File manager

File manager - Edit - /home/u478019808/domains/bestandroidphones.store/public_html/static/img/logo/tests.tar

Back
test_metrics.py��0000644��00000006260�15025175543�0007636 0��ustar�00��# Copyright 2014 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import platform import mock from google.auth import metrics from google.auth import version def test_add_metric_header(): headers = {} metrics.add_metric_header(headers, None) assert headers == {} headers = {"x-goog-api-client": "foo"} metrics.add_metric_header(headers, "bar") assert headers == {"x-goog-api-client": "foo bar"} headers = {} metrics.add_metric_header(headers, "bar") assert headers == {"x-goog-api-client": "bar"} @mock.patch.object(platform, "python_version", return_value="3.7") def test_versions(mock_python_version): version_save = version.__version__ version.__version__ = "1.1" assert metrics.python_and_auth_lib_version() == "gl-python/3.7 auth/1.1" version.__version__ = version_save @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value="gl-python/3.7 auth/1.1", ) def test_metric_values(mock_python_and_auth_lib_version): assert ( metrics.token_request_access_token_mds() == "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/mds" ) assert ( metrics.token_request_id_token_mds() == "gl-python/3.7 auth/1.1 auth-request-type/it cred-type/mds" ) assert ( metrics.token_request_access_token_impersonate() == "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/imp" ) assert ( metrics.token_request_id_token_impersonate() == "gl-python/3.7 auth/1.1 auth-request-type/it cred-type/imp" ) assert ( metrics.token_request_access_token_sa_assertion() == "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/sa" ) assert ( metrics.token_request_id_token_sa_assertion() == "gl-python/3.7 auth/1.1 auth-request-type/it cred-type/sa" ) assert metrics.token_request_user() == "gl-python/3.7 auth/1.1 cred-type/u" assert metrics.mds_ping() == "gl-python/3.7 auth/1.1 auth-request-type/mds" assert metrics.reauth_start() == "gl-python/3.7 auth/1.1 auth-request-type/re-start" assert ( metrics.reauth_continue() == "gl-python/3.7 auth/1.1 auth-request-type/re-cont" ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value="gl-python/3.7 auth/1.1", ) def test_byoid_metric_header(mock_python_and_auth_lib_version): metrics_options = {} assert ( metrics.byoid_metrics_header(metrics_options) == "gl-python/3.7 auth/1.1 google-byoid-sdk" ) metrics_options["testKey"] = "testValue" assert ( metrics.byoid_metrics_header(metrics_options) == "gl-python/3.7 auth/1.1 google-byoid-sdk testKey/testValue" ) ��test__service_account_info.py��0000644��00000005072�15025175543�0012516 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import json import os import pytest # type: ignore from google.auth import _service_account_info from google.auth import crypt DATA_DIR = os.path.join(os.path.dirname(__file__), "data") SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json") GDCH_SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "gdch_service_account.json") with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh: SERVICE_ACCOUNT_INFO = json.load(fh) with open(GDCH_SERVICE_ACCOUNT_JSON_FILE, "r") as fh: GDCH_SERVICE_ACCOUNT_INFO = json.load(fh) def test_from_dict(): signer = _service_account_info.from_dict(SERVICE_ACCOUNT_INFO) assert isinstance(signer, crypt.RSASigner) assert signer.key_id == SERVICE_ACCOUNT_INFO["private_key_id"] def test_from_dict_es256_signer(): signer = _service_account_info.from_dict( GDCH_SERVICE_ACCOUNT_INFO, use_rsa_signer=False ) assert isinstance(signer, crypt.ES256Signer) assert signer.key_id == GDCH_SERVICE_ACCOUNT_INFO["private_key_id"] def test_from_dict_bad_private_key(): info = SERVICE_ACCOUNT_INFO.copy() info["private_key"] = "garbage" with pytest.raises(ValueError) as excinfo: _service_account_info.from_dict(info) assert excinfo.match(r"key") def test_from_dict_bad_format(): with pytest.raises(ValueError) as excinfo: _service_account_info.from_dict({}, require=("meep",)) assert excinfo.match(r"missing fields") def test_from_filename(): info, signer = _service_account_info.from_filename(SERVICE_ACCOUNT_JSON_FILE) for key, value in SERVICE_ACCOUNT_INFO.items(): assert info[key] == value assert isinstance(signer, crypt.RSASigner) assert signer.key_id == SERVICE_ACCOUNT_INFO["private_key_id"] def test_from_filename_es256_signer(): _, signer = _service_account_info.from_filename( GDCH_SERVICE_ACCOUNT_JSON_FILE, use_rsa_signer=False ) assert isinstance(signer, crypt.ES256Signer) assert signer.key_id == GDCH_SERVICE_ACCOUNT_INFO["private_key_id"] ��test__cloud_sdk.py��0000644��00000013226�15025175543�0010276 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import io import json import os import subprocess import sys import mock import pytest # type: ignore from google.auth import _cloud_sdk from google.auth import environment_vars from google.auth import exceptions DATA_DIR = os.path.join(os.path.dirname(__file__), "data") AUTHORIZED_USER_FILE = os.path.join(DATA_DIR, "authorized_user.json") with io.open(AUTHORIZED_USER_FILE, "rb") as fh: AUTHORIZED_USER_FILE_DATA = json.load(fh) SERVICE_ACCOUNT_FILE = os.path.join(DATA_DIR, "service_account.json") with io.open(SERVICE_ACCOUNT_FILE, "rb") as fh: SERVICE_ACCOUNT_FILE_DATA = json.load(fh) @pytest.mark.parametrize( "data, expected_project_id", [(b"example-project\n", "example-project"), (b"", None)], ) def test_get_project_id(data, expected_project_id): check_output_patch = mock.patch( "subprocess.check_output", autospec=True, return_value=data ) with check_output_patch as check_output: project_id = _cloud_sdk.get_project_id() assert project_id == expected_project_id assert check_output.called @mock.patch( "subprocess.check_output", autospec=True, side_effect=subprocess.CalledProcessError(-1, "testing"), ) def test_get_project_id_call_error(check_output): project_id = _cloud_sdk.get_project_id() assert project_id is None assert check_output.called def test__run_subprocess_ignore_stderr(): command = [ sys.executable, "-c", "from __future__ import print_function;" + "import sys;" + "print('error', file=sys.stderr);" + "print('output', file=sys.stdout)", ] # If we ignore stderr, then the output only has stdout output = _cloud_sdk._run_subprocess_ignore_stderr(command) assert output == b"output\n" # If we pipe stderr to stdout, then the output is mixed with stdout and stderr. output = subprocess.check_output(command, stderr=subprocess.STDOUT) assert output == b"output\nerror\n" or output == b"error\noutput\n" @mock.patch("os.name", new="nt") def test_get_project_id_windows(): check_output_patch = mock.patch( "subprocess.check_output", autospec=True, return_value=b"example-project\n" ) with check_output_patch as check_output: project_id = _cloud_sdk.get_project_id() assert project_id == "example-project" assert check_output.called # Make sure the executable is `gcloud.cmd`. args = check_output.call_args[0] command = args[0] executable = command[0] assert executable == "gcloud.cmd" @mock.patch("google.auth._cloud_sdk.get_config_path", autospec=True) def test_get_application_default_credentials_path(get_config_dir): config_path = "config_path" get_config_dir.return_value = config_path credentials_path = _cloud_sdk.get_application_default_credentials_path() assert credentials_path == os.path.join( config_path, _cloud_sdk._CREDENTIALS_FILENAME ) def test_get_config_path_env_var(monkeypatch): config_path_sentinel = "config_path" monkeypatch.setenv(environment_vars.CLOUD_SDK_CONFIG_DIR, config_path_sentinel) config_path = _cloud_sdk.get_config_path() assert config_path == config_path_sentinel @mock.patch("os.path.expanduser") def test_get_config_path_unix(expanduser): expanduser.side_effect = lambda path: path config_path = _cloud_sdk.get_config_path() assert os.path.split(config_path) == ("~/.config", _cloud_sdk._CONFIG_DIRECTORY) @mock.patch("os.name", new="nt") def test_get_config_path_windows(monkeypatch): appdata = "appdata" monkeypatch.setenv(_cloud_sdk._WINDOWS_CONFIG_ROOT_ENV_VAR, appdata) config_path = _cloud_sdk.get_config_path() assert os.path.split(config_path) == (appdata, _cloud_sdk._CONFIG_DIRECTORY) @mock.patch("os.name", new="nt") def test_get_config_path_no_appdata(monkeypatch): monkeypatch.delenv(_cloud_sdk._WINDOWS_CONFIG_ROOT_ENV_VAR, raising=False) monkeypatch.setenv("SystemDrive", "G:") config_path = _cloud_sdk.get_config_path() assert os.path.split(config_path) == ("G:/\\", _cloud_sdk._CONFIG_DIRECTORY) @mock.patch("os.name", new="nt") @mock.patch("subprocess.check_output", autospec=True) def test_get_auth_access_token_windows(check_output): check_output.return_value = b"access_token\n" token = _cloud_sdk.get_auth_access_token() assert token == "access_token" check_output.assert_called_with( ("gcloud.cmd", "auth", "print-access-token"), stderr=subprocess.STDOUT ) @mock.patch("subprocess.check_output", autospec=True) def test_get_auth_access_token_with_account(check_output): check_output.return_value = b"access_token\n" token = _cloud_sdk.get_auth_access_token(account="account") assert token == "access_token" check_output.assert_called_with( ("gcloud", "auth", "print-access-token", "--account=account"), stderr=subprocess.STDOUT, ) @mock.patch("subprocess.check_output", autospec=True) def test_get_auth_access_token_with_exception(check_output): check_output.side_effect = OSError() with pytest.raises(exceptions.UserAccessTokenError): _cloud_sdk.get_auth_access_token(account="account") ��test_app_engine.py��0000644��00000016377�15025175543�0010307 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import mock import pytest # type: ignore from google.auth import app_engine class _AppIdentityModule(object): """The interface of the App Idenity app engine module. See https://cloud.google.com/appengine/docs/standard/python/refdocs /google.appengine.api.app_identity.app_identity """ def get_application_id(self): raise NotImplementedError() def sign_blob(self, bytes_to_sign, deadline=None): raise NotImplementedError() def get_service_account_name(self, deadline=None): raise NotImplementedError() def get_access_token(self, scopes, service_account_id=None): raise NotImplementedError() @pytest.fixture def app_identity(monkeypatch): """Mocks the app_identity module for google.auth.app_engine.""" app_identity_module = mock.create_autospec(_AppIdentityModule, instance=True) monkeypatch.setattr(app_engine, "app_identity", app_identity_module) yield app_identity_module def test_get_project_id(app_identity): app_identity.get_application_id.return_value = mock.sentinel.project assert app_engine.get_project_id() == mock.sentinel.project @mock.patch.object(app_engine, "app_identity", new=None) def test_get_project_id_missing_apis(): with pytest.raises(EnvironmentError) as excinfo: assert app_engine.get_project_id() assert excinfo.match(r"App Engine APIs are not available") class TestSigner(object): def test_key_id(self, app_identity): app_identity.sign_blob.return_value = ( mock.sentinel.key_id, mock.sentinel.signature, ) signer = app_engine.Signer() assert signer.key_id is None def test_sign(self, app_identity): app_identity.sign_blob.return_value = ( mock.sentinel.key_id, mock.sentinel.signature, ) signer = app_engine.Signer() to_sign = b"123" signature = signer.sign(to_sign) assert signature == mock.sentinel.signature app_identity.sign_blob.assert_called_with(to_sign) class TestCredentials(object): @mock.patch.object(app_engine, "app_identity", new=None) def test_missing_apis(self): with pytest.raises(EnvironmentError) as excinfo: app_engine.Credentials() assert excinfo.match(r"App Engine APIs are not available") def test_default_state(self, app_identity): credentials = app_engine.Credentials() # Not token acquired yet assert not credentials.valid # Expiration hasn't been set yet assert not credentials.expired # Scopes are required assert not credentials.scopes assert not credentials.default_scopes assert credentials.requires_scopes assert not credentials.quota_project_id def test_with_scopes(self, app_identity): credentials = app_engine.Credentials() assert not credentials.scopes assert credentials.requires_scopes scoped_credentials = credentials.with_scopes(["email"]) assert scoped_credentials.has_scopes(["email"]) assert not scoped_credentials.requires_scopes def test_with_default_scopes(self, app_identity): credentials = app_engine.Credentials() assert not credentials.scopes assert not credentials.default_scopes assert credentials.requires_scopes scoped_credentials = credentials.with_scopes( scopes=None, default_scopes=["email"] ) assert scoped_credentials.has_scopes(["email"]) assert not scoped_credentials.requires_scopes def test_with_quota_project(self, app_identity): credentials = app_engine.Credentials() assert not credentials.scopes assert not credentials.quota_project_id quota_project_creds = credentials.with_quota_project("project-foo") assert quota_project_creds.quota_project_id == "project-foo" def test_service_account_email_implicit(self, app_identity): app_identity.get_service_account_name.return_value = ( mock.sentinel.service_account_email ) credentials = app_engine.Credentials() assert credentials.service_account_email == mock.sentinel.service_account_email assert app_identity.get_service_account_name.called def test_service_account_email_explicit(self, app_identity): credentials = app_engine.Credentials( service_account_id=mock.sentinel.service_account_email ) assert credentials.service_account_email == mock.sentinel.service_account_email assert not app_identity.get_service_account_name.called @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh(self, utcnow, app_identity): token = "token" ttl = 643942923 app_identity.get_access_token.return_value = token, ttl credentials = app_engine.Credentials( scopes=["email"], default_scopes=["profile"] ) credentials.refresh(None) app_identity.get_access_token.assert_called_with( credentials.scopes, credentials._service_account_id ) assert credentials.token == token assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3) assert credentials.valid assert not credentials.expired @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_with_default_scopes(self, utcnow, app_identity): token = "token" ttl = 643942923 app_identity.get_access_token.return_value = token, ttl credentials = app_engine.Credentials(default_scopes=["email"]) credentials.refresh(None) app_identity.get_access_token.assert_called_with( credentials.default_scopes, credentials._service_account_id ) assert credentials.token == token assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3) assert credentials.valid assert not credentials.expired def test_sign_bytes(self, app_identity): app_identity.sign_blob.return_value = ( mock.sentinel.key_id, mock.sentinel.signature, ) credentials = app_engine.Credentials() to_sign = b"123" signature = credentials.sign_bytes(to_sign) assert signature == mock.sentinel.signature app_identity.sign_blob.assert_called_with(to_sign) def test_signer(self, app_identity): credentials = app_engine.Credentials() assert isinstance(credentials.signer, app_engine.Signer) def test_signer_email(self, app_identity): credentials = app_engine.Credentials() assert credentials.signer_email == credentials.service_account_email ��test_identity_pool.py��0000644��00000145612�15025175543�0011057 0��ustar�00��# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import http.client as http_client import json import os import urllib import mock import pytest # type: ignore from google.auth import _helpers from google.auth import exceptions from google.auth import identity_pool from google.auth import metrics from google.auth import transport CLIENT_ID = "username" CLIENT_SECRET = "password" # Base64 encoding of "username:password". BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ=" SERVICE_ACCOUNT_EMAIL = "service-1234@service-name.iam.gserviceaccount.com" SERVICE_ACCOUNT_IMPERSONATION_URL_BASE = ( "https://us-east1-iamcredentials.googleapis.com" ) SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE = "/v1/projects/-/serviceAccounts/{}:generateAccessToken".format( SERVICE_ACCOUNT_EMAIL ) SERVICE_ACCOUNT_IMPERSONATION_URL = ( SERVICE_ACCOUNT_IMPERSONATION_URL_BASE + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) QUOTA_PROJECT_ID = "QUOTA_PROJECT_ID" SCOPES = ["scope1", "scope2"] DATA_DIR = os.path.join(os.path.dirname(__file__), "data") SUBJECT_TOKEN_TEXT_FILE = os.path.join(DATA_DIR, "external_subject_token.txt") SUBJECT_TOKEN_JSON_FILE = os.path.join(DATA_DIR, "external_subject_token.json") SUBJECT_TOKEN_FIELD_NAME = "access_token" with open(SUBJECT_TOKEN_TEXT_FILE) as fh: TEXT_FILE_SUBJECT_TOKEN = fh.read() with open(SUBJECT_TOKEN_JSON_FILE) as fh: JSON_FILE_CONTENT = json.load(fh) JSON_FILE_SUBJECT_TOKEN = JSON_FILE_CONTENT.get(SUBJECT_TOKEN_FIELD_NAME) TOKEN_URL = "https://sts.googleapis.com/v1/token" TOKEN_INFO_URL = "https://sts.googleapis.com/v1/introspect" SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt" AUDIENCE = "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID" WORKFORCE_AUDIENCE = ( "//iam.googleapis.com/locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID" ) WORKFORCE_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token" WORKFORCE_POOL_USER_PROJECT = "WORKFORCE_POOL_USER_PROJECT_NUMBER" DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" VALID_TOKEN_URLS = [ "https://sts.googleapis.com", "https://us-east-1.sts.googleapis.com", "https://US-EAST-1.sts.googleapis.com", "https://sts.us-east-1.googleapis.com", "https://sts.US-WEST-1.googleapis.com", "https://us-east-1-sts.googleapis.com", "https://US-WEST-1-sts.googleapis.com", "https://us-west-1-sts.googleapis.com/path?query", "https://sts-us-east-1.p.googleapis.com", ] INVALID_TOKEN_URLS = [ "https://iamcredentials.googleapis.com", "sts.googleapis.com", "https://", "http://sts.googleapis.com", "https://st.s.googleapis.com", "https://us-eas\t-1.sts.googleapis.com", "https:/us-east-1.sts.googleapis.com", "https://US-WE/ST-1-sts.googleapis.com", "https://sts-us-east-1.googleapis.com", "https://sts-US-WEST-1.googleapis.com", "testhttps://us-east-1.sts.googleapis.com", "https://us-east-1.sts.googleapis.comevil.com", "https://us-east-1.us-east-1.sts.googleapis.com", "https://us-ea.s.t.sts.googleapis.com", "https://sts.googleapis.comevil.com", "hhttps://us-east-1.sts.googleapis.com", "https://us- -1.sts.googleapis.com", "https://-sts.googleapis.com", "https://us-east-1.sts.googleapis.com.evil.com", "https://sts.pgoogleapis.com", "https://p.googleapis.com", "https://sts.p.com", "http://sts.p.googleapis.com", "https://xyz-sts.p.googleapis.com", "https://sts-xyz.123.p.googleapis.com", "https://sts-xyz.p1.googleapis.com", "https://sts-xyz.p.foo.com", "https://sts-xyz.p.foo.googleapis.com", ] VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ "https://iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.com", "https://US-EAST-1.iamcredentials.googleapis.com", "https://iamcredentials.us-east-1.googleapis.com", "https://iamcredentials.US-WEST-1.googleapis.com", "https://us-east-1-iamcredentials.googleapis.com", "https://US-WEST-1-iamcredentials.googleapis.com", "https://us-west-1-iamcredentials.googleapis.com/path?query", "https://iamcredentials-us-east-1.p.googleapis.com", ] INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ "https://sts.googleapis.com", "iamcredentials.googleapis.com", "https://", "http://iamcredentials.googleapis.com", "https://iamcre.dentials.googleapis.com", "https://us-eas\t-1.iamcredentials.googleapis.com", "https:/us-east-1.iamcredentials.googleapis.com", "https://US-WE/ST-1-iamcredentials.googleapis.com", "https://iamcredentials-us-east-1.googleapis.com", "https://iamcredentials-US-WEST-1.googleapis.com", "testhttps://us-east-1.iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.comevil.com", "https://us-east-1.us-east-1.iamcredentials.googleapis.com", "https://us-ea.s.t.iamcredentials.googleapis.com", "https://iamcredentials.googleapis.comevil.com", "hhttps://us-east-1.iamcredentials.googleapis.com", "https://us- -1.iamcredentials.googleapis.com", "https://-iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.com.evil.com", "https://iamcredentials.pgoogleapis.com", "https://p.googleapis.com", "https://iamcredentials.p.com", "http://iamcredentials.p.googleapis.com", "https://xyz-iamcredentials.p.googleapis.com", "https://iamcredentials-xyz.123.p.googleapis.com", "https://iamcredentials-xyz.p1.googleapis.com", "https://iamcredentials-xyz.p.foo.com", "https://iamcredentials-xyz.p.foo.googleapis.com", ] class TestCredentials(object): CREDENTIAL_SOURCE_TEXT = {"file": SUBJECT_TOKEN_TEXT_FILE} CREDENTIAL_SOURCE_JSON = { "file": SUBJECT_TOKEN_JSON_FILE, "format": {"type": "json", "subject_token_field_name": "access_token"}, } CREDENTIAL_URL = "http://fakeurl.com" CREDENTIAL_SOURCE_TEXT_URL = {"url": CREDENTIAL_URL} CREDENTIAL_SOURCE_JSON_URL = { "url": CREDENTIAL_URL, "format": {"type": "json", "subject_token_field_name": "access_token"}, } SUCCESS_RESPONSE = { "access_token": "ACCESS_TOKEN", "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 3600, "scope": " ".join(SCOPES), } @classmethod def make_mock_response(cls, status, data): response = mock.create_autospec(transport.Response, instance=True) response.status = status if isinstance(data, dict): response.data = json.dumps(data).encode("utf-8") else: response.data = data return response @classmethod def make_mock_request( cls, token_status=http_client.OK, token_data=None, extra_requests ): responses = [] responses.append(cls.make_mock_response(token_status, token_data)) while len(extra_requests) > 0: # If service account impersonation is requested, mock the expected response. status, data, extra_requests = ( extra_requests[0], extra_requests[1], extra_requests[2:], ) responses.append(cls.make_mock_response(status, data)) request = mock.create_autospec(transport.Request) request.side_effect = responses return request @classmethod def assert_credential_request_kwargs( cls, request_kwargs, headers, url=CREDENTIAL_URL ): assert request_kwargs["url"] == url assert request_kwargs["method"] == "GET" assert request_kwargs["headers"] == headers assert request_kwargs.get("body", None) is None @classmethod def assert_token_request_kwargs( cls, request_kwargs, headers, request_data, token_url=TOKEN_URL ): assert request_kwargs["url"] == token_url assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None body_tuples = urllib.parse.parse_qsl(request_kwargs["body"]) assert len(body_tuples) == len(request_data.keys()) for (k, v) in body_tuples: assert v.decode("utf-8") == request_data[k.decode("utf-8")] @classmethod def assert_impersonation_request_kwargs( cls, request_kwargs, headers, request_data, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, ): assert request_kwargs["url"] == service_account_impersonation_url assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None body_json = json.loads(request_kwargs["body"].decode("utf-8")) assert body_json == request_data @classmethod def assert_underlying_credentials_refresh( cls, credentials, audience, subject_token, subject_token_type, token_url, service_account_impersonation_url=None, basic_auth_encoding=None, quota_project_id=None, used_scopes=None, credential_data=None, scopes=None, default_scopes=None, workforce_pool_user_project=None, ): """Utility to assert that a credentials are initialized with the expected attributes by calling refresh functionality and confirming response matches expected one and that the underlying requests were populated with the expected parameters. """ # STS token exchange request/response. token_response = cls.SUCCESS_RESPONSE.copy() token_headers = {"Content-Type": "application/x-www-form-urlencoded"} if basic_auth_encoding: token_headers["Authorization"] = "Basic " + basic_auth_encoding metrics_options = {} if credentials._service_account_impersonation_url: metrics_options["sa-impersonation"] = "true" else: metrics_options["sa-impersonation"] = "false" metrics_options["config-lifetime"] = "false" if credentials._credential_source_file: metrics_options["source"] = "file" else: metrics_options["source"] = "url" token_headers["x-goog-api-client"] = metrics.byoid_metrics_header( metrics_options ) if service_account_impersonation_url: token_scopes = "https://www.googleapis.com/auth/iam" else: token_scopes = " ".join(used_scopes or []) token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": audience, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "scope": token_scopes, "subject_token": subject_token, "subject_token_type": subject_token_type, } if workforce_pool_user_project: token_request_data["options"] = urllib.parse.quote( json.dumps({"userProject": workforce_pool_user_project}) ) metrics_header_value = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/imp" ) if service_account_impersonation_url: # Service account impersonation request/response. expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=3600) ).isoformat("T") + "Z" impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "authorization": "Bearer {}".format(token_response["access_token"]), "x-goog-api-client": metrics_header_value, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": used_scopes, "lifetime": "3600s", } # Initialize mock request to handle token retrieval, token exchange and # service account impersonation request. requests = [] if credential_data: requests.append((http_client.OK, credential_data)) token_request_index = len(requests) requests.append((http_client.OK, token_response)) if service_account_impersonation_url: impersonation_request_index = len(requests) requests.append((http_client.OK, impersonation_response)) request = cls.make_mock_request([el for req in requests for el in req]) with mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=metrics_header_value, ): credentials.refresh(request) assert len(request.call_args_list) == len(requests) if credential_data: cls.assert_credential_request_kwargs(request.call_args_list[0][1], None) # Verify token exchange request parameters. cls.assert_token_request_kwargs( request.call_args_list[token_request_index][1], token_headers, token_request_data, token_url, ) # Verify service account impersonation request parameters if the request # is processed. if service_account_impersonation_url: cls.assert_impersonation_request_kwargs( request.call_args_list[impersonation_request_index][1], impersonation_headers, impersonation_request_data, service_account_impersonation_url, ) assert credentials.token == impersonation_response["accessToken"] else: assert credentials.token == token_response["access_token"] assert credentials.quota_project_id == quota_project_id assert credentials.scopes == scopes assert credentials.default_scopes == default_scopes @classmethod def make_credentials( cls, audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, client_id=None, client_secret=None, quota_project_id=None, scopes=None, default_scopes=None, service_account_impersonation_url=None, credential_source=None, workforce_pool_user_project=None, ): return identity_pool.Credentials( audience=audience, subject_token_type=subject_token_type, token_url=token_url, token_info_url=token_info_url, service_account_impersonation_url=service_account_impersonation_url, credential_source=credential_source, client_id=client_id, client_secret=client_secret, quota_project_id=quota_project_id, scopes=scopes, default_scopes=default_scopes, workforce_pool_user_project=workforce_pool_user_project, ) @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None) def test_from_info_full_options(self, mock_init): credentials = identity_pool.Credentials.from_info( { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "service_account_impersonation": {"token_lifetime_seconds": 2800}, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "quota_project_id": QUOTA_PROJECT_ID, "credential_source": self.CREDENTIAL_SOURCE_TEXT, } ) # Confirm identity_pool.Credentials instantiated with expected attributes. assert isinstance(credentials, identity_pool.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE_TEXT, quota_project_id=QUOTA_PROJECT_ID, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None) def test_from_info_required_options_only(self, mock_init): credentials = identity_pool.Credentials.from_info( { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE_TEXT, } ) # Confirm identity_pool.Credentials instantiated with expected attributes. assert isinstance(credentials, identity_pool.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=None, service_account_impersonation_url=None, service_account_impersonation_options={}, client_id=None, client_secret=None, credential_source=self.CREDENTIAL_SOURCE_TEXT, quota_project_id=None, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None) def test_from_info_workforce_pool(self, mock_init): credentials = identity_pool.Credentials.from_info( { "audience": WORKFORCE_AUDIENCE, "subject_token_type": WORKFORCE_SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE_TEXT, "workforce_pool_user_project": WORKFORCE_POOL_USER_PROJECT, } ) # Confirm identity_pool.Credentials instantiated with expected attributes. assert isinstance(credentials, identity_pool.Credentials) mock_init.assert_called_once_with( audience=WORKFORCE_AUDIENCE, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=None, service_account_impersonation_url=None, service_account_impersonation_options={}, client_id=None, client_secret=None, credential_source=self.CREDENTIAL_SOURCE_TEXT, quota_project_id=None, workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None) def test_from_file_full_options(self, mock_init, tmpdir): info = { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "service_account_impersonation": {"token_lifetime_seconds": 2800}, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "quota_project_id": QUOTA_PROJECT_ID, "credential_source": self.CREDENTIAL_SOURCE_TEXT, } config_file = tmpdir.join("config.json") config_file.write(json.dumps(info)) credentials = identity_pool.Credentials.from_file(str(config_file)) # Confirm identity_pool.Credentials instantiated with expected attributes. assert isinstance(credentials, identity_pool.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE_TEXT, quota_project_id=QUOTA_PROJECT_ID, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None) def test_from_file_required_options_only(self, mock_init, tmpdir): info = { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE_TEXT, } config_file = tmpdir.join("config.json") config_file.write(json.dumps(info)) credentials = identity_pool.Credentials.from_file(str(config_file)) # Confirm identity_pool.Credentials instantiated with expected attributes. assert isinstance(credentials, identity_pool.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=None, service_account_impersonation_url=None, service_account_impersonation_options={}, client_id=None, client_secret=None, credential_source=self.CREDENTIAL_SOURCE_TEXT, quota_project_id=None, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None) def test_from_file_workforce_pool(self, mock_init, tmpdir): info = { "audience": WORKFORCE_AUDIENCE, "subject_token_type": WORKFORCE_SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE_TEXT, "workforce_pool_user_project": WORKFORCE_POOL_USER_PROJECT, } config_file = tmpdir.join("config.json") config_file.write(json.dumps(info)) credentials = identity_pool.Credentials.from_file(str(config_file)) # Confirm identity_pool.Credentials instantiated with expected attributes. assert isinstance(credentials, identity_pool.Credentials) mock_init.assert_called_once_with( audience=WORKFORCE_AUDIENCE, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=None, service_account_impersonation_url=None, service_account_impersonation_options={}, client_id=None, client_secret=None, credential_source=self.CREDENTIAL_SOURCE_TEXT, quota_project_id=None, workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) def test_constructor_nonworkforce_with_workforce_pool_user_project(self): with pytest.raises(ValueError) as excinfo: self.make_credentials( audience=AUDIENCE, workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, ) assert excinfo.match( "workforce_pool_user_project should not be set for non-workforce " "pool credentials" ) def test_constructor_invalid_options(self): credential_source = {"unsupported": "value"} with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match(r"Missing credential_source") def test_constructor_invalid_options_url_and_file(self): credential_source = { "url": self.CREDENTIAL_URL, "file": SUBJECT_TOKEN_TEXT_FILE, } with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match(r"Ambiguous credential_source") def test_constructor_invalid_options_environment_id(self): credential_source = {"url": self.CREDENTIAL_URL, "environment_id": "aws1"} with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match( r"Invalid Identity Pool credential_source field 'environment_id'" ) def test_constructor_invalid_credential_source(self): with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source="non-dict") assert excinfo.match(r"Missing credential_source") def test_constructor_invalid_credential_source_format_type(self): credential_source = {"format": {"type": "xml"}} with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match(r"Invalid credential_source format 'xml'") def test_constructor_missing_subject_token_field_name(self): credential_source = {"format": {"type": "json"}} with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match( r"Missing subject_token_field_name for JSON credential_source format" ) def test_info_with_workforce_pool_user_project(self): credentials = self.make_credentials( audience=WORKFORCE_AUDIENCE, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, credential_source=self.CREDENTIAL_SOURCE_TEXT_URL.copy(), workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, ) assert credentials.info == { "type": "external_account", "audience": WORKFORCE_AUDIENCE, "subject_token_type": WORKFORCE_SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "credential_source": self.CREDENTIAL_SOURCE_TEXT_URL, "workforce_pool_user_project": WORKFORCE_POOL_USER_PROJECT, "universe_domain": DEFAULT_UNIVERSE_DOMAIN, } def test_info_with_file_credential_source(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_TEXT_URL.copy() ) assert credentials.info == { "type": "external_account", "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "credential_source": self.CREDENTIAL_SOURCE_TEXT_URL, "universe_domain": DEFAULT_UNIVERSE_DOMAIN, } def test_info_with_url_credential_source(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON_URL.copy() ) assert credentials.info == { "type": "external_account", "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "credential_source": self.CREDENTIAL_SOURCE_JSON_URL, "universe_domain": DEFAULT_UNIVERSE_DOMAIN, } def test_retrieve_subject_token_missing_subject_token(self, tmpdir): # Provide empty text file. empty_file = tmpdir.join("empty.txt") empty_file.write("") credential_source = {"file": str(empty_file)} credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(None) assert excinfo.match(r"Missing subject_token in the credential_source file") def test_retrieve_subject_token_text_file(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_TEXT ) subject_token = credentials.retrieve_subject_token(None) assert subject_token == TEXT_FILE_SUBJECT_TOKEN def test_retrieve_subject_token_json_file(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON ) subject_token = credentials.retrieve_subject_token(None) assert subject_token == JSON_FILE_SUBJECT_TOKEN def test_retrieve_subject_token_json_file_invalid_field_name(self): credential_source = { "file": SUBJECT_TOKEN_JSON_FILE, "format": {"type": "json", "subject_token_field_name": "not_found"}, } credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(None) assert excinfo.match( "Unable to parse subject_token from JSON file '{}' using key '{}'".format( SUBJECT_TOKEN_JSON_FILE, "not_found" ) ) def test_retrieve_subject_token_invalid_json(self, tmpdir): # Provide JSON file. This should result in JSON parsing error. invalid_json_file = tmpdir.join("invalid.json") invalid_json_file.write("{") credential_source = { "file": str(invalid_json_file), "format": {"type": "json", "subject_token_field_name": "access_token"}, } credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(None) assert excinfo.match( "Unable to parse subject_token from JSON file '{}' using key '{}'".format( str(invalid_json_file), "access_token" ) ) def test_retrieve_subject_token_file_not_found(self): credential_source = {"file": "./not_found.txt"} credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(None) assert excinfo.match(r"File './not_found.txt' was not found") def test_token_info_url(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON ) assert credentials.token_info_url == TOKEN_INFO_URL def test_token_info_url_custom(self): for url in VALID_TOKEN_URLS: credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON.copy(), token_info_url=(url + "/introspect"), ) assert credentials.token_info_url == url + "/introspect" def test_token_info_url_negative(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON.copy(), token_info_url=None ) assert not credentials.token_info_url def test_token_url_custom(self): for url in VALID_TOKEN_URLS: credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON.copy(), token_url=(url + "/token"), ) assert credentials._token_url == (url + "/token") def test_service_account_impersonation_url_custom(self): for url in VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON.copy(), service_account_impersonation_url=( url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ), ) assert credentials._service_account_impersonation_url == ( url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) def test_refresh_text_file_success_without_impersonation_ignore_default_scopes( self, ): credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT, scopes=SCOPES, # Default scopes should be ignored. default_scopes=["ignored"], ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=None, basic_auth_encoding=BASIC_AUTH_ENCODING, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, default_scopes=["ignored"], ) def test_refresh_workforce_success_with_client_auth_without_impersonation(self): credentials = self.make_credentials( audience=WORKFORCE_AUDIENCE, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT, scopes=SCOPES, # This will be ignored in favor of client auth. workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=WORKFORCE_AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=None, basic_auth_encoding=BASIC_AUTH_ENCODING, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, workforce_pool_user_project=None, ) def test_refresh_workforce_success_with_client_auth_and_no_workforce_project(self): credentials = self.make_credentials( audience=WORKFORCE_AUDIENCE, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT, scopes=SCOPES, # This is not needed when client Auth is used. workforce_pool_user_project=None, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=WORKFORCE_AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=None, basic_auth_encoding=BASIC_AUTH_ENCODING, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, workforce_pool_user_project=None, ) def test_refresh_workforce_success_without_client_auth_without_impersonation(self): credentials = self.make_credentials( audience=WORKFORCE_AUDIENCE, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, client_id=None, client_secret=None, # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT, scopes=SCOPES, # This will not be ignored as client auth is not used. workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=WORKFORCE_AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=None, basic_auth_encoding=None, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, ) def test_refresh_workforce_success_without_client_auth_with_impersonation(self): credentials = self.make_credentials( audience=WORKFORCE_AUDIENCE, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, client_id=None, client_secret=None, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT, scopes=SCOPES, # This will not be ignored as client auth is not used. workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=WORKFORCE_AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, basic_auth_encoding=None, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT, ) def test_refresh_text_file_success_without_impersonation_use_default_scopes(self): credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT, scopes=None, # Default scopes should be used since user specified scopes are none. default_scopes=SCOPES, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=None, basic_auth_encoding=BASIC_AUTH_ENCODING, quota_project_id=None, used_scopes=SCOPES, scopes=None, default_scopes=SCOPES, ) def test_refresh_text_file_success_with_impersonation_ignore_default_scopes(self): # Initialize credentials with service account impersonation and basic auth. credentials = self.make_credentials( # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=SCOPES, # Default scopes should be ignored. default_scopes=["ignored"], ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, basic_auth_encoding=None, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, default_scopes=["ignored"], ) def test_refresh_text_file_success_with_impersonation_use_default_scopes(self): # Initialize credentials with service account impersonation, basic auth # and default scopes (no user scopes). credentials = self.make_credentials( # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=None, # Default scopes should be used since user specified scopes are none. default_scopes=SCOPES, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, basic_auth_encoding=None, quota_project_id=None, used_scopes=SCOPES, scopes=None, default_scopes=SCOPES, ) def test_refresh_json_file_success_without_impersonation(self): credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, # Test with JSON format type. credential_source=self.CREDENTIAL_SOURCE_JSON, scopes=SCOPES, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=JSON_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=None, basic_auth_encoding=BASIC_AUTH_ENCODING, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, default_scopes=None, ) def test_refresh_json_file_success_with_impersonation(self): # Initialize credentials with service account impersonation and basic auth. credentials = self.make_credentials( # Test with JSON format type. credential_source=self.CREDENTIAL_SOURCE_JSON, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=SCOPES, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=JSON_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, basic_auth_encoding=None, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, default_scopes=None, ) def test_refresh_with_retrieve_subject_token_error(self): credential_source = { "file": SUBJECT_TOKEN_JSON_FILE, "format": {"type": "json", "subject_token_field_name": "not_found"}, } credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(None) assert excinfo.match( "Unable to parse subject_token from JSON file '{}' using key '{}'".format( SUBJECT_TOKEN_JSON_FILE, "not_found" ) ) def test_retrieve_subject_token_from_url(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_TEXT_URL ) request = self.make_mock_request(token_data=TEXT_FILE_SUBJECT_TOKEN) subject_token = credentials.retrieve_subject_token(request) assert subject_token == TEXT_FILE_SUBJECT_TOKEN self.assert_credential_request_kwargs(request.call_args_list[0][1], None) def test_retrieve_subject_token_from_url_with_headers(self): credentials = self.make_credentials( credential_source={"url": self.CREDENTIAL_URL, "headers": {"foo": "bar"}} ) request = self.make_mock_request(token_data=TEXT_FILE_SUBJECT_TOKEN) subject_token = credentials.retrieve_subject_token(request) assert subject_token == TEXT_FILE_SUBJECT_TOKEN self.assert_credential_request_kwargs( request.call_args_list[0][1], {"foo": "bar"} ) def test_retrieve_subject_token_from_url_json(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON_URL ) request = self.make_mock_request(token_data=JSON_FILE_CONTENT) subject_token = credentials.retrieve_subject_token(request) assert subject_token == JSON_FILE_SUBJECT_TOKEN self.assert_credential_request_kwargs(request.call_args_list[0][1], None) def test_retrieve_subject_token_from_url_json_with_headers(self): credentials = self.make_credentials( credential_source={ "url": self.CREDENTIAL_URL, "format": {"type": "json", "subject_token_field_name": "access_token"}, "headers": {"foo": "bar"}, } ) request = self.make_mock_request(token_data=JSON_FILE_CONTENT) subject_token = credentials.retrieve_subject_token(request) assert subject_token == JSON_FILE_SUBJECT_TOKEN self.assert_credential_request_kwargs( request.call_args_list[0][1], {"foo": "bar"} ) def test_retrieve_subject_token_from_url_not_found(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_TEXT_URL ) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token( self.make_mock_request(token_status=404, token_data=JSON_FILE_CONTENT) ) assert excinfo.match("Unable to retrieve Identity Pool subject token") def test_retrieve_subject_token_from_url_json_invalid_field(self): credential_source = { "url": self.CREDENTIAL_URL, "format": {"type": "json", "subject_token_field_name": "not_found"}, } credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token( self.make_mock_request(token_data=JSON_FILE_CONTENT) ) assert excinfo.match( "Unable to parse subject_token from JSON file '{}' using key '{}'".format( self.CREDENTIAL_URL, "not_found" ) ) def test_retrieve_subject_token_from_url_json_invalid_format(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON_URL ) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(self.make_mock_request(token_data="{")) assert excinfo.match( "Unable to parse subject_token from JSON file '{}' using key '{}'".format( self.CREDENTIAL_URL, "access_token" ) ) def test_refresh_text_file_success_without_impersonation_url(self): credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT_URL, scopes=SCOPES, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=None, basic_auth_encoding=BASIC_AUTH_ENCODING, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, default_scopes=None, credential_data=TEXT_FILE_SUBJECT_TOKEN, ) def test_refresh_text_file_success_with_impersonation_url(self): # Initialize credentials with service account impersonation and basic auth. credentials = self.make_credentials( # Test with text format type. credential_source=self.CREDENTIAL_SOURCE_TEXT_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=SCOPES, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=TEXT_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, basic_auth_encoding=None, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, default_scopes=None, credential_data=TEXT_FILE_SUBJECT_TOKEN, ) def test_refresh_json_file_success_without_impersonation_url(self): credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, # Test with JSON format type. credential_source=self.CREDENTIAL_SOURCE_JSON_URL, scopes=SCOPES, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=JSON_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=None, basic_auth_encoding=BASIC_AUTH_ENCODING, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, default_scopes=None, credential_data=JSON_FILE_CONTENT, ) def test_refresh_json_file_success_with_impersonation_url(self): # Initialize credentials with service account impersonation and basic auth. credentials = self.make_credentials( # Test with JSON format type. credential_source=self.CREDENTIAL_SOURCE_JSON_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=SCOPES, ) self.assert_underlying_credentials_refresh( credentials=credentials, audience=AUDIENCE, subject_token=JSON_FILE_SUBJECT_TOKEN, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, basic_auth_encoding=None, quota_project_id=None, used_scopes=SCOPES, scopes=SCOPES, default_scopes=None, credential_data=JSON_FILE_CONTENT, ) def test_refresh_with_retrieve_subject_token_error_url(self): credential_source = { "url": self.CREDENTIAL_URL, "format": {"type": "json", "subject_token_field_name": "not_found"}, } credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(self.make_mock_request(token_data=JSON_FILE_CONTENT)) assert excinfo.match( "Unable to parse subject_token from JSON file '{}' using key '{}'".format( self.CREDENTIAL_URL, "not_found" ) ) ��test_jwt.py��0000644��00000056305�15025175543�0007001 0��ustar�00��# Copyright 2014 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import base64 import datetime import json import os import mock import pytest # type: ignore from google.auth import _helpers from google.auth import crypt from google.auth import exceptions from google.auth import jwt DATA_DIR = os.path.join(os.path.dirname(__file__), "data") with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh: PUBLIC_CERT_BYTES = fh.read() with open(os.path.join(DATA_DIR, "other_cert.pem"), "rb") as fh: OTHER_CERT_BYTES = fh.read() with open(os.path.join(DATA_DIR, "es256_privatekey.pem"), "rb") as fh: EC_PRIVATE_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "es256_public_cert.pem"), "rb") as fh: EC_PUBLIC_CERT_BYTES = fh.read() SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json") with open(SERVICE_ACCOUNT_JSON_FILE, "rb") as fh: SERVICE_ACCOUNT_INFO = json.load(fh) @pytest.fixture def signer(): return crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1") def test_encode_basic(signer): test_payload = {"test": "value"} encoded = jwt.encode(signer, test_payload) header, payload, _, _ = jwt._unverified_decode(encoded) assert payload == test_payload assert header == {"typ": "JWT", "alg": "RS256", "kid": signer.key_id} def test_encode_extra_headers(signer): encoded = jwt.encode(signer, {}, header={"extra": "value"}) header = jwt.decode_header(encoded) assert header == { "typ": "JWT", "alg": "RS256", "kid": signer.key_id, "extra": "value", } def test_encode_custom_alg_in_headers(signer): encoded = jwt.encode(signer, {}, header={"alg": "foo"}) header = jwt.decode_header(encoded) assert header == {"typ": "JWT", "alg": "foo", "kid": signer.key_id} @pytest.fixture def es256_signer(): return crypt.ES256Signer.from_string(EC_PRIVATE_KEY_BYTES, "1") def test_encode_basic_es256(es256_signer): test_payload = {"test": "value"} encoded = jwt.encode(es256_signer, test_payload) header, payload, _, _ = jwt._unverified_decode(encoded) assert payload == test_payload assert header == {"typ": "JWT", "alg": "ES256", "kid": es256_signer.key_id} @pytest.fixture def token_factory(signer, es256_signer): def factory(claims=None, key_id=None, use_es256_signer=False): now = _helpers.datetime_to_secs(_helpers.utcnow()) payload = { "aud": "audience@example.com", "iat": now, "exp": now + 300, "user": "billy bob", "metadata": {"meta": "data"}, } payload.update(claims or {}) # False is specified to remove the signer's key id for testing # headers without key ids. if key_id is False: signer._key_id = None key_id = None if use_es256_signer: return jwt.encode(es256_signer, payload, key_id=key_id) else: return jwt.encode(signer, payload, key_id=key_id) return factory def test_decode_valid(token_factory): payload = jwt.decode(token_factory(), certs=PUBLIC_CERT_BYTES) assert payload["aud"] == "audience@example.com" assert payload["user"] == "billy bob" assert payload["metadata"]["meta"] == "data" def test_decode_header_object(token_factory): payload = token_factory() # Create a malformed JWT token with a number as a header instead of a # dictionary (3 == base64d(M7==)) payload = b"M7." + b".".join(payload.split(b".")[1:]) with pytest.raises(ValueError) as excinfo: jwt.decode(payload, certs=PUBLIC_CERT_BYTES) assert excinfo.match(r"Header segment should be a JSON object: " + str(b"M7")) def test_decode_payload_object(signer): # Create a malformed JWT token with a payload containing both "iat" and # "exp" strings, although not as fields of a dictionary payload = jwt.encode(signer, "iatexp") with pytest.raises(ValueError) as excinfo: jwt.decode(payload, certs=PUBLIC_CERT_BYTES) assert excinfo.match( r"Payload segment should be a JSON object: " + str(b"ImlhdGV4cCI") ) def test_decode_valid_es256(token_factory): payload = jwt.decode( token_factory(use_es256_signer=True), certs=EC_PUBLIC_CERT_BYTES ) assert payload["aud"] == "audience@example.com" assert payload["user"] == "billy bob" assert payload["metadata"]["meta"] == "data" def test_decode_valid_with_audience(token_factory): payload = jwt.decode( token_factory(), certs=PUBLIC_CERT_BYTES, audience="audience@example.com" ) assert payload["aud"] == "audience@example.com" assert payload["user"] == "billy bob" assert payload["metadata"]["meta"] == "data" def test_decode_valid_with_audience_list(token_factory): payload = jwt.decode( token_factory(), certs=PUBLIC_CERT_BYTES, audience=["audience@example.com", "another_audience@example.com"], ) assert payload["aud"] == "audience@example.com" assert payload["user"] == "billy bob" assert payload["metadata"]["meta"] == "data" def test_decode_valid_unverified(token_factory): payload = jwt.decode(token_factory(), certs=OTHER_CERT_BYTES, verify=False) assert payload["aud"] == "audience@example.com" assert payload["user"] == "billy bob" assert payload["metadata"]["meta"] == "data" def test_decode_bad_token_wrong_number_of_segments(): with pytest.raises(ValueError) as excinfo: jwt.decode("1.2", PUBLIC_CERT_BYTES) assert excinfo.match(r"Wrong number of segments") def test_decode_bad_token_not_base64(): with pytest.raises((ValueError, TypeError)) as excinfo: jwt.decode("1.2.3", PUBLIC_CERT_BYTES) assert excinfo.match(r"Incorrect padding\|more than a multiple of 4") def test_decode_bad_token_not_json(): token = b".".join([base64.urlsafe_b64encode(b"123!")] * 3) with pytest.raises(ValueError) as excinfo: jwt.decode(token, PUBLIC_CERT_BYTES) assert excinfo.match(r"Can\'t parse segment") def test_decode_bad_token_no_iat_or_exp(signer): token = jwt.encode(signer, {"test": "value"}) with pytest.raises(ValueError) as excinfo: jwt.decode(token, PUBLIC_CERT_BYTES) assert excinfo.match(r"Token does not contain required claim") def test_decode_bad_token_too_early(token_factory): token = token_factory( claims={ "iat": _helpers.datetime_to_secs( _helpers.utcnow() + datetime.timedelta(hours=1) ) } ) with pytest.raises(ValueError) as excinfo: jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=59) assert excinfo.match(r"Token used too early") def test_decode_bad_token_expired(token_factory): token = token_factory( claims={ "exp": _helpers.datetime_to_secs( _helpers.utcnow() - datetime.timedelta(hours=1) ) } ) with pytest.raises(ValueError) as excinfo: jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=59) assert excinfo.match(r"Token expired") def test_decode_success_with_no_clock_skew(token_factory): token = token_factory( claims={ "exp": _helpers.datetime_to_secs( _helpers.utcnow() + datetime.timedelta(seconds=1) ), "iat": _helpers.datetime_to_secs( _helpers.utcnow() - datetime.timedelta(seconds=1) ), } ) jwt.decode(token, PUBLIC_CERT_BYTES) def test_decode_success_with_custom_clock_skew(token_factory): token = token_factory( claims={ "exp": _helpers.datetime_to_secs( _helpers.utcnow() + datetime.timedelta(seconds=2) ), "iat": _helpers.datetime_to_secs( _helpers.utcnow() - datetime.timedelta(seconds=2) ), } ) jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=1) def test_decode_bad_token_wrong_audience(token_factory): token = token_factory() audience = "audience2@example.com" with pytest.raises(ValueError) as excinfo: jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience) assert excinfo.match(r"Token has wrong audience") def test_decode_bad_token_wrong_audience_list(token_factory): token = token_factory() audience = ["audience2@example.com", "audience3@example.com"] with pytest.raises(ValueError) as excinfo: jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience) assert excinfo.match(r"Token has wrong audience") def test_decode_wrong_cert(token_factory): with pytest.raises(ValueError) as excinfo: jwt.decode(token_factory(), OTHER_CERT_BYTES) assert excinfo.match(r"Could not verify token signature") def test_decode_multicert_bad_cert(token_factory): certs = {"1": OTHER_CERT_BYTES, "2": PUBLIC_CERT_BYTES} with pytest.raises(ValueError) as excinfo: jwt.decode(token_factory(), certs) assert excinfo.match(r"Could not verify token signature") def test_decode_no_cert(token_factory): certs = {"2": PUBLIC_CERT_BYTES} with pytest.raises(ValueError) as excinfo: jwt.decode(token_factory(), certs) assert excinfo.match(r"Certificate for key id 1 not found") def test_decode_no_key_id(token_factory): token = token_factory(key_id=False) certs = {"2": PUBLIC_CERT_BYTES} payload = jwt.decode(token, certs) assert payload["user"] == "billy bob" def test_decode_unknown_alg(): headers = json.dumps({u"kid": u"1", u"alg": u"fakealg"}) token = b".".join( map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"]) ) with pytest.raises(ValueError) as excinfo: jwt.decode(token) assert excinfo.match(r"fakealg") def test_decode_missing_crytography_alg(monkeypatch): monkeypatch.delitem(jwt._ALGORITHM_TO_VERIFIER_CLASS, "ES256") headers = json.dumps({u"kid": u"1", u"alg": u"ES256"}) token = b".".join( map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"]) ) with pytest.raises(ValueError) as excinfo: jwt.decode(token) assert excinfo.match(r"cryptography") def test_roundtrip_explicit_key_id(token_factory): token = token_factory(key_id="3") certs = {"2": OTHER_CERT_BYTES, "3": PUBLIC_CERT_BYTES} payload = jwt.decode(token, certs) assert payload["user"] == "billy bob" class TestCredentials(object): SERVICE_ACCOUNT_EMAIL = "service-account@example.com" SUBJECT = "subject" AUDIENCE = "audience" ADDITIONAL_CLAIMS = {"meta": "data"} credentials = None @pytest.fixture(autouse=True) def credentials_fixture(self, signer): self.credentials = jwt.Credentials( signer, self.SERVICE_ACCOUNT_EMAIL, self.SERVICE_ACCOUNT_EMAIL, self.AUDIENCE, ) def test_from_service_account_info(self): with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh: info = json.load(fh) credentials = jwt.Credentials.from_service_account_info( info, audience=self.AUDIENCE ) assert credentials._signer.key_id == info["private_key_id"] assert credentials._issuer == info["client_email"] assert credentials._subject == info["client_email"] assert credentials._audience == self.AUDIENCE def test_from_service_account_info_args(self): info = SERVICE_ACCOUNT_INFO.copy() credentials = jwt.Credentials.from_service_account_info( info, subject=self.SUBJECT, audience=self.AUDIENCE, additional_claims=self.ADDITIONAL_CLAIMS, ) assert credentials._signer.key_id == info["private_key_id"] assert credentials._issuer == info["client_email"] assert credentials._subject == self.SUBJECT assert credentials._audience == self.AUDIENCE assert credentials._additional_claims == self.ADDITIONAL_CLAIMS def test_from_service_account_file(self): info = SERVICE_ACCOUNT_INFO.copy() credentials = jwt.Credentials.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE, audience=self.AUDIENCE ) assert credentials._signer.key_id == info["private_key_id"] assert credentials._issuer == info["client_email"] assert credentials._subject == info["client_email"] assert credentials._audience == self.AUDIENCE def test_from_service_account_file_args(self): info = SERVICE_ACCOUNT_INFO.copy() credentials = jwt.Credentials.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE, subject=self.SUBJECT, audience=self.AUDIENCE, additional_claims=self.ADDITIONAL_CLAIMS, ) assert credentials._signer.key_id == info["private_key_id"] assert credentials._issuer == info["client_email"] assert credentials._subject == self.SUBJECT assert credentials._audience == self.AUDIENCE assert credentials._additional_claims == self.ADDITIONAL_CLAIMS def test_from_signing_credentials(self): jwt_from_signing = self.credentials.from_signing_credentials( self.credentials, audience=mock.sentinel.new_audience ) jwt_from_info = jwt.Credentials.from_service_account_info( SERVICE_ACCOUNT_INFO, audience=mock.sentinel.new_audience ) assert isinstance(jwt_from_signing, jwt.Credentials) assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id assert jwt_from_signing._issuer == jwt_from_info._issuer assert jwt_from_signing._subject == jwt_from_info._subject assert jwt_from_signing._audience == jwt_from_info._audience def test_default_state(self): assert not self.credentials.valid # Expiration hasn't been set yet assert not self.credentials.expired def test_with_claims(self): new_audience = "new_audience" new_credentials = self.credentials.with_claims(audience=new_audience) assert new_credentials._signer == self.credentials._signer assert new_credentials._issuer == self.credentials._issuer assert new_credentials._subject == self.credentials._subject assert new_credentials._audience == new_audience assert new_credentials._additional_claims == self.credentials._additional_claims assert new_credentials._quota_project_id == self.credentials._quota_project_id def test__make_jwt_without_audience(self): cred = jwt.Credentials.from_service_account_info( SERVICE_ACCOUNT_INFO.copy(), subject=self.SUBJECT, audience=None, additional_claims={"scope": "foo bar"}, ) token, _ = cred._make_jwt() payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["scope"] == "foo bar" assert "aud" not in payload def test_with_quota_project(self): quota_project_id = "project-foo" new_credentials = self.credentials.with_quota_project(quota_project_id) assert new_credentials._signer == self.credentials._signer assert new_credentials._issuer == self.credentials._issuer assert new_credentials._subject == self.credentials._subject assert new_credentials._audience == self.credentials._audience assert new_credentials._additional_claims == self.credentials._additional_claims assert new_credentials.additional_claims == self.credentials._additional_claims assert new_credentials._quota_project_id == quota_project_id def test_sign_bytes(self): to_sign = b"123" signature = self.credentials.sign_bytes(to_sign) assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES) def test_signer(self): assert isinstance(self.credentials.signer, crypt.RSASigner) def test_signer_email(self): assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"] def _verify_token(self, token): payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL return payload def test_refresh(self): self.credentials.refresh(None) assert self.credentials.valid assert not self.credentials.expired def test_expired(self): assert not self.credentials.expired self.credentials.refresh(None) assert not self.credentials.expired with mock.patch("google.auth._helpers.utcnow") as now: one_day = datetime.timedelta(days=1) now.return_value = self.credentials.expiry + one_day assert self.credentials.expired def test_before_request(self): headers = {} self.credentials.refresh(None) self.credentials.before_request( None, "GET", "http://example.com?a=1#3", headers ) header_value = headers["authorization"] _, token = header_value.split(" ") # Since the audience is set, it should use the existing token. assert token.encode("utf-8") == self.credentials.token payload = self._verify_token(token) assert payload["aud"] == self.AUDIENCE def test_before_request_refreshes(self): assert not self.credentials.valid self.credentials.before_request(None, "GET", "http://example.com?a=1#3", {}) assert self.credentials.valid class TestOnDemandCredentials(object): SERVICE_ACCOUNT_EMAIL = "service-account@example.com" SUBJECT = "subject" ADDITIONAL_CLAIMS = {"meta": "data"} credentials = None @pytest.fixture(autouse=True) def credentials_fixture(self, signer): self.credentials = jwt.OnDemandCredentials( signer, self.SERVICE_ACCOUNT_EMAIL, self.SERVICE_ACCOUNT_EMAIL, max_cache_size=2, ) def test_from_service_account_info(self): with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh: info = json.load(fh) credentials = jwt.OnDemandCredentials.from_service_account_info(info) assert credentials._signer.key_id == info["private_key_id"] assert credentials._issuer == info["client_email"] assert credentials._subject == info["client_email"] def test_from_service_account_info_args(self): info = SERVICE_ACCOUNT_INFO.copy() credentials = jwt.OnDemandCredentials.from_service_account_info( info, subject=self.SUBJECT, additional_claims=self.ADDITIONAL_CLAIMS ) assert credentials._signer.key_id == info["private_key_id"] assert credentials._issuer == info["client_email"] assert credentials._subject == self.SUBJECT assert credentials._additional_claims == self.ADDITIONAL_CLAIMS def test_from_service_account_file(self): info = SERVICE_ACCOUNT_INFO.copy() credentials = jwt.OnDemandCredentials.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE ) assert credentials._signer.key_id == info["private_key_id"] assert credentials._issuer == info["client_email"] assert credentials._subject == info["client_email"] def test_from_service_account_file_args(self): info = SERVICE_ACCOUNT_INFO.copy() credentials = jwt.OnDemandCredentials.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE, subject=self.SUBJECT, additional_claims=self.ADDITIONAL_CLAIMS, ) assert credentials._signer.key_id == info["private_key_id"] assert credentials._issuer == info["client_email"] assert credentials._subject == self.SUBJECT assert credentials._additional_claims == self.ADDITIONAL_CLAIMS def test_from_signing_credentials(self): jwt_from_signing = self.credentials.from_signing_credentials(self.credentials) jwt_from_info = jwt.OnDemandCredentials.from_service_account_info( SERVICE_ACCOUNT_INFO ) assert isinstance(jwt_from_signing, jwt.OnDemandCredentials) assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id assert jwt_from_signing._issuer == jwt_from_info._issuer assert jwt_from_signing._subject == jwt_from_info._subject def test_default_state(self): # Credentials are always valid. assert self.credentials.valid # Credentials never expire. assert not self.credentials.expired def test_with_claims(self): new_claims = {"meep": "moop"} new_credentials = self.credentials.with_claims(additional_claims=new_claims) assert new_credentials._signer == self.credentials._signer assert new_credentials._issuer == self.credentials._issuer assert new_credentials._subject == self.credentials._subject assert new_credentials._additional_claims == new_claims def test_with_quota_project(self): quota_project_id = "project-foo" new_credentials = self.credentials.with_quota_project(quota_project_id) assert new_credentials._signer == self.credentials._signer assert new_credentials._issuer == self.credentials._issuer assert new_credentials._subject == self.credentials._subject assert new_credentials._additional_claims == self.credentials._additional_claims assert new_credentials._quota_project_id == quota_project_id def test_sign_bytes(self): to_sign = b"123" signature = self.credentials.sign_bytes(to_sign) assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES) def test_signer(self): assert isinstance(self.credentials.signer, crypt.RSASigner) def test_signer_email(self): assert self.credentials.signer_email == SERVICE_ACCOUNT_INFO["client_email"] def _verify_token(self, token): payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL return payload def test_refresh(self): with pytest.raises(exceptions.RefreshError): self.credentials.refresh(None) def test_before_request(self): headers = {} self.credentials.before_request( None, "GET", "http://example.com?a=1#3", headers ) _, token = headers["authorization"].split(" ") payload = self._verify_token(token) assert payload["aud"] == "http://example.com" # Making another request should re-use the same token. self.credentials.before_request(None, "GET", "http://example.com?b=2", headers) _, new_token = headers["authorization"].split(" ") assert new_token == token def test_expired_token(self): self.credentials._cache["audience"] = ( mock.sentinel.token, datetime.datetime.min, ) token = self.credentials._get_jwt_for_audience("audience") assert token != mock.sentinel.token ��test_external_account.py��0000644��00000231020�15025175543�0011520 0��ustar�00��# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import http.client as http_client import json import urllib import mock import pytest # type: ignore from google.auth import _helpers from google.auth import exceptions from google.auth import external_account from google.auth import transport IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/imp" ) LANG_LIBRARY_METRICS_HEADER_VALUE = "gl-python/3.7 auth/1.1" CLIENT_ID = "username" CLIENT_SECRET = "password" # Base64 encoding of "username:password" BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ=" SERVICE_ACCOUNT_EMAIL = "service-1234@service-name.iam.gserviceaccount.com" # List of valid workforce pool audiences. TEST_USER_AUDIENCES = [ "//iam.googleapis.com/locations/global/workforcePools/pool-id/providers/provider-id", "//iam.googleapis.com/locations/eu/workforcePools/pool-id/providers/provider-id", "//iam.googleapis.com/locations/eu/workforcePools/workloadIdentityPools/providers/provider-id", ] # Workload identity pool audiences or invalid workforce pool audiences. TEST_NON_USER_AUDIENCES = [ # Legacy K8s audience format. "identitynamespace:1f12345:my_provider", ( "//iam.googleapis.com/projects/123456/locations/" "global/workloadIdentityPools/pool-id/providers/" "provider-id" ), ( "//iam.googleapis.com/projects/123456/locations/" "eu/workloadIdentityPools/pool-id/providers/" "provider-id" ), # Pool ID with workforcePools string. ( "//iam.googleapis.com/projects/123456/locations/" "global/workloadIdentityPools/workforcePools/providers/" "provider-id" ), # Unrealistic / incorrect workforce pool audiences. "//iamgoogleapis.com/locations/eu/workforcePools/pool-id/providers/provider-id", "//iam.googleapiscom/locations/eu/workforcePools/pool-id/providers/provider-id", "//iam.googleapis.com/locations/workforcePools/pool-id/providers/provider-id", "//iam.googleapis.com/locations/eu/workforcePool/pool-id/providers/provider-id", "//iam.googleapis.com/locations//workforcePool/pool-id/providers/provider-id", ] class CredentialsImpl(external_account.Credentials): def __init__(self, kwargs): super(CredentialsImpl, self).