Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Tree: 18686b50ca
Branches Tags
ydb
/
contrib
/
python
/
google-auth
/
py3
/
tests
/
test_impersonated_credentials.py

test_impersonated_credentials.py 29 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813 
  1. # Copyright 2018 Google Inc.
    2. 

  2. #
    3. 

  3. # Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. # you may not use this file except in compliance with the License.
    5. 

  5. # You may obtain a copy of the License at
    6. 

  6. #
    7. 

  7. #      http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. #
    9. 

  9. # Unless required by applicable law or agreed to in writing, software
    10. 

  10. # distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. # See the License for the specific language governing permissions and
    13. 

  13. # limitations under the License.
    14. 

  14. 

  15. import datetime
    16. 

  16. import http.client as http_client
    17. 

  17. import json
    18. 

  18. import os
    19. 

  19. 

  20. import mock
    21. 

  21. import pytest  # type: ignore
    22. 

  22. 

  23. from google.auth import _helpers
    24. 

  24. from google.auth import crypt
    25. 

  25. from google.auth import exceptions
    26. 

  26. from google.auth import impersonated_credentials
    27. 

  27. from google.auth import transport
    28. 

  28. from google.auth.impersonated_credentials import Credentials
    29. 

  29. from google.oauth2 import credentials
    30. 

  30. from google.oauth2 import service_account
    31. 

  31. 

  32. import yatest.common as yc
    33. 

  33. DATA_DIR = os.path.join(os.path.dirname(yc.source_path(__file__)), "data")
    34. 

  34. 

  35. with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
    36. 

  36.     PRIVATE_KEY_BYTES = fh.read()
    37. 

  37. 

  38. SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
    39. 

  39. 

  40. ID_TOKEN_DATA = (
    41. 

  41.     "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNhZDk3N2Ew"
    42. 

  42.     "Yjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwc"
    43. 

  43.     "zovL2Zvby5iYXIiLCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJle"
    44. 

  44.     "HAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwiaXNzIjoiaHR0cHM6L"
    45. 

  45.     "y9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwN"
    46. 

  46.     "zA4NTY4In0.redacted"
    47. 

  47. )
    48. 

  48. ID_TOKEN_EXPIRY = 1564475051
    49. 

  49. 

  50. with open(SERVICE_ACCOUNT_JSON_FILE, "rb") as fh:
    51. 

  51.     SERVICE_ACCOUNT_INFO = json.load(fh)
    52. 

  52. 

  53. SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
    54. 

  54. TOKEN_URI = "https://example.com/oauth2/token"
    55. 

  55. 

  56. ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = (
    57. 

  57.     "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/imp"
    58. 

  58. )
    59. 

  59. ID_TOKEN_REQUEST_METRICS_HEADER_VALUE = (
    60. 

  60.     "gl-python/3.7 auth/1.1 auth-request-type/it cred-type/imp"
    61. 

  61. )
    62. 

  62. 

  63. 

  64. @pytest.fixture
    65. 

  65. def mock_donor_credentials():
    66. 

  66.     with mock.patch("google.oauth2._client.jwt_grant", autospec=True) as grant:
    67. 

  67.         grant.return_value = (
    68. 

  68.             "source token",
    69. 

  69.             _helpers.utcnow() + datetime.timedelta(seconds=500),
    70. 

  70.             {},
    71. 

  71.         )
    72. 

  72.         yield grant
    73. 

  73. 

  74. 

  75. class MockResponse:
    76. 

  76.     def __init__(self, json_data, status_code):
    77. 

  77.         self.json_data = json_data
    78. 

  78.         self.status_code = status_code
    79. 

  79. 

  80.     def json(self):
    81. 

  81.         return self.json_data
    82. 

  82. 

  83. 

  84. @pytest.fixture
    85. 

  85. def mock_authorizedsession_sign():
    86. 

  86.     with mock.patch(
    87. 

  87.         "google.auth.transport.requests.AuthorizedSession.request", autospec=True
    88. 

  88.     ) as auth_session:
    89. 

  89.         data = {"keyId": "1", "signedBlob": "c2lnbmF0dXJl"}
    90. 

  90.         auth_session.return_value = MockResponse(data, http_client.OK)
    91. 

  91.         yield auth_session
    92. 

  92. 

  93. 

  94. @pytest.fixture
    95. 

  95. def mock_authorizedsession_idtoken():
    96. 

  96.     with mock.patch(
    97. 

  97.         "google.auth.transport.requests.AuthorizedSession.request", autospec=True
    98. 

  98.     ) as auth_session:
    99. 

  99.         data = {"token": ID_TOKEN_DATA}
    100. 

  100.         auth_session.return_value = MockResponse(data, http_client.OK)
    101. 

  101.         yield auth_session
    102. 

  102. 

  103. 

  104. class TestImpersonatedCredentials(object):
    105. 

  105. 

  106.     SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
    107. 

  107.     TARGET_PRINCIPAL = "impersonated@project.iam.gserviceaccount.com"
    108. 

  108.     TARGET_SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only"]
    109. 

  109.     # DELEGATES: List[str] = []
    110. 

