Blame - tests/test_impersonated_credentials.py - platform/external/python/google-auth-library-python

2018-11-09 11:05:34 -0800

[diff] [blame]

1

2

#

3

# Licensed under the Apache License, Version 2.0 (the "License");

4

# you may not use this file except in compliance with the License.

5

# You may obtain a copy of the License at

6

#

7

# http://www.apache.org/licenses/LICENSE-2.0

8

#

9

# Unless required by applicable law or agreed to in writing, software

10

# distributed under the License is distributed on an "AS IS" BASIS,

11

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

12

# See the License for the specific language governing permissions and

13

# limitations under the License.

import datetime

import json

import os

import mock

import pytest

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

21

from six.moves import http_client

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

22

23

from google.auth import _helpers

24

from google.auth import crypt

25

from google.auth import exceptions

26

from google.auth import impersonated_credentials

27

from google.auth import transport

28

from google.auth.impersonated_credentials import Credentials

Bu Sun Kim

2020-03-13 13:21:18 -0700

[diff] [blame]

29

from google.oauth2 import credentials

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

30

from google.oauth2 import service_account

31

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

32

DATA_DIR = os.path.join(os.path.dirname(__file__), "", "data")

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

33

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

34

with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

35

PRIVATE_KEY_BYTES = fh.read()

36

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

37

SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

38

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

39

ID_TOKEN_DATA = (

40

"eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNhZDk3N2Ew"

41

"Yjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwc"

42

"zovL2Zvby5iYXIiLCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJle"

43

"HAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwiaXNzIjoiaHR0cHM6L"

44

"y9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwN"

45

"zA4NTY4In0.redacted"

46

)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

47

ID_TOKEN_EXPIRY = 1564475051

48

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

49

with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

50

SERVICE_ACCOUNT_INFO = json.load(fh)

51

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

52

SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")

53

TOKEN_URI = "https://example.com/oauth2/token"

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

@pytest.fixture

def mock_donor_credentials():

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

58

with mock.patch("google.oauth2._client.jwt_grant", autospec=True) as grant:

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

59

grant.return_value = (

60

"source token",

61

_helpers.utcnow() + datetime.timedelta(seconds=500),

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

62

{},

63

)

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

yield grant

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

67

class MockResponse:

68

def __init__(self, json_data, status_code):

69

self.json_data = json_data

70

self.status_code = status_code

71

72

def json(self):

73

return self.json_data

@pytest.fixture

def mock_authorizedsession_sign():

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

78

with mock.patch(

79

"google.auth.transport.requests.AuthorizedSession.request", autospec=True

80

) as auth_session:

81

data = {"keyId": "1", "signedBlob": "c2lnbmF0dXJl"}

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

82

auth_session.return_value = MockResponse(data, http_client.OK)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

yield auth_session

@pytest.fixture

def mock_authorizedsession_idtoken():

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

88

with mock.patch(

89

"google.auth.transport.requests.AuthorizedSession.request", autospec=True

90

) as auth_session:

91

data = {"token": ID_TOKEN_DATA}

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

92

auth_session.return_value = MockResponse(data, http_client.OK)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

yield auth_session

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

96

class TestImpersonatedCredentials(object):

97

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

98

SERVICE_ACCOUNT_EMAIL = "service-account@example.com"

99

TARGET_PRINCIPAL = "impersonated@project.iam.gserviceaccount.com"

100

TARGET_SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only"]

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

101

DELEGATES = []

102

LIFETIME = 3600

103

SOURCE_CREDENTIALS = service_account.Credentials(

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

104

SIGNER, SERVICE_ACCOUNT_EMAIL, TOKEN_URI

105

)

Bu Sun Kim

2020-03-13 13:21:18 -0700

[diff] [blame]

106

USER_SOURCE_CREDENTIALS = credentials.Credentials(token="ABCDE")

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

107

IAM_ENDPOINT_OVERRIDE = (

108

"https://us-east1-iamcredentials.googleapis.com/v1/projects/-"

109

+ "/serviceAccounts/{}:generateAccessToken".format(SERVICE_ACCOUNT_EMAIL)

110

)

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

111

Bu Sun Kim

2020-03-13 13:21:18 -0700

[diff] [blame]

