Blame - tests/test_jwt.py - platform/external/python/google-auth-library-python

blob: b0c6e48e9d1eff9a7b27e8a3e8016d73d60257e5 [file] [log] [blame]

Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	1	# Copyright 2014 Google Inc.
				2	#
				3	# Licensed under the Apache License, Version 2.0 (the "License");
				4	# you may not use this file except in compliance with the License.
				5	# You may obtain a copy of the License at
				6	#
				7	# http://www.apache.org/licenses/LICENSE-2.0
				8	#
				9	# Unless required by applicable law or agreed to in writing, software
				10	# distributed under the License is distributed on an "AS IS" BASIS,
				11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				12	# See the License for the specific language governing permissions and
				13	# limitations under the License.
				14
				15	import base64
				16	import datetime
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	17	import json
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	18	import os
				19
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	20	import mock
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	21	import pytest
				22
				23	from google.auth import _helpers
				24	from google.auth import crypt
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	25	from google.auth import exceptions
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	26	from google.auth import jwt
				27
				28
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	29	DATA_DIR = os.path.join(os.path.dirname(__file__), "data")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	30
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	31	with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	32	PRIVATE_KEY_BYTES = fh.read()
				33
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	34	with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	35	PUBLIC_CERT_BYTES = fh.read()
				36
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	37	with open(os.path.join(DATA_DIR, "other_cert.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	38	OTHER_CERT_BYTES = fh.read()
				39
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	40	SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	41
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	42	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	43	SERVICE_ACCOUNT_INFO = json.load(fh)
				44
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	45
				46	@pytest.fixture
				47	def signer():
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	48	return crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	49
				50
				51	def test_encode_basic(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	52	test_payload = {"test": "value"}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	53	encoded = jwt.encode(signer, test_payload)
				54	header, payload, _, _ = jwt._unverified_decode(encoded)
				55	assert payload == test_payload
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	56	assert header == {"typ": "JWT", "alg": "RS256", "kid": signer.key_id}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	57
				58
				59	def test_encode_extra_headers(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	60	encoded = jwt.encode(signer, {}, header={"extra": "value"})
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	61	header = jwt.decode_header(encoded)
				62	assert header == {
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	63	"typ": "JWT",
				64	"alg": "RS256",
				65	"kid": signer.key_id,
				66	"extra": "value",
				67	}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	68
				69
				70	@pytest.fixture
				71	def token_factory(signer):
				72	def factory(claims=None, key_id=None):
				73	now = _helpers.datetime_to_secs(_helpers.utcnow())
				74	payload = {
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	75	"aud": "audience@example.com",
				76	"iat": now,
				77	"exp": now + 300,
				78	"user": "billy bob",
				79	"metadata": {"meta": "data"},
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	80	}
				81	payload.update(claims or {})
				82
				83	# False is specified to remove the signer's key id for testing
				84	# headers without key ids.
				85	if key_id is False:
Jon Wayne Parrott	254befe	2017-02-22 14:37:31 -0800	[diff] [blame]	86	signer._key_id = None
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	87	key_id = None
				88
				89	return jwt.encode(signer, payload, key_id=key_id)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	90
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	91	return factory
				92
				93
				94	def test_decode_valid(token_factory):
				95	payload = jwt.decode(token_factory(), certs=PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	96	assert payload["aud"] == "audience@example.com"
				97	assert payload["user"] == "billy bob"
				98	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	99
				100
				101	def test_decode_valid_with_audience(token_factory):
				102	payload = jwt.decode(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	103	token_factory(), certs=PUBLIC_CERT_BYTES, audience="audience@example.com"
				104	)
				105	assert payload["aud"] == "audience@example.com"
				106	assert payload["user"] == "billy bob"
				107	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	108
				109
				110	def test_decode_valid_unverified(token_factory):
				111	payload = jwt.decode(token_factory(), certs=OTHER_CERT_BYTES, verify=False)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	112	assert payload["aud"] == "audience@example.com"
				113	assert payload["user"] == "billy bob"
				114	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	115
				116
				117	def test_decode_bad_token_wrong_number_of_segments():
				118	with pytest.raises(ValueError) as excinfo:
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	119	jwt.decode("1.2", PUBLIC_CERT_BYTES)
				120	assert excinfo.match(r"Wrong number of segments")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	121
				122
				123	def test_decode_bad_token_not_base64():
				124	with pytest.raises((ValueError, TypeError)) as excinfo:
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	125	jwt.decode("1.2.3", PUBLIC_CERT_BYTES)
