Blame - tests/test_jwt.py - platform/external/python/google-auth-library-python

blob: 7b5ba5cdcb806a183f70a1f7c17b17bccd4bff9a [file] [log] [blame]

Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	1	# Copyright 2014 Google Inc.
				2	#
				3	# Licensed under the Apache License, Version 2.0 (the "License");
				4	# you may not use this file except in compliance with the License.
				5	# You may obtain a copy of the License at
				6	#
				7	# http://www.apache.org/licenses/LICENSE-2.0
				8	#
				9	# Unless required by applicable law or agreed to in writing, software
				10	# distributed under the License is distributed on an "AS IS" BASIS,
				11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				12	# See the License for the specific language governing permissions and
				13	# limitations under the License.
				14
				15	import base64
				16	import datetime
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	17	import json
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	18	import os
				19
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	20	import mock
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	21	import pytest
				22
				23	from google.auth import _helpers
				24	from google.auth import crypt
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	25	from google.auth import exceptions
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	26	from google.auth import jwt
				27
				28
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	29	DATA_DIR = os.path.join(os.path.dirname(__file__), "data")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	30
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	31	with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	32	PRIVATE_KEY_BYTES = fh.read()
				33
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	34	with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	35	PUBLIC_CERT_BYTES = fh.read()
				36
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	37	with open(os.path.join(DATA_DIR, "other_cert.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	38	OTHER_CERT_BYTES = fh.read()
				39
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	40	with open(os.path.join(DATA_DIR, "es256_privatekey.pem"), "rb") as fh:
				41	EC_PRIVATE_KEY_BYTES = fh.read()
				42
				43	with open(os.path.join(DATA_DIR, "es256_public_cert.pem"), "rb") as fh:
				44	EC_PUBLIC_CERT_BYTES = fh.read()
				45
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	46	SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	47
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	48	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	49	SERVICE_ACCOUNT_INFO = json.load(fh)
				50
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	51
				52	@pytest.fixture
				53	def signer():
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	54	return crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	55
				56
				57	def test_encode_basic(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	58	test_payload = {"test": "value"}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	59	encoded = jwt.encode(signer, test_payload)
				60	header, payload, _, _ = jwt._unverified_decode(encoded)
				61	assert payload == test_payload
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	62	assert header == {"typ": "JWT", "alg": "RS256", "kid": signer.key_id}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	63
				64
				65	def test_encode_extra_headers(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	66	encoded = jwt.encode(signer, {}, header={"extra": "value"})
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	67	header = jwt.decode_header(encoded)
				68	assert header == {
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	69	"typ": "JWT",
				70	"alg": "RS256",
				71	"kid": signer.key_id,
				72	"extra": "value",
				73	}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	74
				75
arithmetic1728	0a83706	2021-04-08 10:58:38 -0700	[diff] [blame]	76	def test_encode_custom_alg_in_headers(signer):
				77	encoded = jwt.encode(signer, {}, header={"alg": "foo"})
				78	header = jwt.decode_header(encoded)
				79	assert header == {"typ": "JWT", "alg": "foo", "kid": signer.key_id}
				80
				81
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	82	@pytest.fixture
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	83	def es256_signer():
				84	return crypt.ES256Signer.from_string(EC_PRIVATE_KEY_BYTES, "1")
				85
				86
				87	def test_encode_basic_es256(es256_signer):
				88	test_payload = {"test": "value"}
				89	encoded = jwt.encode(es256_signer, test_payload)
				90	header, payload, _, _ = jwt._unverified_decode(encoded)
				91	assert payload == test_payload
				92	assert header == {"typ": "JWT", "alg": "ES256", "kid": es256_signer.key_id}
				93
				94
				95	@pytest.fixture
				96	def token_factory(signer, es256_signer):
				97	def factory(claims=None, key_id=None, use_es256_signer=False):
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	98	now = _helpers.datetime_to_secs(_helpers.utcnow())
				99	payload = {
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	100	"aud": "audience@example.com",
				101	"iat": now,
				102	"exp": now + 300,
				103	"user": "billy bob",
				104	"metadata": {"meta": "data"},
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	105	}
				106	payload.update(claims or {})
				107
				108	# False is specified to remove the signer's key id for testing
				109	# headers without key ids.