112

def make_credentials(

113

self,

114

source_credentials=SOURCE_CREDENTIALS,

115

lifetime=LIFETIME,

116

target_principal=TARGET_PRINCIPAL,

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

117

iam_endpoint_override=None,

Bu Sun Kim

2020-03-13 13:21:18 -0700

[diff] [blame]

118

):

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

119

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

120

return Credentials(

Bu Sun Kim

2020-03-13 13:21:18 -0700

[diff] [blame]

121

source_credentials=source_credentials,

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

122

target_principal=target_principal,

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

123

target_scopes=self.TARGET_SCOPES,

124

delegates=self.DELEGATES,

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

125

lifetime=lifetime,

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

126

iam_endpoint_override=iam_endpoint_override,

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

127

)

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

128

Bu Sun Kim

2020-03-13 13:21:18 -0700

[diff] [blame]

129

def test_make_from_user_credentials(self):

130

credentials = self.make_credentials(

131

source_credentials=self.USER_SOURCE_CREDENTIALS

132

)

133

assert not credentials.valid

134

assert credentials.expired

135

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

136

def test_default_state(self):

137

credentials = self.make_credentials()

138

assert not credentials.valid

139

assert credentials.expired

140

arithmetic1728

2020-05-06 16:00:17 -0700

[diff] [blame]

141

def make_request(

142

self,

143

data,

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

144

status=http_client.OK,

arithmetic1728

2020-05-06 16:00:17 -0700

[diff] [blame]

headers=None,

side_effect=None,

use_data_bytes=True,

):

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

149

response = mock.create_autospec(transport.Response, instance=False)

150

response.status = status

arithmetic1728

2020-05-06 16:00:17 -0700

[diff] [blame]

151

response.data = _helpers.to_bytes(data) if use_data_bytes else data

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

152

response.headers = headers or {}

153

154

request = mock.create_autospec(transport.Request, instance=False)

155

request.side_effect = side_effect

156

request.return_value = response

return request

arithmetic1728

2020-05-06 16:00:17 -0700

[diff] [blame]

160

@pytest.mark.parametrize("use_data_bytes", [True, False])

161

def test_refresh_success(self, use_data_bytes, mock_donor_credentials):

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

162

credentials = self.make_credentials(lifetime=None)

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

163

token = "token"

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

164

165

expire_time = (

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

166

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

167

).isoformat("T") + "Z"

168

response_body = {"accessToken": token, "expireTime": expire_time}

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

169

170

request = self.make_request(

arithmetic1728

2020-05-06 16:00:17 -0700

[diff] [blame]

171

data=json.dumps(response_body),

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

172

status=http_client.OK,

arithmetic1728

2020-05-06 16:00:17 -0700

[diff] [blame]

173

use_data_bytes=use_data_bytes,

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

174

)

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

175

176

credentials.refresh(request)

177

178

assert credentials.valid

179

assert not credentials.expired

180

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

181

@pytest.mark.parametrize("use_data_bytes", [True, False])

182

def test_refresh_success_iam_endpoint_override(

183

self, use_data_bytes, mock_donor_credentials

184

):

185

credentials = self.make_credentials(

186

lifetime=None, iam_endpoint_override=self.IAM_ENDPOINT_OVERRIDE

)

token = "token"

expire_time = (

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

192

).isoformat("T") + "Z"

193

response_body = {"accessToken": token, "expireTime": expire_time}

194

195

request = self.make_request(

196

data=json.dumps(response_body),

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

197

status=http_client.OK,

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

198

use_data_bytes=use_data_bytes,

199

)

200

201

credentials.refresh(request)

202

203

assert credentials.valid

204

assert not credentials.expired

205

# Confirm override endpoint used.

arithmetic1728

d80c85f

2021-03-08 13:35:44 -0800

[diff] [blame]

206

request_kwargs = request.call_args[1]

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

207

assert request_kwargs["url"] == self.IAM_ENDPOINT_OVERRIDE

208

arithmetic1728

2020-05-28 11:01:24 -0700

[diff] [blame]

209

@pytest.mark.parametrize("time_skew", [100, -100])

210

def test_refresh_source_credentials(self, time_skew):

211

credentials = self.make_credentials(lifetime=None)

212

213

# Source credentials is refreshed only if it is expired within

arithmetic1728

738611b

2021-09-09 17:09:54 -0700

[diff] [blame]

