Blame - tests/test_jwt.py - platform/external/python/google-auth-library-python

blob: 39c45bd236d5da7f29952e923254eeae7f73bdfe [file] [log] [blame]

Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	1	# Copyright 2014 Google Inc.
				2	#
				3	# Licensed under the Apache License, Version 2.0 (the "License");
				4	# you may not use this file except in compliance with the License.
				5	# You may obtain a copy of the License at
				6	#
				7	# http://www.apache.org/licenses/LICENSE-2.0
				8	#
				9	# Unless required by applicable law or agreed to in writing, software
				10	# distributed under the License is distributed on an "AS IS" BASIS,
				11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				12	# See the License for the specific language governing permissions and
				13	# limitations under the License.
				14
				15	import base64
				16	import datetime
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	17	import json
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	18	import os
				19
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	20	import mock
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	21	import pytest
				22
				23	from google.auth import _helpers
				24	from google.auth import crypt
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	25	from google.auth import exceptions
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	26	from google.auth import jwt
				27
				28
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	29	DATA_DIR = os.path.join(os.path.dirname(__file__), "data")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	30
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	31	with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	32	PRIVATE_KEY_BYTES = fh.read()
				33
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	34	with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	35	PUBLIC_CERT_BYTES = fh.read()
				36
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	37	with open(os.path.join(DATA_DIR, "other_cert.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	38	OTHER_CERT_BYTES = fh.read()
				39
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	40	with open(os.path.join(DATA_DIR, "es256_privatekey.pem"), "rb") as fh:
				41	EC_PRIVATE_KEY_BYTES = fh.read()
				42
				43	with open(os.path.join(DATA_DIR, "es256_public_cert.pem"), "rb") as fh:
				44	EC_PUBLIC_CERT_BYTES = fh.read()
				45
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	46	SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	47
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	48	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	49	SERVICE_ACCOUNT_INFO = json.load(fh)
				50
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	51
				52	@pytest.fixture
				53	def signer():
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	54	return crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	55
				56
				57	def test_encode_basic(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	58	test_payload = {"test": "value"}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	59	encoded = jwt.encode(signer, test_payload)
				60	header, payload, _, _ = jwt._unverified_decode(encoded)
				61	assert payload == test_payload
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	62	assert header == {"typ": "JWT", "alg": "RS256", "kid": signer.key_id}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	63
				64
				65	def test_encode_extra_headers(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	66	encoded = jwt.encode(signer, {}, header={"extra": "value"})
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	67	header = jwt.decode_header(encoded)
				68	assert header == {
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	69	"typ": "JWT",
				70	"alg": "RS256",
				71	"kid": signer.key_id,
				72	"extra": "value",
				73	}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	74
				75
arithmetic1728	0a83706	2021-04-08 10:58:38 -0700	[diff] [blame]	76	def test_encode_custom_alg_in_headers(signer):
				77	encoded = jwt.encode(signer, {}, header={"alg": "foo"})
				78	header = jwt.decode_header(encoded)
				79	assert header == {"typ": "JWT", "alg": "foo", "kid": signer.key_id}
				80
				81
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	82	@pytest.fixture
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	83	def es256_signer():
				84	return crypt.ES256Signer.from_string(EC_PRIVATE_KEY_BYTES, "1")
				85
				86
				87	def test_encode_basic_es256(es256_signer):
				88	test_payload = {"test": "value"}
				89	encoded = jwt.encode(es256_signer, test_payload)
				90	header, payload, _, _ = jwt._unverified_decode(encoded)
				91	assert payload == test_payload
				92	assert header == {"typ": "JWT", "alg": "ES256", "kid": es256_signer.key_id}
				93
				94
				95	@pytest.fixture
				96	def token_factory(signer, es256_signer):
				97	def factory(claims=None, key_id=None, use_es256_signer=False):
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	98	now = _helpers.datetime_to_secs(_helpers.utcnow())
				99	payload = {
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	100	"aud": "audience@example.com",
				101	"iat": now,
				102	"exp": now + 300,
				103	"user": "billy bob",
				104	"metadata": {"meta": "data"},
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	105	}
				106	payload.update(claims or {})
				107
				108	# False is specified to remove the signer's key id for testing
				109	# headers without key ids.