__init__(kwargs) self._counter = 0 def retrieve_subject_token(self, request): counter = self._counter self._counter += 1 return "subject_token_{}".format(counter) class TestCredentials(object): TOKEN_URL = "https://sts.googleapis.com/v1/token" TOKEN_INFO_URL = "https://sts.googleapis.com/v1/introspect" PROJECT_NUMBER = "123456" POOL_ID = "POOL_ID" PROVIDER_ID = "PROVIDER_ID" AUDIENCE = ( "//iam.googleapis.com/projects/{}" "/locations/global/workloadIdentityPools/{}" "/providers/{}" ).format(PROJECT_NUMBER, POOL_ID, PROVIDER_ID) WORKFORCE_AUDIENCE = ( "//iam.googleapis.com/locations/global/workforcePools/{}/providers/{}" ).format(POOL_ID, PROVIDER_ID) WORKFORCE_POOL_USER_PROJECT = "WORKFORCE_POOL_USER_PROJECT_NUMBER" SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt" WORKFORCE_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token" CREDENTIAL_SOURCE = {"file": "/var/run/secrets/goog.id/token"} SUCCESS_RESPONSE = { "access_token": "ACCESS_TOKEN", "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 3600, "scope": "scope1 scope2", } ERROR_RESPONSE = { "error": "invalid_request", "error_description": "Invalid subject token", "error_uri": "https://tools.ietf.org/html/rfc6749", } QUOTA_PROJECT_ID = "QUOTA_PROJECT_ID" SERVICE_ACCOUNT_IMPERSONATION_URL = ( "https://us-east1-iamcredentials.googleapis.com/v1/projects/-" + "/serviceAccounts/{}:generateAccessToken".format(SERVICE_ACCOUNT_EMAIL) ) SCOPES = ["scope1", "scope2"] IMPERSONATION_ERROR_RESPONSE = { "error": { "code": 400, "message": "Request contains an invalid argument", "status": "INVALID_ARGUMENT", } } PROJECT_ID = "my-proj-id" CLOUD_RESOURCE_MANAGER_URL = ( "https://cloudresourcemanager.googleapis.com/v1/projects/" ) CLOUD_RESOURCE_MANAGER_SUCCESS_RESPONSE = { "projectNumber": PROJECT_NUMBER, "projectId": PROJECT_ID, "lifecycleState": "ACTIVE", "name": "project-name", "createTime": "2018-11-06T04:42:54.109Z", "parent": {"type": "folder", "id": "12345678901"}, } @classmethod def make_credentials( cls, client_id=None, client_secret=None, quota_project_id=None, token_info_url=None, scopes=None, default_scopes=None, service_account_impersonation_url=None, service_account_impersonation_options={}, universe_domain=external_account._DEFAULT_UNIVERSE_DOMAIN, ): return CredentialsImpl( audience=cls.AUDIENCE, subject_token_type=cls.SUBJECT_TOKEN_TYPE, token_url=cls.TOKEN_URL, token_info_url=token_info_url, service_account_impersonation_url=service_account_impersonation_url, service_account_impersonation_options=service_account_impersonation_options, credential_source=cls.CREDENTIAL_SOURCE, client_id=client_id, client_secret=client_secret, quota_project_id=quota_project_id, scopes=scopes, default_scopes=default_scopes, universe_domain=universe_domain, ) @classmethod def make_workforce_pool_credentials( cls, client_id=None, client_secret=None, quota_project_id=None, scopes=None, default_scopes=None, service_account_impersonation_url=None, workforce_pool_user_project=None, ): return CredentialsImpl( audience=cls.WORKFORCE_AUDIENCE, subject_token_type=cls.WORKFORCE_SUBJECT_TOKEN_TYPE, token_url=cls.TOKEN_URL, service_account_impersonation_url=service_account_impersonation_url, credential_source=cls.CREDENTIAL_SOURCE, client_id=client_id, client_secret=client_secret, quota_project_id=quota_project_id, scopes=scopes, default_scopes=default_scopes, workforce_pool_user_project=workforce_pool_user_project, ) @classmethod def make_mock_request( cls, status=http_client.OK, data=None, impersonation_status=None, impersonation_data=None, cloud_resource_manager_status=None, cloud_resource_manager_data=None, ): # STS token exchange request. token_response = mock.create_autospec(transport.Response, instance=True) token_response.status = status token_response.data = json.dumps(data).encode("utf-8") responses = [token_response] # If service account impersonation is requested, mock the expected response. if impersonation_status: impersonation_response = mock.create_autospec( transport.Response, instance=True ) impersonation_response.status = impersonation_status impersonation_response.data = json.dumps(impersonation_data).encode("utf-8") responses.append(impersonation_response) # If cloud resource manager is requested, mock the expected response. if cloud_resource_manager_status: cloud_resource_manager_response = mock.create_autospec( transport.Response, instance=True ) cloud_resource_manager_response.status = cloud_resource_manager_status cloud_resource_manager_response.data = json.dumps( cloud_resource_manager_data ).encode("utf-8") responses.append(cloud_resource_manager_response) request = mock.create_autospec(transport.Request) request.side_effect = responses return request @classmethod def assert_token_request_kwargs(cls, request_kwargs, headers, request_data): assert request_kwargs["url"] == cls.TOKEN_URL assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None body_tuples = urllib.parse.parse_qsl(request_kwargs["body"]) for (k, v) in body_tuples: assert v.decode("utf-8") == request_data[k.decode("utf-8")] assert len(body_tuples) == len(request_data.keys()) @classmethod def assert_impersonation_request_kwargs(cls, request_kwargs, headers, request_data): assert request_kwargs["url"] == cls.SERVICE_ACCOUNT_IMPERSONATION_URL assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None body_json = json.loads(request_kwargs["body"].decode("utf-8")) assert body_json == request_data @classmethod def assert_resource_manager_request_kwargs( cls, request_kwargs, project_number, headers ): assert request_kwargs["url"] == cls.CLOUD_RESOURCE_MANAGER_URL + project_number assert request_kwargs["method"] == "GET" assert request_kwargs["headers"] == headers assert "body" not in request_kwargs def test_default_state(self): credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL ) # Token url and service account impersonation url should be set assert credentials._token_url assert credentials._service_account_impersonation_url # Not token acquired yet assert not credentials.token assert not credentials.valid # Expiration hasn't been set yet assert not credentials.expiry assert not credentials.expired # Scopes are required assert not credentials.scopes assert credentials.requires_scopes assert not credentials.quota_project_id # Token info url not set yet assert not credentials.token_info_url def test_nonworkforce_with_workforce_pool_user_project(self): with pytest.raises(ValueError) as excinfo: CredentialsImpl( audience=self.AUDIENCE, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT, ) assert excinfo.match( "workforce_pool_user_project should not be set for non-workforce " "pool credentials" ) def test_with_scopes(self): credentials = self.make_credentials() assert not credentials.scopes assert credentials.requires_scopes scoped_credentials = credentials.with_scopes(["email"]) assert scoped_credentials.has_scopes(["email"]) assert not scoped_credentials.requires_scopes def test_with_scopes_workforce_pool(self): credentials = self.make_workforce_pool_credentials( workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT ) assert not credentials.scopes assert credentials.requires_scopes scoped_credentials = credentials.with_scopes(["email"]) assert scoped_credentials.has_scopes(["email"]) assert not scoped_credentials.requires_scopes assert ( scoped_credentials.info.get("workforce_pool_user_project") == self.WORKFORCE_POOL_USER_PROJECT ) def test_with_scopes_using_user_and_default_scopes(self): credentials = self.make_credentials() assert not credentials.scopes assert credentials.requires_scopes scoped_credentials = credentials.with_scopes( ["email"], default_scopes=["profile"] ) assert scoped_credentials.has_scopes(["email"]) assert not scoped_credentials.has_scopes(["profile"]) assert not scoped_credentials.requires_scopes assert scoped_credentials.scopes == ["email"] assert scoped_credentials.default_scopes == ["profile"] def test_with_scopes_using_default_scopes_only(self): credentials = self.make_credentials() assert not credentials.scopes assert credentials.requires_scopes scoped_credentials = credentials.with_scopes(None, default_scopes=["profile"]) assert scoped_credentials.has_scopes(["profile"]) assert not scoped_credentials.requires_scopes def test_with_scopes_full_options_propagated(self): credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, quota_project_id=self.QUOTA_PROJECT_ID, scopes=self.SCOPES, token_info_url=self.TOKEN_INFO_URL, default_scopes=["default1"], service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, ) with mock.patch.object( external_account.Credentials, "__init__", return_value=None ) as mock_init: credentials.with_scopes(["email"], ["default2"]) # Confirm with_scopes initialized the credential with the expected # parameters and scopes. mock_init.assert_called_once_with( audience=self.AUDIENCE, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, token_info_url=self.TOKEN_INFO_URL, credential_source=self.CREDENTIAL_SOURCE, service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, quota_project_id=self.QUOTA_PROJECT_ID, scopes=["email"], default_scopes=["default2"], universe_domain=external_account._DEFAULT_UNIVERSE_DOMAIN, ) def test_with_token_uri(self): credentials = self.make_credentials() new_token_uri = "https://eu-sts.googleapis.com/v1/token" assert credentials._token_url == self.TOKEN_URL creds_with_new_token_uri = credentials.with_token_uri(new_token_uri) assert creds_with_new_token_uri._token_url == new_token_uri def test_with_token_uri_workforce_pool(self): credentials = self.make_workforce_pool_credentials( workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT ) new_token_uri = "https://eu-sts.googleapis.com/v1/token" assert credentials._token_url == self.TOKEN_URL creds_with_new_token_uri = credentials.with_token_uri(new_token_uri) assert creds_with_new_token_uri._token_url == new_token_uri assert ( creds_with_new_token_uri.info.get("workforce_pool_user_project") == self.WORKFORCE_POOL_USER_PROJECT ) def test_with_quota_project(self): credentials = self.make_credentials() assert not credentials.scopes assert not credentials.quota_project_id quota_project_creds = credentials.with_quota_project("project-foo") assert quota_project_creds.quota_project_id == "project-foo" def test_with_quota_project_workforce_pool(self): credentials = self.make_workforce_pool_credentials( workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT ) assert not credentials.scopes assert not credentials.quota_project_id quota_project_creds = credentials.with_quota_project("project-foo") assert quota_project_creds.quota_project_id == "project-foo" assert ( quota_project_creds.info.get("workforce_pool_user_project") == self.WORKFORCE_POOL_USER_PROJECT ) def test_with_quota_project_full_options_propagated(self): credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, token_info_url=self.TOKEN_INFO_URL, quota_project_id=self.QUOTA_PROJECT_ID, scopes=self.SCOPES, default_scopes=["default1"], service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, ) with mock.patch.object( external_account.Credentials, "__init__", return_value=None ) as mock_init: credentials.with_quota_project("project-foo") # Confirm with_quota_project initialized the credential with the # expected parameters and quota project ID. mock_init.assert_called_once_with( audience=self.AUDIENCE, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, token_info_url=self.TOKEN_INFO_URL, credential_source=self.CREDENTIAL_SOURCE, service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, quota_project_id="project-foo", scopes=self.SCOPES, default_scopes=["default1"], universe_domain=external_account._DEFAULT_UNIVERSE_DOMAIN, ) def test_with_invalid_impersonation_target_principal(self): invalid_url = "https://iamcredentials.googleapis.com/v1/invalid" with pytest.raises(exceptions.RefreshError) as excinfo: self.make_credentials(service_account_impersonation_url=invalid_url) assert excinfo.match( r"Unable to determine target principal from service account impersonation URL." ) def test_info(self): credentials = self.make_credentials(universe_domain="dummy_universe.com") assert credentials.info == { "type": "external_account", "audience": self.AUDIENCE, "subject_token_type": self.SUBJECT_TOKEN_TYPE, "token_url": self.TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE.copy(), "universe_domain": "dummy_universe.com", } def test_universe_domain(self): credentials = self.make_credentials(universe_domain="dummy_universe.com") assert credentials.universe_domain == "dummy_universe.com" credentials = self.make_credentials() assert credentials.universe_domain == external_account._DEFAULT_UNIVERSE_DOMAIN def test_info_workforce_pool(self): credentials = self.make_workforce_pool_credentials( workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT ) assert credentials.info == { "type": "external_account", "audience": self.WORKFORCE_AUDIENCE, "subject_token_type": self.WORKFORCE_SUBJECT_TOKEN_TYPE, "token_url": self.TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE.copy(), "workforce_pool_user_project": self.WORKFORCE_POOL_USER_PROJECT, "universe_domain": external_account._DEFAULT_UNIVERSE_DOMAIN, } def test_info_with_full_options(self): credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, quota_project_id=self.QUOTA_PROJECT_ID, token_info_url=self.TOKEN_INFO_URL, service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, ) assert credentials.info == { "type": "external_account", "audience": self.AUDIENCE, "subject_token_type": self.SUBJECT_TOKEN_TYPE, "token_url": self.TOKEN_URL, "token_info_url": self.TOKEN_INFO_URL, "service_account_impersonation_url": self.SERVICE_ACCOUNT_IMPERSONATION_URL, "service_account_impersonation": {"token_lifetime_seconds": 2800}, "credential_source": self.CREDENTIAL_SOURCE.copy(), "quota_project_id": self.QUOTA_PROJECT_ID, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "universe_domain": external_account._DEFAULT_UNIVERSE_DOMAIN, } def test_service_account_email_without_impersonation(self): credentials = self.make_credentials() assert credentials.service_account_email is None def test_service_account_email_with_impersonation(self): credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL ) assert credentials.service_account_email == SERVICE_ACCOUNT_EMAIL @pytest.mark.parametrize("audience", TEST_NON_USER_AUDIENCES) def test_is_user_with_non_users(self, audience): credentials = CredentialsImpl( audience=audience, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, ) assert credentials.is_user is False @pytest.mark.parametrize("audience", TEST_USER_AUDIENCES) def test_is_user_with_users(self, audience): credentials = CredentialsImpl( audience=audience, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, ) assert credentials.is_user is True @pytest.mark.parametrize("audience", TEST_USER_AUDIENCES) def test_is_user_with_users_and_impersonation(self, audience): # Initialize the credentials with service account impersonation. credentials = CredentialsImpl( audience=audience, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, ) # Even though the audience is for a workforce pool, since service account # impersonation is used, the credentials will represent a service account and # not a user. assert credentials.is_user is False @pytest.mark.parametrize("audience", TEST_NON_USER_AUDIENCES) def test_is_workforce_pool_with_non_users(self, audience): credentials = CredentialsImpl( audience=audience, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, ) assert credentials.is_workforce_pool is False @pytest.mark.parametrize("audience", TEST_USER_AUDIENCES) def test_is_workforce_pool_with_users(self, audience): credentials = CredentialsImpl( audience=audience, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, ) assert credentials.is_workforce_pool is True @pytest.mark.parametrize("audience", TEST_USER_AUDIENCES) def test_is_workforce_pool_with_users_and_impersonation(self, audience): # Initialize the credentials with workforce audience and service account # impersonation. credentials = CredentialsImpl( audience=audience, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, ) # Even though impersonation is used, is_workforce_pool should still return True. assert credentials.is_workforce_pool is True @pytest.mark.parametrize("mock_expires_in", [2800, "2800"]) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_without_client_auth_success( self, unused_utcnow, mock_auth_lib_value, mock_expires_in ): response = self.SUCCESS_RESPONSE.copy() # Test custom expiration to confirm expiry is set correctly. response["expires_in"] = mock_expires_in expected_expiry = datetime.datetime.min + datetime.timedelta( seconds=int(mock_expires_in) ) headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false", } request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, } request = self.make_mock_request(status=http_client.OK, data=response) credentials = self.make_credentials() credentials.refresh(request) self.assert_token_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == response["access_token"] @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_workforce_without_client_auth_success( self, unused_utcnow, test_auth_lib_value ): response = self.SUCCESS_RESPONSE.copy() # Test custom expiration to confirm expiry is set correctly. response["expires_in"] = 2800 expected_expiry = datetime.datetime.min + datetime.timedelta( seconds=response["expires_in"] ) headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false", } request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.WORKFORCE_AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.WORKFORCE_SUBJECT_TOKEN_TYPE, "options": urllib.parse.quote( json.dumps({"userProject": self.WORKFORCE_POOL_USER_PROJECT}) ), } request = self.make_mock_request(status=http_client.OK, data=response) credentials = self.make_workforce_pool_credentials( workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT ) credentials.refresh(request) self.assert_token_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == response["access_token"] @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_workforce_with_client_auth_success( self, unused_utcnow, mock_auth_lib_value ): response = self.SUCCESS_RESPONSE.copy() # Test custom expiration to confirm expiry is set correctly. response["expires_in"] = 2800 expected_expiry = datetime.datetime.min + datetime.timedelta( seconds=response["expires_in"] ) headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic {}".format(BASIC_AUTH_ENCODING), "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false", } request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.WORKFORCE_AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.WORKFORCE_SUBJECT_TOKEN_TYPE, } request = self.make_mock_request(status=http_client.OK, data=response) # Client Auth will have higher priority over workforce_pool_user_project. credentials = self.make_workforce_pool_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT, ) credentials.refresh(request) self.assert_token_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == response["access_token"] @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_workforce_with_client_auth_and_no_workforce_project_success( self, unused_utcnow, mock_lib_version_value ): response = self.SUCCESS_RESPONSE.copy() # Test custom expiration to confirm expiry is set correctly. response["expires_in"] = 2800 expected_expiry = datetime.datetime.min + datetime.timedelta( seconds=response["expires_in"] ) headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic {}".format(BASIC_AUTH_ENCODING), "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false", } request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.WORKFORCE_AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.WORKFORCE_SUBJECT_TOKEN_TYPE, } request = self.make_mock_request(status=http_client.OK, data=response) # Client Auth will be sufficient for user project determination. credentials = self.make_workforce_pool_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, workforce_pool_user_project=None, ) credentials.refresh(request) self.assert_token_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == response["access_token"] @mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_refresh_impersonation_without_client_auth_success( self, mock_metrics_header_value, mock_auth_lib_value ): # Simulate service account access token expires in 2800 seconds. expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=2800) ).isoformat("T") + "Z" expected_expiry = datetime.datetime.strptime(expire_time, "%Y-%m-%dT%H:%M:%SZ") # STS token exchange request/response. token_response = self.SUCCESS_RESPONSE.copy() token_headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/true config-lifetime/false", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, "scope": "https://www.googleapis.com/auth/iam", } # Service account impersonation request/response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "authorization": "Bearer {}".format(token_response["access_token"]), "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": self.SCOPES, "lifetime": "3600s", } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=token_response, impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) # Initialize credentials with service account impersonation. credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=self.SCOPES, ) credentials.refresh(request) # Only 2 requests should be processed. assert len(request.call_args_list) == 2 # Verify token exchange request parameters. self.assert_token_request_kwargs( request.call_args_list[0][1], token_headers, token_request_data ) # Verify service account impersonation request parameters. self.assert_impersonation_request_kwargs( request.call_args_list[1][1], impersonation_headers, impersonation_request_data, ) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == impersonation_response["accessToken"] @mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_refresh_workforce_impersonation_without_client_auth_success( self, mock_metrics_header_value, mock_auth_lib_value ): # Simulate service account access token expires in 2800 seconds. expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=2800) ).isoformat("T") + "Z" expected_expiry = datetime.datetime.strptime(expire_time, "%Y-%m-%dT%H:%M:%SZ") # STS token exchange request/response. token_response = self.SUCCESS_RESPONSE.copy() token_headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/true config-lifetime/false", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.WORKFORCE_AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.WORKFORCE_SUBJECT_TOKEN_TYPE, "scope": "https://www.googleapis.com/auth/iam", "options": urllib.parse.quote( json.dumps({"userProject": self.WORKFORCE_POOL_USER_PROJECT}) ), } # Service account impersonation request/response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "authorization": "Bearer {}".format(token_response["access_token"]), "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": self.SCOPES, "lifetime": "3600s", } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=token_response, impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) # Initialize credentials with service account impersonation. credentials = self.make_workforce_pool_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=self.SCOPES, workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT, ) credentials.refresh(request) # Only 2 requests should be processed. assert len(request.call_args_list) == 2 # Verify token exchange request parameters. self.assert_token_request_kwargs( request.call_args_list[0][1], token_headers, token_request_data ) # Verify service account impersonation request parameters. self.assert_impersonation_request_kwargs( request.call_args_list[1][1], impersonation_headers, impersonation_request_data, ) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == impersonation_response["accessToken"] @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_refresh_without_client_auth_success_explicit_user_scopes_ignore_default_scopes( self, mock_auth_lib_value ): headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false", } request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "scope": "scope1 scope2", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_credentials( scopes=["scope1", "scope2"], # Default scopes will be ignored in favor of user scopes. default_scopes=["ignored"], ) credentials.refresh(request) self.assert_token_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert not credentials.expired assert credentials.token == self.SUCCESS_RESPONSE["access_token"] assert credentials.has_scopes(["scope1", "scope2"]) assert not credentials.has_scopes(["ignored"]) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_refresh_without_client_auth_success_explicit_default_scopes_only( self, mock_auth_lib_value ): headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false", } request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "scope": "scope1 scope2", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_credentials( scopes=None, # Default scopes will be used since user scopes are none. default_scopes=["scope1", "scope2"], ) credentials.refresh(request) self.assert_token_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert not credentials.expired assert credentials.token == self.SUCCESS_RESPONSE["access_token"] assert credentials.has_scopes(["scope1", "scope2"]) def test_refresh_without_client_auth_error(self): request = self.make_mock_request( status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE ) credentials = self.make_credentials() with pytest.raises(exceptions.OAuthError) as excinfo: credentials.refresh(request) assert excinfo.match( r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749" ) assert not credentials.expired assert credentials.token is None def test_refresh_impersonation_without_client_auth_error(self): request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE, impersonation_status=http_client.BAD_REQUEST, impersonation_data=self.IMPERSONATION_ERROR_RESPONSE, ) credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=self.SCOPES, ) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(request) assert excinfo.match(r"Unable to acquire impersonated credentials") assert not credentials.expired assert credentials.token is None @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_refresh_with_client_auth_success(self, mock_auth_lib_value): headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic {}".format(BASIC_AUTH_ENCODING), "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false", } request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET ) credentials.refresh(request) self.assert_token_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert not credentials.expired assert credentials.token == self.SUCCESS_RESPONSE["access_token"] @mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_refresh_impersonation_with_client_auth_success_ignore_default_scopes( self, mock_metrics_header_value, mock_auth_lib_value ): # Simulate service account access token expires in 2800 seconds. expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=2800) ).isoformat("T") + "Z" expected_expiry = datetime.datetime.strptime(expire_time, "%Y-%m-%dT%H:%M:%SZ") # STS token exchange request/response. token_response = self.SUCCESS_RESPONSE.copy() token_headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic {}".format(BASIC_AUTH_ENCODING), "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/true config-lifetime/false", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, "scope": "https://www.googleapis.com/auth/iam", } # Service account impersonation request/response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "authorization": "Bearer {}".format(token_response["access_token"]), "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": self.SCOPES, "lifetime": "3600s", } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=token_response, impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) # Initialize credentials with service account impersonation and basic auth. credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=self.SCOPES, # Default scopes will be ignored since user scopes are specified. default_scopes=["ignored"], ) credentials.refresh(request) # Only 2 requests should be processed. assert len(request.call_args_list) == 2 # Verify token exchange request parameters. self.assert_token_request_kwargs( request.call_args_list[0][1], token_headers, token_request_data ) # Verify service account impersonation request parameters. self.assert_impersonation_request_kwargs( request.call_args_list[1][1], impersonation_headers, impersonation_request_data, ) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == impersonation_response["accessToken"] @mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_refresh_impersonation_with_client_auth_success_use_default_scopes( self, mock_metrics_header_value, mock_auth_lib_value ): # Simulate service account access token expires in 2800 seconds. expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=2800) ).isoformat("T") + "Z" expected_expiry = datetime.datetime.strptime(expire_time, "%Y-%m-%dT%H:%M:%SZ") # STS token exchange request/response. token_response = self.SUCCESS_RESPONSE.copy() token_headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic {}".format(BASIC_AUTH_ENCODING), "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/true config-lifetime/false", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, "scope": "https://www.googleapis.com/auth/iam", } # Service account impersonation request/response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "authorization": "Bearer {}".format(token_response["access_token"]), "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": self.SCOPES, "lifetime": "3600s", } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=token_response, impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) # Initialize credentials with service account impersonation and basic auth. credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=None, # Default scopes will be used since user specified scopes are none. default_scopes=self.SCOPES, ) credentials.refresh(request) # Only 2 requests should be processed. assert len(request.call_args_list) == 2 # Verify token exchange request parameters. self.assert_token_request_kwargs( request.call_args_list[0][1], token_headers, token_request_data ) # Verify service account impersonation request parameters. self.assert_impersonation_request_kwargs( request.call_args_list[1][1], impersonation_headers, impersonation_request_data, ) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == impersonation_response["accessToken"] def test_apply_without_quota_project_id(self): headers = {} request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_credentials() credentials.refresh(request) credentials.apply(headers) assert headers == { "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-allowed-locations": "0x0", } def test_apply_workforce_without_quota_project_id(self): headers = {} request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_workforce_pool_credentials( workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT ) credentials.refresh(request) credentials.apply(headers) assert headers == { "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-allowed-locations": "0x0", } def test_apply_impersonation_without_quota_project_id(self): expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=3600) ).isoformat("T") + "Z" # Service account impersonation response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE.copy(), impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) # Initialize credentials with service account impersonation. credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=self.SCOPES, ) headers = {} credentials.refresh(request) credentials.apply(headers) assert headers == { "authorization": "Bearer {}".format(impersonation_response["accessToken"]), "x-allowed-locations": "0x0", } def test_apply_with_quota_project_id(self): headers = {"other": "header-value"} request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_credentials(quota_project_id=self.QUOTA_PROJECT_ID) credentials.refresh(request) credentials.apply(headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-goog-user-project": self.QUOTA_PROJECT_ID, "x-allowed-locations": "0x0", } def test_apply_impersonation_with_quota_project_id(self): expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=3600) ).isoformat("T") + "Z" # Service account impersonation response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE.copy(), impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) # Initialize credentials with service account impersonation. credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=self.SCOPES, quota_project_id=self.QUOTA_PROJECT_ID, ) headers = {"other": "header-value"} credentials.refresh(request) credentials.apply(headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(impersonation_response["accessToken"]), "x-goog-user-project": self.QUOTA_PROJECT_ID, "x-allowed-locations": "0x0", } def test_before_request(self): headers = {"other": "header-value"} request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_credentials() # First call should call refresh, setting the token. credentials.before_request(request, "POST", "https://example.com/api", headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-allowed-locations": "0x0", } # Second call shouldn't call refresh. credentials.before_request(request, "POST", "https://example.com/api", headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-allowed-locations": "0x0", } def test_before_request_workforce(self): headers = {"other": "header-value"} request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_workforce_pool_credentials( workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT ) # First call should call refresh, setting the token. credentials.before_request(request, "POST", "https://example.com/api", headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-allowed-locations": "0x0", } # Second call shouldn't call refresh. credentials.before_request(request, "POST", "https://example.com/api", headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-allowed-locations": "0x0", } def test_before_request_impersonation(self): expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=3600) ).isoformat("T") + "Z" # Service account impersonation response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE.copy(), impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) headers = {"other": "header-value"} credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL ) # First call should call refresh, setting the token. credentials.before_request(request, "POST", "https://example.com/api", headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(impersonation_response["accessToken"]), "x-allowed-locations": "0x0", } # Second call shouldn't call refresh. credentials.before_request(request, "POST", "https://example.com/api", headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(impersonation_response["accessToken"]), "x-allowed-locations": "0x0", } @mock.patch("google.auth._helpers.utcnow") def test_before_request_expired(self, utcnow): headers = {} request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) credentials = self.make_credentials() credentials.token = "token" utcnow.return_value = datetime.datetime.min # Set the expiration to one second more than now plus the clock skew # accomodation. These credentials should be valid. credentials.expiry = ( datetime.datetime.min + _helpers.REFRESH_THRESHOLD + datetime.timedelta(seconds=1) ) assert credentials.valid assert not credentials.expired credentials.before_request(request, "POST", "https://example.com/api", headers) # Cached token should be used. assert headers == { "authorization": "Bearer token", "x-allowed-locations": "0x0", } # Next call should simulate 1 second passed. utcnow.return_value = datetime.datetime.min + datetime.timedelta(seconds=1) assert not credentials.valid assert credentials.expired credentials.before_request(request, "POST", "https://example.com/api", headers) # New token should be retrieved. assert headers == { "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-allowed-locations": "0x0", } @mock.patch("google.auth._helpers.utcnow") def test_before_request_impersonation_expired(self, utcnow): headers = {} expire_time = ( datetime.datetime.min + datetime.timedelta(seconds=3601) ).isoformat("T") + "Z" # Service account impersonation response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE.copy(), impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL ) credentials.token = "token" utcnow.return_value = datetime.datetime.min # Set the expiration to one second more than now plus the clock skew # accomodation. These credentials should be valid. credentials.expiry = ( datetime.datetime.min + _helpers.REFRESH_THRESHOLD + datetime.timedelta(seconds=1) ) assert credentials.valid assert not credentials.expired credentials.before_request(request, "POST", "https://example.com/api", headers) # Cached token should be used. assert headers == { "authorization": "Bearer token", "x-allowed-locations": "0x0", } # Next call should simulate 1 second passed. This will trigger the expiration # threshold. utcnow.return_value = datetime.datetime.min + datetime.timedelta(seconds=1) assert not credentials.valid assert credentials.expired credentials.before_request(request, "POST", "https://example.com/api", headers) # New token should be retrieved. assert headers == { "authorization": "Bearer {}".format(impersonation_response["accessToken"]), "x-allowed-locations": "0x0", } @pytest.mark.parametrize( "audience", [ # Legacy K8s audience format. "identitynamespace:1f12345:my_provider", # Unrealistic audiences. "//iam.googleapis.com/projects", "//iam.googleapis.com/projects/", "//iam.googleapis.com/project/123456", "//iam.googleapis.com/projects//123456", "//iam.googleapis.com/prefix_projects/123456", "//iam.googleapis.com/projects_suffix/123456", ], ) def test_project_number_indeterminable(self, audience): credentials = CredentialsImpl( audience=audience, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, ) assert credentials.project_number is None assert credentials.get_project_id(None) is None def test_project_number_determinable(self): credentials = CredentialsImpl( audience=self.AUDIENCE, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, ) assert credentials.project_number == self.PROJECT_NUMBER def test_project_number_workforce(self): credentials = CredentialsImpl( audience=self.WORKFORCE_AUDIENCE, subject_token_type=self.WORKFORCE_SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT, ) assert credentials.project_number is None def test_project_id_without_scopes(self): # Initialize credentials with no scopes. credentials = CredentialsImpl( audience=self.AUDIENCE, subject_token_type=self.SUBJECT_TOKEN_TYPE, token_url=self.TOKEN_URL, credential_source=self.CREDENTIAL_SOURCE, ) assert credentials.get_project_id(None) is None @mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_get_project_id_cloud_resource_manager_success( self, mock_metrics_header_value, mock_auth_lib_value ): # STS token exchange request/response. token_response = self.SUCCESS_RESPONSE.copy() token_headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/true config-lifetime/false", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, "scope": "https://www.googleapis.com/auth/iam", } # Service account impersonation request/response. expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=3600) ).isoformat("T") + "Z" expected_expiry = datetime.datetime.strptime(expire_time, "%Y-%m-%dT%H:%M:%SZ") impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "x-goog-user-project": self.QUOTA_PROJECT_ID, "authorization": "Bearer {}".format(token_response["access_token"]), "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": self.SCOPES, "lifetime": "3600s", } # Initialize mock request to handle token exchange, service account # impersonation and cloud resource manager request. request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE.copy(), impersonation_status=http_client.OK, impersonation_data=impersonation_response, cloud_resource_manager_status=http_client.OK, cloud_resource_manager_data=self.CLOUD_RESOURCE_MANAGER_SUCCESS_RESPONSE, ) credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, scopes=self.SCOPES, quota_project_id=self.QUOTA_PROJECT_ID, ) # Expected project ID from cloud resource manager response should be returned. project_id = credentials.get_project_id(request) assert project_id == self.PROJECT_ID # 3 requests should be processed. assert len(request.call_args_list) == 3 # Verify token exchange request parameters. self.assert_token_request_kwargs( request.call_args_list[0][1], token_headers, token_request_data ) # Verify service account impersonation request parameters. self.assert_impersonation_request_kwargs( request.call_args_list[1][1], impersonation_headers, impersonation_request_data, ) # In the process of getting project ID, an access token should be # retrieved. assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == impersonation_response["accessToken"] # Verify cloud resource manager request parameters. self.assert_resource_manager_request_kwargs( request.call_args_list[2][1], self.PROJECT_NUMBER, { "x-goog-user-project": self.QUOTA_PROJECT_ID, "authorization": "Bearer {}".format( impersonation_response["accessToken"] ), "x-allowed-locations": "0x0", }, ) # Calling get_project_id again should return the cached project_id. project_id = credentials.get_project_id(request) assert project_id == self.PROJECT_ID # No additional requests. assert len(request.call_args_list) == 3 @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_workforce_pool_get_project_id_cloud_resource_manager_success( self, mock_auth_lib_value ): # STS token exchange request/response. token_headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.WORKFORCE_AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.WORKFORCE_SUBJECT_TOKEN_TYPE, "scope": "scope1 scope2", "options": urllib.parse.quote( json.dumps({"userProject": self.WORKFORCE_POOL_USER_PROJECT}) ), } # Initialize mock request to handle token exchange and cloud resource # manager request. request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE.copy(), cloud_resource_manager_status=http_client.OK, cloud_resource_manager_data=self.CLOUD_RESOURCE_MANAGER_SUCCESS_RESPONSE, ) credentials = self.make_workforce_pool_credentials( scopes=self.SCOPES, quota_project_id=self.QUOTA_PROJECT_ID, workforce_pool_user_project=self.WORKFORCE_POOL_USER_PROJECT, ) # Expected project ID from cloud resource manager response should be returned. project_id = credentials.get_project_id(request) assert project_id == self.PROJECT_ID # 2 requests should be processed. assert len(request.call_args_list) == 2 # Verify token exchange request parameters. self.assert_token_request_kwargs( request.call_args_list[0][1], token_headers, token_request_data ) # In the process of getting project ID, an access token should be # retrieved. assert credentials.valid assert not credentials.expired assert credentials.token == self.SUCCESS_RESPONSE["access_token"] # Verify cloud resource manager request parameters. self.assert_resource_manager_request_kwargs( request.call_args_list[1][1], self.WORKFORCE_POOL_USER_PROJECT, { "x-goog-user-project": self.QUOTA_PROJECT_ID, "authorization": "Bearer {}".format( self.SUCCESS_RESPONSE["access_token"] ), "x-allowed-locations": "0x0", }, ) # Calling get_project_id again should return the cached project_id. project_id = credentials.get_project_id(request) assert project_id == self.PROJECT_ID # No additional requests. assert len(request.call_args_list) == 2 @mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) def test_refresh_impersonation_with_lifetime( self, mock_metrics_header_value, mock_auth_lib_value ): # Simulate service account access token expires in 2800 seconds. expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=2800) ).isoformat("T") + "Z" expected_expiry = datetime.datetime.strptime(expire_time, "%Y-%m-%dT%H:%M:%SZ") # STS token exchange request/response. token_response = self.SUCCESS_RESPONSE.copy() token_headers = { "Content-Type": "application/x-www-form-urlencoded", "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/true config-lifetime/true", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": self.AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "subject_token": "subject_token_0", "subject_token_type": self.SUBJECT_TOKEN_TYPE, "scope": "https://www.googleapis.com/auth/iam", } # Service account impersonation request/response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "authorization": "Bearer {}".format(token_response["access_token"]), "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": self.SCOPES, "lifetime": "2800s", } # Initialize mock request to handle token exchange and service account # impersonation request. request = self.make_mock_request( status=http_client.OK, data=token_response, impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) # Initialize credentials with service account impersonation. credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, scopes=self.SCOPES, ) credentials.refresh(request) # Only 2 requests should be processed. assert len(request.call_args_list) == 2 # Verify token exchange request parameters. self.assert_token_request_kwargs( request.call_args_list[0][1], token_headers, token_request_data ) # Verify service account impersonation request parameters. self.assert_impersonation_request_kwargs( request.call_args_list[1][1], impersonation_headers, impersonation_request_data, ) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == impersonation_response["accessToken"] def test_get_project_id_cloud_resource_manager_error(self): # Simulate resource doesn't have sufficient permissions to access # cloud resource manager. request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE.copy(), cloud_resource_manager_status=http_client.UNAUTHORIZED, ) credentials = self.make_credentials(scopes=self.SCOPES) project_id = credentials.get_project_id(request) assert project_id is None # Only 2 requests to STS and cloud resource manager should be sent. assert len(request.call_args_list) == 2 ��compute_engine/test_credentials.py��0000644��00000103240�15025175543�0013462 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import base64 import datetime import mock import pytest # type: ignore import responses # type: ignore from google.auth import _helpers from google.auth import exceptions from google.auth import jwt from google.auth import transport from google.auth.compute_engine import credentials from google.auth.transport import requests SAMPLE_ID_TOKEN_EXP = 1584393400 # header: {"alg": "RS256", "typ": "JWT", "kid": "1"} # payload: {"iss": "issuer", "iat": 1584393348, "sub": "subject", # "exp": 1584393400,"aud": "audience"} SAMPLE_ID_TOKEN = ( b"eyJhbGciOiAiUlMyNTYiLCAidHlwIjogIkpXVCIsICJraWQiOiAiMSJ9." b"eyJpc3MiOiAiaXNzdWVyIiwgImlhdCI6IDE1ODQzOTMzNDgsICJzdWIiO" b"iAic3ViamVjdCIsICJleHAiOiAxNTg0MzkzNDAwLCAiYXVkIjogImF1ZG" b"llbmNlIn0." b"OquNjHKhTmlgCk361omRo18F_uY-7y0f_AmLbzW062Q1Zr61HAwHYP5FM" b"316CK4_0cH8MUNGASsvZc3VqXAqub6PUTfhemH8pFEwBdAdG0LhrNkU0H" b"WN1YpT55IiQ31esLdL5q-qDsOPpNZJUti1y1lAreM5nIn2srdWzGXGs4i" b"TRQsn0XkNUCL4RErpciXmjfhMrPkcAjKA-mXQm2fa4jmTlEZFqFmUlym1" b"ozJ0yf5grjN6AslN4OGvAv1pS-_Ko_pGBS6IQtSBC6vVKCUuBfaqNjykg" b"bsxbLa6Fp0SYeYwO8ifEnkRvasVpc1WTQqfRB2JCj5pTBDzJpIpFCMmnQ" ) ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/mds" ) ID_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/it cred-type/mds" ) class TestCredentials(object): credentials = None @pytest.fixture(autouse=True) def credentials_fixture(self): self.credentials = credentials.Credentials() def test_default_state(self): assert not self.credentials.valid # Expiration hasn't been set yet assert not self.credentials.expired # Scopes are needed assert self.credentials.requires_scopes # Service account email hasn't been populated assert self.credentials.service_account_email == "default" # No quota project assert not self.credentials._quota_project_id @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_refresh_success(self, get, utcnow): get.side_effect = [ { # First request is for sevice account info. "email": "service-account@example.com", "scopes": ["one", "two"], }, { # Second request is for the token. "access_token": "token", "expires_in": 500, }, ] # Refresh credentials self.credentials.refresh(None) # Check that the credentials have the token and proper expiration assert self.credentials.token == "token" assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500)) # Check the credential info assert self.credentials.service_account_email == "service-account@example.com" assert self.credentials._scopes == ["one", "two"] # Check that the credentials are valid (have a token and are not # expired) assert self.credentials.valid @mock.patch( "google.auth.metrics.token_request_access_token_mds", return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_refresh_success_with_scopes(self, get, utcnow, mock_metrics_header_value): get.side_effect = [ { # First request is for sevice account info. "email": "service-account@example.com", "scopes": ["one", "two"], }, { # Second request is for the token. "access_token": "token", "expires_in": 500, }, ] # Refresh credentials scopes = ["three", "four"] self.credentials = self.credentials.with_scopes(scopes) self.credentials.refresh(None) # Check that the credentials have the token and proper expiration assert self.credentials.token == "token" assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500)) # Check the credential info assert self.credentials.service_account_email == "service-account@example.com" assert self.credentials._scopes == scopes # Check that the credentials are valid (have a token and are not # expired) assert self.credentials.valid kwargs = get.call_args[1] assert kwargs["params"] == {"scopes": "three,four"} assert kwargs["headers"] == { "x-goog-api-client": ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE } @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_refresh_error(self, get): get.side_effect = exceptions.TransportError("http error") with pytest.raises(exceptions.RefreshError) as excinfo: self.credentials.refresh(None) assert excinfo.match(r"http error") @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_before_request_refreshes(self, get): get.side_effect = [ { # First request is for sevice account info. "email": "service-account@example.com", "scopes": "one two", }, { # Second request is for the token. "access_token": "token", "expires_in": 500, }, ] # Credentials should start as invalid assert not self.credentials.valid # before_request should cause a refresh request = mock.create_autospec(transport.Request, instance=True) self.credentials.before_request(request, "GET", "http://example.com?a=1#3", {}) # The refresh endpoint should've been called. assert get.called # Credentials should now be valid. assert self.credentials.valid def test_with_quota_project(self): quota_project_creds = self.credentials.with_quota_project("project-foo") assert quota_project_creds._quota_project_id == "project-foo" def test_with_scopes(self): assert self.credentials._scopes is None scopes = ["one", "two"] self.credentials = self.credentials.with_scopes(scopes) assert self.credentials._scopes == scopes def test_token_usage_metrics(self): self.credentials.token = "token" self.credentials.expiry = None headers = {} self.credentials.before_request(mock.Mock(), None, None, headers) assert headers["authorization"] == "Bearer token" assert headers["x-goog-api-client"] == "cred-type/mds" @mock.patch( "google.auth.compute_engine._metadata.get_universe_domain", return_value="fake_universe_domain", ) def test_universe_domain(self, get_universe_domain): self.credentials._universe_domain_cached = False self.credentials._universe_domain = "googleapis.com" # calling the universe_domain property should trigger a call to # get_universe_domain to fetch the value. The value should be cached. assert self.credentials.universe_domain == "fake_universe_domain" assert self.credentials._universe_domain == "fake_universe_domain" assert self.credentials._universe_domain_cached get_universe_domain.assert_called_once() # calling the universe_domain property the second time should use the # cached value instead of calling get_universe_domain assert self.credentials.universe_domain == "fake_universe_domain" get_universe_domain.assert_called_once() class TestIDTokenCredentials(object): credentials = None @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_default_state(self, get): get.side_effect = [ {"email": "service-account@example.com", "scope": ["one", "two"]} ] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://example.com" ) assert not self.credentials.valid # Expiration hasn't been set yet assert not self.credentials.expired # Service account email hasn't been populated assert self.credentials.service_account_email == "service-account@example.com" # Signer is initialized assert self.credentials.signer assert self.credentials.signer_email == "service-account@example.com" # No quota project assert not self.credentials._quota_project_id @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_make_authorization_grant_assertion(self, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com" ) # Generate authorization grant: token = self.credentials._make_authorization_grant_assertion() payload = jwt.decode(token, verify=False) # The JWT token signature is 'signature' encoded in base 64: assert token.endswith(b".c2lnbmF0dXJl") # Check that the credentials have the token and proper expiration assert payload == { "aud": "https://www.googleapis.com/oauth2/v4/token", "exp": 3600, "iat": 0, "iss": "service-account@example.com", "target_audience": "https://audience.com", } @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_with_service_account(self, sign, get, utcnow): sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com", service_account_email="service-account@other.com", ) # Generate authorization grant: token = self.credentials._make_authorization_grant_assertion() payload = jwt.decode(token, verify=False) # The JWT token signature is 'signature' encoded in base 64: assert token.endswith(b".c2lnbmF0dXJl") # Check that the credentials have the token and proper expiration assert payload == { "aud": "https://www.googleapis.com/oauth2/v4/token", "exp": 3600, "iat": 0, "iss": "service-account@other.com", "target_audience": "https://audience.com", } @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_additional_claims(self, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com", additional_claims={"foo": "bar"}, ) # Generate authorization grant: token = self.credentials._make_authorization_grant_assertion() payload = jwt.decode(token, verify=False) # The JWT token signature is 'signature' encoded in base 64: assert token.endswith(b".c2lnbmF0dXJl") # Check that the credentials have the token and proper expiration assert payload == { "aud": "https://www.googleapis.com/oauth2/v4/token", "exp": 3600, "iat": 0, "iss": "service-account@example.com", "target_audience": "https://audience.com", "foo": "bar", } def test_token_uri(self): request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, signer=mock.Mock(), service_account_email="foo@example.com", target_audience="https://audience.com", ) assert self.credentials._token_uri == credentials._DEFAULT_TOKEN_URI self.credentials = credentials.IDTokenCredentials( request=request, signer=mock.Mock(), service_account_email="foo@example.com", target_audience="https://audience.com", token_uri="https://example.com/token", ) assert self.credentials._token_uri == "https://example.com/token" @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_with_target_audience(self, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com" ) self.credentials = self.credentials.with_target_audience("https://actually.not") # Generate authorization grant: token = self.credentials._make_authorization_grant_assertion() payload = jwt.decode(token, verify=False) # The JWT token signature is 'signature' encoded in base 64: assert token.endswith(b".c2lnbmF0dXJl") # Check that the credentials have the token and proper expiration assert payload == { "aud": "https://www.googleapis.com/oauth2/v4/token", "exp": 3600, "iat": 0, "iss": "service-account@example.com", "target_audience": "https://actually.not", } # Check that the signer have been initialized with a Request object assert isinstance(self.credentials._signer._request, transport.Request) @responses.activate def test_with_target_audience_integration(self): """ Test that it is possible to refresh credentials generated from `with_target_audience`. Instead of mocking the methods, the HTTP responses have been mocked. """ # mock information about credentials responses.add( responses.GET, "http://metadata.google.internal/computeMetadata/v1/instance/" "service-accounts/default/?recursive=true", status=200, content_type="application/json", json={ "scopes": "email", "email": "service-account@example.com", "aliases": ["default"], }, ) # mock token for credentials responses.add( responses.GET, "http://metadata.google.internal/computeMetadata/v1/instance/" "service-accounts/service-account@example.com/token", status=200, content_type="application/json", json={ "access_token": "some-token", "expires_in": 3210, "token_type": "Bearer", }, ) # mock sign blob endpoint signature = base64.b64encode(b"some-signature").decode("utf-8") responses.add( responses.POST, "https://iamcredentials.googleapis.com/v1/projects/-/" "serviceAccounts/service-account@example.com:signBlob?alt=json", status=200, content_type="application/json", json={"keyId": "some-key-id", "signedBlob": signature}, ) id_token = "{}.{}.{}".format( base64.b64encode(b'{"some":"some"}').decode("utf-8"), base64.b64encode(b'{"exp": 3210}').decode("utf-8"), base64.b64encode(b"token").decode("utf-8"), ) # mock id token endpoint responses.add( responses.POST, "https://www.googleapis.com/oauth2/v4/token", status=200, content_type="application/json", json={"id_token": id_token, "expiry": 3210}, ) self.credentials = credentials.IDTokenCredentials( request=requests.Request(), service_account_email="service-account@example.com", target_audience="https://audience.com", ) self.credentials = self.credentials.with_target_audience("https://actually.not") self.credentials.refresh(requests.Request()) assert self.credentials.token is not None @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_with_quota_project(self, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com" ) self.credentials = self.credentials.with_quota_project("project-foo") assert self.credentials._quota_project_id == "project-foo" # Generate authorization grant: token = self.credentials._make_authorization_grant_assertion() payload = jwt.decode(token, verify=False) # The JWT token signature is 'signature' encoded in base 64: assert token.endswith(b".c2lnbmF0dXJl") # Check that the credentials have the token and proper expiration assert payload == { "aud": "https://www.googleapis.com/oauth2/v4/token", "exp": 3600, "iat": 0, "iss": "service-account@example.com", "target_audience": "https://audience.com", } # Check that the signer have been initialized with a Request object assert isinstance(self.credentials._signer._request, transport.Request) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_with_token_uri(self, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com", token_uri="http://xyz.com", ) assert self.credentials._token_uri == "http://xyz.com" creds_with_token_uri = self.credentials.with_token_uri("http://example.com") assert creds_with_token_uri._token_uri == "http://example.com" @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_with_token_uri_exception(self, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com", use_metadata_identity_endpoint=True, ) assert self.credentials._token_uri is None with pytest.raises(ValueError): self.credentials.with_token_uri("http://example.com") @responses.activate def test_with_quota_project_integration(self): """ Test that it is possible to refresh credentials generated from `with_quota_project`. Instead of mocking the methods, the HTTP responses have been mocked. """ # mock information about credentials responses.add( responses.GET, "http://metadata.google.internal/computeMetadata/v1/instance/" "service-accounts/default/?recursive=true", status=200, content_type="application/json", json={ "scopes": "email", "email": "service-account@example.com", "aliases": ["default"], }, ) # mock token for credentials responses.add( responses.GET, "http://metadata.google.internal/computeMetadata/v1/instance/" "service-accounts/service-account@example.com/token", status=200, content_type="application/json", json={ "access_token": "some-token", "expires_in": 3210, "token_type": "Bearer", }, ) # mock sign blob endpoint signature = base64.b64encode(b"some-signature").decode("utf-8") responses.add( responses.POST, "https://iamcredentials.googleapis.com/v1/projects/-/" "serviceAccounts/service-account@example.com:signBlob?alt=json", status=200, content_type="application/json", json={"keyId": "some-key-id", "signedBlob": signature}, ) id_token = "{}.{}.{}".format( base64.b64encode(b'{"some":"some"}').decode("utf-8"), base64.b64encode(b'{"exp": 3210}').decode("utf-8"), base64.b64encode(b"token").decode("utf-8"), ) # mock id token endpoint responses.add( responses.POST, "https://www.googleapis.com/oauth2/v4/token", status=200, content_type="application/json", json={"id_token": id_token, "expiry": 3210}, ) self.credentials = credentials.IDTokenCredentials( request=requests.Request(), service_account_email="service-account@example.com", target_audience="https://audience.com", ) self.credentials = self.credentials.with_quota_project("project-foo") self.credentials.refresh(requests.Request()) assert self.credentials.token is not None assert self.credentials._quota_project_id == "project-foo" @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) @mock.patch("google.oauth2._client.id_token_jwt_grant", autospec=True) def test_refresh_success(self, id_token_jwt_grant, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] id_token_jwt_grant.side_effect = [ ("idtoken", datetime.datetime.utcfromtimestamp(3600), {}) ] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com" ) # Refresh credentials self.credentials.refresh(None) # Check that the credentials have the token and proper expiration assert self.credentials.token == "idtoken" assert self.credentials.expiry == (datetime.datetime.utcfromtimestamp(3600)) # Check the credential info assert self.credentials.service_account_email == "service-account@example.com" # Check that the credentials are valid (have a token and are not # expired) assert self.credentials.valid @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_refresh_error(self, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) response = mock.Mock() response.data = b'{"error": "http error"}' response.status = 404 # Throw a 404 so the request is not retried. request.side_effect = [response] self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com" ) with pytest.raises(exceptions.RefreshError) as excinfo: self.credentials.refresh(request) assert excinfo.match(r"http error") @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.utcfromtimestamp(0), ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) @mock.patch("google.oauth2._client.id_token_jwt_grant", autospec=True) def test_before_request_refreshes(self, id_token_jwt_grant, sign, get, utcnow): get.side_effect = [ {"email": "service-account@example.com", "scopes": "one two"} ] sign.side_effect = [b"signature"] id_token_jwt_grant.side_effect = [ ("idtoken", datetime.datetime.utcfromtimestamp(3600), {}) ] request = mock.create_autospec(transport.Request, instance=True) self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com" ) # Credentials should start as invalid assert not self.credentials.valid # before_request should cause a refresh request = mock.create_autospec(transport.Request, instance=True) self.credentials.before_request(request, "GET", "http://example.com?a=1#3", {}) # The refresh endpoint should've been called. assert get.called # Credentials should now be valid. assert self.credentials.valid @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) @mock.patch("google.auth.iam.Signer.sign", autospec=True) def test_sign_bytes(self, sign, get): get.side_effect = [ {"email": "service-account@example.com", "scopes": ["one", "two"]} ] sign.side_effect = [b"signature"] request = mock.create_autospec(transport.Request, instance=True) response = mock.Mock() response.data = b'{"signature": "c2lnbmF0dXJl"}' response.status = 200 request.side_effect = [response] self.credentials = credentials.IDTokenCredentials( request=request, target_audience="https://audience.com" ) # Generate authorization grant: signature = self.credentials.sign_bytes(b"some bytes") # The JWT token signature is 'signature' encoded in base 64: assert signature == b"signature" @mock.patch( "google.auth.metrics.token_request_id_token_mds", return_value=ID_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.compute_engine._metadata.get_service_account_info", autospec=True ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_get_id_token_from_metadata( self, get, get_service_account_info, mock_metrics_header_value ): get.return_value = SAMPLE_ID_TOKEN get_service_account_info.return_value = {"email": "foo@example.com"} cred = credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True ) cred.refresh(request=mock.Mock()) assert get.call_args.kwargs["headers"] == { "x-goog-api-client": ID_TOKEN_REQUEST_METRICS_HEADER_VALUE } assert cred.token == SAMPLE_ID_TOKEN assert cred.expiry == datetime.datetime.utcfromtimestamp(SAMPLE_ID_TOKEN_EXP) assert cred._use_metadata_identity_endpoint assert cred._signer is None assert cred._token_uri is None assert cred._service_account_email == "foo@example.com" assert cred._target_audience == "audience" with pytest.raises(ValueError): cred.sign_bytes(b"bytes") @mock.patch( "google.auth.compute_engine._metadata.get_service_account_info", autospec=True ) def test_with_target_audience_for_metadata(self, get_service_account_info): get_service_account_info.return_value = {"email": "foo@example.com"} cred = credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True ) cred = cred.with_target_audience("new_audience") assert cred._target_audience == "new_audience" assert cred._use_metadata_identity_endpoint assert cred._signer is None assert cred._token_uri is None assert cred._service_account_email == "foo@example.com" @mock.patch( "google.auth.compute_engine._metadata.get_service_account_info", autospec=True ) def test_id_token_with_quota_project(self, get_service_account_info): get_service_account_info.return_value = {"email": "foo@example.com"} cred = credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True ) cred = cred.with_quota_project("project-foo") assert cred._quota_project_id == "project-foo" assert cred._use_metadata_identity_endpoint assert cred._signer is None assert cred._token_uri is None assert cred._service_account_email == "foo@example.com" @mock.patch( "google.auth.compute_engine._metadata.get_service_account_info", autospec=True ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_invalid_id_token_from_metadata(self, get, get_service_account_info): get.return_value = "invalid_id_token" get_service_account_info.return_value = {"email": "foo@example.com"} cred = credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True ) with pytest.raises(ValueError): cred.refresh(request=mock.Mock()) @mock.patch( "google.auth.compute_engine._metadata.get_service_account_info", autospec=True ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_transport_error_from_metadata(self, get, get_service_account_info): get.side_effect = exceptions.TransportError("transport error") get_service_account_info.return_value = {"email": "foo@example.com"} cred = credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True ) with pytest.raises(exceptions.RefreshError) as excinfo: cred.refresh(request=mock.Mock()) assert excinfo.match(r"transport error") def test_get_id_token_from_metadata_constructor(self): with pytest.raises(ValueError): credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True, token_uri="token_uri", ) with pytest.raises(ValueError): credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True, signer=mock.Mock(), ) with pytest.raises(ValueError): credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True, additional_claims={"key", "value"}, ) with pytest.raises(ValueError): credentials.IDTokenCredentials( mock.Mock(), "audience", use_metadata_identity_endpoint=True, service_account_email="foo@example.com", ) ��compute_engine/test__metadata.py��0000644��00000037341�15025175543�0013114 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import http.client as http_client import importlib import json import os import mock import pytest # type: ignore from google.auth import _helpers from google.auth import environment_vars from google.auth import exceptions from google.auth import transport from google.auth.compute_engine import _metadata PATH = "instance/service-accounts/default" DATA_DIR = os.path.join(os.path.dirname(__file__), "data") SMBIOS_PRODUCT_NAME_FILE = os.path.join(DATA_DIR, "smbios_product_name") SMBIOS_PRODUCT_NAME_NONEXISTENT_FILE = os.path.join( DATA_DIR, "smbios_product_name_nonexistent" ) SMBIOS_PRODUCT_NAME_NON_GOOGLE = os.path.join( DATA_DIR, "smbios_product_name_non_google" ) ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/mds" ) MDS_PING_METRICS_HEADER_VALUE = "gl-python/3.7 auth/1.1 auth-request-type/mds" MDS_PING_REQUEST_HEADER = { "metadata-flavor": "Google", "x-goog-api-client": MDS_PING_METRICS_HEADER_VALUE, } def make_request(data, status=http_client.OK, headers=None, retry=False): response = mock.create_autospec(transport.Response, instance=True) response.status = status response.data = _helpers.to_bytes(data) response.headers = headers or {} request = mock.create_autospec(transport.Request) if retry: request.side_effect = [exceptions.TransportError(), response] else: request.return_value = response return request def test_detect_gce_residency_linux_success(): _metadata._GCE_PRODUCT_NAME_FILE = SMBIOS_PRODUCT_NAME_FILE assert _metadata.detect_gce_residency_linux() def test_detect_gce_residency_linux_non_google(): _metadata._GCE_PRODUCT_NAME_FILE = SMBIOS_PRODUCT_NAME_NON_GOOGLE assert not _metadata.detect_gce_residency_linux() def test_detect_gce_residency_linux_nonexistent(): _metadata._GCE_PRODUCT_NAME_FILE = SMBIOS_PRODUCT_NAME_NONEXISTENT_FILE assert not _metadata.detect_gce_residency_linux() def test_is_on_gce_ping_success(): request = make_request("", headers=_metadata._METADATA_HEADERS) assert _metadata.is_on_gce(request) @mock.patch("os.name", new="nt") def test_is_on_gce_windows_success(): request = make_request("", headers={_metadata._METADATA_FLAVOR_HEADER: "meep"}) assert not _metadata.is_on_gce(request) @mock.patch("os.name", new="posix") def test_is_on_gce_linux_success(): request = make_request("", headers={_metadata._METADATA_FLAVOR_HEADER: "meep"}) _metadata._GCE_PRODUCT_NAME_FILE = SMBIOS_PRODUCT_NAME_FILE assert _metadata.is_on_gce(request) @mock.patch("google.auth.metrics.mds_ping", return_value=MDS_PING_METRICS_HEADER_VALUE) def test_ping_success(mock_metrics_header_value): request = make_request("", headers=_metadata._METADATA_HEADERS) assert _metadata.ping(request) request.assert_called_once_with( method="GET", url=_metadata._METADATA_IP_ROOT, headers=MDS_PING_REQUEST_HEADER, timeout=_metadata._METADATA_DEFAULT_TIMEOUT, ) @mock.patch("google.auth.metrics.mds_ping", return_value=MDS_PING_METRICS_HEADER_VALUE) def test_ping_success_retry(mock_metrics_header_value): request = make_request("", headers=_metadata._METADATA_HEADERS, retry=True) assert _metadata.ping(request) request.assert_called_with( method="GET", url=_metadata._METADATA_IP_ROOT, headers=MDS_PING_REQUEST_HEADER, timeout=_metadata._METADATA_DEFAULT_TIMEOUT, ) assert request.call_count == 2 def test_ping_failure_bad_flavor(): request = make_request("", headers={_metadata._METADATA_FLAVOR_HEADER: "meep"}) assert not _metadata.ping(request) def test_ping_failure_connection_failed(): request = make_request("") request.side_effect = exceptions.TransportError() assert not _metadata.ping(request) @mock.patch("google.auth.metrics.mds_ping", return_value=MDS_PING_METRICS_HEADER_VALUE) def test_ping_success_custom_root(mock_metrics_header_value): request = make_request("", headers=_metadata._METADATA_HEADERS) fake_ip = "1.2.3.4" os.environ[environment_vars.GCE_METADATA_IP] = fake_ip importlib.reload(_metadata) try: assert _metadata.ping(request) finally: del os.environ[environment_vars.GCE_METADATA_IP] importlib.reload(_metadata) request.assert_called_once_with( method="GET", url="http://" + fake_ip, headers=MDS_PING_REQUEST_HEADER, timeout=_metadata._METADATA_DEFAULT_TIMEOUT, ) def test_get_success_json(): key, value = "foo", "bar" data = json.dumps({key: value}) request = make_request(data, headers={"content-type": "application/json"}) result = _metadata.get(request, PATH) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH, headers=_metadata._METADATA_HEADERS, ) assert result[key] == value def test_get_success_json_content_type_charset(): key, value = "foo", "bar" data = json.dumps({key: value}) request = make_request( data, headers={"content-type": "application/json; charset=UTF-8"} ) result = _metadata.get(request, PATH) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH, headers=_metadata._METADATA_HEADERS, ) assert result[key] == value def test_get_success_retry(): key, value = "foo", "bar" data = json.dumps({key: value}) request = make_request( data, headers={"content-type": "application/json"}, retry=True ) result = _metadata.get(request, PATH) request.assert_called_with( method="GET", url=_metadata._METADATA_ROOT + PATH, headers=_metadata._METADATA_HEADERS, ) assert request.call_count == 2 assert result[key] == value def test_get_success_text(): data = "foobar" request = make_request(data, headers={"content-type": "text/plain"}) result = _metadata.get(request, PATH) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH, headers=_metadata._METADATA_HEADERS, ) assert result == data def test_get_success_params(): data = "foobar" request = make_request(data, headers={"content-type": "text/plain"}) params = {"recursive": "true"} result = _metadata.get(request, PATH, params=params) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH + "?recursive=true", headers=_metadata._METADATA_HEADERS, ) assert result == data def test_get_success_recursive_and_params(): data = "foobar" request = make_request(data, headers={"content-type": "text/plain"}) params = {"recursive": "false"} result = _metadata.get(request, PATH, recursive=True, params=params) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH + "?recursive=true", headers=_metadata._METADATA_HEADERS, ) assert result == data def test_get_success_recursive(): data = "foobar" request = make_request(data, headers={"content-type": "text/plain"}) result = _metadata.get(request, PATH, recursive=True) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH + "?recursive=true", headers=_metadata._METADATA_HEADERS, ) assert result == data def test_get_success_custom_root_new_variable(): request = make_request("{}", headers={"content-type": "application/json"}) fake_root = "another.metadata.service" os.environ[environment_vars.GCE_METADATA_HOST] = fake_root importlib.reload(_metadata) try: _metadata.get(request, PATH) finally: del os.environ[environment_vars.GCE_METADATA_HOST] importlib.reload(_metadata) request.assert_called_once_with( method="GET", url="http://{}/computeMetadata/v1/{}".format(fake_root, PATH), headers=_metadata._METADATA_HEADERS, ) def test_get_success_custom_root_old_variable(): request = make_request("{}", headers={"content-type": "application/json"}) fake_root = "another.metadata.service" os.environ[environment_vars.GCE_METADATA_ROOT] = fake_root importlib.reload(_metadata) try: _metadata.get(request, PATH) finally: del os.environ[environment_vars.GCE_METADATA_ROOT] importlib.reload(_metadata) request.assert_called_once_with( method="GET", url="http://{}/computeMetadata/v1/{}".format(fake_root, PATH), headers=_metadata._METADATA_HEADERS, ) def test_get_failure(): request = make_request("Metadata error", status=http_client.NOT_FOUND) with pytest.raises(exceptions.TransportError) as excinfo: _metadata.get(request, PATH) assert excinfo.match(r"Metadata error") request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH, headers=_metadata._METADATA_HEADERS, ) def test_get_return_none_for_not_found_error(): request = make_request("Metadata error", status=http_client.NOT_FOUND) assert _metadata.get(request, PATH, return_none_for_not_found_error=True) is None request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH, headers=_metadata._METADATA_HEADERS, ) def test_get_failure_connection_failed(): request = make_request("") request.side_effect = exceptions.TransportError() with pytest.raises(exceptions.TransportError) as excinfo: _metadata.get(request, PATH) assert excinfo.match(r"Compute Engine Metadata server unavailable") request.assert_called_with( method="GET", url=_metadata._METADATA_ROOT + PATH, headers=_metadata._METADATA_HEADERS, ) assert request.call_count == 5 def test_get_failure_bad_json(): request = make_request("{", headers={"content-type": "application/json"}) with pytest.raises(exceptions.TransportError) as excinfo: _metadata.get(request, PATH) assert excinfo.match(r"invalid JSON") request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH, headers=_metadata._METADATA_HEADERS, ) def test_get_project_id(): project = "example-project" request = make_request(project, headers={"content-type": "text/plain"}) project_id = _metadata.get_project_id(request) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + "project/project-id", headers=_metadata._METADATA_HEADERS, ) assert project_id == project def test_get_universe_domain_success(): request = make_request( "fake_universe_domain", headers={"content-type": "text/plain"} ) universe_domain = _metadata.get_universe_domain(request) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + "universe/universe_domain", headers=_metadata._METADATA_HEADERS, ) assert universe_domain == "fake_universe_domain" def test_get_universe_domain_not_found(): # Test that if the universe domain endpoint returns 404 error, we should # use googleapis.com as the universe domain request = make_request("not found", status=http_client.NOT_FOUND) universe_domain = _metadata.get_universe_domain(request) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + "universe/universe_domain", headers=_metadata._METADATA_HEADERS, ) assert universe_domain == "googleapis.com" def test_get_universe_domain_other_error(): # Test that if the universe domain endpoint returns an error other than 404 # we should throw the error request = make_request("unauthorized", status=http_client.UNAUTHORIZED) with pytest.raises(exceptions.TransportError) as excinfo: _metadata.get_universe_domain(request) assert excinfo.match(r"unauthorized") request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + "universe/universe_domain", headers=_metadata._METADATA_HEADERS, ) @mock.patch( "google.auth.metrics.token_request_access_token_mds", return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_get_service_account_token(utcnow, mock_metrics_header_value): ttl = 500 request = make_request( json.dumps({"access_token": "token", "expires_in": ttl}), headers={"content-type": "application/json"}, ) token, expiry = _metadata.get_service_account_token(request) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH + "/token", headers={ "metadata-flavor": "Google", "x-goog-api-client": ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, }, ) assert token == "token" assert expiry == utcnow() + datetime.timedelta(seconds=ttl) @mock.patch( "google.auth.metrics.token_request_access_token_mds", return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_get_service_account_token_with_scopes_list(utcnow, mock_metrics_header_value): ttl = 500 request = make_request( json.dumps({"access_token": "token", "expires_in": ttl}), headers={"content-type": "application/json"}, ) token, expiry = _metadata.get_service_account_token(request, scopes=["foo", "bar"]) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH + "/token" + "?scopes=foo%2Cbar", headers={ "metadata-flavor": "Google", "x-goog-api-client": ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, }, ) assert token == "token" assert expiry == utcnow() + datetime.timedelta(seconds=ttl) @mock.patch( "google.auth.metrics.token_request_access_token_mds", return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_get_service_account_token_with_scopes_string( utcnow, mock_metrics_header_value ): ttl = 500 request = make_request( json.dumps({"access_token": "token", "expires_in": ttl}), headers={"content-type": "application/json"}, ) token, expiry = _metadata.get_service_account_token(request, scopes="foo,bar") request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH + "/token" + "?scopes=foo%2Cbar", headers={ "metadata-flavor": "Google", "x-goog-api-client": ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, }, ) assert token == "token" assert expiry == utcnow() + datetime.timedelta(seconds=ttl) def test_get_service_account_info(): key, value = "foo", "bar" request = make_request( json.dumps({key: value}), headers={"content-type": "application/json"} ) info = _metadata.get_service_account_info(request) request.assert_called_once_with( method="GET", url=_metadata._METADATA_ROOT + PATH + "/?recursive=true", headers=_metadata._METADATA_HEADERS, ) assert info[key] == value ��compute_engine/data/smbios_product_name_non_google��0000644��00000000023�15025175543�0016645 0��ustar�00��ABC Compute Engine ��compute_engine/data/smbios_product_name��0000644��00000000026�15025175543�0014442 0��ustar�00��Google Compute Engine ��compute_engine/__init__.py��0000644��00000000000�15025175543�0011653 0��ustar�00��test_credentials.py��0000644��00000015372�15025175543�0010471 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import pytest # type: ignore from google.auth import _helpers from google.auth import credentials class CredentialsImpl(credentials.Credentials): def refresh(self, request): self.token = request def with_quota_project(self, quota_project_id): raise NotImplementedError() class CredentialsImplWithMetrics(credentials.Credentials): def refresh(self, request): self.token = request def _metric_header_for_usage(self): return "foo" def test_credentials_constructor(): credentials = CredentialsImpl() assert not credentials.token assert not credentials.expiry assert not credentials.expired assert not credentials.valid assert credentials.universe_domain == "googleapis.com" def test_expired_and_valid(): credentials = CredentialsImpl() credentials.token = "token" assert credentials.valid assert not credentials.expired # Set the expiration to one second more than now plus the clock skew # accomodation. These credentials should be valid. credentials.expiry = ( _helpers.utcnow() + _helpers.REFRESH_THRESHOLD + datetime.timedelta(seconds=1) ) assert credentials.valid assert not credentials.expired # Set the credentials expiration to now. Because of the clock skew # accomodation, these credentials should report as expired. credentials.expiry = _helpers.utcnow() assert not credentials.valid assert credentials.expired def test_before_request(): credentials = CredentialsImpl() request = "token" headers = {} # First call should call refresh, setting the token. credentials.before_request(request, "http://example.com", "GET", headers) assert credentials.valid assert credentials.token == "token" assert headers["authorization"] == "Bearer token" assert "x-allowed-locations" not in headers request = "token2" headers = {} # Second call shouldn't call refresh. credentials.before_request(request, "http://example.com", "GET", headers) assert credentials.valid assert credentials.token == "token" assert headers["authorization"] == "Bearer token" assert "x-allowed-locations" not in headers def test_before_request_with_trust_boundary(): DUMMY_BOUNDARY = "0xA30" credentials = CredentialsImpl() credentials._trust_boundary = {"locations": [], "encoded_locations": DUMMY_BOUNDARY} request = "token" headers = {} # First call should call refresh, setting the token. credentials.before_request(request, "http://example.com", "GET", headers) assert credentials.valid assert credentials.token == "token" assert headers["authorization"] == "Bearer token" assert headers["x-allowed-locations"] == DUMMY_BOUNDARY request = "token2" headers = {} # Second call shouldn't call refresh. credentials.before_request(request, "http://example.com", "GET", headers) assert credentials.valid assert credentials.token == "token" assert headers["authorization"] == "Bearer token" assert headers["x-allowed-locations"] == DUMMY_BOUNDARY def test_before_request_metrics(): credentials = CredentialsImplWithMetrics() request = "token" headers = {} credentials.before_request(request, "http://example.com", "GET", headers) assert headers["x-goog-api-client"] == "foo" def test_anonymous_credentials_ctor(): anon = credentials.AnonymousCredentials() assert anon.token is None assert anon.expiry is None assert not anon.expired assert anon.valid def test_anonymous_credentials_refresh(): anon = credentials.AnonymousCredentials() request = object() with pytest.raises(ValueError): anon.refresh(request) def test_anonymous_credentials_apply_default(): anon = credentials.AnonymousCredentials() headers = {} anon.apply(headers) assert headers == {} with pytest.raises(ValueError): anon.apply(headers, token="TOKEN") def test_anonymous_credentials_before_request(): anon = credentials.AnonymousCredentials() request = object() method = "GET" url = "https://example.com/api/endpoint" headers = {} anon.before_request(request, method, url, headers) assert headers == {} class ReadOnlyScopedCredentialsImpl(credentials.ReadOnlyScoped, CredentialsImpl): @property def requires_scopes(self): return super(ReadOnlyScopedCredentialsImpl, self).requires_scopes def test_readonly_scoped_credentials_constructor(): credentials = ReadOnlyScopedCredentialsImpl() assert credentials._scopes is None def test_readonly_scoped_credentials_scopes(): credentials = ReadOnlyScopedCredentialsImpl() credentials._scopes = ["one", "two"] assert credentials.scopes == ["one", "two"] assert credentials.has_scopes(["one"]) assert credentials.has_scopes(["two"]) assert credentials.has_scopes(["one", "two"]) assert not credentials.has_scopes(["three"]) def test_readonly_scoped_credentials_requires_scopes(): credentials = ReadOnlyScopedCredentialsImpl() assert not credentials.requires_scopes class RequiresScopedCredentialsImpl(credentials.Scoped, CredentialsImpl): def __init__(self, scopes=None, default_scopes=None): super(RequiresScopedCredentialsImpl, self).