				110	if key_id is False:
Jon Wayne Parrott	254befe	2017-02-22 14:37:31 -0800	[diff] [blame]	111	signer._key_id = None
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	112	key_id = None
				113
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	114	if use_es256_signer:
				115	return jwt.encode(es256_signer, payload, key_id=key_id)
				116	else:
				117	return jwt.encode(signer, payload, key_id=key_id)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	118
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	119	return factory
				120
				121
				122	def test_decode_valid(token_factory):
				123	payload = jwt.decode(token_factory(), certs=PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	124	assert payload["aud"] == "audience@example.com"
				125	assert payload["user"] == "billy bob"
				126	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	127
				128
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	129	def test_decode_valid_es256(token_factory):
				130	payload = jwt.decode(
				131	token_factory(use_es256_signer=True), certs=EC_PUBLIC_CERT_BYTES
				132	)
				133	assert payload["aud"] == "audience@example.com"
				134	assert payload["user"] == "billy bob"
				135	assert payload["metadata"]["meta"] == "data"
				136
				137
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	138	def test_decode_valid_with_audience(token_factory):
				139	payload = jwt.decode(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	140	token_factory(), certs=PUBLIC_CERT_BYTES, audience="audience@example.com"
				141	)
				142	assert payload["aud"] == "audience@example.com"
				143	assert payload["user"] == "billy bob"
				144	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	145
				146
				147	def test_decode_valid_unverified(token_factory):
				148	payload = jwt.decode(token_factory(), certs=OTHER_CERT_BYTES, verify=False)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	149	assert payload["aud"] == "audience@example.com"
				150	assert payload["user"] == "billy bob"
				151	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	152
				153
				154	def test_decode_bad_token_wrong_number_of_segments():
				155	with pytest.raises(ValueError) as excinfo:
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	156	jwt.decode("1.2", PUBLIC_CERT_BYTES)
				157	assert excinfo.match(r"Wrong number of segments")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	158
				159
				160	def test_decode_bad_token_not_base64():
				161	with pytest.raises((ValueError, TypeError)) as excinfo:
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	162	jwt.decode("1.2.3", PUBLIC_CERT_BYTES)
				163	assert excinfo.match(r"Incorrect padding\|more than a multiple of 4")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	164
				165
				166	def test_decode_bad_token_not_json():
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	167	token = b".".join([base64.urlsafe_b64encode(b"123!")] * 3)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	168	with pytest.raises(ValueError) as excinfo:
				169	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	170	assert excinfo.match(r"Can\'t parse segment")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	171
				172
				173	def test_decode_bad_token_no_iat_or_exp(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	174	token = jwt.encode(signer, {"test": "value"})
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	175	with pytest.raises(ValueError) as excinfo:
				176	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	177	assert excinfo.match(r"Token does not contain required claim")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	178
				179
				180	def test_decode_bad_token_too_early(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	181	token = token_factory(
				182	claims={
				183	"iat": _helpers.datetime_to_secs(
				184	_helpers.utcnow() + datetime.timedelta(hours=1)
				185	)
				186	}
				187	)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	188	with pytest.raises(ValueError) as excinfo:
				189	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	190	assert excinfo.match(r"Token used too early")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	191
				192
				193	def test_decode_bad_token_expired(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	194	token = token_factory(
				195	claims={
				196	"exp": _helpers.datetime_to_secs(
				197	_helpers.utcnow() - datetime.timedelta(hours=1)
				198	)
				199	}
				200	)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	201	with pytest.raises(ValueError) as excinfo:
				202	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	203	assert excinfo.match(r"Token expired")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	204
				205
				206	def test_decode_bad_token_wrong_audience(token_factory):
				207	token = token_factory()
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	208	audience = "audience2@example.com"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	209	with pytest.raises(ValueError) as excinfo:
				210	jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	211	assert excinfo.match(r"Token has wrong audience")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	212
				213
				214	def test_decode_wrong_cert(token_factory):
				215	with pytest.raises(ValueError) as excinfo:
				216	jwt.decode(token_factory(), OTHER_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	217	assert excinfo.match(r"Could not verify token signature")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	218
				219
