Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / ec2fb18e7f0f452fb20e43fd0bfbb788bcf7f46b / . / tests / test_impersonated_credentials.py
blob: 90de704a265c1f1d79035fa2b0fb5fddb4ab4f6c [file] [log] [blame]
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]1# Copyright 2018 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15import datetime
16import json
17import os
18
19import mock
20import pytest
21from six.moves import http_client
22
23from google.auth import _helpers
24from google.auth import crypt
25from google.auth import exceptions
26from google.auth import impersonated_credentials
27from google.auth import transport
28from google.auth.impersonated_credentials import Credentials
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]29from google.oauth2 import credentials
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]30from google.oauth2 import service_account
31
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]32DATA_DIR = os.path.join(os.path.dirname(__file__), "", "data")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]33
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]34with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]35 PRIVATE_KEY_BYTES = fh.read()
36
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]37SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]38
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]39ID_TOKEN_DATA = (
40 "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNhZDk3N2Ew"
41 "Yjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwc"
42 "zovL2Zvby5iYXIiLCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJle"
43 "HAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwiaXNzIjoiaHR0cHM6L"
44 "y9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwN"
45 "zA4NTY4In0.redacted"
46)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]47ID_TOKEN_EXPIRY = 1564475051
48
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]49with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]50 SERVICE_ACCOUNT_INFO = json.load(fh)
51
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]52SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
53TOKEN_URI = "https://example.com/oauth2/token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]54
55
56@pytest.fixture
57def mock_donor_credentials():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]58 with mock.patch("google.oauth2._client.jwt_grant", autospec=True) as grant:
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]59 grant.return_value = (
60 "source token",
61 _helpers.utcnow() + datetime.timedelta(seconds=500),
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]62 {},
63 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]64 yield grant
65
66
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]67class MockResponse:
68 def __init__(self, json_data, status_code):
69 self.json_data = json_data
70 self.status_code = status_code
71
72 def json(self):
73 return self.json_data
74
75
76@pytest.fixture
77def mock_authorizedsession_sign():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]78 with mock.patch(
79 "google.auth.transport.requests.AuthorizedSession.request", autospec=True
80 ) as auth_session:
81 data = {"keyId": "1", "signedBlob": "c2lnbmF0dXJl"}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]82 auth_session.return_value = MockResponse(data, http_client.OK)
83 yield auth_session
84
85
86@pytest.fixture
87def mock_authorizedsession_idtoken():
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]88 with mock.patch(
89 "google.auth.transport.requests.AuthorizedSession.request", autospec=True
90 ) as auth_session:
91 data = {"token": ID_TOKEN_DATA}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]92 auth_session.return_value = MockResponse(data, http_client.OK)
93 yield auth_session
94
95
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]96class TestImpersonatedCredentials(object):
97
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]98 SERVICE_ACCOUNT_EMAIL = "service-account@example.com"
99 TARGET_PRINCIPAL = "impersonated@project.iam.gserviceaccount.com"
100 TARGET_SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only"]
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]101 DELEGATES = []
102 LIFETIME = 3600
103 SOURCE_CREDENTIALS = service_account.Credentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]104 SIGNER, SERVICE_ACCOUNT_EMAIL, TOKEN_URI
105 )
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]106 USER_SOURCE_CREDENTIALS = credentials.Credentials(token="ABCDE")
bojeil-googled4d7f382021-02-16 12:33:20 -0800[diff] [blame]107 IAM_ENDPOINT_OVERRIDE = (
108 "https://us-east1-iamcredentials.googleapis.com/v1/projects/-"
109 + "/serviceAccounts/{}:generateAccessToken".format(SERVICE_ACCOUNT_EMAIL)
110 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]111