__init__() self._scopes = scopes self._default_scopes = default_scopes @property def requires_scopes(self): return not self.scopes def with_scopes(self, scopes, default_scopes=None): return RequiresScopedCredentialsImpl( scopes=scopes, default_scopes=default_scopes ) def test_create_scoped_if_required_scoped(): unscoped_credentials = RequiresScopedCredentialsImpl() scoped_credentials = credentials.with_scopes_if_required( unscoped_credentials, ["one", "two"] ) assert scoped_credentials is not unscoped_credentials assert not scoped_credentials.requires_scopes assert scoped_credentials.has_scopes(["one", "two"]) def test_create_scoped_if_required_not_scopes(): unscoped_credentials = CredentialsImpl() scoped_credentials = credentials.with_scopes_if_required( unscoped_credentials, ["one", "two"] ) assert scoped_credentials is unscoped_credentials ��test_exceptions.py��0000644��00000003434�15025175543�0010351 0��ustar�00��# Copyright 2022 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import pytest # type: ignore from google.auth import exceptions # type:ignore @pytest.fixture( params=[ exceptions.GoogleAuthError, exceptions.TransportError, exceptions.RefreshError, exceptions.UserAccessTokenError, exceptions.DefaultCredentialsError, exceptions.MutualTLSChannelError, exceptions.OAuthError, exceptions.ReauthFailError, exceptions.ReauthSamlChallengeFailError, ] ) def retryable_exception(request): return request.param @pytest.fixture(params=[exceptions.ClientCertError]) def non_retryable_exception(request): return request.param def test_default_retryable_exceptions(retryable_exception): assert not retryable_exception().retryable @pytest.mark.parametrize("retryable", [True, False]) def test_retryable_exceptions(retryable_exception, retryable): retryable_exception = retryable_exception(retryable=retryable) assert retryable_exception.retryable == retryable @pytest.mark.parametrize("retryable", [True, False]) def test_non_retryable_exceptions(non_retryable_exception, retryable): non_retryable_exception = non_retryable_exception(retryable=retryable) assert not non_retryable_exception.retryable ��test__exponential_backoff.py��0000644��00000003164�15025175543�0012330 0��ustar�00��# Copyright 2022 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import mock from google.auth import _exponential_backoff @mock.patch("time.sleep", return_value=None) def test_exponential_backoff(mock_time): eb = _exponential_backoff.ExponentialBackoff() curr_wait = eb._current_wait_in_seconds iteration_count = 0 for attempt in eb: backoff_interval = mock_time.call_args[0][0] jitter = curr_wait * eb._randomization_factor assert (curr_wait - jitter) <= backoff_interval <= (curr_wait + jitter) assert attempt == iteration_count + 1 assert eb.backoff_count == iteration_count + 1 assert eb._current_wait_in_seconds == eb._multiplier ** (iteration_count + 1) curr_wait = eb._current_wait_in_seconds iteration_count += 1 assert eb.total_attempts == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS assert eb.backoff_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS assert iteration_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS assert mock_time.call_count == _exponential_backoff._DEFAULT_RETRY_TOTAL_ATTEMPTS ��transport/test__http_client.py��0000644��00000002146�15025175543�0012677 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import pytest # type: ignore from google.auth import exceptions import google.auth.transport._http_client from tests.transport import compliance class TestRequestResponse(compliance.RequestResponseTests): def make_request(self): return google.auth.transport._http_client.Request() def test_non_http(self): request = self.make_request() with pytest.raises(exceptions.TransportError) as excinfo: request(url="https://{}".format(compliance.NXDOMAIN), method="GET") assert excinfo.match("https") ��transport/compliance.py��0000644��00000007236�15025175543�0011303 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import http.client as http_client import time import flask # type: ignore import pytest # type: ignore from pytest_localserver.http import WSGIServer # type: ignore from google.auth import exceptions # .invalid will never resolve, see https://tools.ietf.org/html/rfc2606 NXDOMAIN = "test.invalid" class RequestResponseTests(object): @pytest.fixture(scope="module") def server(self): """Provides a test HTTP server. The test server is automatically created before a test and destroyed at the end. The server is serving a test application that can be used to verify requests. """ app = flask.Flask(__name__) app.debug = True # pylint: disable=unused-variable # (pylint thinks the flask routes are unusued.) @app.route("/basic") def index(): header_value = flask.request.headers.get("x-test-header", "value") headers = {"X-Test-Header": header_value} return "Basic Content", http_client.OK, headers @app.route("/server_error") def server_error(): return "Error", http_client.INTERNAL_SERVER_ERROR @app.route("/wait") def wait(): time.sleep(3) return "Waited" # pylint: enable=unused-variable server = WSGIServer(application=app.wsgi_app) server.start() yield server server.stop() def test_request_basic(self, server): request = self.make_request() response = request(url=server.url + "/basic", method="GET") assert response.status == http_client.OK assert response.headers["x-test-header"] == "value" assert response.data == b"Basic Content" def test_request_with_timeout_success(self, server): request = self.make_request() response = request(url=server.url + "/basic", method="GET", timeout=2) assert response.status == http_client.OK assert response.headers["x-test-header"] == "value" assert response.data == b"Basic Content" def test_request_with_timeout_failure(self, server): request = self.make_request() with pytest.raises(exceptions.TransportError): request(url=server.url + "/wait", method="GET", timeout=1) def test_request_headers(self, server): request = self.make_request() response = request( url=server.url + "/basic", method="GET", headers={"x-test-header": "hello world"}, ) assert response.status == http_client.OK assert response.headers["x-test-header"] == "hello world" assert response.data == b"Basic Content" def test_request_error(self, server): request = self.make_request() response = request(url=server.url + "/server_error", method="GET") assert response.status == http_client.INTERNAL_SERVER_ERROR assert response.data == b"Error" def test_connection_error(self): request = self.make_request() with pytest.raises(exceptions.TransportError): request(url="http://{}".format(NXDOMAIN), method="GET") ��transport/test_grpc.py��0000644��00000044055�15025175543�0011163 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import os import time import mock import pytest # type: ignore from google.auth import _helpers from google.auth import credentials from google.auth import environment_vars from google.auth import exceptions from google.auth import transport from google.oauth2 import service_account try: # pylint: disable=ungrouped-imports import grpc # type: ignore import google.auth.transport.grpc HAS_GRPC = True except ImportError: # pragma: NO COVER HAS_GRPC = False DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data") METADATA_PATH = os.path.join(DATA_DIR, "context_aware_metadata.json") with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh: PUBLIC_CERT_BYTES = fh.read() pytestmark = pytest.mark.skipif(not HAS_GRPC, reason="gRPC is unavailable.") class CredentialsStub(credentials.Credentials): def __init__(self, token="token"): super(CredentialsStub, self).__init__() self.token = token self.expiry = None def refresh(self, request): self.token += "1" def with_quota_project(self, quota_project_id): raise NotImplementedError() class TestAuthMetadataPlugin(object): def test_call_no_refresh(self): credentials = CredentialsStub() request = mock.create_autospec(transport.Request) plugin = google.auth.transport.grpc.AuthMetadataPlugin(credentials, request) context = mock.create_autospec(grpc.AuthMetadataContext, instance=True) context.method_name = mock.sentinel.method_name context.service_url = mock.sentinel.service_url callback = mock.create_autospec(grpc.AuthMetadataPluginCallback) plugin(context, callback) time.sleep(2) callback.assert_called_once_with( [("authorization", "Bearer {}".format(credentials.token))], None ) def test_call_refresh(self): credentials = CredentialsStub() credentials.expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD request = mock.create_autospec(transport.Request) plugin = google.auth.transport.grpc.AuthMetadataPlugin(credentials, request) context = mock.create_autospec(grpc.AuthMetadataContext, instance=True) context.method_name = mock.sentinel.method_name context.service_url = mock.sentinel.service_url callback = mock.create_autospec(grpc.AuthMetadataPluginCallback) plugin(context, callback) time.sleep(2) assert credentials.token == "token1" callback.assert_called_once_with( [("authorization", "Bearer {}".format(credentials.token))], None ) def test__get_authorization_headers_with_service_account(self): credentials = mock.create_autospec(service_account.Credentials) request = mock.create_autospec(transport.Request) plugin = google.auth.transport.grpc.AuthMetadataPlugin(credentials, request) context = mock.create_autospec(grpc.AuthMetadataContext, instance=True) context.method_name = "methodName" context.service_url = "https://pubsub.googleapis.com/methodName" plugin._get_authorization_headers(context) credentials._create_self_signed_jwt.assert_called_once_with(None) def test__get_authorization_headers_with_service_account_and_default_host(self): credentials = mock.create_autospec(service_account.Credentials) request = mock.create_autospec(transport.Request) default_host = "pubsub.googleapis.com" plugin = google.auth.transport.grpc.AuthMetadataPlugin( credentials, request, default_host=default_host ) context = mock.create_autospec(grpc.AuthMetadataContext, instance=True) context.method_name = "methodName" context.service_url = "https://pubsub.googleapis.com/methodName" plugin._get_authorization_headers(context) credentials._create_self_signed_jwt.assert_called_once_with( "https://{}/".format(default_host) ) @mock.patch( "google.auth.transport._mtls_helper.get_client_ssl_credentials", autospec=True ) @mock.patch("grpc.composite_channel_credentials", autospec=True) @mock.patch("grpc.metadata_call_credentials", autospec=True) @mock.patch("grpc.ssl_channel_credentials", autospec=True) @mock.patch("grpc.secure_channel", autospec=True) class TestSecureAuthorizedChannel(object): @mock.patch( "google.auth.transport._mtls_helper._read_dca_metadata_file", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) def test_secure_authorized_channel_adc( self, check_dca_metadata_path, read_dca_metadata_file, secure_channel, ssl_channel_credentials, metadata_call_credentials, composite_channel_credentials, get_client_ssl_credentials, ): credentials = CredentialsStub() request = mock.create_autospec(transport.Request) target = "example.com:80" # Mock the context aware metadata and client cert/key so mTLS SSL channel # will be used. check_dca_metadata_path.return_value = METADATA_PATH read_dca_metadata_file.return_value = { "cert_provider_command": ["some command"] } get_client_ssl_credentials.return_value = ( True, PUBLIC_CERT_BYTES, PRIVATE_KEY_BYTES, None, ) channel = None with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): channel = google.auth.transport.grpc.secure_authorized_channel( credentials, request, target, options=mock.sentinel.options ) # Check the auth plugin construction. auth_plugin = metadata_call_credentials.call_args[0][0] assert isinstance(auth_plugin, google.auth.transport.grpc.AuthMetadataPlugin) assert auth_plugin._credentials == credentials assert auth_plugin._request == request # Check the ssl channel call. ssl_channel_credentials.assert_called_once_with( certificate_chain=PUBLIC_CERT_BYTES, private_key=PRIVATE_KEY_BYTES ) # Check the composite credentials call. composite_channel_credentials.assert_called_once_with( ssl_channel_credentials.return_value, metadata_call_credentials.return_value ) # Check the channel call. secure_channel.assert_called_once_with( target, composite_channel_credentials.return_value, options=mock.sentinel.options, ) assert channel == secure_channel.return_value @mock.patch("google.auth.transport.grpc.SslCredentials", autospec=True) def test_secure_authorized_channel_adc_without_client_cert_env( self, ssl_credentials_adc_method, secure_channel, ssl_channel_credentials, metadata_call_credentials, composite_channel_credentials, get_client_ssl_credentials, ): # Test client cert won't be used if GOOGLE_API_USE_CLIENT_CERTIFICATE # environment variable is not set. credentials = CredentialsStub() request = mock.create_autospec(transport.Request) target = "example.com:80" channel = google.auth.transport.grpc.secure_authorized_channel( credentials, request, target, options=mock.sentinel.options ) # Check the auth plugin construction. auth_plugin = metadata_call_credentials.call_args[0][0] assert isinstance(auth_plugin, google.auth.transport.grpc.AuthMetadataPlugin) assert auth_plugin._credentials == credentials assert auth_plugin._request == request # Check the ssl channel call. ssl_channel_credentials.assert_called_once() ssl_credentials_adc_method.assert_not_called() # Check the composite credentials call. composite_channel_credentials.assert_called_once_with( ssl_channel_credentials.return_value, metadata_call_credentials.return_value ) # Check the channel call. secure_channel.assert_called_once_with( target, composite_channel_credentials.return_value, options=mock.sentinel.options, ) assert channel == secure_channel.return_value def test_secure_authorized_channel_explicit_ssl( self, secure_channel, ssl_channel_credentials, metadata_call_credentials, composite_channel_credentials, get_client_ssl_credentials, ): credentials = mock.Mock() request = mock.Mock() target = "example.com:80" ssl_credentials = mock.Mock() google.auth.transport.grpc.secure_authorized_channel( credentials, request, target, ssl_credentials=ssl_credentials ) # Since explicit SSL credentials are provided, get_client_ssl_credentials # shouldn't be called. assert not get_client_ssl_credentials.called # Check the ssl channel call. assert not ssl_channel_credentials.called # Check the composite credentials call. composite_channel_credentials.assert_called_once_with( ssl_credentials, metadata_call_credentials.return_value ) def test_secure_authorized_channel_mutual_exclusive( self, secure_channel, ssl_channel_credentials, metadata_call_credentials, composite_channel_credentials, get_client_ssl_credentials, ): credentials = mock.Mock() request = mock.Mock() target = "example.com:80" ssl_credentials = mock.Mock() client_cert_callback = mock.Mock() with pytest.raises(ValueError): google.auth.transport.grpc.secure_authorized_channel( credentials, request, target, ssl_credentials=ssl_credentials, client_cert_callback=client_cert_callback, ) def test_secure_authorized_channel_with_client_cert_callback_success( self, secure_channel, ssl_channel_credentials, metadata_call_credentials, composite_channel_credentials, get_client_ssl_credentials, ): credentials = mock.Mock() request = mock.Mock() target = "example.com:80" client_cert_callback = mock.Mock() client_cert_callback.return_value = (PUBLIC_CERT_BYTES, PRIVATE_KEY_BYTES) with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): google.auth.transport.grpc.secure_authorized_channel( credentials, request, target, client_cert_callback=client_cert_callback ) client_cert_callback.assert_called_once() # Check we are using the cert and key provided by client_cert_callback. ssl_channel_credentials.assert_called_once_with( certificate_chain=PUBLIC_CERT_BYTES, private_key=PRIVATE_KEY_BYTES ) # Check the composite credentials call. composite_channel_credentials.assert_called_once_with( ssl_channel_credentials.return_value, metadata_call_credentials.return_value ) @mock.patch( "google.auth.transport._mtls_helper._read_dca_metadata_file", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) def test_secure_authorized_channel_with_client_cert_callback_failure( self, check_dca_metadata_path, read_dca_metadata_file, secure_channel, ssl_channel_credentials, metadata_call_credentials, composite_channel_credentials, get_client_ssl_credentials, ): credentials = mock.Mock() request = mock.Mock() target = "example.com:80" client_cert_callback = mock.Mock() client_cert_callback.side_effect = Exception("callback exception") with pytest.raises(Exception) as excinfo: with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): google.auth.transport.grpc.secure_authorized_channel( credentials, request, target, client_cert_callback=client_cert_callback, ) assert str(excinfo.value) == "callback exception" def test_secure_authorized_channel_cert_callback_without_client_cert_env( self, secure_channel, ssl_channel_credentials, metadata_call_credentials, composite_channel_credentials, get_client_ssl_credentials, ): # Test client cert won't be used if GOOGLE_API_USE_CLIENT_CERTIFICATE # environment variable is not set. credentials = mock.Mock() request = mock.Mock() target = "example.com:80" client_cert_callback = mock.Mock() google.auth.transport.grpc.secure_authorized_channel( credentials, request, target, client_cert_callback=client_cert_callback ) # Check client_cert_callback is not called because GOOGLE_API_USE_CLIENT_CERTIFICATE # is not set. client_cert_callback.assert_not_called() ssl_channel_credentials.assert_called_once() # Check the composite credentials call. composite_channel_credentials.assert_called_once_with( ssl_channel_credentials.return_value, metadata_call_credentials.return_value ) @mock.patch("grpc.ssl_channel_credentials", autospec=True) @mock.patch( "google.auth.transport._mtls_helper.get_client_ssl_credentials", autospec=True ) @mock.patch("google.auth.transport._mtls_helper._read_dca_metadata_file", autospec=True) @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) class TestSslCredentials(object): def test_no_context_aware_metadata( self, mock_check_dca_metadata_path, mock_read_dca_metadata_file, mock_get_client_ssl_credentials, mock_ssl_channel_credentials, ): # Mock that the metadata file doesn't exist. mock_check_dca_metadata_path.return_value = None with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): ssl_credentials = google.auth.transport.grpc.SslCredentials() # Since no context aware metadata is found, we wouldn't call # get_client_ssl_credentials, and the SSL channel credentials created is # non mTLS. assert ssl_credentials.ssl_credentials is not None assert not ssl_credentials.is_mtls mock_get_client_ssl_credentials.assert_not_called() mock_ssl_channel_credentials.assert_called_once_with() def test_get_client_ssl_credentials_failure( self, mock_check_dca_metadata_path, mock_read_dca_metadata_file, mock_get_client_ssl_credentials, mock_ssl_channel_credentials, ): mock_check_dca_metadata_path.return_value = METADATA_PATH mock_read_dca_metadata_file.return_value = { "cert_provider_command": ["some command"] } # Mock that client cert and key are not loaded and exception is raised. mock_get_client_ssl_credentials.side_effect = exceptions.ClientCertError() with pytest.raises(exceptions.MutualTLSChannelError): with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): assert google.auth.transport.grpc.SslCredentials().ssl_credentials def test_get_client_ssl_credentials_success( self, mock_check_dca_metadata_path, mock_read_dca_metadata_file, mock_get_client_ssl_credentials, mock_ssl_channel_credentials, ): mock_check_dca_metadata_path.return_value = METADATA_PATH mock_read_dca_metadata_file.return_value = { "cert_provider_command": ["some command"] } mock_get_client_ssl_credentials.return_value = ( True, PUBLIC_CERT_BYTES, PRIVATE_KEY_BYTES, None, ) with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): ssl_credentials = google.auth.transport.grpc.SslCredentials() assert ssl_credentials.ssl_credentials is not None assert ssl_credentials.is_mtls mock_get_client_ssl_credentials.assert_called_once() mock_ssl_channel_credentials.assert_called_once_with( certificate_chain=PUBLIC_CERT_BYTES, private_key=PRIVATE_KEY_BYTES ) def test_get_client_ssl_credentials_without_client_cert_env( self, mock_check_dca_metadata_path, mock_read_dca_metadata_file, mock_get_client_ssl_credentials, mock_ssl_channel_credentials, ): # Test client cert won't be used if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set. ssl_credentials = google.auth.transport.grpc.SslCredentials() assert ssl_credentials.ssl_credentials is not None assert not ssl_credentials.is_mtls mock_check_dca_metadata_path.assert_not_called() mock_read_dca_metadata_file.assert_not_called() mock_get_client_ssl_credentials.assert_not_called() mock_ssl_channel_credentials.assert_called_once() ��transport/test_requests.py��0000644��00000052603�15025175543�0012101 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import functools import http.client as http_client import os import sys import freezegun import mock import OpenSSL import pytest # type: ignore import requests import requests.adapters from google.auth import environment_vars from google.auth import exceptions import google.auth.credentials import google.auth.transport._custom_tls_signer import google.auth.transport._mtls_helper import google.auth.transport.requests from google.oauth2 import service_account from tests.transport import compliance @pytest.fixture def frozen_time(): with freezegun.freeze_time("1970-01-01 00:00:00", tick=False) as frozen: yield frozen class TestRequestResponse(compliance.RequestResponseTests): def make_request(self): return google.auth.transport.requests.Request() def test_timeout(self): http = mock.create_autospec(requests.Session, instance=True) request = google.auth.transport.requests.Request(http) request(url="http://example.com", method="GET", timeout=5) assert http.request.call_args[1]["timeout"] == 5 def test_session_closed_on_del(self): http = mock.create_autospec(requests.Session, instance=True) request = google.auth.transport.requests.Request(http) request.__del__() http.close.assert_called_with() http = mock.create_autospec(requests.Session, instance=True) http.close.side_effect = TypeError("test injected TypeError") request = google.auth.transport.requests.Request(http) request.__del__() http.close.assert_called_with() class TestTimeoutGuard(object): def make_guard(self, args, kwargs): return google.auth.transport.requests.TimeoutGuard(args, kwargs) def test_tracks_elapsed_time_w_numeric_timeout(self, frozen_time): with self.make_guard(timeout=10) as guard: frozen_time.tick(delta=datetime.timedelta(seconds=3.8)) assert guard.remaining_timeout == 6.2 def test_tracks_elapsed_time_w_tuple_timeout(self, frozen_time): with self.make_guard(timeout=(16, 19)) as guard: frozen_time.tick(delta=datetime.timedelta(seconds=3.8)) assert guard.remaining_timeout == (12.2, 15.2) def test_noop_if_no_timeout(self, frozen_time): with self.make_guard(timeout=None) as guard: frozen_time.tick(delta=datetime.timedelta(days=3650)) # NOTE: no timeout error raised, despite years have passed assert guard.remaining_timeout is None def test_timeout_error_w_numeric_timeout(self, frozen_time): with pytest.raises(requests.exceptions.Timeout): with self.make_guard(timeout=10) as guard: frozen_time.tick(delta=datetime.timedelta(seconds=10.001)) assert guard.remaining_timeout == pytest.approx(-0.001) def test_timeout_error_w_tuple_timeout(self, frozen_time): with pytest.raises(requests.exceptions.Timeout): with self.make_guard(timeout=(11, 10)) as guard: frozen_time.tick(delta=datetime.timedelta(seconds=10.001)) assert guard.remaining_timeout == pytest.approx((0.999, -0.001)) def test_custom_timeout_error_type(self, frozen_time): class FooError(Exception): pass with pytest.raises(FooError): with self.make_guard(timeout=1, timeout_error_type=FooError): frozen_time.tick(delta=datetime.timedelta(seconds=2)) def test_lets_suite_errors_bubble_up(self, frozen_time): with pytest.raises(IndexError): with self.make_guard(timeout=1): [1, 2, 3][3] class CredentialsStub(google.auth.credentials.Credentials): def __init__(self, token="token"): super(CredentialsStub, self).__init__() self.token = token def apply(self, headers, token=None): headers["authorization"] = self.token def before_request(self, request, method, url, headers): self.apply(headers) def refresh(self, request): self.token += "1" def with_quota_project(self, quota_project_id): raise NotImplementedError() class TimeTickCredentialsStub(CredentialsStub): """Credentials that spend some (mocked) time when refreshing a token.""" def __init__(self, time_tick, token="token"): self._time_tick = time_tick super(TimeTickCredentialsStub, self).__init__(token=token) def refresh(self, request): self._time_tick() super(TimeTickCredentialsStub, self).refresh(requests) class AdapterStub(requests.adapters.BaseAdapter): def __init__(self, responses, headers=None): super(AdapterStub, self).__init__() self.responses = responses self.requests = [] self.headers = headers or {} def send(self, request, kwargs): # pylint: disable=arguments-differ # request is the only required argument here and the only argument # we care about. self.requests.append(request) return self.responses.pop(0) def close(self): # pragma: NO COVER # pylint wants this to be here because it's abstract in the base # class, but requests never actually calls it. return class TimeTickAdapterStub(AdapterStub): """Adapter that spends some (mocked) time when making a request.""" def __init__(self, time_tick, responses, headers=None): self._time_tick = time_tick super(TimeTickAdapterStub, self).__init__(responses, headers=headers) def send(self, request, kwargs): self._time_tick() return super(TimeTickAdapterStub, self).send(request, kwargs) class TestMutualTlsAdapter(object): @mock.patch.object(requests.adapters.HTTPAdapter, "init_poolmanager") @mock.patch.object(requests.adapters.HTTPAdapter, "proxy_manager_for") def test_success(self, mock_proxy_manager_for, mock_init_poolmanager): adapter = google.auth.transport.requests._MutualTlsAdapter( pytest.public_cert_bytes, pytest.private_key_bytes ) adapter.init_poolmanager() mock_init_poolmanager.assert_called_with(ssl_context=adapter._ctx_poolmanager) adapter.proxy_manager_for() mock_proxy_manager_for.assert_called_with(ssl_context=adapter._ctx_proxymanager) def test_invalid_cert_or_key(self): with pytest.raises(OpenSSL.crypto.Error): google.auth.transport.requests._MutualTlsAdapter( b"invalid cert", b"invalid key" ) @mock.patch.dict("sys.modules", {"OpenSSL.crypto": None}) def test_import_error(self): with pytest.raises(ImportError): google.auth.transport.requests._MutualTlsAdapter( pytest.public_cert_bytes, pytest.private_key_bytes ) def make_response(status=http_client.OK, data=None): response = requests.Response() response.status_code = status response._content = data return response class TestAuthorizedSession(object): TEST_URL = "http://example.com/" def test_constructor(self): authed_session = google.auth.transport.requests.AuthorizedSession( mock.sentinel.credentials ) assert authed_session.credentials == mock.sentinel.credentials def test_constructor_with_auth_request(self): http = mock.create_autospec(requests.Session) auth_request = google.auth.transport.requests.Request(http) authed_session = google.auth.transport.requests.AuthorizedSession( mock.sentinel.credentials, auth_request=auth_request ) assert authed_session._auth_request is auth_request def test_request_default_timeout(self): credentials = mock.Mock(wraps=CredentialsStub()) response = make_response() adapter = AdapterStub([response]) authed_session = google.auth.transport.requests.AuthorizedSession(credentials) authed_session.mount(self.TEST_URL, adapter) patcher = mock.patch("google.auth.transport.requests.requests.Session.request") with patcher as patched_request: authed_session.request("GET", self.TEST_URL) expected_timeout = google.auth.transport.requests._DEFAULT_TIMEOUT assert patched_request.call_args[1]["timeout"] == expected_timeout def test_request_no_refresh(self): credentials = mock.Mock(wraps=CredentialsStub()) response = make_response() adapter = AdapterStub([response]) authed_session = google.auth.transport.requests.AuthorizedSession(credentials) authed_session.mount(self.TEST_URL, adapter) result = authed_session.request("GET", self.TEST_URL) assert response == result assert credentials.before_request.called assert not credentials.refresh.called assert len(adapter.requests) == 1 assert adapter.requests[0].url == self.TEST_URL assert adapter.requests[0].headers["authorization"] == "token" def test_request_refresh(self): credentials = mock.Mock(wraps=CredentialsStub()) final_response = make_response(status=http_client.OK) # First request will 401, second request will succeed. adapter = AdapterStub( [make_response(status=http_client.UNAUTHORIZED), final_response] ) authed_session = google.auth.transport.requests.AuthorizedSession( credentials, refresh_timeout=60 ) authed_session.mount(self.TEST_URL, adapter) result = authed_session.request("GET", self.TEST_URL) assert result == final_response assert credentials.before_request.call_count == 2 assert credentials.refresh.called assert len(adapter.requests) == 2 assert adapter.requests[0].url == self.TEST_URL assert adapter.requests[0].headers["authorization"] == "token" assert adapter.requests[1].url == self.TEST_URL assert adapter.requests[1].headers["authorization"] == "token1" def test_request_max_allowed_time_timeout_error(self, frozen_time): tick_one_second = functools.partial( frozen_time.tick, delta=datetime.timedelta(seconds=1.0) ) credentials = mock.Mock( wraps=TimeTickCredentialsStub(time_tick=tick_one_second) ) adapter = TimeTickAdapterStub( time_tick=tick_one_second, responses=[make_response(status=http_client.OK)] ) authed_session = google.auth.transport.requests.AuthorizedSession(credentials) authed_session.mount(self.TEST_URL, adapter) # Because a request takes a full mocked second, max_allowed_time shorter # than that will cause a timeout error. with pytest.raises(requests.exceptions.Timeout): authed_session.request("GET", self.TEST_URL, max_allowed_time=0.9) def test_request_max_allowed_time_w_transport_timeout_no_error(self, frozen_time): tick_one_second = functools.partial( frozen_time.tick, delta=datetime.timedelta(seconds=1.0) ) credentials = mock.Mock( wraps=TimeTickCredentialsStub(time_tick=tick_one_second) ) adapter = TimeTickAdapterStub( time_tick=tick_one_second, responses=[ make_response(status=http_client.UNAUTHORIZED), make_response(status=http_client.OK), ], ) authed_session = google.auth.transport.requests.AuthorizedSession(credentials) authed_session.mount(self.TEST_URL, adapter) # A short configured transport timeout does not affect max_allowed_time. # The latter is not adjusted to it and is only concerned with the actual # execution time. The call below should thus not raise a timeout error. authed_session.request("GET", self.TEST_URL, timeout=0.5, max_allowed_time=3.1) def test_request_max_allowed_time_w_refresh_timeout_no_error(self, frozen_time): tick_one_second = functools.partial( frozen_time.tick, delta=datetime.timedelta(seconds=1.0) ) credentials = mock.Mock( wraps=TimeTickCredentialsStub(time_tick=tick_one_second) ) adapter = TimeTickAdapterStub( time_tick=tick_one_second, responses=[ make_response(status=http_client.UNAUTHORIZED), make_response(status=http_client.OK), ], ) authed_session = google.auth.transport.requests.AuthorizedSession( credentials, refresh_timeout=1.1 ) authed_session.mount(self.TEST_URL, adapter) # A short configured refresh timeout does not affect max_allowed_time. # The latter is not adjusted to it and is only concerned with the actual # execution time. The call below should thus not raise a timeout error # (and `timeout` does not come into play either, as it's very long). authed_session.request("GET", self.TEST_URL, timeout=60, max_allowed_time=3.1) def test_request_timeout_w_refresh_timeout_timeout_error(self, frozen_time): tick_one_second = functools.partial( frozen_time.tick, delta=datetime.timedelta(seconds=1.0) ) credentials = mock.Mock( wraps=TimeTickCredentialsStub(time_tick=tick_one_second) ) adapter = TimeTickAdapterStub( time_tick=tick_one_second, responses=[ make_response(status=http_client.UNAUTHORIZED), make_response(status=http_client.OK), ], ) authed_session = google.auth.transport.requests.AuthorizedSession( credentials, refresh_timeout=100 ) authed_session.mount(self.TEST_URL, adapter) # An UNAUTHORIZED response triggers a refresh (an extra request), thus # the final request that otherwise succeeds results in a timeout error # (all three requests together last 3 mocked seconds). with pytest.raises(requests.exceptions.Timeout): authed_session.request( "GET", self.TEST_URL, timeout=60, max_allowed_time=2.9 ) def test_authorized_session_without_default_host(self): credentials = mock.create_autospec(service_account.Credentials) authed_session = google.auth.transport.requests.AuthorizedSession(credentials) authed_session.credentials._create_self_signed_jwt.assert_called_once_with(None) def test_authorized_session_with_default_host(self): default_host = "pubsub.googleapis.com" credentials = mock.create_autospec(service_account.Credentials) authed_session = google.auth.transport.requests.AuthorizedSession( credentials, default_host=default_host ) authed_session.credentials._create_self_signed_jwt.assert_called_once_with( "https://{}/".format(default_host) ) def test_configure_mtls_channel_with_callback(self): mock_callback = mock.Mock() mock_callback.return_value = ( pytest.public_cert_bytes, pytest.private_key_bytes, ) auth_session = google.auth.transport.requests.AuthorizedSession( credentials=mock.Mock() ) with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): auth_session.configure_mtls_channel(mock_callback) assert auth_session.is_mtls assert isinstance( auth_session.adapters["https://"], google.auth.transport.requests._MutualTlsAdapter, ) @mock.patch( "google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True ) def test_configure_mtls_channel_with_metadata(self, mock_get_client_cert_and_key): mock_get_client_cert_and_key.return_value = ( True, pytest.public_cert_bytes, pytest.private_key_bytes, ) auth_session = google.auth.transport.requests.AuthorizedSession( credentials=mock.Mock() ) with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): auth_session.configure_mtls_channel() assert auth_session.is_mtls assert isinstance( auth_session.adapters["https://"], google.auth.transport.requests._MutualTlsAdapter, ) @mock.patch.object(google.auth.transport.requests._MutualTlsAdapter, "__init__") @mock.patch( "google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True ) def test_configure_mtls_channel_non_mtls( self, mock_get_client_cert_and_key, mock_adapter_ctor ): mock_get_client_cert_and_key.return_value = (False, None, None) auth_session = google.auth.transport.requests.AuthorizedSession( credentials=mock.Mock() ) with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): auth_session.configure_mtls_channel() assert not auth_session.is_mtls # Assert _MutualTlsAdapter constructor is not called. mock_adapter_ctor.assert_not_called() @mock.patch( "google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True ) def test_configure_mtls_channel_exceptions(self, mock_get_client_cert_and_key): mock_get_client_cert_and_key.side_effect = exceptions.ClientCertError() auth_session = google.auth.transport.requests.AuthorizedSession( credentials=mock.Mock() ) with pytest.raises(exceptions.MutualTLSChannelError): with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): auth_session.configure_mtls_channel() mock_get_client_cert_and_key.return_value = (False, None, None) with mock.patch.dict("sys.modules"): sys.modules["OpenSSL"] = None with pytest.raises(exceptions.MutualTLSChannelError): with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"}, ): auth_session.configure_mtls_channel() @mock.patch( "google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True ) def test_configure_mtls_channel_without_client_cert_env( self, get_client_cert_and_key ): # Test client cert won't be used if GOOGLE_API_USE_CLIENT_CERTIFICATE # environment variable is not set. auth_session = google.auth.transport.requests.AuthorizedSession( credentials=mock.Mock() ) auth_session.configure_mtls_channel() assert not auth_session.is_mtls get_client_cert_and_key.assert_not_called() mock_callback = mock.Mock() auth_session.configure_mtls_channel(mock_callback) assert not auth_session.is_mtls mock_callback.assert_not_called() def test_close_wo_passed_in_auth_request(self): authed_session = google.auth.transport.requests.AuthorizedSession( mock.sentinel.credentials ) authed_session._auth_request_session = mock.Mock(spec=["close"]) authed_session.close() authed_session._auth_request_session.close.assert_called_once_with() def test_close_w_passed_in_auth_request(self): http = mock.create_autospec(requests.Session) auth_request = google.auth.transport.requests.Request(http) authed_session = google.auth.transport.requests.AuthorizedSession( mock.sentinel.credentials, auth_request=auth_request ) authed_session.close() # no raise class TestMutualTlsOffloadAdapter(object): @mock.patch.object(requests.adapters.HTTPAdapter, "init_poolmanager") @mock.patch.object(requests.adapters.HTTPAdapter, "proxy_manager_for") @mock.patch.object( google.auth.transport._custom_tls_signer.CustomTlsSigner, "load_libraries" ) @mock.patch.object( google.auth.transport._custom_tls_signer.CustomTlsSigner, "set_up_custom_key" ) @mock.patch.object( google.auth.transport._custom_tls_signer.CustomTlsSigner, "attach_to_ssl_context", ) def test_success( self, mock_attach_to_ssl_context, mock_set_up_custom_key, mock_load_libraries, mock_proxy_manager_for, mock_init_poolmanager, ): enterprise_cert_file_path = "/path/to/enterprise/cert/json" adapter = google.auth.transport.requests._MutualTlsOffloadAdapter( enterprise_cert_file_path ) mock_load_libraries.assert_called_once() mock_set_up_custom_key.assert_called_once() assert mock_attach_to_ssl_context.call_count == 2 adapter.init_poolmanager() mock_init_poolmanager.assert_called_with(ssl_context=adapter._ctx_poolmanager) adapter.proxy_manager_for() mock_proxy_manager_for.assert_called_with(ssl_context=adapter._ctx_proxymanager) ��transport/test_urllib3.py��0000644��00000026360�15025175543�0011603 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import http.client as http_client import os import sys import mock import OpenSSL import pytest # type: ignore import urllib3 # type: ignore from google.auth import environment_vars from google.auth import exceptions import google.auth.credentials import google.auth.transport._mtls_helper import google.auth.transport.urllib3 from google.oauth2 import service_account from tests.transport import compliance class TestRequestResponse(compliance.RequestResponseTests): def make_request(self): http = urllib3.PoolManager() return google.auth.transport.urllib3.Request(http) def test_timeout(self): http = mock.create_autospec(urllib3.PoolManager) request = google.auth.transport.urllib3.Request(http) request(url="http://example.com", method="GET", timeout=5) assert http.request.call_args[1]["timeout"] == 5 def test__make_default_http_with_certifi(): http = google.auth.transport.urllib3._make_default_http() assert "cert_reqs" in http.connection_pool_kw @mock.patch.object(google.auth.transport.urllib3, "certifi", new=None) def test__make_default_http_without_certifi(): http = google.auth.transport.urllib3._make_default_http() assert "cert_reqs" not in http.connection_pool_kw class CredentialsStub(google.auth.credentials.Credentials): def __init__(self, token="token"): super(CredentialsStub, self).__init__() self.token = token def apply(self, headers, token=None): headers["authorization"] = self.token def before_request(self, request, method, url, headers): self.apply(headers) def refresh(self, request): self.token += "1" def with_quota_project(self, quota_project_id): raise NotImplementedError() class HttpStub(object): def __init__(self, responses, headers=None): self.responses = responses self.requests = [] self.headers = headers or {} def urlopen(self, method, url, body=None, headers=None, kwargs): self.requests.append((method, url, body, headers, kwargs)) return self.responses.pop(0) def clear(self): pass class ResponseStub(object): def __init__(self, status=http_client.OK, data=None): self.status = status self.data = data class TestMakeMutualTlsHttp(object): def test_success(self): http = google.auth.transport.urllib3._make_mutual_tls_http( pytest.public_cert_bytes, pytest.private_key_bytes ) assert isinstance(http, urllib3.PoolManager) def test_crypto_error(self): with pytest.raises(OpenSSL.crypto.Error): google.auth.transport.urllib3._make_mutual_tls_http( b"invalid cert", b"invalid key" ) @mock.patch.dict("sys.modules", {"OpenSSL.crypto": None}) def test_import_error(self): with pytest.raises(ImportError): google.auth.transport.urllib3._make_mutual_tls_http( pytest.public_cert_bytes, pytest.private_key_bytes ) class TestAuthorizedHttp(object): TEST_URL = "http://example.com" def test_authed_http_defaults(self): authed_http = google.auth.transport.urllib3.AuthorizedHttp( mock.sentinel.credentials ) assert authed_http.credentials == mock.sentinel.credentials assert isinstance(authed_http.http, urllib3.PoolManager) def test_urlopen_no_refresh(self): credentials = mock.Mock(wraps=CredentialsStub()) response = ResponseStub() http = HttpStub([response]) authed_http = google.auth.transport.urllib3.AuthorizedHttp( credentials, http=http ) result = authed_http.urlopen("GET", self.TEST_URL) assert result == response assert credentials.before_request.called assert not credentials.refresh.called assert http.requests == [ ("GET", self.TEST_URL, None, {"authorization": "token"}, {}) ] def test_urlopen_refresh(self): credentials = mock.Mock(wraps=CredentialsStub()) final_response = ResponseStub(status=http_client.OK) # First request will 401, second request will succeed. http = HttpStub([ResponseStub(status=http_client.UNAUTHORIZED), final_response]) authed_http = google.auth.transport.urllib3.AuthorizedHttp( credentials, http=http ) authed_http = authed_http.urlopen("GET", "http://example.com") assert authed_http == final_response assert credentials.before_request.call_count == 2 assert credentials.refresh.called assert http.requests == [ ("GET", self.TEST_URL, None, {"authorization": "token"}, {}), ("GET", self.TEST_URL, None, {"authorization": "token1"}, {}), ] def test_urlopen_no_default_host(self): credentials = mock.create_autospec(service_account.Credentials) authed_http = google.auth.transport.urllib3.AuthorizedHttp(credentials) authed_http.credentials._create_self_signed_jwt.assert_called_once_with(None) def test_urlopen_with_default_host(self): default_host = "pubsub.googleapis.com" credentials = mock.create_autospec(service_account.Credentials) authed_http = google.auth.transport.urllib3.AuthorizedHttp( credentials, default_host=default_host ) authed_http.credentials._create_self_signed_jwt.assert_called_once_with( "https://{}/".format(default_host) ) def test_proxies(self): http = mock.create_autospec(urllib3.PoolManager) authed_http = google.auth.transport.urllib3.AuthorizedHttp(None, http=http) with authed_http: pass assert http.__enter__.called assert http.__exit__.called authed_http.headers = mock.sentinel.headers assert authed_http.headers == http.headers @mock.patch("google.auth.transport.urllib3._make_mutual_tls_http", autospec=True) def test_configure_mtls_channel_with_callback(self, mock_make_mutual_tls_http): callback = mock.Mock() callback.return_value = (pytest.public_cert_bytes, pytest.private_key_bytes) authed_http = google.auth.transport.urllib3.AuthorizedHttp( credentials=mock.Mock(), http=mock.Mock() ) with pytest.warns(UserWarning): with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): is_mtls = authed_http.configure_mtls_channel(callback) assert is_mtls mock_make_mutual_tls_http.assert_called_once_with( cert=pytest.public_cert_bytes, key=pytest.private_key_bytes ) @mock.patch("google.auth.transport.urllib3._make_mutual_tls_http", autospec=True) @mock.patch( "google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True ) def test_configure_mtls_channel_with_metadata( self, mock_get_client_cert_and_key, mock_make_mutual_tls_http ): authed_http = google.auth.transport.urllib3.AuthorizedHttp( credentials=mock.Mock() ) mock_get_client_cert_and_key.return_value = ( True, pytest.public_cert_bytes, pytest.private_key_bytes, ) with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): is_mtls = authed_http.configure_mtls_channel() assert is_mtls mock_get_client_cert_and_key.assert_called_once() mock_make_mutual_tls_http.assert_called_once_with( cert=pytest.public_cert_bytes, key=pytest.private_key_bytes ) @mock.patch("google.auth.transport.urllib3._make_mutual_tls_http", autospec=True) @mock.patch( "google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True ) def test_configure_mtls_channel_non_mtls( self, mock_get_client_cert_and_key, mock_make_mutual_tls_http ): authed_http = google.auth.transport.urllib3.AuthorizedHttp( credentials=mock.Mock() ) mock_get_client_cert_and_key.return_value = (False, None, None) with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): is_mtls = authed_http.configure_mtls_channel() assert not is_mtls mock_get_client_cert_and_key.assert_called_once() mock_make_mutual_tls_http.assert_not_called() @mock.patch( "google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True ) def test_configure_mtls_channel_exceptions(self, mock_get_client_cert_and_key): authed_http = google.auth.transport.urllib3.AuthorizedHttp( credentials=mock.Mock() ) mock_get_client_cert_and_key.side_effect = exceptions.ClientCertError() with pytest.raises(exceptions.MutualTLSChannelError): with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"} ): authed_http.configure_mtls_channel() mock_get_client_cert_and_key.return_value = (False, None, None) with mock.patch.dict("sys.modules"): sys.modules["OpenSSL"] = None with pytest.raises(exceptions.MutualTLSChannelError): with mock.patch.dict( os.environ, {environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE: "true"}, ): authed_http.configure_mtls_channel() @mock.patch( "google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True ) def test_configure_mtls_channel_without_client_cert_env( self, get_client_cert_and_key ): callback = mock.Mock() authed_http = google.auth.transport.urllib3.AuthorizedHttp( credentials=mock.Mock(), http=mock.Mock() ) # Test the callback is not called if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set. is_mtls = authed_http.configure_mtls_channel(callback) assert not is_mtls callback.assert_not_called() # Test ADC client cert is not used if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set. is_mtls = authed_http.configure_mtls_channel(callback) assert not is_mtls get_client_cert_and_key.assert_not_called() def test_clear_pool_on_del(self): http = mock.create_autospec(urllib3.PoolManager) authed_http = google.auth.transport.urllib3.AuthorizedHttp( mock.sentinel.credentials, http=http ) authed_http.__del__() http.clear.assert_called_with() authed_http.http = None authed_http.__del__() # Expect it to not crash ��transport/test_mtls.py��0000644��00000006502�15025175543�0011202 0��ustar�00��# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import mock import pytest # type: ignore from google.auth import exceptions from google.auth.transport import mtls @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) def test_has_default_client_cert_source(check_dca_metadata_path): check_dca_metadata_path.return_value = mock.Mock() assert mtls.has_default_client_cert_source() check_dca_metadata_path.return_value = None assert not mtls.has_default_client_cert_source() @mock.patch("google.auth.transport._mtls_helper.get_client_cert_and_key", autospec=True) @mock.patch("google.auth.transport.mtls.has_default_client_cert_source", autospec=True) def test_default_client_cert_source( has_default_client_cert_source, get_client_cert_and_key ): # Test default client cert source doesn't exist. has_default_client_cert_source.return_value = False with pytest.raises(exceptions.MutualTLSChannelError): mtls.default_client_cert_source() # The following tests will assume default client cert source exists. has_default_client_cert_source.return_value = True # Test good callback. get_client_cert_and_key.return_value = (True, b"cert", b"key") callback = mtls.default_client_cert_source() assert callback() == (b"cert", b"key") # Test bad callback which throws exception. get_client_cert_and_key.side_effect = ValueError() callback = mtls.default_client_cert_source() with pytest.raises(exceptions.MutualTLSChannelError): callback() @mock.patch( "google.auth.transport._mtls_helper.get_client_ssl_credentials", autospec=True ) @mock.patch("google.auth.transport.mtls.has_default_client_cert_source", autospec=True) def test_default_client_encrypted_cert_source( has_default_client_cert_source, get_client_ssl_credentials ): # Test default client cert source doesn't exist. has_default_client_cert_source.return_value = False with pytest.raises(exceptions.MutualTLSChannelError): mtls.default_client_encrypted_cert_source("cert_path", "key_path") # The following tests will assume default client cert source exists. has_default_client_cert_source.return_value = True # Test good callback. get_client_ssl_credentials.return_value = (True, b"cert", b"key", b"passphrase") callback = mtls.default_client_encrypted_cert_source("cert_path", "key_path") with mock.patch("{}.open".format(__name__), return_value=mock.MagicMock()): assert callback() == ("cert_path", "key_path", b"passphrase") # Test bad callback which throws exception. get_client_ssl_credentials.side_effect = exceptions.ClientCertError() callback = mtls.default_client_encrypted_cert_source("cert_path", "key_path") with pytest.raises(exceptions.MutualTLSChannelError): callback() ��transport/test__custom_tls_signer.py��0000644��00000020762�15025175543�0014131 0��ustar�00��# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import base64 import ctypes import os import mock import pytest # type: ignore from requests.packages.urllib3.util.ssl_ import create_urllib3_context # type: ignore import urllib3.contrib.pyopenssl # type: ignore from google.auth import exceptions from google.auth.transport import _custom_tls_signer urllib3.contrib.pyopenssl.inject_into_urllib3() FAKE_ENTERPRISE_CERT_FILE_PATH = "/path/to/enterprise/cert/file" ENTERPRISE_CERT_FILE = os.path.join( os.path.dirname(__file__), "../data/enterprise_cert_valid.json" ) INVALID_ENTERPRISE_CERT_FILE = os.path.join( os.path.dirname(__file__), "../data/enterprise_cert_invalid.json" ) def test_load_offload_lib(): with mock.patch("ctypes.CDLL", return_value=mock.MagicMock()): lib = _custom_tls_signer.load_offload_lib("/path/to/offload/lib") assert lib.ConfigureSslContext.argtypes == [ _custom_tls_signer.SIGN_CALLBACK_CTYPE, ctypes.c_char_p, ctypes.c_void_p, ] assert lib.ConfigureSslContext.restype == ctypes.c_int def test_load_signer_lib(): with mock.patch("ctypes.CDLL", return_value=mock.MagicMock()): lib = _custom_tls_signer.load_signer_lib("/path/to/signer/lib") assert lib.SignForPython.restype == ctypes.c_int assert lib.SignForPython.argtypes == [ ctypes.c_char_p, ctypes.c_char_p, ctypes.c_int, ctypes.c_char_p, ctypes.c_int, ] assert lib.GetCertPemForPython.restype == ctypes.c_int assert lib.GetCertPemForPython.argtypes == [ ctypes.c_char_p, ctypes.c_char_p, ctypes.c_int, ] def test__compute_sha256_digest(): to_be_signed = ctypes.create_string_buffer(b"foo") sig = _custom_tls_signer._compute_sha256_digest(to_be_signed, 4) assert ( base64.b64encode(sig).decode() == "RG5gyEH8CAAh3lxgbt2PLPAHPO8p6i9+cn5dqHfUUYM=" ) def test_get_sign_callback(): # mock signer lib's SignForPython function mock_sig_len = 10 mock_signer_lib = mock.MagicMock() mock_signer_lib.SignForPython.return_value = mock_sig_len # create a sign callback. The callback calls signer lib's SignForPython method sign_callback = _custom_tls_signer.get_sign_callback( mock_signer_lib, FAKE_ENTERPRISE_CERT_FILE_PATH ) # mock the parameters used to call the sign callback to_be_signed = ctypes.POINTER(ctypes.c_ubyte)() to_be_signed_len = 4 returned_sig_array = ctypes.c_ubyte() mock_sig_array = ctypes.byref(returned_sig_array) returned_sign_len = ctypes.c_ulong() mock_sig_len_array = ctypes.byref(returned_sign_len) # call the callback, make sure the signature len is returned via mock_sig_len_array[0] assert sign_callback( mock_sig_array, mock_sig_len_array, to_be_signed, to_be_signed_len ) assert returned_sign_len.value == mock_sig_len def test_get_sign_callback_failed_to_sign(): # mock signer lib's SignForPython function. Set the sig len to be 0 to # indicate the signing failed. mock_sig_len = 0 mock_signer_lib = mock.MagicMock() mock_signer_lib.SignForPython.return_value = mock_sig_len # create a sign callback. The callback calls signer lib's SignForPython method sign_callback = _custom_tls_signer.get_sign_callback( mock_signer_lib, FAKE_ENTERPRISE_CERT_FILE_PATH ) # mock the parameters used to call the sign callback to_be_signed = ctypes.POINTER(ctypes.c_ubyte)() to_be_signed_len = 4 returned_sig_array = ctypes.c_ubyte() mock_sig_array = ctypes.byref(returned_sig_array) returned_sign_len = ctypes.c_ulong() mock_sig_len_array = ctypes.byref(returned_sign_len) sign_callback(mock_sig_array, mock_sig_len_array, to_be_signed, to_be_signed_len) # sign callback should return 0 assert not sign_callback( mock_sig_array, mock_sig_len_array, to_be_signed, to_be_signed_len ) def test_get_cert_no_cert(): # mock signer lib's GetCertPemForPython function to return 0 to indicts # the cert doesn't exit (cert len = 0) mock_signer_lib = mock.MagicMock() mock_signer_lib.GetCertPemForPython.return_value = 0 # call the get cert method with pytest.raises(exceptions.MutualTLSChannelError) as excinfo: _custom_tls_signer.get_cert(mock_signer_lib, FAKE_ENTERPRISE_CERT_FILE_PATH) assert excinfo.match("failed to get certificate") def test_get_cert(): # mock signer lib's GetCertPemForPython function mock_cert_len = 10 mock_signer_lib = mock.MagicMock() mock_signer_lib.GetCertPemForPython.return_value = mock_cert_len # call the get cert method mock_cert = _custom_tls_signer.get_cert( mock_signer_lib, FAKE_ENTERPRISE_CERT_FILE_PATH ) # make sure the signer lib's GetCertPemForPython is called twice, and the # mock_cert has length mock_cert_len assert mock_signer_lib.GetCertPemForPython.call_count == 2 assert len(mock_cert) == mock_cert_len def test_custom_tls_signer(): offload_lib = mock.MagicMock() signer_lib = mock.MagicMock() # Test load_libraries method with mock.patch( "google.auth.transport._custom_tls_signer.load_signer_lib" ) as load_signer_lib: with mock.patch( "google.auth.transport._custom_tls_signer.load_offload_lib" ) as load_offload_lib: load_offload_lib.return_value = offload_lib load_signer_lib.return_value = signer_lib signer_object = _custom_tls_signer.CustomTlsSigner(ENTERPRISE_CERT_FILE) signer_object.load_libraries() assert signer_object._cert is None assert signer_object._enterprise_cert_file_path == ENTERPRISE_CERT_FILE assert signer_object._offload_lib == offload_lib assert signer_object._signer_lib == signer_lib load_signer_lib.assert_called_with("/path/to/signer/lib") load_offload_lib.assert_called_with("/path/to/offload/lib") # Test set_up_custom_key and set_up_ssl_context methods with mock.patch("google.auth.transport._custom_tls_signer.get_cert") as get_cert: with mock.patch( "google.auth.transport._custom_tls_signer.get_sign_callback" ) as get_sign_callback: get_cert.return_value = b"mock_cert" signer_object.set_up_custom_key() signer_object.attach_to_ssl_context(create_urllib3_context()) get_cert.assert_called_once() get_sign_callback.assert_called_once() offload_lib.ConfigureSslContext.assert_called_once() def test_custom_tls_signer_failed_to_load_libraries(): # Test load_libraries method with pytest.raises(exceptions.MutualTLSChannelError) as excinfo: signer_object = _custom_tls_signer.CustomTlsSigner(INVALID_ENTERPRISE_CERT_FILE) signer_object.load_libraries() assert excinfo.match("enterprise cert file is invalid") def test_custom_tls_signer_fail_to_offload(): offload_lib = mock.MagicMock() signer_lib = mock.MagicMock() with mock.patch( "google.auth.transport._custom_tls_signer.load_signer_lib" ) as load_signer_lib: with mock.patch( "google.auth.transport._custom_tls_signer.load_offload_lib" ) as load_offload_lib: load_offload_lib.return_value = offload_lib load_signer_lib.return_value = signer_lib signer_object = _custom_tls_signer.CustomTlsSigner(ENTERPRISE_CERT_FILE) signer_object.load_libraries() # set the return value to be 0 which indicts offload fails offload_lib.ConfigureSslContext.return_value = 0 with pytest.raises(exceptions.MutualTLSChannelError) as excinfo: with mock.patch( "google.auth.transport._custom_tls_signer.get_cert" ) as get_cert: with mock.patch( "google.auth.transport._custom_tls_signer.get_sign_callback" ): get_cert.return_value = b"mock_cert" signer_object.set_up_custom_key() signer_object.attach_to_ssl_context(create_urllib3_context()) assert excinfo.match("failed to configure SSL context") ��transport/__init__.py��0000644��00000000000�15025175543�0010706 0��ustar�00��transport/test__mtls_helper.py��0000644��00000041601�15025175543�0012677 0��ustar�00��# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import os import re import mock from OpenSSL import crypto import pytest # type: ignore from google.auth import exceptions from google.auth.transport import _mtls_helper CONTEXT_AWARE_METADATA = {"cert_provider_command": ["some command"]} ENCRYPTED_EC_PRIVATE_KEY = b"""-----BEGIN ENCRYPTED PRIVATE KEY----- MIHkME8GCSqGSIb3DQEFDTBCMCkGCSqGSIb3DQEFDDAcBAgl2/yVgs1h3QICCAAw DAYIKoZIhvcNAgkFADAVBgkrBgEEAZdVAQIECJk2GRrvxOaJBIGQXIBnMU4wmciT uA6yD8q0FxuIzjG7E2S6tc5VRgSbhRB00eBO3jWmO2pBybeQW+zVioDcn50zp2ts wYErWC+LCm1Zg3r+EGnT1E1GgNoODbVQ3AEHlKh1CGCYhEovxtn3G+Fjh7xOBrNB saVVeDb4tHD4tMkiVVUBrUcTZPndP73CtgyGHYEphasYPzEz3+AU -----END ENCRYPTED PRIVATE KEY-----""" EC_PUBLIC_KEY = b"""-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvCNi1NoDY1oMqPHIgXI8RBbTYGi/ brEjbre1nSiQW11xRTJbVeETdsuP0EAu2tG3PcRhhwDfeJ8zXREgTBurNw== -----END PUBLIC KEY-----""" PASSPHRASE = b"""-----BEGIN PASSPHRASE----- password -----END PASSPHRASE-----""" PASSPHRASE_VALUE = b"password" def check_cert_and_key(content, expected_cert, expected_key): success = True cert_match = re.findall(_mtls_helper._CERT_REGEX, content) success = success and len(cert_match) == 1 and cert_match[0] == expected_cert key_match = re.findall(_mtls_helper._KEY_REGEX, content) success = success and len(key_match) == 1 and key_match[0] == expected_key return success class TestCertAndKeyRegex(object): def test_cert_and_key(self): # Test single cert and single key check_cert_and_key( pytest.public_cert_bytes + pytest.private_key_bytes, pytest.public_cert_bytes, pytest.private_key_bytes, ) check_cert_and_key( pytest.private_key_bytes + pytest.public_cert_bytes, pytest.public_cert_bytes, pytest.private_key_bytes, ) # Test cert chain and single key check_cert_and_key( pytest.public_cert_bytes + pytest.public_cert_bytes + pytest.private_key_bytes, pytest.public_cert_bytes + pytest.public_cert_bytes, pytest.private_key_bytes, ) check_cert_and_key( pytest.private_key_bytes + pytest.public_cert_bytes + pytest.public_cert_bytes, pytest.public_cert_bytes + pytest.public_cert_bytes, pytest.private_key_bytes, ) def test_key(self): # Create some fake keys for regex check. KEY = b"""-----BEGIN PRIVATE KEY----- MIIBCgKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj7wZg /fy3ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQAB -----END PRIVATE KEY-----""" RSA_KEY = b"""-----BEGIN RSA PRIVATE KEY----- MIIBCgKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj7wZg /fy3ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQAB -----END RSA PRIVATE KEY-----""" EC_KEY = b"""-----BEGIN EC PRIVATE KEY----- MIIBCgKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj7wZg /fy3ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQAB -----END EC PRIVATE KEY-----""" check_cert_and_key( pytest.public_cert_bytes + KEY, pytest.public_cert_bytes, KEY ) check_cert_and_key( pytest.public_cert_bytes + RSA_KEY, pytest.public_cert_bytes, RSA_KEY ) check_cert_and_key( pytest.public_cert_bytes + EC_KEY, pytest.public_cert_bytes, EC_KEY ) class TestCheckaMetadataPath(object): def test_success(self): metadata_path = os.path.join(pytest.data_dir, "context_aware_metadata.json") returned_path = _mtls_helper._check_dca_metadata_path(metadata_path) assert returned_path is not None def test_failure(self): metadata_path = os.path.join(pytest.data_dir, "not_exists.json") returned_path = _mtls_helper._check_dca_metadata_path(metadata_path) assert returned_path is None class TestReadMetadataFile(object): def test_success(self): metadata_path = os.path.join(pytest.data_dir, "context_aware_metadata.json") metadata = _mtls_helper._read_dca_metadata_file(metadata_path) assert "cert_provider_command" in metadata def test_file_not_json(self): # read a file which is not json format. metadata_path = os.path.join(pytest.data_dir, "privatekey.pem") with pytest.raises(exceptions.ClientCertError): _mtls_helper._read_dca_metadata_file(metadata_path) class TestRunCertProviderCommand(object): def create_mock_process(self, output, error): # There are two steps to execute a script with subprocess.Popen. # (1) process = subprocess.Popen([comannds]) # (2) stdout, stderr = process.communicate() # This function creates a mock process which can be returned by a mock # subprocess.Popen. The mock process returns the given output and error # when mock_process.communicate() is called. mock_process = mock.Mock() attrs = {"communicate.return_value": (output, error), "returncode": 0} mock_process.configure_mock(attrs) return mock_process @mock.patch("subprocess.Popen", autospec=True) def test_success(self, mock_popen): mock_popen.return_value = self.create_mock_process( pytest.public_cert_bytes + pytest.private_key_bytes, b"" ) cert, key, passphrase = _mtls_helper._run_cert_provider_command(["command"]) assert cert == pytest.public_cert_bytes assert key == pytest.private_key_bytes assert passphrase is None mock_popen.return_value = self.create_mock_process( pytest.public_cert_bytes + ENCRYPTED_EC_PRIVATE_KEY + PASSPHRASE, b"" ) cert, key, passphrase = _mtls_helper._run_cert_provider_command( ["command"], expect_encrypted_key=True ) assert cert == pytest.public_cert_bytes assert key == ENCRYPTED_EC_PRIVATE_KEY assert passphrase == PASSPHRASE_VALUE @mock.patch("subprocess.Popen", autospec=True) def test_success_with_cert_chain(self, mock_popen): PUBLIC_CERT_CHAIN_BYTES = pytest.public_cert_bytes + pytest.public_cert_bytes mock_popen.return_value = self.create_mock_process( PUBLIC_CERT_CHAIN_BYTES + pytest.private_key_bytes, b"" ) cert, key, passphrase = _mtls_helper._run_cert_provider_command(["command"]) assert cert == PUBLIC_CERT_CHAIN_BYTES assert key == pytest.private_key_bytes assert passphrase is None mock_popen.return_value = self.create_mock_process( PUBLIC_CERT_CHAIN_BYTES + ENCRYPTED_EC_PRIVATE_KEY + PASSPHRASE, b"" ) cert, key, passphrase = _mtls_helper._run_cert_provider_command( ["command"], expect_encrypted_key=True ) assert cert == PUBLIC_CERT_CHAIN_BYTES assert key == ENCRYPTED_EC_PRIVATE_KEY assert passphrase == PASSPHRASE_VALUE @mock.patch("subprocess.Popen", autospec=True) def test_missing_cert(self, mock_popen): mock_popen.return_value = self.create_mock_process( pytest.private_key_bytes, b"" ) with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command(["command"]) mock_popen.return_value = self.create_mock_process( ENCRYPTED_EC_PRIVATE_KEY + PASSPHRASE, b"" ) with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command( ["command"], expect_encrypted_key=True ) @mock.patch("subprocess.Popen", autospec=True) def test_missing_key(self, mock_popen): mock_popen.return_value = self.create_mock_process( pytest.public_cert_bytes, b"" ) with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command(["command"]) mock_popen.return_value = self.create_mock_process( pytest.public_cert_bytes + PASSPHRASE, b"" ) with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command( ["command"], expect_encrypted_key=True ) @mock.patch("subprocess.Popen", autospec=True) def test_missing_passphrase(self, mock_popen): mock_popen.return_value = self.create_mock_process( pytest.public_cert_bytes + ENCRYPTED_EC_PRIVATE_KEY, b"" ) with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command( ["command"], expect_encrypted_key=True ) @mock.patch("subprocess.Popen", autospec=True) def test_passphrase_not_expected(self, mock_popen): mock_popen.return_value = self.create_mock_process( pytest.public_cert_bytes + pytest.private_key_bytes + PASSPHRASE, b"" ) with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command(["command"]) @mock.patch("subprocess.Popen", autospec=True) def test_encrypted_key_expected(self, mock_popen): mock_popen.return_value = self.create_mock_process( pytest.public_cert_bytes + pytest.private_key_bytes + PASSPHRASE, b"" ) with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command( ["command"], expect_encrypted_key=True ) @mock.patch("subprocess.Popen", autospec=True) def test_unencrypted_key_expected(self, mock_popen): mock_popen.return_value = self.create_mock_process( pytest.public_cert_bytes + ENCRYPTED_EC_PRIVATE_KEY, b"" ) with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command(["command"]) @mock.patch("subprocess.Popen", autospec=True) def test_cert_provider_returns_error(self, mock_popen): mock_popen.return_value = self.create_mock_process(b"", b"some error") mock_popen.return_value.returncode = 1 with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command(["command"]) @mock.patch("subprocess.Popen", autospec=True) def test_popen_raise_exception(self, mock_popen): mock_popen.side_effect = OSError() with pytest.raises(exceptions.ClientCertError): _mtls_helper._run_cert_provider_command(["command"]) class TestGetClientSslCredentials(object): @mock.patch( "google.auth.transport._mtls_helper._run_cert_provider_command", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._read_dca_metadata_file", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) def test_success( self, mock_check_dca_metadata_path, mock_read_dca_metadata_file, mock_run_cert_provider_command, ): mock_check_dca_metadata_path.return_value = True mock_read_dca_metadata_file.return_value = { "cert_provider_command": ["command"] } mock_run_cert_provider_command.return_value = (b"cert", b"key", None) has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials() assert has_cert assert cert == b"cert" assert key == b"key" assert passphrase is None @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) def test_success_without_metadata(self, mock_check_dca_metadata_path): mock_check_dca_metadata_path.return_value = False has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials() assert not has_cert assert cert is None assert key is None assert passphrase is None @mock.patch( "google.auth.transport._mtls_helper._run_cert_provider_command", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._read_dca_metadata_file", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) def test_success_with_encrypted_key( self, mock_check_dca_metadata_path, mock_read_dca_metadata_file, mock_run_cert_provider_command, ): mock_check_dca_metadata_path.return_value = True mock_read_dca_metadata_file.return_value = { "cert_provider_command": ["command"] } mock_run_cert_provider_command.return_value = (b"cert", b"key", b"passphrase") has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials( generate_encrypted_key=True ) assert has_cert assert cert == b"cert" assert key == b"key" assert passphrase == b"passphrase" mock_run_cert_provider_command.assert_called_once_with( ["command", "--with_passphrase"], expect_encrypted_key=True ) @mock.patch( "google.auth.transport._mtls_helper._read_dca_metadata_file", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) def test_missing_cert_command( self, mock_check_dca_metadata_path, mock_read_dca_metadata_file ): mock_check_dca_metadata_path.return_value = True mock_read_dca_metadata_file.return_value = {} with pytest.raises(exceptions.ClientCertError): _mtls_helper.get_client_ssl_credentials() @mock.patch( "google.auth.transport._mtls_helper._run_cert_provider_command", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._read_dca_metadata_file", autospec=True ) @mock.patch( "google.auth.transport._mtls_helper._check_dca_metadata_path", autospec=True ) def test_customize_context_aware_metadata_path( self, mock_check_dca_metadata_path, mock_read_dca_metadata_file, mock_run_cert_provider_command, ): context_aware_metadata_path = "/path/to/metata/data" mock_check_dca_metadata_path.return_value = context_aware_metadata_path mock_read_dca_metadata_file.return_value = { "cert_provider_command": ["command"] } mock_run_cert_provider_command.return_value = (b"cert", b"key", None) has_cert, cert, key, passphrase = _mtls_helper.get_client_ssl_credentials( context_aware_metadata_path=context_aware_metadata_path ) assert has_cert assert cert == b"cert" assert key == b"key" assert passphrase is None mock_check_dca_metadata_path.assert_called_with(context_aware_metadata_path) mock_read_dca_metadata_file.assert_called_with(context_aware_metadata_path) class TestGetClientCertAndKey(object): def test_callback_success(self): callback = mock.Mock() callback.return_value = (pytest.public_cert_bytes, pytest.private_key_bytes) found_cert_key, cert, key = _mtls_helper.get_client_cert_and_key(callback) assert found_cert_key assert cert == pytest.public_cert_bytes assert key == pytest.private_key_bytes @mock.patch( "google.auth.transport._mtls_helper.get_client_ssl_credentials", autospec=True ) def test_use_metadata(self, mock_get_client_ssl_credentials): mock_get_client_ssl_credentials.return_value = ( True, pytest.public_cert_bytes, pytest.private_key_bytes, None, ) found_cert_key, cert, key = _mtls_helper.get_client_cert_and_key() assert found_cert_key assert cert == pytest.public_cert_bytes assert key == pytest.private_key_bytes class TestDecryptPrivateKey(object): def test_success(self): decrypted_key = _mtls_helper.decrypt_private_key( ENCRYPTED_EC_PRIVATE_KEY, PASSPHRASE_VALUE ) private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, decrypted_key) public_key = crypto.load_publickey(crypto.FILETYPE_PEM, EC_PUBLIC_KEY) x509 = crypto.X509() x509.set_pubkey(public_key) # Test the decrypted key works by signing and verification. signature = crypto.sign(private_key, b"data", "sha256") crypto.verify(x509, signature, b"data", "sha256") def test_crypto_error(self): with pytest.raises(crypto.Error): _mtls_helper.decrypt_private_key( ENCRYPTED_EC_PRIVATE_KEY, b"wrong_password" ) ��test_downscoped.py��0000644��00000065337�15025175543�0010347 0��ustar�00��# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import http.client as http_client import json import urllib import mock import pytest # type: ignore from google.auth import _helpers from google.auth import credentials from google.auth import downscoped from google.auth import exceptions from google.auth import transport EXPRESSION = ( "resource.name.startsWith('projects/_/buckets/example-bucket/objects/customer-a')" ) TITLE = "customer-a-objects" DESCRIPTION = ( "Condition to make permissions available for objects starting with customer-a" ) AVAILABLE_RESOURCE = "//storage.googleapis.com/projects/_/buckets/example-bucket" AVAILABLE_PERMISSIONS = ["inRole:roles/storage.objectViewer"] OTHER_EXPRESSION = ( "resource.name.startsWith('projects/_/buckets/example-bucket/objects/customer-b')" ) OTHER_TITLE = "customer-b-objects" OTHER_DESCRIPTION = ( "Condition to make permissions available for objects starting with customer-b" ) OTHER_AVAILABLE_RESOURCE = "//storage.googleapis.com/projects/_/buckets/other-bucket" OTHER_AVAILABLE_PERMISSIONS = ["inRole:roles/storage.objectCreator"] QUOTA_PROJECT_ID = "QUOTA_PROJECT_ID" GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange" REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token" TOKEN_EXCHANGE_ENDPOINT = "https://sts.googleapis.com/v1/token" SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token" SUCCESS_RESPONSE = { "access_token": "ACCESS_TOKEN", "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 3600, } ERROR_RESPONSE = { "error": "invalid_grant", "error_description": "Subject token is invalid.", "error_uri": "https://tools.ietf.org/html/rfc6749", } CREDENTIAL_ACCESS_BOUNDARY_JSON = { "accessBoundary": { "accessBoundaryRules": [ { "availablePermissions": AVAILABLE_PERMISSIONS, "availableResource": AVAILABLE_RESOURCE, "availabilityCondition": { "expression": EXPRESSION, "title": TITLE, "description": DESCRIPTION, }, } ] } } class SourceCredentials(credentials.Credentials): def __init__(self, raise_error=False, expires_in=3600): super(SourceCredentials, self).