				220	def test_decode_multicert_bad_cert(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	221	certs = {"1": OTHER_CERT_BYTES, "2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	222	with pytest.raises(ValueError) as excinfo:
				223	jwt.decode(token_factory(), certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	224	assert excinfo.match(r"Could not verify token signature")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	225
				226
				227	def test_decode_no_cert(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	228	certs = {"2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	229	with pytest.raises(ValueError) as excinfo:
				230	jwt.decode(token_factory(), certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	231	assert excinfo.match(r"Certificate for key id 1 not found")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	232
				233
				234	def test_decode_no_key_id(token_factory):
				235	token = token_factory(key_id=False)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	236	certs = {"2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	237	payload = jwt.decode(token, certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	238	assert payload["user"] == "billy bob"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	239
				240
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	241	def test_decode_unknown_alg():
				242	headers = json.dumps({u"kid": u"1", u"alg": u"fakealg"})
				243	token = b".".join(
				244	map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"])
				245	)
				246
				247	with pytest.raises(ValueError) as excinfo:
				248	jwt.decode(token)
				249	assert excinfo.match(r"fakealg")
				250
				251
				252	def test_decode_missing_crytography_alg(monkeypatch):
				253	monkeypatch.delitem(jwt._ALGORITHM_TO_VERIFIER_CLASS, "ES256")
				254	headers = json.dumps({u"kid": u"1", u"alg": u"ES256"})
				255	token = b".".join(
				256	map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"])
				257	)
				258
				259	with pytest.raises(ValueError) as excinfo:
				260	jwt.decode(token)
				261	assert excinfo.match(r"cryptography")
				262
				263
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	264	def test_roundtrip_explicit_key_id(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	265	token = token_factory(key_id="3")
				266	certs = {"2": OTHER_CERT_BYTES, "3": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	267	payload = jwt.decode(token, certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	268	assert payload["user"] == "billy bob"
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	269
				270
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	271	class TestCredentials(object):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	272	SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
				273	SUBJECT = "subject"
				274	AUDIENCE = "audience"
				275	ADDITIONAL_CLAIMS = {"meta": "data"}
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	276	credentials = None
				277
				278	@pytest.fixture(autouse=True)
				279	def credentials_fixture(self, signer):
				280	self.credentials = jwt.Credentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	281	signer,
				282	self.SERVICE_ACCOUNT_EMAIL,
				283	self.SERVICE_ACCOUNT_EMAIL,
				284	self.AUDIENCE,
				285	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	286
				287	def test_from_service_account_info(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	288	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	289	info = json.load(fh)
				290
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	291	credentials = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	292	info, audience=self.AUDIENCE
				293	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	294
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	295	assert credentials._signer.key_id == info["private_key_id"]
				296	assert credentials._issuer == info["client_email"]
				297	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	298	assert credentials._audience == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	299
				300	def test_from_service_account_info_args(self):
				301	info = SERVICE_ACCOUNT_INFO.copy()
				302
				303	credentials = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	304	info,
				305	subject=self.SUBJECT,
				306	audience=self.AUDIENCE,
				307	additional_claims=self.ADDITIONAL_CLAIMS,
				308	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	309
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	310	assert credentials._signer.key_id == info["private_key_id"]
				311	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	312	assert credentials._subject == self.SUBJECT
				313	assert credentials._audience == self.AUDIENCE
				314	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				315
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	316	def test_from_service_account_file(self):
				317	info = SERVICE_ACCOUNT_INFO.copy()
				318
				319	credentials = jwt.Credentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	320	SERVICE_ACCOUNT_JSON_FILE, audience=self.AUDIENCE
				321	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	322
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	323	assert credentials._signer.key_id == info["private_key_id"]
				324	assert credentials._issuer == info["client_email"]
				325	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	326	assert credentials._audience == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	327
				328	def test_from_service_account_file_args(self):
				329	info = SERVICE_ACCOUNT_INFO.copy()
				330
				331	credentials = jwt.Credentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	332	SERVICE_ACCOUNT_JSON_FILE,