  110.     # Because Python 2.7:
    111. 

  111.     DELEGATES = []  # type: ignore
    112. 

  112.     LIFETIME = 3600
    113. 

  113.     SOURCE_CREDENTIALS = service_account.Credentials(
    114. 

  114.         SIGNER, SERVICE_ACCOUNT_EMAIL, TOKEN_URI
    115. 

  115.     )
    116. 

  116.     USER_SOURCE_CREDENTIALS = credentials.Credentials(token="ABCDE")
    117. 

  117.     IAM_ENDPOINT_OVERRIDE = (
    118. 

  118.         "https://us-east1-iamcredentials.googleapis.com/v1/projects/-"
    119. 

  119.         + "/serviceAccounts/{}:generateAccessToken".format(SERVICE_ACCOUNT_EMAIL)
    120. 

  120.     )
    121. 

  121. 

  122.     def make_credentials(
    123. 

  123.         self,
    124. 

  124.         source_credentials=SOURCE_CREDENTIALS,
    125. 

  125.         lifetime=LIFETIME,
    126. 

  126.         target_principal=TARGET_PRINCIPAL,
    127. 

  127.         iam_endpoint_override=None,
    128. 

  128.     ):
    129. 

  129. 

  130.         return Credentials(
    131. 

  131.             source_credentials=source_credentials,
    132. 

  132.             target_principal=target_principal,
    133. 

  133.             target_scopes=self.TARGET_SCOPES,
    134. 

  134.             delegates=self.DELEGATES,
    135. 

  135.             lifetime=lifetime,
    136. 

  136.             iam_endpoint_override=iam_endpoint_override,
    137. 

  137.         )
    138. 

  138. 

  139.     def test_get_cred_info(self):
    140. 

  140.         credentials = self.make_credentials()
    141. 

  141.         assert not credentials.get_cred_info()
    142. 

  142. 

  143.         credentials._cred_file_path = "/path/to/file"
    144. 

  144.         assert credentials.get_cred_info() == {
    145. 

  145.             "credential_source": "/path/to/file",
    146. 

  146.             "credential_type": "impersonated credentials",
    147. 

  147.             "principal": "impersonated@project.iam.gserviceaccount.com",
    148. 

  148.         }
    149. 

  149. 

  150.     def test_universe_domain_matching_source(self):
    151. 

  151.         source_credentials = service_account.Credentials(
    152. 

  152.             SIGNER, "some@email.com", TOKEN_URI, universe_domain="foo.bar"
    153. 

  153.         )
    154. 

  154.         credentials = self.make_credentials(source_credentials=source_credentials)
    155. 

  155.         assert credentials.universe_domain == "foo.bar"
    156. 

  156. 

  157.     def test__make_copy_get_cred_info(self):
    158. 

  158.         credentials = self.make_credentials()
    159. 

  159.         credentials._cred_file_path = "/path/to/file"
    160. 

  160.         cred_copy = credentials._make_copy()
    161. 

  161.         assert cred_copy._cred_file_path == "/path/to/file"
    162. 

  162. 

  163.     def test_make_from_user_credentials(self):
    164. 

  164.         credentials = self.make_credentials(
    165. 

  165.             source_credentials=self.USER_SOURCE_CREDENTIALS
    166. 

  166.         )
    167. 

  167.         assert not credentials.valid
    168. 

  168.         assert credentials.expired
    169. 

  169. 

  170.     def test_default_state(self):
    171. 

  171.         credentials = self.make_credentials()
    172. 

  172.         assert not credentials.valid
    173. 

  173.         assert credentials.expired
    174. 

  174. 

  175.     def test_make_from_service_account_self_signed_jwt(self):
    176. 

  176.         source_credentials = service_account.Credentials(
    177. 

  177.             SIGNER, self.SERVICE_ACCOUNT_EMAIL, TOKEN_URI, always_use_jwt_access=True
    178. 

  178.         )
    179. 

  179.         credentials = self.make_credentials(source_credentials=source_credentials)
    180. 

  180.         # test the source credential don't lose self signed jwt setting
    181. 

  181.         assert credentials._source_credentials._always_use_jwt_access
    182. 

  182.         assert credentials._source_credentials._jwt_credentials
    183. 

  183. 

  184.     def make_request(
    185. 

  185.         self,
    186. 

  186.         data,
    187. 

  187.         status=http_client.OK,
    188. 

  188.         headers=None,
    189. 

  189.         side_effect=None,
    190. 

  190.         use_data_bytes=True,
    191. 

  191.     ):
    192. 

  192.         response = mock.create_autospec(transport.Response, instance=False)
    193. 

  193.         response.status = status
    194. 

  194.         response.data = _helpers.to_bytes(data) if use_data_bytes else data
    195. 

  195.         response.headers = headers or {}
    196. 

  196. 

  197.         request = mock.create_autospec(transport.Request, instance=False)
    198. 

  198.         request.side_effect = side_effect
    199. 

  199.         request.return_value = response
    200. 

  200. 

