Blame - tests/test_jwt.py - platform/external/python/google-auth-library-python

blob: 488aee4671df4d90ae744d9bb0d0cf542ba9fadb [file] [log] [blame]

Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	1	# Copyright 2014 Google Inc.
				2	#
				3	# Licensed under the Apache License, Version 2.0 (the "License");
				4	# you may not use this file except in compliance with the License.
				5	# You may obtain a copy of the License at
				6	#
				7	# http://www.apache.org/licenses/LICENSE-2.0
				8	#
				9	# Unless required by applicable law or agreed to in writing, software
				10	# distributed under the License is distributed on an "AS IS" BASIS,
				11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				12	# See the License for the specific language governing permissions and
				13	# limitations under the License.
				14
				15	import base64
				16	import datetime
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	17	import json
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	18	import os
				19
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	20	import mock
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	21	import pytest
				22
				23	from google.auth import _helpers
				24	from google.auth import crypt
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	25	from google.auth import exceptions
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	26	from google.auth import jwt
				27
				28
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	29	DATA_DIR = os.path.join(os.path.dirname(__file__), "data")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	30
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	31	with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	32	PRIVATE_KEY_BYTES = fh.read()
				33
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	34	with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	35	PUBLIC_CERT_BYTES = fh.read()
				36
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	37	with open(os.path.join(DATA_DIR, "other_cert.pem"), "rb") as fh:
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	38	OTHER_CERT_BYTES = fh.read()
				39
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame^]	40	with open(os.path.join(DATA_DIR, "es256_privatekey.pem"), "rb") as fh:
				41	EC_PRIVATE_KEY_BYTES = fh.read()
				42
				43	with open(os.path.join(DATA_DIR, "es256_public_cert.pem"), "rb") as fh:
				44	EC_PUBLIC_CERT_BYTES = fh.read()
				45
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	46	SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	47
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	48	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	49	SERVICE_ACCOUNT_INFO = json.load(fh)
				50
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	51
				52	@pytest.fixture
				53	def signer():
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	54	return crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	55
				56
				57	def test_encode_basic(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	58	test_payload = {"test": "value"}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	59	encoded = jwt.encode(signer, test_payload)
				60	header, payload, _, _ = jwt._unverified_decode(encoded)
				61	assert payload == test_payload
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	62	assert header == {"typ": "JWT", "alg": "RS256", "kid": signer.key_id}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	63
				64
				65	def test_encode_extra_headers(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	66	encoded = jwt.encode(signer, {}, header={"extra": "value"})
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	67	header = jwt.decode_header(encoded)
				68	assert header == {
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	69	"typ": "JWT",
				70	"alg": "RS256",
				71	"kid": signer.key_id,
				72	"extra": "value",
				73	}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	74
				75
				76	@pytest.fixture
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame^]	77	def es256_signer():
				78	return crypt.ES256Signer.from_string(EC_PRIVATE_KEY_BYTES, "1")
				79
				80
				81	def test_encode_basic_es256(es256_signer):
				82	test_payload = {"test": "value"}
				83	encoded = jwt.encode(es256_signer, test_payload)
				84	header, payload, _, _ = jwt._unverified_decode(encoded)
				85	assert payload == test_payload
				86	assert header == {"typ": "JWT", "alg": "ES256", "kid": es256_signer.key_id}
				87
				88
				89	@pytest.fixture
				90	def token_factory(signer, es256_signer):
				91	def factory(claims=None, key_id=None, use_es256_signer=False):
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	92	now = _helpers.datetime_to_secs(_helpers.utcnow())
				93	payload = {
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	94	"aud": "audience@example.com",
				95	"iat": now,
				96	"exp": now + 300,
				97	"user": "billy bob",
				98	"metadata": {"meta": "data"},
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	99	}
				100	payload.update(claims or {})
				101
				102	# False is specified to remove the signer's key id for testing
				103	# headers without key ids.