				333	subject=self.SUBJECT,
				334	audience=self.AUDIENCE,
				335	additional_claims=self.ADDITIONAL_CLAIMS,
				336	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	337
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	338	assert credentials._signer.key_id == info["private_key_id"]
				339	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	340	assert credentials._subject == self.SUBJECT
				341	assert credentials._audience == self.AUDIENCE
				342	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				343
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	344	def test_from_signing_credentials(self):
				345	jwt_from_signing = self.credentials.from_signing_credentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	346	self.credentials, audience=mock.sentinel.new_audience
				347	)
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	348	jwt_from_info = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	349	SERVICE_ACCOUNT_INFO, audience=mock.sentinel.new_audience
				350	)
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	351
				352	assert isinstance(jwt_from_signing, jwt.Credentials)
				353	assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
				354	assert jwt_from_signing._issuer == jwt_from_info._issuer
				355	assert jwt_from_signing._subject == jwt_from_info._subject
				356	assert jwt_from_signing._audience == jwt_from_info._audience
				357
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	358	def test_default_state(self):
				359	assert not self.credentials.valid
				360	# Expiration hasn't been set yet
				361	assert not self.credentials.expired
				362
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	363	def test_with_claims(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	364	new_audience = "new_audience"
				365	new_credentials = self.credentials.with_claims(audience=new_audience)
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	366
				367	assert new_credentials._signer == self.credentials._signer
				368	assert new_credentials._issuer == self.credentials._issuer
				369	assert new_credentials._subject == self.credentials._subject
				370	assert new_credentials._audience == new_audience
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	371	assert new_credentials._additional_claims == self.credentials._additional_claims
Bu Sun Kim	3dda7b2	2020-07-09 10:39:39 -0700	[diff] [blame]	372	assert new_credentials._quota_project_id == self.credentials._quota_project_id
				373
				374	def test_with_quota_project(self):
				375	quota_project_id = "project-foo"
				376
				377	new_credentials = self.credentials.with_quota_project(quota_project_id)
				378	assert new_credentials._signer == self.credentials._signer
				379	assert new_credentials._issuer == self.credentials._issuer
				380	assert new_credentials._subject == self.credentials._subject
				381	assert new_credentials._audience == self.credentials._audience
				382	assert new_credentials._additional_claims == self.credentials._additional_claims
				383	assert new_credentials._quota_project_id == quota_project_id
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	384
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	385	def test_sign_bytes(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	386	to_sign = b"123"
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	387	signature = self.credentials.sign_bytes(to_sign)
				388	assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
				389
Jon Wayne Parrott	d722167	2017-02-16 09:05:11 -0800	[diff] [blame]	390	def test_signer(self):
Jon Wayne Parrott	254befe	2017-02-22 14:37:31 -0800	[diff] [blame]	391	assert isinstance(self.credentials.signer, crypt.RSASigner)
Jon Wayne Parrott	d722167	2017-02-16 09:05:11 -0800	[diff] [blame]	392
Jon Wayne Parrott	4c883f0	2016-12-02 14:26:33 -0800	[diff] [blame]	393	def test_signer_email(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	394	assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"]
Jon Wayne Parrott	4c883f0	2016-12-02 14:26:33 -0800	[diff] [blame]	395
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	396	def _verify_token(self, token):
				397	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	398	assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	399	return payload
				400
				401	def test_refresh(self):
				402	self.credentials.refresh(None)
				403	assert self.credentials.valid
				404	assert not self.credentials.expired
				405
				406	def test_expired(self):
				407	assert not self.credentials.expired
				408
				409	self.credentials.refresh(None)
				410	assert not self.credentials.expired
				411
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	412	with mock.patch("google.auth._helpers.utcnow") as now:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	413	one_day = datetime.timedelta(days=1)
				414	now.return_value = self.credentials.expiry + one_day
				415	assert self.credentials.expired
				416
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	417	def test_before_request(self):
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	418	headers = {}
				419
				420	self.credentials.refresh(None)
				421	self.credentials.before_request(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	422	None, "GET", "http://example.com?a=1#3", headers
				423	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	424
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	425	header_value = headers["authorization"]
				426	_, token = header_value.split(" ")
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	427
				428	# Since the audience is set, it should use the existing token.