  201.         return request
    202. 

  202. 

  203.     def test_token_usage_metrics(self):
    204. 

  204.         credentials = self.make_credentials()
    205. 

  205.         credentials.token = "token"
    206. 

  206.         credentials.expiry = None
    207. 

  207. 

  208.         headers = {}
    209. 

  209.         credentials.before_request(mock.Mock(), None, None, headers)
    210. 

  210.         assert headers["authorization"] == "Bearer token"
    211. 

  211.         assert headers["x-goog-api-client"] == "cred-type/imp"
    212. 

  212. 

  213.     @pytest.mark.parametrize("use_data_bytes", [True, False])
    214. 

  214.     def test_refresh_success(self, use_data_bytes, mock_donor_credentials):
    215. 

  215.         credentials = self.make_credentials(lifetime=None)
    216. 

  216.         token = "token"
    217. 

  217. 

  218.         expire_time = (
    219. 

  219.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    220. 

  220.         ).isoformat("T") + "Z"
    221. 

  221.         response_body = {"accessToken": token, "expireTime": expire_time}
    222. 

  222. 

  223.         request = self.make_request(
    224. 

  224.             data=json.dumps(response_body),
    225. 

  225.             status=http_client.OK,
    226. 

  226.             use_data_bytes=use_data_bytes,
    227. 

  227.         )
    228. 

  228. 

  229.         with mock.patch(
    230. 

  230.             "google.auth.metrics.token_request_access_token_impersonate",
    231. 

  231.             return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE,
    232. 

  232.         ):
    233. 

  233.             credentials.refresh(request)
    234. 

  234. 

  235.         assert credentials.valid
    236. 

  236.         assert not credentials.expired
    237. 

  237.         assert (
    238. 

  238.             request.call_args.kwargs["headers"]["x-goog-api-client"]
    239. 

  239.             == ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE
    240. 

  240.         )
    241. 

  241. 

  242.     @pytest.mark.parametrize("use_data_bytes", [True, False])
    243. 

  243.     def test_refresh_success_nonGdu(self, use_data_bytes, mock_donor_credentials):
    244. 

  244.         source_credentials = service_account.Credentials(
    245. 

  245.             SIGNER, "some@email.com", TOKEN_URI, universe_domain="foo.bar"
    246. 

  246.         )
    247. 

  247.         credentials = self.make_credentials(
    248. 

  248.             lifetime=None, source_credentials=source_credentials
    249. 

  249.         )
    250. 

  250.         token = "token"
    251. 

  251. 

  252.         expire_time = (
    253. 

  253.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    254. 

  254.         ).isoformat("T") + "Z"
    255. 

  255.         response_body = {"accessToken": token, "expireTime": expire_time}
    256. 

  256. 

  257.         request = self.make_request(
    258. 

  258.             data=json.dumps(response_body),
    259. 

  259.             status=http_client.OK,
    260. 

  260.             use_data_bytes=use_data_bytes,
    261. 

  261.         )
    262. 

  262. 

  263.         credentials.refresh(request)
    264. 

  264. 

  265.         assert credentials.valid
    266. 

  266.         assert not credentials.expired
    267. 

  267.         # Confirm override endpoint used.
    268. 

  268.         request_kwargs = request.call_args[1]
    269. 

  269.         assert (
    270. 

  270.             request_kwargs["url"]
    271. 

  271.             == "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:generateAccessToken"
    272. 

  272.         )
    273. 

  273. 

  274.     @pytest.mark.parametrize("use_data_bytes", [True, False])
    275. 

  275.     def test_refresh_success_iam_endpoint_override(
    276. 

  276.         self, use_data_bytes, mock_donor_credentials
    277. 

  277.     ):
    278. 

  278.         credentials = self.make_credentials(
    279. 

  279.             lifetime=None, iam_endpoint_override=self.IAM_ENDPOINT_OVERRIDE
    280. 

  280.         )
    281. 

  281.         token = "token"
    282. 

  282. 

  283.         expire_time = (
    284. 

  284.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    285. 

  285.         ).isoformat("T") + "Z"
    286. 

  286.         response_body = {"accessToken": token, "expireTime": expire_time}
    287. 

  287. 

  288.         request = self.make_request(
    289. 

  289.             data=json.dumps(response_body),
    290. 

  290.             status=http_client.OK,
    291. 

  291.             use_data_bytes=use_data_bytes,
    292. 

  292.         )
    293. 

  293. 

  294.         credentials.refresh(request)
    295. 

  295. 

  296.         assert credentials.valid
    297. 

  297.         assert not credentials.expired
    298. 

  298.         # Confirm override endpoint used.
    299. 

  299.         request_kwargs = request.call_args[1]
    300. 

  300.         assert request_kwargs["url"] == self.IAM_ENDPOINT_OVERRIDE
    301. 

  301. 

  302.     @pytest.mark.parametrize("time_skew", [150, -150])
    303. 

  303.     def test_refresh_source_credentials(self, time_skew):
    304. 

  304.         credentials = self.make_credentials(lifetime=None)
    305. 