214

# _helpers.REFRESH_THRESHOLD from now. We add a time_skew to the expiry, so

arithmetic1728

2020-05-28 11:01:24 -0700

[diff] [blame]

215

# source credentials is refreshed only if time_skew <= 0.

216

credentials._source_credentials.expiry = (

217

_helpers.utcnow()

arithmetic1728

738611b

2021-09-09 17:09:54 -0700

[diff] [blame]

218

+ _helpers.REFRESH_THRESHOLD

arithmetic1728

2020-05-28 11:01:24 -0700

[diff] [blame]

219

+ datetime.timedelta(seconds=time_skew)

220

)

221

credentials._source_credentials.token = "Token"

222

223

with mock.patch(

224

"google.oauth2.service_account.Credentials.refresh", autospec=True

225

) as source_cred_refresh:

226

expire_time = (

227

_helpers.utcnow().replace(microsecond=0)

228

+ datetime.timedelta(seconds=500)

229

).isoformat("T") + "Z"

230

response_body = {"accessToken": "token", "expireTime": expire_time}

231

request = self.make_request(

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

232

data=json.dumps(response_body), status=http_client.OK

arithmetic1728

2020-05-28 11:01:24 -0700

[diff] [blame]

233

)

234

235

credentials.refresh(request)

236

237

assert credentials.valid

238

assert not credentials.expired

239

240

# Source credentials is refreshed only if it is expired within

arithmetic1728

738611b

2021-09-09 17:09:54 -0700

[diff] [blame]

241

# _helpers.REFRESH_THRESHOLD

arithmetic1728

2020-05-28 11:01:24 -0700

[diff] [blame]

242

if time_skew > 0:

243

source_cred_refresh.assert_not_called()

244

else:

245

source_cred_refresh.assert_called_once()

246

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

247

def test_refresh_failure_malformed_expire_time(self, mock_donor_credentials):

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

248

credentials = self.make_credentials(lifetime=None)

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

249

token = "token"

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

250

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

251

expire_time = (_helpers.utcnow() + datetime.timedelta(seconds=500)).isoformat(

252

"T"

253

)

254

response_body = {"accessToken": token, "expireTime": expire_time}

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

255

256

request = self.make_request(

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

257

data=json.dumps(response_body), status=http_client.OK

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

258

)

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

259

260

with pytest.raises(exceptions.RefreshError) as excinfo:

261

credentials.refresh(request)

262

263

assert excinfo.match(impersonated_credentials._REFRESH_ERROR)

264

265

assert not credentials.valid

266

assert credentials.expired

267

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

268

def test_refresh_failure_unauthorzed(self, mock_donor_credentials):

269

credentials = self.make_credentials(lifetime=None)

270

271

response_body = {

272

"error": {

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

273

"code": 403,

274

"message": "The caller does not have permission",

275

"status": "PERMISSION_DENIED",

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

}

}

request = self.make_request(

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

280

data=json.dumps(response_body), status=http_client.UNAUTHORIZED

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

281

)

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

282

283

with pytest.raises(exceptions.RefreshError) as excinfo:

284

credentials.refresh(request)

285

286

assert excinfo.match(impersonated_credentials._REFRESH_ERROR)

287

288

assert not credentials.valid

289

assert credentials.expired

290

291

def test_refresh_failure_http_error(self, mock_donor_credentials):

292

credentials = self.make_credentials(lifetime=None)

response_body = {}

request = self.make_request(

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

297

data=json.dumps(response_body), status=http_client.HTTPException

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

298

)

salrashid123

2018-11-09 11:05:34 -0800

[diff] [blame]

299

300

with pytest.raises(exceptions.RefreshError) as excinfo:

301

credentials.refresh(request)

302

303

assert excinfo.match(impersonated_credentials._REFRESH_ERROR)

304

305

assert not credentials.valid

306

assert credentials.expired

307

308

def test_expired(self):

309

credentials = self.make_credentials(lifetime=None)

310

assert credentials.expired

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

311

312

def test_signer(self):

313

credentials = self.make_credentials()

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

314

assert isinstance(credentials.signer, impersonated_credentials.Credentials)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

315

316

def test_signer_email(self):

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

317

credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

318

assert credentials.signer_email == self.TARGET_PRINCIPAL

319

320

def test_service_account_email(self):

