
    132. 

  132.             ServiceAccountCredentials._from_signer_and_info(
    133. 

  133.                 mock.Mock(), {"format_version": "2"}
    134. 

  134.             )
    135. 

  135.         assert excinfo.match("Only format version 1 is supported")
    136. 

  136. 

  137.     def test_from_service_account_info_miss_field(self):
    138. 

  138.         for field in [
    139. 

  139.             "format_version",
    140. 

  140.             "private_key_id",
    141. 

  141.             "private_key",
    142. 

  142.             "name",
    143. 

  143.             "project",
    144. 

  144.             "token_uri",
    145. 

  145.         ]:
    146. 

  146.             info_with_missing_field = copy.deepcopy(self.INFO)
    147. 

  147.             del info_with_missing_field[field]
    148. 

  148.             with pytest.raises(ValueError) as excinfo:
    149. 

  149.                 ServiceAccountCredentials.from_service_account_info(
    150. 

  150.                     info_with_missing_field
    151. 

  151.                 )
    152. 

  152.             assert excinfo.match("missing fields")
    153. 

  153. 

  154.     @mock.patch("google.auth._service_account_info.from_filename")
    155. 

  155.     def test_from_service_account_file(self, from_filename):
    156. 

  156.         mock_signer = mock.Mock()
    157. 

  157.         from_filename.return_value = (self.INFO, mock_signer)
    158. 

  158.         creds = ServiceAccountCredentials.from_service_account_file(self.JSON_PATH)
    159. 

  159.         from_filename.assert_called_with(
    160. 

  160.             self.JSON_PATH,
    161. 

  161.             require=[
    162. 

  162.                 "format_version",
    163. 

  163.                 "private_key_id",
    164. 

  164.                 "private_key",
    165. 

  165.                 "name",
    166. 

  166.                 "project",
    167. 

  167.                 "token_uri",
    168. 

  168.             ],
    169. 

  169.             use_rsa_signer=False,
    170. 

  170.         )
    171. 

  171.         assert creds._signer == mock_signer
    172. 

  172.         assert creds._service_identity_name == self.NAME
    173. 

  173.         assert creds._audience is None
    174. 

  174.         assert creds._token_uri == self.TOKEN_URI
    175. 

  175.         assert creds._ca_cert_path == self.CA_CERT_PATH
    176.