				110	if key_id is False:
Jon Wayne Parrott	254befe	2017-02-22 14:37:31 -0800	[diff] [blame]	111	signer._key_id = None
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	112	key_id = None
				113
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	114	if use_es256_signer:
				115	return jwt.encode(es256_signer, payload, key_id=key_id)
				116	else:
				117	return jwt.encode(signer, payload, key_id=key_id)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	118
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	119	return factory
				120
				121
				122	def test_decode_valid(token_factory):
				123	payload = jwt.decode(token_factory(), certs=PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	124	assert payload["aud"] == "audience@example.com"
				125	assert payload["user"] == "billy bob"
				126	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	127
				128
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	129	def test_decode_valid_es256(token_factory):
				130	payload = jwt.decode(
				131	token_factory(use_es256_signer=True), certs=EC_PUBLIC_CERT_BYTES
				132	)
				133	assert payload["aud"] == "audience@example.com"
				134	assert payload["user"] == "billy bob"
				135	assert payload["metadata"]["meta"] == "data"
				136
				137
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	138	def test_decode_valid_with_audience(token_factory):
				139	payload = jwt.decode(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	140	token_factory(), certs=PUBLIC_CERT_BYTES, audience="audience@example.com"
				141	)
				142	assert payload["aud"] == "audience@example.com"
				143	assert payload["user"] == "billy bob"
				144	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	145
				146
Jonathan Beaulieu	56c3946	2021-04-15 04:28:04 -0400	[diff] [blame]	147	def test_decode_valid_with_audience_list(token_factory):
				148	payload = jwt.decode(
				149	token_factory(),
				150	certs=PUBLIC_CERT_BYTES,
				151	audience=["audience@example.com", "another_audience@example.com"],
				152	)
				153	assert payload["aud"] == "audience@example.com"
				154	assert payload["user"] == "billy bob"
				155	assert payload["metadata"]["meta"] == "data"
				156
				157
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	158	def test_decode_valid_unverified(token_factory):
				159	payload = jwt.decode(token_factory(), certs=OTHER_CERT_BYTES, verify=False)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	160	assert payload["aud"] == "audience@example.com"
				161	assert payload["user"] == "billy bob"
				162	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	163
				164
				165	def test_decode_bad_token_wrong_number_of_segments():
				166	with pytest.raises(ValueError) as excinfo:
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	167	jwt.decode("1.2", PUBLIC_CERT_BYTES)
				168	assert excinfo.match(r"Wrong number of segments")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	169
				170
				171	def test_decode_bad_token_not_base64():
				172	with pytest.raises((ValueError, TypeError)) as excinfo:
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	173	jwt.decode("1.2.3", PUBLIC_CERT_BYTES)
				174	assert excinfo.match(r"Incorrect padding\|more than a multiple of 4")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	175
				176
				177	def test_decode_bad_token_not_json():
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	178	token = b".".join([base64.urlsafe_b64encode(b"123!")] * 3)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	179	with pytest.raises(ValueError) as excinfo:
				180	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	181	assert excinfo.match(r"Can\'t parse segment")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	182
				183
				184	def test_decode_bad_token_no_iat_or_exp(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	185	token = jwt.encode(signer, {"test": "value"})
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	186	with pytest.raises(ValueError) as excinfo:
				187	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	188	assert excinfo.match(r"Token does not contain required claim")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	189
				190
				191	def test_decode_bad_token_too_early(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	192	token = token_factory(
				193	claims={
				194	"iat": _helpers.datetime_to_secs(
				195	_helpers.utcnow() + datetime.timedelta(hours=1)
				196	)
				197	}
				198	)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	199	with pytest.raises(ValueError) as excinfo:
				200	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	201	assert excinfo.match(r"Token used too early")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	202
				203
				204	def test_decode_bad_token_expired(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	205	token = token_factory(
				206	claims={
				207	"exp": _helpers.datetime_to_secs(
				208	_helpers.utcnow() - datetime.timedelta(hours=1)
				209	)
				210	}
				211	)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	212	with pytest.raises(ValueError) as excinfo:
				213	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	214	assert excinfo.match(r"Token expired")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	215
				216
				217	def test_decode_bad_token_wrong_audience(token_factory):
				218	token = token_factory()