				104	if key_id is False:
Jon Wayne Parrott	254befe	2017-02-22 14:37:31 -0800	[diff] [blame]	105	signer._key_id = None
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	106	key_id = None
				107
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame^]	108	if use_es256_signer:
				109	return jwt.encode(es256_signer, payload, key_id=key_id)
				110	else:
				111	return jwt.encode(signer, payload, key_id=key_id)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	112
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	113	return factory
				114
				115
				116	def test_decode_valid(token_factory):
				117	payload = jwt.decode(token_factory(), certs=PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	118	assert payload["aud"] == "audience@example.com"
				119	assert payload["user"] == "billy bob"
				120	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	121
				122
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame^]	123	def test_decode_valid_es256(token_factory):
				124	payload = jwt.decode(
				125	token_factory(use_es256_signer=True), certs=EC_PUBLIC_CERT_BYTES
				126	)
				127	assert payload["aud"] == "audience@example.com"
				128	assert payload["user"] == "billy bob"
				129	assert payload["metadata"]["meta"] == "data"
				130
				131
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	132	def test_decode_valid_with_audience(token_factory):
				133	payload = jwt.decode(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	134	token_factory(), certs=PUBLIC_CERT_BYTES, audience="audience@example.com"
				135	)
				136	assert payload["aud"] == "audience@example.com"
				137	assert payload["user"] == "billy bob"
				138	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	139
				140
				141	def test_decode_valid_unverified(token_factory):
				142	payload = jwt.decode(token_factory(), certs=OTHER_CERT_BYTES, verify=False)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	143	assert payload["aud"] == "audience@example.com"
				144	assert payload["user"] == "billy bob"
				145	assert payload["metadata"]["meta"] == "data"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	146
				147
				148	def test_decode_bad_token_wrong_number_of_segments():
				149	with pytest.raises(ValueError) as excinfo:
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	150	jwt.decode("1.2", PUBLIC_CERT_BYTES)
				151	assert excinfo.match(r"Wrong number of segments")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	152
				153
				154	def test_decode_bad_token_not_base64():
				155	with pytest.raises((ValueError, TypeError)) as excinfo:
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	156	jwt.decode("1.2.3", PUBLIC_CERT_BYTES)
				157	assert excinfo.match(r"Incorrect padding\|more than a multiple of 4")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	158
				159
				160	def test_decode_bad_token_not_json():
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	161	token = b".".join([base64.urlsafe_b64encode(b"123!")] * 3)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	162	with pytest.raises(ValueError) as excinfo:
				163	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	164	assert excinfo.match(r"Can\'t parse segment")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	165
				166
				167	def test_decode_bad_token_no_iat_or_exp(signer):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	168	token = jwt.encode(signer, {"test": "value"})
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	169	with pytest.raises(ValueError) as excinfo:
				170	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	171	assert excinfo.match(r"Token does not contain required claim")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	172
				173
				174	def test_decode_bad_token_too_early(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	175	token = token_factory(
				176	claims={
				177	"iat": _helpers.datetime_to_secs(
				178	_helpers.utcnow() + datetime.timedelta(hours=1)
				179	)
				180	}
				181	)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	182	with pytest.raises(ValueError) as excinfo:
				183	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	184	assert excinfo.match(r"Token used too early")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	185
				186
				187	def test_decode_bad_token_expired(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	188	token = token_factory(
				189	claims={
				190	"exp": _helpers.datetime_to_secs(
				191	_helpers.utcnow() - datetime.timedelta(hours=1)
				192	)
				193	}
				194	)
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	195	with pytest.raises(ValueError) as excinfo:
				196	jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	197	assert excinfo.match(r"Token expired")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	198
				199
				200	def test_decode_bad_token_wrong_audience(token_factory):
				201	token = token_factory()
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	202	audience = "audience2@example.com"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	203	with pytest.raises(ValueError) as excinfo:
				204	jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	205	assert excinfo.match(r"Token has wrong audience")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	206
				207
				208	def test_decode_wrong_cert(token_factory):
				209	with pytest.raises(ValueError) as excinfo:
				210	jwt.decode(token_factory(), OTHER_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	211	assert excinfo.match(r"Could not verify token signature")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	212
				213
				214	def test_decode_multicert_bad_cert(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	215	certs = {"1": OTHER_CERT_BYTES, "2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	216	with pytest.raises(ValueError) as excinfo:
				217	jwt.decode(token_factory(), certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	218	assert excinfo.match(r"Could not verify token signature")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	219
				220
