Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / 9eec091cd4340f8e57dd0e837a7e8df808f9f5bd / . / tests / test_impersonated_credentials.py
blob: 1cfcc7c6c1aa458c8d53f06f909dc55db7a2c8d3 [file] [log] [blame]
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]1# Copyright 2018 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15import datetime
16import json
17import os
18
19import mock
20import pytest
21from six.moves import http_client
22
23from google.auth import _helpers
24from google.auth import crypt
25from google.auth import exceptions
26from google.auth import impersonated_credentials
27from google.auth import transport
28from google.auth.impersonated_credentials import Credentials
29from google.oauth2 import service_account
30
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]31DATA_DIR = os.path.join(os.path.dirname(__file__), "", "data")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]32
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]33with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]34 PRIVATE_KEY_BYTES = fh.read()
35
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]36SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]37
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]38ID_TOKEN_DATA = (
39 "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNhZDk3N2Ew"
40 "Yjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwc"
41 "zovL2Zvby5iYXIiLCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJle"
42 "HAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwiaXNzIjoiaHR0cHM6L"
43 "y9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwN"
44 "zA4NTY4In0.redacted"
45)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]46ID_TOKEN_EXPIRY = 1564475051
47
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]48with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]49 SERVICE_ACCOUNT_INFO = json.load(fh)
50
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]51SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
52TOKEN_URI = "https://example.com/oauth2/token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]53
54
55@pytest.fixture
56def mock_donor_credentials():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]57 with mock.patch("google.oauth2._client.jwt_grant", autospec=True) as grant:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]58 grant.return_value = (
59 "source token",
60 _helpers.utcnow() + datetime.timedelta(seconds=500),
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]61 {},
62 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]63 yield grant
64
65
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]66class MockResponse:
67 def __init__(self, json_data, status_code):
68 self.json_data = json_data
69 self.status_code = status_code
70
71 def json(self):
72 return self.json_data
73
74
75@pytest.fixture
76def mock_authorizedsession_sign():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]77 with mock.patch(
78 "google.auth.transport.requests.AuthorizedSession.request", autospec=True
79 ) as auth_session:
80 data = {"keyId": "1", "signedBlob": "c2lnbmF0dXJl"}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]81 auth_session.return_value = MockResponse(data, http_client.OK)
82 yield auth_session
83
84
85@pytest.fixture
86def mock_authorizedsession_idtoken():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]87 with mock.patch(
88 "google.auth.transport.requests.AuthorizedSession.request", autospec=True
89 ) as auth_session:
90 data = {"token": ID_TOKEN_DATA}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]91 auth_session.return_value = MockResponse(data, http_client.OK)
92 yield auth_session
93
94
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]95class TestImpersonatedCredentials(object):
96
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]97 SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
98 TARGET_PRINCIPAL = "impersonated@project.iam.gserviceaccount.com"
99 TARGET_SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only"]
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]100 DELEGATES = []
101 LIFETIME = 3600
102 SOURCE_CREDENTIALS = service_account.Credentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]103 SIGNER, SERVICE_ACCOUNT_EMAIL, TOKEN_URI
104 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]105
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]106 def make_credentials(self, lifetime=LIFETIME, target_principal=TARGET_PRINCIPAL):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]107
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]108 return Credentials(
109 source_credentials=self.SOURCE_CREDENTIALS,
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]110 target_principal=target_principal,
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]111 target_scopes=self.TARGET_SCOPES,
112 delegates=self.DELEGATES,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]113 lifetime=lifetime,
114 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]115
116 def test_default_state(self):
117 credentials = self.make_credentials()
118 assert not credentials.valid
119 assert credentials.expired
120
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]121 def make_request(self, data, status=http_client.OK, headers=None, side_effect=None):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]122 response = mock.create_autospec(transport.Response, instance=False)
123 response.status = status
124 response.data = _helpers.to_bytes(data)
125 response.headers = headers or {}
126
127 request = mock.create_autospec(transport.Request, instance=False)
128 request.side_effect = side_effect
129 request.return_value = response
130
131 return request
132
133 def test_refresh_success(self, mock_donor_credentials):
134 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]135 token = "token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]136
137 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]138 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
139 ).isoformat("T") + "Z"
140 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]141
142 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]143 data=json.dumps(response_body), status=http_client.OK
144 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]145
146 credentials.refresh(request)
147
148 assert credentials.valid
149 assert not credentials.expired
150
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]151 def test_refresh_failure_malformed_expire_time(self, mock_donor_credentials):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]152 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]153 token = "token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]154
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]155 expire_time = (_helpers.utcnow() + datetime.timedelta(seconds=500)).isoformat(
156 "T"
157 )
158 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]159
160 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]161 data=json.dumps(response_body), status=http_client.OK
162 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]163
164 with pytest.raises(exceptions.RefreshError) as excinfo:
165 credentials.refresh(request)
166
167 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
168
169 assert not credentials.valid
170 assert credentials.expired
171
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]172 def test_refresh_failure_unauthorzed(self, mock_donor_credentials):
173 credentials = self.make_credentials(lifetime=None)
174
175 response_body = {
176 "error": {
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]177 "code": 403,
178 "message": "The caller does not have permission",
179 "status": "PERMISSION_DENIED",
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]180 }
181 }
182
183 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]184 data=json.dumps(response_body), status=http_client.UNAUTHORIZED
185 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]186
187 with pytest.raises(exceptions.RefreshError) as excinfo:
188 credentials.refresh(request)
189
190 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
191
192 assert not credentials.valid
193 assert credentials.expired
194
195 def test_refresh_failure_http_error(self, mock_donor_credentials):
196 credentials = self.make_credentials(lifetime=None)
197
198 response_body = {}
199
200 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]201 data=json.dumps(response_body), status=http_client.HTTPException
202 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]203
204 with pytest.raises(exceptions.RefreshError) as excinfo:
205 credentials.refresh(request)
206
207 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
208
209 assert not credentials.valid
210 assert credentials.expired
211
212 def test_expired(self):
213 credentials = self.make_credentials(lifetime=None)
214 assert credentials.expired
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]215
216 def test_signer(self):
217 credentials = self.make_credentials()
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]218 assert isinstance(credentials.signer, impersonated_credentials.Credentials)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]219
220 def test_signer_email(self):
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]221 credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]222 assert credentials.signer_email == self.TARGET_PRINCIPAL
223
224 def test_service_account_email(self):
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]225 credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]226 assert credentials.service_account_email == self.TARGET_PRINCIPAL
227
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]228 def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]229 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]230 token = "token"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]231
232 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]233 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
234 ).isoformat("T") + "Z"
235 token_response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]236
237 response = mock.create_autospec(transport.Response, instance=False)
238 response.status = http_client.OK
239 response.data = _helpers.to_bytes(json.dumps(token_response_body))
240
241 request = mock.create_autospec(transport.Request, instance=False)
242 request.return_value = response
243
244 credentials.refresh(request)
245
246 assert credentials.valid
247 assert not credentials.expired
248
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]249 signature = credentials.sign_bytes(b"signed bytes")
250 assert signature == b"signature"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]251
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]252 def test_id_token_success(
253 self, mock_donor_credentials, mock_authorizedsession_idtoken
254 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]255 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]256 token = "token"
257 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]258
259 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]260 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
261 ).isoformat("T") + "Z"
262 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]263
264 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]265 data=json.dumps(response_body), status=http_client.OK
266 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]267
268 credentials.refresh(request)
269
270 assert credentials.valid
271 assert not credentials.expired
272
273 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]274 credentials, target_audience=target_audience
275 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]276 id_creds.refresh(request)
277
278 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]279 assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]280
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]281 def test_id_token_from_credential(
282 self, mock_donor_credentials, mock_authorizedsession_idtoken
283 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]284 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]285 token = "token"
286 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]287
288 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]289 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
290 ).isoformat("T") + "Z"
291 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]292
293 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]294 data=json.dumps(response_body), status=http_client.OK
295 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]296
297 credentials.refresh(request)
298
299 assert credentials.valid
300 assert not credentials.expired
301
302 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]303 credentials, target_audience=target_audience
304 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]305 id_creds = id_creds.from_credentials(target_credentials=credentials)
306 id_creds.refresh(request)
307
308 assert id_creds.token == ID_TOKEN_DATA
309
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]310 def test_id_token_with_target_audience(
311 self, mock_donor_credentials, mock_authorizedsession_idtoken
312 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]313 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]314 token = "token"
315 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]316
317 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]318 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
319 ).isoformat("T") + "Z"
320 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]321
322 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]323 data=json.dumps(response_body), status=http_client.OK
324 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]325
326 credentials.refresh(request)
327
328 assert credentials.valid
329 assert not credentials.expired
330
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]331 id_creds = impersonated_credentials.IDTokenCredentials(credentials)
332 id_creds = id_creds.with_target_audience(target_audience=target_audience)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]333 id_creds.refresh(request)
334
335 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]336 assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]337
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]338 def test_id_token_invalid_cred(
339 self, mock_donor_credentials, mock_authorizedsession_idtoken
340 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]341 credentials = None
342
343 with pytest.raises(exceptions.GoogleAuthError) as excinfo:
344 impersonated_credentials.IDTokenCredentials(credentials)
345
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]346 assert excinfo.match("Provided Credential must be" " impersonated_credentials")
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]347
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]348 def test_id_token_with_include_email(
349 self, mock_donor_credentials, mock_authorizedsession_idtoken
350 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]351 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]352 token = "token"
353 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]354
355 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]356 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
357 ).isoformat("T") + "Z"
358 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]359
360 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]361 data=json.dumps(response_body), status=http_client.OK
362 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]363
364 credentials.refresh(request)
365
366 assert credentials.valid
367 assert not credentials.expired
368
369 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame^]370 credentials, target_audience=target_audience
371 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]372 id_creds = id_creds.with_include_email(True)
373 id_creds.refresh(request)
374
375 assert id_creds.token == ID_TOKEN_DATA