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	219	audience = "audience2@example.com"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	220	with pytest.raises(ValueError) as excinfo:
				221	jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	222	assert excinfo.match(r"Token has wrong audience")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	223
				224
Jonathan Beaulieu	56c3946	2021-04-15 04:28:04 -0400	[diff] [blame]	225	def test_decode_bad_token_wrong_audience_list(token_factory):
				226	token = token_factory()
				227	audience = ["audience2@example.com", "audience3@example.com"]
				228	with pytest.raises(ValueError) as excinfo:
				229	jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience)
				230	assert excinfo.match(r"Token has wrong audience")
				231
				232
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	233	def test_decode_wrong_cert(token_factory):
				234	with pytest.raises(ValueError) as excinfo:
				235	jwt.decode(token_factory(), OTHER_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	236	assert excinfo.match(r"Could not verify token signature")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	237
				238
				239	def test_decode_multicert_bad_cert(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	240	certs = {"1": OTHER_CERT_BYTES, "2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	241	with pytest.raises(ValueError) as excinfo:
				242	jwt.decode(token_factory(), certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	243	assert excinfo.match(r"Could not verify token signature")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	244
				245
				246	def test_decode_no_cert(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	247	certs = {"2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	248	with pytest.raises(ValueError) as excinfo:
				249	jwt.decode(token_factory(), certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	250	assert excinfo.match(r"Certificate for key id 1 not found")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	251
				252
				253	def test_decode_no_key_id(token_factory):
				254	token = token_factory(key_id=False)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	255	certs = {"2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	256	payload = jwt.decode(token, certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	257	assert payload["user"] == "billy bob"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	258
				259
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame]	260	def test_decode_unknown_alg():
				261	headers = json.dumps({u"kid": u"1", u"alg": u"fakealg"})
				262	token = b".".join(
				263	map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"])
				264	)
				265
				266	with pytest.raises(ValueError) as excinfo:
				267	jwt.decode(token)
				268	assert excinfo.match(r"fakealg")
				269
				270
				271	def test_decode_missing_crytography_alg(monkeypatch):
				272	monkeypatch.delitem(jwt._ALGORITHM_TO_VERIFIER_CLASS, "ES256")
				273	headers = json.dumps({u"kid": u"1", u"alg": u"ES256"})
				274	token = b".".join(
				275	map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"])
				276	)
				277
				278	with pytest.raises(ValueError) as excinfo:
				279	jwt.decode(token)
				280	assert excinfo.match(r"cryptography")
				281
				282
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	283	def test_roundtrip_explicit_key_id(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	284	token = token_factory(key_id="3")
				285	certs = {"2": OTHER_CERT_BYTES, "3": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	286	payload = jwt.decode(token, certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	287	assert payload["user"] == "billy bob"
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	288
				289
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	290	class TestCredentials(object):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	291	SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
				292	SUBJECT = "subject"
				293	AUDIENCE = "audience"
				294	ADDITIONAL_CLAIMS = {"meta": "data"}
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	295	credentials = None
				296
				297	@pytest.fixture(autouse=True)
				298	def credentials_fixture(self, signer):
				299	self.credentials = jwt.Credentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	300	signer,
				301	self.SERVICE_ACCOUNT_EMAIL,
				302	self.SERVICE_ACCOUNT_EMAIL,
				303	self.AUDIENCE,
				304	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	305
				306	def test_from_service_account_info(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	307	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	308	info = json.load(fh)
				309
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	310	credentials = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	311	info, audience=self.AUDIENCE
				312	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	313
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	314	assert credentials._signer.key_id == info["private_key_id"]
				315	assert credentials._issuer == info["client_email"]
				316	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	317	assert credentials._audience == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	318
				319	def test_from_service_account_info_args(self):