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]112 def make_credentials(
113 self,
114 source_credentials=SOURCE_CREDENTIALS,
115 lifetime=LIFETIME,
116 target_principal=TARGET_PRINCIPAL,
bojeil-googled4d7f382021-02-16 12:33:20 -0800[diff] [blame]117 iam_endpoint_override=None,
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]118 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]119
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]120 return Credentials(
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]121 source_credentials=source_credentials,
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]122 target_principal=target_principal,
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]123 target_scopes=self.TARGET_SCOPES,
124 delegates=self.DELEGATES,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]125 lifetime=lifetime,
bojeil-googled4d7f382021-02-16 12:33:20 -0800[diff] [blame]126 iam_endpoint_override=iam_endpoint_override,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]127 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]128
Bu Sun Kim82e224b2020-03-13 13:21:18 -0700[diff] [blame]129 def test_make_from_user_credentials(self):
130 credentials = self.make_credentials(
131 source_credentials=self.USER_SOURCE_CREDENTIALS
132 )
133 assert not credentials.valid
134 assert credentials.expired
135
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]136 def test_default_state(self):
137 credentials = self.make_credentials()
138 assert not credentials.valid
139 assert credentials.expired
140
arithmetic1728e115bae2020-05-06 16:00:17 -0700[diff] [blame]141 def make_request(
142 self,
143 data,
144 status=http_client.OK,
145 headers=None,
146 side_effect=None,
147 use_data_bytes=True,
148 ):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]149 response = mock.create_autospec(transport.Response, instance=False)
150 response.status = status
arithmetic1728e115bae2020-05-06 16:00:17 -0700[diff] [blame]151 response.data = _helpers.to_bytes(data) if use_data_bytes else data
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]152 response.headers = headers or {}
153
154 request = mock.create_autospec(transport.Request, instance=False)
155 request.side_effect = side_effect
156 request.return_value = response
157
158 return request
159
arithmetic1728e115bae2020-05-06 16:00:17 -0700[diff] [blame]160 @pytest.mark.parametrize("use_data_bytes", [True, False])
161 def test_refresh_success(self, use_data_bytes, mock_donor_credentials):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]162 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]163 token = "token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]164
165 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]166 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
167 ).isoformat("T") + "Z"
168 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]169
170 request = self.make_request(
arithmetic1728e115bae2020-05-06 16:00:17 -0700[diff] [blame]171 data=json.dumps(response_body),
172 status=http_client.OK,
173 use_data_bytes=use_data_bytes,
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]174 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]175
176 credentials.refresh(request)
177
178 assert credentials.valid
179 assert not credentials.expired
180
bojeil-googled4d7f382021-02-16 12:33:20 -0800[diff] [blame]181 @pytest.mark.parametrize("use_data_bytes", [True, False])
182 def test_refresh_success_iam_endpoint_override(
183 self, use_data_bytes, mock_donor_credentials
184 ):
185 credentials = self.make_credentials(
186 lifetime=None, iam_endpoint_override=self.IAM_ENDPOINT_OVERRIDE
187 )
188 token = "token"
189
190 expire_time = (
191 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
192 ).isoformat("T") + "Z"
193 response_body = {"accessToken": token, "expireTime": expire_time}
194
195 request = self.make_request(
196 data=json.dumps(response_body),
197 status=http_client.OK,
198 use_data_bytes=use_data_bytes,
199 )
200
201 credentials.refresh(request)
202
203 assert credentials.valid
204 assert not credentials.expired
205 # Confirm override endpoint used.
arithmetic1728d80c85f2021-03-08 13:35:44 -0800[diff] [blame]206 request_kwargs = request.call_args[1]
bojeil-googled4d7f382021-02-16 12:33:20 -0800[diff] [blame]207 assert request_kwargs["url"] == self.IAM_ENDPOINT_OVERRIDE
208
arithmetic1728eb7be3f2020-05-28 11:01:24 -0700[diff] [blame]209 @pytest.mark.parametrize("time_skew", [100, -100])
210 def test_refresh_source_credentials(self, time_skew):
211 credentials = self.make_credentials(lifetime=None)
212
213 # Source credentials is refreshed only if it is expired within
214 # _helpers.CLOCK_SKEW from now. We add a time_skew to the expiry, so
215 # source credentials is refreshed only if time_skew <= 0.
