C.J. Collier | 37141e4 | 2020-02-13 13:49:49 -0800 | [diff] [blame] | 1 | # Copyright 2016 Google LLC |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | # you may not use this file except in compliance with the License. |
| 5 | # You may obtain a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | # See the License for the specific language governing permissions and |
| 13 | # limitations under the License. |
| 14 | |
| 15 | import datetime |
| 16 | |
| 17 | import mock |
| 18 | import pytest |
| 19 | |
| 20 | from google.auth import app_engine |
| 21 | |
| 22 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 23 | class _AppIdentityModule(object): |
| 24 | """The interface of the App Idenity app engine module. |
| 25 | See https://cloud.google.com/appengine/docs/standard/python/refdocs |
| 26 | /google.appengine.api.app_identity.app_identity |
| 27 | """ |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 28 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 29 | def get_application_id(self): |
| 30 | raise NotImplementedError() |
| 31 | |
| 32 | def sign_blob(self, bytes_to_sign, deadline=None): |
| 33 | raise NotImplementedError() |
| 34 | |
| 35 | def get_service_account_name(self, deadline=None): |
| 36 | raise NotImplementedError() |
| 37 | |
| 38 | def get_access_token(self, scopes, service_account_id=None): |
| 39 | raise NotImplementedError() |
| 40 | |
| 41 | |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 42 | @pytest.fixture |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 43 | def app_identity(monkeypatch): |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 44 | """Mocks the app_identity module for google.auth.app_engine.""" |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 45 | app_identity_module = mock.create_autospec(_AppIdentityModule, instance=True) |
| 46 | monkeypatch.setattr(app_engine, "app_identity", app_identity_module) |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 47 | yield app_identity_module |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 48 | |
| 49 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 50 | def test_get_project_id(app_identity): |
| 51 | app_identity.get_application_id.return_value = mock.sentinel.project |
Jon Wayne Parrott | 2148fde | 2016-10-24 13:44:25 -0700 | [diff] [blame] | 52 | assert app_engine.get_project_id() == mock.sentinel.project |
| 53 | |
| 54 | |
Zev Goldstein | 7f7d92d | 2021-07-23 15:52:46 -0400 | [diff] [blame^] | 55 | @mock.patch.object(app_engine, "app_identity", new=None) |
Jon Wayne Parrott | 2148fde | 2016-10-24 13:44:25 -0700 | [diff] [blame] | 56 | def test_get_project_id_missing_apis(): |
| 57 | with pytest.raises(EnvironmentError) as excinfo: |
| 58 | assert app_engine.get_project_id() |
| 59 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 60 | assert excinfo.match(r"App Engine APIs are not available") |
Jon Wayne Parrott | 2148fde | 2016-10-24 13:44:25 -0700 | [diff] [blame] | 61 | |
| 62 | |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 63 | class TestSigner(object): |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 64 | def test_key_id(self, app_identity): |
| 65 | app_identity.sign_blob.return_value = ( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 66 | mock.sentinel.key_id, |
| 67 | mock.sentinel.signature, |
| 68 | ) |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 69 | |
| 70 | signer = app_engine.Signer() |
| 71 | |
Jon Wayne Parrott | 254befe | 2017-02-22 14:37:31 -0800 | [diff] [blame] | 72 | assert signer.key_id is None |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 73 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 74 | def test_sign(self, app_identity): |
| 75 | app_identity.sign_blob.return_value = ( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 76 | mock.sentinel.key_id, |
| 77 | mock.sentinel.signature, |
| 78 | ) |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 79 | |
| 80 | signer = app_engine.Signer() |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 81 | to_sign = b"123" |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 82 | |
| 83 | signature = signer.sign(to_sign) |
| 84 | |