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

321

credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

322

assert credentials.service_account_email == self.TARGET_PRINCIPAL

323

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

324

def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign):

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

325

credentials = self.make_credentials(lifetime=None)

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

326

token = "token"

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

327

328

expire_time = (

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

329

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

330

).isoformat("T") + "Z"

331

token_response_body = {"accessToken": token, "expireTime": expire_time}

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

332

333

response = mock.create_autospec(transport.Response, instance=False)

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

334

response.status = http_client.OK

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

335

response.data = _helpers.to_bytes(json.dumps(token_response_body))

336

337

request = mock.create_autospec(transport.Request, instance=False)

338

request.return_value = response

339

340

credentials.refresh(request)

341

342

assert credentials.valid

343

assert not credentials.expired

344

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

345

signature = credentials.sign_bytes(b"signed bytes")

346

assert signature == b"signature"

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

347

arithmetic1728

ef31284

2021-11-01 13:10:17 -0700

[diff] [blame]

348

def test_sign_bytes_failure(self):

349

credentials = self.make_credentials(lifetime=None)

350

351

with mock.patch(

352

"google.auth.transport.requests.AuthorizedSession.request", autospec=True

353

) as auth_session:

354

data = {"error": {"code": 403, "message": "unauthorized"}}

355

auth_session.return_value = MockResponse(data, http_client.FORBIDDEN)

356

357

with pytest.raises(exceptions.TransportError) as excinfo:

358

credentials.sign_bytes(b"foo")

359

assert excinfo.match("'code': 403")

360

Bu Sun Kim

3dda7b2

2020-07-09 10:39:39 -0700

[diff] [blame]

361

def test_with_quota_project(self):

362

credentials = self.make_credentials()

363

364

quota_project_creds = credentials.with_quota_project("project-foo")

365

assert quota_project_creds._quota_project_id == "project-foo"

366

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

367

@pytest.mark.parametrize("use_data_bytes", [True, False])

368

def test_with_quota_project_iam_endpoint_override(

369

self, use_data_bytes, mock_donor_credentials

370

):

371

credentials = self.make_credentials(

372

lifetime=None, iam_endpoint_override=self.IAM_ENDPOINT_OVERRIDE

373

)

374

token = "token"

375

# iam_endpoint_override should be copied to created credentials.

376

quota_project_creds = credentials.with_quota_project("project-foo")

377

378

expire_time = (

379

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

380

).isoformat("T") + "Z"

381

response_body = {"accessToken": token, "expireTime": expire_time}

382

383

request = self.make_request(

384

data=json.dumps(response_body),

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

385

status=http_client.OK,

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

386

use_data_bytes=use_data_bytes,

387

)

388

389

quota_project_creds.refresh(request)

390

391

assert quota_project_creds.valid

392

assert not quota_project_creds.expired

393

# Confirm override endpoint used.

arithmetic1728

d80c85f

2021-03-08 13:35:44 -0800

[diff] [blame]

394

request_kwargs = request.call_args[1]

bojeil-google

2021-02-16 12:33:20 -0800

[diff] [blame]

395

assert request_kwargs["url"] == self.IAM_ENDPOINT_OVERRIDE

396

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

397

def test_id_token_success(

398

self, mock_donor_credentials, mock_authorizedsession_idtoken

399

):

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

400

credentials = self.make_credentials(lifetime=None)

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

401

token = "token"

402

target_audience = "https://foo.bar"

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

403

404

expire_time = (

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

405

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

406

).isoformat("T") + "Z"

407

response_body = {"accessToken": token, "expireTime": expire_time}

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

408

409

request = self.make_request(

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

410

data=json.dumps(response_body), status=http_client.OK

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

411

)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

412

413

credentials.refresh(request)

414

415

assert credentials.valid

416

assert not credentials.expired

417

418

id_creds = impersonated_credentials.IDTokenCredentials(

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

419

credentials, target_audience=target_audience

420

)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

421

id_creds.refresh(request)

422

423

assert id_creds.token == ID_TOKEN_DATA

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

424

assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

425

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

426

def test_id_token_from_credential(

427

self, mock_donor_credentials, mock_authorizedsession_idtoken

428

):

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

429

credentials = self.make_credentials(lifetime=None)

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

430

token = "token"