				126	assert excinfo.match(r"Incorrect padding\|more than a multiple of 4")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	127
				128
				129	def test_decode_bad_token_not_json():
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	130	token = b".".join([base64.urlsafe_b64encode(b"123!")] * 3)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	131	with pytest.raises(ValueError) as excinfo:
				132	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	133	assert excinfo.match(r"Can\'t parse segment")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	134
				135
				136	def test_decode_bad_token_no_iat_or_exp(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	137	token = jwt.encode(signer, {"test": "value"})
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	138	with pytest.raises(ValueError) as excinfo:
				139	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	140	assert excinfo.match(r"Token does not contain required claim")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	141
				142
				143	def test_decode_bad_token_too_early(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	144	token = token_factory(
				145	claims={
				146	"iat": _helpers.datetime_to_secs(
				147	_helpers.utcnow() + datetime.timedelta(hours=1)
				148	)
				149	}
				150	)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	151	with pytest.raises(ValueError) as excinfo:
				152	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	153	assert excinfo.match(r"Token used too early")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	154
				155
				156	def test_decode_bad_token_expired(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	157	token = token_factory(
				158	claims={
				159	"exp": _helpers.datetime_to_secs(
				160	_helpers.utcnow() - datetime.timedelta(hours=1)
				161	)
				162	}
				163	)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	164	with pytest.raises(ValueError) as excinfo:
				165	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	166	assert excinfo.match(r"Token expired")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	167
				168
				169	def test_decode_bad_token_wrong_audience(token_factory):
				170	token = token_factory()
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	171	audience = "audience2@example.com"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	172	with pytest.raises(ValueError) as excinfo:
				173	jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	174	assert excinfo.match(r"Token has wrong audience")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	175
				176
				177	def test_decode_wrong_cert(token_factory):
				178	with pytest.raises(ValueError) as excinfo:
				179	jwt.decode(token_factory(), OTHER_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	180	assert excinfo.match(r"Could not verify token signature")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	181
				182
				183	def test_decode_multicert_bad_cert(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	184	certs = {"1": OTHER_CERT_BYTES, "2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	185	with pytest.raises(ValueError) as excinfo:
				186	jwt.decode(token_factory(), certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	187	assert excinfo.match(r"Could not verify token signature")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	188
				189
				190	def test_decode_no_cert(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	191	certs = {"2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	192	with pytest.raises(ValueError) as excinfo:
				193	jwt.decode(token_factory(), certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	194	assert excinfo.match(r"Certificate for key id 1 not found")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	195
				196
				197	def test_decode_no_key_id(token_factory):
				198	token = token_factory(key_id=False)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	199	certs = {"2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	200	payload = jwt.decode(token, certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	201	assert payload["user"] == "billy bob"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	202
				203
				204	def test_roundtrip_explicit_key_id(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	205	token = token_factory(key_id="3")
				206	certs = {"2": OTHER_CERT_BYTES, "3": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	207	payload = jwt.decode(token, certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	208	assert payload["user"] == "billy bob"
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	209
				210
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	211	class TestCredentials(object):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	212	SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
				213	SUBJECT = "subject"
				214	AUDIENCE = "audience"
				215	ADDITIONAL_CLAIMS = {"meta": "data"}
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	216	credentials = None
				217
				218	@pytest.fixture(autouse=True)
				219	def credentials_fixture(self, signer):
				220	self.credentials = jwt.Credentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	221	signer,
				222	self.SERVICE_ACCOUNT_EMAIL,
				223	self.SERVICE_ACCOUNT_EMAIL,
				224	self.AUDIENCE,
				225	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	226
				227	def test_from_service_account_info(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	228	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	229	info = json.load(fh)
				230
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	231	credentials = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	232	info, audience=self.AUDIENCE
				233	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	234
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	235	assert credentials._signer.key_id == info["private_key_id"]
				236	assert credentials._issuer == info["client_email"]
				237	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	238	assert credentials._audience == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	239
				240	def test_from_service_account_info_args(self):
				241	info = SERVICE_ACCOUNT_INFO.copy()
				242
				243	credentials = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	244	info,
				245	subject=self.SUBJECT,