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	429	assert token.encode("utf-8") == self.credentials.token
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	430
				431	payload = self._verify_token(token)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	432	assert payload["aud"] == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	433
				434	def test_before_request_refreshes(self):
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	435	assert not self.credentials.valid
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	436	self.credentials.before_request(None, "GET", "http://example.com?a=1#3", {})
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	437	assert self.credentials.valid
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	438
				439
				440	class TestOnDemandCredentials(object):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	441	SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
				442	SUBJECT = "subject"
				443	ADDITIONAL_CLAIMS = {"meta": "data"}
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	444	credentials = None
				445
				446	@pytest.fixture(autouse=True)
				447	def credentials_fixture(self, signer):
				448	self.credentials = jwt.OnDemandCredentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	449	signer,
				450	self.SERVICE_ACCOUNT_EMAIL,
				451	self.SERVICE_ACCOUNT_EMAIL,
				452	max_cache_size=2,
				453	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	454
				455	def test_from_service_account_info(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	456	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	457	info = json.load(fh)
				458
				459	credentials = jwt.OnDemandCredentials.from_service_account_info(info)
				460
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	461	assert credentials._signer.key_id == info["private_key_id"]
				462	assert credentials._issuer == info["client_email"]
				463	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	464
				465	def test_from_service_account_info_args(self):
				466	info = SERVICE_ACCOUNT_INFO.copy()
				467
				468	credentials = jwt.OnDemandCredentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	469	info, subject=self.SUBJECT, additional_claims=self.ADDITIONAL_CLAIMS
				470	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	471
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	472	assert credentials._signer.key_id == info["private_key_id"]
				473	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	474	assert credentials._subject == self.SUBJECT
				475	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				476
				477	def test_from_service_account_file(self):
				478	info = SERVICE_ACCOUNT_INFO.copy()
				479
				480	credentials = jwt.OnDemandCredentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	481	SERVICE_ACCOUNT_JSON_FILE
				482	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	483
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	484	assert credentials._signer.key_id == info["private_key_id"]
				485	assert credentials._issuer == info["client_email"]
				486	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	487
				488	def test_from_service_account_file_args(self):
				489	info = SERVICE_ACCOUNT_INFO.copy()
				490
				491	credentials = jwt.OnDemandCredentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	492	SERVICE_ACCOUNT_JSON_FILE,
				493	subject=self.SUBJECT,
				494	additional_claims=self.ADDITIONAL_CLAIMS,
				495	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	496
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	497	assert credentials._signer.key_id == info["private_key_id"]
				498	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	499	assert credentials._subject == self.SUBJECT
				500	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				501
				502	def test_from_signing_credentials(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	503	jwt_from_signing = self.credentials.from_signing_credentials(self.credentials)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	504	jwt_from_info = jwt.OnDemandCredentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	505	SERVICE_ACCOUNT_INFO
				506	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	507
				508	assert isinstance(jwt_from_signing, jwt.OnDemandCredentials)
				509	assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
				510	assert jwt_from_signing._issuer == jwt_from_info._issuer
				511	assert jwt_from_signing._subject == jwt_from_info._subject
				512
				513	def test_default_state(self):
				514	# Credentials are always valid.
				515	assert self.credentials.valid
				516	# Credentials never expire.
				517	assert not self.credentials.expired
				518
				519	def test_with_claims(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	520	new_claims = {"meep": "moop"}
				521	new_credentials = self.credentials.with_claims(additional_claims=new_claims)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	522
				523	assert new_credentials._signer == self.credentials._signer
				524	assert new_credentials._issuer == self.credentials._issuer
				525	assert new_credentials._subject == self.credentials._subject
				526	assert new_credentials._additional_claims == new_claims
				527
Bu Sun Kim	3dda7b2	2020-07-09 10:39:39 -0700	[diff] [blame]	528	def test_with_quota_project(self):
				529	quota_project_id = "project-foo"
				530	new_credentials = self.credentials.with_quota_project(quota_project_id)
				531
				532	assert new_credentials._signer == self.credentials._signer
				533	assert new_credentials._issuer == self.credentials._issuer
				534	assert new_credentials._subject == self.credentials._subject
				535	assert new_credentials._additional_claims == self.credentials._additional_claims
				536	assert new_credentials._quota_project_id == quota_project_id
				537
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	538	def test_sign_bytes(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	539	to_sign = b"123"
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	540	signature = self.credentials.sign_bytes(to_sign)
				541	assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
				542
				543	def test_signer(self):
				544	assert isinstance(self.credentials.signer, crypt.RSASigner)
				545
				546	def test_signer_email(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	547	assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	548
				549	def _verify_token(self, token):
				550	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	551	assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	552	return payload
				553
				554	def test_refresh(self):
				555	with pytest.raises(exceptions.RefreshError):
				556	self.credentials.refresh(None)
				557
				558	def test_before_request(self):
				559	headers = {}
				560
				561	self.credentials.before_request(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	562	None, "GET", "http://example.com?a=1#3", headers
				563	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	564
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	565	_, token = headers["authorization"].split(" ")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	566	payload = self._verify_token(token)
				567
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	568	assert payload["aud"] == "http://example.com"
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	569
				570	# Making another request should re-use the same token.
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	571	self.credentials.before_request(None, "GET", "http://example.com?b=2", headers)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	572
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	573	_, new_token = headers["authorization"].split(" ")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	574
				575	assert new_token == token
				576
				577	def test_expired_token(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	578	self.credentials._cache["audience"] = (
				579	mock.sentinel.token,
				580	datetime.datetime.min,
				581	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	582
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	583	token = self.credentials._get_jwt_for_audience("audience")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	584
				585	assert token != mock.sentinel.token