  305. 

  306.         # Source credentials is refreshed only if it is expired within
    307. 

  307.         # _helpers.REFRESH_THRESHOLD from now. We add a time_skew to the expiry, so
    308. 

  308.         # source credentials is refreshed only if time_skew <= 0.
    309. 

  309.         credentials._source_credentials.expiry = (
    310. 

  310.             _helpers.utcnow()
    311. 

  311.             + _helpers.REFRESH_THRESHOLD
    312. 

  312.             + datetime.timedelta(seconds=time_skew)
    313. 

  313.         )
    314. 

  314.         credentials._source_credentials.token = "Token"
    315. 

  315. 

  316.         with mock.patch(
    317. 

  317.             "google.oauth2.service_account.Credentials.refresh", autospec=True
    318. 

  318.         ) as source_cred_refresh:
    319. 

  319.             expire_time = (
    320. 

  320.                 _helpers.utcnow().replace(microsecond=0)
    321. 

  321.                 + datetime.timedelta(seconds=500)
    322. 

  322.             ).isoformat("T") + "Z"
    323. 

  323.             response_body = {"accessToken": "token", "expireTime": expire_time}
    324. 

  324.             request = self.make_request(
    325. 

  325.                 data=json.dumps(response_body), status=http_client.OK
    326. 

  326.             )
    327. 

  327. 

  328.             credentials.refresh(request)
    329. 

  329. 

  330.             assert credentials.valid
    331. 

  331.             assert not credentials.expired
    332. 

  332. 

  333.             # Source credentials is refreshed only if it is expired within
    334. 

  334.             # _helpers.REFRESH_THRESHOLD
    335. 

  335.             if time_skew > 0:
    336. 

  336.                 source_cred_refresh.assert_not_called()
    337. 

  337.             else:
    338. 

  338.                 source_cred_refresh.assert_called_once()
    339. 

  339. 

  340.     def test_refresh_failure_malformed_expire_time(self, mock_donor_credentials):
    341. 

  341.         credentials = self.make_credentials(lifetime=None)
    342. 

  342.         token = "token"
    343. 

  343. 

  344.         expire_time = (_helpers.utcnow() + datetime.timedelta(seconds=500)).isoformat(
    345. 

  345.             "T"
    346. 

  346.         )
    347. 

  347.         response_body = {"accessToken": token, "expireTime": expire_time}
    348. 

  348. 

  349.         request = self.make_request(
    350. 

  350.             data=json.dumps(response_body), status=http_client.OK
    351. 

  351.         )
    352. 

  352. 

  353.         with pytest.raises(exceptions.RefreshError) as excinfo:
    354. 

  354.             credentials.refresh(request)
    355. 

  355. 

  356.         assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
    357. 

  357. 

  358.         assert not credentials.valid
    359. 

  359.         assert credentials.expired
    360. 

  360. 

  361.     def test_refresh_failure_unauthorzed(self, mock_donor_credentials):
    362. 

  362.         credentials = self.make_credentials(lifetime=None)
    363. 

  363. 

  364.         response_body = {
    365. 

  365.             "error": {
    366. 

  366.                 "code": 403,
    367. 

  367.                 "message": "The caller does not have permission",
    368. 

  368.                 "status": "PERMISSION_DENIED",
    369. 

  369.             }
    370. 

  370.         }
    371. 

  371. 

  372.         request = self.make_request(
    373. 

  373.             data=json.dumps(response_body), status=http_client.UNAUTHORIZED
    374. 

  374.         )
    375. 

  375. 

  376.         with pytest.raises(exceptions.RefreshError) as excinfo:
    377. 

  377.             credentials.refresh(request)
    378. 

  378. 

  379.         assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
    380. 

  380. 

  381.         assert not credentials.valid
    382. 

  382.         assert credentials.expired
    383. 

  383. 

  384.     def test_refresh_failure(self):
    385. 

  385.         credentials = self.make_credentials(lifetime=None)
    386. 

  386.         credentials.expiry = None
    387. 

  387.         credentials.token = "token"
    388. 

  388.         id_creds = impersonated_credentials.IDTokenCredentials(
    389. 

  389.             credentials, target_audience="audience"
    390. 

  390.         )
    391. 

  391. 

  392.         response = mock.create_autospec(transport.Response, instance=False)
    393. 

  393.         response.status_code = http_client.UNAUTHORIZED
    394. 

  394.         response.json = mock.Mock(return_value="failed to get ID token")
    395. 

  395. 

  396.         with mock.patch(
    397. 

  397.             "google.auth.transport.requests.AuthorizedSession.post",
    398. 

  398.             return_value=response,
    399. 

  399.         ):
    400. 

  400.             with pytest.raises(exceptions.RefreshError) as excinfo:
    401. 

  401.                 id_creds.refresh(None)
    402. 

  402. 

  403.         assert excinfo.match("Error getting ID token")
    404. 

  404. 

  405.     def test_refresh_failure_http_error(self, mock_donor_credentials):
    406. 

  406.         credentials = self.make_credentials(lifetime=None)
    407. 