__init__() self._counter = 0 self._raise_error = raise_error self._expires_in = expires_in def refresh(self, request): if self._raise_error: raise exceptions.RefreshError( "Failed to refresh access token in source credentials." ) now = _helpers.utcnow() self._counter += 1 self.token = "ACCESS_TOKEN_{}".format(self._counter) self.expiry = now + datetime.timedelta(seconds=self._expires_in) def make_availability_condition(expression, title=None, description=None): return downscoped.AvailabilityCondition(expression, title, description) def make_access_boundary_rule( available_resource, available_permissions, availability_condition=None ): return downscoped.AccessBoundaryRule( available_resource, available_permissions, availability_condition ) def make_credential_access_boundary(rules): return downscoped.CredentialAccessBoundary(rules) class TestAvailabilityCondition(object): def test_constructor(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) assert availability_condition.expression == EXPRESSION assert availability_condition.title == TITLE assert availability_condition.description == DESCRIPTION def test_constructor_required_params_only(self): availability_condition = make_availability_condition(EXPRESSION) assert availability_condition.expression == EXPRESSION assert availability_condition.title is None assert availability_condition.description is None def test_setters(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) availability_condition.expression = OTHER_EXPRESSION availability_condition.title = OTHER_TITLE availability_condition.description = OTHER_DESCRIPTION assert availability_condition.expression == OTHER_EXPRESSION assert availability_condition.title == OTHER_TITLE assert availability_condition.description == OTHER_DESCRIPTION def test_invalid_expression_type(self): with pytest.raises(TypeError) as excinfo: make_availability_condition([EXPRESSION], TITLE, DESCRIPTION) assert excinfo.match("The provided expression is not a string.") def test_invalid_title_type(self): with pytest.raises(TypeError) as excinfo: make_availability_condition(EXPRESSION, False, DESCRIPTION) assert excinfo.match("The provided title is not a string or None.") def test_invalid_description_type(self): with pytest.raises(TypeError) as excinfo: make_availability_condition(EXPRESSION, TITLE, False) assert excinfo.match("The provided description is not a string or None.") def test_to_json_required_params_only(self): availability_condition = make_availability_condition(EXPRESSION) assert availability_condition.to_json() == {"expression": EXPRESSION} def test_to_json_(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) assert availability_condition.to_json() == { "expression": EXPRESSION, "title": TITLE, "description": DESCRIPTION, } class TestAccessBoundaryRule(object): def test_constructor(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) assert access_boundary_rule.available_resource == AVAILABLE_RESOURCE assert access_boundary_rule.available_permissions == tuple( AVAILABLE_PERMISSIONS ) assert access_boundary_rule.availability_condition == availability_condition def test_constructor_required_params_only(self): access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS ) assert access_boundary_rule.available_resource == AVAILABLE_RESOURCE assert access_boundary_rule.available_permissions == tuple( AVAILABLE_PERMISSIONS ) assert access_boundary_rule.availability_condition is None def test_setters(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) other_availability_condition = make_availability_condition( OTHER_EXPRESSION, OTHER_TITLE, OTHER_DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) access_boundary_rule.available_resource = OTHER_AVAILABLE_RESOURCE access_boundary_rule.available_permissions = OTHER_AVAILABLE_PERMISSIONS access_boundary_rule.availability_condition = other_availability_condition assert access_boundary_rule.available_resource == OTHER_AVAILABLE_RESOURCE assert access_boundary_rule.available_permissions == tuple( OTHER_AVAILABLE_PERMISSIONS ) assert ( access_boundary_rule.availability_condition == other_availability_condition ) def test_invalid_available_resource_type(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) with pytest.raises(TypeError) as excinfo: make_access_boundary_rule( None, AVAILABLE_PERMISSIONS, availability_condition ) assert excinfo.match("The provided available_resource is not a string.") def test_invalid_available_permissions_type(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) with pytest.raises(TypeError) as excinfo: make_access_boundary_rule( AVAILABLE_RESOURCE, [0, 1, 2], availability_condition ) assert excinfo.match( "Provided available_permissions are not a list of strings." ) def test_invalid_available_permissions_value(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) with pytest.raises(ValueError) as excinfo: make_access_boundary_rule( AVAILABLE_RESOURCE, ["roles/storage.objectViewer"], availability_condition, ) assert excinfo.match("available_permissions must be prefixed with 'inRole:'.") def test_invalid_availability_condition_type(self): with pytest.raises(TypeError) as excinfo: make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, {"foo": "bar"} ) assert excinfo.match( "The provided availability_condition is not a 'google.auth.downscoped.AvailabilityCondition' or None." ) def test_to_json(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) assert access_boundary_rule.to_json() == { "availablePermissions": AVAILABLE_PERMISSIONS, "availableResource": AVAILABLE_RESOURCE, "availabilityCondition": { "expression": EXPRESSION, "title": TITLE, "description": DESCRIPTION, }, } def test_to_json_required_params_only(self): access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS ) assert access_boundary_rule.to_json() == { "availablePermissions": AVAILABLE_PERMISSIONS, "availableResource": AVAILABLE_RESOURCE, } class TestCredentialAccessBoundary(object): def test_constructor(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) rules = [access_boundary_rule] credential_access_boundary = make_credential_access_boundary(rules) assert credential_access_boundary.rules == tuple(rules) def test_setters(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) rules = [access_boundary_rule] other_availability_condition = make_availability_condition( OTHER_EXPRESSION, OTHER_TITLE, OTHER_DESCRIPTION ) other_access_boundary_rule = make_access_boundary_rule( OTHER_AVAILABLE_RESOURCE, OTHER_AVAILABLE_PERMISSIONS, other_availability_condition, ) other_rules = [other_access_boundary_rule] credential_access_boundary = make_credential_access_boundary(rules) credential_access_boundary.rules = other_rules assert credential_access_boundary.rules == tuple(other_rules) def test_add_rule(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) rules = [access_boundary_rule] * 9 credential_access_boundary = make_credential_access_boundary(rules) # Add one more rule. This should not raise an error. additional_access_boundary_rule = make_access_boundary_rule( OTHER_AVAILABLE_RESOURCE, OTHER_AVAILABLE_PERMISSIONS ) credential_access_boundary.add_rule(additional_access_boundary_rule) assert len(credential_access_boundary.rules) == 10 assert credential_access_boundary.rules[9] == additional_access_boundary_rule def test_add_rule_invalid_value(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) rules = [access_boundary_rule] * 10 credential_access_boundary = make_credential_access_boundary(rules) # Add one more rule to exceed maximum allowed rules. with pytest.raises(ValueError) as excinfo: credential_access_boundary.add_rule(access_boundary_rule) assert excinfo.match( "Credential access boundary rules can have a maximum of 10 rules." ) assert len(credential_access_boundary.rules) == 10 def test_add_rule_invalid_type(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) rules = [access_boundary_rule] credential_access_boundary = make_credential_access_boundary(rules) # Add an invalid rule to exceed maximum allowed rules. with pytest.raises(TypeError) as excinfo: credential_access_boundary.add_rule("invalid") assert excinfo.match( "The provided rule does not contain a valid 'google.auth.downscoped.AccessBoundaryRule'." ) assert len(credential_access_boundary.rules) == 1 assert credential_access_boundary.rules[0] == access_boundary_rule def test_invalid_rules_type(self): with pytest.raises(TypeError) as excinfo: make_credential_access_boundary(["invalid"]) assert excinfo.match( "List of rules provided do not contain a valid 'google.auth.downscoped.AccessBoundaryRule'." ) def test_invalid_rules_value(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) too_many_rules = [access_boundary_rule] * 11 with pytest.raises(ValueError) as excinfo: make_credential_access_boundary(too_many_rules) assert excinfo.match( "Credential access boundary rules can have a maximum of 10 rules." ) def test_to_json(self): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) rules = [access_boundary_rule] credential_access_boundary = make_credential_access_boundary(rules) assert credential_access_boundary.to_json() == { "accessBoundary": { "accessBoundaryRules": [ { "availablePermissions": AVAILABLE_PERMISSIONS, "availableResource": AVAILABLE_RESOURCE, "availabilityCondition": { "expression": EXPRESSION, "title": TITLE, "description": DESCRIPTION, }, } ] } } class TestCredentials(object): @staticmethod def make_credentials(source_credentials=SourceCredentials(), quota_project_id=None): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) access_boundary_rule = make_access_boundary_rule( AVAILABLE_RESOURCE, AVAILABLE_PERMISSIONS, availability_condition ) rules = [access_boundary_rule] credential_access_boundary = make_credential_access_boundary(rules) return downscoped.Credentials( source_credentials, credential_access_boundary, quota_project_id ) @staticmethod def make_mock_request(data, status=http_client.OK): response = mock.create_autospec(transport.Response, instance=True) response.status = status response.data = json.dumps(data).encode("utf-8") request = mock.create_autospec(transport.Request) request.return_value = response return request @staticmethod def assert_request_kwargs(request_kwargs, headers, request_data): """Asserts the request was called with the expected parameters. """ assert request_kwargs["url"] == TOKEN_EXCHANGE_ENDPOINT assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None body_tuples = urllib.parse.parse_qsl(request_kwargs["body"]) for (k, v) in body_tuples: assert v.decode("utf-8") == request_data[k.decode("utf-8")] assert len(body_tuples) == len(request_data.keys()) def test_default_state(self): credentials = self.make_credentials() # No token acquired yet. assert not credentials.token assert not credentials.valid # Expiration hasn't been set yet. assert not credentials.expiry assert not credentials.expired # No quota project ID set. assert not credentials.quota_project_id def test_with_quota_project(self): credentials = self.make_credentials() assert not credentials.quota_project_id quota_project_creds = credentials.with_quota_project("project-foo") assert quota_project_creds.quota_project_id == "project-foo" @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh(self, unused_utcnow): response = SUCCESS_RESPONSE.copy() # Test custom expiration to confirm expiry is set correctly. response["expires_in"] = 2800 expected_expiry = datetime.datetime.min + datetime.timedelta( seconds=response["expires_in"] ) headers = {"Content-Type": "application/x-www-form-urlencoded"} request_data = { "grant_type": GRANT_TYPE, "subject_token": "ACCESS_TOKEN_1", "subject_token_type": SUBJECT_TOKEN_TYPE, "requested_token_type": REQUESTED_TOKEN_TYPE, "options": urllib.parse.quote(json.dumps(CREDENTIAL_ACCESS_BOUNDARY_JSON)), } request = self.make_mock_request(status=http_client.OK, data=response) source_credentials = SourceCredentials() credentials = self.make_credentials(source_credentials=source_credentials) # Spy on calls to source credentials refresh to confirm the expected request # instance is used. with mock.patch.object( source_credentials, "refresh", wraps=source_credentials.refresh ) as wrapped_souce_cred_refresh: credentials.refresh(request) self.assert_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == response["access_token"] # Confirm source credentials called with the same request instance. wrapped_souce_cred_refresh.assert_called_with(request) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_without_response_expires_in(self, unused_utcnow): response = SUCCESS_RESPONSE.copy() # Simulate the response is missing the expires_in field. # The downscoped token expiration should match the source credentials # expiration. del response["expires_in"] expected_expires_in = 1800 # Simulate the source credentials generates a token with 1800 second # expiration time. The generated downscoped token should have the same # expiration time. source_credentials = SourceCredentials(expires_in=expected_expires_in) expected_expiry = datetime.datetime.min + datetime.timedelta( seconds=expected_expires_in ) headers = {"Content-Type": "application/x-www-form-urlencoded"} request_data = { "grant_type": GRANT_TYPE, "subject_token": "ACCESS_TOKEN_1", "subject_token_type": SUBJECT_TOKEN_TYPE, "requested_token_type": REQUESTED_TOKEN_TYPE, "options": urllib.parse.quote(json.dumps(CREDENTIAL_ACCESS_BOUNDARY_JSON)), } request = self.make_mock_request(status=http_client.OK, data=response) credentials = self.make_credentials(source_credentials=source_credentials) # Spy on calls to source credentials refresh to confirm the expected request # instance is used. with mock.patch.object( source_credentials, "refresh", wraps=source_credentials.refresh ) as wrapped_souce_cred_refresh: credentials.refresh(request) self.assert_request_kwargs(request.call_args[1], headers, request_data) assert credentials.valid assert credentials.expiry == expected_expiry assert not credentials.expired assert credentials.token == response["access_token"] # Confirm source credentials called with the same request instance. wrapped_souce_cred_refresh.assert_called_with(request) def test_refresh_token_exchange_error(self): request = self.make_mock_request( status=http_client.BAD_REQUEST, data=ERROR_RESPONSE ) credentials = self.make_credentials() with pytest.raises(exceptions.OAuthError) as excinfo: credentials.refresh(request) assert excinfo.match( r"Error code invalid_grant: Subject token is invalid. - https://tools.ietf.org/html/rfc6749" ) assert not credentials.expired assert credentials.token is None def test_refresh_source_credentials_refresh_error(self): # Initialize downscoped credentials with source credentials that raise # an error on refresh. credentials = self.make_credentials( source_credentials=SourceCredentials(raise_error=True) ) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(mock.sentinel.request) assert excinfo.match(r"Failed to refresh access token in source credentials.") assert not credentials.expired assert credentials.token is None def test_apply_without_quota_project_id(self): headers = {} request = self.make_mock_request(status=http_client.OK, data=SUCCESS_RESPONSE) credentials = self.make_credentials() credentials.refresh(request) credentials.apply(headers) assert headers == { "authorization": "Bearer {}".format(SUCCESS_RESPONSE["access_token"]) } def test_apply_with_quota_project_id(self): headers = {"other": "header-value"} request = self.make_mock_request(status=http_client.OK, data=SUCCESS_RESPONSE) credentials = self.make_credentials(quota_project_id=QUOTA_PROJECT_ID) credentials.refresh(request) credentials.apply(headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(SUCCESS_RESPONSE["access_token"]), "x-goog-user-project": QUOTA_PROJECT_ID, } def test_before_request(self): headers = {"other": "header-value"} request = self.make_mock_request(status=http_client.OK, data=SUCCESS_RESPONSE) credentials = self.make_credentials() # First call should call refresh, setting the token. credentials.before_request(request, "POST", "https://example.com/api", headers) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(SUCCESS_RESPONSE["access_token"]), } # Second call shouldn't call refresh (request should be untouched). credentials.before_request( mock.sentinel.request, "POST", "https://example.com/api", headers ) assert headers == { "other": "header-value", "authorization": "Bearer {}".format(SUCCESS_RESPONSE["access_token"]), } @mock.patch("google.auth._helpers.utcnow") def test_before_request_expired(self, utcnow): headers = {} request = self.make_mock_request(status=http_client.OK, data=SUCCESS_RESPONSE) credentials = self.make_credentials() credentials.token = "token" utcnow.return_value = datetime.datetime.min # Set the expiration to one second more than now plus the clock skew # accommodation. These credentials should be valid. credentials.expiry = ( datetime.datetime.min + _helpers.REFRESH_THRESHOLD + datetime.timedelta(seconds=1) ) assert credentials.valid assert not credentials.expired credentials.before_request(request, "POST", "https://example.com/api", headers) # Cached token should be used. assert headers == {"authorization": "Bearer token"} # Next call should simulate 1 second passed. utcnow.return_value = datetime.datetime.min + datetime.timedelta(seconds=1) assert not credentials.valid assert credentials.expired credentials.before_request(request, "POST", "https://example.com/api", headers) # New token should be retrieved. assert headers == { "authorization": "Bearer {}".format(SUCCESS_RESPONSE["access_token"]) } ��test_api_key.py��0000644��00000002535�15025175543�0007612 0��ustar�00��# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import pytest # type: ignore from google.auth import api_key def test_credentials_constructor(): with pytest.raises(ValueError) as excinfo: api_key.Credentials("") assert excinfo.match(r"Token must be a non-empty API key string") def test_expired_and_valid(): credentials = api_key.Credentials("api-key") assert credentials.valid assert credentials.token == "api-key" assert not credentials.expired credentials.refresh(None) assert credentials.valid assert credentials.token == "api-key" assert not credentials.expired def test_before_request(): credentials = api_key.Credentials("api-key") headers = {} credentials.before_request(None, "http://example.com", "GET", headers) assert headers["x-goog-api-key"] == "api-key" ��test_iam.py��0000644��00000006311�15025175543�0006733 0��ustar�00��# Copyright 2017 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import base64 import datetime import http.client as http_client import json import mock import pytest # type: ignore from google.auth import _helpers from google.auth import exceptions from google.auth import iam from google.auth import transport import google.auth.credentials def make_request(status, data=None): response = mock.create_autospec(transport.Response, instance=True) response.status = status if data is not None: response.data = json.dumps(data).encode("utf-8") request = mock.create_autospec(transport.Request) request.return_value = response return request def make_credentials(): class CredentialsImpl(google.auth.credentials.Credentials): def __init__(self): super(CredentialsImpl, self).__init__() self.token = "token" # Force refresh self.expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD def refresh(self, request): pass def with_quota_project(self, quota_project_id): raise NotImplementedError() return CredentialsImpl() class TestSigner(object): def test_constructor(self): request = mock.sentinel.request credentials = mock.create_autospec( google.auth.credentials.Credentials, instance=True ) signer = iam.Signer(request, credentials, mock.sentinel.service_account_email) assert signer._request == mock.sentinel.request assert signer._credentials == credentials assert signer._service_account_email == mock.sentinel.service_account_email def test_key_id(self): signer = iam.Signer( mock.sentinel.request, mock.sentinel.credentials, mock.sentinel.service_account_email, ) assert signer.key_id is None def test_sign_bytes(self): signature = b"DEADBEEF" encoded_signature = base64.b64encode(signature).decode("utf-8") request = make_request(http_client.OK, data={"signedBlob": encoded_signature}) credentials = make_credentials() signer = iam.Signer(request, credentials, mock.sentinel.service_account_email) returned_signature = signer.sign("123") assert returned_signature == signature kwargs = request.call_args[1] assert kwargs["headers"]["Content-Type"] == "application/json" def test_sign_bytes_failure(self): request = make_request(http_client.UNAUTHORIZED) credentials = make_credentials() signer = iam.Signer(request, credentials, mock.sentinel.service_account_email) with pytest.raises(exceptions.TransportError): signer.sign("123") ��crypt/test__cryptography_rsa.py��0000644��00000015627�15025175543�0013077 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import json import os import pickle from cryptography.hazmat.primitives.asymmetric import rsa import pytest # type: ignore from google.auth import _helpers from google.auth.crypt import _cryptography_rsa from google.auth.crypt import base DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data") # To generate privatekey.pem, privatekey.pub, and public_cert.pem: # $ openssl req -new -newkey rsa:1024 -x509 -nodes -out public_cert.pem \ # > -keyout privatekey.pem # $ openssl rsa -in privatekey.pem -pubout -out privatekey.pub with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() PKCS1_KEY_BYTES = PRIVATE_KEY_BYTES with open(os.path.join(DATA_DIR, "privatekey.pub"), "rb") as fh: PUBLIC_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh: PUBLIC_CERT_BYTES = fh.read() # To generate pem_from_pkcs12.pem and privatekey.p12: # $ openssl pkcs12 -export -out privatekey.p12 -inkey privatekey.pem \ # > -in public_cert.pem # $ openssl pkcs12 -in privatekey.p12 -nocerts -nodes \ # > -out pem_from_pkcs12.pem with open(os.path.join(DATA_DIR, "pem_from_pkcs12.pem"), "rb") as fh: PKCS8_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "privatekey.p12"), "rb") as fh: PKCS12_KEY_BYTES = fh.read() # The service account JSON file can be generated from the Google Cloud Console. SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json") with open(SERVICE_ACCOUNT_JSON_FILE, "rb") as fh: SERVICE_ACCOUNT_INFO = json.load(fh) class TestRSAVerifier(object): def test_verify_success(self): to_sign = b"foo" signer = _cryptography_rsa.RSASigner.from_string(PRIVATE_KEY_BYTES) actual_signature = signer.sign(to_sign) verifier = _cryptography_rsa.RSAVerifier.from_string(PUBLIC_KEY_BYTES) assert verifier.verify(to_sign, actual_signature) def test_verify_unicode_success(self): to_sign = u"foo" signer = _cryptography_rsa.RSASigner.from_string(PRIVATE_KEY_BYTES) actual_signature = signer.sign(to_sign) verifier = _cryptography_rsa.RSAVerifier.from_string(PUBLIC_KEY_BYTES) assert verifier.verify(to_sign, actual_signature) def test_verify_failure(self): verifier = _cryptography_rsa.RSAVerifier.from_string(PUBLIC_KEY_BYTES) bad_signature1 = b"" assert not verifier.verify(b"foo", bad_signature1) bad_signature2 = b"a" assert not verifier.verify(b"foo", bad_signature2) def test_from_string_pub_key(self): verifier = _cryptography_rsa.RSAVerifier.from_string(PUBLIC_KEY_BYTES) assert isinstance(verifier, _cryptography_rsa.RSAVerifier) assert isinstance(verifier._pubkey, rsa.RSAPublicKey) def test_from_string_pub_key_unicode(self): public_key = _helpers.from_bytes(PUBLIC_KEY_BYTES) verifier = _cryptography_rsa.RSAVerifier.from_string(public_key) assert isinstance(verifier, _cryptography_rsa.RSAVerifier) assert isinstance(verifier._pubkey, rsa.RSAPublicKey) def test_from_string_pub_cert(self): verifier = _cryptography_rsa.RSAVerifier.from_string(PUBLIC_CERT_BYTES) assert isinstance(verifier, _cryptography_rsa.RSAVerifier) assert isinstance(verifier._pubkey, rsa.RSAPublicKey) def test_from_string_pub_cert_unicode(self): public_cert = _helpers.from_bytes(PUBLIC_CERT_BYTES) verifier = _cryptography_rsa.RSAVerifier.from_string(public_cert) assert isinstance(verifier, _cryptography_rsa.RSAVerifier) assert isinstance(verifier._pubkey, rsa.RSAPublicKey) class TestRSASigner(object): def test_from_string_pkcs1(self): signer = _cryptography_rsa.RSASigner.from_string(PKCS1_KEY_BYTES) assert isinstance(signer, _cryptography_rsa.RSASigner) assert isinstance(signer._key, rsa.RSAPrivateKey) def test_from_string_pkcs1_unicode(self): key_bytes = _helpers.from_bytes(PKCS1_KEY_BYTES) signer = _cryptography_rsa.RSASigner.from_string(key_bytes) assert isinstance(signer, _cryptography_rsa.RSASigner) assert isinstance(signer._key, rsa.RSAPrivateKey) def test_from_string_pkcs8(self): signer = _cryptography_rsa.RSASigner.from_string(PKCS8_KEY_BYTES) assert isinstance(signer, _cryptography_rsa.RSASigner) assert isinstance(signer._key, rsa.RSAPrivateKey) def test_from_string_pkcs8_unicode(self): key_bytes = _helpers.from_bytes(PKCS8_KEY_BYTES) signer = _cryptography_rsa.RSASigner.from_string(key_bytes) assert isinstance(signer, _cryptography_rsa.RSASigner) assert isinstance(signer._key, rsa.RSAPrivateKey) def test_from_string_pkcs12(self): with pytest.raises(ValueError): _cryptography_rsa.RSASigner.from_string(PKCS12_KEY_BYTES) def test_from_string_bogus_key(self): key_bytes = "bogus-key" with pytest.raises(ValueError): _cryptography_rsa.RSASigner.from_string(key_bytes) def test_from_service_account_info(self): signer = _cryptography_rsa.RSASigner.from_service_account_info( SERVICE_ACCOUNT_INFO ) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, rsa.RSAPrivateKey) def test_from_service_account_info_missing_key(self): with pytest.raises(ValueError) as excinfo: _cryptography_rsa.RSASigner.from_service_account_info({}) assert excinfo.match(base._JSON_FILE_PRIVATE_KEY) def test_from_service_account_file(self): signer = _cryptography_rsa.RSASigner.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE ) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, rsa.RSAPrivateKey) def test_pickle(self): signer = _cryptography_rsa.RSASigner.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE ) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, rsa.RSAPrivateKey) pickled_signer = pickle.dumps(signer) signer = pickle.loads(pickled_signer) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, rsa.RSAPrivateKey) ��crypt/test_crypt.py��0000644��00000003572�15025175543�0010475 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import os from google.auth import crypt DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data") # To generate privatekey.pem, privatekey.pub, and public_cert.pem: # $ openssl req -new -newkey rsa:1024 -x509 -nodes -out public_cert.pem \ # > -keyout privatekey.pem # $ openssl rsa -in privatekey.pem -pubout -out privatekey.pub with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh: PUBLIC_CERT_BYTES = fh.read() # To generate other_cert.pem: # $ openssl req -new -newkey rsa:1024 -x509 -nodes -out other_cert.pem with open(os.path.join(DATA_DIR, "other_cert.pem"), "rb") as fh: OTHER_CERT_BYTES = fh.read() def test_verify_signature(): to_sign = b"foo" signer = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES) signature = signer.sign(to_sign) assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES) # List of certs assert crypt.verify_signature( to_sign, signature, [OTHER_CERT_BYTES, PUBLIC_CERT_BYTES] ) def test_verify_signature_failure(): to_sign = b"foo" signer = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES) signature = signer.sign(to_sign) assert not crypt.verify_signature(to_sign, signature, OTHER_CERT_BYTES) ��crypt/test__python_rsa.py��0000644��00000016654�15025175543�0011666 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import io import json import os import mock from pyasn1_modules import pem # type: ignore import pytest # type: ignore import rsa # type: ignore from google.auth import _helpers from google.auth.crypt import _python_rsa from google.auth.crypt import base DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data") # To generate privatekey.pem, privatekey.pub, and public_cert.pem: # $ openssl req -new -newkey rsa:1024 -x509 -nodes -out public_cert.pem \ # > -keyout privatekey.pem # $ openssl rsa -in privatekey.pem -pubout -out privatekey.pub with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() PKCS1_KEY_BYTES = PRIVATE_KEY_BYTES with open(os.path.join(DATA_DIR, "privatekey.pub"), "rb") as fh: PUBLIC_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh: PUBLIC_CERT_BYTES = fh.read() # To generate pem_from_pkcs12.pem and privatekey.p12: # $ openssl pkcs12 -export -out privatekey.p12 -inkey privatekey.pem \ # > -in public_cert.pem # $ openssl pkcs12 -in privatekey.p12 -nocerts -nodes \ # > -out pem_from_pkcs12.pem with open(os.path.join(DATA_DIR, "pem_from_pkcs12.pem"), "rb") as fh: PKCS8_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "privatekey.p12"), "rb") as fh: PKCS12_KEY_BYTES = fh.read() # The service account JSON file can be generated from the Google Cloud Console. SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json") with open(SERVICE_ACCOUNT_JSON_FILE, "rb") as fh: SERVICE_ACCOUNT_INFO = json.load(fh) class TestRSAVerifier(object): def test_verify_success(self): to_sign = b"foo" signer = _python_rsa.RSASigner.from_string(PRIVATE_KEY_BYTES) actual_signature = signer.sign(to_sign) verifier = _python_rsa.RSAVerifier.from_string(PUBLIC_KEY_BYTES) assert verifier.verify(to_sign, actual_signature) def test_verify_unicode_success(self): to_sign = u"foo" signer = _python_rsa.RSASigner.from_string(PRIVATE_KEY_BYTES) actual_signature = signer.sign(to_sign) verifier = _python_rsa.RSAVerifier.from_string(PUBLIC_KEY_BYTES) assert verifier.verify(to_sign, actual_signature) def test_verify_failure(self): verifier = _python_rsa.RSAVerifier.from_string(PUBLIC_KEY_BYTES) bad_signature1 = b"" assert not verifier.verify(b"foo", bad_signature1) bad_signature2 = b"a" assert not verifier.verify(b"foo", bad_signature2) def test_from_string_pub_key(self): verifier = _python_rsa.RSAVerifier.from_string(PUBLIC_KEY_BYTES) assert isinstance(verifier, _python_rsa.RSAVerifier) assert isinstance(verifier._pubkey, rsa.key.PublicKey) def test_from_string_pub_key_unicode(self): public_key = _helpers.from_bytes(PUBLIC_KEY_BYTES) verifier = _python_rsa.RSAVerifier.from_string(public_key) assert isinstance(verifier, _python_rsa.RSAVerifier) assert isinstance(verifier._pubkey, rsa.key.PublicKey) def test_from_string_pub_cert(self): verifier = _python_rsa.RSAVerifier.from_string(PUBLIC_CERT_BYTES) assert isinstance(verifier, _python_rsa.RSAVerifier) assert isinstance(verifier._pubkey, rsa.key.PublicKey) def test_from_string_pub_cert_unicode(self): public_cert = _helpers.from_bytes(PUBLIC_CERT_BYTES) verifier = _python_rsa.RSAVerifier.from_string(public_cert) assert isinstance(verifier, _python_rsa.RSAVerifier) assert isinstance(verifier._pubkey, rsa.key.PublicKey) def test_from_string_pub_cert_failure(self): cert_bytes = PUBLIC_CERT_BYTES true_der = rsa.pem.load_pem(cert_bytes, "CERTIFICATE") load_pem_patch = mock.patch( "rsa.pem.load_pem", return_value=true_der + b"extra", autospec=True ) with load_pem_patch as load_pem: with pytest.raises(ValueError): _python_rsa.RSAVerifier.from_string(cert_bytes) load_pem.assert_called_once_with(cert_bytes, "CERTIFICATE") class TestRSASigner(object): def test_from_string_pkcs1(self): signer = _python_rsa.RSASigner.from_string(PKCS1_KEY_BYTES) assert isinstance(signer, _python_rsa.RSASigner) assert isinstance(signer._key, rsa.key.PrivateKey) def test_from_string_pkcs1_unicode(self): key_bytes = _helpers.from_bytes(PKCS1_KEY_BYTES) signer = _python_rsa.RSASigner.from_string(key_bytes) assert isinstance(signer, _python_rsa.RSASigner) assert isinstance(signer._key, rsa.key.PrivateKey) def test_from_string_pkcs8(self): signer = _python_rsa.RSASigner.from_string(PKCS8_KEY_BYTES) assert isinstance(signer, _python_rsa.RSASigner) assert isinstance(signer._key, rsa.key.PrivateKey) def test_from_string_pkcs8_extra_bytes(self): key_bytes = PKCS8_KEY_BYTES _, pem_bytes = pem.readPemBlocksFromFile( io.StringIO(_helpers.from_bytes(key_bytes)), _python_rsa._PKCS8_MARKER ) key_info, remaining = None, "extra" decode_patch = mock.patch( "pyasn1.codec.der.decoder.decode", return_value=(key_info, remaining), autospec=True, ) with decode_patch as decode: with pytest.raises(ValueError): _python_rsa.RSASigner.from_string(key_bytes) # Verify mock was called. decode.assert_called_once_with(pem_bytes, asn1Spec=_python_rsa._PKCS8_SPEC) def test_from_string_pkcs8_unicode(self): key_bytes = _helpers.from_bytes(PKCS8_KEY_BYTES) signer = _python_rsa.RSASigner.from_string(key_bytes) assert isinstance(signer, _python_rsa.RSASigner) assert isinstance(signer._key, rsa.key.PrivateKey) def test_from_string_pkcs12(self): with pytest.raises(ValueError): _python_rsa.RSASigner.from_string(PKCS12_KEY_BYTES) def test_from_string_bogus_key(self): key_bytes = "bogus-key" with pytest.raises(ValueError): _python_rsa.RSASigner.from_string(key_bytes) def test_from_service_account_info(self): signer = _python_rsa.RSASigner.from_service_account_info(SERVICE_ACCOUNT_INFO) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, rsa.key.PrivateKey) def test_from_service_account_info_missing_key(self): with pytest.raises(ValueError) as excinfo: _python_rsa.RSASigner.from_service_account_info({}) assert excinfo.match(base._JSON_FILE_PRIVATE_KEY) def test_from_service_account_file(self): signer = _python_rsa.RSASigner.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE ) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, rsa.key.PrivateKey) ��crypt/__init__.py��0000644��00000000000�15025175543�0010013 0��ustar�00��crypt/test_es256.py��0000644��00000014147�15025175543�0010200 0��ustar�00��# Copyright 2016 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import base64 import json import os import pickle from cryptography.hazmat.primitives.asymmetric import ec import pytest # type: ignore from google.auth import _helpers from google.auth.crypt import base from google.auth.crypt import es256 DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data") # To generate es256_privatekey.pem, es256_privatekey.pub, and # es256_public_cert.pem: # $ openssl ecparam -genkey -name prime256v1 -noout -out es256_privatekey.pem # $ openssl ec -in es256-private-key.pem -pubout -out es256-publickey.pem # $ openssl req -new -x509 -key es256_privatekey.pem -out \ # > es256_public_cert.pem with open(os.path.join(DATA_DIR, "es256_privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() PKCS1_KEY_BYTES = PRIVATE_KEY_BYTES with open(os.path.join(DATA_DIR, "es256_publickey.pem"), "rb") as fh: PUBLIC_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "es256_public_cert.pem"), "rb") as fh: PUBLIC_CERT_BYTES = fh.read() SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "es256_service_account.json") with open(SERVICE_ACCOUNT_JSON_FILE, "rb") as fh: SERVICE_ACCOUNT_INFO = json.load(fh) class TestES256Verifier(object): def test_verify_success(self): to_sign = b"foo" signer = es256.ES256Signer.from_string(PRIVATE_KEY_BYTES) actual_signature = signer.sign(to_sign) verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES) assert verifier.verify(to_sign, actual_signature) def test_verify_unicode_success(self): to_sign = u"foo" signer = es256.ES256Signer.from_string(PRIVATE_KEY_BYTES) actual_signature = signer.sign(to_sign) verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES) assert verifier.verify(to_sign, actual_signature) def test_verify_failure(self): verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES) bad_signature1 = b"" assert not verifier.verify(b"foo", bad_signature1) bad_signature2 = b"a" assert not verifier.verify(b"foo", bad_signature2) def test_verify_failure_with_wrong_raw_signature(self): to_sign = b"foo" # This signature has a wrong "r" value in the "(r,s)" raw signature. wrong_signature = base64.urlsafe_b64decode( b"m7oaRxUDeYqjZ8qiMwo0PZLTMZWKJLFQREpqce1StMIa_yXQQ-C5WgeIRHW7OqlYSDL0XbUrj_uAw9i-QhfOJQ==" ) verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES) assert not verifier.verify(to_sign, wrong_signature) def test_from_string_pub_key(self): verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES) assert isinstance(verifier, es256.ES256Verifier) assert isinstance(verifier._pubkey, ec.EllipticCurvePublicKey) def test_from_string_pub_key_unicode(self): public_key = _helpers.from_bytes(PUBLIC_KEY_BYTES) verifier = es256.ES256Verifier.from_string(public_key) assert isinstance(verifier, es256.ES256Verifier) assert isinstance(verifier._pubkey, ec.EllipticCurvePublicKey) def test_from_string_pub_cert(self): verifier = es256.ES256Verifier.from_string(PUBLIC_CERT_BYTES) assert isinstance(verifier, es256.ES256Verifier) assert isinstance(verifier._pubkey, ec.EllipticCurvePublicKey) def test_from_string_pub_cert_unicode(self): public_cert = _helpers.from_bytes(PUBLIC_CERT_BYTES) verifier = es256.ES256Verifier.from_string(public_cert) assert isinstance(verifier, es256.ES256Verifier) assert isinstance(verifier._pubkey, ec.EllipticCurvePublicKey) class TestES256Signer(object): def test_from_string_pkcs1(self): signer = es256.ES256Signer.from_string(PKCS1_KEY_BYTES) assert isinstance(signer, es256.ES256Signer) assert isinstance(signer._key, ec.EllipticCurvePrivateKey) def test_from_string_pkcs1_unicode(self): key_bytes = _helpers.from_bytes(PKCS1_KEY_BYTES) signer = es256.ES256Signer.from_string(key_bytes) assert isinstance(signer, es256.ES256Signer) assert isinstance(signer._key, ec.EllipticCurvePrivateKey) def test_from_string_bogus_key(self): key_bytes = "bogus-key" with pytest.raises(ValueError): es256.ES256Signer.from_string(key_bytes) def test_from_service_account_info(self): signer = es256.ES256Signer.from_service_account_info(SERVICE_ACCOUNT_INFO) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, ec.EllipticCurvePrivateKey) def test_from_service_account_info_missing_key(self): with pytest.raises(ValueError) as excinfo: es256.ES256Signer.from_service_account_info({}) assert excinfo.match(base._JSON_FILE_PRIVATE_KEY) def test_from_service_account_file(self): signer = es256.ES256Signer.from_service_account_file(SERVICE_ACCOUNT_JSON_FILE) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, ec.EllipticCurvePrivateKey) def test_pickle(self): signer = es256.ES256Signer.from_service_account_file(SERVICE_ACCOUNT_JSON_FILE) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, ec.EllipticCurvePrivateKey) pickled_signer = pickle.dumps(signer) signer = pickle.loads(pickled_signer) assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID] assert isinstance(signer._key, ec.EllipticCurvePrivateKey) ��test__default.py��0000644��00000141642�15025175543�0007757 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import json import os import mock import pytest # type: ignore from google.auth import _default from google.auth import api_key from google.auth import app_engine from google.auth import aws from google.auth import compute_engine from google.auth import credentials from google.auth import environment_vars from google.auth import exceptions from google.auth import external_account from google.auth import external_account_authorized_user from google.auth import identity_pool from google.auth import impersonated_credentials from google.auth import pluggable from google.oauth2 import gdch_credentials from google.oauth2 import service_account import google.oauth2.credentials DATA_DIR = os.path.join(os.path.dirname(__file__), "data") AUTHORIZED_USER_FILE = os.path.join(DATA_DIR, "authorized_user.json") with open(AUTHORIZED_USER_FILE) as fh: AUTHORIZED_USER_FILE_DATA = json.load(fh) AUTHORIZED_USER_CLOUD_SDK_FILE = os.path.join( DATA_DIR, "authorized_user_cloud_sdk.json" ) AUTHORIZED_USER_CLOUD_SDK_WITH_QUOTA_PROJECT_ID_FILE = os.path.join( DATA_DIR, "authorized_user_cloud_sdk_with_quota_project_id.json" ) SERVICE_ACCOUNT_FILE = os.path.join(DATA_DIR, "service_account.json") CLIENT_SECRETS_FILE = os.path.join(DATA_DIR, "client_secrets.json") GDCH_SERVICE_ACCOUNT_FILE = os.path.join(DATA_DIR, "gdch_service_account.json") with open(SERVICE_ACCOUNT_FILE) as fh: SERVICE_ACCOUNT_FILE_DATA = json.load(fh) SUBJECT_TOKEN_TEXT_FILE = os.path.join(DATA_DIR, "external_subject_token.txt") TOKEN_URL = "https://sts.googleapis.com/v1/token" AUDIENCE = "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID" WORKFORCE_AUDIENCE = ( "//iam.googleapis.com/locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID" ) WORKFORCE_POOL_USER_PROJECT = "WORKFORCE_POOL_USER_PROJECT_NUMBER" REGION_URL = "http://169.254.169.254/latest/meta-data/placement/availability-zone" SECURITY_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials" CRED_VERIFICATION_URL = ( "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" ) IDENTITY_POOL_DATA = { "type": "external_account", "audience": AUDIENCE, "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "token_url": TOKEN_URL, "credential_source": {"file": SUBJECT_TOKEN_TEXT_FILE}, } PLUGGABLE_DATA = { "type": "external_account", "audience": AUDIENCE, "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "token_url": TOKEN_URL, "credential_source": {"executable": {"command": "command"}}, } AWS_DATA = { "type": "external_account", "audience": AUDIENCE, "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request", "token_url": TOKEN_URL, "credential_source": { "environment_id": "aws1", "region_url": REGION_URL, "url": SECURITY_CREDS_URL, "regional_cred_verification_url": CRED_VERIFICATION_URL, }, } SERVICE_ACCOUNT_EMAIL = "service-1234@service-name.iam.gserviceaccount.com" SERVICE_ACCOUNT_IMPERSONATION_URL = ( "https://us-east1-iamcredentials.googleapis.com/v1/projects/-" + "/serviceAccounts/{}:generateAccessToken".format(SERVICE_ACCOUNT_EMAIL) ) IMPERSONATED_IDENTITY_POOL_DATA = { "type": "external_account", "audience": AUDIENCE, "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "token_url": TOKEN_URL, "credential_source": {"file": SUBJECT_TOKEN_TEXT_FILE}, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, } IMPERSONATED_AWS_DATA = { "type": "external_account", "audience": AUDIENCE, "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request", "token_url": TOKEN_URL, "credential_source": { "environment_id": "aws1", "region_url": REGION_URL, "url": SECURITY_CREDS_URL, "regional_cred_verification_url": CRED_VERIFICATION_URL, }, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, } IDENTITY_POOL_WORKFORCE_DATA = { "type": "external_account", "audience": WORKFORCE_AUDIENCE, "subject_token_type": "urn:ietf:params:oauth:token-type:id_token", "token_url": TOKEN_URL, "credential_source": {"file": SUBJECT_TOKEN_TEXT_FILE}, "workforce_pool_user_project": WORKFORCE_POOL_USER_PROJECT, } IMPERSONATED_IDENTITY_POOL_WORKFORCE_DATA = { "type": "external_account", "audience": WORKFORCE_AUDIENCE, "subject_token_type": "urn:ietf:params:oauth:token-type:id_token", "token_url": TOKEN_URL, "credential_source": {"file": SUBJECT_TOKEN_TEXT_FILE}, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "workforce_pool_user_project": WORKFORCE_POOL_USER_PROJECT, } IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE = os.path.join( DATA_DIR, "impersonated_service_account_authorized_user_source.json" ) IMPERSONATED_SERVICE_ACCOUNT_WITH_QUOTA_PROJECT_FILE = os.path.join( DATA_DIR, "impersonated_service_account_with_quota_project.json" ) IMPERSONATED_SERVICE_ACCOUNT_SERVICE_ACCOUNT_SOURCE_FILE = os.path.join( DATA_DIR, "impersonated_service_account_service_account_source.json" ) EXTERNAL_ACCOUNT_AUTHORIZED_USER_FILE = os.path.join( DATA_DIR, "external_account_authorized_user.json" ) MOCK_CREDENTIALS = mock.Mock(spec=credentials.CredentialsWithQuotaProject) MOCK_CREDENTIALS.with_quota_project.return_value = MOCK_CREDENTIALS def get_project_id_side_effect(self, request=None): # If no scopes are set, this will always return None. if not self.scopes: return None return mock.sentinel.project_id LOAD_FILE_PATCH = mock.patch( "google.auth._default.load_credentials_from_file", return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id), autospec=True, ) EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH = mock.patch.object( external_account.Credentials, "get_project_id", side_effect=get_project_id_side_effect, autospec=True, ) def test_load_credentials_from_missing_file(): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file("") assert excinfo.match(r"not found") def test_load_credentials_from_dict_non_dict_object(): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_dict("") assert excinfo.match(r"dict type was expected") with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_dict(None) assert excinfo.match(r"dict type was expected") with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_dict(1) assert excinfo.match(r"dict type was expected") def test_load_credentials_from_dict_authorized_user(): credentials, project_id = _default.load_credentials_from_dict( AUTHORIZED_USER_FILE_DATA ) assert isinstance(credentials, google.oauth2.credentials.Credentials) assert project_id is None def test_load_credentials_from_file_invalid_json(tmpdir): jsonfile = tmpdir.join("invalid.json") jsonfile.write("{") with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(str(jsonfile)) assert excinfo.match(r"not a valid json file") def test_load_credentials_from_file_invalid_type(tmpdir): jsonfile = tmpdir.join("invalid.json") jsonfile.write(json.dumps({"type": "not-a-real-type"})) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(str(jsonfile)) assert excinfo.match(r"does not have a valid type") def test_load_credentials_from_file_authorized_user(): credentials, project_id = _default.load_credentials_from_file(AUTHORIZED_USER_FILE) assert isinstance(credentials, google.oauth2.credentials.Credentials) assert project_id is None def test_load_credentials_from_file_no_type(tmpdir): # use the client_secrets.json, which is valid json but not a # loadable credentials type with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(CLIENT_SECRETS_FILE) assert excinfo.match(r"does not have a valid type") assert excinfo.match(r"Type is None") def test_load_credentials_from_file_authorized_user_bad_format(tmpdir): filename = tmpdir.join("authorized_user_bad.json") filename.write(json.dumps({"type": "authorized_user"})) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(str(filename)) assert excinfo.match(r"Failed to load authorized user") assert excinfo.match(r"missing fields") def test_load_credentials_from_file_authorized_user_cloud_sdk(): with pytest.warns(UserWarning, match="Cloud SDK"): credentials, project_id = _default.load_credentials_from_file( AUTHORIZED_USER_CLOUD_SDK_FILE ) assert isinstance(credentials, google.oauth2.credentials.Credentials) assert project_id is None # No warning if the json file has quota project id. credentials, project_id = _default.load_credentials_from_file( AUTHORIZED_USER_CLOUD_SDK_WITH_QUOTA_PROJECT_ID_FILE ) assert isinstance(credentials, google.oauth2.credentials.Credentials) assert project_id is None def test_load_credentials_from_file_authorized_user_cloud_sdk_with_scopes(): with pytest.warns(UserWarning, match="Cloud SDK"): credentials, project_id = _default.load_credentials_from_file( AUTHORIZED_USER_CLOUD_SDK_FILE, scopes=["https://www.google.com/calendar/feeds"], ) assert isinstance(credentials, google.oauth2.credentials.Credentials) assert project_id is None assert credentials.scopes == ["https://www.google.com/calendar/feeds"] def test_load_credentials_from_file_authorized_user_cloud_sdk_with_quota_project(): credentials, project_id = _default.load_credentials_from_file( AUTHORIZED_USER_CLOUD_SDK_FILE, quota_project_id="project-foo" ) assert isinstance(credentials, google.oauth2.credentials.Credentials) assert project_id is None assert credentials.quota_project_id == "project-foo" def test_load_credentials_from_file_service_account(): credentials, project_id = _default.load_credentials_from_file(SERVICE_ACCOUNT_FILE) assert isinstance(credentials, service_account.Credentials) assert project_id == SERVICE_ACCOUNT_FILE_DATA["project_id"] def test_load_credentials_from_file_service_account_with_scopes(): credentials, project_id = _default.load_credentials_from_file( SERVICE_ACCOUNT_FILE, scopes=["https://www.google.com/calendar/feeds"] ) assert isinstance(credentials, service_account.Credentials) assert project_id == SERVICE_ACCOUNT_FILE_DATA["project_id"] assert credentials.scopes == ["https://www.google.com/calendar/feeds"] def test_load_credentials_from_file_service_account_with_quota_project(): credentials, project_id = _default.load_credentials_from_file( SERVICE_ACCOUNT_FILE, quota_project_id="project-foo" ) assert isinstance(credentials, service_account.Credentials) assert project_id == SERVICE_ACCOUNT_FILE_DATA["project_id"] assert credentials.quota_project_id == "project-foo" def test_load_credentials_from_file_service_account_bad_format(tmpdir): filename = tmpdir.join("serivce_account_bad.json") filename.write(json.dumps({"type": "service_account"})) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(str(filename)) assert excinfo.match(r"Failed to load service account") assert excinfo.match(r"missing fields") def test_load_credentials_from_file_impersonated_with_authorized_user_source(): credentials, project_id = _default.load_credentials_from_file( IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE ) assert isinstance(credentials, impersonated_credentials.Credentials) assert isinstance( credentials._source_credentials, google.oauth2.credentials.Credentials ) assert credentials.service_account_email == "service-account-target@example.com" assert credentials._delegates == ["service-account-delegate@example.com"] assert not credentials._quota_project_id assert not credentials._target_scopes assert project_id is None def test_load_credentials_from_file_impersonated_with_quota_project(): credentials, _ = _default.load_credentials_from_file( IMPERSONATED_SERVICE_ACCOUNT_WITH_QUOTA_PROJECT_FILE ) assert isinstance(credentials, impersonated_credentials.Credentials) assert credentials._quota_project_id == "quota_project" def test_load_credentials_from_file_impersonated_with_service_account_source(): credentials, _ = _default.load_credentials_from_file( IMPERSONATED_SERVICE_ACCOUNT_SERVICE_ACCOUNT_SOURCE_FILE ) assert isinstance(credentials, impersonated_credentials.Credentials) assert isinstance(credentials._source_credentials, service_account.Credentials) assert not credentials._quota_project_id def test_load_credentials_from_file_impersonated_passing_quota_project(): credentials, _ = _default.load_credentials_from_file( IMPERSONATED_SERVICE_ACCOUNT_SERVICE_ACCOUNT_SOURCE_FILE, quota_project_id="new_quota_project", ) assert credentials._quota_project_id == "new_quota_project" def test_load_credentials_from_file_impersonated_passing_scopes(): credentials, _ = _default.load_credentials_from_file( IMPERSONATED_SERVICE_ACCOUNT_SERVICE_ACCOUNT_SOURCE_FILE, scopes=["scope1", "scope2"], ) assert credentials._target_scopes == ["scope1", "scope2"] def test_load_credentials_from_file_impersonated_wrong_target_principal(tmpdir): with open(IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE) as fh: impersonated_credentials_info = json.load(fh) impersonated_credentials_info[ "service_account_impersonation_url" ] = "something_wrong" jsonfile = tmpdir.join("invalid.json") jsonfile.write(json.dumps(impersonated_credentials_info)) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(str(jsonfile)) assert excinfo.match(r"Cannot extract target principal") def test_load_credentials_from_file_impersonated_wrong_source_type(tmpdir): with open(IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE) as fh: impersonated_credentials_info = json.load(fh) impersonated_credentials_info["source_credentials"]["type"] = "external_account" jsonfile = tmpdir.join("invalid.json") jsonfile.write(json.dumps(impersonated_credentials_info)) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(str(jsonfile)) assert excinfo.match(r"source credential of type external_account is not supported") @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_identity_pool( get_project_id, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_DATA)) credentials, project_id = _default.load_credentials_from_file(str(config_file)) assert isinstance(credentials, identity_pool.Credentials) # Since no scopes are specified, the project ID cannot be determined. assert project_id is None assert get_project_id.called @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_aws(get_project_id, tmpdir): config_file = tmpdir.join("config.json") config_file.write(json.dumps(AWS_DATA)) credentials, project_id = _default.load_credentials_from_file(str(config_file)) assert isinstance(credentials, aws.Credentials) # Since no scopes are specified, the project ID cannot be determined. assert project_id is None assert get_project_id.called @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_identity_pool_impersonated( get_project_id, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_DATA)) credentials, project_id = _default.load_credentials_from_file(str(config_file)) assert isinstance(credentials, identity_pool.Credentials) assert not credentials.is_user assert not credentials.is_workforce_pool # Since no scopes are specified, the project ID cannot be determined. assert project_id is None assert get_project_id.called @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_aws_impersonated( get_project_id, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IMPERSONATED_AWS_DATA)) credentials, project_id = _default.load_credentials_from_file(str(config_file)) assert isinstance(credentials, aws.Credentials) assert not credentials.is_user assert not credentials.is_workforce_pool # Since no scopes are specified, the project ID cannot be determined. assert project_id is None assert get_project_id.called @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_workforce(get_project_id, tmpdir): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_WORKFORCE_DATA)) credentials, project_id = _default.load_credentials_from_file(str(config_file)) assert isinstance(credentials, identity_pool.Credentials) assert credentials.is_user assert credentials.is_workforce_pool # Since no scopes are specified, the project ID cannot be determined. assert project_id is None assert get_project_id.called @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_workforce_impersonated( get_project_id, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_WORKFORCE_DATA)) credentials, project_id = _default.load_credentials_from_file(str(config_file)) assert isinstance(credentials, identity_pool.Credentials) assert not credentials.is_user assert credentials.is_workforce_pool # Since no scopes are specified, the project ID cannot be determined. assert project_id is None assert get_project_id.called @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_with_user_and_default_scopes( get_project_id, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_DATA)) credentials, project_id = _default.load_credentials_from_file( str(config_file), scopes=["https://www.google.com/calendar/feeds"], default_scopes=["https://www.googleapis.com/auth/cloud-platform"], ) assert isinstance(credentials, identity_pool.Credentials) # Since scopes are specified, the project ID can be determined. assert project_id is mock.sentinel.project_id assert credentials.scopes == ["https://www.google.com/calendar/feeds"] assert credentials.default_scopes == [ "https://www.googleapis.com/auth/cloud-platform" ] @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_with_quota_project( get_project_id, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_DATA)) credentials, project_id = _default.load_credentials_from_file( str(config_file), quota_project_id="project-foo" ) assert isinstance(credentials, identity_pool.Credentials) # Since no scopes are specified, the project ID cannot be determined. assert project_id is None assert credentials.quota_project_id == "project-foo" def test_load_credentials_from_file_external_account_bad_format(tmpdir): filename = tmpdir.join("external_account_bad.json") filename.write(json.dumps({"type": "external_account"})) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(str(filename)) assert excinfo.match( "Failed to load external account credentials from {}".format(str(filename)) ) @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_file_external_account_explicit_request( get_project_id, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_DATA)) credentials, project_id = _default.load_credentials_from_file( str(config_file), request=mock.sentinel.request, scopes=["https://www.googleapis.com/auth/cloud-platform"], ) assert isinstance(credentials, identity_pool.Credentials) # Since scopes are specified, the project ID can be determined. assert project_id is mock.sentinel.project_id get_project_id.assert_called_with(credentials, request=mock.sentinel.request) @mock.patch.dict(os.environ, {}, clear=True) def test__get_explicit_environ_credentials_no_env(): assert _default._get_explicit_environ_credentials() == (None, None) def test_load_credentials_from_file_external_account_authorized_user(): credentials, project_id = _default.load_credentials_from_file( EXTERNAL_ACCOUNT_AUTHORIZED_USER_FILE, request=mock.sentinel.request ) assert isinstance(credentials, external_account_authorized_user.Credentials) assert project_id is None def test_load_credentials_from_file_external_account_authorized_user_bad_format(tmpdir): filename = tmpdir.join("external_account_authorized_user_bad.json") filename.write(json.dumps({"type": "external_account_authorized_user"})) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.load_credentials_from_file(str(filename)) assert excinfo.match( "Failed to load external account authorized user credentials from {}".format( str(filename) ) ) @pytest.mark.parametrize("quota_project_id", [None, "project-foo"]) @LOAD_FILE_PATCH def test__get_explicit_environ_credentials(load, quota_project_id, monkeypatch): monkeypatch.setenv(environment_vars.CREDENTIALS, "filename") credentials, project_id = _default._get_explicit_environ_credentials( quota_project_id=quota_project_id ) assert credentials is MOCK_CREDENTIALS assert project_id is mock.sentinel.project_id load.assert_called_with("filename", quota_project_id=quota_project_id) @LOAD_FILE_PATCH def test__get_explicit_environ_credentials_no_project_id(load, monkeypatch): load.return_value = MOCK_CREDENTIALS, None monkeypatch.setenv(environment_vars.CREDENTIALS, "filename") credentials, project_id = _default._get_explicit_environ_credentials() assert credentials is MOCK_CREDENTIALS assert project_id is None @pytest.mark.parametrize("quota_project_id", [None, "project-foo"]) @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) @mock.patch("google.auth._default._get_gcloud_sdk_credentials", autospec=True) def test__get_explicit_environ_credentials_fallback_to_gcloud( get_gcloud_creds, get_adc_path, quota_project_id, monkeypatch ): # Set explicit credentials path to cloud sdk credentials path. get_adc_path.return_value = "filename" monkeypatch.setenv(environment_vars.CREDENTIALS, "filename") _default._get_explicit_environ_credentials(quota_project_id=quota_project_id) # Check we fall back to cloud sdk flow since explicit credentials path is # cloud sdk credentials path get_gcloud_creds.assert_called_with(quota_project_id=quota_project_id) @pytest.mark.parametrize("quota_project_id", [None, "project-foo"]) @LOAD_FILE_PATCH @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test__get_gcloud_sdk_credentials(get_adc_path, load, quota_project_id): get_adc_path.return_value = SERVICE_ACCOUNT_FILE credentials, project_id = _default._get_gcloud_sdk_credentials( quota_project_id=quota_project_id ) assert credentials is MOCK_CREDENTIALS assert project_id is mock.sentinel.project_id load.assert_called_with(SERVICE_ACCOUNT_FILE, quota_project_id=quota_project_id) @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test__get_gcloud_sdk_credentials_non_existent(get_adc_path, tmpdir): non_existent = tmpdir.join("non-existent") get_adc_path.return_value = str(non_existent) credentials, project_id = _default._get_gcloud_sdk_credentials() assert credentials is None assert project_id is None @mock.patch( "google.auth._cloud_sdk.get_project_id", return_value=mock.sentinel.project_id, autospec=True, ) @mock.patch("os.path.isfile", return_value=True, autospec=True) @LOAD_FILE_PATCH def test__get_gcloud_sdk_credentials_project_id(load, unused_isfile, get_project_id): # Don't return a project ID from load file, make the function check # the Cloud SDK project. load.return_value = MOCK_CREDENTIALS, None credentials, project_id = _default._get_gcloud_sdk_credentials() assert credentials == MOCK_CREDENTIALS assert project_id == mock.sentinel.project_id assert get_project_id.called @mock.patch("google.auth._cloud_sdk.get_project_id", return_value=None, autospec=True) @mock.patch("os.path.isfile", return_value=True) @LOAD_FILE_PATCH def test__get_gcloud_sdk_credentials_no_project_id(load, unused_isfile, get_project_id): # Don't return a project ID from load file, make the function check # the Cloud SDK project. load.return_value = MOCK_CREDENTIALS, None credentials, project_id = _default._get_gcloud_sdk_credentials() assert credentials == MOCK_CREDENTIALS assert project_id is None assert get_project_id.called def test__get_gdch_service_account_credentials_invalid_format_version(): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default._get_gdch_service_account_credentials( "file_name", {"format_version": "2"} ) assert excinfo.match("Failed to load GDCH service account credentials") def test_get_api_key_credentials(): creds = _default.get_api_key_credentials("api_key") assert isinstance(creds, api_key.Credentials) assert creds.token == "api_key" class _AppIdentityModule(object): """The interface of the App Idenity app engine module. See https://cloud.google.com/appengine/docs/standard/python/refdocs\ /google.appengine.api.app_identity.app_identity """ def get_application_id(self): raise NotImplementedError() @pytest.fixture def app_identity(monkeypatch): """Mocks the app_identity module for google.auth.app_engine.""" app_identity_module = mock.create_autospec(_AppIdentityModule, instance=True) monkeypatch.setattr(app_engine, "app_identity", app_identity_module) yield app_identity_module @mock.patch.dict(os.environ) def test__get_gae_credentials_gen1(app_identity): os.environ[environment_vars.LEGACY_APPENGINE_RUNTIME] = "python27" app_identity.get_application_id.return_value = mock.sentinel.project credentials, project_id = _default._get_gae_credentials() assert isinstance(credentials, app_engine.Credentials) assert project_id == mock.sentinel.project @mock.patch.dict(os.environ) def test__get_gae_credentials_gen2(): os.environ["GAE_RUNTIME"] = "python37" credentials, project_id = _default._get_gae_credentials() assert credentials is None assert project_id is None @mock.patch.dict(os.environ) def test__get_gae_credentials_gen2_backwards_compat(): # compat helpers may copy GAE_RUNTIME to APPENGINE_RUNTIME # for backwards compatibility with code that relies on it os.environ[environment_vars.LEGACY_APPENGINE_RUNTIME] = "python37" os.environ["GAE_RUNTIME"] = "python37" credentials, project_id = _default._get_gae_credentials() assert credentials is None assert project_id is None def test__get_gae_credentials_env_unset(): assert environment_vars.LEGACY_APPENGINE_RUNTIME not in os.environ assert "GAE_RUNTIME" not in os.environ credentials, project_id = _default._get_gae_credentials() assert credentials is None assert project_id is None @mock.patch.dict(os.environ) def test__get_gae_credentials_no_app_engine(): # test both with and without LEGACY_APPENGINE_RUNTIME setting assert environment_vars.LEGACY_APPENGINE_RUNTIME not in os.environ import sys with mock.patch.dict(sys.modules, {"google.auth.app_engine": None}): credentials, project_id = _default._get_gae_credentials() assert credentials is None assert project_id is None os.environ[environment_vars.LEGACY_APPENGINE_RUNTIME] = "python27" credentials, project_id = _default._get_gae_credentials() assert credentials is None assert project_id is None @mock.patch.dict(os.environ) @mock.patch.object(app_engine, "app_identity", new=None) def test__get_gae_credentials_no_apis(): # test both with and without LEGACY_APPENGINE_RUNTIME setting assert environment_vars.LEGACY_APPENGINE_RUNTIME not in os.environ credentials, project_id = _default._get_gae_credentials() assert credentials is None assert project_id is None os.environ[environment_vars.LEGACY_APPENGINE_RUNTIME] = "python27" credentials, project_id = _default._get_gae_credentials() assert credentials is None assert project_id is None @mock.patch( "google.auth.compute_engine._metadata.is_on_gce", return_value=True, autospec=True ) @mock.patch( "google.auth.compute_engine._metadata.get_project_id", return_value="example-project", autospec=True, ) def test__get_gce_credentials(unused_get, unused_ping): credentials, project_id = _default._get_gce_credentials() assert isinstance(credentials, compute_engine.Credentials) assert project_id == "example-project" @mock.patch( "google.auth.compute_engine._metadata.is_on_gce", return_value=False, autospec=True ) def test__get_gce_credentials_no_ping(unused_ping): credentials, project_id = _default._get_gce_credentials() assert credentials is None assert project_id is None @mock.patch( "google.auth.compute_engine._metadata.is_on_gce", return_value=True, autospec=True ) @mock.patch( "google.auth.compute_engine._metadata.get_project_id", side_effect=exceptions.TransportError(), autospec=True, ) def test__get_gce_credentials_no_project_id(unused_get, unused_ping): credentials, project_id = _default._get_gce_credentials() assert isinstance(credentials, compute_engine.Credentials) assert project_id is None def test__get_gce_credentials_no_compute_engine(): import sys with mock.patch.dict("sys.modules"): sys.modules["google.auth.compute_engine"] = None credentials, project_id = _default._get_gce_credentials() assert credentials is None assert project_id is None @mock.patch( "google.auth.compute_engine._metadata.is_on_gce", return_value=False, autospec=True ) def test__get_gce_credentials_explicit_request(ping): _default._get_gce_credentials(mock.sentinel.request) ping.assert_called_with(request=mock.sentinel.request) @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id), autospec=True, ) def test_default_early_out(unused_get): assert _default.default() == (MOCK_CREDENTIALS, mock.sentinel.project_id) @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id), autospec=True, ) def test_default_explict_project_id(unused_get, monkeypatch): monkeypatch.setenv(environment_vars.PROJECT, "explicit-env") assert _default.default() == (MOCK_CREDENTIALS, "explicit-env") @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id), autospec=True, ) def test_default_explict_legacy_project_id(unused_get, monkeypatch): monkeypatch.setenv(environment_vars.LEGACY_PROJECT, "explicit-env") assert _default.default() == (MOCK_CREDENTIALS, "explicit-env") @mock.patch("logging.Logger.warning", autospec=True) @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(MOCK_CREDENTIALS, None), autospec=True, ) @mock.patch( "google.auth._default._get_gcloud_sdk_credentials", return_value=(MOCK_CREDENTIALS, None), autospec=True, ) @mock.patch( "google.auth._default._get_gae_credentials", return_value=(MOCK_CREDENTIALS, None), autospec=True, ) @mock.patch( "google.auth._default._get_gce_credentials", return_value=(MOCK_CREDENTIALS, None), autospec=True, ) def test_default_without_project_id( unused_gce, unused_gae, unused_sdk, unused_explicit, logger_warning ): assert _default.default() == (MOCK_CREDENTIALS, None) logger_warning.assert_called_with(mock.ANY, mock.ANY, mock.ANY) @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(None, None), autospec=True, ) @mock.patch( "google.auth._default._get_gcloud_sdk_credentials", return_value=(None, None), autospec=True, ) @mock.patch( "google.auth._default._get_gae_credentials", return_value=(None, None), autospec=True, ) @mock.patch( "google.auth._default._get_gce_credentials", return_value=(None, None), autospec=True, ) def test_default_fail(unused_gce, unused_gae, unused_sdk, unused_explicit): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: assert _default.default() assert excinfo.match(_default._CLOUD_SDK_MISSING_CREDENTIALS) @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id), autospec=True, ) @mock.patch( "google.auth.credentials.with_scopes_if_required", return_value=MOCK_CREDENTIALS, autospec=True, ) def test_default_scoped(with_scopes, unused_get): scopes = ["one", "two"] credentials, project_id = _default.default(scopes=scopes) assert credentials == with_scopes.return_value assert project_id == mock.sentinel.project_id with_scopes.assert_called_once_with(MOCK_CREDENTIALS, scopes, default_scopes=None) @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id), autospec=True, ) def test_default_quota_project(with_quota_project): credentials, project_id = _default.default(quota_project_id="project-foo") MOCK_CREDENTIALS.with_quota_project.assert_called_once_with("project-foo") assert project_id == mock.sentinel.project_id @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id), autospec=True, ) def test_default_no_app_engine_compute_engine_module(unused_get): """ google.auth.compute_engine and google.auth.app_engine are both optional to allow not including them when using this package. This verifies that default fails gracefully if these modules are absent """ import sys with mock.patch.dict("sys.modules"): sys.modules["google.auth.compute_engine"] = None sys.modules["google.auth.app_engine"] = None assert _default.default() == (MOCK_CREDENTIALS, mock.sentinel.project_id) @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_default_environ_external_credentials_identity_pool( get_project_id, monkeypatch, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default() assert isinstance(credentials, identity_pool.Credentials) assert not credentials.is_user assert not credentials.is_workforce_pool # Without scopes, project ID cannot be determined. assert project_id is None @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_default_environ_external_credentials_identity_pool_impersonated( get_project_id, monkeypatch, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default( scopes=["https://www.google.com/calendar/feeds"] ) assert isinstance(credentials, identity_pool.Credentials) assert not credentials.is_user assert not credentials.is_workforce_pool assert project_id is mock.sentinel.project_id assert credentials.scopes == ["https://www.google.com/calendar/feeds"] # The credential.get_project_id should have been used in _get_external_account_credentials and default assert get_project_id.call_count == 2 @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH @mock.patch.dict(os.environ) def test_default_environ_external_credentials_project_from_env( get_project_id, monkeypatch, tmpdir ): project_from_env = "project_from_env" os.environ[environment_vars.PROJECT] = project_from_env config_file = tmpdir.join("config.json") config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default( scopes=["https://www.google.com/calendar/feeds"] ) assert isinstance(credentials, identity_pool.Credentials) assert not credentials.is_user assert not credentials.is_workforce_pool assert project_id == project_from_env assert credentials.scopes == ["https://www.google.com/calendar/feeds"] # The credential.get_project_id should have been used only in _get_external_account_credentials assert get_project_id.call_count == 1 @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH @mock.patch.dict(os.environ) def test_default_environ_external_credentials_legacy_project_from_env( get_project_id, monkeypatch, tmpdir ): project_from_env = "project_from_env" os.environ[environment_vars.LEGACY_PROJECT] = project_from_env config_file = tmpdir.join("config.json") config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default( scopes=["https://www.google.com/calendar/feeds"] ) assert isinstance(credentials, identity_pool.Credentials) assert not credentials.is_user assert not credentials.is_workforce_pool assert project_id == project_from_env assert credentials.scopes == ["https://www.google.com/calendar/feeds"] # The credential.get_project_id should have been used only in _get_external_account_credentials assert get_project_id.call_count == 1 @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_default_environ_external_credentials_aws_impersonated( get_project_id, monkeypatch, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IMPERSONATED_AWS_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default( scopes=["https://www.google.com/calendar/feeds"] ) assert isinstance(credentials, aws.Credentials) assert not credentials.is_user assert not credentials.is_workforce_pool assert project_id is mock.sentinel.project_id assert credentials.scopes == ["https://www.google.com/calendar/feeds"] @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_default_environ_external_credentials_workforce( get_project_id, monkeypatch, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_WORKFORCE_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default( scopes=["https://www.google.com/calendar/feeds"] ) assert isinstance(credentials, identity_pool.Credentials) assert credentials.is_user assert credentials.is_workforce_pool assert project_id is mock.sentinel.project_id assert credentials.scopes == ["https://www.google.com/calendar/feeds"] @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_default_environ_external_credentials_workforce_impersonated( get_project_id, monkeypatch, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_WORKFORCE_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default( scopes=["https://www.google.com/calendar/feeds"] ) assert isinstance(credentials, identity_pool.Credentials) assert not credentials.is_user assert credentials.is_workforce_pool assert project_id is mock.sentinel.project_id assert credentials.scopes == ["https://www.google.com/calendar/feeds"] @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_default_environ_external_credentials_with_user_and_default_scopes_and_quota_project_id( get_project_id, monkeypatch, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default( scopes=["https://www.google.com/calendar/feeds"], default_scopes=["https://www.googleapis.com/auth/cloud-platform"], quota_project_id="project-foo", ) assert isinstance(credentials, identity_pool.Credentials) assert project_id is mock.sentinel.project_id assert credentials.quota_project_id == "project-foo" assert credentials.scopes == ["https://www.google.com/calendar/feeds"] assert credentials.default_scopes == [ "https://www.googleapis.com/auth/cloud-platform" ] @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_default_environ_external_credentials_explicit_request_with_scopes( get_project_id, monkeypatch, tmpdir ): config_file = tmpdir.join("config.json") config_file.write(json.dumps(IDENTITY_POOL_DATA)) monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file)) credentials, project_id = _default.default( request=mock.sentinel.request, scopes=["https://www.googleapis.com/auth/cloud-platform"], ) assert isinstance(credentials, identity_pool.Credentials) assert project_id is mock.sentinel.project_id # default() will initialize new credentials via with_scopes_if_required # and potentially with_quota_project. # As a result the caller of get_project_id() will not match the returned # credentials. get_project_id.assert_called_with(mock.ANY, request=mock.sentinel.request) def test_default_environ_external_credentials_bad_format(monkeypatch, tmpdir): filename = tmpdir.join("external_account_bad.json") filename.write(json.dumps({"type": "external_account"})) monkeypatch.setenv(environment_vars.CREDENTIALS, str(filename)) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: _default.default() assert excinfo.match( "Failed to load external account credentials from {}".format(str(filename)) ) @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test_default_warning_without_quota_project_id_for_user_creds(get_adc_path): get_adc_path.return_value = AUTHORIZED_USER_CLOUD_SDK_FILE with pytest.warns(UserWarning, match=_default._CLOUD_SDK_CREDENTIALS_WARNING): credentials, project_id = _default.default(quota_project_id=None) @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test_default_no_warning_with_quota_project_id_for_user_creds(get_adc_path): get_adc_path.return_value = AUTHORIZED_USER_CLOUD_SDK_FILE credentials, project_id = _default.default(quota_project_id="project-foo") @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test_default_impersonated_service_account(get_adc_path): get_adc_path.return_value = IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE credentials, _ = _default.default() assert isinstance(credentials, impersonated_credentials.Credentials) assert isinstance( credentials._source_credentials, google.oauth2.credentials.Credentials ) assert credentials.service_account_email == "service-account-target@example.com" assert credentials._delegates == ["service-account-delegate@example.com"] assert not credentials._quota_project_id assert not credentials._target_scopes @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test_default_impersonated_service_account_set_scopes(get_adc_path): get_adc_path.return_value = IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE scopes = ["scope1", "scope2"] credentials, _ = _default.default(scopes=scopes) assert credentials._target_scopes == scopes @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test_default_impersonated_service_account_set_default_scopes(get_adc_path): get_adc_path.return_value = IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE default_scopes = ["scope1", "scope2"] credentials, _ = _default.default(default_scopes=default_scopes) assert credentials._target_scopes == default_scopes @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test_default_impersonated_service_account_set_both_scopes_and_default_scopes( get_adc_path ): get_adc_path.return_value = IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE scopes = ["scope1", "scope2"] default_scopes = ["scope3", "scope4"] credentials, _ = _default.default(scopes=scopes, default_scopes=default_scopes) assert credentials._target_scopes == scopes @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH def test_load_credentials_from_external_account_pluggable(get_project_id, tmpdir): config_file = tmpdir.join("config.json") config_file.write(json.dumps(PLUGGABLE_DATA)) credentials, project_id = _default.load_credentials_from_file(str(config_file)) assert isinstance(credentials, pluggable.Credentials) # Since no scopes are specified, the project ID cannot be determined. assert project_id is None assert get_project_id.called @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test_default_gdch_service_account_credentials(get_adc_path): get_adc_path.return_value = GDCH_SERVICE_ACCOUNT_FILE creds, project = _default.default(quota_project_id="project-foo") assert isinstance(creds, gdch_credentials.ServiceAccountCredentials) assert creds._service_identity_name == "service_identity_name" assert creds._audience is None assert creds._token_uri == "https://service-identity.