				320	info = SERVICE_ACCOUNT_INFO.copy()
				321
				322	credentials = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	323	info,
				324	subject=self.SUBJECT,
				325	audience=self.AUDIENCE,
				326	additional_claims=self.ADDITIONAL_CLAIMS,
				327	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	328
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	329	assert credentials._signer.key_id == info["private_key_id"]
				330	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	331	assert credentials._subject == self.SUBJECT
				332	assert credentials._audience == self.AUDIENCE
				333	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				334
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	335	def test_from_service_account_file(self):
				336	info = SERVICE_ACCOUNT_INFO.copy()
				337
				338	credentials = jwt.Credentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	339	SERVICE_ACCOUNT_JSON_FILE, audience=self.AUDIENCE
				340	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	341
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	342	assert credentials._signer.key_id == info["private_key_id"]
				343	assert credentials._issuer == info["client_email"]
				344	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	345	assert credentials._audience == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	346
				347	def test_from_service_account_file_args(self):
				348	info = SERVICE_ACCOUNT_INFO.copy()
				349
				350	credentials = jwt.Credentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	351	SERVICE_ACCOUNT_JSON_FILE,
				352	subject=self.SUBJECT,
				353	audience=self.AUDIENCE,
				354	additional_claims=self.ADDITIONAL_CLAIMS,
				355	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	356
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	357	assert credentials._signer.key_id == info["private_key_id"]
				358	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	359	assert credentials._subject == self.SUBJECT
				360	assert credentials._audience == self.AUDIENCE
				361	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				362
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	363	def test_from_signing_credentials(self):
				364	jwt_from_signing = self.credentials.from_signing_credentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	365	self.credentials, audience=mock.sentinel.new_audience
				366	)
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	367	jwt_from_info = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	368	SERVICE_ACCOUNT_INFO, audience=mock.sentinel.new_audience
				369	)
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	370
				371	assert isinstance(jwt_from_signing, jwt.Credentials)
				372	assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
				373	assert jwt_from_signing._issuer == jwt_from_info._issuer
				374	assert jwt_from_signing._subject == jwt_from_info._subject
				375	assert jwt_from_signing._audience == jwt_from_info._audience
				376
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	377	def test_default_state(self):
				378	assert not self.credentials.valid
				379	# Expiration hasn't been set yet
				380	assert not self.credentials.expired
				381
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	382	def test_with_claims(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	383	new_audience = "new_audience"
				384	new_credentials = self.credentials.with_claims(audience=new_audience)
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	385
				386	assert new_credentials._signer == self.credentials._signer
				387	assert new_credentials._issuer == self.credentials._issuer
				388	assert new_credentials._subject == self.credentials._subject
				389	assert new_credentials._audience == new_audience
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	390	assert new_credentials._additional_claims == self.credentials._additional_claims
Bu Sun Kim	3dda7b2	2020-07-09 10:39:39 -0700	[diff] [blame]	391	assert new_credentials._quota_project_id == self.credentials._quota_project_id
				392
arithmetic1728	2cfe655	2021-06-16 15:30:36 -0700	[diff] [blame]	393	def test__make_jwt_without_audience(self):
				394	cred = jwt.Credentials.from_service_account_info(
				395	SERVICE_ACCOUNT_INFO.copy(),
				396	subject=self.SUBJECT,
				397	audience=None,
				398	additional_claims={"scope": "foo bar"},
				399	)
				400	token, _ = cred._make_jwt()
				401	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
				402	assert payload["scope"] == "foo bar"
				403	assert "aud" not in payload
				404
Bu Sun Kim	3dda7b2	2020-07-09 10:39:39 -0700	[diff] [blame]	405	def test_with_quota_project(self):
				406	quota_project_id = "project-foo"
				407
				408	new_credentials = self.credentials.with_quota_project(quota_project_id)
				409	assert new_credentials._signer == self.credentials._signer
				410	assert new_credentials._issuer == self.credentials._issuer
				411	assert new_credentials._subject == self.credentials._subject
				412	assert new_credentials._audience == self.credentials._audience
				413	assert new_credentials._additional_claims == self.credentials._additional_claims
				414	assert new_credentials._quota_project_id == quota_project_id
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	415
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	416	def test_sign_bytes(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	417	to_sign = b"123"