431

target_audience = "https://foo.bar"

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

432

433

expire_time = (

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

434

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

435

).isoformat("T") + "Z"

436

response_body = {"accessToken": token, "expireTime": expire_time}

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

437

438

request = self.make_request(

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

439

data=json.dumps(response_body), status=http_client.OK

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

440

)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

441

442

credentials.refresh(request)

443

444

assert credentials.valid

445

assert not credentials.expired

446

447

id_creds = impersonated_credentials.IDTokenCredentials(

Pietro De Nicolao

2020-12-11 20:00:30 +0100

[diff] [blame]

448

credentials, target_audience=target_audience, include_email=True

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

449

)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

450

id_creds = id_creds.from_credentials(target_credentials=credentials)

451

id_creds.refresh(request)

452

453

assert id_creds.token == ID_TOKEN_DATA

Pietro De Nicolao

2020-12-11 20:00:30 +0100

[diff] [blame]

454

assert id_creds._include_email is True

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

455

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

456

def test_id_token_with_target_audience(

457

self, mock_donor_credentials, mock_authorizedsession_idtoken

458

):

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

459

credentials = self.make_credentials(lifetime=None)

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

460

token = "token"

461

target_audience = "https://foo.bar"

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

462

463

expire_time = (

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

464

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

465

).isoformat("T") + "Z"

466

response_body = {"accessToken": token, "expireTime": expire_time}

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

467

468

request = self.make_request(

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

469

data=json.dumps(response_body), status=http_client.OK

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

470

)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

471

472

credentials.refresh(request)

473

474

assert credentials.valid

475

assert not credentials.expired

476

Pietro De Nicolao

2020-12-11 20:00:30 +0100

[diff] [blame]

477

id_creds = impersonated_credentials.IDTokenCredentials(

478

credentials, include_email=True

479

)

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

480

id_creds = id_creds.with_target_audience(target_audience=target_audience)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

481

id_creds.refresh(request)

482

483

assert id_creds.token == ID_TOKEN_DATA

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

484

assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)

Pietro De Nicolao

2020-12-11 20:00:30 +0100

[diff] [blame]

485

assert id_creds._include_email is True

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

486

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

487

def test_id_token_invalid_cred(

488

self, mock_donor_credentials, mock_authorizedsession_idtoken

489

):

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

490

credentials = None

491

492

with pytest.raises(exceptions.GoogleAuthError) as excinfo:

493

impersonated_credentials.IDTokenCredentials(credentials)

494

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

495

assert excinfo.match("Provided Credential must be" " impersonated_credentials")

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

496

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

497

def test_id_token_with_include_email(

498

self, mock_donor_credentials, mock_authorizedsession_idtoken

499

):

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

500

credentials = self.make_credentials(lifetime=None)

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

501

token = "token"

502

target_audience = "https://foo.bar"

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

503

504

expire_time = (

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

505

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

506

).isoformat("T") + "Z"

507

response_body = {"accessToken": token, "expireTime": expire_time}

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

508

509

request = self.make_request(

arithmetic1728

2021-10-21 15:25:46 -0700

[diff] [blame]

510

data=json.dumps(response_body), status=http_client.OK

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

511

)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

512

513

credentials.refresh(request)

514

515

assert credentials.valid

516

assert not credentials.expired

517

518

id_creds = impersonated_credentials.IDTokenCredentials(

Bu Sun Kim

2019-10-21 17:04:21 -0700

[diff] [blame]

519

credentials, target_audience=target_audience

520

)

salrashid123

2019-08-07 14:31:33 -0700

[diff] [blame]

521

id_creds = id_creds.with_include_email(True)

522

id_creds.refresh(request)

523

524

assert id_creds.token == ID_TOKEN_DATA

Bu Sun Kim

3dda7b2

2020-07-09 10:39:39 -0700

[diff] [blame]

525

526

def test_id_token_with_quota_project(

527

self, mock_donor_credentials, mock_authorizedsession_idtoken

528

):

529

credentials = self.make_credentials(lifetime=None)

530

token = "token"

531

target_audience = "https://foo.bar"

532

533

expire_time = (

534

_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)

535

).isoformat("T") + "Z"

536

response_body = {"accessToken": token, "expireTime": expire_time}

537

538

request = self.make_request(

arithmetic1728