<Domain>/authenticate" assert creds._ca_cert_path == "/path/to/ca/cert" assert project == "project_foo" @mock.patch.dict(os.environ) @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) def test_quota_project_from_environment(get_adc_path): get_adc_path.return_value = AUTHORIZED_USER_CLOUD_SDK_WITH_QUOTA_PROJECT_ID_FILE credentials, _ = _default.default(quota_project_id=None) assert credentials.quota_project_id == "quota_project_id" quota_from_env = "quota_from_env" os.environ[environment_vars.GOOGLE_CLOUD_QUOTA_PROJECT] = quota_from_env credentials, _ = _default.default(quota_project_id=None) assert credentials.quota_project_id == quota_from_env explicit_quota = "explicit_quota" credentials, _ = _default.default(quota_project_id=explicit_quota) assert credentials.quota_project_id == explicit_quota @mock.patch( "google.auth.compute_engine._metadata.is_on_gce", return_value=True, autospec=True ) @mock.patch( "google.auth.compute_engine._metadata.get_project_id", return_value="example-project", autospec=True, ) @mock.patch.dict(os.environ) def test_quota_gce_credentials(unused_get, unused_ping): # No quota credentials, project_id = _default._get_gce_credentials() assert project_id == "example-project" assert credentials.quota_project_id is None # Quota from environment quota_from_env = "quota_from_env" os.environ[environment_vars.GOOGLE_CLOUD_QUOTA_PROJECT] = quota_from_env credentials, project_id = _default._get_gce_credentials() assert credentials.quota_project_id == quota_from_env # Explicit quota explicit_quota = "explicit_quota" credentials, project_id = _default._get_gce_credentials( quota_project_id=explicit_quota ) assert credentials.quota_project_id == explicit_quota ��oauth2/test_sts.py��0000644��00000043777�15025175543�0010221 0��ustar�00��# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import http.client as http_client import json import urllib import mock import pytest # type: ignore from google.auth import exceptions from google.auth import transport from google.oauth2 import sts from google.oauth2 import utils CLIENT_ID = "username" CLIENT_SECRET = "password" # Base64 encoding of "username:password" BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ=" class TestStsClient(object): GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange" RESOURCE = "https://api.example.com/" AUDIENCE = "urn:example:cooperation-context" SCOPES = ["scope1", "scope2"] REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token" SUBJECT_TOKEN = "HEADER.SUBJECT_TOKEN_PAYLOAD.SIGNATURE" SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt" ACTOR_TOKEN = "HEADER.ACTOR_TOKEN_PAYLOAD.SIGNATURE" ACTOR_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt" TOKEN_EXCHANGE_ENDPOINT = "https://example.com/token.oauth2" ADDON_HEADERS = {"x-client-version": "0.1.2"} ADDON_OPTIONS = {"additional": {"non-standard": ["options"], "other": "some-value"}} SUCCESS_RESPONSE = { "access_token": "ACCESS_TOKEN", "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 3600, "scope": "scope1 scope2", } SUCCESS_RESPONSE_WITH_REFRESH = { "access_token": "abc", "refresh_token": "xyz", "expires_in": 3600, } ERROR_RESPONSE = { "error": "invalid_request", "error_description": "Invalid subject token", "error_uri": "https://tools.ietf.org/html/rfc6749", } CLIENT_AUTH_BASIC = utils.ClientAuthentication( utils.ClientAuthType.basic, CLIENT_ID, CLIENT_SECRET ) CLIENT_AUTH_REQUEST_BODY = utils.ClientAuthentication( utils.ClientAuthType.request_body, CLIENT_ID, CLIENT_SECRET ) @classmethod def make_client(cls, client_auth=None): return sts.Client(cls.TOKEN_EXCHANGE_ENDPOINT, client_auth) @classmethod def make_mock_request(cls, data, status=http_client.OK): response = mock.create_autospec(transport.Response, instance=True) response.status = status response.data = json.dumps(data).encode("utf-8") request = mock.create_autospec(transport.Request) request.return_value = response return request @classmethod def assert_request_kwargs(cls, request_kwargs, headers, request_data): """Asserts the request was called with the expected parameters. """ assert request_kwargs["url"] == cls.TOKEN_EXCHANGE_ENDPOINT assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None body_tuples = urllib.parse.parse_qsl(request_kwargs["body"]) for (k, v) in body_tuples: assert v.decode("utf-8") == request_data[k.decode("utf-8")] assert len(body_tuples) == len(request_data.keys()) def test_exchange_token_full_success_without_auth(self): """Test token exchange success without client authentication using full parameters. """ client = self.make_client() headers = self.ADDON_HEADERS.copy() headers["Content-Type"] = "application/x-www-form-urlencoded" request_data = { "grant_type": self.GRANT_TYPE, "resource": self.RESOURCE, "audience": self.AUDIENCE, "scope": " ".join(self.SCOPES), "requested_token_type": self.REQUESTED_TOKEN_TYPE, "subject_token": self.SUBJECT_TOKEN, "subject_token_type": self.SUBJECT_TOKEN_TYPE, "actor_token": self.ACTOR_TOKEN, "actor_token_type": self.ACTOR_TOKEN_TYPE, "options": urllib.parse.quote(json.dumps(self.ADDON_OPTIONS)), } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) response = client.exchange_token( request, self.GRANT_TYPE, self.SUBJECT_TOKEN, self.SUBJECT_TOKEN_TYPE, self.RESOURCE, self.AUDIENCE, self.SCOPES, self.REQUESTED_TOKEN_TYPE, self.ACTOR_TOKEN, self.ACTOR_TOKEN_TYPE, self.ADDON_OPTIONS, self.ADDON_HEADERS, ) self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE def test_exchange_token_partial_success_without_auth(self): """Test token exchange success without client authentication using partial (required only) parameters. """ client = self.make_client() headers = {"Content-Type": "application/x-www-form-urlencoded"} request_data = { "grant_type": self.GRANT_TYPE, "audience": self.AUDIENCE, "requested_token_type": self.REQUESTED_TOKEN_TYPE, "subject_token": self.SUBJECT_TOKEN, "subject_token_type": self.SUBJECT_TOKEN_TYPE, } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) response = client.exchange_token( request, grant_type=self.GRANT_TYPE, subject_token=self.SUBJECT_TOKEN, subject_token_type=self.SUBJECT_TOKEN_TYPE, audience=self.AUDIENCE, requested_token_type=self.REQUESTED_TOKEN_TYPE, ) self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE def test_exchange_token_non200_without_auth(self): """Test token exchange without client auth responding with non-200 status. """ client = self.make_client() request = self.make_mock_request( status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE ) with pytest.raises(exceptions.OAuthError) as excinfo: client.exchange_token( request, self.GRANT_TYPE, self.SUBJECT_TOKEN, self.SUBJECT_TOKEN_TYPE, self.RESOURCE, self.AUDIENCE, self.SCOPES, self.REQUESTED_TOKEN_TYPE, self.ACTOR_TOKEN, self.ACTOR_TOKEN_TYPE, self.ADDON_OPTIONS, self.ADDON_HEADERS, ) assert excinfo.match( r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749" ) def test_exchange_token_full_success_with_basic_auth(self): """Test token exchange success with basic client authentication using full parameters. """ client = self.make_client(self.CLIENT_AUTH_BASIC) headers = self.ADDON_HEADERS.copy() headers["Content-Type"] = "application/x-www-form-urlencoded" headers["Authorization"] = "Basic {}".format(BASIC_AUTH_ENCODING) request_data = { "grant_type": self.GRANT_TYPE, "resource": self.RESOURCE, "audience": self.AUDIENCE, "scope": " ".join(self.SCOPES), "requested_token_type": self.REQUESTED_TOKEN_TYPE, "subject_token": self.SUBJECT_TOKEN, "subject_token_type": self.SUBJECT_TOKEN_TYPE, "actor_token": self.ACTOR_TOKEN, "actor_token_type": self.ACTOR_TOKEN_TYPE, "options": urllib.parse.quote(json.dumps(self.ADDON_OPTIONS)), } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) response = client.exchange_token( request, self.GRANT_TYPE, self.SUBJECT_TOKEN, self.SUBJECT_TOKEN_TYPE, self.RESOURCE, self.AUDIENCE, self.SCOPES, self.REQUESTED_TOKEN_TYPE, self.ACTOR_TOKEN, self.ACTOR_TOKEN_TYPE, self.ADDON_OPTIONS, self.ADDON_HEADERS, ) self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE def test_exchange_token_partial_success_with_basic_auth(self): """Test token exchange success with basic client authentication using partial (required only) parameters. """ client = self.make_client(self.CLIENT_AUTH_BASIC) headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic {}".format(BASIC_AUTH_ENCODING), } request_data = { "grant_type": self.GRANT_TYPE, "audience": self.AUDIENCE, "requested_token_type": self.REQUESTED_TOKEN_TYPE, "subject_token": self.SUBJECT_TOKEN, "subject_token_type": self.SUBJECT_TOKEN_TYPE, } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) response = client.exchange_token( request, grant_type=self.GRANT_TYPE, subject_token=self.SUBJECT_TOKEN, subject_token_type=self.SUBJECT_TOKEN_TYPE, audience=self.AUDIENCE, requested_token_type=self.REQUESTED_TOKEN_TYPE, ) self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE def test_exchange_token_non200_with_basic_auth(self): """Test token exchange with basic client auth responding with non-200 status. """ client = self.make_client(self.CLIENT_AUTH_BASIC) request = self.make_mock_request( status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE ) with pytest.raises(exceptions.OAuthError) as excinfo: client.exchange_token( request, self.GRANT_TYPE, self.SUBJECT_TOKEN, self.SUBJECT_TOKEN_TYPE, self.RESOURCE, self.AUDIENCE, self.SCOPES, self.REQUESTED_TOKEN_TYPE, self.ACTOR_TOKEN, self.ACTOR_TOKEN_TYPE, self.ADDON_OPTIONS, self.ADDON_HEADERS, ) assert excinfo.match( r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749" ) def test_exchange_token_full_success_with_reqbody_auth(self): """Test token exchange success with request body client authenticaiton using full parameters. """ client = self.make_client(self.CLIENT_AUTH_REQUEST_BODY) headers = self.ADDON_HEADERS.copy() headers["Content-Type"] = "application/x-www-form-urlencoded" request_data = { "grant_type": self.GRANT_TYPE, "resource": self.RESOURCE, "audience": self.AUDIENCE, "scope": " ".join(self.SCOPES), "requested_token_type": self.REQUESTED_TOKEN_TYPE, "subject_token": self.SUBJECT_TOKEN, "subject_token_type": self.SUBJECT_TOKEN_TYPE, "actor_token": self.ACTOR_TOKEN, "actor_token_type": self.ACTOR_TOKEN_TYPE, "options": urllib.parse.quote(json.dumps(self.ADDON_OPTIONS)), "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) response = client.exchange_token( request, self.GRANT_TYPE, self.SUBJECT_TOKEN, self.SUBJECT_TOKEN_TYPE, self.RESOURCE, self.AUDIENCE, self.SCOPES, self.REQUESTED_TOKEN_TYPE, self.ACTOR_TOKEN, self.ACTOR_TOKEN_TYPE, self.ADDON_OPTIONS, self.ADDON_HEADERS, ) self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE def test_exchange_token_partial_success_with_reqbody_auth(self): """Test token exchange success with request body client authentication using partial (required only) parameters. """ client = self.make_client(self.CLIENT_AUTH_REQUEST_BODY) headers = {"Content-Type": "application/x-www-form-urlencoded"} request_data = { "grant_type": self.GRANT_TYPE, "audience": self.AUDIENCE, "requested_token_type": self.REQUESTED_TOKEN_TYPE, "subject_token": self.SUBJECT_TOKEN, "subject_token_type": self.SUBJECT_TOKEN_TYPE, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, } request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) response = client.exchange_token( request, grant_type=self.GRANT_TYPE, subject_token=self.SUBJECT_TOKEN, subject_token_type=self.SUBJECT_TOKEN_TYPE, audience=self.AUDIENCE, requested_token_type=self.REQUESTED_TOKEN_TYPE, ) self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE def test_exchange_token_non200_with_reqbody_auth(self): """Test token exchange with POST request body client auth responding with non-200 status. """ client = self.make_client(self.CLIENT_AUTH_REQUEST_BODY) request = self.make_mock_request( status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE ) with pytest.raises(exceptions.OAuthError) as excinfo: client.exchange_token( request, self.GRANT_TYPE, self.SUBJECT_TOKEN, self.SUBJECT_TOKEN_TYPE, self.RESOURCE, self.AUDIENCE, self.SCOPES, self.REQUESTED_TOKEN_TYPE, self.ACTOR_TOKEN, self.ACTOR_TOKEN_TYPE, self.ADDON_OPTIONS, self.ADDON_HEADERS, ) assert excinfo.match( r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749" ) def test_refresh_token_success(self): """Test refresh token with successful response.""" client = self.make_client(self.CLIENT_AUTH_BASIC) request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) response = client.refresh_token(request, "refreshtoken") headers = { "Authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ=", "Content-Type": "application/x-www-form-urlencoded", } request_data = {"grant_type": "refresh_token", "refresh_token": "refreshtoken"} self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE def test_refresh_token_success_with_refresh(self): """Test refresh token with successful response.""" client = self.make_client(self.CLIENT_AUTH_BASIC) request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE_WITH_REFRESH ) response = client.refresh_token(request, "refreshtoken") headers = { "Authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ=", "Content-Type": "application/x-www-form-urlencoded", } request_data = {"grant_type": "refresh_token", "refresh_token": "refreshtoken"} self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE_WITH_REFRESH def test_refresh_token_failure(self): """Test refresh token with failure response.""" client = self.make_client(self.CLIENT_AUTH_BASIC) request = self.make_mock_request( status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE ) with pytest.raises(exceptions.OAuthError) as excinfo: client.refresh_token(request, "refreshtoken") assert excinfo.match( r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749" ) def test__make_request_success(self): """Test base method with successful response.""" client = self.make_client(self.CLIENT_AUTH_BASIC) request = self.make_mock_request( status=http_client.OK, data=self.SUCCESS_RESPONSE ) response = client._make_request(request, {"a": "b"}, {"c": "d"}) headers = { "Authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ=", "Content-Type": "application/x-www-form-urlencoded", "a": "b", } request_data = {"c": "d"} self.assert_request_kwargs(request.call_args[1], headers, request_data) assert response == self.SUCCESS_RESPONSE def test_make_request_failure(self): """Test refresh token with failure response.""" client = self.make_client(self.CLIENT_AUTH_BASIC) request = self.make_mock_request( status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE ) with pytest.raises(exceptions.OAuthError) as excinfo: client._make_request(request, {"a": "b"}, {"c": "d"}) assert excinfo.match( r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749" ) �oauth2/test_reauth.py��0000644��00000033345�15025175543�0010666 0��ustar�00��# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import copy import mock import pytest # type: ignore from google.auth import exceptions from google.oauth2 import reauth MOCK_REQUEST = mock.Mock() CHALLENGES_RESPONSE_TEMPLATE = { "status": "CHALLENGE_REQUIRED", "sessionId": "123", "challenges": [ { "status": "READY", "challengeId": 1, "challengeType": "PASSWORD", "securityKey": {}, } ], } CHALLENGES_RESPONSE_AUTHENTICATED = { "status": "AUTHENTICATED", "sessionId": "123", "encodedProofOfReauthToken": "new_rapt_token", } REAUTH_START_METRICS_HEADER_VALUE = "gl-python/3.7 auth/1.1 auth-request-type/re-start" REAUTH_CONTINUE_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/re-cont" ) TOKEN_REQUEST_METRICS_HEADER_VALUE = "gl-python/3.7 auth/1.1 cred-type/u" class MockChallenge(object): def __init__(self, name, locally_eligible, challenge_input): self.name = name self.is_locally_eligible = locally_eligible self.challenge_input = challenge_input def obtain_challenge_input(self, metadata): return self.challenge_input def test_is_interactive(): with mock.patch("sys.stdin.isatty", return_value=True): assert reauth.is_interactive() @mock.patch( "google.auth.metrics.reauth_start", return_value=REAUTH_START_METRICS_HEADER_VALUE ) def test__get_challenges(mock_metrics_header_value): with mock.patch( "google.oauth2._client._token_endpoint_request" ) as mock_token_endpoint_request: reauth._get_challenges(MOCK_REQUEST, ["SAML"], "token") mock_token_endpoint_request.assert_called_with( MOCK_REQUEST, reauth._REAUTH_API + ":start", {"supportedChallengeTypes": ["SAML"]}, access_token="token", use_json=True, headers={"x-goog-api-client": REAUTH_START_METRICS_HEADER_VALUE}, ) @mock.patch( "google.auth.metrics.reauth_start", return_value=REAUTH_START_METRICS_HEADER_VALUE ) def test__get_challenges_with_scopes(mock_metrics_header_value): with mock.patch( "google.oauth2._client._token_endpoint_request" ) as mock_token_endpoint_request: reauth._get_challenges( MOCK_REQUEST, ["SAML"], "token", requested_scopes=["scope"] ) mock_token_endpoint_request.assert_called_with( MOCK_REQUEST, reauth._REAUTH_API + ":start", { "supportedChallengeTypes": ["SAML"], "oauthScopesForDomainPolicyLookup": ["scope"], }, access_token="token", use_json=True, headers={"x-goog-api-client": REAUTH_START_METRICS_HEADER_VALUE}, ) @mock.patch( "google.auth.metrics.reauth_continue", return_value=REAUTH_CONTINUE_METRICS_HEADER_VALUE, ) def test__send_challenge_result(mock_metrics_header_value): with mock.patch( "google.oauth2._client._token_endpoint_request" ) as mock_token_endpoint_request: reauth._send_challenge_result( MOCK_REQUEST, "123", "1", {"credential": "password"}, "token" ) mock_token_endpoint_request.assert_called_with( MOCK_REQUEST, reauth._REAUTH_API + "/123:continue", { "sessionId": "123", "challengeId": "1", "action": "RESPOND", "proposalResponse": {"credential": "password"}, }, access_token="token", use_json=True, headers={"x-goog-api-client": REAUTH_CONTINUE_METRICS_HEADER_VALUE}, ) def test__run_next_challenge_not_ready(): challenges_response = copy.deepcopy(CHALLENGES_RESPONSE_TEMPLATE) challenges_response["challenges"][0]["status"] = "STATUS_UNSPECIFIED" assert ( reauth._run_next_challenge(challenges_response, MOCK_REQUEST, "token") is None ) def test__run_next_challenge_not_supported(): challenges_response = copy.deepcopy(CHALLENGES_RESPONSE_TEMPLATE) challenges_response["challenges"][0]["challengeType"] = "CHALLENGE_TYPE_UNSPECIFIED" with pytest.raises(exceptions.ReauthFailError) as excinfo: reauth._run_next_challenge(challenges_response, MOCK_REQUEST, "token") assert excinfo.match(r"Unsupported challenge type CHALLENGE_TYPE_UNSPECIFIED") def test__run_next_challenge_not_locally_eligible(): mock_challenge = MockChallenge("PASSWORD", False, "challenge_input") with mock.patch( "google.oauth2.challenges.AVAILABLE_CHALLENGES", {"PASSWORD": mock_challenge} ): with pytest.raises(exceptions.ReauthFailError) as excinfo: reauth._run_next_challenge( CHALLENGES_RESPONSE_TEMPLATE, MOCK_REQUEST, "token" ) assert excinfo.match(r"Challenge PASSWORD is not locally eligible") def test__run_next_challenge_no_challenge_input(): mock_challenge = MockChallenge("PASSWORD", True, None) with mock.patch( "google.oauth2.challenges.AVAILABLE_CHALLENGES", {"PASSWORD": mock_challenge} ): assert ( reauth._run_next_challenge( CHALLENGES_RESPONSE_TEMPLATE, MOCK_REQUEST, "token" ) is None ) def test__run_next_challenge_success(): mock_challenge = MockChallenge("PASSWORD", True, {"credential": "password"}) with mock.patch( "google.oauth2.challenges.AVAILABLE_CHALLENGES", {"PASSWORD": mock_challenge} ): with mock.patch( "google.oauth2.reauth._send_challenge_result" ) as mock_send_challenge_result: reauth._run_next_challenge( CHALLENGES_RESPONSE_TEMPLATE, MOCK_REQUEST, "token" ) mock_send_challenge_result.assert_called_with( MOCK_REQUEST, "123", 1, {"credential": "password"}, "token" ) def test__obtain_rapt_authenticated(): with mock.patch( "google.oauth2.reauth._get_challenges", return_value=CHALLENGES_RESPONSE_AUTHENTICATED, ): assert reauth._obtain_rapt(MOCK_REQUEST, "token", None) == "new_rapt_token" def test__obtain_rapt_authenticated_after_run_next_challenge(): with mock.patch( "google.oauth2.reauth._get_challenges", return_value=CHALLENGES_RESPONSE_TEMPLATE, ): with mock.patch( "google.oauth2.reauth._run_next_challenge", side_effect=[ CHALLENGES_RESPONSE_TEMPLATE, CHALLENGES_RESPONSE_AUTHENTICATED, ], ): with mock.patch("google.oauth2.reauth.is_interactive", return_value=True): assert ( reauth._obtain_rapt(MOCK_REQUEST, "token", None) == "new_rapt_token" ) def test__obtain_rapt_unsupported_status(): challenges_response = copy.deepcopy(CHALLENGES_RESPONSE_TEMPLATE) challenges_response["status"] = "STATUS_UNSPECIFIED" with mock.patch( "google.oauth2.reauth._get_challenges", return_value=challenges_response ): with pytest.raises(exceptions.ReauthFailError) as excinfo: reauth._obtain_rapt(MOCK_REQUEST, "token", None) assert excinfo.match(r"API error: STATUS_UNSPECIFIED") def test__obtain_rapt_no_challenge_output(): challenges_response = copy.deepcopy(CHALLENGES_RESPONSE_TEMPLATE) with mock.patch( "google.oauth2.reauth._get_challenges", return_value=challenges_response ): with mock.patch("google.oauth2.reauth.is_interactive", return_value=True): with mock.patch( "google.oauth2.reauth._run_next_challenge", return_value=None ): with pytest.raises(exceptions.ReauthFailError) as excinfo: reauth._obtain_rapt(MOCK_REQUEST, "token", None) assert excinfo.match(r"Failed to obtain rapt token") def test__obtain_rapt_not_interactive(): with mock.patch( "google.oauth2.reauth._get_challenges", return_value=CHALLENGES_RESPONSE_TEMPLATE, ): with mock.patch("google.oauth2.reauth.is_interactive", return_value=False): with pytest.raises(exceptions.ReauthFailError) as excinfo: reauth._obtain_rapt(MOCK_REQUEST, "token", None) assert excinfo.match(r"not in an interactive session") def test__obtain_rapt_not_authenticated(): with mock.patch( "google.oauth2.reauth._get_challenges", return_value=CHALLENGES_RESPONSE_TEMPLATE, ): with mock.patch("google.oauth2.reauth.RUN_CHALLENGE_RETRY_LIMIT", 0): with pytest.raises(exceptions.ReauthFailError) as excinfo: reauth._obtain_rapt(MOCK_REQUEST, "token", None) assert excinfo.match(r"Reauthentication failed") def test_get_rapt_token(): with mock.patch( "google.oauth2._client.refresh_grant", return_value=("token", None, None, None) ) as mock_refresh_grant: with mock.patch( "google.oauth2.reauth._obtain_rapt", return_value="new_rapt_token" ) as mock_obtain_rapt: assert ( reauth.get_rapt_token( MOCK_REQUEST, "client_id", "client_secret", "refresh_token", "token_uri", ) == "new_rapt_token" ) mock_refresh_grant.assert_called_with( request=MOCK_REQUEST, client_id="client_id", client_secret="client_secret", refresh_token="refresh_token", token_uri="token_uri", scopes=[reauth._REAUTH_SCOPE], ) mock_obtain_rapt.assert_called_with( MOCK_REQUEST, "token", requested_scopes=None ) @mock.patch( "google.auth.metrics.token_request_user", return_value=TOKEN_REQUEST_METRICS_HEADER_VALUE, ) def test_refresh_grant_failed(mock_metrics_header_value): with mock.patch( "google.oauth2._client._token_endpoint_request_no_throw" ) as mock_token_request: mock_token_request.return_value = (False, {"error": "Bad request"}, False) with pytest.raises(exceptions.RefreshError) as excinfo: reauth.refresh_grant( MOCK_REQUEST, "token_uri", "refresh_token", "client_id", "client_secret", scopes=["foo", "bar"], rapt_token="rapt_token", enable_reauth_refresh=True, ) assert excinfo.match(r"Bad request") assert not excinfo.value.retryable mock_token_request.assert_called_with( MOCK_REQUEST, "token_uri", { "grant_type": "refresh_token", "client_id": "client_id", "client_secret": "client_secret", "refresh_token": "refresh_token", "scope": "foo bar", "rapt": "rapt_token", }, headers={"x-goog-api-client": TOKEN_REQUEST_METRICS_HEADER_VALUE}, ) def test_refresh_grant_failed_with_string_type_response(): with mock.patch( "google.oauth2._client._token_endpoint_request_no_throw" ) as mock_token_request: mock_token_request.return_value = (False, "string type error", False) with pytest.raises(exceptions.RefreshError) as excinfo: reauth.refresh_grant( MOCK_REQUEST, "token_uri", "refresh_token", "client_id", "client_secret", scopes=["foo", "bar"], rapt_token="rapt_token", enable_reauth_refresh=True, ) assert excinfo.match(r"string type error") assert not excinfo.value.retryable def test_refresh_grant_success(): with mock.patch( "google.oauth2._client._token_endpoint_request_no_throw" ) as mock_token_request: mock_token_request.side_effect = [ (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}, True), (True, {"access_token": "access_token"}, None), ] with mock.patch( "google.oauth2.reauth.get_rapt_token", return_value="new_rapt_token" ): assert reauth.refresh_grant( MOCK_REQUEST, "token_uri", "refresh_token", "client_id", "client_secret", enable_reauth_refresh=True, ) == ( "access_token", "refresh_token", None, {"access_token": "access_token"}, "new_rapt_token", ) def test_refresh_grant_reauth_refresh_disabled(): with mock.patch( "google.oauth2._client._token_endpoint_request_no_throw" ) as mock_token_request: mock_token_request.side_effect = [ (False, {"error": "invalid_grant", "error_subtype": "rapt_required"}, True), (True, {"access_token": "access_token"}, None), ] with pytest.raises(exceptions.RefreshError) as excinfo: reauth.refresh_grant( MOCK_REQUEST, "token_uri", "refresh_token", "client_id", "client_secret" ) assert excinfo.match(r"Reauthentication is needed") ��oauth2/test_credentials.py��0000644��00000106131�15025175543�0011665 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import json import os import pickle import sys import mock import pytest # type: ignore from google.auth import _helpers from google.auth import exceptions from google.auth import transport from google.oauth2 import credentials DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data") AUTH_USER_JSON_FILE = os.path.join(DATA_DIR, "authorized_user.json") with open(AUTH_USER_JSON_FILE, "r") as fh: AUTH_USER_INFO = json.load(fh) class TestCredentials(object): TOKEN_URI = "https://example.com/oauth2/token" REFRESH_TOKEN = "refresh_token" RAPT_TOKEN = "rapt_token" CLIENT_ID = "client_id" CLIENT_SECRET = "client_secret" @classmethod def make_credentials(cls): return credentials.Credentials( token=None, refresh_token=cls.REFRESH_TOKEN, token_uri=cls.TOKEN_URI, client_id=cls.CLIENT_ID, client_secret=cls.CLIENT_SECRET, rapt_token=cls.RAPT_TOKEN, enable_reauth_refresh=True, ) def test_default_state(self): credentials = self.make_credentials() assert not credentials.valid # Expiration hasn't been set yet assert not credentials.expired # Scopes aren't required for these credentials assert not credentials.requires_scopes # Test properties assert credentials.refresh_token == self.REFRESH_TOKEN assert credentials.token_uri == self.TOKEN_URI assert credentials.client_id == self.CLIENT_ID assert credentials.client_secret == self.CLIENT_SECRET assert credentials.rapt_token == self.RAPT_TOKEN assert credentials.refresh_handler is None def test_token_usage_metrics(self): credentials = self.make_credentials() credentials.token = "token" credentials.expiry = None headers = {} credentials.before_request(mock.Mock(), None, None, headers) assert headers["authorization"] == "Bearer token" assert headers["x-goog-api-client"] == "cred-type/u" def test_refresh_handler_setter_and_getter(self): scopes = ["email", "profile"] original_refresh_handler = mock.Mock(return_value=("ACCESS_TOKEN_1", None)) updated_refresh_handler = mock.Mock(return_value=("ACCESS_TOKEN_2", None)) creds = credentials.Credentials( token=None, refresh_token=None, token_uri=None, client_id=None, client_secret=None, rapt_token=None, scopes=scopes, default_scopes=None, refresh_handler=original_refresh_handler, ) assert creds.refresh_handler is original_refresh_handler creds.refresh_handler = updated_refresh_handler assert creds.refresh_handler is updated_refresh_handler creds.refresh_handler = None assert creds.refresh_handler is None def test_invalid_refresh_handler(self): scopes = ["email", "profile"] with pytest.raises(TypeError) as excinfo: credentials.Credentials( token=None, refresh_token=None, token_uri=None, client_id=None, client_secret=None, rapt_token=None, scopes=scopes, default_scopes=None, refresh_handler=object(), ) assert excinfo.match("The provided refresh_handler is not a callable or None.") @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) def test_refresh_success(self, unused_utcnow, refresh_grant): token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) grant_response = {"id_token": mock.sentinel.id_token} refresh_grant.return_value = ( # Access token token, # New refresh token None, # Expiry, expiry, # Extra data grant_response, # rapt_token new_rapt_token, ) request = mock.create_autospec(transport.Request) credentials = self.make_credentials() # Refresh credentials credentials.refresh(request) # Check jwt grant call. refresh_grant.assert_called_with( request, self.TOKEN_URI, self.REFRESH_TOKEN, self.CLIENT_ID, self.CLIENT_SECRET, None, self.RAPT_TOKEN, True, ) # Check that the credentials have the token and expiry assert credentials.token == token assert credentials.expiry == expiry assert credentials.id_token == mock.sentinel.id_token assert credentials.rapt_token == new_rapt_token # Check that the credentials are valid (have a token and are not # expired) assert credentials.valid def test_refresh_no_refresh_token(self): request = mock.create_autospec(transport.Request) credentials_ = credentials.Credentials(token=None, refresh_token=None) with pytest.raises(exceptions.RefreshError, match="necessary fields"): credentials_.refresh(request) request.assert_not_called() @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) def test_refresh_with_refresh_token_and_refresh_handler( self, unused_utcnow, refresh_grant ): token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) grant_response = {"id_token": mock.sentinel.id_token} refresh_grant.return_value = ( # Access token token, # New refresh token None, # Expiry, expiry, # Extra data grant_response, # rapt_token new_rapt_token, ) refresh_handler = mock.Mock() request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, rapt_token=self.RAPT_TOKEN, refresh_handler=refresh_handler, ) # Refresh credentials creds.refresh(request) # Check jwt grant call. refresh_grant.assert_called_with( request, self.TOKEN_URI, self.REFRESH_TOKEN, self.CLIENT_ID, self.CLIENT_SECRET, None, self.RAPT_TOKEN, False, ) # Check that the credentials have the token and expiry assert creds.token == token assert creds.expiry == expiry assert creds.id_token == mock.sentinel.id_token assert creds.rapt_token == new_rapt_token # Check that the credentials are valid (have a token and are not # expired) assert creds.valid # Assert refresh handler not called as the refresh token has # higher priority. refresh_handler.assert_not_called() @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_with_refresh_handler_success_scopes(self, unused_utcnow): expected_expiry = datetime.datetime.min + datetime.timedelta(seconds=2800) refresh_handler = mock.Mock(return_value=("ACCESS_TOKEN", expected_expiry)) scopes = ["email", "profile"] default_scopes = ["https://www.googleapis.com/auth/cloud-platform"] request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=None, token_uri=None, client_id=None, client_secret=None, rapt_token=None, scopes=scopes, default_scopes=default_scopes, refresh_handler=refresh_handler, ) creds.refresh(request) assert creds.token == "ACCESS_TOKEN" assert creds.expiry == expected_expiry assert creds.valid assert not creds.expired # Confirm refresh handler called with the expected arguments. refresh_handler.assert_called_with(request, scopes=scopes) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_with_refresh_handler_success_default_scopes(self, unused_utcnow): expected_expiry = datetime.datetime.min + datetime.timedelta(seconds=2800) original_refresh_handler = mock.Mock( return_value=("UNUSED_TOKEN", expected_expiry) ) refresh_handler = mock.Mock(return_value=("ACCESS_TOKEN", expected_expiry)) default_scopes = ["https://www.googleapis.com/auth/cloud-platform"] request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=None, token_uri=None, client_id=None, client_secret=None, rapt_token=None, scopes=None, default_scopes=default_scopes, refresh_handler=original_refresh_handler, ) # Test newly set refresh_handler is used instead of the original one. creds.refresh_handler = refresh_handler creds.refresh(request) assert creds.token == "ACCESS_TOKEN" assert creds.expiry == expected_expiry assert creds.valid assert not creds.expired # default_scopes should be used since no developer provided scopes # are provided. refresh_handler.assert_called_with(request, scopes=default_scopes) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_with_refresh_handler_invalid_token(self, unused_utcnow): expected_expiry = datetime.datetime.min + datetime.timedelta(seconds=2800) # Simulate refresh handler does not return a valid token. refresh_handler = mock.Mock(return_value=(None, expected_expiry)) scopes = ["email", "profile"] default_scopes = ["https://www.googleapis.com/auth/cloud-platform"] request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=None, token_uri=None, client_id=None, client_secret=None, rapt_token=None, scopes=scopes, default_scopes=default_scopes, refresh_handler=refresh_handler, ) with pytest.raises( exceptions.RefreshError, match="returned token is not a string" ): creds.refresh(request) assert creds.token is None assert creds.expiry is None assert not creds.valid # Confirm refresh handler called with the expected arguments. refresh_handler.assert_called_with(request, scopes=scopes) def test_refresh_with_refresh_handler_invalid_expiry(self): # Simulate refresh handler returns expiration time in an invalid unit. refresh_handler = mock.Mock(return_value=("TOKEN", 2800)) scopes = ["email", "profile"] default_scopes = ["https://www.googleapis.com/auth/cloud-platform"] request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=None, token_uri=None, client_id=None, client_secret=None, rapt_token=None, scopes=scopes, default_scopes=default_scopes, refresh_handler=refresh_handler, ) with pytest.raises( exceptions.RefreshError, match="returned expiry is not a datetime object" ): creds.refresh(request) assert creds.token is None assert creds.expiry is None assert not creds.valid # Confirm refresh handler called with the expected arguments. refresh_handler.assert_called_with(request, scopes=scopes) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_with_refresh_handler_expired_token(self, unused_utcnow): expected_expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD # Simulate refresh handler returns an expired token. refresh_handler = mock.Mock(return_value=("TOKEN", expected_expiry)) scopes = ["email", "profile"] default_scopes = ["https://www.googleapis.com/auth/cloud-platform"] request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=None, token_uri=None, client_id=None, client_secret=None, rapt_token=None, scopes=scopes, default_scopes=default_scopes, refresh_handler=refresh_handler, ) with pytest.raises(exceptions.RefreshError, match="already expired"): creds.refresh(request) assert creds.token is None assert creds.expiry is None assert not creds.valid # Confirm refresh handler called with the expected arguments. refresh_handler.assert_called_with(request, scopes=scopes) @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) def test_credentials_with_scopes_requested_refresh_success( self, unused_utcnow, refresh_grant ): scopes = ["email", "profile"] default_scopes = ["https://www.googleapis.com/auth/cloud-platform"] token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) grant_response = {"id_token": mock.sentinel.id_token, "scope": "email profile"} refresh_grant.return_value = ( # Access token token, # New refresh token None, # Expiry, expiry, # Extra data grant_response, # rapt token new_rapt_token, ) request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, scopes=scopes, default_scopes=default_scopes, rapt_token=self.RAPT_TOKEN, enable_reauth_refresh=True, ) # Refresh credentials creds.refresh(request) # Check jwt grant call. refresh_grant.assert_called_with( request, self.TOKEN_URI, self.REFRESH_TOKEN, self.CLIENT_ID, self.CLIENT_SECRET, scopes, self.RAPT_TOKEN, True, ) # Check that the credentials have the token and expiry assert creds.token == token assert creds.expiry == expiry assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(scopes) assert creds.rapt_token == new_rapt_token assert creds.granted_scopes == scopes # Check that the credentials are valid (have a token and are not # expired.) assert creds.valid @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) def test_credentials_with_only_default_scopes_requested( self, unused_utcnow, refresh_grant ): default_scopes = ["email", "profile"] token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) grant_response = {"id_token": mock.sentinel.id_token, "scope": "email profile"} refresh_grant.return_value = ( # Access token token, # New refresh token None, # Expiry, expiry, # Extra data grant_response, # rapt token new_rapt_token, ) request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, default_scopes=default_scopes, rapt_token=self.RAPT_TOKEN, enable_reauth_refresh=True, ) # Refresh credentials creds.refresh(request) # Check jwt grant call. refresh_grant.assert_called_with( request, self.TOKEN_URI, self.REFRESH_TOKEN, self.CLIENT_ID, self.CLIENT_SECRET, default_scopes, self.RAPT_TOKEN, True, ) # Check that the credentials have the token and expiry assert creds.token == token assert creds.expiry == expiry assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(default_scopes) assert creds.rapt_token == new_rapt_token assert creds.granted_scopes == default_scopes # Check that the credentials are valid (have a token and are not # expired.) assert creds.valid @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) def test_credentials_with_scopes_returned_refresh_success( self, unused_utcnow, refresh_grant ): scopes = ["email", "profile"] token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) grant_response = {"id_token": mock.sentinel.id_token, "scope": " ".join(scopes)} refresh_grant.return_value = ( # Access token token, # New refresh token None, # Expiry, expiry, # Extra data grant_response, # rapt token new_rapt_token, ) request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, scopes=scopes, rapt_token=self.RAPT_TOKEN, enable_reauth_refresh=True, ) # Refresh credentials creds.refresh(request) # Check jwt grant call. refresh_grant.assert_called_with( request, self.TOKEN_URI, self.REFRESH_TOKEN, self.CLIENT_ID, self.CLIENT_SECRET, scopes, self.RAPT_TOKEN, True, ) # Check that the credentials have the token and expiry assert creds.token == token assert creds.expiry == expiry assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(scopes) assert creds.rapt_token == new_rapt_token assert creds.granted_scopes == scopes # Check that the credentials are valid (have a token and are not # expired.) assert creds.valid @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) def test_credentials_with_only_default_scopes_requested_different_granted_scopes( self, unused_utcnow, refresh_grant ): default_scopes = ["email", "profile"] token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) grant_response = {"id_token": mock.sentinel.id_token, "scope": "email"} refresh_grant.return_value = ( # Access token token, # New refresh token None, # Expiry, expiry, # Extra data grant_response, # rapt token new_rapt_token, ) request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, default_scopes=default_scopes, rapt_token=self.RAPT_TOKEN, enable_reauth_refresh=True, ) # Refresh credentials creds.refresh(request) # Check jwt grant call. refresh_grant.assert_called_with( request, self.TOKEN_URI, self.REFRESH_TOKEN, self.CLIENT_ID, self.CLIENT_SECRET, default_scopes, self.RAPT_TOKEN, True, ) # Check that the credentials have the token and expiry assert creds.token == token assert creds.expiry == expiry assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(default_scopes) assert creds.rapt_token == new_rapt_token assert creds.granted_scopes == ["email"] # Check that the credentials are valid (have a token and are not # expired.) assert creds.valid @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True) @mock.patch( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) def test_credentials_with_scopes_refresh_different_granted_scopes( self, unused_utcnow, refresh_grant ): scopes = ["email", "profile"] scopes_returned = ["email"] token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) grant_response = { "id_token": mock.sentinel.id_token, "scope": " ".join(scopes_returned), } refresh_grant.return_value = ( # Access token token, # New refresh token None, # Expiry, expiry, # Extra data grant_response, # rapt token new_rapt_token, ) request = mock.create_autospec(transport.Request) creds = credentials.Credentials( token=None, refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, scopes=scopes, rapt_token=self.RAPT_TOKEN, enable_reauth_refresh=True, ) # Refresh credentials creds.refresh(request) # Check jwt grant call. refresh_grant.assert_called_with( request, self.TOKEN_URI, self.REFRESH_TOKEN, self.CLIENT_ID, self.CLIENT_SECRET, scopes, self.RAPT_TOKEN, True, ) # Check that the credentials have the token and expiry assert creds.token == token assert creds.expiry == expiry assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(scopes) assert creds.rapt_token == new_rapt_token assert creds.granted_scopes == scopes_returned # Check that the credentials are valid (have a token and are not # expired.) assert creds.valid def test_apply_with_quota_project_id(self): creds = credentials.Credentials( token="token", refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, quota_project_id="quota-project-123", ) headers = {} creds.apply(headers) assert headers["x-goog-user-project"] == "quota-project-123" assert "token" in headers["authorization"] def test_apply_with_no_quota_project_id(self): creds = credentials.Credentials( token="token", refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, ) headers = {} creds.apply(headers) assert "x-goog-user-project" not in headers assert "token" in headers["authorization"] def test_with_quota_project(self): creds = credentials.Credentials( token="token", refresh_token=self.REFRESH_TOKEN, token_uri=self.TOKEN_URI, client_id=self.CLIENT_ID, client_secret=self.CLIENT_SECRET, quota_project_id="quota-project-123", ) new_creds = creds.with_quota_project("new-project-456") assert new_creds.quota_project_id == "new-project-456" headers = {} creds.apply(headers) assert "x-goog-user-project" in headers def test_with_token_uri(self): info = AUTH_USER_INFO.copy() creds = credentials.Credentials.from_authorized_user_info(info) new_token_uri = "https://oauth2-eu.googleapis.com/token" assert creds._token_uri == credentials._GOOGLE_OAUTH2_TOKEN_ENDPOINT creds_with_new_token_uri = creds.with_token_uri(new_token_uri) assert creds_with_new_token_uri._token_uri == new_token_uri def test_from_authorized_user_info(self): info = AUTH_USER_INFO.copy() creds = credentials.Credentials.from_authorized_user_info(info) assert creds.client_secret == info["client_secret"] assert creds.client_id == info["client_id"] assert creds.refresh_token == info["refresh_token"] assert creds.token_uri == credentials._GOOGLE_OAUTH2_TOKEN_ENDPOINT assert creds.scopes is None scopes = ["email", "profile"] creds = credentials.Credentials.from_authorized_user_info(info, scopes) assert creds.client_secret == info["client_secret"] assert creds.client_id == info["client_id"] assert creds.refresh_token == info["refresh_token"] assert creds.token_uri == credentials._GOOGLE_OAUTH2_TOKEN_ENDPOINT assert creds.scopes == scopes info["scopes"] = "email" # single non-array scope from file creds = credentials.Credentials.from_authorized_user_info(info) assert creds.scopes == [info["scopes"]] info["scopes"] = ["email", "profile"] # array scope from file creds = credentials.Credentials.from_authorized_user_info(info) assert creds.scopes == info["scopes"] expiry = datetime.datetime(2020, 8, 14, 15, 54, 1) info["expiry"] = expiry.isoformat() + "Z" creds = credentials.Credentials.from_authorized_user_info(info) assert creds.expiry == expiry assert creds.expired def test_from_authorized_user_file(self): info = AUTH_USER_INFO.copy() creds = credentials.Credentials.from_authorized_user_file(AUTH_USER_JSON_FILE) assert creds.client_secret == info["client_secret"] assert creds.client_id == info["client_id"] assert creds.refresh_token == info["refresh_token"] assert creds.token_uri == credentials._GOOGLE_OAUTH2_TOKEN_ENDPOINT assert creds.scopes is None assert creds.rapt_token is None scopes = ["email", "profile"] creds = credentials.Credentials.from_authorized_user_file( AUTH_USER_JSON_FILE, scopes ) assert creds.client_secret == info["client_secret"] assert creds.client_id == info["client_id"] assert creds.refresh_token == info["refresh_token"] assert creds.token_uri == credentials._GOOGLE_OAUTH2_TOKEN_ENDPOINT assert creds.scopes == scopes def test_from_authorized_user_file_with_rapt_token(self): info = AUTH_USER_INFO.copy() file_path = os.path.join(DATA_DIR, "authorized_user_with_rapt_token.json") creds = credentials.Credentials.from_authorized_user_file(file_path) assert creds.client_secret == info["client_secret"] assert creds.client_id == info["client_id"] assert creds.refresh_token == info["refresh_token"] assert creds.token_uri == credentials._GOOGLE_OAUTH2_TOKEN_ENDPOINT assert creds.scopes is None assert creds.rapt_token == "rapt" def test_to_json(self): info = AUTH_USER_INFO.copy() expiry = datetime.datetime(2020, 8, 14, 15, 54, 1) info["expiry"] = expiry.isoformat() + "Z" creds = credentials.Credentials.from_authorized_user_info(info) assert creds.expiry == expiry # Test with no `strip` arg json_output = creds.to_json() json_asdict = json.loads(json_output) assert json_asdict.get("token") == creds.token assert json_asdict.get("refresh_token") == creds.refresh_token assert json_asdict.get("token_uri") == creds.token_uri assert json_asdict.get("client_id") == creds.client_id assert json_asdict.get("scopes") == creds.scopes assert json_asdict.get("client_secret") == creds.client_secret assert json_asdict.get("expiry") == info["expiry"] # Test with a `strip` arg json_output = creds.to_json(strip=["client_secret"]) json_asdict = json.loads(json_output) assert json_asdict.get("token") == creds.token assert json_asdict.get("refresh_token") == creds.refresh_token assert json_asdict.get("token_uri") == creds.token_uri assert json_asdict.get("client_id") == creds.client_id assert json_asdict.get("scopes") == creds.scopes assert json_asdict.get("client_secret") is None # Test with no expiry creds.expiry = None json_output = creds.to_json() json_asdict = json.loads(json_output) assert json_asdict.get("expiry") is None def test_pickle_and_unpickle(self): creds = self.make_credentials() unpickled = pickle.loads(pickle.dumps(creds)) # make sure attributes aren't lost during pickling assert list(creds.__dict__).sort() == list(unpickled.__dict__).sort() for attr in list(creds.__dict__): assert getattr(creds, attr) == getattr(unpickled, attr) def test_pickle_and_unpickle_with_refresh_handler(self): expected_expiry = _helpers.utcnow() + datetime.timedelta(seconds=2800) refresh_handler = mock.Mock(return_value=("TOKEN", expected_expiry)) creds = credentials.Credentials( token=None, refresh_token=None, token_uri=None, client_id=None, client_secret=None, rapt_token=None, refresh_handler=refresh_handler, ) unpickled = pickle.loads(pickle.dumps(creds)) # make sure attributes aren't lost during pickling assert list(creds.__dict__).sort() == list(unpickled.__dict__).sort() for attr in list(creds.__dict__): # For the _refresh_handler property, the unpickled creds should be # set to None. if attr == "_refresh_handler": assert getattr(unpickled, attr) is None else: assert getattr(creds, attr) == getattr(unpickled, attr) def test_pickle_with_missing_attribute(self): creds = self.make_credentials() # remove an optional attribute before pickling # this mimics a pickle created with a previous class definition with # fewer attributes del creds.__dict__["_quota_project_id"] unpickled = pickle.loads(pickle.dumps(creds)) # Attribute should be initialized by `__setstate__` assert unpickled.quota_project_id is None # pickles are not compatible across versions @pytest.mark.skipif( sys.version_info < (3, 5), reason="pickle file can only be loaded with Python >= 3.5", ) def test_unpickle_old_credentials_pickle(self): # make sure a credentials file pickled with an older # library version (google-auth==1.5.1) can be unpickled with open( os.path.join(DATA_DIR, "old_oauth_credentials_py3.pickle"), "rb" ) as f: credentials = pickle.load(f) assert credentials.quota_project_id is None class TestUserAccessTokenCredentials(object): def test_instance(self): with pytest.warns( UserWarning, match="UserAccessTokenCredentials is deprecated" ): cred = credentials.UserAccessTokenCredentials() assert cred._account is None cred = cred.with_account("account") assert cred._account == "account" @mock.patch("google.auth._cloud_sdk.get_auth_access_token", autospec=True) def test_refresh(self, get_auth_access_token): with pytest.warns( UserWarning, match="UserAccessTokenCredentials is deprecated" ): get_auth_access_token.return_value = "access_token" cred = credentials.UserAccessTokenCredentials() cred.refresh(None) assert cred.token == "access_token" def test_with_quota_project(self): with pytest.warns( UserWarning, match="UserAccessTokenCredentials is deprecated" ): cred = credentials.UserAccessTokenCredentials() quota_project_cred = cred.with_quota_project("project-foo") assert quota_project_cred._quota_project_id == "project-foo" assert quota_project_cred._account == cred._account @mock.patch( "google.oauth2.credentials.UserAccessTokenCredentials.apply", autospec=True ) @mock.patch( "google.oauth2.credentials.UserAccessTokenCredentials.refresh", autospec=True ) def test_before_request(self, refresh, apply): with pytest.warns( UserWarning, match="UserAccessTokenCredentials is deprecated" ): cred = credentials.UserAccessTokenCredentials() cred.before_request(mock.Mock(), "GET", "https://example.com", {}) refresh.assert_called() apply.assert_called() ��oauth2/test_utils.py��0000644��00000022275�15025175543�0010536 0��ustar�00��# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import json import pytest # type: ignore from google.auth import exceptions from google.oauth2 import utils CLIENT_ID = "username" CLIENT_SECRET = "password" # Base64 encoding of "username:password" BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ=" # Base64 encoding of "username:" BASIC_AUTH_ENCODING_SECRETLESS = "dXNlcm5hbWU6" class AuthHandler(utils.OAuthClientAuthHandler): def __init__(self, client_auth=None): super(AuthHandler, self).__init__(client_auth) def apply_client_authentication_options( self, headers, request_body=None, bearer_token=None ): return super(AuthHandler, self).apply_client_authentication_options( headers, request_body, bearer_token ) class TestClientAuthentication(object): @classmethod def make_client_auth(cls, client_secret=None): return utils.ClientAuthentication( utils.ClientAuthType.basic, CLIENT_ID, client_secret ) def test_initialization_with_client_secret(self): client_auth = self.make_client_auth(CLIENT_SECRET) assert client_auth.client_auth_type == utils.ClientAuthType.basic assert client_auth.client_id == CLIENT_ID assert client_auth.client_secret == CLIENT_SECRET def test_initialization_no_client_secret(self): client_auth = self.make_client_auth() assert client_auth.client_auth_type == utils.ClientAuthType.basic assert client_auth.client_id == CLIENT_ID assert client_auth.client_secret is None class TestOAuthClientAuthHandler(object): CLIENT_AUTH_BASIC = utils.ClientAuthentication( utils.ClientAuthType.basic, CLIENT_ID, CLIENT_SECRET ) CLIENT_AUTH_BASIC_SECRETLESS = utils.ClientAuthentication( utils.ClientAuthType.basic, CLIENT_ID ) CLIENT_AUTH_REQUEST_BODY = utils.ClientAuthentication( utils.ClientAuthType.request_body, CLIENT_ID, CLIENT_SECRET ) CLIENT_AUTH_REQUEST_BODY_SECRETLESS = utils.ClientAuthentication( utils.ClientAuthType.request_body, CLIENT_ID ) @classmethod def make_oauth_client_auth_handler(cls, client_auth=None): return AuthHandler(client_auth) def test_apply_client_authentication_options_none(self): headers = {"Content-Type": "application/json"} request_body = {"foo": "bar"} auth_handler = self.make_oauth_client_auth_handler() auth_handler.apply_client_authentication_options(headers, request_body) assert headers == {"Content-Type": "application/json"} assert request_body == {"foo": "bar"} def test_apply_client_authentication_options_basic(self): headers = {"Content-Type": "application/json"} request_body = {"foo": "bar"} auth_handler = self.make_oauth_client_auth_handler(self.CLIENT_AUTH_BASIC) auth_handler.apply_client_authentication_options(headers, request_body) assert headers == { "Content-Type": "application/json", "Authorization": "Basic {}".format(BASIC_AUTH_ENCODING), } assert request_body == {"foo": "bar"} def test_apply_client_authentication_options_basic_nosecret(self): headers = {"Content-Type": "application/json"} request_body = {"foo": "bar"} auth_handler = self.make_oauth_client_auth_handler( self.CLIENT_AUTH_BASIC_SECRETLESS ) auth_handler.apply_client_authentication_options(headers, request_body) assert headers == { "Content-Type": "application/json", "Authorization": "Basic {}".format(BASIC_AUTH_ENCODING_SECRETLESS), } assert request_body == {"foo": "bar"} def test_apply_client_authentication_options_request_body(self): headers = {"Content-Type": "application/json"} request_body = {"foo": "bar"} auth_handler = self.make_oauth_client_auth_handler( self.CLIENT_AUTH_REQUEST_BODY ) auth_handler.apply_client_authentication_options(headers, request_body) assert headers == {"Content-Type": "application/json"} assert request_body == { "foo": "bar", "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, } def test_apply_client_authentication_options_request_body_nosecret(self): headers = {"Content-Type": "application/json"} request_body = {"foo": "bar"} auth_handler = self.make_oauth_client_auth_handler( self.CLIENT_AUTH_REQUEST_BODY_SECRETLESS ) auth_handler.apply_client_authentication_options(headers, request_body) assert headers == {"Content-Type": "application/json"} assert request_body == { "foo": "bar", "client_id": CLIENT_ID, "client_secret": "", } def test_apply_client_authentication_options_request_body_no_body(self): headers = {"Content-Type": "application/json"} auth_handler = self.make_oauth_client_auth_handler( self.CLIENT_AUTH_REQUEST_BODY ) with pytest.raises(exceptions.OAuthError) as excinfo: auth_handler.apply_client_authentication_options(headers) assert excinfo.match(r"HTTP request does not support request-body") def test_apply_client_authentication_options_bearer_token(self): bearer_token = "ACCESS_TOKEN" headers = {"Content-Type": "application/json"} request_body = {"foo": "bar"} auth_handler = self.make_oauth_client_auth_handler() auth_handler.apply_client_authentication_options( headers, request_body, bearer_token ) assert headers == { "Content-Type": "application/json", "Authorization": "Bearer {}".format(bearer_token), } assert request_body == {"foo": "bar"} def test_apply_client_authentication_options_bearer_and_basic(self): bearer_token = "ACCESS_TOKEN" headers = {"Content-Type": "application/json"} request_body = {"foo": "bar"} auth_handler = self.make_oauth_client_auth_handler(self.CLIENT_AUTH_BASIC) auth_handler.apply_client_authentication_options( headers, request_body, bearer_token ) # Bearer token should have higher priority. assert headers == { "Content-Type": "application/json", "Authorization": "Bearer {}".format(bearer_token), } assert request_body == {"foo": "bar"} def test_apply_client_authentication_options_bearer_and_request_body(self): bearer_token = "ACCESS_TOKEN" headers = {"Content-Type": "application/json"} request_body = {"foo": "bar"} auth_handler = self.make_oauth_client_auth_handler( self.CLIENT_AUTH_REQUEST_BODY ) auth_handler.apply_client_authentication_options( headers, request_body, bearer_token ) # Bearer token should have higher priority. assert headers == { "Content-Type": "application/json", "Authorization": "Bearer {}".format(bearer_token), } assert request_body == {"foo": "bar"} def test__handle_error_response_code_only(): error_resp = {"error": "unsupported_grant_type"} response_data = json.dumps(error_resp) with pytest.raises(exceptions.OAuthError) as excinfo: utils.handle_error_response(response_data) assert excinfo.match(r"Error code unsupported_grant_type") def test__handle_error_response_code_description(): error_resp = { "error": "unsupported_grant_type", "error_description": "The provided grant_type is unsupported", } response_data = json.dumps(error_resp) with pytest.raises(exceptions.OAuthError) as excinfo: utils.handle_error_response(response_data) assert excinfo.match( r"Error code unsupported_grant_type: The provided grant_type is unsupported" ) def test__handle_error_response_code_description_uri(): error_resp = { "error": "unsupported_grant_type", "error_description": "The provided grant_type is unsupported", "error_uri": "https://tools.ietf.org/html/rfc6749", } response_data = json.dumps(error_resp) with pytest.raises(exceptions.OAuthError) as excinfo: utils.handle_error_response(response_data) assert excinfo.match( r"Error code unsupported_grant_type: The provided grant_type is unsupported - https://tools.ietf.org/html/rfc6749" ) def test__handle_error_response_non_json(): response_data = "Oops, something wrong happened" with pytest.raises(exceptions.OAuthError) as excinfo: utils.handle_error_response(response_data) assert excinfo.match(r"Oops, something wrong happened") ��oauth2/test_challenges.py��0000644��00000017654�15025175543�0011510 0��ustar�00��# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Tests for the reauth module.""" import base64 import sys import mock import pytest # type: ignore import pyu2f # type: ignore from google.auth import exceptions from google.oauth2 import challenges def test_get_user_password(): with mock.patch("getpass.getpass", return_value="foo"): assert challenges.get_user_password("") == "foo" def test_security_key(): metadata = { "status": "READY", "challengeId": 2, "challengeType": "SECURITY_KEY", "securityKey": { "applicationId": "security_key_application_id", "challenges": [ { "keyHandle": "some_key", "challenge": base64.urlsafe_b64encode( "some_challenge".encode("ascii") ).decode("ascii"), } ], "relyingPartyId": "security_key_application_id", }, } mock_key = mock.Mock() challenge = challenges.SecurityKeyChallenge() # Test the case that security key challenge is passed with applicationId and # relyingPartyId the same. with mock.patch("pyu2f.model.RegisteredKey", return_value=mock_key): with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: mock_authenticate.return_value = "security key response" assert challenge.name == "SECURITY_KEY" assert challenge.is_locally_eligible assert challenge.obtain_challenge_input(metadata) == { "securityKey": "security key response" } mock_authenticate.assert_called_with( "security_key_application_id", [{"key": mock_key, "challenge": b"some_challenge"}], print_callback=sys.stderr.write, ) # Test the case that security key challenge is passed with applicationId and # relyingPartyId different, first call works. metadata["securityKey"]["relyingPartyId"] = "security_key_relying_party_id" sys.stderr.write("metadata=" + str(metadata) + "\n") with mock.patch("pyu2f.model.RegisteredKey", return_value=mock_key): with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: mock_authenticate.return_value = "security key response" assert challenge.name == "SECURITY_KEY" assert challenge.is_locally_eligible assert challenge.obtain_challenge_input(metadata) == { "securityKey": "security key response" } mock_authenticate.assert_called_with( "security_key_relying_party_id", [{"key": mock_key, "challenge": b"some_challenge"}], print_callback=sys.stderr.write, ) # Test the case that security key challenge is passed with applicationId and # relyingPartyId different, first call fails, requires retry. metadata["securityKey"]["relyingPartyId"] = "security_key_relying_party_id" with mock.patch("pyu2f.model.RegisteredKey", return_value=mock_key): with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: assert challenge.name == "SECURITY_KEY" assert challenge.is_locally_eligible mock_authenticate.side_effect = [ pyu2f.errors.U2FError(pyu2f.errors.U2FError.DEVICE_INELIGIBLE), "security key response", ] assert challenge.obtain_challenge_input(metadata) == { "securityKey": "security key response" } calls = [ mock.call( "security_key_relying_party_id", [{"key": mock_key, "challenge": b"some_challenge"}], print_callback=sys.stderr.write, ), mock.call( "security_key_application_id", [{"key": mock_key, "challenge": b"some_challenge"}], print_callback=sys.stderr.write, ), ] mock_authenticate.assert_has_calls(calls) # Test various types of exceptions. with mock.patch("pyu2f.model.RegisteredKey", return_value=mock_key): with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: mock_authenticate.side_effect = pyu2f.errors.U2FError( pyu2f.errors.U2FError.DEVICE_INELIGIBLE ) assert challenge.obtain_challenge_input(metadata) is None with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: mock_authenticate.side_effect = pyu2f.errors.U2FError( pyu2f.errors.U2FError.TIMEOUT ) assert challenge.obtain_challenge_input(metadata) is None with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: mock_authenticate.side_effect = pyu2f.errors.PluginError() assert challenge.obtain_challenge_input(metadata) is None with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: mock_authenticate.side_effect = pyu2f.errors.U2FError( pyu2f.errors.U2FError.BAD_REQUEST ) with pytest.raises(pyu2f.errors.U2FError): challenge.obtain_challenge_input(metadata) with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: mock_authenticate.side_effect = pyu2f.errors.NoDeviceFoundError() assert challenge.obtain_challenge_input(metadata) is None with mock.patch( "pyu2f.convenience.authenticator.CompositeAuthenticator.Authenticate" ) as mock_authenticate: mock_authenticate.side_effect = pyu2f.errors.UnsupportedVersionException() with pytest.raises(pyu2f.errors.UnsupportedVersionException): challenge.obtain_challenge_input(metadata) with mock.patch.dict("sys.modules"): sys.modules["pyu2f"] = None with pytest.raises(exceptions.ReauthFailError) as excinfo: challenge.obtain_challenge_input(metadata) assert excinfo.match(r"pyu2f dependency is required") @mock.patch("getpass.getpass", return_value="foo") def test_password_challenge(getpass_mock): challenge = challenges.PasswordChallenge() with mock.patch("getpass.getpass", return_value="foo"): assert challenge.is_locally_eligible assert challenge.name == "PASSWORD" assert challenges.PasswordChallenge().obtain_challenge_input({}) == { "credential": "foo" } with mock.patch("getpass.getpass", return_value=None): assert challenges.PasswordChallenge().obtain_challenge_input({}) == { "credential": " " } def test_saml_challenge(): challenge = challenges.SamlChallenge() assert challenge.is_locally_eligible assert challenge.name == "SAML" with pytest.raises(exceptions.ReauthSamlChallengeFailError): challenge.obtain_challenge_input(None) ��oauth2/test__client.py��0000644��00000046724�15025175543�0011020 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import http.client as http_client import json import os import urllib import mock import pytest # type: ignore from google.auth import _helpers from google.auth import crypt from google.auth import exceptions from google.auth import jwt from google.auth import transport from google.oauth2 import _client DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data") with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1") SCOPES_AS_LIST = [ "https://www.googleapis.com/auth/pubsub", "https://www.googleapis.com/auth/logging.write", ] SCOPES_AS_STRING = ( "https://www.googleapis.com/auth/pubsub" " https://www.googleapis.com/auth/logging.write" ) ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/sa" ) ID_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/it cred-type/sa" ) @pytest.mark.parametrize("retryable", [True, False]) def test__handle_error_response(retryable): response_data = {"error": "help", "error_description": "I'm alive"} with pytest.raises(exceptions.RefreshError) as excinfo: _client._handle_error_response(response_data, retryable) assert excinfo.value.retryable == retryable assert excinfo.match(r"help: I\'m alive") def test__handle_error_response_no_error(): response_data = {"foo": "bar"} with pytest.raises(exceptions.RefreshError) as excinfo: _client._handle_error_response(response_data, False) assert not excinfo.value.retryable assert excinfo.match(r"{\"foo\": \"bar\"}") def test__handle_error_response_not_json(): response_data = "this is an error message" with pytest.raises(exceptions.RefreshError) as excinfo: _client._handle_error_response(response_data, False) assert not excinfo.value.retryable assert excinfo.match(response_data) def test__can_retry_retryable(): retryable_codes = transport.DEFAULT_RETRYABLE_STATUS_CODES for status_code in range(100, 600): if status_code in retryable_codes: assert _client._can_retry(status_code, {"error": "invalid_scope"}) else: assert not _client._can_retry(status_code, {"error": "invalid_scope"}) @pytest.mark.parametrize( "response_data", [{"error": "internal_failure"}, {"error": "server_error"}] ) def test__can_retry_message(response_data): assert _client._can_retry(http_client.OK, response_data) @pytest.mark.parametrize( "response_data", [ {"error": "invalid_scope"}, {"error": {"foo": "bar"}}, {"error_description": {"foo", "bar"}}, ], ) def test__can_retry_no_retry_message(response_data): assert not _client._can_retry(http_client.OK, response_data) @pytest.mark.parametrize("mock_expires_in", [500, "500"]) @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test__parse_expiry(unused_utcnow, mock_expires_in): result = _client._parse_expiry({"expires_in": mock_expires_in}) assert result == datetime.datetime.min + datetime.timedelta(seconds=500) def test__parse_expiry_none(): assert _client._parse_expiry({}) is None def make_request(response_data, status=http_client.OK): response = mock.create_autospec(transport.Response, instance=True) response.status = status response.data = json.dumps(response_data).encode("utf-8") request = mock.create_autospec(transport.Request) request.return_value = response return request def test__token_endpoint_request(): request = make_request({"test": "response"}) result = _client._token_endpoint_request( request, "http://example.com", {"test": "params"} ) # Check request call request.assert_called_with( method="POST", url="http://example.com", headers={"Content-Type": "application/x-www-form-urlencoded"}, body="test=params".encode("utf-8"), ) # Check result assert result == {"test": "response"} def test__token_endpoint_request_use_json(): request = make_request({"test": "response"}) result = _client._token_endpoint_request( request, "http://example.com", {"test": "params"}, access_token="access_token", use_json=True, ) # Check request call request.assert_called_with( method="POST", url="http://example.com", headers={ "Content-Type": "application/json", "Authorization": "Bearer access_token", }, body=b'{"test": "params"}', ) # Check result assert result == {"test": "response"} def test__token_endpoint_request_error(): request = make_request({}, status=http_client.BAD_REQUEST) with pytest.raises(exceptions.RefreshError): _client._token_endpoint_request(request, "http://example.com", {}) def test__token_endpoint_request_internal_failure_error(): request = make_request( {"error_description": "internal_failure"}, status=http_client.BAD_REQUEST ) with pytest.raises(exceptions.RefreshError): _client._token_endpoint_request( request, "http://example.com", {"error_description": "internal_failure"} ) # request should be called once and then with 3 retries assert request.call_count == 4 request = make_request( {"error": "internal_failure"}, status=http_client.BAD_REQUEST ) with pytest.raises(exceptions.RefreshError): _client._token_endpoint_request( request, "http://example.com", {"error": "internal_failure"} ) # request should be called once and then with 3 retries assert request.call_count == 4 def test__token_endpoint_request_internal_failure_and_retry_failure_error(): retryable_error = mock.create_autospec(transport.Response, instance=True) retryable_error.status = http_client.BAD_REQUEST retryable_error.data = json.dumps({"error_description": "internal_failure"}).encode( "utf-8" ) unretryable_error = mock.create_autospec(transport.Response, instance=True) unretryable_error.status = http_client.BAD_REQUEST unretryable_error.data = json.dumps({"error_description": "invalid_scope"}).encode( "utf-8" ) request = mock.create_autospec(transport.Request) request.side_effect = [retryable_error, retryable_error, unretryable_error] with pytest.raises(exceptions.RefreshError): _client._token_endpoint_request( request, "http://example.com", {"error_description": "invalid_scope"} ) # request should be called three times. Two retryable errors and one # unretryable error to break the retry loop. assert request.call_count == 3 def test__token_endpoint_request_internal_failure_and_retry_succeeds(): retryable_error = mock.create_autospec(transport.Response, instance=True) retryable_error.status = http_client.BAD_REQUEST retryable_error.data = json.dumps({"error_description": "internal_failure"}).encode( "utf-8" ) response = mock.create_autospec(transport.Response, instance=True) response.status = http_client.OK response.data = json.dumps({"hello": "world"}).encode("utf-8") request = mock.create_autospec(transport.Request) request.side_effect = [retryable_error, response] _ = _client._token_endpoint_request( request, "http://example.com", {"test": "params"} ) assert request.call_count == 2 def test__token_endpoint_request_string_error(): response = mock.create_autospec(transport.Response, instance=True) response.status = http_client.BAD_REQUEST response.data = "this is an error message" request = mock.create_autospec(transport.Request) request.return_value = response with pytest.raises(exceptions.RefreshError) as excinfo: _client._token_endpoint_request(request, "http://example.com", {}) assert excinfo.match("this is an error message") def verify_request_params(request, params): request_body = request.call_args[1]["body"].decode("utf-8") request_params = urllib.parse.parse_qs(request_body) for key, value in params.items(): assert request_params[key][0] == value @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_jwt_grant(utcnow): request = make_request( {"access_token": "token", "expires_in": 500, "extra": "data"} ) token, expiry, extra_data = _client.jwt_grant( request, "http://example.com", "assertion_value" ) # Check request call verify_request_params( request, {"grant_type": _client._JWT_GRANT_TYPE, "assertion": "assertion_value"} ) # Check result assert token == "token" assert expiry == utcnow() + datetime.timedelta(seconds=500) assert extra_data["extra"] == "data" def test_jwt_grant_no_access_token(): request = make_request( { # No access token. "expires_in": 500, "extra": "data", } ) with pytest.raises(exceptions.RefreshError) as excinfo: _client.jwt_grant(request, "http://example.com", "assertion_value") assert not excinfo.value.retryable def test_call_iam_generate_id_token_endpoint(): now = _helpers.utcnow() id_token_expiry = _helpers.datetime_to_secs(now) id_token = jwt.encode(SIGNER, {"exp": id_token_expiry}).decode("utf-8") request = make_request({"token": id_token}) token, expiry = _client.call_iam_generate_id_token_endpoint( request, "fake_email", "fake_audience", "fake_access_token" ) assert ( request.call_args[1]["url"] == "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/fake_email:generateIdToken" ) assert request.call_args[1]["headers"]["Content-Type"] == "application/json" assert ( request.call_args[1]["headers"]["Authorization"] == "Bearer fake_access_token" ) response_body = json.loads(request.call_args[1]["body"]) assert response_body["audience"] == "fake_audience" assert response_body["includeEmail"] == "true" assert response_body["useEmailAzp"] == "true" # Check result assert token == id_token # JWT does not store microseconds now = now.replace(microsecond=0) assert expiry == now def test_call_iam_generate_id_token_endpoint_no_id_token(): request = make_request( { # No access token. "error": "no token" } ) with pytest.raises(exceptions.RefreshError) as excinfo: _client.call_iam_generate_id_token_endpoint( request, "fake_email", "fake_audience", "fake_access_token" ) assert excinfo.match("No ID token in response") def test_id_token_jwt_grant(): now = _helpers.utcnow() id_token_expiry = _helpers.datetime_to_secs(now) id_token = jwt.encode(SIGNER, {"exp": id_token_expiry}).decode("utf-8") request = make_request({"id_token": id_token, "extra": "data"}) token, expiry, extra_data = _client.id_token_jwt_grant( request, "http://example.com", "assertion_value" ) # Check request call verify_request_params( request, {"grant_type": _client._JWT_GRANT_TYPE, "assertion": "assertion_value"} ) # Check result assert token == id_token # JWT does not store microseconds now = now.replace(microsecond=0) assert expiry == now assert extra_data["extra"] == "data" def test_id_token_jwt_grant_no_access_token(): request = make_request( { # No access token. "expires_in": 500, "extra": "data", } ) with pytest.raises(exceptions.RefreshError) as excinfo: _client.id_token_jwt_grant(request, "http://example.com", "assertion_value") assert not excinfo.value.retryable @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_grant(unused_utcnow): request = make_request( { "access_token": "token", "refresh_token": "new_refresh_token", "expires_in": 500, "extra": "data", } ) token, refresh_token, expiry, extra_data = _client.refresh_grant( request, "http://example.com", "refresh_token", "client_id", "client_secret", rapt_token="rapt_token", ) # Check request call verify_request_params( request, { "grant_type": _client._REFRESH_GRANT_TYPE, "refresh_token": "refresh_token", "client_id": "client_id", "client_secret": "client_secret", "rapt": "rapt_token", }, ) # Check result assert token == "token" assert refresh_token == "new_refresh_token" assert expiry == datetime.datetime.min + datetime.timedelta(seconds=500) assert extra_data["extra"] == "data" @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh_grant_with_scopes(unused_utcnow): request = make_request( { "access_token": "token", "refresh_token": "new_refresh_token", "expires_in": 500, "extra": "data", "scope": SCOPES_AS_STRING, } ) token, refresh_token, expiry, extra_data = _client.refresh_grant( request, "http://example.com", "refresh_token", "client_id", "client_secret", SCOPES_AS_LIST, ) # Check request call. verify_request_params( request, { "grant_type": _client._REFRESH_GRANT_TYPE, "refresh_token": "refresh_token", "client_id": "client_id", "client_secret": "client_secret", "scope": SCOPES_AS_STRING, }, ) # Check result. assert token == "token" assert refresh_token == "new_refresh_token" assert expiry == datetime.datetime.min + datetime.timedelta(seconds=500) assert extra_data["extra"] == "data" def test_refresh_grant_no_access_token(): request = make_request( { # No access token. "refresh_token": "new_refresh_token", "expires_in": 500, "extra": "data", } ) with pytest.raises(exceptions.RefreshError) as excinfo: _client.refresh_grant( request, "http://example.com", "refresh_token", "client_id", "client_secret" ) assert not excinfo.value.retryable @mock.patch( "google.auth.metrics.token_request_access_token_sa_assertion", return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch("google.oauth2._client._parse_expiry", return_value=None) @mock.patch.object(_client, "_token_endpoint_request", autospec=True) def test_jwt_grant_retry_default( mock_token_endpoint_request, mock_expiry, mock_metrics_header_value ): _client.jwt_grant(mock.Mock(), mock.Mock(), mock.Mock()) mock_token_endpoint_request.assert_called_with( mock.ANY, mock.ANY, mock.ANY, can_retry=True, headers={"x-goog-api-client": ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE}, ) @pytest.mark.parametrize("can_retry", [True, False]) @mock.patch( "google.auth.metrics.token_request_access_token_sa_assertion", return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch("google.oauth2._client._parse_expiry", return_value=None) @mock.patch.object(_client, "_token_endpoint_request", autospec=True) def test_jwt_grant_retry_with_retry( mock_token_endpoint_request, mock_expiry, mock_metrics_header_value, can_retry ): _client.jwt_grant(mock.Mock(), mock.Mock(), mock.Mock(), can_retry=can_retry) mock_token_endpoint_request.assert_called_with( mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry, headers={"x-goog-api-client": ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE}, ) @mock.patch( "google.auth.metrics.token_request_id_token_sa_assertion", return_value=ID_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch("google.auth.jwt.decode", return_value={"exp": 0}) @mock.patch.object(_client, "_token_endpoint_request", autospec=True) def test_id_token_jwt_grant_retry_default( mock_token_endpoint_request, mock_jwt_decode, mock_metrics_header_value ): _client.id_token_jwt_grant(mock.Mock(), mock.Mock(), mock.Mock()) mock_token_endpoint_request.assert_called_with( mock.ANY, mock.ANY, mock.ANY, can_retry=True, headers={"x-goog-api-client": ID_TOKEN_REQUEST_METRICS_HEADER_VALUE}, ) @pytest.mark.parametrize("can_retry", [True, False]) @mock.patch( "google.auth.metrics.token_request_id_token_sa_assertion", return_value=ID_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch("google.auth.jwt.decode", return_value={"exp": 0}) @mock.patch.object(_client, "_token_endpoint_request", autospec=True) def test_id_token_jwt_grant_retry_with_retry( mock_token_endpoint_request, mock_jwt_decode, mock_metrics_header_value, can_retry ): _client.id_token_jwt_grant( mock.Mock(), mock.Mock(), mock.Mock(), can_retry=can_retry ) mock_token_endpoint_request.assert_called_with( mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry, headers={"x-goog-api-client": ID_TOKEN_REQUEST_METRICS_HEADER_VALUE}, ) @mock.patch("google.oauth2._client._parse_expiry", return_value=None) @mock.patch.object(_client, "_token_endpoint_request", autospec=True) def test_refresh_grant_retry_default(mock_token_endpoint_request, mock_parse_expiry): _client.refresh_grant( mock.Mock(), mock.Mock(), mock.Mock(), mock.Mock(), mock.Mock() ) mock_token_endpoint_request.assert_called_with( mock.ANY, mock.ANY, mock.ANY, can_retry=True ) @pytest.mark.parametrize("can_retry", [True, False]) @mock.patch("google.oauth2._client._parse_expiry", return_value=None) @mock.patch.object(_client, "_token_endpoint_request", autospec=True) def test_refresh_grant_retry_with_retry( mock_token_endpoint_request, mock_parse_expiry, can_retry ): _client.refresh_grant( mock.Mock(), mock.Mock(), mock.Mock(), mock.Mock(), mock.Mock(), can_retry=can_retry, ) mock_token_endpoint_request.assert_called_with( mock.ANY, mock.ANY, mock.ANY, can_retry=can_retry ) @pytest.mark.parametrize("can_retry", [True, False]) def test__token_endpoint_request_no_throw_with_retry(can_retry): response_data = {"error": "help", "error_description": "I'm alive"} body = "dummy body" mock_response = mock.create_autospec(transport.Response, instance=True) mock_response.status = http_client.INTERNAL_SERVER_ERROR mock_response.data = json.dumps(response_data).encode("utf-8") mock_request = mock.create_autospec(transport.Request) mock_request.return_value = mock_response _client._token_endpoint_request_no_throw( mock_request, mock.Mock(), body, mock.Mock(), mock.Mock(), can_retry=can_retry ) if can_retry: assert mock_request.call_count == 4 else: assert mock_request.call_count == 1 ��oauth2/test_gdch_credentials.py��0000644��00000014743�15025175543�0012661 0��ustar�00��# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import copy import datetime import json import os import mock import pytest # type: ignore import requests from google.auth import exceptions from google.auth import jwt import google.auth.transport.requests from google.oauth2 import gdch_credentials from google.oauth2.gdch_credentials import ServiceAccountCredentials class TestServiceAccountCredentials(object): AUDIENCE = "https://service-identity.