Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / e115bae9b725215945fda7d50805fe3ba6e597f9 / . / tests / test_impersonated_credentials.py
blob: 19e2f342161627877428986ec304f4c1b079c597 [file] [log] [blame]
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]1# Copyright 2018 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15import datetime
16import json
17import os
18
19import mock
20import pytest
21from six.moves import http_client
22
23from google.auth import _helpers
24from google.auth import crypt
25from google.auth import exceptions
26from google.auth import impersonated_credentials
27from google.auth import transport
28from google.auth.impersonated_credentials import Credentials
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]29from google.oauth2 import credentials
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]30from google.oauth2 import service_account
31
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]32DATA_DIR = os.path.join(os.path.dirname(__file__), "", "data")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]33
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]34with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]35 PRIVATE_KEY_BYTES = fh.read()
36
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]37SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]38
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]39ID_TOKEN_DATA = (
40 "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNhZDk3N2Ew"
41 "Yjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwc"
42 "zovL2Zvby5iYXIiLCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJle"
43 "HAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwiaXNzIjoiaHR0cHM6L"
44 "y9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwN"
45 "zA4NTY4In0.redacted"
46)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]47ID_TOKEN_EXPIRY = 1564475051
48
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]49with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]50 SERVICE_ACCOUNT_INFO = json.load(fh)
51
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]52SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
53TOKEN_URI = "https://example.com/oauth2/token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]54
55
56@pytest.fixture
57def mock_donor_credentials():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]58 with mock.patch("google.oauth2._client.jwt_grant", autospec=True) as grant:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]59 grant.return_value = (
60 "source token",
61 _helpers.utcnow() + datetime.timedelta(seconds=500),
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]62 {},
63 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]64 yield grant
65
66
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]67class MockResponse:
68 def __init__(self, json_data, status_code):
69 self.json_data = json_data
70 self.status_code = status_code
71
72 def json(self):
73 return self.json_data
74
75
76@pytest.fixture
77def mock_authorizedsession_sign():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]78 with mock.patch(
79 "google.auth.transport.requests.AuthorizedSession.request", autospec=True
80 ) as auth_session:
81 data = {"keyId": "1", "signedBlob": "c2lnbmF0dXJl"}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]82 auth_session.return_value = MockResponse(data, http_client.OK)
83 yield auth_session
84
85
86@pytest.fixture
87def mock_authorizedsession_idtoken():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]88 with mock.patch(
89 "google.auth.transport.requests.AuthorizedSession.request", autospec=True
90 ) as auth_session:
91 data = {"token": ID_TOKEN_DATA}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]92 auth_session.return_value = MockResponse(data, http_client.OK)
93 yield auth_session
94
95
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]96class TestImpersonatedCredentials(object):
97
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]98 SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
99 TARGET_PRINCIPAL = "impersonated@project.iam.gserviceaccount.com"
100 TARGET_SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only"]
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]101 DELEGATES = []
102 LIFETIME = 3600
103 SOURCE_CREDENTIALS = service_account.Credentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]104 SIGNER, SERVICE_ACCOUNT_EMAIL, TOKEN_URI
105 )
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]106 USER_SOURCE_CREDENTIALS = credentials.Credentials(token="ABCDE")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]107
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]108 def make_credentials(
109 self,
110 source_credentials=SOURCE_CREDENTIALS,
111 lifetime=LIFETIME,
112 target_principal=TARGET_PRINCIPAL,
113 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]114
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]115 return Credentials(
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]116 source_credentials=source_credentials,
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]117 target_principal=target_principal,
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]118 target_scopes=self.TARGET_SCOPES,
119 delegates=self.DELEGATES,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]120 lifetime=lifetime,
121 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]122
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]123 def test_make_from_user_credentials(self):
124 credentials = self.make_credentials(
125 source_credentials=self.USER_SOURCE_CREDENTIALS
126 )
127 assert not credentials.valid
128 assert credentials.expired
129
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]130 def test_default_state(self):
131 credentials = self.make_credentials()
132 assert not credentials.valid
133 assert credentials.expired
134
arithmetic1728e115bae2020-05-06 16:00:17 -0700[diff] [blame^]135 def make_request(
136 self,
137 data,
138 status=http_client.OK,
139 headers=None,
140 side_effect=None,
141 use_data_bytes=True,
142 ):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]143 response = mock.create_autospec(transport.Response, instance=False)
144 response.status = status
arithmetic1728e115bae2020-05-06 16:00:17 -0700[diff] [blame^]145 response.data = _helpers.to_bytes(data) if use_data_bytes else data
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]146 response.headers = headers or {}
147
148 request = mock.create_autospec(transport.Request, instance=False)
149 request.side_effect = side_effect
150 request.return_value = response
151
152 return request
153
arithmetic1728e115bae2020-05-06 16:00:17 -0700[diff] [blame^]154 @pytest.mark.parametrize("use_data_bytes", [True, False])
155 def test_refresh_success(self, use_data_bytes, mock_donor_credentials):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]156 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]157 token = "token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]158
159 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]160 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
161 ).isoformat("T") + "Z"
162 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]163
164 request = self.make_request(
arithmetic1728e115bae2020-05-06 16:00:17 -0700[diff] [blame^]165 data=json.dumps(response_body),
166 status=http_client.OK,
167 use_data_bytes=use_data_bytes,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]168 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]169
170 credentials.refresh(request)
171
172 assert credentials.valid
173 assert not credentials.expired
174
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]175 def test_refresh_failure_malformed_expire_time(self, mock_donor_credentials):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]176 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]177 token = "token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]178
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]179 expire_time = (_helpers.utcnow() + datetime.timedelta(seconds=500)).isoformat(
180 "T"
181 )
182 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]183
184 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]185 data=json.dumps(response_body), status=http_client.OK
186 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]187
188 with pytest.raises(exceptions.RefreshError) as excinfo:
189 credentials.refresh(request)
190
191 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
192
193 assert not credentials.valid
194 assert credentials.expired
195
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]196 def test_refresh_failure_unauthorzed(self, mock_donor_credentials):