  407. 

  408.         response_body = {}
    409. 

  409. 

  410.         request = self.make_request(
    411. 

  411.             data=json.dumps(response_body), status=http_client.HTTPException
    412. 

  412.         )
    413. 

  413. 

  414.         with pytest.raises(exceptions.RefreshError) as excinfo:
    415. 

  415.             credentials.refresh(request)
    416. 

  416. 

  417.         assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
    418. 

  418. 

  419.         assert not credentials.valid
    420. 

  420.         assert credentials.expired
    421. 

  421. 

  422.     def test_expired(self):
    423. 

  423.         credentials = self.make_credentials(lifetime=None)
    424. 

  424.         assert credentials.expired
    425. 

  425. 

  426.     def test_signer(self):
    427. 

  427.         credentials = self.make_credentials()
    428. 

  428.         assert isinstance(credentials.signer, impersonated_credentials.Credentials)
    429. 

  429. 

  430.     def test_signer_email(self):
    431. 

  431.         credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
    432. 

  432.         assert credentials.signer_email == self.TARGET_PRINCIPAL
    433. 

  433. 

  434.     def test_service_account_email(self):
    435. 

  435.         credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
    436. 

  436.         assert credentials.service_account_email == self.TARGET_PRINCIPAL
    437. 

  437. 

  438.     def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign):
    439. 

  439.         credentials = self.make_credentials(lifetime=None)
    440. 

  440.         expected_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:signBlob"
    441. 

  441.         self._sign_bytes_helper(
    442. 

  442.             credentials,
    443. 

  443.             mock_donor_credentials,
    444. 

  444.             mock_authorizedsession_sign,
    445. 

  445.             expected_url,
    446. 

  446.         )
    447. 

  447. 

  448.     def test_sign_bytes_nonGdu(
    449. 

  449.         self, mock_donor_credentials, mock_authorizedsession_sign
    450. 

  450.     ):
    451. 

  451.         source_credentials = service_account.Credentials(
    452. 

  452.             SIGNER, "some@email.com", TOKEN_URI, universe_domain="foo.bar"
    453. 

  453.         )
    454. 

  454.         credentials = self.make_credentials(
    455. 

  455.             lifetime=None, source_credentials=source_credentials
    456. 

  456.         )
    457. 

  457.         expected_url = "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:signBlob"
    458. 

  458.         self._sign_bytes_helper(
    459. 

  459.             credentials,
    460. 

  460.             mock_donor_credentials,
    461. 

  461.             mock_authorizedsession_sign,
    462. 

  462.             expected_url,
    463. 

  463.         )
    464. 

  464. 

  465.     def _sign_bytes_helper(
    466. 

  466.         self,
    467. 

  467.         credentials,
    468. 

  468.         mock_donor_credentials,
    469. 

  469.         mock_authorizedsession_sign,
    470. 

  470.         expected_url,
    471. 

  471.     ):
    472. 

  472.         token = "token"
    473. 

  473. 

  474.         expire_time = (
    475. 

  475.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    476. 

  476.         ).isoformat("T") + "Z"
    477. 

  477.         token_response_body = {"accessToken": token, "expireTime": expire_time}
    478. 

  478. 

  479.         response = mock.create_autospec(transport.Response, instance=False)
    480. 

  480.         response.status = http_client.OK
    481. 

  481.         response.data = _helpers.to_bytes(json.dumps(token_response_body))
    482. 

  482. 

  483.         request = mock.create_autospec(transport.Request, instance=False)
    484. 

  484.         request.return_value = response
    485. 

  485. 

  486.         credentials.refresh(request)
    487. 

  487.         assert credentials.valid
    488. 

  488.         assert not credentials.expired
    489. 

  489. 

  490.         signature = credentials.sign_bytes(b"signed bytes")
    491. 

  491.         mock_authorizedsession_sign.assert_called_with(
    492. 

  492.             mock.ANY,
    493. 

  493.             "POST",
    494. 

  494.             expected_url,
    495. 

  495.             None,
    496. 

  496.             json={"payload": "c2lnbmVkIGJ5dGVz", "delegates": []},
    497. 

  497.             headers={"Content-Type": "application/json"},
    498. 

  498.         )
    499. 

  499. 

  500.         assert signature == b"signature"
    501. 

  501. 

  502.     def test_sign_bytes_failure(self):
    503. 

  503.         credentials = self.make_credentials(lifetime=None)
    504. 

  504. 

  505.         with mock.patch(
    506. 

  506.             "google.auth.transport.requests.AuthorizedSession.request", autospec=True
    507. 

  507.         ) as auth_session:
    508. 

  508.             data = {"error": {"code": 403, "message": "unauthorized"}}
    509. 

  509.             mock_response = MockResponse(data, http_client.UNAUTHORIZED)
    510. 

  510.             auth_session.return_value = mock_response
    511. 

  511. 

  512.             with pytest.raises(exceptions.TransportError) as excinfo:
    513. 

  513.                 credentials.sign_bytes(b"foo")
    514. 