<Domain>/authenticate" PROJECT = "project_foo" PRIVATE_KEY_ID = "key_foo" NAME = "service_identity_name" CA_CERT_PATH = "/path/to/ca/cert" TOKEN_URI = "https://service-identity.<Domain>/authenticate" JSON_PATH = os.path.join( os.path.dirname(__file__), "..", "data", "gdch_service_account.json" ) with open(JSON_PATH, "rb") as fh: INFO = json.load(fh) def test_with_gdch_audience(self): mock_signer = mock.Mock() creds = ServiceAccountCredentials._from_signer_and_info(mock_signer, self.INFO) assert creds._signer == mock_signer assert creds._service_identity_name == self.NAME assert creds._audience is None assert creds._token_uri == self.TOKEN_URI assert creds._ca_cert_path == self.CA_CERT_PATH new_creds = creds.with_gdch_audience(self.AUDIENCE) assert new_creds._signer == mock_signer assert new_creds._service_identity_name == self.NAME assert new_creds._audience == self.AUDIENCE assert new_creds._token_uri == self.TOKEN_URI assert new_creds._ca_cert_path == self.CA_CERT_PATH def test__create_jwt(self): creds = ServiceAccountCredentials.from_service_account_file(self.JSON_PATH) with mock.patch("google.auth._helpers.utcnow") as utcnow: utcnow.return_value = datetime.datetime.now() jwt_token = creds._create_jwt() header, payload, _, _ = jwt._unverified_decode(jwt_token) expected_iss_sub_value = ( "system:serviceaccount:project_foo:service_identity_name" ) assert isinstance(jwt_token, str) assert header["alg"] == "ES256" assert header["kid"] == self.PRIVATE_KEY_ID assert payload["iss"] == expected_iss_sub_value assert payload["sub"] == expected_iss_sub_value assert payload["aud"] == self.AUDIENCE assert payload["exp"] == (payload["iat"] + 3600) @mock.patch( "google.oauth2.gdch_credentials.ServiceAccountCredentials._create_jwt", autospec=True, ) @mock.patch("google.oauth2._client._token_endpoint_request", autospec=True) def test_refresh(self, token_endpoint_request, create_jwt): creds = ServiceAccountCredentials.from_service_account_info(self.INFO) creds = creds.with_gdch_audience(self.AUDIENCE) req = google.auth.transport.requests.Request() mock_jwt_token = "jwt token" create_jwt.return_value = mock_jwt_token sts_token = "STS token" token_endpoint_request.return_value = { "access_token": sts_token, "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 3600, } creds.refresh(req) token_endpoint_request.assert_called_with( req, self.TOKEN_URI, { "grant_type": gdch_credentials.TOKEN_EXCHANGE_TYPE, "audience": self.AUDIENCE, "requested_token_type": gdch_credentials.ACCESS_TOKEN_TOKEN_TYPE, "subject_token": mock_jwt_token, "subject_token_type": gdch_credentials.SERVICE_ACCOUNT_TOKEN_TYPE, }, access_token=None, use_json=True, verify=self.CA_CERT_PATH, ) assert creds.token == sts_token def test_refresh_wrong_requests_object(self): creds = ServiceAccountCredentials.from_service_account_info(self.INFO) creds = creds.with_gdch_audience(self.AUDIENCE) req = requests.Request() with pytest.raises(exceptions.RefreshError) as excinfo: creds.refresh(req) assert excinfo.match( "request must be a google.auth.transport.requests.Request object" ) def test__from_signer_and_info_wrong_format_version(self): with pytest.raises(ValueError) as excinfo: ServiceAccountCredentials._from_signer_and_info( mock.Mock(), {"format_version": "2"} ) assert excinfo.match("Only format version 1 is supported") def test_from_service_account_info_miss_field(self): for field in [ "format_version", "private_key_id", "private_key", "name", "project", "token_uri", ]: info_with_missing_field = copy.deepcopy(self.INFO) del info_with_missing_field[field] with pytest.raises(ValueError) as excinfo: ServiceAccountCredentials.from_service_account_info( info_with_missing_field ) assert excinfo.match("missing fields") @mock.patch("google.auth._service_account_info.from_filename") def test_from_service_account_file(self, from_filename): mock_signer = mock.Mock() from_filename.return_value = (self.INFO, mock_signer) creds = ServiceAccountCredentials.from_service_account_file(self.JSON_PATH) from_filename.assert_called_with( self.JSON_PATH, require=[ "format_version", "private_key_id", "private_key", "name", "project", "token_uri", ], use_rsa_signer=False, ) assert creds._signer == mock_signer assert creds._service_identity_name == self.NAME assert creds._audience is None assert creds._token_uri == self.TOKEN_URI assert creds._ca_cert_path == self.CA_CERT_PATH ��oauth2/test_id_token.py��0000644��00000025540�15025175543�0011170 0��ustar�00��# Copyright 2014 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import json import os import mock import pytest # type: ignore from google.auth import environment_vars from google.auth import exceptions from google.auth import transport from google.oauth2 import id_token from google.oauth2 import service_account SERVICE_ACCOUNT_FILE = os.path.join( os.path.dirname(__file__), "../data/service_account.json" ) ID_TOKEN_AUDIENCE = "https://pubsub.googleapis.com" def make_request(status, data=None): response = mock.create_autospec(transport.Response, instance=True) response.status = status if data is not None: response.data = json.dumps(data).encode("utf-8") request = mock.create_autospec(transport.Request) request.return_value = response return request def test__fetch_certs_success(): certs = {"1": "cert"} request = make_request(200, certs) returned_certs = id_token._fetch_certs(request, mock.sentinel.cert_url) request.assert_called_once_with(mock.sentinel.cert_url, method="GET") assert returned_certs == certs def test__fetch_certs_failure(): request = make_request(404) with pytest.raises(exceptions.TransportError): id_token._fetch_certs(request, mock.sentinel.cert_url) request.assert_called_once_with(mock.sentinel.cert_url, method="GET") @mock.patch("google.auth.jwt.decode", autospec=True) @mock.patch("google.oauth2.id_token._fetch_certs", autospec=True) def test_verify_token(_fetch_certs, decode): result = id_token.verify_token(mock.sentinel.token, mock.sentinel.request) assert result == decode.return_value _fetch_certs.assert_called_once_with( mock.sentinel.request, id_token._GOOGLE_OAUTH2_CERTS_URL ) decode.assert_called_once_with( mock.sentinel.token, certs=_fetch_certs.return_value, audience=None, clock_skew_in_seconds=0, ) @mock.patch("google.auth.jwt.decode", autospec=True) @mock.patch("google.oauth2.id_token._fetch_certs", autospec=True) def test_verify_token_args(_fetch_certs, decode): result = id_token.verify_token( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience, certs_url=mock.sentinel.certs_url, ) assert result == decode.return_value _fetch_certs.assert_called_once_with(mock.sentinel.request, mock.sentinel.certs_url) decode.assert_called_once_with( mock.sentinel.token, certs=_fetch_certs.return_value, audience=mock.sentinel.audience, clock_skew_in_seconds=0, ) @mock.patch("google.auth.jwt.decode", autospec=True) @mock.patch("google.oauth2.id_token._fetch_certs", autospec=True) def test_verify_token_clock_skew(_fetch_certs, decode): result = id_token.verify_token( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience, certs_url=mock.sentinel.certs_url, clock_skew_in_seconds=10, ) assert result == decode.return_value _fetch_certs.assert_called_once_with(mock.sentinel.request, mock.sentinel.certs_url) decode.assert_called_once_with( mock.sentinel.token, certs=_fetch_certs.return_value, audience=mock.sentinel.audience, clock_skew_in_seconds=10, ) @mock.patch("google.oauth2.id_token.verify_token", autospec=True) def test_verify_oauth2_token(verify_token): verify_token.return_value = {"iss": "accounts.google.com"} result = id_token.verify_oauth2_token( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience ) assert result == verify_token.return_value verify_token.assert_called_once_with( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience, certs_url=id_token._GOOGLE_OAUTH2_CERTS_URL, clock_skew_in_seconds=0, ) @mock.patch("google.oauth2.id_token.verify_token", autospec=True) def test_verify_oauth2_token_clock_skew(verify_token): verify_token.return_value = {"iss": "accounts.google.com"} result = id_token.verify_oauth2_token( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience, clock_skew_in_seconds=10, ) assert result == verify_token.return_value verify_token.assert_called_once_with( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience, certs_url=id_token._GOOGLE_OAUTH2_CERTS_URL, clock_skew_in_seconds=10, ) @mock.patch("google.oauth2.id_token.verify_token", autospec=True) def test_verify_oauth2_token_invalid_iss(verify_token): verify_token.return_value = {"iss": "invalid_issuer"} with pytest.raises(exceptions.GoogleAuthError): id_token.verify_oauth2_token( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience ) @mock.patch("google.oauth2.id_token.verify_token", autospec=True) def test_verify_firebase_token(verify_token): result = id_token.verify_firebase_token( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience ) assert result == verify_token.return_value verify_token.assert_called_once_with( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience, certs_url=id_token._GOOGLE_APIS_CERTS_URL, clock_skew_in_seconds=0, ) @mock.patch("google.oauth2.id_token.verify_token", autospec=True) def test_verify_firebase_token_clock_skew(verify_token): result = id_token.verify_firebase_token( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience, clock_skew_in_seconds=10, ) assert result == verify_token.return_value verify_token.assert_called_once_with( mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience, certs_url=id_token._GOOGLE_APIS_CERTS_URL, clock_skew_in_seconds=10, ) def test_fetch_id_token_credentials_optional_request(monkeypatch): monkeypatch.delenv(environment_vars.CREDENTIALS, raising=False) # Test a request object is created if not provided with mock.patch("google.auth.compute_engine._metadata.ping", return_value=True): with mock.patch( "google.auth.compute_engine.IDTokenCredentials.__init__", return_value=None ): with mock.patch( "google.auth.transport.requests.Request.__init__", return_value=None ) as mock_request: id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) mock_request.assert_called() def test_fetch_id_token_credentials_from_metadata_server(monkeypatch): monkeypatch.delenv(environment_vars.CREDENTIALS, raising=False) mock_req = mock.Mock() with mock.patch("google.auth.compute_engine._metadata.ping", return_value=True): with mock.patch( "google.auth.compute_engine.IDTokenCredentials.__init__", return_value=None ) as mock_init: id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE, request=mock_req) mock_init.assert_called_once_with( mock_req, ID_TOKEN_AUDIENCE, use_metadata_identity_endpoint=True ) def test_fetch_id_token_credentials_from_explicit_cred_json_file(monkeypatch): monkeypatch.setenv(environment_vars.CREDENTIALS, SERVICE_ACCOUNT_FILE) cred = id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert isinstance(cred, service_account.IDTokenCredentials) assert cred._target_audience == ID_TOKEN_AUDIENCE def test_fetch_id_token_credentials_no_cred_exists(monkeypatch): monkeypatch.delenv(environment_vars.CREDENTIALS, raising=False) with mock.patch( "google.auth.compute_engine._metadata.ping", side_effect=exceptions.TransportError(), ): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"Neither metadata server or valid service account credentials are found." ) with mock.patch("google.auth.compute_engine._metadata.ping", return_value=False): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"Neither metadata server or valid service account credentials are found." ) def test_fetch_id_token_credentials_invalid_cred_file_type(monkeypatch): user_credentials_file = os.path.join( os.path.dirname(__file__), "../data/authorized_user.json" ) monkeypatch.setenv(environment_vars.CREDENTIALS, user_credentials_file) with mock.patch("google.auth.compute_engine._metadata.ping", return_value=False): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"Neither metadata server or valid service account credentials are found." ) def test_fetch_id_token_credentials_invalid_json(monkeypatch): not_json_file = os.path.join(os.path.dirname(__file__), "../data/public_cert.pem") monkeypatch.setenv(environment_vars.CREDENTIALS, not_json_file) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"GOOGLE_APPLICATION_CREDENTIALS is not valid service account credentials." ) def test_fetch_id_token_credentials_invalid_cred_path(monkeypatch): not_json_file = os.path.join(os.path.dirname(__file__), "../data/not_exists.json") monkeypatch.setenv(environment_vars.CREDENTIALS, not_json_file) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"GOOGLE_APPLICATION_CREDENTIALS path is either not found or invalid." ) def test_fetch_id_token(monkeypatch): mock_cred = mock.MagicMock() mock_cred.token = "token" mock_req = mock.Mock() with mock.patch( "google.oauth2.id_token.fetch_id_token_credentials", return_value=mock_cred ) as mock_fetch: token = id_token.fetch_id_token(mock_req, ID_TOKEN_AUDIENCE) mock_fetch.assert_called_once_with(ID_TOKEN_AUDIENCE, request=mock_req) mock_cred.refresh.assert_called_once_with(mock_req) assert token == "token" ��oauth2/test_service_account.py��0000644��00000075142�15025175543�0012553 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import json import os import mock import pytest # type: ignore from google.auth import _helpers from google.auth import crypt from google.auth import exceptions from google.auth import jwt from google.auth import transport from google.oauth2 import service_account DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data") with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() with open(os.path.join(DATA_DIR, "public_cert.pem"), "rb") as fh: PUBLIC_CERT_BYTES = fh.read() with open(os.path.join(DATA_DIR, "other_cert.pem"), "rb") as fh: OTHER_CERT_BYTES = fh.read() SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json") SERVICE_ACCOUNT_NON_GDU_JSON_FILE = os.path.join( DATA_DIR, "service_account_non_gdu.json" ) FAKE_UNIVERSE_DOMAIN = "universe.foo" with open(SERVICE_ACCOUNT_JSON_FILE, "rb") as fh: SERVICE_ACCOUNT_INFO = json.load(fh) with open(SERVICE_ACCOUNT_NON_GDU_JSON_FILE, "rb") as fh: SERVICE_ACCOUNT_INFO_NON_GDU = json.load(fh) SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1") class TestCredentials(object): SERVICE_ACCOUNT_EMAIL = "service-account@example.com" TOKEN_URI = "https://example.com/oauth2/token" @classmethod def make_credentials(cls, universe_domain=service_account._DEFAULT_UNIVERSE_DOMAIN): return service_account.Credentials( SIGNER, cls.SERVICE_ACCOUNT_EMAIL, cls.TOKEN_URI, universe_domain=universe_domain, ) def test_constructor_no_universe_domain(self): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, universe_domain=None ) assert credentials.universe_domain == service_account._DEFAULT_UNIVERSE_DOMAIN def test_from_service_account_info(self): credentials = service_account.Credentials.from_service_account_info( SERVICE_ACCOUNT_INFO ) assert credentials._signer.key_id == SERVICE_ACCOUNT_INFO["private_key_id"] assert credentials.service_account_email == SERVICE_ACCOUNT_INFO["client_email"] assert credentials._token_uri == SERVICE_ACCOUNT_INFO["token_uri"] assert credentials._universe_domain == service_account._DEFAULT_UNIVERSE_DOMAIN assert not credentials._always_use_jwt_access def test_from_service_account_info_non_gdu(self): credentials = service_account.Credentials.from_service_account_info( SERVICE_ACCOUNT_INFO_NON_GDU ) assert credentials.universe_domain == FAKE_UNIVERSE_DOMAIN assert credentials._always_use_jwt_access def test_from_service_account_info_args(self): info = SERVICE_ACCOUNT_INFO.copy() scopes = ["email", "profile"] subject = "subject" additional_claims = {"meta": "data"} credentials = service_account.Credentials.from_service_account_info( info, scopes=scopes, subject=subject, additional_claims=additional_claims ) assert credentials.service_account_email == info["client_email"] assert credentials.project_id == info["project_id"] assert credentials._signer.key_id == info["private_key_id"] assert credentials._token_uri == info["token_uri"] assert credentials._scopes == scopes assert credentials._subject == subject assert credentials._additional_claims == additional_claims assert not credentials._always_use_jwt_access def test_from_service_account_file(self): info = SERVICE_ACCOUNT_INFO.copy() credentials = service_account.Credentials.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE ) assert credentials.service_account_email == info["client_email"] assert credentials.project_id == info["project_id"] assert credentials._signer.key_id == info["private_key_id"] assert credentials._token_uri == info["token_uri"] def test_from_service_account_file_non_gdu(self): info = SERVICE_ACCOUNT_INFO_NON_GDU.copy() credentials = service_account.Credentials.from_service_account_file( SERVICE_ACCOUNT_NON_GDU_JSON_FILE ) assert credentials.service_account_email == info["client_email"] assert credentials.project_id == info["project_id"] assert credentials._signer.key_id == info["private_key_id"] assert credentials._token_uri == info["token_uri"] assert credentials._universe_domain == FAKE_UNIVERSE_DOMAIN assert credentials._always_use_jwt_access def test_from_service_account_file_args(self): info = SERVICE_ACCOUNT_INFO.copy() scopes = ["email", "profile"] subject = "subject" additional_claims = {"meta": "data"} credentials = service_account.Credentials.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE, subject=subject, scopes=scopes, additional_claims=additional_claims, ) assert credentials.service_account_email == info["client_email"] assert credentials.project_id == info["project_id"] assert credentials._signer.key_id == info["private_key_id"] assert credentials._token_uri == info["token_uri"] assert credentials._scopes == scopes assert credentials._subject == subject assert credentials._additional_claims == additional_claims def test_default_state(self): credentials = self.make_credentials() assert not credentials.valid # Expiration hasn't been set yet assert not credentials.expired # Scopes haven't been specified yet assert credentials.requires_scopes def test_sign_bytes(self): credentials = self.make_credentials() to_sign = b"123" signature = credentials.sign_bytes(to_sign) assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES) def test_signer(self): credentials = self.make_credentials() assert isinstance(credentials.signer, crypt.Signer) def test_signer_email(self): credentials = self.make_credentials() assert credentials.signer_email == self.SERVICE_ACCOUNT_EMAIL def test_create_scoped(self): credentials = self.make_credentials() scopes = ["email", "profile"] credentials = credentials.with_scopes(scopes) assert credentials._scopes == scopes def test_with_claims(self): credentials = self.make_credentials() new_credentials = credentials.with_claims({"meep": "moop"}) assert new_credentials._additional_claims == {"meep": "moop"} def test_with_quota_project(self): credentials = self.make_credentials() new_credentials = credentials.with_quota_project("new-project-456") assert new_credentials.quota_project_id == "new-project-456" hdrs = {} new_credentials.apply(hdrs, token="tok") assert "x-goog-user-project" in hdrs def test_with_token_uri(self): credentials = self.make_credentials() new_token_uri = "https://example2.com/oauth2/token" assert credentials._token_uri == self.TOKEN_URI creds_with_new_token_uri = credentials.with_token_uri(new_token_uri) assert creds_with_new_token_uri._token_uri == new_token_uri def test__with_always_use_jwt_access(self): credentials = self.make_credentials() assert not credentials._always_use_jwt_access new_credentials = credentials.with_always_use_jwt_access(True) assert new_credentials._always_use_jwt_access def test__with_always_use_jwt_access_non_default_universe_domain(self): credentials = self.make_credentials(universe_domain=FAKE_UNIVERSE_DOMAIN) with pytest.raises(exceptions.InvalidValue) as excinfo: credentials.with_always_use_jwt_access(False) assert excinfo.match( "always_use_jwt_access should be True for non-default universe domain" ) def test__make_authorization_grant_assertion(self): credentials = self.make_credentials() token = credentials._make_authorization_grant_assertion() payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL assert payload["aud"] == service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT def test__make_authorization_grant_assertion_scoped(self): credentials = self.make_credentials() scopes = ["email", "profile"] credentials = credentials.with_scopes(scopes) token = credentials._make_authorization_grant_assertion() payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["scope"] == "email profile" def test__make_authorization_grant_assertion_subject(self): credentials = self.make_credentials() subject = "user@example.com" credentials = credentials.with_subject(subject) token = credentials._make_authorization_grant_assertion() payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["sub"] == subject def test_apply_with_quota_project_id(self): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, quota_project_id="quota-project-123", ) headers = {} credentials.apply(headers, token="token") assert headers["x-goog-user-project"] == "quota-project-123" assert "token" in headers["authorization"] def test_apply_with_no_quota_project_id(self): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI ) headers = {} credentials.apply(headers, token="token") assert "x-goog-user-project" not in headers assert "token" in headers["authorization"] @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt(self, jwt): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI ) audience = "https://pubsub.googleapis.com" credentials._create_self_signed_jwt(audience) jwt.from_signing_credentials.assert_called_once_with(credentials, audience) @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt_with_user_scopes(self, jwt): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, scopes=["foo"] ) audience = "https://pubsub.googleapis.com" credentials._create_self_signed_jwt(audience) # JWT should not be created if there are user-defined scopes jwt.from_signing_credentials.assert_not_called() @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt_always_use_jwt_access_with_audience(self, jwt): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, default_scopes=["bar", "foo"], always_use_jwt_access=True, ) audience = "https://pubsub.googleapis.com" credentials._create_self_signed_jwt(audience) jwt.from_signing_credentials.assert_called_once_with(credentials, audience) @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt_always_use_jwt_access_with_audience_similar_jwt_is_reused( self, jwt ): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, default_scopes=["bar", "foo"], always_use_jwt_access=True, ) audience = "https://pubsub.googleapis.com" credentials._create_self_signed_jwt(audience) credentials._jwt_credentials._audience = audience credentials._create_self_signed_jwt(audience) jwt.from_signing_credentials.assert_called_once_with(credentials, audience) @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt_always_use_jwt_access_with_scopes(self, jwt): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, scopes=["bar", "foo"], always_use_jwt_access=True, ) audience = "https://pubsub.googleapis.com" credentials._create_self_signed_jwt(audience) jwt.from_signing_credentials.assert_called_once_with( credentials, None, additional_claims={"scope": "bar foo"} ) @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt_always_use_jwt_access_with_scopes_similar_jwt_is_reused( self, jwt ): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, scopes=["bar", "foo"], always_use_jwt_access=True, ) audience = "https://pubsub.googleapis.com" credentials._create_self_signed_jwt(audience) credentials._jwt_credentials.additional_claims = {"scope": "bar foo"} credentials._create_self_signed_jwt(audience) jwt.from_signing_credentials.assert_called_once_with( credentials, None, additional_claims={"scope": "bar foo"} ) @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt_always_use_jwt_access_with_default_scopes( self, jwt ): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, default_scopes=["bar", "foo"], always_use_jwt_access=True, ) credentials._create_self_signed_jwt(None) jwt.from_signing_credentials.assert_called_once_with( credentials, None, additional_claims={"scope": "bar foo"} ) @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt_always_use_jwt_access_with_default_scopes_similar_jwt_is_reused( self, jwt ): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, default_scopes=["bar", "foo"], always_use_jwt_access=True, ) credentials._create_self_signed_jwt(None) credentials._jwt_credentials.additional_claims = {"scope": "bar foo"} credentials._create_self_signed_jwt(None) jwt.from_signing_credentials.assert_called_once_with( credentials, None, additional_claims={"scope": "bar foo"} ) @mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True) def test__create_self_signed_jwt_always_use_jwt_access(self, jwt): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, always_use_jwt_access=True, ) credentials._create_self_signed_jwt(None) jwt.from_signing_credentials.assert_not_called() def test_token_usage_metrics_assertion(self): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, always_use_jwt_access=False, ) credentials.token = "token" credentials.expiry = None headers = {} credentials.before_request(mock.Mock(), None, None, headers) assert headers["authorization"] == "Bearer token" assert headers["x-goog-api-client"] == "cred-type/sa" def test_token_usage_metrics_self_signed_jwt(self): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, always_use_jwt_access=True, ) credentials._create_self_signed_jwt("foo.googleapis.com") credentials.token = "token" credentials.expiry = None headers = {} credentials.before_request(mock.Mock(), None, None, headers) assert headers["authorization"] == "Bearer token" assert headers["x-goog-api-client"] == "cred-type/jwt" @mock.patch("google.oauth2._client.jwt_grant", autospec=True) def test_refresh_success(self, jwt_grant): credentials = self.make_credentials() token = "token" jwt_grant.return_value = ( token, _helpers.utcnow() + datetime.timedelta(seconds=500), {}, ) request = mock.create_autospec(transport.Request, instance=True) # Refresh credentials credentials.refresh(request) # Check jwt grant call. assert jwt_grant.called called_request, token_uri, assertion = jwt_grant.call_args[0] assert called_request == request assert token_uri == credentials._token_uri assert jwt.decode(assertion, PUBLIC_CERT_BYTES) # No further assertion done on the token, as there are separate tests # for checking the authorization grant assertion. # Check that the credentials have the token. assert credentials.token == token # Check that the credentials are valid (have a token and are not # expired) assert credentials.valid @mock.patch("google.oauth2._client.jwt_grant", autospec=True) def test_before_request_refreshes(self, jwt_grant): credentials = self.make_credentials() token = "token" jwt_grant.return_value = ( token, _helpers.utcnow() + datetime.timedelta(seconds=500), None, ) request = mock.create_autospec(transport.Request, instance=True) # Credentials should start as invalid assert not credentials.valid # before_request should cause a refresh credentials.before_request(request, "GET", "http://example.com?a=1#3", {}) # The refresh endpoint should've been called. assert jwt_grant.called # Credentials should now be valid. assert credentials.valid @mock.patch("google.auth.jwt.Credentials._make_jwt") def test_refresh_with_jwt_credentials(self, make_jwt): credentials = self.make_credentials() credentials._create_self_signed_jwt("https://pubsub.googleapis.com") request = mock.create_autospec(transport.Request, instance=True) token = "token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) make_jwt.return_value = (b"token", expiry) # Credentials should start as invalid assert not credentials.valid # before_request should cause a refresh credentials.before_request(request, "GET", "http://example.com?a=1#3", {}) # Credentials should now be valid. assert credentials.valid # Assert make_jwt was called assert make_jwt.call_count == 1 assert credentials.token == token assert credentials.expiry == expiry def test_refresh_with_jwt_credentials_token_type_check(self): credentials = self.make_credentials() credentials._create_self_signed_jwt("https://pubsub.googleapis.com") credentials.refresh(mock.Mock()) # Credentials token should be a JWT string. assert isinstance(credentials.token, str) payload = jwt.decode(credentials.token, verify=False) assert payload["aud"] == "https://pubsub.googleapis.com" @mock.patch("google.oauth2._client.jwt_grant", autospec=True) @mock.patch("google.auth.jwt.Credentials.refresh", autospec=True) def test_refresh_jwt_not_used_for_domain_wide_delegation( self, self_signed_jwt_refresh, jwt_grant ): # Create a domain wide delegation credentials by setting the subject. credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, always_use_jwt_access=True, subject="subject", ) credentials._create_self_signed_jwt("https://pubsub.googleapis.com") jwt_grant.return_value = ( "token", _helpers.utcnow() + datetime.timedelta(seconds=500), {}, ) request = mock.create_autospec(transport.Request, instance=True) # Refresh credentials credentials.refresh(request) # Make sure we are using jwt_grant and not self signed JWT refresh # method to obtain the token. assert jwt_grant.called assert not self_signed_jwt_refresh.called def test_refresh_missing_jwt_credentials(self): credentials = self.make_credentials() credentials = credentials.with_scopes(["foo", "bar"]) credentials = credentials.with_always_use_jwt_access(True) assert not credentials._jwt_credentials credentials.refresh(mock.Mock()) # jwt credentials should have been automatically created with scopes assert credentials._jwt_credentials is not None def test_refresh_non_gdu_domain_wide_delegation_not_supported(self): credentials = self.make_credentials(universe_domain="foo") credentials._subject = "bar@example.com" credentials._create_self_signed_jwt("https://pubsub.googleapis.com") with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(None) assert excinfo.match("domain wide delegation is not supported") class TestIDTokenCredentials(object): SERVICE_ACCOUNT_EMAIL = "service-account@example.com" TOKEN_URI = "https://example.com/oauth2/token" TARGET_AUDIENCE = "https://example.com" @classmethod def make_credentials(cls, universe_domain=service_account._DEFAULT_UNIVERSE_DOMAIN): return service_account.IDTokenCredentials( SIGNER, cls.SERVICE_ACCOUNT_EMAIL, cls.TOKEN_URI, cls.TARGET_AUDIENCE, universe_domain=universe_domain, ) def test_constructor_no_universe_domain(self): credentials = service_account.IDTokenCredentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, self.TARGET_AUDIENCE, universe_domain=None, ) assert credentials._universe_domain == service_account._DEFAULT_UNIVERSE_DOMAIN def test_from_service_account_info(self): credentials = service_account.IDTokenCredentials.from_service_account_info( SERVICE_ACCOUNT_INFO, target_audience=self.TARGET_AUDIENCE ) assert credentials._signer.key_id == SERVICE_ACCOUNT_INFO["private_key_id"] assert credentials.service_account_email == SERVICE_ACCOUNT_INFO["client_email"] assert credentials._token_uri == SERVICE_ACCOUNT_INFO["token_uri"] assert credentials._target_audience == self.TARGET_AUDIENCE assert not credentials._use_iam_endpoint def test_from_service_account_info_non_gdu(self): credentials = service_account.IDTokenCredentials.from_service_account_info( SERVICE_ACCOUNT_INFO_NON_GDU, target_audience=self.TARGET_AUDIENCE ) assert ( credentials._signer.key_id == SERVICE_ACCOUNT_INFO_NON_GDU["private_key_id"] ) assert ( credentials.service_account_email == SERVICE_ACCOUNT_INFO_NON_GDU["client_email"] ) assert credentials._token_uri == SERVICE_ACCOUNT_INFO_NON_GDU["token_uri"] assert credentials._target_audience == self.TARGET_AUDIENCE assert credentials._use_iam_endpoint def test_from_service_account_file(self): info = SERVICE_ACCOUNT_INFO.copy() credentials = service_account.IDTokenCredentials.from_service_account_file( SERVICE_ACCOUNT_JSON_FILE, target_audience=self.TARGET_AUDIENCE ) assert credentials.service_account_email == info["client_email"] assert credentials._signer.key_id == info["private_key_id"] assert credentials._token_uri == info["token_uri"] assert credentials._target_audience == self.TARGET_AUDIENCE assert not credentials._use_iam_endpoint def test_from_service_account_file_non_gdu(self): info = SERVICE_ACCOUNT_INFO_NON_GDU.copy() credentials = service_account.IDTokenCredentials.from_service_account_file( SERVICE_ACCOUNT_NON_GDU_JSON_FILE, target_audience=self.TARGET_AUDIENCE ) assert credentials.service_account_email == info["client_email"] assert credentials._signer.key_id == info["private_key_id"] assert credentials._token_uri == info["token_uri"] assert credentials._target_audience == self.TARGET_AUDIENCE assert credentials._use_iam_endpoint def test_default_state(self): credentials = self.make_credentials() assert not credentials.valid # Expiration hasn't been set yet assert not credentials.expired def test_sign_bytes(self): credentials = self.make_credentials() to_sign = b"123" signature = credentials.sign_bytes(to_sign) assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES) def test_signer(self): credentials = self.make_credentials() assert isinstance(credentials.signer, crypt.Signer) def test_signer_email(self): credentials = self.make_credentials() assert credentials.signer_email == self.SERVICE_ACCOUNT_EMAIL def test_with_target_audience(self): credentials = self.make_credentials() new_credentials = credentials.with_target_audience("https://new.example.com") assert new_credentials._target_audience == "https://new.example.com" def test__with_use_iam_endpoint(self): credentials = self.make_credentials() new_credentials = credentials._with_use_iam_endpoint(True) assert new_credentials._use_iam_endpoint def test__with_use_iam_endpoint_non_default_universe_domain(self): credentials = self.make_credentials(universe_domain=FAKE_UNIVERSE_DOMAIN) with pytest.raises(exceptions.InvalidValue) as excinfo: credentials._with_use_iam_endpoint(False) assert excinfo.match( "use_iam_endpoint should be True for non-default universe domain" ) def test_with_quota_project(self): credentials = self.make_credentials() new_credentials = credentials.with_quota_project("project-foo") assert new_credentials._quota_project_id == "project-foo" def test_with_token_uri(self): credentials = self.make_credentials() new_token_uri = "https://example2.com/oauth2/token" assert credentials._token_uri == self.TOKEN_URI creds_with_new_token_uri = credentials.with_token_uri(new_token_uri) assert creds_with_new_token_uri._token_uri == new_token_uri def test__make_authorization_grant_assertion(self): credentials = self.make_credentials() token = credentials._make_authorization_grant_assertion() payload = jwt.decode(token, PUBLIC_CERT_BYTES) assert payload["iss"] == self.SERVICE_ACCOUNT_EMAIL assert payload["aud"] == service_account._GOOGLE_OAUTH2_TOKEN_ENDPOINT assert payload["target_audience"] == self.TARGET_AUDIENCE @mock.patch("google.oauth2._client.id_token_jwt_grant", autospec=True) def test_refresh_success(self, id_token_jwt_grant): credentials = self.make_credentials() token = "token" id_token_jwt_grant.return_value = ( token, _helpers.utcnow() + datetime.timedelta(seconds=500), {}, ) request = mock.create_autospec(transport.Request, instance=True) # Refresh credentials credentials.refresh(request) # Check jwt grant call. assert id_token_jwt_grant.called called_request, token_uri, assertion = id_token_jwt_grant.call_args[0] assert called_request == request assert token_uri == credentials._token_uri assert jwt.decode(assertion, PUBLIC_CERT_BYTES) # No further assertion done on the token, as there are separate tests # for checking the authorization grant assertion. # Check that the credentials have the token. assert credentials.token == token # Check that the credentials are valid (have a token and are not # expired) assert credentials.valid @mock.patch( "google.oauth2._client.call_iam_generate_id_token_endpoint", autospec=True ) def test_refresh_iam_flow(self, call_iam_generate_id_token_endpoint): credentials = self.make_credentials() credentials._use_iam_endpoint = True token = "id_token" call_iam_generate_id_token_endpoint.return_value = ( token, _helpers.utcnow() + datetime.timedelta(seconds=500), ) request = mock.Mock() credentials.refresh(request) req, signer_email, target_audience, access_token = call_iam_generate_id_token_endpoint.call_args[ 0 ] assert req == request assert signer_email == "service-account@example.com" assert target_audience == "https://example.com" decoded_access_token = jwt.decode(access_token, verify=False) assert decoded_access_token["scope"] == "https://www.googleapis.com/auth/iam" @mock.patch("google.oauth2._client.id_token_jwt_grant", autospec=True) def test_before_request_refreshes(self, id_token_jwt_grant): credentials = self.make_credentials() token = "token" id_token_jwt_grant.return_value = ( token, _helpers.utcnow() + datetime.timedelta(seconds=500), None, ) request = mock.create_autospec(transport.Request, instance=True) # Credentials should start as invalid assert not credentials.valid # before_request should cause a refresh credentials.before_request(request, "GET", "http://example.com?a=1#3", {}) # The refresh endpoint should've been called. assert id_token_jwt_grant.called # Credentials should now be valid. assert credentials.valid ��oauth2/__init__.py��0000644��00000000000�15025175543�0010054 0��ustar�00��test_aws.py��0000644��00000256710�15025175543�0006771 0��ustar�00��# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import http.client as http_client import json import os import urllib.parse import mock import pytest # type: ignore from google.auth import _helpers from google.auth import aws from google.auth import environment_vars from google.auth import exceptions from google.auth import transport IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/imp" ) LANG_LIBRARY_METRICS_HEADER_VALUE = "gl-python/3.7 auth/1.1" CLIENT_ID = "username" CLIENT_SECRET = "password" # Base64 encoding of "username:password". BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ=" SERVICE_ACCOUNT_EMAIL = "service-1234@service-name.iam.gserviceaccount.com" SERVICE_ACCOUNT_IMPERSONATION_URL_BASE = ( "https://us-east1-iamcredentials.googleapis.com" ) SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE = "/v1/projects/-/serviceAccounts/{}:generateAccessToken".format( SERVICE_ACCOUNT_EMAIL ) SERVICE_ACCOUNT_IMPERSONATION_URL = ( SERVICE_ACCOUNT_IMPERSONATION_URL_BASE + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) QUOTA_PROJECT_ID = "QUOTA_PROJECT_ID" SCOPES = ["scope1", "scope2"] TOKEN_URL = "https://sts.googleapis.com/v1/token" TOKEN_INFO_URL = "https://sts.googleapis.com/v1/introspect" SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request" AUDIENCE = "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID" REGION_URL = "http://169.254.169.254/latest/meta-data/placement/availability-zone" IMDSV2_SESSION_TOKEN_URL = "http://169.254.169.254/latest/api/token" SECURITY_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials" REGION_URL_IPV6 = "http://[fd00:ec2::254]/latest/meta-data/placement/availability-zone" IMDSV2_SESSION_TOKEN_URL_IPV6 = "http://[fd00:ec2::254]/latest/api/token" SECURITY_CREDS_URL_IPV6 = ( "http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials" ) CRED_VERIFICATION_URL = ( "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" ) # Sample fictitious AWS security credentials to be used with tests that require a session token. ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE" SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" TOKEN = "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE" # To avoid json.dumps() differing behavior from one version to other, # the JSON payload is hardcoded. REQUEST_PARAMS = '{"KeySchema":[{"KeyType":"HASH","AttributeName":"Id"}],"TableName":"TestTable","AttributeDefinitions":[{"AttributeName":"Id","AttributeType":"S"}],"ProvisionedThroughput":{"WriteCapacityUnits":5,"ReadCapacityUnits":5}}' # Each tuple contains the following entries: # region, time, credentials, original_request, signed_request DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" VALID_TOKEN_URLS = [ "https://sts.googleapis.com", "https://us-east-1.sts.googleapis.com", "https://US-EAST-1.sts.googleapis.com", "https://sts.us-east-1.googleapis.com", "https://sts.US-WEST-1.googleapis.com", "https://us-east-1-sts.googleapis.com", "https://US-WEST-1-sts.googleapis.com", "https://us-west-1-sts.googleapis.com/path?query", "https://sts-us-east-1.p.googleapis.com", ] INVALID_TOKEN_URLS = [ "https://iamcredentials.googleapis.com", "sts.googleapis.com", "https://", "http://sts.googleapis.com", "https://st.s.googleapis.com", "https://us-eas\t-1.sts.googleapis.com", "https:/us-east-1.sts.googleapis.com", "https://US-WE/ST-1-sts.googleapis.com", "https://sts-us-east-1.googleapis.com", "https://sts-US-WEST-1.googleapis.com", "testhttps://us-east-1.sts.googleapis.com", "https://us-east-1.sts.googleapis.comevil.com", "https://us-east-1.us-east-1.sts.googleapis.com", "https://us-ea.s.t.sts.googleapis.com", "https://sts.googleapis.comevil.com", "hhttps://us-east-1.sts.googleapis.com", "https://us- -1.sts.googleapis.com", "https://-sts.googleapis.com", "https://us-east-1.sts.googleapis.com.evil.com", "https://sts.pgoogleapis.com", "https://p.googleapis.com", "https://sts.p.com", "http://sts.p.googleapis.com", "https://xyz-sts.p.googleapis.com", "https://sts-xyz.123.p.googleapis.com", "https://sts-xyz.p1.googleapis.com", "https://sts-xyz.p.foo.com", "https://sts-xyz.p.foo.googleapis.com", ] VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ "https://iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.com", "https://US-EAST-1.iamcredentials.googleapis.com", "https://iamcredentials.us-east-1.googleapis.com", "https://iamcredentials.US-WEST-1.googleapis.com", "https://us-east-1-iamcredentials.googleapis.com", "https://US-WEST-1-iamcredentials.googleapis.com", "https://us-west-1-iamcredentials.googleapis.com/path?query", "https://iamcredentials-us-east-1.p.googleapis.com", ] INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ "https://sts.googleapis.com", "iamcredentials.googleapis.com", "https://", "http://iamcredentials.googleapis.com", "https://iamcre.dentials.googleapis.com", "https://us-eas\t-1.iamcredentials.googleapis.com", "https:/us-east-1.iamcredentials.googleapis.com", "https://US-WE/ST-1-iamcredentials.googleapis.com", "https://iamcredentials-us-east-1.googleapis.com", "https://iamcredentials-US-WEST-1.googleapis.com", "testhttps://us-east-1.iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.comevil.com", "https://us-east-1.us-east-1.iamcredentials.googleapis.com", "https://us-ea.s.t.iamcredentials.googleapis.com", "https://iamcredentials.googleapis.comevil.com", "hhttps://us-east-1.iamcredentials.googleapis.com", "https://us- -1.iamcredentials.googleapis.com", "https://-iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.com.evil.com", "https://iamcredentials.pgoogleapis.com", "https://p.googleapis.com", "https://iamcredentials.p.com", "http://iamcredentials.p.googleapis.com", "https://xyz-iamcredentials.p.googleapis.com", "https://iamcredentials-xyz.123.p.googleapis.com", "https://iamcredentials-xyz.p1.googleapis.com", "https://iamcredentials-xyz.p.foo.com", "https://iamcredentials-xyz.p.foo.googleapis.com", ] TEST_FIXTURES = [ # GET request (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "GET", "url": "https://host.foo.com", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com", "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # GET request with relative path (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-relative-relative.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-relative-relative.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "GET", "url": "https://host.foo.com/foo/bar/../..", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com/foo/bar/../..", "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # GET request with /./ path (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-slash-dot-slash.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-slash-dot-slash.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "GET", "url": "https://host.foo.com/./", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com/./", "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # GET request with pointless dot path (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-slash-pointless-dot.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-slash-pointless-dot.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "GET", "url": "https://host.foo.com/./foo", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com/./foo", "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=910e4d6c9abafaf87898e1eb4c929135782ea25bb0279703146455745391e63a", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # GET request with utf8 path (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-utf8.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-utf8.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "GET", "url": "https://host.foo.com/%E1%88%B4", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com/%E1%88%B4", "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=8d6634c189aa8c75c2e51e106b6b5121bed103fdb351f7d7d4381c738823af74", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # GET request with duplicate query key (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-query-order-key-case.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-query-order-key-case.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "GET", "url": "https://host.foo.com/?foo=Zoo&foo=aha", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com/?foo=Zoo&foo=aha", "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=be7148d34ebccdc6423b19085378aa0bee970bdc61d144bd1a8c48c33079ab09", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # GET request with duplicate out of order query key (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-query-order-value.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-query-order-value.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "GET", "url": "https://host.foo.com/?foo=b&foo=a", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com/?foo=b&foo=a", "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=feb926e49e382bec75c9d7dcb2a1b6dc8aa50ca43c25d2bc51143768c0875acc", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # GET request with utf8 query (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-ut8-query.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-ut8-query.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "GET", "url": "https://host.foo.com/?{}=bar".format( urllib.parse.unquote("%E1%88%B4") ), "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com/?{}=bar".format( urllib.parse.unquote("%E1%88%B4") ), "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=6fb359e9a05394cc7074e0feb42573a2601abc0c869a953e8c5c12e4e01f1a8c", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # POST request with sorted headers (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-header-key-sort.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-header-key-sort.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "POST", "url": "https://host.foo.com/", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT", "ZOO": "zoobar"}, }, { "url": "https://host.foo.com/", "method": "POST", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;zoo, Signature=b7a95a52518abbca0964a999a880429ab734f35ebbf1235bd79a5de87756dc4a", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", "ZOO": "zoobar", }, }, ), # POST request with upper case header value from AWS Python test harness. # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-header-value-case.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-header-value-case.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "POST", "url": "https://host.foo.com/", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT", "zoo": "ZOOBAR"}, }, { "url": "https://host.foo.com/", "method": "POST", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;zoo, Signature=273313af9d0c265c531e11db70bbd653f3ba074c1009239e8559d3987039cad7", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", "zoo": "ZOOBAR", }, }, ), # POST request with header and no body (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-header-value-trim.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-header-value-trim.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "POST", "url": "https://host.foo.com/", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT", "p": "phfft"}, }, { "url": "https://host.foo.com/", "method": "POST", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;p, Signature=debf546796015d6f6ded8626f5ce98597c33b47b9164cf6b17b4642036fcb592", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", "p": "phfft", }, }, ), # POST request with body and no header (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-x-www-form-urlencoded.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-x-www-form-urlencoded.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "POST", "url": "https://host.foo.com/", "headers": { "Content-Type": "application/x-www-form-urlencoded", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, "data": "foo=bar", }, { "url": "https://host.foo.com/", "method": "POST", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=content-type;date;host, Signature=5a15b22cf462f047318703b92e6f4f38884e4a7ab7b1d6426ca46a8bd1c26cbc", "host": "host.foo.com", "Content-Type": "application/x-www-form-urlencoded", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, "data": "foo=bar", }, ), # POST request with querystring (AWS botocore tests). # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-vanilla-query.req # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-vanilla-query.sreq ( "us-east-1", "2011-09-09T23:36:00Z", { "access_key_id": "AKIDEXAMPLE", "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", }, { "method": "POST", "url": "https://host.foo.com/?foo=bar", "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, }, { "url": "https://host.foo.com/?foo=bar", "method": "POST", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b6e3b79003ce0743a491606ba1035a804593b0efb1e20a11cba83f8c25a57a92", "host": "host.foo.com", "date": "Mon, 09 Sep 2011 23:36:00 GMT", }, }, ), # GET request with session token credentials. ( "us-east-2", "2020-08-11T06:55:22Z", { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, }, { "method": "GET", "url": "https://ec2.us-east-2.amazonaws.com?Action=DescribeRegions&Version=2013-10-15", }, { "url": "https://ec2.us-east-2.amazonaws.com?Action=DescribeRegions&Version=2013-10-15", "method": "GET", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=" + ACCESS_KEY_ID + "/20200811/us-east-2/ec2/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=41e226f997bf917ec6c9b2b14218df0874225f13bb153236c247881e614fafc9", "host": "ec2.us-east-2.amazonaws.com", "x-amz-date": "20200811T065522Z", "x-amz-security-token": TOKEN, }, }, ), # POST request with session token credentials. ( "us-east-2", "2020-08-11T06:55:22Z", { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, }, { "method": "POST", "url": "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", }, { "url": "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", "method": "POST", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=" + ACCESS_KEY_ID + "/20200811/us-east-2/sts/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=596aa990b792d763465d73703e684ca273c45536c6d322c31be01a41d02e5b60", "host": "sts.us-east-2.amazonaws.com", "x-amz-date": "20200811T065522Z", "x-amz-security-token": TOKEN, }, }, ), # POST request with computed x-amz-date and no data. ( "us-east-2", "2020-08-11T06:55:22Z", {"access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY}, { "method": "POST", "url": "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", }, { "url": "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", "method": "POST", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=" + ACCESS_KEY_ID + "/20200811/us-east-2/sts/aws4_request, SignedHeaders=host;x-amz-date, Signature=9e722e5b7bfa163447e2a14df118b45ebd283c5aea72019bdf921d6e7dc01a9a", "host": "sts.us-east-2.amazonaws.com", "x-amz-date": "20200811T065522Z", }, }, ), # POST request with session token and additional headers/data. ( "us-east-2", "2020-08-11T06:55:22Z", { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, }, { "method": "POST", "url": "https://dynamodb.us-east-2.amazonaws.com/", "headers": { "Content-Type": "application/x-amz-json-1.0", "x-amz-target": "DynamoDB_20120810.CreateTable", }, "data": REQUEST_PARAMS, }, { "url": "https://dynamodb.us-east-2.amazonaws.com/", "method": "POST", "headers": { "Authorization": "AWS4-HMAC-SHA256 Credential=" + ACCESS_KEY_ID + "/20200811/us-east-2/dynamodb/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=eb8bce0e63654bba672d4a8acb07e72d69210c1797d56ce024dbbc31beb2a2c7", "host": "dynamodb.us-east-2.amazonaws.com", "x-amz-date": "20200811T065522Z", "Content-Type": "application/x-amz-json-1.0", "x-amz-target": "DynamoDB_20120810.CreateTable", "x-amz-security-token": TOKEN, }, "data": REQUEST_PARAMS, }, ), ] class TestRequestSigner(object): @pytest.mark.parametrize( "region, time, credentials, original_request, signed_request", TEST_FIXTURES ) @mock.patch("google.auth._helpers.utcnow") def test_get_request_options( self, utcnow, region, time, credentials, original_request, signed_request ): utcnow.return_value = datetime.datetime.strptime(time, "%Y-%m-%dT%H:%M:%SZ") request_signer = aws.RequestSigner(region) actual_signed_request = request_signer.get_request_options( credentials, original_request.get("url"), original_request.get("method"), original_request.get("data"), original_request.get("headers"), ) assert actual_signed_request == signed_request def test_get_request_options_with_missing_scheme_url(self): request_signer = aws.RequestSigner("us-east-2") with pytest.raises(ValueError) as excinfo: request_signer.get_request_options( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, }, "invalid", "POST", ) assert excinfo.match(r"Invalid AWS service URL") def test_get_request_options_with_invalid_scheme_url(self): request_signer = aws.RequestSigner("us-east-2") with pytest.raises(ValueError) as excinfo: request_signer.get_request_options( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, }, "http://invalid", "POST", ) assert excinfo.match(r"Invalid AWS service URL") def test_get_request_options_with_missing_hostname_url(self): request_signer = aws.RequestSigner("us-east-2") with pytest.raises(ValueError) as excinfo: request_signer.get_request_options( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, }, "https://", "POST", ) assert excinfo.match(r"Invalid AWS service URL") class TestCredentials(object): AWS_REGION = "us-east-2" AWS_ROLE = "gcp-aws-role" AWS_SECURITY_CREDENTIALS_RESPONSE = { "AccessKeyId": ACCESS_KEY_ID, "SecretAccessKey": SECRET_ACCESS_KEY, "Token": TOKEN, } AWS_IMDSV2_SESSION_TOKEN = "awsimdsv2sessiontoken" AWS_SIGNATURE_TIME = "2020-08-11T06:55:22Z" CREDENTIAL_SOURCE = { "environment_id": "aws1", "region_url": REGION_URL, "url": SECURITY_CREDS_URL, "regional_cred_verification_url": CRED_VERIFICATION_URL, } CREDENTIAL_SOURCE_IPV6 = { "environment_id": "aws1", "region_url": REGION_URL_IPV6, "url": SECURITY_CREDS_URL_IPV6, "regional_cred_verification_url": CRED_VERIFICATION_URL, "imdsv2_session_token_url": IMDSV2_SESSION_TOKEN_URL_IPV6, } SUCCESS_RESPONSE = { "access_token": "ACCESS_TOKEN", "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 3600, "scope": " ".join(SCOPES), } @classmethod def make_serialized_aws_signed_request( cls, aws_security_credentials, region_name="us-east-2", url="https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", ): """Utility to generate serialize AWS signed requests. This makes it easy to assert generated subject tokens based on the provided AWS security credentials, regions and AWS STS endpoint. """ request_signer = aws.RequestSigner(region_name) signed_request = request_signer.get_request_options( aws_security_credentials, url, "POST" ) reformatted_signed_request = { "url": signed_request.get("url"), "method": signed_request.get("method"), "headers": [ { "key": "Authorization", "value": signed_request.get("headers").get("Authorization"), }, {"key": "host", "value": signed_request.get("headers").get("host")}, { "key": "x-amz-date", "value": signed_request.get("headers").get("x-amz-date"), }, ], } # Include security token if available. if "security_token" in aws_security_credentials: reformatted_signed_request.get("headers").append( { "key": "x-amz-security-token", "value": signed_request.get("headers").get("x-amz-security-token"), } ) # Append x-goog-cloud-target-resource header. reformatted_signed_request.get("headers").append( {"key": "x-goog-cloud-target-resource", "value": AUDIENCE} ), return urllib.parse.quote( json.dumps( reformatted_signed_request, separators=(",", ":"), sort_keys=True ) ) @classmethod def make_mock_request( cls, region_status=None, region_name=None, role_status=None, role_name=None, security_credentials_status=None, security_credentials_data=None, token_status=None, token_data=None, impersonation_status=None, impersonation_data=None, imdsv2_session_token_status=None, imdsv2_session_token_data=None, ): """Utility function to generate a mock HTTP request object. This will facilitate testing various edge cases by specify how the various endpoints will respond while generating a Google Access token in an AWS environment. """ responses = [] if imdsv2_session_token_status: # AWS session token request imdsv2_session_response = mock.create_autospec( transport.Response, instance=True ) imdsv2_session_response.status = imdsv2_session_token_status imdsv2_session_response.data = imdsv2_session_token_data responses.append(imdsv2_session_response) if region_status: # AWS region request. region_response = mock.create_autospec(transport.Response, instance=True) region_response.status = region_status if region_name: region_response.data = "{}b".format(region_name).encode("utf-8") responses.append(region_response) if role_status: # AWS role name request. role_response = mock.create_autospec(transport.Response, instance=True) role_response.status = role_status if role_name: role_response.data = role_name.encode("utf-8") responses.append(role_response) if security_credentials_status: # AWS security credentials request. security_credentials_response = mock.create_autospec( transport.Response, instance=True ) security_credentials_response.status = security_credentials_status if security_credentials_data: security_credentials_response.data = json.dumps( security_credentials_data ).encode("utf-8") responses.append(security_credentials_response) if token_status: # GCP token exchange request. token_response = mock.create_autospec(transport.Response, instance=True) token_response.status = token_status token_response.data = json.dumps(token_data).encode("utf-8") responses.append(token_response) if impersonation_status: # Service account impersonation request. impersonation_response = mock.create_autospec( transport.Response, instance=True ) impersonation_response.status = impersonation_status impersonation_response.data = json.dumps(impersonation_data).encode("utf-8") responses.append(impersonation_response) request = mock.create_autospec(transport.Request) request.side_effect = responses return request @classmethod def make_credentials( cls, credential_source, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, client_id=None, client_secret=None, quota_project_id=None, scopes=None, default_scopes=None, service_account_impersonation_url=None, ): return aws.Credentials( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=token_url, token_info_url=token_info_url, service_account_impersonation_url=service_account_impersonation_url, credential_source=credential_source, client_id=client_id, client_secret=client_secret, quota_project_id=quota_project_id, scopes=scopes, default_scopes=default_scopes, ) @classmethod def assert_aws_metadata_request_kwargs( cls, request_kwargs, url, headers=None, method="GET" ): assert request_kwargs["url"] == url # All used AWS metadata server endpoints use GET HTTP method. assert request_kwargs["method"] == method if headers: assert request_kwargs["headers"] == headers else: assert "headers" not in request_kwargs or request_kwargs["headers"] is None # None of the endpoints used require any data in request. assert "body" not in request_kwargs @classmethod def assert_token_request_kwargs( cls, request_kwargs, headers, request_data, token_url=TOKEN_URL ): assert request_kwargs["url"] == token_url assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None body_tuples = urllib.parse.parse_qsl(request_kwargs["body"]) assert len(body_tuples) == len(request_data.keys()) for (k, v) in body_tuples: assert v.decode("utf-8") == request_data[k.decode("utf-8")] @classmethod def assert_impersonation_request_kwargs( cls, request_kwargs, headers, request_data, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, ): assert request_kwargs["url"] == service_account_impersonation_url assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None body_json = json.loads(request_kwargs["body"].decode("utf-8")) assert body_json == request_data @mock.patch.object(aws.Credentials, "__init__", return_value=None) def test_from_info_full_options(self, mock_init): credentials = aws.Credentials.from_info( { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "service_account_impersonation": {"token_lifetime_seconds": 2800}, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "quota_project_id": QUOTA_PROJECT_ID, "credential_source": self.CREDENTIAL_SOURCE, } ) # Confirm aws.Credentials instance initialized with the expected parameters. assert isinstance(credentials, aws.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=QUOTA_PROJECT_ID, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(aws.Credentials, "__init__", return_value=None) def test_from_info_required_options_only(self, mock_init): credentials = aws.Credentials.from_info( { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE, } ) # Confirm aws.Credentials instance initialized with the expected parameters. assert isinstance(credentials, aws.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=None, service_account_impersonation_url=None, service_account_impersonation_options={}, client_id=None, client_secret=None, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=None, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(aws.Credentials, "__init__", return_value=None) def test_from_file_full_options(self, mock_init, tmpdir): info = { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "service_account_impersonation": {"token_lifetime_seconds": 2800}, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "quota_project_id": QUOTA_PROJECT_ID, "credential_source": self.CREDENTIAL_SOURCE, "universe_domain": DEFAULT_UNIVERSE_DOMAIN, } config_file = tmpdir.join("config.json") config_file.write(json.dumps(info)) credentials = aws.Credentials.from_file(str(config_file)) # Confirm aws.Credentials instance initialized with the expected parameters. assert isinstance(credentials, aws.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=QUOTA_PROJECT_ID, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(aws.Credentials, "__init__", return_value=None) def test_from_file_required_options_only(self, mock_init, tmpdir): info = { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE, } config_file = tmpdir.join("config.json") config_file.write(json.dumps(info)) credentials = aws.Credentials.from_file(str(config_file)) # Confirm aws.Credentials instance initialized with the expected parameters. assert isinstance(credentials, aws.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=None, service_account_impersonation_url=None, service_account_impersonation_options={}, client_id=None, client_secret=None, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=None, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) def test_constructor_invalid_credential_source(self): # Provide invalid credential source. credential_source = {"unsupported": "value"} with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match(r"No valid AWS 'credential_source' provided") def test_constructor_invalid_environment_id(self): # Provide invalid environment_id. credential_source = self.CREDENTIAL_SOURCE.copy() credential_source["environment_id"] = "azure1" with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match(r"No valid AWS 'credential_source' provided") def test_constructor_missing_cred_verification_url(self): # regional_cred_verification_url is a required field. credential_source = self.CREDENTIAL_SOURCE.copy() credential_source.pop("regional_cred_verification_url") with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match(r"No valid AWS 'credential_source' provided") def test_constructor_invalid_environment_id_version(self): # Provide an unsupported version. credential_source = self.CREDENTIAL_SOURCE.copy() credential_source["environment_id"] = "aws3" with pytest.raises(ValueError) as excinfo: self.make_credentials(credential_source=credential_source) assert excinfo.match(r"aws version '3' is not supported in the current build.") def test_info(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE.copy() ) assert credentials.info == { "type": "external_account", "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "credential_source": self.CREDENTIAL_SOURCE, "universe_domain": DEFAULT_UNIVERSE_DOMAIN, } def test_token_info_url(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE.copy() ) assert credentials.token_info_url == TOKEN_INFO_URL def test_token_info_url_custom(self): for url in VALID_TOKEN_URLS: credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE.copy(), token_info_url=(url + "/introspect"), ) assert credentials.token_info_url == (url + "/introspect") def test_token_info_url_negative(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE.copy(), token_info_url=None ) assert not credentials.token_info_url def test_token_url_custom(self): for url in VALID_TOKEN_URLS: credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE.copy(), token_url=(url + "/token"), ) assert credentials._token_url == (url + "/token") def test_service_account_impersonation_url_custom(self): for url in VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE.copy(), service_account_impersonation_url=( url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ), ) assert credentials._service_account_impersonation_url == ( url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) def test_retrieve_subject_token_missing_region_url(self): # When AWS_REGION envvar is not available, region_url is required for # determining the current AWS region. credential_source = self.CREDENTIAL_SOURCE.copy() credential_source.pop("region_url") credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(None) assert excinfo.match(r"Unable to determine AWS region") @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_temp_creds_no_environment_vars( self, utcnow ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(request) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) # Assert region request. self.assert_aws_metadata_request_kwargs( request.call_args_list[0][1], REGION_URL ) # Assert role request. self.assert_aws_metadata_request_kwargs( request.call_args_list[1][1], SECURITY_CREDS_URL ) # Assert security credentials request. self.assert_aws_metadata_request_kwargs( request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), {"Content-Type": "application/json"}, ) # Retrieve subject_token again. Region should not be queried again. new_request = self.make_mock_request( role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, ) credentials.retrieve_subject_token(new_request) # Only 3 requests should be sent as the region is cached. assert len(new_request.call_args_list) == 2 # Assert role request. self.assert_aws_metadata_request_kwargs( new_request.call_args_list[0][1], SECURITY_CREDS_URL ) # Assert security credentials request. self.assert_aws_metadata_request_kwargs( new_request.call_args_list[1][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), {"Content-Type": "application/json"}, ) @mock.patch("google.auth._helpers.utcnow") @mock.patch.dict(os.environ, {}) def test_retrieve_subject_token_success_temp_creds_no_environment_vars_idmsv2( self, utcnow ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, imdsv2_session_token_status=http_client.OK, imdsv2_session_token_data=self.AWS_IMDSV2_SESSION_TOKEN, ) credential_source_token_url = self.CREDENTIAL_SOURCE.copy() credential_source_token_url[ "imdsv2_session_token_url" ] = IMDSV2_SESSION_TOKEN_URL credentials = self.make_credentials( credential_source=credential_source_token_url ) subject_token = credentials.retrieve_subject_token(request) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) # Assert session token request self.assert_aws_metadata_request_kwargs( request.call_args_list[0][1], IMDSV2_SESSION_TOKEN_URL, {"X-aws-ec2-metadata-token-ttl-seconds": "300"}, "PUT", ) # Assert region request. self.assert_aws_metadata_request_kwargs( request.call_args_list[1][1], REGION_URL, {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN}, ) # Assert role request. self.assert_aws_metadata_request_kwargs( request.call_args_list[2][1], SECURITY_CREDS_URL, {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN}, ) # Assert security credentials request. self.assert_aws_metadata_request_kwargs( request.call_args_list[3][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) # Retrieve subject_token again. Region should not be queried again. new_request = self.make_mock_request( role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, imdsv2_session_token_status=http_client.OK, imdsv2_session_token_data=self.AWS_IMDSV2_SESSION_TOKEN, ) credentials.retrieve_subject_token(new_request) # Only 3 requests should be sent as the region is cached. assert len(new_request.call_args_list) == 3 # Assert session token request. self.assert_aws_metadata_request_kwargs( request.call_args_list[0][1], IMDSV2_SESSION_TOKEN_URL, {"X-aws-ec2-metadata-token-ttl-seconds": "300"}, "PUT", ) # Assert role request. self.assert_aws_metadata_request_kwargs( new_request.call_args_list[1][1], SECURITY_CREDS_URL, {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN}, ) # Assert security credentials request. self.assert_aws_metadata_request_kwargs( new_request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @mock.patch("google.auth._helpers.utcnow") @mock.patch.dict( os.environ, { environment_vars.AWS_REGION: AWS_REGION, environment_vars.AWS_ACCESS_KEY_ID: ACCESS_KEY_ID, }, ) def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_secret_access_key_idmsv2( self, utcnow ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, imdsv2_session_token_status=http_client.OK, imdsv2_session_token_data=self.AWS_IMDSV2_SESSION_TOKEN, ) credential_source_token_url = self.CREDENTIAL_SOURCE.copy() credential_source_token_url[ "imdsv2_session_token_url" ] = IMDSV2_SESSION_TOKEN_URL credentials = self.make_credentials( credential_source=credential_source_token_url ) subject_token = credentials.retrieve_subject_token(request) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) # Assert session token request. self.assert_aws_metadata_request_kwargs( request.call_args_list[0][1], IMDSV2_SESSION_TOKEN_URL, {"X-aws-ec2-metadata-token-ttl-seconds": "300"}, "PUT", ) # Assert role request. self.assert_aws_metadata_request_kwargs( request.call_args_list[1][1], SECURITY_CREDS_URL, {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN}, ) # Assert security credentials request. self.assert_aws_metadata_request_kwargs( request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @mock.patch("google.auth._helpers.utcnow") @mock.patch.dict( os.environ, { environment_vars.AWS_REGION: AWS_REGION, environment_vars.AWS_SECRET_ACCESS_KEY: SECRET_ACCESS_KEY, }, ) def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_access_key_id_idmsv2( self, utcnow ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, imdsv2_session_token_status=http_client.OK, imdsv2_session_token_data=self.AWS_IMDSV2_SESSION_TOKEN, ) credential_source_token_url = self.CREDENTIAL_SOURCE.copy() credential_source_token_url[ "imdsv2_session_token_url" ] = IMDSV2_SESSION_TOKEN_URL credentials = self.make_credentials( credential_source=credential_source_token_url ) subject_token = credentials.retrieve_subject_token(request) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) # Assert session token request. self.assert_aws_metadata_request_kwargs( request.call_args_list[0][1], IMDSV2_SESSION_TOKEN_URL, {"X-aws-ec2-metadata-token-ttl-seconds": "300"}, "PUT", ) # Assert role request. self.assert_aws_metadata_request_kwargs( request.call_args_list[1][1], SECURITY_CREDS_URL, {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN}, ) # Assert security credentials request. self.assert_aws_metadata_request_kwargs( request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @mock.patch("google.auth._helpers.utcnow") @mock.patch.dict(os.environ, {environment_vars.AWS_REGION: AWS_REGION}) def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_creds_idmsv2( self, utcnow ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, imdsv2_session_token_status=http_client.OK, imdsv2_session_token_data=self.AWS_IMDSV2_SESSION_TOKEN, ) credential_source_token_url = self.CREDENTIAL_SOURCE.copy() credential_source_token_url[ "imdsv2_session_token_url" ] = IMDSV2_SESSION_TOKEN_URL credentials = self.make_credentials( credential_source=credential_source_token_url ) subject_token = credentials.retrieve_subject_token(request) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) # Assert session token request. self.assert_aws_metadata_request_kwargs( request.call_args_list[0][1], IMDSV2_SESSION_TOKEN_URL, {"X-aws-ec2-metadata-token-ttl-seconds": "300"}, "PUT", ) # Assert role request. self.assert_aws_metadata_request_kwargs( request.call_args_list[1][1], SECURITY_CREDS_URL, {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN}, ) # Assert security credentials request. self.assert_aws_metadata_request_kwargs( request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @mock.patch("google.auth._helpers.utcnow") @mock.patch.dict( os.environ, { environment_vars.AWS_REGION: AWS_REGION, environment_vars.AWS_ACCESS_KEY_ID: ACCESS_KEY_ID, environment_vars.AWS_SECRET_ACCESS_KEY: SECRET_ACCESS_KEY, }, ) def test_retrieve_subject_token_success_temp_creds_idmsv2(self, utcnow): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( role_status=http_client.OK, role_name=self.AWS_ROLE ) credential_source_token_url = self.CREDENTIAL_SOURCE.copy() credential_source_token_url[ "imdsv2_session_token_url" ] = IMDSV2_SESSION_TOKEN_URL credentials = self.make_credentials( credential_source=credential_source_token_url ) credentials.retrieve_subject_token(request) assert not request.called @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_ipv6(self, utcnow): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, imdsv2_session_token_status=http_client.OK, imdsv2_session_token_data=self.AWS_IMDSV2_SESSION_TOKEN, ) credential_source_token_url = self.CREDENTIAL_SOURCE_IPV6.copy() credentials = self.make_credentials( credential_source=credential_source_token_url ) subject_token = credentials.retrieve_subject_token(request) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) # Assert session token request. self.assert_aws_metadata_request_kwargs( request.call_args_list[0][1], IMDSV2_SESSION_TOKEN_URL_IPV6, {"X-aws-ec2-metadata-token-ttl-seconds": "300"}, "PUT", ) # Assert region request. self.assert_aws_metadata_request_kwargs( request.call_args_list[1][1], REGION_URL_IPV6, {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN}, ) # Assert role request. self.assert_aws_metadata_request_kwargs( request.call_args_list[2][1], SECURITY_CREDS_URL_IPV6, {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN}, ) # Assert security credentials request. self.assert_aws_metadata_request_kwargs( request.call_args_list[3][1], "{}/{}".format(SECURITY_CREDS_URL_IPV6, self.AWS_ROLE), { "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_session_error_idmsv2(self, utcnow): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( imdsv2_session_token_status=http_client.UNAUTHORIZED, imdsv2_session_token_data="unauthorized", ) credential_source_token_url = self.CREDENTIAL_SOURCE.copy() credential_source_token_url[ "imdsv2_session_token_url" ] = IMDSV2_SESSION_TOKEN_URL credentials = self.make_credentials( credential_source=credential_source_token_url ) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(request) assert excinfo.match(r"Unable to retrieve AWS Session Token") # Assert session token request self.assert_aws_metadata_request_kwargs( request.call_args_list[0][1], IMDSV2_SESSION_TOKEN_URL, {"X-aws-ec2-metadata-token-ttl-seconds": "300"}, "PUT", ) @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_permanent_creds_no_environment_vars( self, utcnow ): # Simualte a permanent credential without a session token is # returned by the security-credentials endpoint. security_creds_response = self.AWS_SECURITY_CREDENTIALS_RESPONSE.copy() security_creds_response.pop("Token") utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=security_creds_response, ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(request) assert subject_token == self.make_serialized_aws_signed_request( {"access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY} ) @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_environment_vars(self, utcnow, monkeypatch): monkeypatch.setenv(environment_vars.AWS_ACCESS_KEY_ID, ACCESS_KEY_ID) monkeypatch.setenv(environment_vars.AWS_SECRET_ACCESS_KEY, SECRET_ACCESS_KEY) monkeypatch.setenv(environment_vars.AWS_SESSION_TOKEN, TOKEN) monkeypatch.setenv(environment_vars.AWS_REGION, self.AWS_REGION) utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_environment_vars_with_default_region( self, utcnow, monkeypatch ): monkeypatch.setenv(environment_vars.AWS_ACCESS_KEY_ID, ACCESS_KEY_ID) monkeypatch.setenv(environment_vars.AWS_SECRET_ACCESS_KEY, SECRET_ACCESS_KEY) monkeypatch.setenv(environment_vars.AWS_SESSION_TOKEN, TOKEN) monkeypatch.setenv(environment_vars.AWS_DEFAULT_REGION, self.AWS_REGION) utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_environment_vars_with_both_regions_set( self, utcnow, monkeypatch ): monkeypatch.setenv(environment_vars.AWS_ACCESS_KEY_ID, ACCESS_KEY_ID) monkeypatch.setenv(environment_vars.AWS_SECRET_ACCESS_KEY, SECRET_ACCESS_KEY) monkeypatch.setenv(environment_vars.AWS_SESSION_TOKEN, TOKEN) monkeypatch.setenv(environment_vars.AWS_DEFAULT_REGION, "Malformed AWS Region") # This test makes sure that the AWS_REGION gets used over AWS_DEFAULT_REGION, # So, AWS_DEFAULT_REGION is set to something that would cause the test to fail, # And AWS_REGION is set to the a valid value, and it should succeed monkeypatch.setenv(environment_vars.AWS_REGION, self.AWS_REGION) utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_environment_vars_no_session_token( self, utcnow, monkeypatch ): monkeypatch.setenv(environment_vars.AWS_ACCESS_KEY_ID, ACCESS_KEY_ID) monkeypatch.setenv(environment_vars.AWS_SECRET_ACCESS_KEY, SECRET_ACCESS_KEY) monkeypatch.setenv(environment_vars.AWS_REGION, self.AWS_REGION) utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.make_serialized_aws_signed_request( {"access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY} ) @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_environment_vars_except_region( self, utcnow, monkeypatch ): monkeypatch.setenv(environment_vars.AWS_ACCESS_KEY_ID, ACCESS_KEY_ID) monkeypatch.setenv(environment_vars.AWS_SECRET_ACCESS_KEY, SECRET_ACCESS_KEY) monkeypatch.setenv(environment_vars.AWS_SESSION_TOKEN, TOKEN) utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) # Region will be queried since it is not found in envvars. request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(request) assert subject_token == self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) def test_retrieve_subject_token_error_determining_aws_region(self): # Simulate error in retrieving the AWS region. request = self.make_mock_request(region_status=http_client.BAD_REQUEST) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(request) assert excinfo.match(r"Unable to retrieve AWS region") def test_retrieve_subject_token_error_determining_aws_role(self): # Simulate error in retrieving the AWS role name. request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.BAD_REQUEST, ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(request) assert excinfo.match(r"Unable to retrieve AWS role name") def test_retrieve_subject_token_error_determining_security_creds_url(self): # Simulate the security-credentials url is missing. This is needed for # determining the AWS security credentials when not found in envvars. credential_source = self.CREDENTIAL_SOURCE.copy() credential_source.pop("url") request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION ) credentials = self.make_credentials(credential_source=credential_source) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(request) assert excinfo.match( r"Unable to determine the AWS metadata server security credentials endpoint" ) def test_retrieve_subject_token_error_determining_aws_security_creds(self): # Simulate error in retrieving the AWS security credentials. request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.BAD_REQUEST, ) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.retrieve_subject_token(request) assert excinfo.match(r"Unable to retrieve AWS security credentials") @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow") def test_refresh_success_without_impersonation_ignore_default_scopes( self, utcnow, mock_auth_lib_value ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) expected_subject_token = self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) token_headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic " + BASIC_AUTH_ENCODING, "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false source/aws", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "scope": " ".join(SCOPES), "subject_token": expected_subject_token, "subject_token_type": SUBJECT_TOKEN_TYPE, } request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, token_status=http_client.OK, token_data=self.SUCCESS_RESPONSE, ) credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=QUOTA_PROJECT_ID, scopes=SCOPES, # Default scopes should be ignored. default_scopes=["ignored"], ) credentials.refresh(request) assert len(request.call_args_list) == 4 # Fourth request should be sent to GCP STS endpoint. self.assert_token_request_kwargs( request.call_args_list[3][1], token_headers, token_request_data ) assert credentials.token == self.SUCCESS_RESPONSE["access_token"] assert credentials.quota_project_id == QUOTA_PROJECT_ID assert credentials.scopes == SCOPES assert credentials.default_scopes == ["ignored"] @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow") def test_refresh_success_without_impersonation_use_default_scopes( self, utcnow, mock_auth_lib_value ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) expected_subject_token = self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) token_headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic " + BASIC_AUTH_ENCODING, "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/false config-lifetime/false source/aws", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "scope": " ".join(SCOPES), "subject_token": expected_subject_token, "subject_token_type": SUBJECT_TOKEN_TYPE, } request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, token_status=http_client.OK, token_data=self.SUCCESS_RESPONSE, ) credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=QUOTA_PROJECT_ID, scopes=None, # Default scopes should be used since user specified scopes are none. default_scopes=SCOPES, ) credentials.refresh(request) assert len(request.call_args_list) == 4 # Fourth request should be sent to GCP STS endpoint. self.assert_token_request_kwargs( request.call_args_list[3][1], token_headers, token_request_data ) assert credentials.token == self.SUCCESS_RESPONSE["access_token"] assert credentials.quota_project_id == QUOTA_PROJECT_ID assert credentials.scopes is None assert credentials.default_scopes == SCOPES @mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow") def test_refresh_success_with_impersonation_ignore_default_scopes( self, utcnow, mock_metrics_header_value, mock_auth_lib_value ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=3600) ).isoformat("T") + "Z" expected_subject_token = self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) token_headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic " + BASIC_AUTH_ENCODING, "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/true config-lifetime/false source/aws", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "scope": "https://www.googleapis.com/auth/iam", "subject_token": expected_subject_token, "subject_token_type": SUBJECT_TOKEN_TYPE, } # Service account impersonation request/response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-goog-user-project": QUOTA_PROJECT_ID, "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": SCOPES, "lifetime": "3600s", } request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, token_status=http_client.OK, token_data=self.SUCCESS_RESPONSE, impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, quota_project_id=QUOTA_PROJECT_ID, scopes=SCOPES, # Default scopes should be ignored. default_scopes=["ignored"], ) credentials.refresh(request) assert len(request.call_args_list) == 5 # Fourth request should be sent to GCP STS endpoint. self.assert_token_request_kwargs( request.call_args_list[3][1], token_headers, token_request_data ) # Fifth request should be sent to iamcredentials endpoint for service # account impersonation. self.assert_impersonation_request_kwargs( request.call_args_list[4][1], impersonation_headers, impersonation_request_data, ) assert credentials.token == impersonation_response["accessToken"] assert credentials.quota_project_id == QUOTA_PROJECT_ID assert credentials.scopes == SCOPES assert credentials.default_scopes == ["ignored"] @mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ) @mock.patch( "google.auth.metrics.python_and_auth_lib_version", return_value=LANG_LIBRARY_METRICS_HEADER_VALUE, ) @mock.patch("google.auth._helpers.utcnow") def test_refresh_success_with_impersonation_use_default_scopes( self, utcnow, mock_metrics_header_value, mock_auth_lib_value ): utcnow.return_value = datetime.datetime.strptime( self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" ) expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=3600) ).isoformat("T") + "Z" expected_subject_token = self.make_serialized_aws_signed_request( { "access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY, "security_token": TOKEN, } ) token_headers = { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic " + BASIC_AUTH_ENCODING, "x-goog-api-client": "gl-python/3.7 auth/1.1 google-byoid-sdk sa-impersonation/true config-lifetime/false source/aws", } token_request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "audience": AUDIENCE, "requested_token_type": "urn:ietf:params:oauth:token-type:access_token", "scope": "https://www.googleapis.com/auth/iam", "subject_token": expected_subject_token, "subject_token_type": SUBJECT_TOKEN_TYPE, } # Service account impersonation request/response. impersonation_response = { "accessToken": "SA_ACCESS_TOKEN", "expireTime": expire_time, } impersonation_headers = { "Content-Type": "application/json", "authorization": "Bearer {}".format(self.SUCCESS_RESPONSE["access_token"]), "x-goog-user-project": QUOTA_PROJECT_ID, "x-goog-api-client": IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, "x-allowed-locations": "0x0", } impersonation_request_data = { "delegates": None, "scope": SCOPES, "lifetime": "3600s", } request = self.make_mock_request( region_status=http_client.OK, region_name=self.AWS_REGION, role_status=http_client.OK, role_name=self.AWS_ROLE, security_credentials_status=http_client.OK, security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE, token_status=http_client.OK, token_data=self.SUCCESS_RESPONSE, impersonation_status=http_client.OK, impersonation_data=impersonation_response, ) credentials = self.make_credentials( client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, quota_project_id=QUOTA_PROJECT_ID, scopes=None, # Default scopes should be used since user specified scopes are none. default_scopes=SCOPES, ) credentials.refresh(request) assert len(request.call_args_list) == 5 # Fourth request should be sent to GCP STS endpoint. self.assert_token_request_kwargs( request.call_args_list[3][1], token_headers, token_request_data ) # Fifth request should be sent to iamcredentials endpoint for service # account impersonation. self.assert_impersonation_request_kwargs( request.call_args_list[4][1], impersonation_headers, impersonation_request_data, ) assert credentials.token == impersonation_response["accessToken"] assert credentials.quota_project_id == QUOTA_PROJECT_ID assert credentials.scopes is None assert credentials.default_scopes == SCOPES def test_refresh_with_retrieve_subject_token_error(self): request = self.make_mock_request(region_status=http_client.BAD_REQUEST) credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(request) assert excinfo.match(r"Unable to retrieve AWS region") ��test__oauth2client.py��0000644��00000013134�15025175543�0010726 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import importlib import os import sys import mock import pytest # type: ignore try: import oauth2client.client # type: ignore import oauth2client.contrib.gce # type: ignore import oauth2client.service_account # type: ignore except ImportError: # pragma: NO COVER pytest.skip( "Skipping oauth2client tests since oauth2client is not installed.", allow_module_level=True, ) from google.auth import _oauth2client DATA_DIR = os.path.join(os.path.dirname(__file__), "data") SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json") def test__convert_oauth2_credentials(): old_credentials = oauth2client.client.OAuth2Credentials( "access_token", "client_id", "client_secret", "refresh_token", datetime.datetime.min, "token_uri", "user_agent", scopes="one two", ) new_credentials = _oauth2client._convert_oauth2_credentials(old_credentials) assert new_credentials.token == old_credentials.access_token assert new_credentials._refresh_token == old_credentials.refresh_token assert new_credentials._client_id == old_credentials.client_id assert new_credentials._client_secret == old_credentials.client_secret assert new_credentials._token_uri == old_credentials.token_uri assert new_credentials.scopes == old_credentials.scopes def test__convert_service_account_credentials(): old_class = oauth2client.service_account.ServiceAccountCredentials old_credentials = old_class.from_json_keyfile_name(SERVICE_ACCOUNT_JSON_FILE) new_credentials = _oauth2client._convert_service_account_credentials( old_credentials ) assert ( new_credentials.service_account_email == old_credentials.service_account_email ) assert new_credentials._signer.key_id == old_credentials._private_key_id assert new_credentials._token_uri == old_credentials.token_uri def test__convert_service_account_credentials_with_jwt(): old_class = oauth2client.service_account._JWTAccessCredentials old_credentials = old_class.from_json_keyfile_name(SERVICE_ACCOUNT_JSON_FILE) new_credentials = _oauth2client._convert_service_account_credentials( old_credentials ) assert ( new_credentials.service_account_email == old_credentials.service_account_email ) assert new_credentials._signer.key_id == old_credentials._private_key_id assert new_credentials._token_uri == old_credentials.token_uri def test__convert_gce_app_assertion_credentials(): old_credentials = oauth2client.contrib.gce.AppAssertionCredentials( email="some_email" ) new_credentials = _oauth2client._convert_gce_app_assertion_credentials( old_credentials ) assert ( new_credentials.service_account_email == old_credentials.service_account_email ) @pytest.fixture def mock_oauth2client_gae_imports(mock_non_existent_module): mock_non_existent_module("google.appengine.api.app_identity") mock_non_existent_module("google.appengine.ext.ndb") mock_non_existent_module("google.appengine.ext.webapp.util") mock_non_existent_module("webapp2") @mock.patch("google.auth.app_engine.app_identity") def test__convert_appengine_app_assertion_credentials( app_identity, mock_oauth2client_gae_imports ): import oauth2client.contrib.appengine # type: ignore service_account_id = "service_account_id" old_credentials = oauth2client.contrib.appengine.AppAssertionCredentials( scope="one two", service_account_id=service_account_id ) new_credentials = _oauth2client._convert_appengine_app_assertion_credentials( old_credentials ) assert new_credentials.scopes == ["one", "two"] assert new_credentials._service_account_id == old_credentials.service_account_id class FakeCredentials(object): pass def test_convert_success(): convert_function = mock.Mock(spec=["__call__"]) conversion_map_patch = mock.patch.object( _oauth2client, "_CLASS_CONVERSION_MAP", {FakeCredentials: convert_function} ) credentials = FakeCredentials() with conversion_map_patch: result = _oauth2client.convert(credentials) convert_function.assert_called_once_with(credentials) assert result == convert_function.return_value def test_convert_not_found(): with pytest.raises(ValueError) as excinfo: _oauth2client.convert("a string is not a real credentials class") assert excinfo.match("Unable to convert") @pytest.fixture def reset__oauth2client_module(): """Reloads the _oauth2client module after a test.""" importlib.reload(_oauth2client) def test_import_has_app_engine( mock_oauth2client_gae_imports, reset__oauth2client_module ): importlib.reload(_oauth2client) assert _oauth2client._HAS_APPENGINE def test_import_without_oauth2client(monkeypatch, reset__oauth2client_module): monkeypatch.setitem(sys.modules, "oauth2client", None) with pytest.raises(ImportError) as excinfo: importlib.reload(_oauth2client) assert excinfo.match("oauth2client") ��test_packaging.py��0000644��00000001777�15025175543�0010124 0��ustar�00��# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import os import subprocess import sys def test_namespace_package_compat(tmp_path): """ The ``google`` namespace package should not be masked by the presence of ``google-auth``. """ google = tmp_path / "google" google.mkdir() google.joinpath("othermod.py").write_text("") env = dict(os.environ, PYTHONPATH=str(tmp_path)) cmd = [sys.executable, "-m", "google.othermod"] subprocess.check_call(cmd, env=env) �test__helpers.py��0000644��00000013117�15025175543�0007770 0��ustar�00��# Copyright 2016 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import urllib import pytest # type: ignore from google.auth import _helpers class SourceClass(object): def func(self): # pragma: NO COVER """example docstring""" def test_copy_docstring_success(): def func(): # pragma: NO COVER pass _helpers.copy_docstring(SourceClass)(func) assert func.__doc__ == SourceClass.func.__doc__ def test_copy_docstring_conflict(): def func(): # pragma: NO COVER """existing docstring""" pass with pytest.raises(ValueError): _helpers.copy_docstring(SourceClass)(func) def test_copy_docstring_non_existing(): def func2(): # pragma: NO COVER pass with pytest.raises(AttributeError): _helpers.copy_docstring(SourceClass)(func2) def test_parse_content_type_plain(): assert _helpers.parse_content_type("text/html") == "text/html" assert _helpers.parse_content_type("application/xml") == "application/xml" assert _helpers.parse_content_type("application/json") == "application/json" def test_parse_content_type_with_parameters(): content_type_html = "text/html; charset=UTF-8" content_type_xml = "application/xml; charset=UTF-16; version=1.0" content_type_json = "application/json; charset=UTF-8; indent=2" assert _helpers.parse_content_type(content_type_html) == "text/html" assert _helpers.parse_content_type(content_type_xml) == "application/xml" assert _helpers.parse_content_type(content_type_json) == "application/json" def test_parse_content_type_missing_or_broken(): content_type_foo = None content_type_bar = "" content_type_baz = "1234" content_type_qux = " ; charset=UTF-8" assert _helpers.parse_content_type(content_type_foo) == "text/plain" assert _helpers.parse_content_type(content_type_bar) == "text/plain" assert _helpers.parse_content_type(content_type_baz) == "text/plain" assert _helpers.parse_content_type(content_type_qux) == "text/plain" def test_utcnow(): assert isinstance(_helpers.utcnow(), datetime.datetime) def test_datetime_to_secs(): assert _helpers.datetime_to_secs(datetime.datetime(1970, 1, 1)) == 0 assert _helpers.datetime_to_secs(datetime.datetime(1990, 5, 29)) == 643939200 def test_to_bytes_with_bytes(): value = b"bytes-val" assert _helpers.to_bytes(value) == value def test_to_bytes_with_unicode(): value = u"string-val" encoded_value = b"string-val" assert _helpers.to_bytes(value) == encoded_value def test_to_bytes_with_nonstring_type(): with pytest.raises(ValueError): _helpers.to_bytes(object()) def test_from_bytes_with_unicode(): value = u"bytes-val" assert _helpers.from_bytes(value) == value def test_from_bytes_with_bytes(): value = b"string-val" decoded_value = u"string-val" assert _helpers.from_bytes(value) == decoded_value def test_from_bytes_with_nonstring_type(): with pytest.raises(ValueError): _helpers.from_bytes(object()) def _assert_query(url, expected): parts = urllib.parse.urlsplit(url) query = urllib.parse.parse_qs(parts.query) assert query == expected def test_update_query_params_no_params(): uri = "http://www.google.com" updated = _helpers.update_query(uri, {"a": "b"}) assert updated == uri + "?a=b" def test_update_query_existing_params(): uri = "http://www.google.com?x=y" updated = _helpers.update_query(uri, {"a": "b", "c": "d&"}) _assert_query(updated, {"x": ["y"], "a": ["b"], "c": ["d&"]}) def test_update_query_replace_param(): base_uri = "http://www.google.com" uri = base_uri + "?x=a" updated = _helpers.update_query(uri, {"x": "b", "y": "c"}) _assert_query(updated, {"x": ["b"], "y": ["c"]}) def test_update_query_remove_param(): base_uri = "http://www.google.com" uri = base_uri + "?x=a" updated = _helpers.update_query(uri, {"y": "c"}, remove=["x"]) _assert_query(updated, {"y": ["c"]}) def test_scopes_to_string(): cases = [ ("", ()), ("", []), ("", ("",)), ("", [""]), ("a", ("a",)), ("b", ["b"]), ("a b", ["a", "b"]), ("a b", ("a", "b")), ("a b", (s for s in ["a", "b"])), ] for expected, case in cases: assert _helpers.scopes_to_string(case) == expected def test_string_to_scopes(): cases = [("", []), ("a", ["a"]), ("a b c d e f", ["a", "b", "c", "d", "e", "f"])] for case, expected in cases: assert _helpers.string_to_scopes(case) == expected def test_padded_urlsafe_b64decode(): cases = [ ("YQ==", b"a"), ("YQ", b"a"), ("YWE=", b"aa"), ("YWE", b"aa"), ("YWFhYQ==", b"aaaa"), ("YWFhYQ", b"aaaa"), ("YWFhYWE=", b"aaaaa"), ("YWFhYWE", b"aaaaa"), ] for case, expected in cases: assert _helpers.padded_urlsafe_b64decode(case) == expected def test_unpadded_urlsafe_b64encode(): cases = [(b"", b""), (b"a", b"YQ"), (b"aa", b"YWE"), (b"aaa", b"YWFh")] for case, expected in cases: assert _helpers.unpadded_urlsafe_b64encode(case) == expected ��test_impersonated_credentials.py��0000644��00000056166�15025175543�0013251 0��ustar�00��# Copyright 2018 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import http.client as http_client import json import os import mock import pytest # type: ignore from google.auth import _helpers from google.auth import crypt from google.auth import exceptions from google.auth import impersonated_credentials from google.auth import transport from google.auth.impersonated_credentials import Credentials from google.oauth2 import credentials from google.oauth2 import service_account DATA_DIR = os.path.join(os.path.dirname(__file__), "", "data") with open(os.path.join(DATA_DIR, "privatekey.pem"), "rb") as fh: PRIVATE_KEY_BYTES = fh.read() SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json") ID_TOKEN_DATA = ( "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNhZDk3N2Ew" "Yjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwc" "zovL2Zvby5iYXIiLCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJle" "HAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwiaXNzIjoiaHR0cHM6L" "y9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwN" "zA4NTY4In0.redacted" ) ID_TOKEN_EXPIRY = 1564475051 with open(SERVICE_ACCOUNT_JSON_FILE, "rb") as fh: SERVICE_ACCOUNT_INFO = json.load(fh) SIGNER = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1") TOKEN_URI = "https://example.com/oauth2/token" ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/imp" ) ID_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/it cred-type/imp" ) @pytest.fixture def mock_donor_credentials(): with mock.patch("google.oauth2._client.jwt_grant", autospec=True) as grant: grant.return_value = ( "source token", _helpers.utcnow() + datetime.timedelta(seconds=500), {}, ) yield grant class MockResponse: def __init__(self, json_data, status_code): self.json_data = json_data self.status_code = status_code def json(self): return self.json_data @pytest.fixture def mock_authorizedsession_sign(): with mock.patch( "google.auth.transport.requests.AuthorizedSession.request", autospec=True ) as auth_session: data = {"keyId": "1", "signedBlob": "c2lnbmF0dXJl"} auth_session.return_value = MockResponse(data, http_client.OK) yield auth_session @pytest.fixture def mock_authorizedsession_idtoken(): with mock.patch( "google.auth.transport.requests.AuthorizedSession.request", autospec=True ) as auth_session: data = {"token": ID_TOKEN_DATA} auth_session.return_value = MockResponse(data, http_client.OK) yield auth_session class TestImpersonatedCredentials(object): SERVICE_ACCOUNT_EMAIL = "service-account@example.com" TARGET_PRINCIPAL = "impersonated@project.iam.gserviceaccount.com" TARGET_SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only"] # DELEGATES: List[str] = [] # Because Python 2.7: DELEGATES = [] # type: ignore LIFETIME = 3600 SOURCE_CREDENTIALS = service_account.Credentials( SIGNER, SERVICE_ACCOUNT_EMAIL, TOKEN_URI ) USER_SOURCE_CREDENTIALS = credentials.Credentials(token="ABCDE") IAM_ENDPOINT_OVERRIDE = ( "https://us-east1-iamcredentials.googleapis.com/v1/projects/-" + "/serviceAccounts/{}:generateAccessToken".format(SERVICE_ACCOUNT_EMAIL) ) def make_credentials( self, source_credentials=SOURCE_CREDENTIALS, lifetime=LIFETIME, target_principal=TARGET_PRINCIPAL, iam_endpoint_override=None, ): return Credentials( source_credentials=source_credentials, target_principal=target_principal, target_scopes=self.TARGET_SCOPES, delegates=self.DELEGATES, lifetime=lifetime, iam_endpoint_override=iam_endpoint_override, ) def test_make_from_user_credentials(self): credentials = self.make_credentials( source_credentials=self.USER_SOURCE_CREDENTIALS ) assert not credentials.valid assert credentials.expired def test_default_state(self): credentials = self.make_credentials() assert not credentials.valid assert credentials.expired def test_make_from_service_account_self_signed_jwt(self): source_credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, TOKEN_URI, always_use_jwt_access=True ) credentials = self.make_credentials(source_credentials=source_credentials) # test the source credential don't lose self signed jwt setting assert credentials._source_credentials._always_use_jwt_access assert credentials._source_credentials._jwt_credentials def make_request( self, data, status=http_client.OK, headers=None, side_effect=None, use_data_bytes=True, ): response = mock.create_autospec(transport.Response, instance=False) response.status = status response.data = _helpers.to_bytes(data) if use_data_bytes else data response.headers = headers or {} request = mock.create_autospec(transport.Request, instance=False) request.side_effect = side_effect request.return_value = response return request def test_token_usage_metrics(self): credentials = self.make_credentials() credentials.token = "token" credentials.expiry = None headers = {} credentials.before_request(mock.Mock(), None, None, headers) assert headers["authorization"] == "Bearer token" assert headers["x-goog-api-client"] == "cred-type/imp" @pytest.mark.parametrize("use_data_bytes", [True, False]) def test_refresh_success(self, use_data_bytes, mock_donor_credentials): credentials = self.make_credentials(lifetime=None) token = "token" expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK, use_data_bytes=use_data_bytes, ) with mock.patch( "google.auth.metrics.token_request_access_token_impersonate", return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, ): credentials.refresh(request) assert credentials.valid assert not credentials.expired assert ( request.call_args.kwargs["headers"]["x-goog-api-client"] == ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE ) @pytest.mark.parametrize("use_data_bytes", [True, False]) def test_refresh_success_iam_endpoint_override( self, use_data_bytes, mock_donor_credentials ): credentials = self.make_credentials( lifetime=None, iam_endpoint_override=self.IAM_ENDPOINT_OVERRIDE ) token = "token" expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK, use_data_bytes=use_data_bytes, ) credentials.refresh(request) assert credentials.valid assert not credentials.expired # Confirm override endpoint used. request_kwargs = request.call_args[1] assert request_kwargs["url"] == self.IAM_ENDPOINT_OVERRIDE @pytest.mark.parametrize("time_skew", [100, -100]) def test_refresh_source_credentials(self, time_skew): credentials = self.make_credentials(lifetime=None) # Source credentials is refreshed only if it is expired within # _helpers.REFRESH_THRESHOLD from now. We add a time_skew to the expiry, so # source credentials is refreshed only if time_skew <= 0. credentials._source_credentials.expiry = ( _helpers.utcnow() + _helpers.REFRESH_THRESHOLD + datetime.timedelta(seconds=time_skew) ) credentials._source_credentials.token = "Token" with mock.patch( "google.oauth2.service_account.Credentials.refresh", autospec=True ) as source_cred_refresh: expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": "token", "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK ) credentials.refresh(request) assert credentials.valid assert not credentials.expired # Source credentials is refreshed only if it is expired within # _helpers.REFRESH_THRESHOLD if time_skew > 0: source_cred_refresh.assert_not_called() else: source_cred_refresh.assert_called_once() def test_refresh_failure_malformed_expire_time(self, mock_donor_credentials): credentials = self.make_credentials(lifetime=None) token = "token" expire_time = (_helpers.utcnow() + datetime.timedelta(seconds=500)).isoformat( "T" ) response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK ) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(request) assert excinfo.match(impersonated_credentials._REFRESH_ERROR) assert not credentials.valid assert credentials.expired def test_refresh_failure_unauthorzed(self, mock_donor_credentials): credentials = self.make_credentials(lifetime=None) response_body = { "error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED", } } request = self.make_request( data=json.dumps(response_body), status=http_client.UNAUTHORIZED ) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(request) assert excinfo.match(impersonated_credentials._REFRESH_ERROR) assert not credentials.valid assert credentials.expired def test_refresh_failure(self): credentials = self.make_credentials(lifetime=None) credentials.expiry = None credentials.token = "token" id_creds = impersonated_credentials.IDTokenCredentials( credentials, target_audience="audience" ) response = mock.create_autospec(transport.Response, instance=False) response.status_code = http_client.UNAUTHORIZED response.json = mock.Mock(return_value="failed to get ID token") with mock.patch( "google.auth.transport.requests.AuthorizedSession.post", return_value=response, ): with pytest.raises(exceptions.RefreshError) as excinfo: id_creds.refresh(None) assert excinfo.match("Error getting ID token") def test_refresh_failure_http_error(self, mock_donor_credentials): credentials = self.make_credentials(lifetime=None) response_body = {} request = self.make_request( data=json.dumps(response_body), status=http_client.HTTPException ) with pytest.raises(exceptions.RefreshError) as excinfo: credentials.refresh(request) assert excinfo.match(impersonated_credentials._REFRESH_ERROR) assert not credentials.valid assert credentials.expired def test_expired(self): credentials = self.make_credentials(lifetime=None) assert credentials.expired def test_signer(self): credentials = self.make_credentials() assert isinstance(credentials.signer, impersonated_credentials.Credentials) def test_signer_email(self): credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL) assert credentials.signer_email == self.TARGET_PRINCIPAL def test_service_account_email(self): credentials = self.make_credentials(target_principal=self.TARGET_PRINCIPAL) assert credentials.service_account_email == self.TARGET_PRINCIPAL def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign): credentials = self.make_credentials(lifetime=None) token = "token" expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" token_response_body = {"accessToken": token, "expireTime": expire_time} response = mock.create_autospec(transport.Response, instance=False) response.status = http_client.OK response.data = _helpers.to_bytes(json.dumps(token_response_body)) request = mock.create_autospec(transport.Request, instance=False) request.return_value = response credentials.refresh(request) assert credentials.valid assert not credentials.expired signature = credentials.sign_bytes(b"signed bytes") assert signature == b"signature" def test_sign_bytes_failure(self): credentials = self.make_credentials(lifetime=None) with mock.patch( "google.auth.transport.requests.AuthorizedSession.request", autospec=True ) as auth_session: data = {"error": {"code": 403, "message": "unauthorized"}} auth_session.return_value = MockResponse(data, http_client.FORBIDDEN) with pytest.raises(exceptions.TransportError) as excinfo: credentials.sign_bytes(b"foo") assert excinfo.match("'code': 403") def test_with_quota_project(self): credentials = self.make_credentials() quota_project_creds = credentials.with_quota_project("project-foo") assert quota_project_creds._quota_project_id == "project-foo" @pytest.mark.parametrize("use_data_bytes", [True, False]) def test_with_quota_project_iam_endpoint_override( self, use_data_bytes, mock_donor_credentials ): credentials = self.make_credentials( lifetime=None, iam_endpoint_override=self.IAM_ENDPOINT_OVERRIDE ) token = "token" # iam_endpoint_override should be copied to created credentials. quota_project_creds = credentials.with_quota_project("project-foo") expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK, use_data_bytes=use_data_bytes, ) quota_project_creds.refresh(request) assert quota_project_creds.valid assert not quota_project_creds.expired # Confirm override endpoint used. request_kwargs = request.call_args[1] assert request_kwargs["url"] == self.IAM_ENDPOINT_OVERRIDE def test_with_scopes(self): credentials = self.make_credentials() credentials._target_scopes = [] assert credentials.requires_scopes is True credentials = credentials.with_scopes(["fake_scope1", "fake_scope2"]) assert credentials.requires_scopes is False assert credentials._target_scopes == ["fake_scope1", "fake_scope2"] def test_with_scopes_provide_default_scopes(self): credentials = self.make_credentials() credentials._target_scopes = [] credentials = credentials.with_scopes( ["fake_scope1"], default_scopes=["fake_scope2"] ) assert credentials._target_scopes == ["fake_scope1"] def test_id_token_success( self, mock_donor_credentials, mock_authorizedsession_idtoken ): credentials = self.make_credentials(lifetime=None) token = "token" target_audience = "https://foo.bar" expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK ) credentials.refresh(request) assert credentials.valid assert not credentials.expired id_creds = impersonated_credentials.IDTokenCredentials( credentials, target_audience=target_audience ) id_creds.refresh(request) assert id_creds.token == ID_TOKEN_DATA assert id_creds.expiry == datetime.datetime.utcfromtimestamp(ID_TOKEN_EXPIRY) def test_id_token_metrics(self, mock_donor_credentials): credentials = self.make_credentials(lifetime=None) credentials.token = "token" credentials.expiry = None target_audience = "https://foo.bar" id_creds = impersonated_credentials.IDTokenCredentials( credentials, target_audience=target_audience ) with mock.patch( "google.auth.metrics.token_request_id_token_impersonate", return_value=ID_TOKEN_REQUEST_METRICS_HEADER_VALUE, ): with mock.patch( "google.auth.transport.requests.AuthorizedSession.post", autospec=True ) as mock_post: data = {"token": ID_TOKEN_DATA} mock_post.return_value = MockResponse(data, http_client.OK) id_creds.refresh(None) assert id_creds.token == ID_TOKEN_DATA assert id_creds.expiry == datetime.datetime.utcfromtimestamp( ID_TOKEN_EXPIRY ) assert ( mock_post.call_args.kwargs["headers"]["x-goog-api-client"] == ID_TOKEN_REQUEST_METRICS_HEADER_VALUE ) def test_id_token_from_credential( self, mock_donor_credentials, mock_authorizedsession_idtoken ): credentials = self.make_credentials(lifetime=None) token = "token" target_audience = "https://foo.bar" expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK ) credentials.refresh(request) assert credentials.valid assert not credentials.expired new_credentials = self.make_credentials(lifetime=None) id_creds = impersonated_credentials.IDTokenCredentials( credentials, target_audience=target_audience, include_email=True ) id_creds = id_creds.from_credentials(target_credentials=new_credentials) id_creds.refresh(request) assert id_creds.token == ID_TOKEN_DATA assert id_creds._include_email is True assert id_creds._target_credentials is new_credentials def test_id_token_with_target_audience( self, mock_donor_credentials, mock_authorizedsession_idtoken ): credentials = self.make_credentials(lifetime=None) token = "token" target_audience = "https://foo.bar" expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK ) credentials.refresh(request) assert credentials.valid assert not credentials.expired id_creds = impersonated_credentials.IDTokenCredentials( credentials, include_email=True ) id_creds = id_creds.with_target_audience(target_audience=target_audience) id_creds.refresh(request) assert id_creds.token == ID_TOKEN_DATA assert id_creds.expiry == datetime.datetime.utcfromtimestamp(ID_TOKEN_EXPIRY) assert id_creds._include_email is True def test_id_token_invalid_cred( self, mock_donor_credentials, mock_authorizedsession_idtoken ): credentials = None with pytest.raises(exceptions.GoogleAuthError) as excinfo: impersonated_credentials.IDTokenCredentials(credentials) assert excinfo.match("Provided Credential must be" " impersonated_credentials") def test_id_token_with_include_email( self, mock_donor_credentials, mock_authorizedsession_idtoken ): credentials = self.make_credentials(lifetime=None) token = "token" target_audience = "https://foo.bar" expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK ) credentials.refresh(request) assert credentials.valid assert not credentials.expired id_creds = impersonated_credentials.IDTokenCredentials( credentials, target_audience=target_audience ) id_creds = id_creds.with_include_email(True) id_creds.refresh(request) assert id_creds.token == ID_TOKEN_DATA def test_id_token_with_quota_project( self, mock_donor_credentials, mock_authorizedsession_idtoken ): credentials = self.make_credentials(lifetime=None) token = "token" target_audience = "https://foo.bar" expire_time = ( _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) ).isoformat("T") + "Z" response_body = {"accessToken": token, "expireTime": expire_time} request = self.make_request( data=json.dumps(response_body), status=http_client.OK ) credentials.refresh(request) assert credentials.valid assert not credentials.expired id_creds = impersonated_credentials.IDTokenCredentials( credentials, target_audience=target_audience ) id_creds = id_creds.with_quota_project("project-foo") id_creds.refresh(request) assert id_creds.quota_project_id == "project-foo" ��data/public_cert.pem��0000644��00000002173�15025175543�0010465 0��ustar�00��-----BEGIN CERTIFICATE----- MIIDIzCCAgugAwIBAgIJAMfISuBQ5m+5MA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV BAMTCnVuaXQtdGVzdHMwHhcNMTExMjA2MTYyNjAyWhcNMjExMjAzMTYyNjAyWjAV MRMwEQYDVQQDEwp1bml0LXRlc3RzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj7wZgkdmM 7oVK2OfgrSj/FCTkInKPqaCR0gD7K80q+mLBrN3PUkDrJQZpvRZIff3/xmVU1Wer uQLFJjnFb2dqu0s/FY/2kWiJtBCakXvXEOb7zfbINuayL+MSsCGSdVYsSliS5qQp gyDap+8b5fpXZVJkq92hrcNtbkg7hCYUJczt8n9hcCTJCfUpApvaFQ18pe+zpyl4 +WzkP66I28hniMQyUlA1hBiskT7qiouq0m8IOodhv2fagSZKjOTTU2xkSBc//fy3 ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQABo3YwdDAdBgNVHQ4EFgQU2RQ8yO+O gN8oVW2SW7RLrfYd9jEwRQYDVR0jBD4wPIAU2RQ8yO+OgN8oVW2SW7RLrfYd9jGh GaQXMBUxEzARBgNVBAMTCnVuaXQtdGVzdHOCCQDHyErgUOZvuTAMBgNVHRMEBTAD AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBRv+M/6+FiVu7KXNjFI5pSN17OcW5QUtPr odJMlWrJBtynn/TA1oJlYu3yV5clc/71Vr/AxuX5xGP+IXL32YDF9lTUJXG/uUGk +JETpKmQviPbRsvzYhz4pf6ZIOZMc3/GIcNq92ECbseGO+yAgyWUVKMmZM0HqXC9 ovNslqe0M8C1sLm1zAR5z/h/litE7/8O2ietija3Q/qtl2TOXJdCA6sgjJX2WUql ybrC55ct18NKf3qhpcEkGQvFU40rVYApJpi98DiZPYFdx1oBDp/f4uZ3ojpxRVFT cDwcJLfNRCPUhormsY7fDS9xSyThiHsW9mjJYdcaKQkwYZ0F11yB -----END CERTIFICATE----- ��data/client_secrets.json��0000644��00000000672�15025175543�0011372 0��ustar�00��{ "web": { "client_id": "example.apps.googleusercontent.com", "project_id": "example", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_secret": "itsasecrettoeveryone", "redirect_uris": [ "urn:ietf:wg:oauth:2.0:oob", "http://localhost" ] } } ��data/enterprise_cert_valid.json��0000644��00000000163�15025175543�0012733 0��ustar�00��{ "libs": { "ecp_client": "/path/to/signer/lib", "tls_offload": "/path/to/offload/lib" } } ��data/es256_service_account.json��0000644��00000001027�15025175543�0012457 0��ustar�00��{ "type": "service_account", "project_id": "example-project", "private_key_id": "1", "private_key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIAIC57aTx5ev4T2HBMQk4fXV09AzLDQ3Ju1uNoEB0LngoAoGCCqGSM49\nAwEHoUQDQgAEsACsrmP6Bp216OCFm73C8W/VRHZWcO8yU/bMwx96f05BkTII3KeJ\nz2O0IRAnXfso8K6YsjMuUDGCfj+b1IDIoA==\n-----END EC PRIVATE KEY-----", "client_email": "service-account@example.com", "client_id": "1234", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token" } ��data/service_account.json��0000644��00000003733�15025175543�0011541 0��ustar�00��{ "type": "service_account", "project_id": "example-project", "private_key_id": "1", "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj\n7wZgkdmM7oVK2OfgrSj/FCTkInKPqaCR0gD7K80q+mLBrN3PUkDrJQZpvRZIff3/\nxmVU1WeruQLFJjnFb2dqu0s/FY/2kWiJtBCakXvXEOb7zfbINuayL+MSsCGSdVYs\nSliS5qQpgyDap+8b5fpXZVJkq92hrcNtbkg7hCYUJczt8n9hcCTJCfUpApvaFQ18\npe+zpyl4+WzkP66I28hniMQyUlA1hBiskT7qiouq0m8IOodhv2fagSZKjOTTU2xk\nSBc//fy3ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQABAoIBAQDGGHzQxGKX+ANk\nnQi53v/c6632dJKYXVJC+PDAz4+bzU800Y+n/bOYsWf/kCp94XcG4Lgsdd0Gx+Zq\nHD9CI1IcqqBRR2AFscsmmX6YzPLTuEKBGMW8twaYy3utlFxElMwoUEsrSWRcCA1y\nnHSDzTt871c7nxCXHxuZ6Nm/XCL7Bg8uidRTSC1sQrQyKgTPhtQdYrPQ4WZ1A4J9\nIisyDYmZodSNZe5P+LTJ6M1SCgH8KH9ZGIxv3diMwzNNpk3kxJc9yCnja4mjiGE2\nYCNusSycU5IhZwVeCTlhQGcNeV/skfg64xkiJE34c2y2ttFbdwBTPixStGaF09nU\nZ422D40BAoGBAPvVyRRsC3BF+qZdaSMFwI1yiXY7vQw5+JZh01tD28NuYdRFzjcJ\nvzT2n8LFpj5ZfZFvSMLMVEFVMgQvWnN0O6xdXvGov6qlRUSGaH9u+TCPNnIldjMP\nB8+xTwFMqI7uQr54wBB+Poq7dVRP+0oHb0NYAwUBXoEuvYo3c/nDoRcZAoGBAOWl\naLHjMv4CJbArzT8sPfic/8waSiLV9Ixs3Re5YREUTtnLq7LoymqB57UXJB3BNz/2\neCueuW71avlWlRtE/wXASj5jx6y5mIrlV4nZbVuyYff0QlcG+fgb6pcJQuO9DxMI\naqFGrWP3zye+LK87a6iR76dS9vRU+bHZpSVvGMKJAoGAFGt3TIKeQtJJyqeUWNSk\nklORNdcOMymYMIlqG+JatXQD1rR6ThgqOt8sgRyJqFCVT++YFMOAqXOBBLnaObZZ\nCFbh1fJ66BlSjoXff0W+SuOx5HuJJAa5+WtFHrPajwxeuRcNa8jwxUsB7n41wADu\nUqWWSRedVBg4Ijbw3nWwYDECgYB0pLew4z4bVuvdt+HgnJA9n0EuYowVdadpTEJg\nsoBjNHV4msLzdNqbjrAqgz6M/n8Ztg8D2PNHMNDNJPVHjJwcR7duSTA6w2p/4k28\nbvvk/45Ta3XmzlxZcZSOct3O31Cw0i2XDVc018IY5be8qendDYM08icNo7vQYkRH\n504kQQKBgQDjx60zpz8ozvm1XAj0wVhi7GwXe+5lTxiLi9Fxq721WDxPMiHDW2XL\nYXfFVy/9/GIMvEiGYdmarK1NW+VhWl1DC5xhDg0kvMfxplt4tynoq1uTsQTY31Mx\nBeF5CT/JuNYk3bEBF0H/Q3VGO1/ggVS+YezdFbLWIRoMnLj6XCFEGg==\n-----END RSA PRIVATE KEY-----\n", "client_email": "service-account@example.com", "client_id": "1234", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token" } ��data/authorized_user_with_rapt_token.json��0000644��00000000240�15025175543�0015050 0��ustar�00��{ "client_id": "123", "client_secret": "secret", "refresh_token": "alabalaportocala", "type": "authorized_user", "rapt_token": "rapt" } ��data/es256_public_cert.pem��0000644��00000000670�15025175543�0011411 0��ustar�00��-----BEGIN CERTIFICATE----- MIIBGDCBwAIJAPUA0H4EQWsdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMMCnVuaXQt dGVzdHMwHhcNMTkwNTA5MDI1MDExWhcNMTkwNjA4MDI1MDExWjAVMRMwEQYDVQQD DAp1bml0LXRlc3RzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsACsrmP6Bp21 6OCFm73C8W/VRHZWcO8yU/bMwx96f05BkTII3KeJz2O0IRAnXfso8K6YsjMuUDGC fj+b1IDIoDAKBggqhkjOPQQDAgNHADBEAh8PcDTMyWk8SHqV/v8FLuMbDxdtAsq2 dwCpuHQwqCcmAiEAnwtkiyieN+8zozaf1P4QKp2mAqNGqua50y3ua5uVotc= -----END CERTIFICATE----- ��data/service_account_non_gdu.json��0000644��00000004317�15025175543�0013251 0��ustar�00��{ "type": "service_account", "universe_domain": "universe.foo", "project_id": "example_project", "private_key_id": "1", "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj\n7wZgkdmM7oVK2OfgrSj/FCTkInKPqaCR0gD7K80q+mLBrN3PUkDrJQZpvRZIff3/\nxmVU1WeruQLFJjnFb2dqu0s/FY/2kWiJtBCakXvXEOb7zfbINuayL+MSsCGSdVYs\nSliS5qQpgyDap+8b5fpXZVJkq92hrcNtbkg7hCYUJczt8n9hcCTJCfUpApvaFQ18\npe+zpyl4+WzkP66I28hniMQyUlA1hBiskT7qiouq0m8IOodhv2fagSZKjOTTU2xk\nSBc//fy3ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQABAoIBAQDGGHzQxGKX+ANk\nnQi53v/c6632dJKYXVJC+PDAz4+bzU800Y+n/bOYsWf/kCp94XcG4Lgsdd0Gx+Zq\nHD9CI1IcqqBRR2AFscsmmX6YzPLTuEKBGMW8twaYy3utlFxElMwoUEsrSWRcCA1y\nnHSDzTt871c7nxCXHxuZ6Nm/XCL7Bg8uidRTSC1sQrQyKgTPhtQdYrPQ4WZ1A4J9\nIisyDYmZodSNZe5P+LTJ6M1SCgH8KH9ZGIxv3diMwzNNpk3kxJc9yCnja4mjiGE2\nYCNusSycU5IhZwVeCTlhQGcNeV/skfg64xkiJE34c2y2ttFbdwBTPixStGaF09nU\nZ422D40BAoGBAPvVyRRsC3BF+qZdaSMFwI1yiXY7vQw5+JZh01tD28NuYdRFzjcJ\nvzT2n8LFpj5ZfZFvSMLMVEFVMgQvWnN0O6xdXvGov6qlRUSGaH9u+TCPNnIldjMP\nB8+xTwFMqI7uQr54wBB+Poq7dVRP+0oHb0NYAwUBXoEuvYo3c/nDoRcZAoGBAOWl\naLHjMv4CJbArzT8sPfic/8waSiLV9Ixs3Re5YREUTtnLq7LoymqB57UXJB3BNz/2\neCueuW71avlWlRtE/wXASj5jx6y5mIrlV4nZbVuyYff0QlcG+fgb6pcJQuO9DxMI\naqFGrWP3zye+LK87a6iR76dS9vRU+bHZpSVvGMKJAoGAFGt3TIKeQtJJyqeUWNSk\nklORNdcOMymYMIlqG+JatXQD1rR6ThgqOt8sgRyJqFCVT++YFMOAqXOBBLnaObZZ\nCFbh1fJ66BlSjoXff0W+SuOx5HuJJAa5+WtFHrPajwxeuRcNa8jwxUsB7n41wADu\nUqWWSRedVBg4Ijbw3nWwYDECgYB0pLew4z4bVuvdt+HgnJA9n0EuYowVdadpTEJg\nsoBjNHV4msLzdNqbjrAqgz6M/n8Ztg8D2PNHMNDNJPVHjJwcR7duSTA6w2p/4k28\nbvvk/45Ta3XmzlxZcZSOct3O31Cw0i2XDVc018IY5be8qendDYM08icNo7vQYkRH\n504kQQKBgQDjx60zpz8ozvm1XAj0wVhi7GwXe+5lTxiLi9Fxq721WDxPMiHDW2XL\nYXfFVy/9/GIMvEiGYdmarK1NW+VhWl1DC5xhDg0kvMfxplt4tynoq1uTsQTY31Mx\nBeF5CT/JuNYk3bEBF0H/Q3VGO1/ggVS+YezdFbLWIRoMnLj6XCFEGg==\n-----END RSA PRIVATE KEY-----\n", "client_email": "testsa@foo.iam.gserviceaccount.com", "client_id": "1234", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.universe.foo/token", "auth_provider_x509_cert_url": "https://www.universe.foo/oauth2/v1/certs", "client_x509_cert_url": "https://www.universe.foo/robot/v1/metadata/x509/foo.iam.gserviceaccount.com" } ��data/authorized_user_cloud_sdk.json��0000644��00000000277�15025175543�0013630 0��ustar�00��{ "client_id": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com", "client_secret": "secret", "refresh_token": "alabalaportocala", "type": "authorized_user" } ��data/enterprise_cert_invalid.json��0000644��00000000022�15025175543�0013254 0��ustar�00��{ "libs": {} }��data/old_oauth_credentials_py3.pickle��0000644��00000000433�15025175543�0014003 0��ustar�00��cgoogle.oauth2.credentials Credentials q�)�q}q(X��tokenqX��123qX��expiryqNX��_scopesqNX��_refresh_tokenqX��321qX ��_id_tokenq NX ��_token_uriq X ��https://example.com/oauth2/tokenqX ��_client_idqX ��client_idq X��_client_secretqX ��client_secretqub.��data/privatekey.pub��0000644��00000000652�15025175543�0010362 0��ustar�00��-----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj7wZg kdmM7oVK2OfgrSj/FCTkInKPqaCR0gD7K80q+mLBrN3PUkDrJQZpvRZIff3/xmVU 1WeruQLFJjnFb2dqu0s/FY/2kWiJtBCakXvXEOb7zfbINuayL+MSsCGSdVYsSliS 5qQpgyDap+8b5fpXZVJkq92hrcNtbkg7hCYUJczt8n9hcCTJCfUpApvaFQ18pe+z pyl4+WzkP66I28hniMQyUlA1hBiskT7qiouq0m8IOodhv2fagSZKjOTTU2xkSBc/ /fy3ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQAB -----END RSA PUBLIC KEY----- ��data/pem_from_pkcs12.pem��0000644��00000003472�15025175543�0011164 0��ustar�00��Bag Attributes friendlyName: key localKeyID: 22 7E 04 FC 64 48 20 83 1E C1 BD E3 F5 2F 44 7D EA 99 A5 BC Key Attributes: <No Attributes> -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDh6PSnttDsv+vi tUZTP1E3hVBah6PUGDWZhYgNiyW8quTWCmPvBmCR2YzuhUrY5+CtKP8UJOQico+p oJHSAPsrzSr6YsGs3c9SQOslBmm9Fkh9/f/GZVTVZ6u5AsUmOcVvZ2q7Sz8Vj/aR aIm0EJqRe9cQ5vvN9sg25rIv4xKwIZJ1VixKWJLmpCmDINqn7xvl+ldlUmSr3aGt w21uSDuEJhQlzO3yf2FwJMkJ9SkCm9oVDXyl77OnKXj5bOQ/rojbyGeIxDJSUDWE GKyRPuqKi6rSbwg6h2G/Z9qBJkqM5NNTbGRIFz/9/LdmmwvtaqCxlLtD7RVEryAp +qTGDk5hAgMBAAECggEBAMYYfNDEYpf4A2SdCLne/9zrrfZ0kphdUkL48MDPj5vN TzTRj6f9s5ixZ/+QKn3hdwbguCx13QbH5mocP0IjUhyqoFFHYAWxyyaZfpjM8tO4 QoEYxby3BpjLe62UXESUzChQSytJZFwIDXKcdIPNO3zvVzufEJcfG5no2b9cIvsG Dy6J1FNILWxCtDIqBM+G1B1is9DhZnUDgn0iKzINiZmh1I1l7k/4tMnozVIKAfwo f1kYjG/d2IzDM02mTeTElz3IKeNriaOIYTZgI26xLJxTkiFnBV4JOWFAZw15X+yR +DrjGSIkTfhzbLa20Vt3AFM+LFK0ZoXT2dRnjbYPjQECgYEA+9XJFGwLcEX6pl1p IwXAjXKJdju9DDn4lmHTW0Pbw25h1EXONwm/NPafwsWmPll9kW9IwsxUQVUyBC9a c3Q7rF1e8ai/qqVFRIZof275MI82ciV2Mw8Hz7FPAUyoju5CvnjAEH4+irt1VE/7 SgdvQ1gDBQFegS69ijdz+cOhFxkCgYEA5aVoseMy/gIlsCvNPyw9+Jz/zBpKItX0 jGzdF7lhERRO2cursujKaoHntRckHcE3P/Z4K565bvVq+VaVG0T/BcBKPmPHrLmY iuVXidltW7Jh9/RCVwb5+BvqlwlC470PEwhqoUatY/fPJ74srztrqJHvp1L29FT5 sdmlJW8YwokCgYAUa3dMgp5C0knKp5RY1KSSU5E11w4zKZgwiWob4lq1dAPWtHpO GCo63yyBHImoUJVP75gUw4Cpc4EEudo5tlkIVuHV8nroGVKOhd9/Rb5K47Hke4kk Brn5a0Ues9qPDF65Fw1ryPDFSwHufjXAAO5SpZZJF51UGDgiNvDedbBgMQKBgHSk t7DjPhtW69234eCckD2fQS5ijBV1p2lMQmCygGM0dXiawvN02puOsCqDPoz+fxm2 DwPY80cw0M0k9UeMnBxHt25JMDrDan/iTbxu++T/jlNrdebOXFlxlI5y3c7fULDS LZcNVzTXwhjlt7yp6d0NgzTyJw2ju9BiREfnTiRBAoGBAOPHrTOnPyjO+bVcCPTB WGLsbBd77mVPGIuL0XGrvbVYPE8yIcNbZcthd8VXL/38Ygy8SIZh2ZqsrU1b5WFa XUMLnGEODSS8x/GmW3i3KeirW5OxBNjfUzEF4XkJP8m41iTdsQEXQf9DdUY7X+CB VL5h7N0VstYhGgycuPpcIUQa -----END PRIVATE KEY----- ��data/context_aware_metadata.json��0000644��00000000254�15025175543�0013063 0��ustar�00��{ "cert_provider_command":[ "/opt/google/endpoint-verification/bin/SecureConnectHelper", "--print_certificate"], "device_resource_ids":["11111111-1111-1111"] } ��data/privatekey.pem��0000644��00000003217�15025175543�0010355 0��ustar�00��-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj 7wZgkdmM7oVK2OfgrSj/FCTkInKPqaCR0gD7K80q+mLBrN3PUkDrJQZpvRZIff3/ xmVU1WeruQLFJjnFb2dqu0s/FY/2kWiJtBCakXvXEOb7zfbINuayL+MSsCGSdVYs SliS5qQpgyDap+8b5fpXZVJkq92hrcNtbkg7hCYUJczt8n9hcCTJCfUpApvaFQ18 pe+zpyl4+WzkP66I28hniMQyUlA1hBiskT7qiouq0m8IOodhv2fagSZKjOTTU2xk SBc//fy3ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQABAoIBAQDGGHzQxGKX+ANk nQi53v/c6632dJKYXVJC+PDAz4+bzU800Y+n/bOYsWf/kCp94XcG4Lgsdd0Gx+Zq HD9CI1IcqqBRR2AFscsmmX6YzPLTuEKBGMW8twaYy3utlFxElMwoUEsrSWRcCA1y nHSDzTt871c7nxCXHxuZ6Nm/XCL7Bg8uidRTSC1sQrQyKgTPhtQdYrPQ4WZ1A4J9 IisyDYmZodSNZe5P+LTJ6M1SCgH8KH9ZGIxv3diMwzNNpk3kxJc9yCnja4mjiGE2 YCNusSycU5IhZwVeCTlhQGcNeV/skfg64xkiJE34c2y2ttFbdwBTPixStGaF09nU Z422D40BAoGBAPvVyRRsC3BF+qZdaSMFwI1yiXY7vQw5+JZh01tD28NuYdRFzjcJ vzT2n8LFpj5ZfZFvSMLMVEFVMgQvWnN0O6xdXvGov6qlRUSGaH9u+TCPNnIldjMP B8+xTwFMqI7uQr54wBB+Poq7dVRP+0oHb0NYAwUBXoEuvYo3c/nDoRcZAoGBAOWl aLHjMv4CJbArzT8sPfic/8waSiLV9Ixs3Re5YREUTtnLq7LoymqB57UXJB3BNz/2 eCueuW71avlWlRtE/wXASj5jx6y5mIrlV4nZbVuyYff0QlcG+fgb6pcJQuO9DxMI aqFGrWP3zye+LK87a6iR76dS9vRU+bHZpSVvGMKJAoGAFGt3TIKeQtJJyqeUWNSk klORNdcOMymYMIlqG+JatXQD1rR6ThgqOt8sgRyJqFCVT++YFMOAqXOBBLnaObZZ CFbh1fJ66BlSjoXff0W+SuOx5HuJJAa5+WtFHrPajwxeuRcNa8jwxUsB7n41wADu UqWWSRedVBg4Ijbw3nWwYDECgYB0pLew4z4bVuvdt+HgnJA9n0EuYowVdadpTEJg soBjNHV4msLzdNqbjrAqgz6M/n8Ztg8D2PNHMNDNJPVHjJwcR7duSTA6w2p/4k28 bvvk/45Ta3XmzlxZcZSOct3O31Cw0i2XDVc018IY5be8qendDYM08icNo7vQYkRH 504kQQKBgQDjx60zpz8ozvm1XAj0wVhi7GwXe+5lTxiLi9Fxq721WDxPMiHDW2XL YXfFVy/9/GIMvEiGYdmarK1NW+VhWl1DC5xhDg0kvMfxplt4tynoq1uTsQTY31Mx BeF5CT/JuNYk3bEBF0H/Q3VGO1/ggVS+YezdFbLWIRoMnLj6XCFEGg== -----END RSA PRIVATE KEY----- ��data/impersonated_service_account_with_quota_project.json��0000644��00000000770�15025175543�0020303 0��ustar�00��{ "delegates": [ "service-account-delegate@example.com" ], "quota_project_id": "quota_project", "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-account-target@example.com:generateAccessToken", "source_credentials": { "client_id": "123", "client_secret": "secret", "refresh_token": "alabalaportocala", "type": "authorized_user" }, "type": "impersonated_service_account" }��data/external_subject_token.json��0000644��00000000076�15025175543�0013123 0��ustar�00��{ "access_token": "HEADER.SIMULATED_JWT_PAYLOAD.SIGNATURE" }��data/privatekey.p12��0000644��00000004624�15025175543�0010201 0��ustar�00��0� �0� V �H�� G� C0� ?0�� �H�� 0��0�� �H�� 0 �H�� 0'�dX}�1��F�+BNq� �bұF�W_ ,K��4��a9�v�t�G��9N��/��^�i̬#��\|�e�Aށz~~h2�aC��xњL��ɨ�13l"�(Ex�)w�_$��Gu�t2�ycxg��ԝ�1&:�� V��3f�~��6ٯ�^��iDw�m&��w�j-~τ��쌒��\|�z��)S��O3 �w(��g�X�V�Qڵ/��rl�8�wxᦕ'�� n��2��f��Y򧴢>�:��a�w�x�L #��$ہѦv��5A8�_x��C��ݮ�vr�o�g�>H�B;"�3O ��x]�fX��)@kMI�(�u,H[�j� ��6�9�9��I\�I39M}h�܋�}�,�hNz�h!��/�P��OQ�}�Gѩ�[�`:i�s��B#l��v��(��1�xX<,�Q�;u��F��2��.5��ݞ/��AQ�+T^Ӄu��q��,�=b7�a� ��&��gR��/�F"��]�"-�#��s �Hko+�ےB)Z��ٖf�Iܱ��9��"="�v�"#Ɖ��q��i�m(��@Wi��'�Ah#9:�\|d_�6�׸��ɨjoD�ڞ��!'�HHsOᗃ��Ɇ��P�xº �e&&��§@�A��&G��ABI0�r�y��u>�v�2�� ۲�PT/�� kr77?�A��\�3�_fu��U�?Ԝ�wxC-uHOJ�>ʋn�4,�f>Q��k�\|+>��Iݱ�<A�;'��>�XD7=ܽK)��X�Ʀ�I��L0��}��.�J��5{ �v� k�ӈ��C=Z F̊.B �Q�o^c�1��0�X �H�� I�E0�A0�=�H�� 0��0 �H�� 0!�P;7�]��Ȏ=󿥵��MV��dAv��"�"��3�?�\|��c�j5FY��7e�O�X��驓jpPa<�(��2��4�w�R��z��/ر��Y[«��W�\|��Խ�И�'~N�x�=��S�qF��ﳍ6(�b�/?x?r?�sܟ\|�?�Ġt��݄��T�v]5w��-,6�txmA��Kȓ��y�HN�ܸ��O��2��<��k��Rx]��\�\wr$$0��T�[2a��e�V��4֯�Ѓ�iB�7��͜��K~%�^Z��,Kw���ܖ��w��.��ݛ�{y[�M��OV�sK�⸛: Ů8��pЀ�j�ާn��9h.�s+O!�+ɖ�s��j�/��xa/_D�bg�UQ�"P鞳NpZ��f<'H��42 ��6��Ȕhp8�i A�ir�g̞��~:N��lAX˴x)8d�8�<5� �iǎ�W�ʑ�G�h����m!F,�aP�nBm#OƄ�-"�L� �&�~g�aFi�&�Cڪ�e�u�#��)��ȣ=j�u2�:�p>��Կ�=k3d�gN�(� �v��ӽ>9e�_�?�g�K�{�q�%�J�"%��6h���_T�l� ��>�i]`�кlC��+�\��w�2�� !�u�c��e'�D��L��zY��SzIi�W��w��s�N� �q"��N�.[��",I.h��]#E��M�<�`��M&�F��;�lP��Sċ�� ރ�SIt�O0�ae��ɟ�]�ցߛ��E�M3��CNVҢK741�b{Af�4�z��cE�P�:O�B��b~�0�bv,�;27�W�Skiǻ 8�/��:Gjy��%�8U�J>&�" ��K�x�S=QVhYoЂ�`3Nf�#��l��`3u��M�8��qu��W] #��{� �t��D��ӵ��_��N�m�t;�QK��3wZ��jrƓ&��K%�� \�<Y�y�?�+�[��\��%%�0�D�'��E�iR�Ӆ ��,�,�v�L�@C:�6A�53�sퟖ[��y��ЁA��F�LA([�&:U8J��Z�ڼ��V�]&.��=��WF��9�VHmb��?1<0 �H�� 1�k�e�y0# �H�� 1"~�dH ��/D}ꙥ�010!0 +�ъ��n�S�q�3Lū�l�Zګ�o/��data/gdch_service_account.json��0000644��00000001024�15025175543�0012515 0��ustar�00��{ "type": "gdch_service_account", "format_version": "1", "project": "project_foo", "private_key_id": "key_foo", "private_key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIIGb2np7v54Hs6++NiLE7CQtQg7rzm4znstHvrOUlcMMoAoGCCqGSM49\nAwEHoUQDQgAECvv0VyZS9nYOa8tdwKCbkNxlWgrAZVClhJXqrvOZHlH4N3d8Rplk\n2DEJvzp04eMxlHw1jm6JCs3iJR6KAokG+w==\n-----END EC PRIVATE KEY-----\n", "name": "service_identity_name", "ca_cert_path": "/path/to/ca/cert", "token_uri": "https://service-identity.<Domain>/authenticate" } ��data/es256_publickey.pem��0000644��00000000262�15025175543�0011102 0��ustar�00��-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsACsrmP6Bp216OCFm73C8W/VRHZW cO8yU/bMwx96f05BkTII3KeJz2O0IRAnXfso8K6YsjMuUDGCfj+b1IDIoA== -----END PUBLIC KEY----- ��data/authorized_user_cloud_sdk_with_quota_project_id.json��0000644��00000000351�15025175543�0020267 0��ustar�00��{ "client_id": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com", "client_secret": "secret", "refresh_token": "alabalaportocala", "type": "authorized_user", "quota_project_id": "quota_project_id" } ��data/other_cert.pem��0000644��00000003771�15025175543�0010335 0��ustar�00��-----BEGIN CERTIFICATE----- MIIFtTCCA52gAwIBAgIJAPBsLZmNGfKtMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX aWRnaXRzIFB0eSBMdGQwHhcNMTYwOTIxMDI0NTEyWhcNMTYxMDIxMDI0NTEyWjBF MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC CgKCAgEAsiMC7mTsmUXwZoYlT4aHY1FLw8bxIXC+z3IqA+TY1WqfbeiZRo8MA5Zx lTTxYMKPCZUE1XBc7jvD8GJhWIj6pToPYHn73B01IBkLBxq4kF1yV2Z7DVmkvc6H EcxXXq8zkCx0j6XOfiI4+qkXnuQn8cvrk8xfhtnMMZM7iVm6VSN93iRP/8ey6xuL XTHrDX7ukoRce1hpT8O+15GXNrY0irhhYQz5xKibNCJF3EjV28WMry8y7I8uYUFU RWDiQawwK9ec1zhZ94v92+GZDlPevmcFmSERKYQ0NsKcT0Y3lGuGnaExs8GyOpnC oksu4YJGXQjg7lkv4MxzsNbRqmCkUwxw1Mg6FP0tsCNsw9qTrkvWCRA9zp/aU+sZ IBGh1t4UGCub8joeQFvHxvr/3F7mH/dyvCjA34u0Lo1VPx+jYUIi9i0odltMspDW xOpjqdGARZYmlJP5Au9q5cQjPMcwS/EBIb8cwNl32mUE6WnFlep+38mNR/FghIjO ViAkXuKQmcHe6xppZAoHFsO/t3l4Tjek5vNW7erI1rgrFku/fvkIW/G8V1yIm/+Q F+CE4maQzCJfhftpkhM/sPC/FuLNBmNE8BHVX8y58xG4is/cQxL4Z9TsFIw0C5+3 uTrFW9D0agysahMVzPGtCqhDQqJdIJrBQqlS6bztpzBA8zEI0skCAwEAAaOBpzCB pDAdBgNVHQ4EFgQUz/8FmW6TfqXyNJZr7rhc+Tn5sKQwdQYDVR0jBG4wbIAUz/8F mW6TfqXyNJZr7rhc+Tn5sKShSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDw bC2ZjRnyrTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQCQmrcfhurX riR3Q0Y+nq040/3dJIAJXjyI9CEtxaU0nzCNTng7PwgZ0CKmCelQfInuwWFwBSHS 6kBfC1rgJeFnjnTt8a3RCgRlIgUr9NCdPSEccB7TurobwPJ2h6cJjjR8urcb0CXh CEMvPneyPj0xUFY8vVKXMGWahz/kyfwIiVqcX/OtMZ29fUu1onbWl71g2gVLtUZl sECdZ+AC/6HDCVpYIVETMl1T7N/XyqXZQiDLDNRDeZhnapz8w9fsW1KVujAZLNQR pVnw2qa2UK1dSf2FHX+lQU5mFSYM4vtwaMlX/LgfdLZ9I796hFh619WwTVz+LO2N vHnwBMabld3XSPuZRqlbBulDQ07Vbqdjv8DYSLA2aKI4ZkMMKuFLG/oS28V2ZYmv /KpGEs5UgKY+P9NulYpTDwCU/6SomuQpP795wbG6sm7Hzq82r2RmB61GupNRGeqi pXKsy69T388zBxYu6zQrosXiDl5YzaViH7tm0J7opye8dCWjjpnahki0vq2znti7 6cWla2j8Xz1glvLz+JI/NCOMfxUInb82T7ijo80N0VJ2hzf7p2GxRZXAxAV9knLI nM4F5TLjSd7ZhOOZ7ni/eZFueTMisWfypt2nc41whGjHMX/Zp1kPfhB4H2bLKIX/ lSrwNr3qbGTEJX8JqpDBNVAd96XkMvDNyA== -----END CERTIFICATE----- ��data/impersonated_service_account_authorized_user_source.json��0000644��00000000717�15025175543�0021166 0��ustar�00��{ "delegates": [ "service-account-delegate@example.com" ], "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-account-target@example.com:generateAccessToken", "source_credentials": { "client_id": "123", "client_secret": "secret", "refresh_token": "alabalaportocala", "type": "authorized_user" }, "type": "impersonated_service_account" }��data/external_account_authorized_user.json��0000644��00000000615�15025175543�0015213 0��ustar�00��{ "type": "external_account_authorized_user", "audience": "//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID", "refresh_token": "refreshToken", "token_url": "https://sts.googleapis.com/v1/oauth/token", "token_info_url": "https://sts.googleapis.com/v1/instrospect", "client_id": "clientId", "client_secret": "clientSecret" } ��data/authorized_user.json��0000644��00000000172�15025175543�0011573 0��ustar�00��{ "client_id": "123", "client_secret": "secret", "refresh_token": "alabalaportocala", "type": "authorized_user" } ��data/external_subject_token.txt��0000644��00000000046�15025175543�0012766 0��ustar�00��HEADER.SIMULATED_JWT_PAYLOAD.SIGNATURE��data/impersonated_service_account_service_account_source.json��0000644��00000004510�15025175543�0021121 0��ustar�00��{ "delegates": [ "service-account-delegate@example.com" ], "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-account-target@example.com:generateAccessToken", "source_credentials": { "type": "service_account", "project_id": "example-project", "private_key_id": "1", "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA4ej0p7bQ7L/r4rVGUz9RN4VQWoej1Bg1mYWIDYslvKrk1gpj\n7wZgkdmM7oVK2OfgrSj/FCTkInKPqaCR0gD7K80q+mLBrN3PUkDrJQZpvRZIff3/\nxmVU1WeruQLFJjnFb2dqu0s/FY/2kWiJtBCakXvXEOb7zfbINuayL+MSsCGSdVYs\nSliS5qQpgyDap+8b5fpXZVJkq92hrcNtbkg7hCYUJczt8n9hcCTJCfUpApvaFQ18\npe+zpyl4+WzkP66I28hniMQyUlA1hBiskT7qiouq0m8IOodhv2fagSZKjOTTU2xk\nSBc//fy3ZpsL7WqgsZS7Q+0VRK8gKfqkxg5OYQIDAQABAoIBAQDGGHzQxGKX+ANk\nnQi53v/c6632dJKYXVJC+PDAz4+bzU800Y+n/bOYsWf/kCp94XcG4Lgsdd0Gx+Zq\nHD9CI1IcqqBRR2AFscsmmX6YzPLTuEKBGMW8twaYy3utlFxElMwoUEsrSWRcCA1y\nnHSDzTt871c7nxCXHxuZ6Nm/XCL7Bg8uidRTSC1sQrQyKgTPhtQdYrPQ4WZ1A4J9\nIisyDYmZodSNZe5P+LTJ6M1SCgH8KH9ZGIxv3diMwzNNpk3kxJc9yCnja4mjiGE2\nYCNusSycU5IhZwVeCTlhQGcNeV/skfg64xkiJE34c2y2ttFbdwBTPixStGaF09nU\nZ422D40BAoGBAPvVyRRsC3BF+qZdaSMFwI1yiXY7vQw5+JZh01tD28NuYdRFzjcJ\nvzT2n8LFpj5ZfZFvSMLMVEFVMgQvWnN0O6xdXvGov6qlRUSGaH9u+TCPNnIldjMP\nB8+xTwFMqI7uQr54wBB+Poq7dVRP+0oHb0NYAwUBXoEuvYo3c/nDoRcZAoGBAOWl\naLHjMv4CJbArzT8sPfic/8waSiLV9Ixs3Re5YREUTtnLq7LoymqB57UXJB3BNz/2\neCueuW71avlWlRtE/wXASj5jx6y5mIrlV4nZbVuyYff0QlcG+fgb6pcJQuO9DxMI\naqFGrWP3zye+LK87a6iR76dS9vRU+bHZpSVvGMKJAoGAFGt3TIKeQtJJyqeUWNSk\nklORNdcOMymYMIlqG+JatXQD1rR6ThgqOt8sgRyJqFCVT++YFMOAqXOBBLnaObZZ\nCFbh1fJ66BlSjoXff0W+SuOx5HuJJAa5+WtFHrPajwxeuRcNa8jwxUsB7n41wADu\nUqWWSRedVBg4Ijbw3nWwYDECgYB0pLew4z4bVuvdt+HgnJA9n0EuYowVdadpTEJg\nsoBjNHV4msLzdNqbjrAqgz6M/n8Ztg8D2PNHMNDNJPVHjJwcR7duSTA6w2p/4k28\nbvvk/45Ta3XmzlxZcZSOct3O31Cw0i2XDVc018IY5be8qendDYM08icNo7vQYkRH\n504kQQKBgQDjx60zpz8ozvm1XAj0wVhi7GwXe+5lTxiLi9Fxq721WDxPMiHDW2XL\nYXfFVy/9/GIMvEiGYdmarK1NW+VhWl1DC5xhDg0kvMfxplt4tynoq1uTsQTY31Mx\nBeF5CT/JuNYk3bEBF0H/Q3VGO1/ggVS+YezdFbLWIRoMnLj6XCFEGg==\n-----END RSA PRIVATE KEY-----\n", "client_email": "service-account@example.com", "client_id": "1234", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token" }, "type": "impersonated_service_account" }��data/es256_privatekey.pem��0000644��00000000343�15025175543�0011276 0��ustar�00��-----BEGIN EC PRIVATE KEY----- MHcCAQEEIAIC57aTx5ev4T2HBMQk4fXV09AzLDQ3Ju1uNoEB0LngoAoGCCqGSM49 AwEHoUQDQgAEsACsrmP6Bp216OCFm73C8W/VRHZWcO8yU/bMwx96f05BkTII3KeJ z2O0IRAnXfso8K6YsjMuUDGCfj+b1IDIoA== -----END EC PRIVATE KEY----- ��conftest.py��0000644��00000003055�15025175543�0006755 0��ustar�00��try: from http.server import HTTPServer, SimpleHTTPRequestHandler except ImportError: from BaseHTTPServer import HTTPServer from SimpleHTTPServer import SimpleHTTPRequestHandler import ssl import threading import pytest from requests.compat import urljoin def prepare_url(value): # Issue #1483: Make sure the URL always has a trailing slash httpbin_url = value.url.rstrip("/") + "/" def inner(suffix): return urljoin(httpbin_url, "/".join(suffix)) return inner @pytest.fixture def httpbin(httpbin): return prepare_url(httpbin) @pytest.fixture def httpbin_secure(httpbin_secure): return prepare_url(httpbin_secure) @pytest.fixture def nosan_server(tmp_path_factory): # delay importing until the fixture in order to make it possible # to deselect the test via command-line when trustme is not available import trustme tmpdir = tmp_path_factory.mktemp("certs") ca = trustme.CA() # only commonName, no subjectAltName server_cert = ca.issue_cert(common_name="localhost") ca_bundle = str(tmpdir / "ca.pem") ca.cert_pem.write_to_path(ca_bundle) context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) server_cert.configure_cert(context) server = HTTPServer(("localhost", 0), SimpleHTTPRequestHandler) server.socket = context.wrap_socket(server.socket, server_side=True) server_thread = threading.Thread(target=server.serve_forever) server_thread.start() yield "localhost", server.server_address[1], ca_bundle server.shutdown() server_thread.join() ��test_pluggable.py��0000644��00000144452�15025175543�0010140 0��ustar�00��# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import json import os import subprocess import mock import pytest # type: ignore from google.auth import exceptions from google.auth import pluggable from tests.test__default import WORKFORCE_AUDIENCE CLIENT_ID = "username" CLIENT_SECRET = "password" # Base64 encoding of "username:password". BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ=" SERVICE_ACCOUNT_EMAIL = "service-1234@service-name.iam.gserviceaccount.com" SERVICE_ACCOUNT_IMPERSONATION_URL_BASE = ( "https://us-east1-iamcredentials.googleapis.com" ) SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE = "/v1/projects/-/serviceAccounts/{}:generateAccessToken".format( SERVICE_ACCOUNT_EMAIL ) SERVICE_ACCOUNT_IMPERSONATION_URL = ( SERVICE_ACCOUNT_IMPERSONATION_URL_BASE + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) QUOTA_PROJECT_ID = "QUOTA_PROJECT_ID" SCOPES = ["scope1", "scope2"] SUBJECT_TOKEN_FIELD_NAME = "access_token" TOKEN_URL = "https://sts.googleapis.com/v1/token" TOKEN_INFO_URL = "https://sts.googleapis.com/v1/introspect" SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt" AUDIENCE = "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID" DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" VALID_TOKEN_URLS = [ "https://sts.googleapis.com", "https://us-east-1.sts.googleapis.com", "https://US-EAST-1.sts.googleapis.com", "https://sts.us-east-1.googleapis.com", "https://sts.US-WEST-1.googleapis.com", "https://us-east-1-sts.googleapis.com", "https://US-WEST-1-sts.googleapis.com", "https://us-west-1-sts.googleapis.com/path?query", "https://sts-us-east-1.p.googleapis.com", ] INVALID_TOKEN_URLS = [ "https://iamcredentials.googleapis.com", "sts.googleapis.com", "https://", "http://sts.googleapis.com", "https://st.s.googleapis.com", "https://us-eas\t-1.sts.googleapis.com", "https:/us-east-1.sts.googleapis.com", "https://US-WE/ST-1-sts.googleapis.com", "https://sts-us-east-1.googleapis.com", "https://sts-US-WEST-1.googleapis.com", "testhttps://us-east-1.sts.googleapis.com", "https://us-east-1.sts.googleapis.comevil.com", "https://us-east-1.us-east-1.sts.googleapis.com", "https://us-ea.s.t.sts.googleapis.com", "https://sts.googleapis.comevil.com", "hhttps://us-east-1.sts.googleapis.com", "https://us- -1.sts.googleapis.com", "https://-sts.googleapis.com", "https://us-east-1.sts.googleapis.com.evil.com", "https://sts.pgoogleapis.com", "https://p.googleapis.com", "https://sts.p.com", "http://sts.p.googleapis.com", "https://xyz-sts.p.googleapis.com", "https://sts-xyz.123.p.googleapis.com", "https://sts-xyz.p1.googleapis.com", "https://sts-xyz.p.foo.com", "https://sts-xyz.p.foo.googleapis.com", ] VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ "https://iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.com", "https://US-EAST-1.iamcredentials.googleapis.com", "https://iamcredentials.us-east-1.googleapis.com", "https://iamcredentials.US-WEST-1.googleapis.com", "https://us-east-1-iamcredentials.googleapis.com", "https://US-WEST-1-iamcredentials.googleapis.com", "https://us-west-1-iamcredentials.googleapis.com/path?query", "https://iamcredentials-us-east-1.p.googleapis.com", ] INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ "https://sts.googleapis.com", "iamcredentials.googleapis.com", "https://", "http://iamcredentials.googleapis.com", "https://iamcre.dentials.googleapis.com", "https://us-eas\t-1.iamcredentials.googleapis.com", "https:/us-east-1.iamcredentials.googleapis.com", "https://US-WE/ST-1-iamcredentials.googleapis.com", "https://iamcredentials-us-east-1.googleapis.com", "https://iamcredentials-US-WEST-1.googleapis.com", "testhttps://us-east-1.iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.comevil.com", "https://us-east-1.us-east-1.iamcredentials.googleapis.com", "https://us-ea.s.t.iamcredentials.googleapis.com", "https://iamcredentials.googleapis.comevil.com", "hhttps://us-east-1.iamcredentials.googleapis.com", "https://us- -1.iamcredentials.googleapis.com", "https://-iamcredentials.googleapis.com", "https://us-east-1.iamcredentials.googleapis.com.evil.com", "https://iamcredentials.pgoogleapis.com", "https://p.googleapis.com", "https://iamcredentials.p.com", "http://iamcredentials.p.googleapis.com", "https://xyz-iamcredentials.p.googleapis.com", "https://iamcredentials-xyz.123.p.googleapis.com", "https://iamcredentials-xyz.p1.googleapis.com", "https://iamcredentials-xyz.p.foo.com", "https://iamcredentials-xyz.p.foo.googleapis.com", ] class TestCredentials(object): CREDENTIAL_SOURCE_EXECUTABLE_COMMAND = ( "/fake/external/excutable --arg1=value1 --arg2=value2" ) CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = "fake_output_file" CREDENTIAL_SOURCE_EXECUTABLE = { "command": CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, "timeout_millis": 30000, "interactive_timeout_millis": 300000, "output_file": CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } CREDENTIAL_SOURCE = {"executable": CREDENTIAL_SOURCE_EXECUTABLE} EXECUTABLE_OIDC_TOKEN = "FAKE_ID_TOKEN" EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN = { "version": 1, "success": True, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_ID_TOKEN = { "version": 1, "success": True, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": EXECUTABLE_OIDC_TOKEN, } EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_JWT = { "version": 1, "success": True, "token_type": "urn:ietf:params:oauth:token-type:jwt", "id_token": EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT = { "version": 1, "success": True, "token_type": "urn:ietf:params:oauth:token-type:jwt", "id_token": EXECUTABLE_OIDC_TOKEN, } EXECUTABLE_SAML_TOKEN = "FAKE_SAML_RESPONSE" EXECUTABLE_SUCCESSFUL_SAML_RESPONSE = { "version": 1, "success": True, "token_type": "urn:ietf:params:oauth:token-type:saml2", "saml_response": EXECUTABLE_SAML_TOKEN, "expiration_time": 9999999999, } EXECUTABLE_SUCCESSFUL_SAML_NO_EXPIRATION_TIME_RESPONSE = { "version": 1, "success": True, "token_type": "urn:ietf:params:oauth:token-type:saml2", "saml_response": EXECUTABLE_SAML_TOKEN, } EXECUTABLE_FAILED_RESPONSE = { "version": 1, "success": False, "code": "401", "message": "Permission denied. Caller not authorized", } CREDENTIAL_URL = "http://fakeurl.com" @classmethod def make_pluggable( cls, audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, client_id=None, client_secret=None, quota_project_id=None, scopes=None, default_scopes=None, service_account_impersonation_url=None, credential_source=None, workforce_pool_user_project=None, interactive=None, ): return pluggable.Credentials( audience=audience, subject_token_type=subject_token_type, token_url=token_url, token_info_url=token_info_url, service_account_impersonation_url=service_account_impersonation_url, credential_source=credential_source, client_id=client_id, client_secret=client_secret, quota_project_id=quota_project_id, scopes=scopes, default_scopes=default_scopes, workforce_pool_user_project=workforce_pool_user_project, interactive=interactive, ) def test_from_constructor_and_injection(self): credentials = pluggable.Credentials( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, credential_source=self.CREDENTIAL_SOURCE, interactive=True, ) setattr(credentials, "_tokeninfo_username", "mock_external_account_id") assert isinstance(credentials, pluggable.Credentials) assert credentials.interactive assert credentials.external_account_id == "mock_external_account_id" @mock.patch.object(pluggable.Credentials, "__init__", return_value=None) def test_from_info_full_options(self, mock_init): credentials = pluggable.Credentials.from_info( { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "service_account_impersonation": {"token_lifetime_seconds": 2800}, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "quota_project_id": QUOTA_PROJECT_ID, "credential_source": self.CREDENTIAL_SOURCE, } ) # Confirm pluggable.Credentials instantiated with expected attributes. assert isinstance(credentials, pluggable.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=QUOTA_PROJECT_ID, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(pluggable.Credentials, "__init__", return_value=None) def test_from_info_required_options_only(self, mock_init): credentials = pluggable.Credentials.from_info( { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE, } ) # Confirm pluggable.Credentials instantiated with expected attributes. assert isinstance(credentials, pluggable.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=None, service_account_impersonation_url=None, service_account_impersonation_options={}, client_id=None, client_secret=None, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=None, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(pluggable.Credentials, "__init__", return_value=None) def test_from_file_full_options(self, mock_init, tmpdir): info = { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "service_account_impersonation": {"token_lifetime_seconds": 2800}, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "quota_project_id": QUOTA_PROJECT_ID, "credential_source": self.CREDENTIAL_SOURCE, } config_file = tmpdir.join("config.json") config_file.write(json.dumps(info)) credentials = pluggable.Credentials.from_file(str(config_file)) # Confirm pluggable.Credentials instantiated with expected attributes. assert isinstance(credentials, pluggable.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, service_account_impersonation_options={"token_lifetime_seconds": 2800}, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=QUOTA_PROJECT_ID, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) @mock.patch.object(pluggable.Credentials, "__init__", return_value=None) def test_from_file_required_options_only(self, mock_init, tmpdir): info = { "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE, } config_file = tmpdir.join("config.json") config_file.write(json.dumps(info)) credentials = pluggable.Credentials.from_file(str(config_file)) # Confirm pluggable.Credentials instantiated with expected attributes. assert isinstance(credentials, pluggable.Credentials) mock_init.assert_called_once_with( audience=AUDIENCE, subject_token_type=SUBJECT_TOKEN_TYPE, token_url=TOKEN_URL, token_info_url=None, service_account_impersonation_url=None, service_account_impersonation_options={}, client_id=None, client_secret=None, credential_source=self.CREDENTIAL_SOURCE, quota_project_id=None, workforce_pool_user_project=None, universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) def test_constructor_invalid_options(self): credential_source = {"unsupported": "value"} with pytest.raises(ValueError) as excinfo: self.make_pluggable(credential_source=credential_source) assert excinfo.match(r"Missing credential_source") def test_constructor_invalid_credential_source(self): with pytest.raises(ValueError) as excinfo: self.make_pluggable(credential_source="non-dict") assert excinfo.match(r"Missing credential_source") def test_info_with_credential_source(self): credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE.copy() ) assert credentials.info == { "type": "external_account", "audience": AUDIENCE, "subject_token_type": SUBJECT_TOKEN_TYPE, "token_url": TOKEN_URL, "token_info_url": TOKEN_INFO_URL, "credential_source": self.CREDENTIAL_SOURCE, "universe_domain": DEFAULT_UNIVERSE_DOMAIN, } def test_token_info_url(self): credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE.copy() ) assert credentials.token_info_url == TOKEN_INFO_URL def test_token_info_url_custom(self): for url in VALID_TOKEN_URLS: credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE.copy(), token_info_url=(url + "/introspect"), ) assert credentials.token_info_url == url + "/introspect" def test_token_info_url_negative(self): credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE.copy(), token_info_url=None ) assert not credentials.token_info_url def test_token_url_custom(self): for url in VALID_TOKEN_URLS: credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE.copy(), token_url=(url + "/token"), ) assert credentials._token_url == (url + "/token") def test_service_account_impersonation_url_custom(self): for url in VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE.copy(), service_account_impersonation_url=( url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ), ) assert credentials._service_account_impersonation_url == ( url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_successfully(self, tmpdir): ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join( "actual_output_file" ) ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = { "command": "command", "interactive_timeout_millis": 300000, "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE} testData = { "subject_token_oidc_id_token": { "stdout": json.dumps( self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN ).encode("UTF-8"), "impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "file_content": self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_ID_TOKEN, "expect_token": self.EXECUTABLE_OIDC_TOKEN, }, "subject_token_oidc_id_token_interacitve_mode": { "audience": WORKFORCE_AUDIENCE, "file_content": self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_ID_TOKEN, "interactive": True, "expect_token": self.EXECUTABLE_OIDC_TOKEN, }, "subject_token_oidc_jwt": { "stdout": json.dumps( self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_JWT ).encode("UTF-8"), "impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "file_content": self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT, "expect_token": self.EXECUTABLE_OIDC_TOKEN, }, "subject_token_oidc_jwt_interactive_mode": { "audience": WORKFORCE_AUDIENCE, "file_content": self.EXECUTABLE_SUCCESSFUL_OIDC_NO_EXPIRATION_TIME_RESPONSE_JWT, "interactive": True, "expect_token": self.EXECUTABLE_OIDC_TOKEN, }, "subject_token_saml": { "stdout": json.dumps(self.EXECUTABLE_SUCCESSFUL_SAML_RESPONSE).encode( "UTF-8" ), "impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL, "file_content": self.EXECUTABLE_SUCCESSFUL_SAML_NO_EXPIRATION_TIME_RESPONSE, "expect_token": self.EXECUTABLE_SAML_TOKEN, }, "subject_token_saml_interactive_mode": { "audience": WORKFORCE_AUDIENCE, "file_content": self.EXECUTABLE_SUCCESSFUL_SAML_NO_EXPIRATION_TIME_RESPONSE, "interactive": True, "expect_token": self.EXECUTABLE_SAML_TOKEN, }, } for data in testData.values(): with open( ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w" ) as output_file: json.dump(data.get("file_content"), output_file) with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=data.get("stdout"), returncode=0 ), ): credentials = self.make_pluggable( audience=data.get("audience", AUDIENCE), service_account_impersonation_url=data.get("impersonation_url"), credential_source=ACTUAL_CREDENTIAL_SOURCE, interactive=data.get("interactive", False), ) subject_token = credentials.retrieve_subject_token(None) assert subject_token == data.get("expect_token") os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_saml(self): with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(self.EXECUTABLE_SUCCESSFUL_SAML_RESPONSE).encode( "UTF-8" ), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.EXECUTABLE_SAML_TOKEN @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_saml_interactive_mode(self, tmpdir): ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join( "actual_output_file" ) ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = { "command": "command", "interactive_timeout_millis": 300000, "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE} with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file: json.dump( self.EXECUTABLE_SUCCESSFUL_SAML_NO_EXPIRATION_TIME_RESPONSE, output_file ) with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess(args=[], returncode=0), ): credentials = self.make_pluggable( audience=WORKFORCE_AUDIENCE, credential_source=ACTUAL_CREDENTIAL_SOURCE, interactive=True, ) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.EXECUTABLE_SAML_TOKEN os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_failed(self): with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(self.EXECUTABLE_FAILED_RESPONSE).