197 credentials = self.make_credentials(lifetime=None)
198
199 response_body = {
200 "error": {
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]201 "code": 403,
202 "message": "The caller does not have permission",
203 "status": "PERMISSION_DENIED",
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]204 }
205 }
206
207 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]208 data=json.dumps(response_body), status=http_client.UNAUTHORIZED
209 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]210
211 with pytest.raises(exceptions.RefreshError) as excinfo:
212 credentials.refresh(request)
213
214 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
215
216 assert not credentials.valid
217 assert credentials.expired
218
219 def test_refresh_failure_http_error(self, mock_donor_credentials):
220 credentials = self.make_credentials(lifetime=None)
221
222 response_body = {}
223
224 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]225 data=json.dumps(response_body), status=http_client.HTTPException
226 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]227
228 with pytest.raises(exceptions.RefreshError) as excinfo:
229 credentials.refresh(request)
230
231 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
232
233 assert not credentials.valid
234 assert credentials.expired
235
236 def test_expired(self):
237 credentials = self.make_credentials(lifetime=None)
238 assert credentials.expired
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]239
240 def test_signer(self):
241 credentials = self.make_credentials()
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]242 assert isinstance(credentials.signer, impersonated_credentials.Credentials)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]243
244 def test_signer_email(self):
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]245 credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]246 assert credentials.signer_email == self.TARGET_PRINCIPAL
247
248 def test_service_account_email(self):
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]249 credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]250 assert credentials.service_account_email == self.TARGET_PRINCIPAL
251
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]252 def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]253 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]254 token = "token"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]255
256 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]257 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
258 ).isoformat("T") + "Z"
259 token_response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]260
261 response = mock.create_autospec(transport.Response, instance=False)
262 response.status = http_client.OK
263 response.data = _helpers.to_bytes(json.dumps(token_response_body))
264
265 request = mock.create_autospec(transport.Request, instance=False)
266 request.return_value = response
267
268 credentials.refresh(request)
269
270 assert credentials.valid
271 assert not credentials.expired
272
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]273 signature = credentials.sign_bytes(b"signed bytes")
274 assert signature == b"signature"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]275
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]276 def test_id_token_success(
277 self, mock_donor_credentials, mock_authorizedsession_idtoken
278 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]279 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]280 token = "token"
281 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]282
283 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]284 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
285 ).isoformat("T") + "Z"
286 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]287
288 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]289 data=json.dumps(response_body), status=http_client.OK
290 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]291
292 credentials.refresh(request)
293
294 assert credentials.valid
295 assert not credentials.expired
296
297 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]298 credentials, target_audience=target_audience
299 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]300 id_creds.refresh(request)
301
302 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]303 assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]304
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]305 def test_id_token_from_credential(
306 self, mock_donor_credentials, mock_authorizedsession_idtoken
307 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]308 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]309 token = "token"
310 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]311
312 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]313 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
314 ).isoformat("T") + "Z"
315 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]316
317 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]318 data=json.dumps(response_body), status=http_client.OK
319 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]320
321 credentials.refresh(request)
322
323 assert credentials.valid
324 assert not credentials.expired
325
326 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]327 credentials, target_audience=target_audience
328 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]329 id_creds = id_creds.from_credentials(target_credentials=credentials)
330 id_creds.refresh(request)
331
332 assert id_creds.token == ID_TOKEN_DATA
333
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]334 def test_id_token_with_target_audience(
335 self, mock_donor_credentials, mock_authorizedsession_idtoken
336 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]337 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]338 token = "token"
339 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]340
341 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]342 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
343 ).isoformat("T") + "Z"
344 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]345
346 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]347 data=json.dumps(response_body), status=http_client.OK
348 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]349
350 credentials.refresh(request)
351
352 assert credentials.valid
353 assert not credentials.expired
354
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]355 id_creds = impersonated_credentials.IDTokenCredentials(credentials)
356 id_creds = id_creds.with_target_audience(target_audience=target_audience)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]357 id_creds.refresh(request)
358
359 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]360 assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]361
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]362 def test_id_token_invalid_cred(
363 self, mock_donor_credentials, mock_authorizedsession_idtoken
364 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]365 credentials = None
366
367 with pytest.raises(exceptions.GoogleAuthError) as excinfo:
368 impersonated_credentials.IDTokenCredentials(credentials)
369
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]370 assert excinfo.match("Provided Credential must be" " impersonated_credentials")
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]371
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]372 def test_id_token_with_include_email(
373 self, mock_donor_credentials, mock_authorizedsession_idtoken
374 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]375 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]376 token = "token"
377 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]378
379 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]380 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
381 ).isoformat("T") + "Z"
382 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]383
384 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]385 data=json.dumps(response_body), status=http_client.OK
386 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]387
388 credentials.refresh(request)
389
390 assert credentials.valid
391 assert not credentials.expired
392
393 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]394 credentials, target_audience=target_audience
395 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]396 id_creds = id_creds.with_include_email(True)
397 id_creds.refresh(request)
398
399 assert id_creds.token == ID_TOKEN_DATA