| 85 | assert signature == mock.sentinel.signature |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 86 | app_identity.sign_blob.assert_called_with(to_sign) |
Jon Wayne Parrott | 5b4e9c8 | 2017-02-15 16:44:00 -0800 | [diff] [blame] | 87 | |
| 88 | |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 89 | class TestCredentials(object): |
Zev Goldstein | 7f7d92d | 2021-07-23 15:52:46 -0400 | [diff] [blame^] | 90 | @mock.patch.object(app_engine, "app_identity", new=None) |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 91 | def test_missing_apis(self): |
| 92 | with pytest.raises(EnvironmentError) as excinfo: |
| 93 | app_engine.Credentials() |
| 94 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 95 | assert excinfo.match(r"App Engine APIs are not available") |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 96 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 97 | def test_default_state(self, app_identity): |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 98 | credentials = app_engine.Credentials() |
| 99 | |
| 100 | # Not token acquired yet |
| 101 | assert not credentials.valid |
| 102 | # Expiration hasn't been set yet |
| 103 | assert not credentials.expired |
| 104 | # Scopes are required |
| 105 | assert not credentials.scopes |
Bu Sun Kim | bf5ce0c | 2021-02-01 15:17:49 -0700 | [diff] [blame] | 106 | assert not credentials.default_scopes |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 107 | assert credentials.requires_scopes |
Bu Sun Kim | 3dda7b2 | 2020-07-09 10:39:39 -0700 | [diff] [blame] | 108 | assert not credentials.quota_project_id |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 109 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 110 | def test_with_scopes(self, app_identity): |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 111 | credentials = app_engine.Credentials() |
| 112 | |
| 113 | assert not credentials.scopes |
| 114 | assert credentials.requires_scopes |
| 115 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 116 | scoped_credentials = credentials.with_scopes(["email"]) |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 117 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 118 | assert scoped_credentials.has_scopes(["email"]) |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 119 | assert not scoped_credentials.requires_scopes |
| 120 | |
Bu Sun Kim | bf5ce0c | 2021-02-01 15:17:49 -0700 | [diff] [blame] | 121 | def test_with_default_scopes(self, app_identity): |
| 122 | credentials = app_engine.Credentials() |
| 123 | |
| 124 | assert not credentials.scopes |
| 125 | assert not credentials.default_scopes |
| 126 | assert credentials.requires_scopes |
| 127 | |
| 128 | scoped_credentials = credentials.with_scopes( |
| 129 | scopes=None, default_scopes=["email"] |
| 130 | ) |
| 131 | |
| 132 | assert scoped_credentials.has_scopes(["email"]) |
| 133 | assert not scoped_credentials.requires_scopes |
| 134 | |
Bu Sun Kim | 3dda7b2 | 2020-07-09 10:39:39 -0700 | [diff] [blame] | 135 | def test_with_quota_project(self, app_identity): |
| 136 | credentials = app_engine.Credentials() |
| 137 | |
| 138 | assert not credentials.scopes |
| 139 | assert not credentials.quota_project_id |
| 140 | |
| 141 | quota_project_creds = credentials.with_quota_project("project-foo") |
| 142 | |
| 143 | assert quota_project_creds.quota_project_id == "project-foo" |
| 144 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 145 | def test_service_account_email_implicit(self, app_identity): |
| 146 | app_identity.get_service_account_name.return_value = ( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 147 | mock.sentinel.service_account_email |
| 148 | ) |
Jon Wayne Parrott | 61ffb05 | 2016-11-08 09:30:30 -0800 | [diff] [blame] | 149 | credentials = app_engine.Credentials() |
| 150 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 151 | assert credentials.service_account_email == mock.sentinel.service_account_email |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 152 | assert app_identity.get_service_account_name.called |
Jon Wayne Parrott | 61ffb05 | 2016-11-08 09:30:30 -0800 | [diff] [blame] | 153 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 154 | def test_service_account_email_explicit(self, app_identity): |
