fix: rename CLOCK_SKEW and separate client/server user case (#863)
* fix: rename CLOCK_SKEW and separate client/server user case
* update clock skew to 20s
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
index ebe9aa5..81cc6db 100644
--- a/tests/compute_engine/test_credentials.py
+++ b/tests/compute_engine/test_credentials.py
@@ -64,7 +64,7 @@
@mock.patch(
"google.auth._helpers.utcnow",
- return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+ return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
)
@mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
def test_refresh_success(self, get, utcnow):
@@ -98,7 +98,7 @@
@mock.patch(
"google.auth._helpers.utcnow",
- return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+ return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
)
@mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
def test_refresh_success_with_scopes(self, get, utcnow):
diff --git a/tests/oauth2/test_credentials.py b/tests/oauth2/test_credentials.py
index b6a80e3..243f97d 100644
--- a/tests/oauth2/test_credentials.py
+++ b/tests/oauth2/test_credentials.py
@@ -115,7 +115,7 @@
@mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)
@mock.patch(
"google.auth._helpers.utcnow",
- return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+ return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
)
def test_refresh_success(self, unused_utcnow, refresh_grant):
token = "token"
@@ -175,7 +175,7 @@
@mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)
@mock.patch(
"google.auth._helpers.utcnow",
- return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+ return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
)
def test_refresh_with_refresh_token_and_refresh_handler(
self, unused_utcnow, refresh_grant
@@ -361,7 +361,7 @@
@mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
def test_refresh_with_refresh_handler_expired_token(self, unused_utcnow):
- expected_expiry = datetime.datetime.min + _helpers.CLOCK_SKEW
+ expected_expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD
# Simulate refresh handler returns an expired token.
refresh_handler = mock.Mock(return_value=("TOKEN", expected_expiry))
scopes = ["email", "profile"]
@@ -391,7 +391,7 @@
@mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)
@mock.patch(
"google.auth._helpers.utcnow",
- return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+ return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
)
def test_credentials_with_scopes_requested_refresh_success(
self, unused_utcnow, refresh_grant
@@ -457,7 +457,7 @@
@mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)
@mock.patch(
"google.auth._helpers.utcnow",
- return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+ return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
)
def test_credentials_with_only_default_scopes_requested(
self, unused_utcnow, refresh_grant
@@ -521,7 +521,7 @@
@mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)
@mock.patch(
"google.auth._helpers.utcnow",
- return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+ return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
)
def test_credentials_with_scopes_returned_refresh_success(
self, unused_utcnow, refresh_grant
@@ -588,7 +588,7 @@
@mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)
@mock.patch(
"google.auth._helpers.utcnow",
- return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+ return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
)
def test_credentials_with_scopes_refresh_failure_raises_refresh_error(
self, unused_utcnow, refresh_grant
diff --git a/tests/test_credentials.py b/tests/test_credentials.py
index 0633b38..2de6388 100644
--- a/tests/test_credentials.py
+++ b/tests/test_credentials.py
@@ -46,7 +46,9 @@
# Set the expiration to one second more than now plus the clock skew
# accomodation. These credentials should be valid.
credentials.expiry = (
- datetime.datetime.utcnow() + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1)
+ datetime.datetime.utcnow()
+ + _helpers.REFRESH_THRESHOLD
+ + datetime.timedelta(seconds=1)
)
assert credentials.valid
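Review bot: The context comment above the changed expression still calls the margin "the clock skew accomodation", although the expression now adds `_helpers.REFRESH_THRESHOLD` and this commit exists to separate the two ideas. Suggest rewording it to `# Set the expiration to one second more than now plus the refresh threshold.` so the test does not present the early-refresh margin as a token-validation tolerance. The same stale comment sits in the matching hunks of tests/test_downscoped.py and tests/test_external_account.py. The enclosing test starts and ends outside the hunk.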
diff --git a/tests/test_downscoped.py b/tests/test_downscoped.py
index 795ec29..9ca95f5 100644
--- a/tests/test_downscoped.py
+++ b/tests/test_downscoped.py
@@ -669,7 +669,9 @@
# Set the expiration to one second more than now plus the clock skew
# accommodation. These credentials should be valid.
credentials.expiry = (
- datetime.datetime.min + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1)
+ datetime.datetime.min
+ + _helpers.REFRESH_THRESHOLD
+ + datetime.timedelta(seconds=1)
)
assert credentials.valid
diff --git a/tests/test_external_account.py b/tests/test_external_account.py
index e8297da..df6174f 100644
--- a/tests/test_external_account.py
+++ b/tests/test_external_account.py
@@ -976,7 +976,9 @@
# Set the expiration to one second more than now plus the clock skew
# accomodation. These credentials should be valid.
credentials.expiry = (
- datetime.datetime.min + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1)
+ datetime.datetime.min
+ + _helpers.REFRESH_THRESHOLD
+ + datetime.timedelta(seconds=1)
)
assert credentials.valid
@@ -1027,7 +1029,9 @@
# Set the expiration to one second more than now plus the clock skew
# accomodation. These credentials should be valid.
credentials.expiry = (
- datetime.datetime.min + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1)
+ datetime.datetime.min
+ + _helpers.REFRESH_THRESHOLD
+ + datetime.timedelta(seconds=1)
)
assert credentials.valid
diff --git a/tests/test_iam.py b/tests/test_iam.py
index 30ce227..e9eca58 100644
--- a/tests/test_iam.py
+++ b/tests/test_iam.py
@@ -45,7 +45,7 @@
super(CredentialsImpl, self).__init__()
self.token = "token"
# Force refresh
- self.expiry = datetime.datetime.min + _helpers.CLOCK_SKEW
+ self.expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD
def refresh(self, request):
pass
diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py
index 126c4c3..3dbb6ca 100644
--- a/tests/test_impersonated_credentials.py
+++ b/tests/test_impersonated_credentials.py
@@ -211,11 +211,11 @@
credentials = self.make_credentials(lifetime=None)
# Source credentials is refreshed only if it is expired within
- # _helpers.CLOCK_SKEW from now. We add a time_skew to the expiry, so
+ # _helpers.REFRESH_THRESHOLD from now. We add a time_skew to the expiry, so
# source credentials is refreshed only if time_skew <= 0.
credentials._source_credentials.expiry = (
_helpers.utcnow()
- + _helpers.CLOCK_SKEW
+ + _helpers.REFRESH_THRESHOLD
+ datetime.timedelta(seconds=time_skew)
)
credentials._source_credentials.token = "Token"
@@ -238,7 +238,7 @@
assert not credentials.expired
# Source credentials is refreshed only if it is expired within
- # _helpers.CLOCK_SKEW
+ # _helpers.REFRESH_THRESHOLD
if time_skew > 0:
source_cred_refresh.assert_not_called()
else:
diff --git a/tests/test_jwt.py b/tests/test_jwt.py
index 0dd7fa9..ba7277c 100644
--- a/tests/test_jwt.py
+++ b/tests/test_jwt.py
@@ -197,7 +197,7 @@
}
)
with pytest.raises(ValueError) as excinfo:
- jwt.decode(token, PUBLIC_CERT_BYTES)
+ jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=59)
assert excinfo.match(r"Token used too early")
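Review bot: The literal `59` in the new `jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=59)` call is unexplained, and what it proves depends on the `iat` offset set in the claims above the hunk, which are not visible here. A one-line comment such as `# skew just below the iat offset: the token must still be rejected` would make the intended boundary explicit, presuming the offset is just above 59 seconds. The same applies to the `exp` case at the top of the next hunk. The test body starts outside the hunk.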
@@ -210,10 +210,40 @@
}
)
with pytest.raises(ValueError) as excinfo:
- jwt.decode(token, PUBLIC_CERT_BYTES)
+ jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=59)
assert excinfo.match(r"Token expired")
+def test_decode_success_with_no_clock_skew(token_factory):
+ token = token_factory(
+ claims={
+ "exp": _helpers.datetime_to_secs(
+ _helpers.utcnow() + datetime.timedelta(seconds=1)
+ ),
+ "iat": _helpers.datetime_to_secs(
+ _helpers.utcnow() - datetime.timedelta(seconds=1)
+ ),
+ }
+ )
+
+ jwt.decode(token, PUBLIC_CERT_BYTES)
+
+
+def test_decode_success_with_custom_clock_skew(token_factory):
+ token = token_factory(
+ claims={
+ "exp": _helpers.datetime_to_secs(
+ _helpers.utcnow() + datetime.timedelta(seconds=2)
+ ),
+ "iat": _helpers.datetime_to_secs(
+ _helpers.utcnow() - datetime.timedelta(seconds=2)
+ ),
+ }
+ )
+
+ jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=1)
+
+
def test_decode_bad_token_wrong_audience(token_factory):
token = token_factory()
audience = "audience2@example.com"
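Review bot: `test_decode_success_with_custom_clock_skew` does not show that `clock_skew_in_seconds` has any effect, because with `iat` two seconds in the past and `exp` two seconds ahead the token is already inside its validity window and the test would pass if the argument were ignored. Since this tolerance widens the window in which a token is accepted, it is worth pinning with a token that is valid only because of the skew, as in the variant below. That variant assumes the skew is applied to the `iat` check, which the "Token used too early" test suggests. Both new tests also read the real clock with one- and two-second margins, so a slow run could fail spuriously. `test_decode_success_with_no_clock_skew` would pass under any default value, so it does not pin the default.

```python
def test_decode_success_with_custom_clock_skew(token_factory):
    # iat lies 30 s in the future, so the token is acceptable only
    # because the caller allows 60 s of skew.
    token = token_factory(
        claims={
            "exp": _helpers.datetime_to_secs(
                _helpers.utcnow() + datetime.timedelta(seconds=120)
            ),
            "iat": _helpers.datetime_to_secs(
                _helpers.utcnow() + datetime.timedelta(seconds=30)
            ),
        }
    )

    jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=60)
```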
diff --git a/tests/transport/test_grpc.py b/tests/transport/test_grpc.py
index 926c1bc..3437658 100644
--- a/tests/transport/test_grpc.py
+++ b/tests/transport/test_grpc.py
@@ -80,7 +80,7 @@
def test_call_refresh(self):
credentials = CredentialsStub()
- credentials.expiry = datetime.datetime.min + _helpers.CLOCK_SKEW
+ credentials.expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD
request = mock.create_autospec(transport.Request)
plugin = google.auth.transport.grpc.AuthMetadataPlugin(credentials, request)