				246	audience=self.AUDIENCE,
				247	additional_claims=self.ADDITIONAL_CLAIMS,
				248	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	249
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	250	assert credentials._signer.key_id == info["private_key_id"]
				251	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	252	assert credentials._subject == self.SUBJECT
				253	assert credentials._audience == self.AUDIENCE
				254	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				255
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	256	def test_from_service_account_file(self):
				257	info = SERVICE_ACCOUNT_INFO.copy()
				258
				259	credentials = jwt.Credentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	260	SERVICE_ACCOUNT_JSON_FILE, audience=self.AUDIENCE
				261	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	262
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	263	assert credentials._signer.key_id == info["private_key_id"]
				264	assert credentials._issuer == info["client_email"]
				265	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	266	assert credentials._audience == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	267
				268	def test_from_service_account_file_args(self):
				269	info = SERVICE_ACCOUNT_INFO.copy()
				270
				271	credentials = jwt.Credentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	272	SERVICE_ACCOUNT_JSON_FILE,
				273	subject=self.SUBJECT,
				274	audience=self.AUDIENCE,
				275	additional_claims=self.ADDITIONAL_CLAIMS,
				276	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	277
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	278	assert credentials._signer.key_id == info["private_key_id"]
				279	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	280	assert credentials._subject == self.SUBJECT
				281	assert credentials._audience == self.AUDIENCE
				282	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				283
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	284	def test_from_signing_credentials(self):
				285	jwt_from_signing = self.credentials.from_signing_credentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	286	self.credentials, audience=mock.sentinel.new_audience
				287	)
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	288	jwt_from_info = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	289	SERVICE_ACCOUNT_INFO, audience=mock.sentinel.new_audience
				290	)
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	291
				292	assert isinstance(jwt_from_signing, jwt.Credentials)
				293	assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
				294	assert jwt_from_signing._issuer == jwt_from_info._issuer
				295	assert jwt_from_signing._subject == jwt_from_info._subject
				296	assert jwt_from_signing._audience == jwt_from_info._audience
				297
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	298	def test_default_state(self):
				299	assert not self.credentials.valid
				300	# Expiration hasn't been set yet
				301	assert not self.credentials.expired
				302
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	303	def test_with_claims(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	304	new_audience = "new_audience"
				305	new_credentials = self.credentials.with_claims(audience=new_audience)
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	306
				307	assert new_credentials._signer == self.credentials._signer
				308	assert new_credentials._issuer == self.credentials._issuer
				309	assert new_credentials._subject == self.credentials._subject
				310	assert new_credentials._audience == new_audience
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	311	assert new_credentials._additional_claims == self.credentials._additional_claims
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	312
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	313	def test_sign_bytes(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	314	to_sign = b"123"
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	315	signature = self.credentials.sign_bytes(to_sign)
				316	assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
				317
Jon Wayne Parrott	d722167	2017-02-16 09:05:11 -0800	[diff] [blame]	318	def test_signer(self):
Jon Wayne Parrott	254befe	2017-02-22 14:37:31 -0800	[diff] [blame]	319	assert isinstance(self.credentials.signer, crypt.RSASigner)
Jon Wayne Parrott	d722167	2017-02-16 09:05:11 -0800	[diff] [blame]	320
Jon Wayne Parrott	4c883f0	2016-12-02 14:26:33 -0800	[diff] [blame]	321	def test_signer_email(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	322	assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"]
Jon Wayne Parrott	4c883f0	2016-12-02 14:26:33 -0800	[diff] [blame]	323
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	324	def _verify_token(self, token):
				325	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	326	assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	327	return payload
				328
				329	def test_refresh(self):
				330	self.credentials.refresh(None)
				331	assert self.credentials.valid
				332	assert not self.credentials.expired
				333
				334	def test_expired(self):
				335	assert not self.credentials.expired
				336
				337	self.credentials.refresh(None)
				338	assert not self.credentials.expired
				339
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	340	with mock.patch("google.auth._helpers.utcnow") as now:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	341	one_day = datetime.timedelta(days=1)
				342	now.return_value = self.credentials.expiry + one_day
				343	assert self.credentials.expired
				344
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	345	def test_before_request(self):
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	346	headers = {}
				347
				348	self.credentials.refresh(None)
				349	self.credentials.before_request(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	350	None, "GET", "http://example.com?a=1#3", headers
				351	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	352
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	353	header_value = headers["authorization"]
				354	_, token = header_value.split(" ")
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	355
				356	# Since the audience is set, it should use the existing token.