216 credentials._source_credentials.expiry = (
217 _helpers.utcnow()
218 + _helpers.CLOCK_SKEW
219 + datetime.timedelta(seconds=time_skew)
220 )
221 credentials._source_credentials.token = "Token"
222
223 with mock.patch(
224 "google.oauth2.service_account.Credentials.refresh", autospec=True
225 ) as source_cred_refresh:
226 expire_time = (
227 _helpers.utcnow().replace(microsecond=0)
228 + datetime.timedelta(seconds=500)
229 ).isoformat("T") + "Z"
230 response_body = {"accessToken": "token", "expireTime": expire_time}
231 request = self.make_request(
232 data=json.dumps(response_body), status=http_client.OK
233 )
234
235 credentials.refresh(request)
236
237 assert credentials.valid
238 assert not credentials.expired
239
240 # Source credentials is refreshed only if it is expired within
241 # _helpers.CLOCK_SKEW
242 if time_skew > 0:
243 source_cred_refresh.assert_not_called()
244 else:
245 source_cred_refresh.assert_called_once()
246
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]247 def test_refresh_failure_malformed_expire_time(self, mock_donor_credentials):
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]248 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]249 token = "token"
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]250
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]251 expire_time = (_helpers.utcnow() + datetime.timedelta(seconds=500)).isoformat(
252 "T"
253 )
254 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]255
256 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]257 data=json.dumps(response_body), status=http_client.OK
258 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]259
260 with pytest.raises(exceptions.RefreshError) as excinfo:
261 credentials.refresh(request)
262
263 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
264
265 assert not credentials.valid
266 assert credentials.expired
267
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]268 def test_refresh_failure_unauthorzed(self, mock_donor_credentials):
269 credentials = self.make_credentials(lifetime=None)
270
271 response_body = {
272 "error": {
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]273 "code": 403,
274 "message": "The caller does not have permission",
275 "status": "PERMISSION_DENIED",
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]276 }
277 }
278
279 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]280 data=json.dumps(response_body), status=http_client.UNAUTHORIZED
281 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]282
283 with pytest.raises(exceptions.RefreshError) as excinfo:
284 credentials.refresh(request)
285
286 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
287
288 assert not credentials.valid
289 assert credentials.expired
290
291 def test_refresh_failure_http_error(self, mock_donor_credentials):
292 credentials = self.make_credentials(lifetime=None)
293
294 response_body = {}
295
296 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]297 data=json.dumps(response_body), status=http_client.HTTPException
298 )
salrashid1231fbc6792018-11-09 11:05:34 -0800[diff] [blame]299
300 with pytest.raises(exceptions.RefreshError) as excinfo:
301 credentials.refresh(request)
302
303 assert excinfo.match(impersonated_credentials._REFRESH_ERROR)
304
305 assert not credentials.valid
306 assert credentials.expired
307
308 def test_expired(self):
309 credentials = self.make_credentials(lifetime=None)
310 assert credentials.expired
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]311
312 def test_signer(self):
313 credentials = self.make_credentials()
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]314 assert isinstance(credentials.signer, impersonated_credentials.Credentials)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]315
316 def test_signer_email(self):
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]317 credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]318 assert credentials.signer_email == self.TARGET_PRINCIPAL
319
320 def test_service_account_email(self):
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]321 credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]322 assert credentials.service_account_email == self.TARGET_PRINCIPAL
323
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]324 def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]325 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]326 token = "token"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]327
328 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]329 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
330 ).isoformat("T") + "Z"
331 token_response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]332
333 response = mock.create_autospec(transport.Response, instance=False)
334 response.status = http_client.OK
335 response.data = _helpers.to_bytes(json.dumps(token_response_body))
336
337 request = mock.create_autospec(transport.Request, instance=False)
338 request.return_value = response
339
340 credentials.refresh(request)
341
342 assert credentials.valid
343 assert not credentials.expired
344
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]345 signature = credentials.sign_bytes(b"signed bytes")
346 assert signature == b"signature"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]347
Bu Sun Kim3dda7b22020-07-09 10:39:39 -0700[diff] [blame]348 def test_with_quota_project(self):
349 credentials = self.make_credentials()
350
351 quota_project_creds = credentials.with_quota_project("project-foo")
352 assert quota_project_creds._quota_project_id == "project-foo"
353
bojeil-googled4d7f382021-02-16 12:33:20 -0800[diff] [blame]354 @pytest.mark.parametrize("use_data_bytes", [True, False])
355 def test_with_quota_project_iam_endpoint_override(
356 self, use_data_bytes, mock_donor_credentials
357 ):
358 credentials = self.make_credentials(
359 lifetime=None, iam_endpoint_override=self.IAM_ENDPOINT_OVERRIDE
360 )
361 token = "token"
362 # iam_endpoint_override should be copied to created credentials.
363 quota_project_creds = credentials.with_quota_project("project-foo")
364
365 expire_time = (
366 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
367 ).isoformat("T") + "Z"
368 response_body = {"accessToken": token, "expireTime": expire_time}
369
370 request = self.make_request(
371 data=json.dumps(response_body),
372 status=http_client.OK,
373 use_data_bytes=use_data_bytes,
374 )
375
376 quota_project_creds.refresh(request)
377
378 assert quota_project_creds.valid
379 assert not quota_project_creds.expired
380 # Confirm override endpoint used.