				221	def test_decode_no_cert(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	222	certs = {"2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	223	with pytest.raises(ValueError) as excinfo:
				224	jwt.decode(token_factory(), certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	225	assert excinfo.match(r"Certificate for key id 1 not found")
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	226
				227
				228	def test_decode_no_key_id(token_factory):
				229	token = token_factory(key_id=False)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	230	certs = {"2": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	231	payload = jwt.decode(token, certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	232	assert payload["user"] == "billy bob"
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	233
				234
Thea Flowers	e290a3d	2020-04-01 10:11:42 -0700	[diff] [blame^]	235	def test_decode_unknown_alg():
				236	headers = json.dumps({u"kid": u"1", u"alg": u"fakealg"})
				237	token = b".".join(
				238	map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"])
				239	)
				240
				241	with pytest.raises(ValueError) as excinfo:
				242	jwt.decode(token)
				243	assert excinfo.match(r"fakealg")
				244
				245
				246	def test_decode_missing_crytography_alg(monkeypatch):
				247	monkeypatch.delitem(jwt._ALGORITHM_TO_VERIFIER_CLASS, "ES256")
				248	headers = json.dumps({u"kid": u"1", u"alg": u"ES256"})
				249	token = b".".join(
				250	map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"])
				251	)
				252
				253	with pytest.raises(ValueError) as excinfo:
				254	jwt.decode(token)
				255	assert excinfo.match(r"cryptography")
				256
				257
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	258	def test_roundtrip_explicit_key_id(token_factory):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	259	token = token_factory(key_id="3")
				260	certs = {"2": OTHER_CERT_BYTES, "3": PUBLIC_CERT_BYTES}
Jon Wayne Parrott	5824ad8	2016-10-06 09:27:44 -0700	[diff] [blame]	261	payload = jwt.decode(token, certs)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	262	assert payload["user"] == "billy bob"
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	263
				264
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	265	class TestCredentials(object):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	266	SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
				267	SUBJECT = "subject"
				268	AUDIENCE = "audience"
				269	ADDITIONAL_CLAIMS = {"meta": "data"}
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	270	credentials = None
				271
				272	@pytest.fixture(autouse=True)
				273	def credentials_fixture(self, signer):
				274	self.credentials = jwt.Credentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	275	signer,
				276	self.SERVICE_ACCOUNT_EMAIL,
				277	self.SERVICE_ACCOUNT_EMAIL,
				278	self.AUDIENCE,
				279	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	280
				281	def test_from_service_account_info(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	282	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	283	info = json.load(fh)
				284
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	285	credentials = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	286	info, audience=self.AUDIENCE
				287	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	288
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	289	assert credentials._signer.key_id == info["private_key_id"]
				290	assert credentials._issuer == info["client_email"]
				291	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	292	assert credentials._audience == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	293
				294	def test_from_service_account_info_args(self):
				295	info = SERVICE_ACCOUNT_INFO.copy()
				296
				297	credentials = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	298	info,
				299	subject=self.SUBJECT,
				300	audience=self.AUDIENCE,
				301	additional_claims=self.ADDITIONAL_CLAIMS,
				302	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	303
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	304	assert credentials._signer.key_id == info["private_key_id"]
				305	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	306	assert credentials._subject == self.SUBJECT
				307	assert credentials._audience == self.AUDIENCE
				308	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				309
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	310	def test_from_service_account_file(self):
				311	info = SERVICE_ACCOUNT_INFO.copy()
				312
				313	credentials = jwt.Credentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	314	SERVICE_ACCOUNT_JSON_FILE, audience=self.AUDIENCE
				315	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	316
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	317	assert credentials._signer.key_id == info["private_key_id"]
				318	assert credentials._issuer == info["client_email"]
				319	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	320	assert credentials._audience == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	321
				322	def test_from_service_account_file_args(self):
				323	info = SERVICE_ACCOUNT_INFO.copy()
				324
				325	credentials = jwt.Credentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	326	SERVICE_ACCOUNT_JSON_FILE,
				327	subject=self.SUBJECT,
				328	audience=self.AUDIENCE,
				329	additional_claims=self.ADDITIONAL_CLAIMS,
				330	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	331
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	332	assert credentials._signer.key_id == info["private_key_id"]
				333	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	334	assert credentials._subject == self.SUBJECT
				335	assert credentials._audience == self.AUDIENCE
				336	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				337
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	338	def test_from_signing_credentials(self):
				339	jwt_from_signing = self.credentials.from_signing_credentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	340	self.credentials, audience=mock.sentinel.new_audience