Jon Wayne Parrott | 61ffb05 | 2016-11-08 09:30:30 -0800 | [diff] [blame] | 155 | credentials = app_engine.Credentials( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 156 | service_account_id=mock.sentinel.service_account_email |
| 157 | ) |
Jon Wayne Parrott | 61ffb05 | 2016-11-08 09:30:30 -0800 | [diff] [blame] | 158 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 159 | assert credentials.service_account_email == mock.sentinel.service_account_email |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 160 | assert not app_identity.get_service_account_name.called |
Jon Wayne Parrott | 61ffb05 | 2016-11-08 09:30:30 -0800 | [diff] [blame] | 161 | |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 162 | @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 163 | def test_refresh(self, utcnow, app_identity): |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 164 | token = "token" |
Jon Wayne Parrott | 1cba0f8 | 2017-09-12 10:21:02 -0700 | [diff] [blame] | 165 | ttl = 643942923 |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 166 | app_identity.get_access_token.return_value = token, ttl |
Bu Sun Kim | bf5ce0c | 2021-02-01 15:17:49 -0700 | [diff] [blame] | 167 | credentials = app_engine.Credentials( |
| 168 | scopes=["email"], default_scopes=["profile"] |
| 169 | ) |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 170 | |
| 171 | credentials.refresh(None) |
| 172 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 173 | app_identity.get_access_token.assert_called_with( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 174 | credentials.scopes, credentials._service_account_id |
| 175 | ) |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 176 | assert credentials.token == token |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 177 | assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3) |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 178 | assert credentials.valid |
| 179 | assert not credentials.expired |
| 180 | |
Bu Sun Kim | bf5ce0c | 2021-02-01 15:17:49 -0700 | [diff] [blame] | 181 | @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) |
| 182 | def test_refresh_with_default_scopes(self, utcnow, app_identity): |
| 183 | token = "token" |
| 184 | ttl = 643942923 |
| 185 | app_identity.get_access_token.return_value = token, ttl |
| 186 | credentials = app_engine.Credentials(default_scopes=["email"]) |
| 187 | |
| 188 | credentials.refresh(None) |
| 189 | |
| 190 | app_identity.get_access_token.assert_called_with( |
| 191 | credentials.default_scopes, credentials._service_account_id |
| 192 | ) |
| 193 | assert credentials.token == token |
| 194 | assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3) |
| 195 | assert credentials.valid |
| 196 | assert not credentials.expired |
| 197 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 198 | def test_sign_bytes(self, app_identity): |
| 199 | app_identity.sign_blob.return_value = ( |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 200 | mock.sentinel.key_id, |
| 201 | mock.sentinel.signature, |
| 202 | ) |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 203 | credentials = app_engine.Credentials() |
Bu Sun Kim | 9eec091 | 2019-10-21 17:04:21 -0700 | [diff] [blame] | 204 | to_sign = b"123" |
Jon Wayne Parrott | 0471475 | 2016-10-24 10:00:58 -0700 | [diff] [blame] | 205 | |
| 206 | signature = credentials.sign_bytes(to_sign) |
| 207 | |
| 208 | assert signature == mock.sentinel.signature |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 209 | app_identity.sign_blob.assert_called_with(to_sign) |
Jon Wayne Parrott | 4c883f0 | 2016-12-02 14:26:33 -0800 | [diff] [blame] | 210 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 211 | def test_signer(self, app_identity): |
Jon Wayne Parrott | d722167 | 2017-02-16 09:05:11 -0800 | [diff] [blame] | 212 | credentials = app_engine.Credentials() |
| 213 | assert isinstance(credentials.signer, app_engine.Signer) |
| 214 | |
Jon Wayne Parrott | 78fec2c | 2017-06-30 10:25:08 -0700 | [diff] [blame] | 215 | def test_signer_email(self, app_identity): |
Jon Wayne Parrott | 4c883f0 | 2016-12-02 14:26:33 -0800 | [diff] [blame] | 216 | credentials = app_engine.Credentials() |
| 217 | assert credentials.signer_email == credentials.service_account_email |