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	357	assert token.encode("utf-8") == self.credentials.token
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	358
				359	payload = self._verify_token(token)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	360	assert payload["aud"] == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	361
				362	def test_before_request_refreshes(self):
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	363	assert not self.credentials.valid
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	364	self.credentials.before_request(None, "GET", "http://example.com?a=1#3", {})
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	365	assert self.credentials.valid
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	366
				367
				368	class TestOnDemandCredentials(object):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	369	SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
				370	SUBJECT = "subject"
				371	ADDITIONAL_CLAIMS = {"meta": "data"}
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	372	credentials = None
				373
				374	@pytest.fixture(autouse=True)
				375	def credentials_fixture(self, signer):
				376	self.credentials = jwt.OnDemandCredentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	377	signer,
				378	self.SERVICE_ACCOUNT_EMAIL,
				379	self.SERVICE_ACCOUNT_EMAIL,
				380	max_cache_size=2,
				381	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	382
				383	def test_from_service_account_info(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	384	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	385	info = json.load(fh)
				386
				387	credentials = jwt.OnDemandCredentials.from_service_account_info(info)
				388
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	389	assert credentials._signer.key_id == info["private_key_id"]
				390	assert credentials._issuer == info["client_email"]
				391	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	392
				393	def test_from_service_account_info_args(self):
				394	info = SERVICE_ACCOUNT_INFO.copy()
				395
				396	credentials = jwt.OnDemandCredentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	397	info, subject=self.SUBJECT, additional_claims=self.ADDITIONAL_CLAIMS
				398	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	399
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	400	assert credentials._signer.key_id == info["private_key_id"]
				401	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	402	assert credentials._subject == self.SUBJECT
				403	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				404
				405	def test_from_service_account_file(self):
				406	info = SERVICE_ACCOUNT_INFO.copy()
				407
				408	credentials = jwt.OnDemandCredentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	409	SERVICE_ACCOUNT_JSON_FILE
				410	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	411
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	412	assert credentials._signer.key_id == info["private_key_id"]
				413	assert credentials._issuer == info["client_email"]
				414	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	415
				416	def test_from_service_account_file_args(self):
				417	info = SERVICE_ACCOUNT_INFO.copy()
				418
				419	credentials = jwt.OnDemandCredentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	420	SERVICE_ACCOUNT_JSON_FILE,
				421	subject=self.SUBJECT,
				422	additional_claims=self.ADDITIONAL_CLAIMS,
				423	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	424
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	425	assert credentials._signer.key_id == info["private_key_id"]
				426	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	427	assert credentials._subject == self.SUBJECT
				428	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				429
				430	def test_from_signing_credentials(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	431	jwt_from_signing = self.credentials.from_signing_credentials(self.credentials)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	432	jwt_from_info = jwt.OnDemandCredentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	433	SERVICE_ACCOUNT_INFO
				434	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	435
				436	assert isinstance(jwt_from_signing, jwt.OnDemandCredentials)
				437	assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
				438	assert jwt_from_signing._issuer == jwt_from_info._issuer
				439	assert jwt_from_signing._subject == jwt_from_info._subject
				440
				441	def test_default_state(self):
				442	# Credentials are always valid.
				443	assert self.credentials.valid
				444	# Credentials never expire.
				445	assert not self.credentials.expired
				446
				447	def test_with_claims(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	448	new_claims = {"meep": "moop"}
				449	new_credentials = self.credentials.with_claims(additional_claims=new_claims)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	450
				451	assert new_credentials._signer == self.credentials._signer
				452	assert new_credentials._issuer == self.credentials._issuer
				453	assert new_credentials._subject == self.credentials._subject
				454	assert new_credentials._additional_claims == new_claims
				455
				456	def test_sign_bytes(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	457	to_sign = b"123"
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	458	signature = self.credentials.sign_bytes(to_sign)
				459	assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
				460
				461	def test_signer(self):
				462	assert isinstance(self.credentials.signer, crypt.RSASigner)
				463
				464	def test_signer_email(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	465	assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	466
				467	def _verify_token(self, token):
				468	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	469	assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	470	return payload
				471
				472	def test_refresh(self):
				473	with pytest.raises(exceptions.RefreshError):
				474	self.credentials.refresh(None)
				475
				476	def test_before_request(self):
				477	headers = {}
				478
				479	self.credentials.before_request(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	480	None, "GET", "http://example.com?a=1#3", headers
				481	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	482
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	483	_, token = headers["authorization"].split(" ")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	484	payload = self._verify_token(token)
				485
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	486	assert payload["aud"] == "http://example.com"
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	487
				488	# Making another request should re-use the same token.
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	489	self.credentials.before_request(None, "GET", "http://example.com?b=2", headers)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	490
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	491	_, new_token = headers["authorization"].split(" ")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	492
				493	assert new_token == token
				494
				495	def test_expired_token(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	496	self.credentials._cache["audience"] = (
				497	mock.sentinel.token,
				498	datetime.datetime.min,
				499	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	500
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	501	token = self.credentials._get_jwt_for_audience("audience")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	502
				503	assert token != mock.sentinel.token