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	418	signature = self.credentials.sign_bytes(to_sign)
				419	assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
				420
Jon Wayne Parrott	d722167	2017-02-16 09:05:11 -0800	[diff] [blame]	421	def test_signer(self):
Jon Wayne Parrott	254befe	2017-02-22 14:37:31 -0800	[diff] [blame]	422	assert isinstance(self.credentials.signer, crypt.RSASigner)
Jon Wayne Parrott	d722167	2017-02-16 09:05:11 -0800	[diff] [blame]	423
Jon Wayne Parrott	4c883f0	2016-12-02 14:26:33 -0800	[diff] [blame]	424	def test_signer_email(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	425	assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"]
Jon Wayne Parrott	4c883f0	2016-12-02 14:26:33 -0800	[diff] [blame]	426
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	427	def _verify_token(self, token):
				428	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	429	assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	430	return payload
				431
				432	def test_refresh(self):
				433	self.credentials.refresh(None)
				434	assert self.credentials.valid
				435	assert not self.credentials.expired
				436
				437	def test_expired(self):
				438	assert not self.credentials.expired
				439
				440	self.credentials.refresh(None)
				441	assert not self.credentials.expired
				442
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	443	with mock.patch("google.auth._helpers.utcnow") as now:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	444	one_day = datetime.timedelta(days=1)
				445	now.return_value = self.credentials.expiry + one_day
				446	assert self.credentials.expired
				447
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	448	def test_before_request(self):
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	449	headers = {}
				450
				451	self.credentials.refresh(None)
				452	self.credentials.before_request(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	453	None, "GET", "http://example.com?a=1#3", headers
				454	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	455
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	456	header_value = headers["authorization"]
				457	_, token = header_value.split(" ")
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	458
				459	# Since the audience is set, it should use the existing token.
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	460	assert token.encode("utf-8") == self.credentials.token
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	461
				462	payload = self._verify_token(token)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	463	assert payload["aud"] == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	464
				465	def test_before_request_refreshes(self):
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	466	assert not self.credentials.valid
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	467	self.credentials.before_request(None, "GET", "http://example.com?a=1#3", {})
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	468	assert self.credentials.valid
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	469
				470
				471	class TestOnDemandCredentials(object):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	472	SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
				473	SUBJECT = "subject"
				474	ADDITIONAL_CLAIMS = {"meta": "data"}
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	475	credentials = None
				476
				477	@pytest.fixture(autouse=True)
				478	def credentials_fixture(self, signer):
				479	self.credentials = jwt.OnDemandCredentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	480	signer,
				481	self.SERVICE_ACCOUNT_EMAIL,
				482	self.SERVICE_ACCOUNT_EMAIL,
				483	max_cache_size=2,
				484	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	485
				486	def test_from_service_account_info(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	487	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	488	info = json.load(fh)
				489
				490	credentials = jwt.OnDemandCredentials.from_service_account_info(info)
				491
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	492	assert credentials._signer.key_id == info["private_key_id"]
				493	assert credentials._issuer == info["client_email"]
				494	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	495
				496	def test_from_service_account_info_args(self):
				497	info = SERVICE_ACCOUNT_INFO.copy()
				498
				499	credentials = jwt.OnDemandCredentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	500	info, subject=self.SUBJECT, additional_claims=self.ADDITIONAL_CLAIMS
				501	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	502
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	503	assert credentials._signer.key_id == info["private_key_id"]
				504	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	505	assert credentials._subject == self.SUBJECT
				506	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				507
				508	def test_from_service_account_file(self):
				509	info = SERVICE_ACCOUNT_INFO.copy()
				510
				511	credentials = jwt.OnDemandCredentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	512	SERVICE_ACCOUNT_JSON_FILE
				513	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	514
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	515	assert credentials._signer.key_id == info["private_key_id"]