				341	)
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	342	jwt_from_info = jwt.Credentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	343	SERVICE_ACCOUNT_INFO, audience=mock.sentinel.new_audience
				344	)
Jon Wayne Parrott	b8f48d0	2017-02-24 09:03:24 -0800	[diff] [blame]	345
				346	assert isinstance(jwt_from_signing, jwt.Credentials)
				347	assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
				348	assert jwt_from_signing._issuer == jwt_from_info._issuer
				349	assert jwt_from_signing._subject == jwt_from_info._subject
				350	assert jwt_from_signing._audience == jwt_from_info._audience
				351
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	352	def test_default_state(self):
				353	assert not self.credentials.valid
				354	# Expiration hasn't been set yet
				355	assert not self.credentials.expired
				356
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	357	def test_with_claims(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	358	new_audience = "new_audience"
				359	new_credentials = self.credentials.with_claims(audience=new_audience)
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	360
				361	assert new_credentials._signer == self.credentials._signer
				362	assert new_credentials._issuer == self.credentials._issuer
				363	assert new_credentials._subject == self.credentials._subject
				364	assert new_credentials._audience == new_audience
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	365	assert new_credentials._additional_claims == self.credentials._additional_claims
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	366
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	367	def test_sign_bytes(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	368	to_sign = b"123"
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	369	signature = self.credentials.sign_bytes(to_sign)
				370	assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
				371
Jon Wayne Parrott	d722167	2017-02-16 09:05:11 -0800	[diff] [blame]	372	def test_signer(self):
Jon Wayne Parrott	254befe	2017-02-22 14:37:31 -0800	[diff] [blame]	373	assert isinstance(self.credentials.signer, crypt.RSASigner)
Jon Wayne Parrott	d722167	2017-02-16 09:05:11 -0800	[diff] [blame]	374
Jon Wayne Parrott	4c883f0	2016-12-02 14:26:33 -0800	[diff] [blame]	375	def test_signer_email(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	376	assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"]
Jon Wayne Parrott	4c883f0	2016-12-02 14:26:33 -0800	[diff] [blame]	377
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	378	def _verify_token(self, token):
				379	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	380	assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	381	return payload
				382
				383	def test_refresh(self):
				384	self.credentials.refresh(None)
				385	assert self.credentials.valid
				386	assert not self.credentials.expired
				387
				388	def test_expired(self):
				389	assert not self.credentials.expired
				390
				391	self.credentials.refresh(None)
				392	assert not self.credentials.expired
				393
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	394	with mock.patch("google.auth._helpers.utcnow") as now:
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	395	one_day = datetime.timedelta(days=1)
				396	now.return_value = self.credentials.expiry + one_day
				397	assert self.credentials.expired
				398
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	399	def test_before_request(self):
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	400	headers = {}
				401
				402	self.credentials.refresh(None)
				403	self.credentials.before_request(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	404	None, "GET", "http://example.com?a=1#3", headers
				405	)
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	406
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	407	header_value = headers["authorization"]
				408	_, token = header_value.split(" ")
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	409
				410	# Since the audience is set, it should use the existing token.
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	411	assert token.encode("utf-8") == self.credentials.token
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	412
				413	payload = self._verify_token(token)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	414	assert payload["aud"] == self.AUDIENCE
Jon Wayne Parrott	abcd3ed	2016-10-17 11:23:47 -0700	[diff] [blame]	415
				416	def test_before_request_refreshes(self):
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	417	assert not self.credentials.valid
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	418	self.credentials.before_request(None, "GET", "http://example.com?a=1#3", {})
Jon Wayne Parrott	ab08689	2017-02-23 09:20:14 -0800	[diff] [blame]	419	assert self.credentials.valid
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	420
				421
				422	class TestOnDemandCredentials(object):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	423	SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
				424	SUBJECT = "subject"
				425	ADDITIONAL_CLAIMS = {"meta": "data"}
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	426	credentials = None
				427
				428	@pytest.fixture(autouse=True)
				429	def credentials_fixture(self, signer):
				430	self.credentials = jwt.OnDemandCredentials(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	431	signer,
				432	self.SERVICE_ACCOUNT_EMAIL,
				433	self.SERVICE_ACCOUNT_EMAIL,
				434	max_cache_size=2,
				435	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	436
				437	def test_from_service_account_info(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	438	with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	439	info = json.load(fh)
				440
				441	credentials = jwt.OnDemandCredentials.from_service_account_info(info)
				442
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	443	assert credentials._signer.key_id == info["private_key_id"]