  514.             assert excinfo.match("'code': 403")
    515. 

  515. 

  516.     @mock.patch("time.sleep", return_value=None)
    517. 

  517.     def test_sign_bytes_retryable_failure(self, mock_time):
    518. 

  518.         credentials = self.make_credentials(lifetime=None)
    519. 

  519. 

  520.         with mock.patch(
    521. 

  521.             "google.auth.transport.requests.AuthorizedSession.request", autospec=True
    522. 

  522.         ) as auth_session:
    523. 

  523.             data = {"error": {"code": 500, "message": "internal_failure"}}
    524. 

  524.             mock_response = MockResponse(data, http_client.INTERNAL_SERVER_ERROR)
    525. 

  525.             auth_session.return_value = mock_response
    526. 

  526. 

  527.             with pytest.raises(exceptions.TransportError) as excinfo:
    528. 

  528.                 credentials.sign_bytes(b"foo")
    529. 

  529.             assert excinfo.match("exhausted signBlob endpoint retries")
    530. 

  530. 

  531.     def test_with_quota_project(self):
    532. 

  532.         credentials = self.make_credentials()
    533. 

  533. 

  534.         quota_project_creds = credentials.with_quota_project("project-foo")
    535. 

  535.         assert quota_project_creds._quota_project_id == "project-foo"
    536. 

  536. 

  537.     @pytest.mark.parametrize("use_data_bytes", [True, False])
    538. 

  538.     def test_with_quota_project_iam_endpoint_override(
    539. 

  539.         self, use_data_bytes, mock_donor_credentials
    540. 

  540.     ):
    541. 

  541.         credentials = self.make_credentials(
    542. 

  542.             lifetime=None, iam_endpoint_override=self.IAM_ENDPOINT_OVERRIDE
    543. 

  543.         )
    544. 

  544.         token = "token"
    545. 

  545.         # iam_endpoint_override should be copied to created credentials.
    546. 

  546.         quota_project_creds = credentials.with_quota_project("project-foo")
    547. 

  547. 

  548.         expire_time = (
    549. 

  549.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    550. 

  550.         ).isoformat("T") + "Z"
    551. 

  551.         response_body = {"accessToken": token, "expireTime": expire_time}
    552. 

  552. 

  553.         request = self.make_request(
    554. 

  554.             data=json.dumps(response_body),
    555. 

  555.             status=http_client.OK,
    556. 

  556.             use_data_bytes=use_data_bytes,
    557. 

  557.         )
    558. 

  558. 

  559.         quota_project_creds.refresh(request)
    560. 

  560. 

  561.         assert quota_project_creds.valid
    562. 

  562.         assert not quota_project_creds.expired
    563. 

  563.         # Confirm override endpoint used.
    564. 

  564.         request_kwargs = request.call_args[1]
    565. 

  565.         assert request_kwargs["url"] == self.IAM_ENDPOINT_OVERRIDE
    566. 

  566. 

  567.     def test_with_scopes(self):
    568. 

  568.         credentials = self.make_credentials()
    569. 

  569.         credentials._target_scopes = []
    570. 

  570.         assert credentials.requires_scopes is True
    571. 

  571.         credentials = credentials.with_scopes(["fake_scope1", "fake_scope2"])
    572. 

  572.         assert credentials.requires_scopes is False
    573. 

  573.         assert credentials._target_scopes == ["fake_scope1", "fake_scope2"]
    574. 

  574. 

  575.     def test_with_scopes_provide_default_scopes(self):
    576. 

  576.         credentials = self.make_credentials()
    577. 

  577.         credentials._target_scopes = []
    578. 

  578.         credentials = credentials.with_scopes(
    579. 

  579.             ["fake_scope1"], default_scopes=["fake_scope2"]
    580. 

  580.         )
    581. 

  581.         assert credentials._target_scopes == ["fake_scope1"]
    582. 

  582. 

  583.     def test_id_token_success(
    584. 

  584.         self, mock_donor_credentials, mock_authorizedsession_idtoken
    585. 

  585.     ):
    586. 

  586.         credentials = self.make_credentials(lifetime=None)
    587. 

  587.         token = "token"
    588. 

  588.         target_audience = "https://foo.bar"
    589. 

  589. 

  590.         expire_time = (
    591. 

  591.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    592. 

  592.         ).isoformat("T") + "Z"
    593. 

  593.         response_body = {"accessToken": token, "expireTime": expire_time}
    594. 

  594. 

  595.         request = self.make_request(
    596. 

  596.             data=json.dumps(response_body), status=http_client.OK
    597. 

  597.         )
    598. 

  598. 

  599.         credentials.refresh(request)
    600. 

  600. 

  601.         assert credentials.valid
    602. 

  602.         assert not credentials.expired
    603. 

  603. 

  604.         id_creds = impersonated_credentials.IDTokenCredentials(
    605. 

  605.             credentials, target_audience=target_audience
    606. 

  606.         )
    607. 

  607.         id_creds.refresh(request)
    608. 

  608. 

  609.         assert id_creds.token == ID_TOKEN_DATA
    610. 