arithmetic1728d80c85f2021-03-08 13:35:44 -0800[diff] [blame]381 request_kwargs = request.call_args[1]
bojeil-googled4d7f382021-02-16 12:33:20 -0800[diff] [blame]382 assert request_kwargs["url"] == self.IAM_ENDPOINT_OVERRIDE
383
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]384 def test_id_token_success(
385 self, mock_donor_credentials, mock_authorizedsession_idtoken
386 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]387 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]388 token = "token"
389 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]390
391 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]392 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
393 ).isoformat("T") + "Z"
394 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]395
396 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]397 data=json.dumps(response_body), status=http_client.OK
398 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]399
400 credentials.refresh(request)
401
402 assert credentials.valid
403 assert not credentials.expired
404
405 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]406 credentials, target_audience=target_audience
407 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]408 id_creds.refresh(request)
409
410 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]411 assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]412
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]413 def test_id_token_from_credential(
414 self, mock_donor_credentials, mock_authorizedsession_idtoken
415 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]416 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]417 token = "token"
418 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]419
420 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]421 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
422 ).isoformat("T") + "Z"
423 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]424
425 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]426 data=json.dumps(response_body), status=http_client.OK
427 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]428
429 credentials.refresh(request)
430
431 assert credentials.valid
432 assert not credentials.expired
433
434 id_creds = impersonated_credentials.IDTokenCredentials(
Pietro De Nicolaofd9b5b12020-12-11 20:00:30 +0100[diff] [blame]435 credentials, target_audience=target_audience, include_email=True
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]436 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]437 id_creds = id_creds.from_credentials(target_credentials=credentials)
438 id_creds.refresh(request)
439
440 assert id_creds.token == ID_TOKEN_DATA
Pietro De Nicolaofd9b5b12020-12-11 20:00:30 +0100[diff] [blame]441 assert id_creds._include_email is True
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]442
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]443 def test_id_token_with_target_audience(
444 self, mock_donor_credentials, mock_authorizedsession_idtoken
445 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]446 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]447 token = "token"
448 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]449
450 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]451 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
452 ).isoformat("T") + "Z"
453 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]454
455 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]456 data=json.dumps(response_body), status=http_client.OK
457 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]458
459 credentials.refresh(request)
460
461 assert credentials.valid
462 assert not credentials.expired
463
Pietro De Nicolaofd9b5b12020-12-11 20:00:30 +0100[diff] [blame]464 id_creds = impersonated_credentials.IDTokenCredentials(
465 credentials, include_email=True
466 )
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]467 id_creds = id_creds.with_target_audience(target_audience=target_audience)
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]468 id_creds.refresh(request)
469
470 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]471 assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY)
Pietro De Nicolaofd9b5b12020-12-11 20:00:30 +0100[diff] [blame]472 assert id_creds._include_email is True
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]473
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]474 def test_id_token_invalid_cred(
475 self, mock_donor_credentials, mock_authorizedsession_idtoken
476 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]477 credentials = None
478
479 with pytest.raises(exceptions.GoogleAuthError) as excinfo:
480 impersonated_credentials.IDTokenCredentials(credentials)
481
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]482 assert excinfo.match("Provided Credential must be" " impersonated_credentials")
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]483
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]484 def test_id_token_with_include_email(
485 self, mock_donor_credentials, mock_authorizedsession_idtoken
486 ):
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]487 credentials = self.make_credentials(lifetime=None)
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]488 token = "token"
489 target_audience = "https://foo.bar"
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]490
491 expire_time = (
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]492 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
493 ).isoformat("T") + "Z"
494 response_body = {"accessToken": token, "expireTime": expire_time}
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]495
496 request = self.make_request(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]497 data=json.dumps(response_body), status=http_client.OK
498 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]499
500 credentials.refresh(request)
501
502 assert credentials.valid
503 assert not credentials.expired
504
505 id_creds = impersonated_credentials.IDTokenCredentials(
Bu Sun Kim9eec0912019-10-21 17:04:21 -0700[diff] [blame]506 credentials, target_audience=target_audience
507 )
salrashid1237a8641a2019-08-07 14:31:33 -0700[diff] [blame]508 id_creds = id_creds.with_include_email(True)
509 id_creds.refresh(request)
510
511 assert id_creds.token == ID_TOKEN_DATA
Bu Sun Kim3dda7b22020-07-09 10:39:39 -0700[diff] [blame]512
513 def test_id_token_with_quota_project(
514 self, mock_donor_credentials, mock_authorizedsession_idtoken
515 ):
516 credentials = self.make_credentials(lifetime=None)
517 token = "token"
518 target_audience = "https://foo.bar"
519
520 expire_time = (
521 _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
522 ).isoformat("T") + "Z"
523 response_body = {"accessToken": token, "expireTime": expire_time}
524
525 request = self.make_request(
526 data=json.dumps(response_body), status=http_client.OK
527 )
528
529 credentials.refresh(request)
530
531 assert credentials.valid
532 assert not credentials.expired
533
534 id_creds = impersonated_credentials.IDTokenCredentials(
535 credentials, target_audience=target_audience
536 )
537 id_creds = id_creds.with_quota_project("project-foo")
538 id_creds.refresh(request)
539
540 assert id_creds.quota_project_id == "project-foo"