				444	assert credentials._issuer == info["client_email"]
				445	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	446
				447	def test_from_service_account_info_args(self):
				448	info = SERVICE_ACCOUNT_INFO.copy()
				449
				450	credentials = jwt.OnDemandCredentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	451	info, subject=self.SUBJECT, additional_claims=self.ADDITIONAL_CLAIMS
				452	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	453
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	454	assert credentials._signer.key_id == info["private_key_id"]
				455	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	456	assert credentials._subject == self.SUBJECT
				457	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				458
				459	def test_from_service_account_file(self):
				460	info = SERVICE_ACCOUNT_INFO.copy()
				461
				462	credentials = jwt.OnDemandCredentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	463	SERVICE_ACCOUNT_JSON_FILE
				464	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	465
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	466	assert credentials._signer.key_id == info["private_key_id"]
				467	assert credentials._issuer == info["client_email"]
				468	assert credentials._subject == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	469
				470	def test_from_service_account_file_args(self):
				471	info = SERVICE_ACCOUNT_INFO.copy()
				472
				473	credentials = jwt.OnDemandCredentials.from_service_account_file(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	474	SERVICE_ACCOUNT_JSON_FILE,
				475	subject=self.SUBJECT,
				476	additional_claims=self.ADDITIONAL_CLAIMS,
				477	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	478
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	479	assert credentials._signer.key_id == info["private_key_id"]
				480	assert credentials._issuer == info["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	481	assert credentials._subject == self.SUBJECT
				482	assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
				483
				484	def test_from_signing_credentials(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	485	jwt_from_signing = self.credentials.from_signing_credentials(self.credentials)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	486	jwt_from_info = jwt.OnDemandCredentials.from_service_account_info(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	487	SERVICE_ACCOUNT_INFO
				488	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	489
				490	assert isinstance(jwt_from_signing, jwt.OnDemandCredentials)
				491	assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
				492	assert jwt_from_signing._issuer == jwt_from_info._issuer
				493	assert jwt_from_signing._subject == jwt_from_info._subject
				494
				495	def test_default_state(self):
				496	# Credentials are always valid.
				497	assert self.credentials.valid
				498	# Credentials never expire.
				499	assert not self.credentials.expired
				500
				501	def test_with_claims(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	502	new_claims = {"meep": "moop"}
				503	new_credentials = self.credentials.with_claims(additional_claims=new_claims)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	504
				505	assert new_credentials._signer == self.credentials._signer
				506	assert new_credentials._issuer == self.credentials._issuer
				507	assert new_credentials._subject == self.credentials._subject
				508	assert new_credentials._additional_claims == new_claims
				509
				510	def test_sign_bytes(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	511	to_sign = b"123"
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	512	signature = self.credentials.sign_bytes(to_sign)
				513	assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
				514
				515	def test_signer(self):
				516	assert isinstance(self.credentials.signer, crypt.RSASigner)
				517
				518	def test_signer_email(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	519	assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"]
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	520
				521	def _verify_token(self, token):
				522	payload = jwt.decode(token, PUBLIC_CERT_BYTES)
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	523	assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	524	return payload
				525
				526	def test_refresh(self):
				527	with pytest.raises(exceptions.RefreshError):
				528	self.credentials.refresh(None)
				529
				530	def test_before_request(self):
				531	headers = {}
				532
				533	self.credentials.before_request(
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	534	None, "GET", "http://example.com?a=1#3", headers
				535	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	536
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	537	_, token = headers["authorization"].split(" ")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	538	payload = self._verify_token(token)
				539
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	540	assert payload["aud"] == "http://example.com"
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	541
				542	# Making another request should re-use the same token.
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	543	self.credentials.before_request(None, "GET", "http://example.com?b=2", headers)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	544
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	545	_, new_token = headers["authorization"].split(" ")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	546
				547	assert new_token == token
				548
				549	def test_expired_token(self):
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	550	self.credentials._cache["audience"] = (
				551	mock.sentinel.token,
				552	datetime.datetime.min,
				553	)
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	554
Bu Sun Kim	9eec091	2019-10-21 17:04:21 -0700	[diff] [blame]	555	token = self.credentials._get_jwt_for_audience("audience")
Jon Wayne Parrott	cfbfd25	2017-03-28 13:03:11 -0700	[diff] [blame]	556
				557	assert token != mock.sentinel.token