  610.         assert id_creds.expiry == datetime.datetime.utcfromtimestamp(ID_TOKEN_EXPIRY)
    611. 

  611. 

  612.     def test_id_token_metrics(self, mock_donor_credentials):
    613. 

  613.         credentials = self.make_credentials(lifetime=None)
    614. 

  614.         credentials.token = "token"
    615. 

  615.         credentials.expiry = None
    616. 

  616.         target_audience = "https://foo.bar"
    617. 

  617. 

  618.         id_creds = impersonated_credentials.IDTokenCredentials(
    619. 

  619.             credentials, target_audience=target_audience
    620. 

  620.         )
    621. 

  621. 

  622.         with mock.patch(
    623. 

  623.             "google.auth.metrics.token_request_id_token_impersonate",
    624. 

  624.             return_value=ID_TOKEN_REQUEST_METRICS_HEADER_VALUE,
    625. 

  625.         ):
    626. 

  626.             with mock.patch(
    627. 

  627.                 "google.auth.transport.requests.AuthorizedSession.post", autospec=True
    628. 

  628.             ) as mock_post:
    629. 

  629.                 data = {"token": ID_TOKEN_DATA}
    630. 

  630.                 mock_post.return_value = MockResponse(data, http_client.OK)
    631. 

  631.                 id_creds.refresh(None)
    632. 

  632. 

  633.                 assert id_creds.token == ID_TOKEN_DATA
    634. 

  634.                 assert id_creds.expiry == datetime.datetime.utcfromtimestamp(
    635. 

  635.                     ID_TOKEN_EXPIRY
    636. 

  636.                 )
    637. 

  637.                 assert (
    638. 

  638.                     mock_post.call_args.kwargs["headers"]["x-goog-api-client"]
    639. 

  639.                     == ID_TOKEN_REQUEST_METRICS_HEADER_VALUE
    640. 

  640.                 )
    641. 

  641. 

  642.     def test_id_token_from_credential(
    643. 

  643.         self, mock_donor_credentials, mock_authorizedsession_idtoken
    644. 

  644.     ):
    645. 

  645.         credentials = self.make_credentials(lifetime=None)
    646. 

  646.         target_credentials = self.make_credentials(lifetime=None)
    647. 

  647.         expected_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:generateIdToken"
    648. 

  648.         self._test_id_token_helper(
    649. 

  649.             credentials,
    650. 

  650.             target_credentials,
    651. 

  651.             mock_donor_credentials,
    652. 

  652.             mock_authorizedsession_idtoken,
    653. 

  653.             expected_url,
    654. 

  654.         )
    655. 

  655. 

  656.     def test_id_token_from_credential_nonGdu(
    657. 

  657.         self, mock_donor_credentials, mock_authorizedsession_idtoken
    658. 

  658.     ):
    659. 

  659.         source_credentials = service_account.Credentials(
    660. 

  660.             SIGNER, "some@email.com", TOKEN_URI, universe_domain="foo.bar"
    661. 

  661.         )
    662. 

  662.         credentials = self.make_credentials(
    663. 

  663.             lifetime=None, source_credentials=source_credentials
    664. 

  664.         )
    665. 

  665.         target_credentials = self.make_credentials(
    666. 

  666.             lifetime=None, source_credentials=source_credentials
    667. 

  667.         )
    668. 

  668.         expected_url = "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:generateIdToken"
    669. 

  669.         self._test_id_token_helper(
    670. 

  670.             credentials,
    671. 

  671.             target_credentials,
    672. 

  672.             mock_donor_credentials,
    673. 

  673.             mock_authorizedsession_idtoken,
    674. 

  674.             expected_url,
    675. 

  675.         )
    676. 

  676. 

  677.     def _test_id_token_helper(
    678. 

  678.         self,
    679. 

  679.         credentials,
    680. 

  680.         target_credentials,
    681. 

  681.         mock_donor_credentials,
    682. 

  682.         mock_authorizedsession_idtoken,
    683. 

  683.         expected_url,
    684. 

  684.     ):
    685. 

  685.         token = "token"
    686. 

  686.         target_audience = "https://foo.bar"
    687. 

  687. 

  688.         expire_time = (
    689. 

  689.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    690. 

  690.         ).isoformat("T") + "Z"
    691. 

  691.         response_body = {"accessToken": token, "expireTime": expire_time}
    692. 

  692. 

  693.         request = self.make_request(
    694. 

  694.             data=json.dumps(response_body), status=http_client.OK
    695. 

  695.         )
    696. 

  696. 

  697.         credentials.refresh(request)
    698. 

  698. 

  699.         assert credentials.valid
    700. 

  700.         assert not credentials.expired
    701. 

  701. 

  702.         id_creds = impersonated_credentials.IDTokenCredentials(
    703. 

  703.             credentials, target_audience=target_audience, include_email=True
    704. 

  704.         )
    705. 

  705.         id_creds = id_creds.from_credentials(target_credentials=target_credentials)
    706. 

  706.         id_creds.refresh(request)
    707. 