				516	assert credentials._issuer == info["client_email"]
				517	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	518
				519	def test_from_service_account_file_args(self):
				520	info = SERVICE_ACCOUNT_INFO.copy()
				521
				522	credentials = jwt.OnDemandCredentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	523	SERVICE_ACCOUNT_JSON_FILE,
				524	subject=self.SUBJECT,
				525	additional_claims=self.ADDITIONAL_CLAIMS,
				526	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	527
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	528	assert credentials._signer.key_id == info["private_key_id"]
				529	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	530	assert credentials._subject == self.SUBJECT
				531	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				532
				533	def test_from_signing_credentials(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	534	jwt_from_signing = self.credentials.from_signing_credentials(self.credentials)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	535	jwt_from_info = jwt.OnDemandCredentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	536	SERVICE_ACCOUNT_INFO
				537	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	538
				539	assert isinstance(jwt_from_signing, jwt.OnDemandCredentials)
				540	assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
				541	assert jwt_from_signing._issuer == jwt_from_info._issuer
				542	assert jwt_from_signing._subject == jwt_from_info._subject
				543
				544	def test_default_state(self):
				545	# Credentials are always valid.
				546	assert self.credentials.valid
				547	# Credentials never expire.
				548	assert not self.credentials.expired
				549
				550	def test_with_claims(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	551	new_claims = {"meep": "moop"}
				552	new_credentials = self.credentials.with_claims(additional_claims=new_claims)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	553
				554	assert new_credentials._signer == self.credentials._signer
				555	assert new_credentials._issuer == self.credentials._issuer
				556	assert new_credentials._subject == self.credentials._subject
				557	assert new_credentials._additional_claims == new_claims
				558
Bu Sun Kim	3dda7b2	2020-07-09 10:39:39 -0700	[diff] [blame]	559	def test_with_quota_project(self):
				560	quota_project_id = "project-foo"
				561	new_credentials = self.credentials.with_quota_project(quota_project_id)
				562
				563	assert new_credentials._signer == self.credentials._signer
				564	assert new_credentials._issuer == self.credentials._issuer
				565	assert new_credentials._subject == self.credentials._subject
				566	assert new_credentials._additional_claims == self.credentials._additional_claims
				567	assert new_credentials._quota_project_id == quota_project_id
				568
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	569	def test_sign_bytes(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	570	to_sign = b"123"
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	571	signature = self.credentials.sign_bytes(to_sign)
				572	assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
				573
				574	def test_signer(self):
				575	assert isinstance(self.credentials.signer, crypt.RSASigner)
				576
				577	def test_signer_email(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	578	assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	579
				580	def _verify_token(self, token):
				581	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	582	assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	583	return payload
				584
				585	def test_refresh(self):
				586	with pytest.raises(exceptions.RefreshError):
				587	self.credentials.refresh(None)
				588
				589	def test_before_request(self):
				590	headers = {}
				591
				592	self.credentials.before_request(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	593	None, "GET", "http://example.com?a=1#3", headers
				594	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	595
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	596	_, token = headers["authorization"].split(" ")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	597	payload = self._verify_token(token)
				598
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	599	assert payload["aud"] == "http://example.com"
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	600
				601	# Making another request should re-use the same token.
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	602	self.credentials.before_request(None, "GET", "http://example.com?b=2", headers)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	603
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	604	_, new_token = headers["authorization"].split(" ")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	605
				606	assert new_token == token
				607
				608	def test_expired_token(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	609	self.credentials._cache["audience"] = (
				610	mock.sentinel.token,
				611	datetime.datetime.min,
				612	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	613
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	614	token = self.credentials._get_jwt_for_audience("audience")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	615
				616	assert token != mock.sentinel.token