  707. 

  708.         args = mock_authorizedsession_idtoken.call_args.args
    709. 

  709. 

  710.         assert args[2] == expected_url
    711. 

  711. 

  712.         assert id_creds.token == ID_TOKEN_DATA
    713. 

  713.         assert id_creds._include_email is True
    714. 

  714.         assert id_creds._target_credentials is target_credentials
    715. 

  715. 

  716.     def test_id_token_with_target_audience(
    717. 

  717.         self, mock_donor_credentials, mock_authorizedsession_idtoken
    718. 

  718.     ):
    719. 

  719.         credentials = self.make_credentials(lifetime=None)
    720. 

  720.         token = "token"
    721. 

  721.         target_audience = "https://foo.bar"
    722. 

  722. 

  723.         expire_time = (
    724. 

  724.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    725. 

  725.         ).isoformat("T") + "Z"
    726. 

  726.         response_body = {"accessToken": token, "expireTime": expire_time}
    727. 

  727. 

  728.         request = self.make_request(
    729. 

  729.             data=json.dumps(response_body), status=http_client.OK
    730. 

  730.         )
    731. 

  731. 

  732.         credentials.refresh(request)
    733. 

  733. 

  734.         assert credentials.valid
    735. 

  735.         assert not credentials.expired
    736. 

  736. 

  737.         id_creds = impersonated_credentials.IDTokenCredentials(
    738. 

  738.             credentials, include_email=True
    739. 

  739.         )
    740. 

  740.         id_creds = id_creds.with_target_audience(target_audience=target_audience)
    741. 

  741.         id_creds.refresh(request)
    742. 

  742. 

  743.         assert id_creds.token == ID_TOKEN_DATA
    744. 

  744.         assert id_creds.expiry == datetime.datetime.utcfromtimestamp(ID_TOKEN_EXPIRY)
    745. 

  745.         assert id_creds._include_email is True
    746. 

  746. 

  747.     def test_id_token_invalid_cred(
    748. 

  748.         self, mock_donor_credentials, mock_authorizedsession_idtoken
    749. 

  749.     ):
    750. 

  750.         credentials = None
    751. 

  751. 

  752.         with pytest.raises(exceptions.GoogleAuthError) as excinfo:
    753. 

  753.             impersonated_credentials.IDTokenCredentials(credentials)
    754. 

  754. 

  755.         assert excinfo.match("Provided Credential must be" " impersonated_credentials")
    756. 

  756. 

  757.     def test_id_token_with_include_email(
    758. 

  758.         self, mock_donor_credentials, mock_authorizedsession_idtoken
    759. 

  759.     ):
    760. 

  760.         credentials = self.make_credentials(lifetime=None)
    761. 

  761.         token = "token"
    762. 

  762.         target_audience = "https://foo.bar"
    763. 

  763. 

  764.         expire_time = (
    765. 

  765.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    766. 

  766.         ).isoformat("T") + "Z"
    767. 

  767.         response_body = {"accessToken": token, "expireTime": expire_time}
    768. 

  768. 

  769.         request = self.make_request(
    770. 

  770.             data=json.dumps(response_body), status=http_client.OK
    771. 

  771.         )
    772. 

  772. 

  773.         credentials.refresh(request)
    774. 

  774. 

  775.         assert credentials.valid
    776. 

  776.         assert not credentials.expired
    777. 

  777. 

  778.         id_creds = impersonated_credentials.IDTokenCredentials(
    779. 

  779.             credentials, target_audience=target_audience
    780. 

  780.         )
    781. 

  781.         id_creds = id_creds.with_include_email(True)
    782. 

  782.         id_creds.refresh(request)
    783. 

  783. 

  784.         assert id_creds.token == ID_TOKEN_DATA
    785. 

  785. 

  786.     def test_id_token_with_quota_project(
    787. 

  787.         self, mock_donor_credentials, mock_authorizedsession_idtoken
    788. 

  788.     ):
    789. 

  789.         credentials = self.make_credentials(lifetime=None)
    790. 

  790.         token = "token"
    791. 

  791.         target_audience = "https://foo.bar"
    792. 

  792. 

  793.         expire_time = (
    794. 

  794.             _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
    795. 

  795.         ).isoformat("T") + "Z"
    796. 

  796.         response_body = {"accessToken": token, "expireTime": expire_time}
    797. 

  797. 

  798.         request = self.make_request(
    799. 

  799.             data=json.dumps(response_body), status=http_client.OK
    800. 

  800.         )
    801. 

  801. 

  802.         credentials.refresh(request)
    803. 

  803. 

  804.         assert credentials.valid
    805. 

  805.         assert not credentials.expired
    806. 

  806. 

  807.         id_creds = impersonated_credentials.IDTokenCredentials(
    808. 

  808.             credentials, target_audience=target_audience
    809. 

  809.         )
    810. 

  810.         id_creds = id_creds.with_quota_project("project-foo")
    811. 

  811.         id_creds.refresh(request)
    812. 

  812. 

  813.         assert id_creds.quota_project_id == "project-foo"
    814.