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"Executable returned unsuccessful response: code: 401, message: Permission denied. Caller not authorized." ) @mock.patch.dict( os.environ, { "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1", "GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE": "1", }, ) def test_retrieve_subject_token_failed_interactive_mode(self, tmpdir): ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join( "actual_output_file" ) ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = { "command": "command", "interactive_timeout_millis": 300000, "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE} with open( ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w", encoding="utf-8" ) as output_file: json.dump(self.EXECUTABLE_FAILED_RESPONSE, output_file) with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess(args=[], returncode=0), ): credentials = self.make_pluggable( audience=WORKFORCE_AUDIENCE, credential_source=ACTUAL_CREDENTIAL_SOURCE, interactive=True, ) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"Executable returned unsuccessful response: code: 401, message: Permission denied. Caller not authorized." ) os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "0"}) def test_retrieve_subject_token_not_allowd(self): with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps( self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN ).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match(r"Executables need to be explicitly allowed") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_invalid_version(self): EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_VERSION_2 = { "version": 2, "success": True, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": self.EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_VERSION_2).encode( "UTF-8" ), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match(r"Executable returned unsupported version.") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_expired_token(self): EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_EXPIRED = { "version": 1, "success": True, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": self.EXECUTABLE_OIDC_TOKEN, "expiration_time": 0, } with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_EXPIRED).encode( "UTF-8" ), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match(r"The token returned by the executable is expired.") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_file_cache(self, tmpdir): ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join( "actual_output_file" ) ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = { "command": "command", "timeout_millis": 30000, "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE} with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file: json.dump(self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN, output_file) credentials = self.make_pluggable(credential_source=ACTUAL_CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.EXECUTABLE_OIDC_TOKEN os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_no_file_cache(self): ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = { "command": "command", "timeout_millis": 30000, } ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE} with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps( self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN ).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable( credential_source=ACTUAL_CREDENTIAL_SOURCE ) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.EXECUTABLE_OIDC_TOKEN @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_file_cache_value_error_report(self, tmpdir): ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join( "actual_output_file" ) ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = { "command": "command", "timeout_millis": 30000, "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE} ACTUAL_EXECUTABLE_RESPONSE = { "success": True, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": self.EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file: json.dump(ACTUAL_EXECUTABLE_RESPONSE, output_file) credentials = self.make_pluggable(credential_source=ACTUAL_CREDENTIAL_SOURCE) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match(r"The executable response is missing the version field.") os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_file_cache_refresh_error_retry(self, tmpdir): ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join( "actual_output_file" ) ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE = { "command": "command", "timeout_millis": 30000, "output_file": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } ACTUAL_CREDENTIAL_SOURCE = {"executable": ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE} ACTUAL_EXECUTABLE_RESPONSE = { "version": 2, "success": True, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": self.EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } with open(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, "w") as output_file: json.dump(ACTUAL_EXECUTABLE_RESPONSE, output_file) with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps( self.EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE_ID_TOKEN ).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable( credential_source=ACTUAL_CREDENTIAL_SOURCE ) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.EXECUTABLE_OIDC_TOKEN os.remove(ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_unsupported_token_type(self): EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = { "version": 1, "success": True, "token_type": "unsupported_token_type", "id_token": self.EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match(r"Executable returned unsupported token type.") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_missing_version(self): EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = { "success": True, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": self.EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"The executable response is missing the version field." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_missing_success(self): EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = { "version": 1, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": self.EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"The executable response is missing the success field." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_missing_error_code_message(self): EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {"version": 1, "success": False} with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"Error code and message fields are required in the response." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_without_expiration_time_should_pass_when_output_file_not_specified( self, ): EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = { "version": 1, "success": True, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": self.EXECUTABLE_OIDC_TOKEN, } CREDENTIAL_SOURCE = { "executable": {"command": "command", "timeout_millis": 30000} } with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) subject_token = credentials.retrieve_subject_token(None) assert subject_token == self.EXECUTABLE_OIDC_TOKEN @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_missing_token_type(self): EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = { "version": 1, "success": True, "id_token": self.EXECUTABLE_OIDC_TOKEN, "expiration_time": 9999999999, } with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"), returncode=0, ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"The executable response is missing the token_type field." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_missing_command(self): with pytest.raises(ValueError) as excinfo: CREDENTIAL_SOURCE = { "executable": { "timeout_millis": 30000, "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } } _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) assert excinfo.match( r"Missing command field. Executable command must be provided." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_missing_output_interactive_mode(self): CREDENTIAL_SOURCE = { "executable": {"command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND} } credentials = self.make_pluggable( credential_source=CREDENTIAL_SOURCE, interactive=True ) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"An output_file must be specified in the credential configuration for interactive mode." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_timeout_missing_will_use_default_timeout_value(self): CREDENTIAL_SOURCE = { "executable": { "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } } credentials = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) assert ( credentials._credential_source_executable_timeout_millis == pluggable.EXECUTABLE_TIMEOUT_MILLIS_DEFAULT ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_timeout_small(self): with pytest.raises(ValueError) as excinfo: CREDENTIAL_SOURCE = { "executable": { "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, "timeout_millis": 5000 - 1, "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } } _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) assert excinfo.match(r"Timeout must be between 5 and 120 seconds.") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_timeout_large(self): with pytest.raises(ValueError) as excinfo: CREDENTIAL_SOURCE = { "executable": { "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, "timeout_millis": 120000 + 1, "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } } _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) assert excinfo.match(r"Timeout must be between 5 and 120 seconds.") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_interactive_timeout_small(self): with pytest.raises(ValueError) as excinfo: CREDENTIAL_SOURCE = { "executable": { "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, "interactive_timeout_millis": 30000 - 1, "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } } _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) assert excinfo.match( r"Interactive timeout must be between 30 seconds and 30 minutes." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_interactive_timeout_large(self): with pytest.raises(ValueError) as excinfo: CREDENTIAL_SOURCE = { "executable": { "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, "interactive_timeout_millis": 1800000 + 1, "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } } _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) assert excinfo.match( r"Interactive timeout must be between 30 seconds and 30 minutes." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_executable_fail(self): with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=None, returncode=1 ), ): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"Executable exited with non-zero return code 1. Error: None" ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_non_workforce_fail_interactive_mode(self): credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE, interactive=True ) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match(r"Interactive mode is only enabled for workforce pool.") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_fail_on_validation_missing_interactive_timeout( self ): CREDENTIAL_SOURCE_EXECUTABLE = { "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, } CREDENTIAL_SOURCE = {"executable": CREDENTIAL_SOURCE_EXECUTABLE} credentials = self.make_pluggable( credential_source=CREDENTIAL_SOURCE, interactive=True ) with pytest.raises(ValueError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"Interactive mode cannot run without an interactive timeout." ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_executable_fail_interactive_mode(self): with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=None, returncode=1 ), ): credentials = self.make_pluggable( audience=WORKFORCE_AUDIENCE, credential_source=self.CREDENTIAL_SOURCE, interactive=True, ) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match( r"Executable exited with non-zero return code 1. Error: None" ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "0"}) def test_revoke_failed_executable_not_allowed(self): credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE, interactive=True ) with pytest.raises(ValueError) as excinfo: _ = credentials.revoke(None) assert excinfo.match(r"Executables need to be explicitly allowed") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_revoke_failed(self): testData = { "non_interactive_mode": { "interactive": False, "expectErrType": ValueError, "expectErrPattern": r"Revoke is only enabled under interactive mode.", }, "executable_failed": { "returncode": 1, "expectErrType": exceptions.RefreshError, "expectErrPattern": r"Auth revoke failed on executable.", }, "response_validation_missing_version": { "response": {}, "expectErrType": ValueError, "expectErrPattern": r"The executable response is missing the version field.", }, "response_validation_invalid_version": { "response": {"version": 2}, "expectErrType": exceptions.RefreshError, "expectErrPattern": r"Executable returned unsupported version.", }, "response_validation_missing_success": { "response": {"version": 1}, "expectErrType": ValueError, "expectErrPattern": r"The executable response is missing the success field.", }, "response_validation_failed_with_success_field_is_false": { "response": {"version": 1, "success": False}, "expectErrType": exceptions.RefreshError, "expectErrPattern": r"Revoke failed with unsuccessful response.", }, } for data in testData.values(): with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(data.get("response")).encode("UTF-8"), returncode=data.get("returncode", 0), ), ): credentials = self.make_pluggable( audience=WORKFORCE_AUDIENCE, service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL, credential_source=self.CREDENTIAL_SOURCE, interactive=data.get("interactive", True), ) with pytest.raises(data.get("expectErrType")) as excinfo: _ = credentials.revoke(None) assert excinfo.match(data.get("expectErrPattern")) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_revoke_successfully(self): ACTUAL_RESPONSE = {"version": 1, "success": True} with mock.patch( "subprocess.run", return_value=subprocess.CompletedProcess( args=[], stdout=json.dumps(ACTUAL_RESPONSE).encode("utf-8"), returncode=0, ), ): credentials = self.make_pluggable( audience=WORKFORCE_AUDIENCE, credential_source=self.CREDENTIAL_SOURCE, interactive=True, ) _ = credentials.revoke(None) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_python_2(self): with mock.patch("sys.version_info", (2, 7)): credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.retrieve_subject_token(None) assert excinfo.match(r"Pluggable auth is only supported for python 3.7+") @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_revoke_subject_token_python_2(self): with mock.patch("sys.version_info", (2, 7)): credentials = self.make_pluggable( audience=WORKFORCE_AUDIENCE, credential_source=self.CREDENTIAL_SOURCE, interactive=True, ) with pytest.raises(exceptions.RefreshError) as excinfo: _ = credentials.revoke(None) assert excinfo.match(r"Pluggable auth is only supported for python 3.7+") ��__init__.py��0000644��00000000725�15025175543�0006670 0��ustar�00��"""Requests test package initialisation.""" import warnings try: from urllib3.exceptions import SNIMissingWarning # urllib3 1.x sets SNIMissingWarning to only go off once, # while this test suite requires it to always fire # so that it occurs during test_requests.test_https_warnings warnings.simplefilter("always", SNIMissingWarning) except ImportError: # urllib3 2.0 removed that warning and errors out instead SNIMissingWarning = None ��test_external_account_authorized_user.py��0000644��00000045011�15025175543�0015017 0��ustar�00��# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import datetime import http.client as http_client import json import mock import pytest # type: ignore from google.auth import exceptions from google.auth import external_account_authorized_user from google.auth import transport TOKEN_URL = "https://sts.googleapis.com/v1/token" TOKEN_INFO_URL = "https://sts.googleapis.com/v1/introspect" REVOKE_URL = "https://sts.googleapis.com/v1/revoke" PROJECT_NUMBER = "123456" QUOTA_PROJECT_ID = "654321" POOL_ID = "POOL_ID" PROVIDER_ID = "PROVIDER_ID" AUDIENCE = ( "//iam.googleapis.com/projects/{}" "/locations/global/workloadIdentityPools/{}" "/providers/{}" ).format(PROJECT_NUMBER, POOL_ID, PROVIDER_ID) REFRESH_TOKEN = "REFRESH_TOKEN" NEW_REFRESH_TOKEN = "NEW_REFRESH_TOKEN" ACCESS_TOKEN = "ACCESS_TOKEN" CLIENT_ID = "username" CLIENT_SECRET = "password" # Base64 encoding of "username:password". BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ=" SCOPES = ["email", "profile"] NOW = datetime.datetime(1990, 8, 27, 6, 54, 30) class TestCredentials(object): @classmethod def make_credentials( cls, audience=AUDIENCE, refresh_token=REFRESH_TOKEN, token_url=TOKEN_URL, token_info_url=TOKEN_INFO_URL, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, kwargs ): return external_account_authorized_user.Credentials( audience=audience, refresh_token=refresh_token, token_url=token_url, token_info_url=token_info_url, client_id=client_id, client_secret=client_secret, kwargs ) @classmethod def make_mock_request(cls, status=http_client.OK, data=None): # STS token exchange request. token_response = mock.create_autospec(transport.Response, instance=True) token_response.status = status token_response.data = json.dumps(data).encode("utf-8") responses = [token_response] request = mock.create_autospec(transport.Request) request.side_effect = responses return request def test_default_state(self): creds = self.make_credentials() assert not creds.expiry assert not creds.expired assert not creds.token assert not creds.valid assert not creds.requires_scopes assert not creds.scopes assert not creds.revoke_url assert creds.token_info_url assert creds.client_id assert creds.client_secret assert creds.is_user assert creds.refresh_token == REFRESH_TOKEN assert creds.audience == AUDIENCE assert creds.token_url == TOKEN_URL def test_basic_create(self): creds = external_account_authorized_user.Credentials( token=ACCESS_TOKEN, expiry=datetime.datetime.max, scopes=SCOPES, revoke_url=REVOKE_URL, ) assert creds.expiry == datetime.datetime.max assert not creds.expired assert creds.token == ACCESS_TOKEN assert creds.valid assert not creds.requires_scopes assert creds.scopes == SCOPES assert creds.is_user assert creds.revoke_url == REVOKE_URL def test_stunted_create_no_refresh_token(self): with pytest.raises(ValueError) as excinfo: self.make_credentials(token=None, refresh_token=None) assert excinfo.match( r"Token should be created with fields to make it valid $`token` and " r"`expiry`$, or fields to allow it to refresh $`refresh_token`, " r"`token_url`, `client_id`, `client_secret`$\." ) def test_stunted_create_no_token_url(self): with pytest.raises(ValueError) as excinfo: self.make_credentials(token=None, token_url=None) assert excinfo.match( r"Token should be created with fields to make it valid $`token` and " r"`expiry`$, or fields to allow it to refresh $`refresh_token`, " r"`token_url`, `client_id`, `client_secret`$\." ) def test_stunted_create_no_client_id(self): with pytest.raises(ValueError) as excinfo: self.make_credentials(token=None, client_id=None) assert excinfo.match( r"Token should be created with fields to make it valid $`token` and " r"`expiry`$, or fields to allow it to refresh $`refresh_token`, " r"`token_url`, `client_id`, `client_secret`$\." ) def test_stunted_create_no_client_secret(self): with pytest.raises(ValueError) as excinfo: self.make_credentials(token=None, client_secret=None) assert excinfo.match( r"Token should be created with fields to make it valid $`token` and " r"`expiry`$, or fields to allow it to refresh $`refresh_token`, " r"`token_url`, `client_id`, `client_secret`$\." ) @mock.patch("google.auth._helpers.utcnow", return_value=NOW) def test_refresh_auth_success(self, utcnow): request = self.make_mock_request( status=http_client.OK, data={"access_token": ACCESS_TOKEN, "expires_in": 3600}, ) creds = self.make_credentials() creds.refresh(request) assert creds.expiry == utcnow() + datetime.timedelta(seconds=3600) assert not creds.expired assert creds.token == ACCESS_TOKEN assert creds.valid assert not creds.requires_scopes assert creds.is_user assert creds._refresh_token == REFRESH_TOKEN request.assert_called_once_with( url=TOKEN_URL, method="POST", headers={ "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic " + BASIC_AUTH_ENCODING, }, body=("grant_type=refresh_token&refresh_token=" + REFRESH_TOKEN).encode( "UTF-8" ), ) @mock.patch("google.auth._helpers.utcnow", return_value=NOW) def test_refresh_auth_success_new_refresh_token(self, utcnow): request = self.make_mock_request( status=http_client.OK, data={ "access_token": ACCESS_TOKEN, "expires_in": 3600, "refresh_token": NEW_REFRESH_TOKEN, }, ) creds = self.make_credentials() creds.refresh(request) assert creds.expiry == utcnow() + datetime.timedelta(seconds=3600) assert not creds.expired assert creds.token == ACCESS_TOKEN assert creds.valid assert not creds.requires_scopes assert creds.is_user assert creds._refresh_token == NEW_REFRESH_TOKEN request.assert_called_once_with( url=TOKEN_URL, method="POST", headers={ "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic " + BASIC_AUTH_ENCODING, }, body=("grant_type=refresh_token&refresh_token=" + REFRESH_TOKEN).encode( "UTF-8" ), ) def test_refresh_auth_failure(self): request = self.make_mock_request( status=http_client.BAD_REQUEST, data={ "error": "invalid_request", "error_description": "Invalid subject token", "error_uri": "https://tools.ietf.org/html/rfc6749", }, ) creds = self.make_credentials() with pytest.raises(exceptions.OAuthError) as excinfo: creds.refresh(request) assert excinfo.match( r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749" ) assert not creds.expiry assert not creds.expired assert not creds.token assert not creds.valid assert not creds.requires_scopes assert creds.is_user request.assert_called_once_with( url=TOKEN_URL, method="POST", headers={ "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic " + BASIC_AUTH_ENCODING, }, body=("grant_type=refresh_token&refresh_token=" + REFRESH_TOKEN).encode( "UTF-8" ), ) def test_refresh_without_refresh_token(self): request = self.make_mock_request() creds = self.make_credentials(refresh_token=None, token=ACCESS_TOKEN) with pytest.raises(exceptions.RefreshError) as excinfo: creds.refresh(request) assert excinfo.match( r"The credentials do not contain the necessary fields need to refresh the access token. You must specify refresh_token, token_url, client_id, and client_secret." ) assert not creds.expiry assert not creds.expired assert not creds.requires_scopes assert creds.is_user request.assert_not_called() def test_refresh_without_token_url(self): request = self.make_mock_request() creds = self.make_credentials(token_url=None, token=ACCESS_TOKEN) with pytest.raises(exceptions.RefreshError) as excinfo: creds.refresh(request) assert excinfo.match( r"The credentials do not contain the necessary fields need to refresh the access token. You must specify refresh_token, token_url, client_id, and client_secret." ) assert not creds.expiry assert not creds.expired assert not creds.requires_scopes assert creds.is_user request.assert_not_called() def test_refresh_without_client_id(self): request = self.make_mock_request() creds = self.make_credentials(client_id=None, token=ACCESS_TOKEN) with pytest.raises(exceptions.RefreshError) as excinfo: creds.refresh(request) assert excinfo.match( r"The credentials do not contain the necessary fields need to refresh the access token. You must specify refresh_token, token_url, client_id, and client_secret." ) assert not creds.expiry assert not creds.expired assert not creds.requires_scopes assert creds.is_user request.assert_not_called() def test_refresh_without_client_secret(self): request = self.make_mock_request() creds = self.make_credentials(client_secret=None, token=ACCESS_TOKEN) with pytest.raises(exceptions.RefreshError) as excinfo: creds.refresh(request) assert excinfo.match( r"The credentials do not contain the necessary fields need to refresh the access token. You must specify refresh_token, token_url, client_id, and client_secret." ) assert not creds.expiry assert not creds.expired assert not creds.requires_scopes assert creds.is_user request.assert_not_called() def test_info(self): creds = self.make_credentials() info = creds.info assert info["audience"] == AUDIENCE assert info["refresh_token"] == REFRESH_TOKEN assert info["token_url"] == TOKEN_URL assert info["token_info_url"] == TOKEN_INFO_URL assert info["client_id"] == CLIENT_ID assert info["client_secret"] == CLIENT_SECRET assert "token" not in info assert "expiry" not in info assert "revoke_url" not in info assert "quota_project_id" not in info def test_info_full(self): creds = self.make_credentials( token=ACCESS_TOKEN, expiry=NOW, revoke_url=REVOKE_URL, quota_project_id=QUOTA_PROJECT_ID, ) info = creds.info assert info["audience"] == AUDIENCE assert info["refresh_token"] == REFRESH_TOKEN assert info["token_url"] == TOKEN_URL assert info["token_info_url"] == TOKEN_INFO_URL assert info["client_id"] == CLIENT_ID assert info["client_secret"] == CLIENT_SECRET assert info["token"] == ACCESS_TOKEN assert info["expiry"] == NOW.isoformat() + "Z" assert info["revoke_url"] == REVOKE_URL assert info["quota_project_id"] == QUOTA_PROJECT_ID def test_to_json(self): creds = self.make_credentials() json_info = creds.to_json() info = json.loads(json_info) assert info["audience"] == AUDIENCE assert info["refresh_token"] == REFRESH_TOKEN assert info["token_url"] == TOKEN_URL assert info["token_info_url"] == TOKEN_INFO_URL assert info["client_id"] == CLIENT_ID assert info["client_secret"] == CLIENT_SECRET assert "token" not in info assert "expiry" not in info assert "revoke_url" not in info assert "quota_project_id" not in info def test_to_json_full(self): creds = self.make_credentials( token=ACCESS_TOKEN, expiry=NOW, revoke_url=REVOKE_URL, quota_project_id=QUOTA_PROJECT_ID, ) json_info = creds.to_json() info = json.loads(json_info) assert info["audience"] == AUDIENCE assert info["refresh_token"] == REFRESH_TOKEN assert info["token_url"] == TOKEN_URL assert info["token_info_url"] == TOKEN_INFO_URL assert info["client_id"] == CLIENT_ID assert info["client_secret"] == CLIENT_SECRET assert info["token"] == ACCESS_TOKEN assert info["expiry"] == NOW.isoformat() + "Z" assert info["revoke_url"] == REVOKE_URL assert info["quota_project_id"] == QUOTA_PROJECT_ID def test_to_json_full_with_strip(self): creds = self.make_credentials( token=ACCESS_TOKEN, expiry=NOW, revoke_url=REVOKE_URL, quota_project_id=QUOTA_PROJECT_ID, ) json_info = creds.to_json(strip=["token", "expiry"]) info = json.loads(json_info) assert info["audience"] == AUDIENCE assert info["refresh_token"] == REFRESH_TOKEN assert info["token_url"] == TOKEN_URL assert info["token_info_url"] == TOKEN_INFO_URL assert info["client_id"] == CLIENT_ID assert info["client_secret"] == CLIENT_SECRET assert "token" not in info assert "expiry" not in info assert info["revoke_url"] == REVOKE_URL assert info["quota_project_id"] == QUOTA_PROJECT_ID def test_get_project_id(self): creds = self.make_credentials() request = mock.create_autospec(transport.Request) assert creds.get_project_id(request) is None request.assert_not_called() def test_with_quota_project(self): creds = self.make_credentials( token=ACCESS_TOKEN, expiry=NOW, revoke_url=REVOKE_URL, quota_project_id=QUOTA_PROJECT_ID, ) new_creds = creds.with_quota_project(QUOTA_PROJECT_ID) assert new_creds._audience == creds._audience assert new_creds._refresh_token == creds._refresh_token assert new_creds._token_url == creds._token_url assert new_creds._token_info_url == creds._token_info_url assert new_creds._client_id == creds._client_id assert new_creds._client_secret == creds._client_secret assert new_creds.token == creds.token assert new_creds.expiry == creds.expiry assert new_creds._revoke_url == creds._revoke_url assert new_creds._quota_project_id == QUOTA_PROJECT_ID def test_with_token_uri(self): creds = self.make_credentials( token=ACCESS_TOKEN, expiry=NOW, revoke_url=REVOKE_URL, quota_project_id=QUOTA_PROJECT_ID, ) new_creds = creds.with_token_uri("https://google.com") assert new_creds._audience == creds._audience assert new_creds._refresh_token == creds._refresh_token assert new_creds._token_url == "https://google.com" assert new_creds._token_info_url == creds._token_info_url assert new_creds._client_id == creds._client_id assert new_creds._client_secret == creds._client_secret assert new_creds.token == creds.token assert new_creds.expiry == creds.expiry assert new_creds._revoke_url == creds._revoke_url assert new_creds._quota_project_id == creds._quota_project_id def test_from_file_required_options_only(self, tmpdir): from_creds = self.make_credentials() config_file = tmpdir.join("config.json") config_file.write(from_creds.to_json()) creds = external_account_authorized_user.Credentials.from_file(str(config_file)) assert isinstance(creds, external_account_authorized_user.Credentials) assert creds.audience == AUDIENCE assert creds.refresh_token == REFRESH_TOKEN assert creds.token_url == TOKEN_URL assert creds.token_info_url == TOKEN_INFO_URL assert creds.client_id == CLIENT_ID assert creds.client_secret == CLIENT_SECRET assert creds.token is None assert creds.expiry is None assert creds.scopes is None assert creds._revoke_url is None assert creds._quota_project_id is None def test_from_file_full_options(self, tmpdir): from_creds = self.make_credentials( token=ACCESS_TOKEN, expiry=NOW, revoke_url=REVOKE_URL, quota_project_id=QUOTA_PROJECT_ID, scopes=SCOPES, ) config_file = tmpdir.join("config.json") config_file.write(from_creds.to_json()) creds = external_account_authorized_user.Credentials.from_file(str(config_file)) assert isinstance(creds, external_account_authorized_user.Credentials) assert creds.audience == AUDIENCE assert creds.refresh_token == REFRESH_TOKEN assert creds.token_url == TOKEN_URL assert creds.token_info_url == TOKEN_INFO_URL assert creds.client_id == CLIENT_ID assert creds.client_secret == CLIENT_SECRET assert creds.token == ACCESS_TOKEN assert creds.expiry == NOW assert creds.scopes == SCOPES assert creds._revoke_url == REVOKE_URL assert creds._quota_project_id == QUOTA_PROJECT_ID ��test_hooks.py��0000644��00000000650�15025233430�0007276 0��ustar�00��import pytest from requests import hooks def hook(value): return value[1:] @pytest.mark.parametrize( "hooks_list, result", ( (hook, "ata"), ([hook, lambda x: None, hook], "ta"), ), ) def test_hooks(hooks_list, result): assert hooks.dispatch_hook("response", {"response": hooks_list}, "Data") == result def test_default_hooks(): assert hooks.default_hooks() == {"response": []} ��test_help.py��0000644��00000001507�15025233430�0007105 0��ustar�00��from unittest import mock from requests.help import info def test_system_ssl(): """Verify we're actually setting system_ssl when it should be available.""" assert info()["system_ssl"]["version"] != "" class VersionedPackage: def __init__(self, version): self.__version__ = version def test_idna_without_version_attribute(): """Older versions of IDNA don't provide a __version__ attribute, verify that if we have such a package, we don't blow up. """ with mock.patch("requests.help.idna", new=None): assert info()["idna"] == {"version": ""} def test_idna_with_version_attribute(): """Verify we're actually setting idna version when it should be available.""" with mock.patch("requests.help.idna", new=VersionedPackage("2.6")): assert info()["idna"] == {"version": "2.6"} ��test_packages.py��0000644��00000000345�15025233430�0007732 0��ustar�00��import requests def test_can_access_urllib3_attribute(): requests.packages.urllib3 def test_can_access_idna_attribute(): requests.packages.idna def test_can_access_chardet_attribute(): requests.packages.chardet ��test_utils.py��0000644��00000071255�15025233430�0007324 0��ustar�00��import copy import filecmp import os import tarfile import zipfile from collections import deque from io import BytesIO from unittest import mock import pytest from requests import compat from requests._internal_utils import unicode_is_ascii from requests.cookies import RequestsCookieJar from requests.structures import CaseInsensitiveDict from requests.utils import ( _parse_content_type_header, add_dict_to_cookiejar, address_in_network, dotted_netmask, extract_zipped_paths, get_auth_from_url, get_encoding_from_headers, get_encodings_from_content, get_environ_proxies, guess_filename, guess_json_utf, is_ipv4_address, is_valid_cidr, iter_slices, parse_dict_header, parse_header_links, prepend_scheme_if_needed, requote_uri, select_proxy, set_environ, should_bypass_proxies, super_len, to_key_val_list, to_native_string, unquote_header_value, unquote_unreserved, urldefragauth, ) from .compat import StringIO, cStringIO class TestSuperLen: @pytest.mark.parametrize( "stream, value", ( (StringIO.StringIO, "Test"), (BytesIO, b"Test"), pytest.param( cStringIO, "Test", marks=pytest.mark.skipif("cStringIO is None") ), ), ) def test_io_streams(self, stream, value): """Ensures that we properly deal with different kinds of IO streams.""" assert super_len(stream()) == 0 assert super_len(stream(value)) == 4 def test_super_len_correctly_calculates_len_of_partially_read_file(self): """Ensure that we handle partially consumed file like objects.""" s = StringIO.StringIO() s.write("foobarbogus") assert super_len(s) == 0 @pytest.mark.parametrize("error", [IOError, OSError]) def test_super_len_handles_files_raising_weird_errors_in_tell(self, error): """If tell() raises errors, assume the cursor is at position zero.""" class BoomFile: def __len__(self): return 5 def tell(self): raise error() assert super_len(BoomFile()) == 0 @pytest.mark.parametrize("error", [IOError, OSError]) def test_super_len_tell_ioerror(self, error): """Ensure that if tell gives an IOError super_len doesn't fail""" class NoLenBoomFile: def tell(self): raise error() def seek(self, offset, whence): pass assert super_len(NoLenBoomFile()) == 0 def test_string(self): assert super_len("Test") == 4 @pytest.mark.parametrize( "mode, warnings_num", ( ("r", 1), ("rb", 0), ), ) def test_file(self, tmpdir, mode, warnings_num, recwarn): file_obj = tmpdir.join("test.txt") file_obj.write("Test") with file_obj.open(mode) as fd: assert super_len(fd) == 4 assert len(recwarn) == warnings_num def test_tarfile_member(self, tmpdir): file_obj = tmpdir.join("test.txt") file_obj.write("Test") tar_obj = str(tmpdir.join("test.tar")) with tarfile.open(tar_obj, "w") as tar: tar.add(str(file_obj), arcname="test.txt") with tarfile.open(tar_obj) as tar: member = tar.extractfile("test.txt") assert super_len(member) == 4 def test_super_len_with__len__(self): foo = [1, 2, 3, 4] len_foo = super_len(foo) assert len_foo == 4 def test_super_len_with_no__len__(self): class LenFile: def __init__(self): self.len = 5 assert super_len(LenFile()) == 5 def test_super_len_with_tell(self): foo = StringIO.StringIO("12345") assert super_len(foo) == 5 foo.read(2) assert super_len(foo) == 3 def test_super_len_with_fileno(self): with open(__file__, "rb") as f: length = super_len(f) file_data = f.read() assert length == len(file_data) def test_super_len_with_no_matches(self): """Ensure that objects without any length methods default to 0""" assert super_len(object()) == 0 class TestToKeyValList: @pytest.mark.parametrize( "value, expected", ( ([("key", "val")], [("key", "val")]), ((("key", "val"),), [("key", "val")]), ({"key": "val"}, [("key", "val")]), (None, None), ), ) def test_valid(self, value, expected): assert to_key_val_list(value) == expected def test_invalid(self): with pytest.raises(ValueError): to_key_val_list("string") class TestUnquoteHeaderValue: @pytest.mark.parametrize( "value, expected", ( (None, None), ("Test", "Test"), ('"Test"', "Test"), ('"Test\\\\"', "Test\\"), ('"\\\\Comp\\Res"', "\\Comp\\Res"), ), ) def test_valid(self, value, expected): assert unquote_header_value(value) == expected def test_is_filename(self): assert unquote_header_value('"\\\\Comp\\Res"', True) == "\\\\Comp\\Res" class TestGetEnvironProxies: """Ensures that IP addresses are correctly matches with ranges in no_proxy variable. """ @pytest.fixture(autouse=True, params=["no_proxy", "NO_PROXY"]) def no_proxy(self, request, monkeypatch): monkeypatch.setenv( request.param, "192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1" ) @pytest.mark.parametrize( "url", ( "http://192.168.0.1:5000/", "http://192.168.0.1/", "http://172.16.1.1/", "http://172.16.1.1:5000/", "http://localhost.localdomain:5000/v1.0/", ), ) def test_bypass(self, url): assert get_environ_proxies(url, no_proxy=None) == {} @pytest.mark.parametrize( "url", ( "http://192.168.1.1:5000/", "http://192.168.1.1/", "http://www.requests.com/", ), ) def test_not_bypass(self, url): assert get_environ_proxies(url, no_proxy=None) != {} @pytest.mark.parametrize( "url", ( "http://192.168.1.1:5000/", "http://192.168.1.1/", "http://www.requests.com/", ), ) def test_bypass_no_proxy_keyword(self, url): no_proxy = "192.168.1.1,requests.com" assert get_environ_proxies(url, no_proxy=no_proxy) == {} @pytest.mark.parametrize( "url", ( "http://192.168.0.1:5000/", "http://192.168.0.1/", "http://172.16.1.1/", "http://172.16.1.1:5000/", "http://localhost.localdomain:5000/v1.0/", ), ) def test_not_bypass_no_proxy_keyword(self, url, monkeypatch): # This is testing that the 'no_proxy' argument overrides the # environment variable 'no_proxy' monkeypatch.setenv("http_proxy", "http://proxy.example.com:3128/") no_proxy = "192.168.1.1,requests.com" assert get_environ_proxies(url, no_proxy=no_proxy) != {} class TestIsIPv4Address: def test_valid(self): assert is_ipv4_address("8.8.8.8") @pytest.mark.parametrize("value", ("8.8.8.8.8", "localhost.localdomain")) def test_invalid(self, value): assert not is_ipv4_address(value) class TestIsValidCIDR: def test_valid(self): assert is_valid_cidr("192.168.1.0/24") @pytest.mark.parametrize( "value", ( "8.8.8.8", "192.168.1.0/a", "192.168.1.0/128", "192.168.1.0/-1", "192.168.1.999/24", ), ) def test_invalid(self, value): assert not is_valid_cidr(value) class TestAddressInNetwork: def test_valid(self): assert address_in_network("192.168.1.1", "192.168.1.0/24") def test_invalid(self): assert not address_in_network("172.16.0.1", "192.168.1.0/24") class TestGuessFilename: @pytest.mark.parametrize( "value", (1, type("Fake", (object,), {"name": 1})()), ) def test_guess_filename_invalid(self, value): assert guess_filename(value) is None @pytest.mark.parametrize( "value, expected_type", ( (b"value", compat.bytes), (b"value".decode("utf-8"), compat.str), ), ) def test_guess_filename_valid(self, value, expected_type): obj = type("Fake", (object,), {"name": value})() result = guess_filename(obj) assert result == value assert isinstance(result, expected_type) class TestExtractZippedPaths: @pytest.mark.parametrize( "path", ( "/", __file__, pytest.__file__, "/etc/invalid/location", ), ) def test_unzipped_paths_unchanged(self, path): assert path == extract_zipped_paths(path) def test_zipped_paths_extracted(self, tmpdir): zipped_py = tmpdir.join("test.zip") with zipfile.ZipFile(zipped_py.strpath, "w") as f: f.write(__file__) _, name = os.path.splitdrive(__file__) zipped_path = os.path.join(zipped_py.strpath, name.lstrip(r"\/")) extracted_path = extract_zipped_paths(zipped_path) assert extracted_path != zipped_path assert os.path.exists(extracted_path) assert filecmp.cmp(extracted_path, __file__) def test_invalid_unc_path(self): path = r"\\localhost\invalid\location" assert extract_zipped_paths(path) == path class TestContentEncodingDetection: def test_none(self): encodings = get_encodings_from_content("") assert not len(encodings) @pytest.mark.parametrize( "content", ( # HTML5 meta charset attribute '<meta charset="UTF-8">', # HTML4 pragma directive '<meta http-equiv="Content-type" content="text/html;charset=UTF-8">', # XHTML 1.x served with text/html MIME type '<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />', # XHTML 1.x served as XML '<?xml version="1.0" encoding="UTF-8"?>', ), ) def test_pragmas(self, content): encodings = get_encodings_from_content(content) assert len(encodings) == 1 assert encodings[0] == "UTF-8" def test_precedence(self): content = """ <?xml version="1.0" encoding="XML"?> <meta charset="HTML5"> <meta http-equiv="Content-type" content="text/html;charset=HTML4" /> """.strip() assert get_encodings_from_content(content) == ["HTML5", "HTML4", "XML"] class TestGuessJSONUTF: @pytest.mark.parametrize( "encoding", ( "utf-32", "utf-8-sig", "utf-16", "utf-8", "utf-16-be", "utf-16-le", "utf-32-be", "utf-32-le", ), ) def test_encoded(self, encoding): data = "{}".encode(encoding) assert guess_json_utf(data) == encoding def test_bad_utf_like_encoding(self): assert guess_json_utf(b"\x00\x00\x00\x00") is None @pytest.mark.parametrize( ("encoding", "expected"), ( ("utf-16-be", "utf-16"), ("utf-16-le", "utf-16"), ("utf-32-be", "utf-32"), ("utf-32-le", "utf-32"), ), ) def test_guess_by_bom(self, encoding, expected): data = "\ufeff{}".encode(encoding) assert guess_json_utf(data) == expected USER = PASSWORD = "%!'();:@&=+$,/?#[] " ENCODED_USER = compat.quote(USER, "") ENCODED_PASSWORD = compat.quote(PASSWORD, "") @pytest.mark.parametrize( "url, auth", ( ( f"http://{ENCODED_USER}:{ENCODED_PASSWORD}@request.com/url.html#test", (USER, PASSWORD), ), ("http://user:pass@complex.url.com/path?query=yes", ("user", "pass")), ( "http://user:pass%20pass@complex.url.com/path?query=yes", ("user", "pass pass"), ), ("http://user:pass pass@complex.url.com/path?query=yes", ("user", "pass pass")), ( "http://user%25user:pass@complex.url.com/path?query=yes", ("user%user", "pass"), ), ( "http://user:pass%23pass@complex.url.com/path?query=yes", ("user", "pass#pass"), ), ("http://complex.url.com/path?query=yes", ("", "")), ), ) def test_get_auth_from_url(url, auth): assert get_auth_from_url(url) == auth @pytest.mark.parametrize( "uri, expected", ( ( # Ensure requoting doesn't break expectations "http://example.com/fiz?buz=%25ppicture", "http://example.com/fiz?buz=%25ppicture", ), ( # Ensure we handle unquoted percent signs in redirects "http://example.com/fiz?buz=%ppicture", "http://example.com/fiz?buz=%25ppicture", ), ), ) def test_requote_uri_with_unquoted_percents(uri, expected): """See: https://github.com/psf/requests/issues/2356""" assert requote_uri(uri) == expected @pytest.mark.parametrize( "uri, expected", ( ( # Illegal bytes "http://example.com/?a=%--", "http://example.com/?a=%--", ), ( # Reserved characters "http://example.com/?a=%300", "http://example.com/?a=00", ), ), ) def test_unquote_unreserved(uri, expected): assert unquote_unreserved(uri) == expected @pytest.mark.parametrize( "mask, expected", ( (8, "255.0.0.0"), (24, "255.255.255.0"), (25, "255.255.255.128"), ), ) def test_dotted_netmask(mask, expected): assert dotted_netmask(mask) == expected http_proxies = { "http": "http://http.proxy", "http://some.host": "http://some.host.proxy", } all_proxies = { "all": "socks5://http.proxy", "all://some.host": "socks5://some.host.proxy", } mixed_proxies = { "http": "http://http.proxy", "http://some.host": "http://some.host.proxy", "all": "socks5://http.proxy", } @pytest.mark.parametrize( "url, expected, proxies", ( ("hTTp://u:p@Some.Host/path", "http://some.host.proxy", http_proxies), ("hTTp://u:p@Other.Host/path", "http://http.proxy", http_proxies), ("hTTp:///path", "http://http.proxy", http_proxies), ("hTTps://Other.Host", None, http_proxies), ("file:///etc/motd", None, http_proxies), ("hTTp://u:p@Some.Host/path", "socks5://some.host.proxy", all_proxies), ("hTTp://u:p@Other.Host/path", "socks5://http.proxy", all_proxies), ("hTTp:///path", "socks5://http.proxy", all_proxies), ("hTTps://Other.Host", "socks5://http.proxy", all_proxies), ("http://u:p@other.host/path", "http://http.proxy", mixed_proxies), ("http://u:p@some.host/path", "http://some.host.proxy", mixed_proxies), ("https://u:p@other.host/path", "socks5://http.proxy", mixed_proxies), ("https://u:p@some.host/path", "socks5://http.proxy", mixed_proxies), ("https://", "socks5://http.proxy", mixed_proxies), # XXX: unsure whether this is reasonable behavior ("file:///etc/motd", "socks5://http.proxy", all_proxies), ), ) def test_select_proxies(url, expected, proxies): """Make sure we can select per-host proxies correctly.""" assert select_proxy(url, proxies) == expected @pytest.mark.parametrize( "value, expected", ( ('foo="is a fish", bar="as well"', {"foo": "is a fish", "bar": "as well"}), ("key_without_value", {"key_without_value": None}), ), ) def test_parse_dict_header(value, expected): assert parse_dict_header(value) == expected @pytest.mark.parametrize( "value, expected", ( ("application/xml", ("application/xml", {})), ( "application/json ; charset=utf-8", ("application/json", {"charset": "utf-8"}), ), ( "application/json ; Charset=utf-8", ("application/json", {"charset": "utf-8"}), ), ("text/plain", ("text/plain", {})), ( "multipart/form-data; boundary = something ; boundary2='something_else' ; no_equals ", ( "multipart/form-data", { "boundary": "something", "boundary2": "something_else", "no_equals": True, }, ), ), ( 'multipart/form-data; boundary = something ; boundary2="something_else" ; no_equals ', ( "multipart/form-data", { "boundary": "something", "boundary2": "something_else", "no_equals": True, }, ), ), ( "multipart/form-data; boundary = something ; 'boundary2=something_else' ; no_equals ", ( "multipart/form-data", { "boundary": "something", "boundary2": "something_else", "no_equals": True, }, ), ), ( 'multipart/form-data; boundary = something ; "boundary2=something_else" ; no_equals ', ( "multipart/form-data", { "boundary": "something", "boundary2": "something_else", "no_equals": True, }, ), ), ("application/json ; ; ", ("application/json", {})), ), ) def test__parse_content_type_header(value, expected): assert _parse_content_type_header(value) == expected @pytest.mark.parametrize( "value, expected", ( (CaseInsensitiveDict(), None), ( CaseInsensitiveDict({"content-type": "application/json; charset=utf-8"}), "utf-8", ), (CaseInsensitiveDict({"content-type": "text/plain"}), "ISO-8859-1"), ), ) def test_get_encoding_from_headers(value, expected): assert get_encoding_from_headers(value) == expected @pytest.mark.parametrize( "value, length", ( ("", 0), ("T", 1), ("Test", 4), ("Cont", 0), ("Other", -5), ("Content", None), ), ) def test_iter_slices(value, length): if length is None or (length <= 0 and len(value) > 0): # Reads all content at once assert len(list(iter_slices(value, length))) == 1 else: assert len(list(iter_slices(value, 1))) == length @pytest.mark.parametrize( "value, expected", ( ( '<http:/.../front.jpeg>; rel=front; type="image/jpeg"', [{"url": "http:/.../front.jpeg", "rel": "front", "type": "image/jpeg"}], ), ("<http:/.../front.jpeg>", [{"url": "http:/.../front.jpeg"}]), ("<http:/.../front.jpeg>;", [{"url": "http:/.../front.jpeg"}]), ( '<http:/.../front.jpeg>; type="image/jpeg",<http://.../back.jpeg>;', [ {"url": "http:/.../front.jpeg", "type": "image/jpeg"}, {"url": "http://.../back.jpeg"}, ], ), ("", []), ), ) def test_parse_header_links(value, expected): assert parse_header_links(value) == expected @pytest.mark.parametrize( "value, expected", ( ("example.com/path", "http://example.com/path"), ("//example.com/path", "http://example.com/path"), ("example.com:80", "http://example.com:80"), ( "http://user:pass@example.com/path?query", "http://user:pass@example.com/path?query", ), ("http://user@example.com/path?query", "http://user@example.com/path?query"), ), ) def test_prepend_scheme_if_needed(value, expected): assert prepend_scheme_if_needed(value, "http") == expected @pytest.mark.parametrize( "value, expected", ( ("T", "T"), (b"T", "T"), ("T", "T"), ), ) def test_to_native_string(value, expected): assert to_native_string(value) == expected @pytest.mark.parametrize( "url, expected", ( ("http://u:p@example.com/path?a=1#test", "http://example.com/path?a=1"), ("http://example.com/path", "http://example.com/path"), ("//u:p@example.com/path", "//example.com/path"), ("//example.com/path", "//example.com/path"), ("example.com/path", "//example.com/path"), ("scheme:u:p@example.com/path", "scheme://example.com/path"), ), ) def test_urldefragauth(url, expected): assert urldefragauth(url) == expected @pytest.mark.parametrize( "url, expected", ( ("http://192.168.0.1:5000/", True), ("http://192.168.0.1/", True), ("http://172.16.1.1/", True), ("http://172.16.1.1:5000/", True), ("http://localhost.localdomain:5000/v1.0/", True), ("http://google.com:6000/", True), ("http://172.16.1.12/", False), ("http://172.16.1.12:5000/", False), ("http://google.com:5000/v1.0/", False), ("file:///some/path/on/disk", True), ), ) def test_should_bypass_proxies(url, expected, monkeypatch): """Tests for function should_bypass_proxies to check if proxy can be bypassed or not """ monkeypatch.setenv( "no_proxy", "192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1, google.com:6000", ) monkeypatch.setenv( "NO_PROXY", "192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1, google.com:6000", ) assert should_bypass_proxies(url, no_proxy=None) == expected @pytest.mark.parametrize( "url, expected", ( ("http://172.16.1.1/", "172.16.1.1"), ("http://172.16.1.1:5000/", "172.16.1.1"), ("http://user:pass@172.16.1.1", "172.16.1.1"), ("http://user:pass@172.16.1.1:5000", "172.16.1.1"), ("http://hostname/", "hostname"), ("http://hostname:5000/", "hostname"), ("http://user:pass@hostname", "hostname"), ("http://user:pass@hostname:5000", "hostname"), ), ) def test_should_bypass_proxies_pass_only_hostname(url, expected): """The proxy_bypass function should be called with a hostname or IP without a port number or auth credentials. """ with mock.patch("requests.utils.proxy_bypass") as proxy_bypass: should_bypass_proxies(url, no_proxy=None) proxy_bypass.assert_called_once_with(expected) @pytest.mark.parametrize( "cookiejar", ( compat.cookielib.CookieJar(), RequestsCookieJar(), ), ) def test_add_dict_to_cookiejar(cookiejar): """Ensure add_dict_to_cookiejar works for non-RequestsCookieJar CookieJars """ cookiedict = {"test": "cookies", "good": "cookies"} cj = add_dict_to_cookiejar(cookiejar, cookiedict) cookies = {cookie.name: cookie.value for cookie in cj} assert cookiedict == cookies @pytest.mark.parametrize( "value, expected", ( ("test", True), ("æíöû", False), ("ジェーピーニック", False), ), ) def test_unicode_is_ascii(value, expected): assert unicode_is_ascii(value) is expected @pytest.mark.parametrize( "url, expected", ( ("http://192.168.0.1:5000/", True), ("http://192.168.0.1/", True), ("http://172.16.1.1/", True), ("http://172.16.1.1:5000/", True), ("http://localhost.localdomain:5000/v1.0/", True), ("http://172.16.1.12/", False), ("http://172.16.1.12:5000/", False), ("http://google.com:5000/v1.0/", False), ), ) def test_should_bypass_proxies_no_proxy(url, expected, monkeypatch): """Tests for function should_bypass_proxies to check if proxy can be bypassed or not using the 'no_proxy' argument """ no_proxy = "192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1" # Test 'no_proxy' argument assert should_bypass_proxies(url, no_proxy=no_proxy) == expected @pytest.mark.skipif(os.name != "nt", reason="Test only on Windows") @pytest.mark.parametrize( "url, expected, override", ( ("http://192.168.0.1:5000/", True, None), ("http://192.168.0.1/", True, None), ("http://172.16.1.1/", True, None), ("http://172.16.1.1:5000/", True, None), ("http://localhost.localdomain:5000/v1.0/", True, None), ("http://172.16.1.22/", False, None), ("http://172.16.1.22:5000/", False, None), ("http://google.com:5000/v1.0/", False, None), ("http://mylocalhostname:5000/v1.0/", True, "<local>"), ("http://192.168.0.1/", False, ""), ), ) def test_should_bypass_proxies_win_registry(url, expected, override, monkeypatch): """Tests for function should_bypass_proxies to check if proxy can be bypassed or not with Windows registry settings """ if override is None: override = "192.168.;127.0.0.1;localhost.localdomain;172.16.1.1" import winreg class RegHandle: def Close(self): pass ie_settings = RegHandle() proxyEnableValues = deque([1, "1"]) def OpenKey(key, subkey): return ie_settings def QueryValueEx(key, value_name): if key is ie_settings: if value_name == "ProxyEnable": # this could be a string (REG_SZ) or a 32-bit number (REG_DWORD) proxyEnableValues.rotate() return [proxyEnableValues[0]] elif value_name == "ProxyOverride": return [override] monkeypatch.setenv("http_proxy", "") monkeypatch.setenv("https_proxy", "") monkeypatch.setenv("ftp_proxy", "") monkeypatch.setenv("no_proxy", "") monkeypatch.setenv("NO_PROXY", "") monkeypatch.setattr(winreg, "OpenKey", OpenKey) monkeypatch.setattr(winreg, "QueryValueEx", QueryValueEx) assert should_bypass_proxies(url, None) == expected @pytest.mark.skipif(os.name != "nt", reason="Test only on Windows") def test_should_bypass_proxies_win_registry_bad_values(monkeypatch): """Tests for function should_bypass_proxies to check if proxy can be bypassed or not with Windows invalid registry settings. """ import winreg class RegHandle: def Close(self): pass ie_settings = RegHandle() def OpenKey(key, subkey): return ie_settings def QueryValueEx(key, value_name): if key is ie_settings: if value_name == "ProxyEnable": # Invalid response; Should be an int or int-y value return [""] elif value_name == "ProxyOverride": return ["192.168.;127.0.0.1;localhost.localdomain;172.16.1.1"] monkeypatch.setenv("http_proxy", "") monkeypatch.setenv("https_proxy", "") monkeypatch.setenv("no_proxy", "") monkeypatch.setenv("NO_PROXY", "") monkeypatch.setattr(winreg, "OpenKey", OpenKey) monkeypatch.setattr(winreg, "QueryValueEx", QueryValueEx) assert should_bypass_proxies("http://172.16.1.1/", None) is False @pytest.mark.parametrize( "env_name, value", ( ("no_proxy", "192.168.0.0/24,127.0.0.1,localhost.localdomain"), ("no_proxy", None), ("a_new_key", "192.168.0.0/24,127.0.0.1,localhost.localdomain"), ("a_new_key", None), ), ) def test_set_environ(env_name, value): """Tests set_environ will set environ values and will restore the environ.""" environ_copy = copy.deepcopy(os.environ) with set_environ(env_name, value): assert os.environ.get(env_name) == value assert os.environ == environ_copy def test_set_environ_raises_exception(): """Tests set_environ will raise exceptions in context when the value parameter is None.""" with pytest.raises(Exception) as exception: with set_environ("test1", None): raise Exception("Expected exception") assert "Expected exception" in str(exception.value) @pytest.mark.skipif(os.name != "nt", reason="Test only on Windows") def test_should_bypass_proxies_win_registry_ProxyOverride_value(monkeypatch): """Tests for function should_bypass_proxies to check if proxy can be bypassed or not with Windows ProxyOverride registry value ending with a semicolon. """ import winreg class RegHandle: def Close(self): pass ie_settings = RegHandle() def OpenKey(key, subkey): return ie_settings def QueryValueEx(key, value_name): if key is ie_settings: if value_name == "ProxyEnable": return [1] elif value_name == "ProxyOverride": return [ "192.168.;127.0.0.1;localhost.localdomain;172.16.1.1;<-loopback>;" ] monkeypatch.setenv("NO_PROXY", "") monkeypatch.setenv("no_proxy", "") monkeypatch.setattr(winreg, "OpenKey", OpenKey) monkeypatch.setattr(winreg, "QueryValueEx", QueryValueEx) assert should_bypass_proxies("http://example.com/", None) is False ��test_adapters.py��0000644��00000000467�15025233430�0007764 0��ustar�00��import requests.adapters def test_request_url_trims_leading_path_separators(): """See also https://github.com/psf/requests/issues/6643.""" a = requests.adapters.HTTPAdapter() p = requests.Request(method="GET", url="http://127.0.0.1:10000//v:h").prepare() assert "/v:h" == a.request_url(p, {}) ��test_requests.py��0000644��00000314060�15025233430�0010031 0��ustar�00��"""Tests for Requests.""" import collections import contextlib import io import json import os import pickle import re import threading import warnings from unittest import mock import pytest import urllib3 from urllib3.util import Timeout as Urllib3Timeout import requests from requests.adapters import HTTPAdapter from requests.auth import HTTPDigestAuth, _basic_auth_str from requests.compat import ( JSONDecodeError, Morsel, MutableMapping, builtin_str, cookielib, getproxies, urlparse, ) from requests.cookies import cookiejar_from_dict, morsel_to_cookie from requests.exceptions import ( ChunkedEncodingError, ConnectionError, ConnectTimeout, ContentDecodingError, InvalidHeader, InvalidProxyURL, InvalidSchema, InvalidURL, MissingSchema, ProxyError, ReadTimeout, RequestException, RetryError, ) from requests.exceptions import SSLError as RequestsSSLError from requests.exceptions import Timeout, TooManyRedirects, UnrewindableBodyError from requests.hooks import default_hooks from requests.models import PreparedRequest, urlencode from requests.sessions import SessionRedirectMixin from requests.structures import CaseInsensitiveDict from . import SNIMissingWarning from .compat import StringIO from .testserver.server import TLSServer, consume_socket_content from .utils import override_environ # Requests to this URL should always fail with a connection timeout (nothing # listening on that port) TARPIT = "http://10.255.255.1" # This is to avoid waiting the timeout of using TARPIT INVALID_PROXY = "http://localhost:1" try: from ssl import SSLContext del SSLContext HAS_MODERN_SSL = True except ImportError: HAS_MODERN_SSL = False try: requests.pyopenssl HAS_PYOPENSSL = True except AttributeError: HAS_PYOPENSSL = False class TestRequests: digest_auth_algo = ("MD5", "SHA-256", "SHA-512") def test_entry_points(self): requests.session requests.session().get requests.session().head requests.get requests.head requests.put requests.patch requests.post # Not really an entry point, but people rely on it. from requests.packages.urllib3.poolmanager import PoolManager # noqa:F401 @pytest.mark.parametrize( "exception, url", ( (MissingSchema, "hiwpefhipowhefopw"), (InvalidSchema, "localhost:3128"), (InvalidSchema, "localhost.localdomain:3128/"), (InvalidSchema, "10.122.1.1:3128/"), (InvalidURL, "http://"), (InvalidURL, "http://example.com"), (InvalidURL, "http://.example.com"), ), ) def test_invalid_url(self, exception, url): with pytest.raises(exception): requests.get(url) def test_basic_building(self): req = requests.Request() req.url = "http://kennethreitz.org/" req.data = {"life": "42"} pr = req.prepare() assert pr.url == req.url assert pr.body == "life=42" @pytest.mark.parametrize("method", ("GET", "HEAD")) def test_no_content_length(self, httpbin, method): req = requests.Request(method, httpbin(method.lower())).prepare() assert "Content-Length" not in req.headers @pytest.mark.parametrize("method", ("POST", "PUT", "PATCH", "OPTIONS")) def test_no_body_content_length(self, httpbin, method): req = requests.Request(method, httpbin(method.lower())).prepare() assert req.headers["Content-Length"] == "0" @pytest.mark.parametrize("method", ("POST", "PUT", "PATCH", "OPTIONS")) def test_empty_content_length(self, httpbin, method): req = requests.Request(method, httpbin(method.lower()), data="").prepare() assert req.headers["Content-Length"] == "0" def test_override_content_length(self, httpbin): headers = {"Content-Length": "not zero"} r = requests.Request("POST", httpbin("post"), headers=headers).prepare() assert "Content-Length" in r.headers assert r.headers["Content-Length"] == "not zero" def test_path_is_not_double_encoded(self): request = requests.Request("GET", "http://0.0.0.0/get/test case").prepare() assert request.path_url == "/get/test%20case" @pytest.mark.parametrize( "url, expected", ( ( "http://example.com/path#fragment", "http://example.com/path?a=b#fragment", ), ( "http://example.com/path?key=value#fragment", "http://example.com/path?key=value&a=b#fragment", ), ), ) def test_params_are_added_before_fragment(self, url, expected): request = requests.Request("GET", url, params={"a": "b"}).prepare() assert request.url == expected def test_params_original_order_is_preserved_by_default(self): param_ordered_dict = collections.OrderedDict( (("z", 1), ("a", 1), ("k", 1), ("d", 1)) ) session = requests.Session() request = requests.Request( "GET", "http://example.com/", params=param_ordered_dict ) prep = session.prepare_request(request) assert prep.url == "http://example.com/?z=1&a=1&k=1&d=1" def test_params_bytes_are_encoded(self): request = requests.Request( "GET", "http://example.com", params=b"test=foo" ).prepare() assert request.url == "http://example.com/?test=foo" def test_binary_put(self): request = requests.Request( "PUT", "http://example.com", data="ööö".encode() ).prepare() assert isinstance(request.body, bytes) def test_whitespaces_are_removed_from_url(self): # Test for issue #3696 request = requests.Request("GET", " http://example.com").prepare() assert request.url == "http://example.com/" @pytest.mark.parametrize("scheme", ("http://", "HTTP://", "hTTp://", "HttP://")) def test_mixed_case_scheme_acceptable(self, httpbin, scheme): s = requests.Session() s.proxies = getproxies() parts = urlparse(httpbin("get")) url = scheme + parts.netloc + parts.path r = requests.Request("GET", url) r = s.send(r.prepare()) assert r.status_code == 200, f"failed for scheme {scheme}" def test_HTTP_200_OK_GET_ALTERNATIVE(self, httpbin): r = requests.Request("GET", httpbin("get")) s = requests.Session() s.proxies = getproxies() r = s.send(r.prepare()) assert r.status_code == 200 def test_HTTP_302_ALLOW_REDIRECT_GET(self, httpbin): r = requests.get(httpbin("redirect", "1")) assert r.status_code == 200 assert r.history[0].status_code == 302 assert r.history[0].is_redirect def test_HTTP_307_ALLOW_REDIRECT_POST(self, httpbin): r = requests.post( httpbin("redirect-to"), data="test", params={"url": "post", "status_code": 307}, ) assert r.status_code == 200 assert r.history[0].status_code == 307 assert r.history[0].is_redirect assert r.json()["data"] == "test" def test_HTTP_307_ALLOW_REDIRECT_POST_WITH_SEEKABLE(self, httpbin): byte_str = b"test" r = requests.post( httpbin("redirect-to"), data=io.BytesIO(byte_str), params={"url": "post", "status_code": 307}, ) assert r.status_code == 200 assert r.history[0].status_code == 307 assert r.history[0].is_redirect assert r.json()["data"] == byte_str.decode("utf-8") def test_HTTP_302_TOO_MANY_REDIRECTS(self, httpbin): try: requests.get(httpbin("relative-redirect", "50")) except TooManyRedirects as e: url = httpbin("relative-redirect", "20") assert e.request.url == url assert e.response.url == url assert len(e.response.history) == 30 else: pytest.fail("Expected redirect to raise TooManyRedirects but it did not") def test_HTTP_302_TOO_MANY_REDIRECTS_WITH_PARAMS(self, httpbin): s = requests.session() s.max_redirects = 5 try: s.get(httpbin("relative-redirect", "50")) except TooManyRedirects as e: url = httpbin("relative-redirect", "45") assert e.request.url == url assert e.response.url == url assert len(e.response.history) == 5 else: pytest.fail( "Expected custom max number of redirects to be respected but was not" ) def test_http_301_changes_post_to_get(self, httpbin): r = requests.post(httpbin("status", "301")) assert r.status_code == 200 assert r.request.method == "GET" assert r.history[0].status_code == 301 assert r.history[0].is_redirect def test_http_301_doesnt_change_head_to_get(self, httpbin): r = requests.head(httpbin("status", "301"), allow_redirects=True) print(r.content) assert r.status_code == 200 assert r.request.method == "HEAD" assert r.history[0].status_code == 301 assert r.history[0].is_redirect def test_http_302_changes_post_to_get(self, httpbin): r = requests.post(httpbin("status", "302")) assert r.status_code == 200 assert r.request.method == "GET" assert r.history[0].status_code == 302 assert r.history[0].is_redirect def test_http_302_doesnt_change_head_to_get(self, httpbin): r = requests.head(httpbin("status", "302"), allow_redirects=True) assert r.status_code == 200 assert r.request.method == "HEAD" assert r.history[0].status_code == 302 assert r.history[0].is_redirect def test_http_303_changes_post_to_get(self, httpbin): r = requests.post(httpbin("status", "303")) assert r.status_code == 200 assert r.request.method == "GET" assert r.history[0].status_code == 303 assert r.history[0].is_redirect def test_http_303_doesnt_change_head_to_get(self, httpbin): r = requests.head(httpbin("status", "303"), allow_redirects=True) assert r.status_code == 200 assert r.request.method == "HEAD" assert r.history[0].status_code == 303 assert r.history[0].is_redirect def test_header_and_body_removal_on_redirect(self, httpbin): purged_headers = ("Content-Length", "Content-Type") ses = requests.Session() req = requests.Request("POST", httpbin("post"), data={"test": "data"}) prep = ses.prepare_request(req) resp = ses.send(prep) # Mimic a redirect response resp.status_code = 302 resp.headers["location"] = "get" # Run request through resolve_redirects next_resp = next(ses.resolve_redirects(resp, prep)) assert next_resp.request.body is None for header in purged_headers: assert header not in next_resp.request.headers def test_transfer_enc_removal_on_redirect(self, httpbin): purged_headers = ("Transfer-Encoding", "Content-Type") ses = requests.Session() req = requests.Request("POST", httpbin("post"), data=(b"x" for x in range(1))) prep = ses.prepare_request(req) assert "Transfer-Encoding" in prep.headers # Create Response to avoid https://github.com/kevin1024/pytest-httpbin/issues/33 resp = requests.Response() resp.raw = io.BytesIO(b"the content") resp.request = prep setattr(resp.raw, "release_conn", lambda args: args) # Mimic a redirect response resp.status_code = 302 resp.headers["location"] = httpbin("get") # Run request through resolve_redirect next_resp = next(ses.resolve_redirects(resp, prep)) assert next_resp.request.body is None for header in purged_headers: assert header not in next_resp.request.headers def test_fragment_maintained_on_redirect(self, httpbin): fragment = "#view=edit&token=hunter2" r = requests.get(httpbin("redirect-to?url=get") + fragment) assert len(r.history) > 0 assert r.history[0].request.url == httpbin("redirect-to?url=get") + fragment assert r.url == httpbin("get") + fragment def test_HTTP_200_OK_GET_WITH_PARAMS(self, httpbin): heads = {"User-agent": "Mozilla/5.0"} r = requests.get(httpbin("user-agent"), headers=heads) assert heads["User-agent"] in r.text assert r.status_code == 200 def test_HTTP_200_OK_GET_WITH_MIXED_PARAMS(self, httpbin): heads = {"User-agent": "Mozilla/5.0"} r = requests.get( httpbin("get") + "?test=true", params={"q": "test"}, headers=heads ) assert r.status_code == 200 def test_set_cookie_on_301(self, httpbin): s = requests.session() url = httpbin("cookies/set?foo=bar") s.get(url) assert s.cookies["foo"] == "bar" def test_cookie_sent_on_redirect(self, httpbin): s = requests.session() s.get(httpbin("cookies/set?foo=bar")) r = s.get(httpbin("redirect/1")) # redirects to httpbin('get') assert "Cookie" in r.json()["headers"] def test_cookie_removed_on_expire(self, httpbin): s = requests.session() s.get(httpbin("cookies/set?foo=bar")) assert s.cookies["foo"] == "bar" s.get( httpbin("response-headers"), params={"Set-Cookie": "foo=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT"}, ) assert "foo" not in s.cookies def test_cookie_quote_wrapped(self, httpbin): s = requests.session() s.get(httpbin('cookies/set?foo="bar:baz"')) assert s.cookies["foo"] == '"bar:baz"' def test_cookie_persists_via_api(self, httpbin): s = requests.session() r = s.get(httpbin("redirect/1"), cookies={"foo": "bar"}) assert "foo" in r.request.headers["Cookie"] assert "foo" in r.history[0].request.headers["Cookie"] def test_request_cookie_overrides_session_cookie(self, httpbin): s = requests.session() s.cookies["foo"] = "bar" r = s.get(httpbin("cookies"), cookies={"foo": "baz"}) assert r.json()["cookies"]["foo"] == "baz" # Session cookie should not be modified assert s.cookies["foo"] == "bar" def test_request_cookies_not_persisted(self, httpbin): s = requests.session() s.get(httpbin("cookies"), cookies={"foo": "baz"}) # Sending a request with cookies should not add cookies to the session assert not s.cookies def test_generic_cookiejar_works(self, httpbin): cj = cookielib.CookieJar() cookiejar_from_dict({"foo": "bar"}, cj) s = requests.session() s.cookies = cj r = s.get(httpbin("cookies")) # Make sure the cookie was sent assert r.json()["cookies"]["foo"] == "bar" # Make sure the session cj is still the custom one assert s.cookies is cj def test_param_cookiejar_works(self, httpbin): cj = cookielib.CookieJar() cookiejar_from_dict({"foo": "bar"}, cj) s = requests.session() r = s.get(httpbin("cookies"), cookies=cj) # Make sure the cookie was sent assert r.json()["cookies"]["foo"] == "bar" def test_cookielib_cookiejar_on_redirect(self, httpbin): """Tests resolve_redirect doesn't fail when merging cookies with non-RequestsCookieJar cookiejar. See GH #3579 """ cj = cookiejar_from_dict({"foo": "bar"}, cookielib.CookieJar()) s = requests.Session() s.cookies = cookiejar_from_dict({"cookie": "tasty"}) # Prepare request without using Session req = requests.Request("GET", httpbin("headers"), cookies=cj) prep_req = req.prepare() # Send request and simulate redirect resp = s.send(prep_req) resp.status_code = 302 resp.headers["location"] = httpbin("get") redirects = s.resolve_redirects(resp, prep_req) resp = next(redirects) # Verify CookieJar isn't being converted to RequestsCookieJar assert isinstance(prep_req._cookies, cookielib.CookieJar) assert isinstance(resp.request._cookies, cookielib.CookieJar) assert not isinstance(resp.request._cookies, requests.cookies.RequestsCookieJar) cookies = {} for c in resp.request._cookies: cookies[c.name] = c.value assert cookies["foo"] == "bar" assert cookies["cookie"] == "tasty" def test_requests_in_history_are_not_overridden(self, httpbin): resp = requests.get(httpbin("redirect/3")) urls = [r.url for r in resp.history] req_urls = [r.request.url for r in resp.history] assert urls == req_urls def test_history_is_always_a_list(self, httpbin): """Show that even with redirects, Response.history is always a list.""" resp = requests.get(httpbin("get")) assert isinstance(resp.history, list) resp = requests.get(httpbin("redirect/1")) assert isinstance(resp.history, list) assert not isinstance(resp.history, tuple) def test_headers_on_session_with_None_are_not_sent(self, httpbin): """Do not send headers in Session.headers with None values.""" ses = requests.Session() ses.headers["Accept-Encoding"] = None req = requests.Request("GET", httpbin("get")) prep = ses.prepare_request(req) assert "Accept-Encoding" not in prep.headers def test_headers_preserve_order(self, httpbin): """Preserve order when headers provided as OrderedDict.""" ses = requests.Session() ses.headers = collections.OrderedDict() ses.headers["Accept-Encoding"] = "identity" ses.headers["First"] = "1" ses.headers["Second"] = "2" headers = collections.OrderedDict([("Third", "3"), ("Fourth", "4")]) headers["Fifth"] = "5" headers["Second"] = "222" req = requests.Request("GET", httpbin("get"), headers=headers) prep = ses.prepare_request(req) items = list(prep.headers.items()) assert items[0] == ("Accept-Encoding", "identity") assert items[1] == ("First", "1") assert items[2] == ("Second", "222") assert items[3] == ("Third", "3") assert items[4] == ("Fourth", "4") assert items[5] == ("Fifth", "5") @pytest.mark.parametrize("key", ("User-agent", "user-agent")) def test_user_agent_transfers(self, httpbin, key): heads = {key: "Mozilla/5.0 (github.com/psf/requests)"} r = requests.get(httpbin("user-agent"), headers=heads) assert heads[key] in r.text def test_HTTP_200_OK_HEAD(self, httpbin): r = requests.head(httpbin("get")) assert r.status_code == 200 def test_HTTP_200_OK_PUT(self, httpbin): r = requests.put(httpbin("put")) assert r.status_code == 200 def test_BASICAUTH_TUPLE_HTTP_200_OK_GET(self, httpbin): auth = ("user", "pass") url = httpbin("basic-auth", "user", "pass") r = requests.get(url, auth=auth) assert r.status_code == 200 r = requests.get(url) assert r.status_code == 401 s = requests.session() s.auth = auth r = s.get(url) assert r.status_code == 200 @pytest.mark.parametrize( "username, password", ( ("user", "pass"), ("имя".encode(), "пароль".encode()), (42, 42), (None, None), ), ) def test_set_basicauth(self, httpbin, username, password): auth = (username, password) url = httpbin("get") r = requests.Request("GET", url, auth=auth) p = r.prepare() assert p.headers["Authorization"] == _basic_auth_str(username, password) def test_basicauth_encodes_byte_strings(self): """Ensure b'test' formats as the byte string "test" rather than the unicode string "b'test'" in Python 3. """ auth = (b"\xc5\xafsername", b"test\xc6\xb6") r = requests.Request("GET", "http://localhost", auth=auth) p = r.prepare() assert p.headers["Authorization"] == "Basic xa9zZXJuYW1lOnRlc3TGtg==" @pytest.mark.parametrize( "url, exception", ( # Connecting to an unknown domain should raise a ConnectionError ("http://doesnotexist.google.com", ConnectionError), # Connecting to an invalid port should raise a ConnectionError ("http://localhost:1", ConnectionError), # Inputing a URL that cannot be parsed should raise an InvalidURL error ("http://fe80::5054:ff:fe5a:fc0", InvalidURL), ), ) def test_errors(self, url, exception): with pytest.raises(exception): requests.get(url, timeout=1) def test_proxy_error(self): # any proxy related error (address resolution, no route to host, etc) should result in a ProxyError with pytest.raises(ProxyError): requests.get( "http://localhost:1", proxies={"http": "non-resolvable-address"} ) def test_proxy_error_on_bad_url(self, httpbin, httpbin_secure): with pytest.raises(InvalidProxyURL): requests.get(httpbin_secure(), proxies={"https": "http:/badproxyurl:3128"}) with pytest.raises(InvalidProxyURL): requests.get(httpbin(), proxies={"http": "http://:8080"}) with pytest.raises(InvalidProxyURL): requests.get(httpbin_secure(), proxies={"https": "https://"}) with pytest.raises(InvalidProxyURL): requests.get(httpbin(), proxies={"http": "http:///example.com:8080"}) def test_respect_proxy_env_on_send_self_prepared_request(self, httpbin): with override_environ(http_proxy=INVALID_PROXY): with pytest.raises(ProxyError): session = requests.Session() request = requests.Request("GET", httpbin()) session.send(request.prepare()) def test_respect_proxy_env_on_send_session_prepared_request(self, httpbin): with override_environ(http_proxy=INVALID_PROXY): with pytest.raises(ProxyError): session = requests.Session() request = requests.Request("GET", httpbin()) prepared = session.prepare_request(request) session.send(prepared) def test_respect_proxy_env_on_send_with_redirects(self, httpbin): with override_environ(http_proxy=INVALID_PROXY): with pytest.raises(ProxyError): session = requests.Session() url = httpbin("redirect/1") print(url) request = requests.Request("GET", url) session.send(request.prepare()) def test_respect_proxy_env_on_get(self, httpbin): with override_environ(http_proxy=INVALID_PROXY): with pytest.raises(ProxyError): session = requests.Session() session.get(httpbin()) def test_respect_proxy_env_on_request(self, httpbin): with override_environ(http_proxy=INVALID_PROXY): with pytest.raises(ProxyError): session = requests.Session() session.request(method="GET", url=httpbin()) def test_proxy_authorization_preserved_on_request(self, httpbin): proxy_auth_value = "Bearer XXX" session = requests.Session() session.headers.update({"Proxy-Authorization": proxy_auth_value}) resp = session.request(method="GET", url=httpbin("get")) sent_headers = resp.json().get("headers", {}) assert sent_headers.get("Proxy-Authorization") == proxy_auth_value @pytest.mark.parametrize( "url,has_proxy_auth", ( ("http://example.com", True), ("https://example.com", False), ), ) def test_proxy_authorization_not_appended_to_https_request( self, url, has_proxy_auth ): session = requests.Session() proxies = { "http": "http://test:pass@localhost:8080", "https": "http://test:pass@localhost:8090", } req = requests.Request("GET", url) prep = req.prepare() session.rebuild_proxies(prep, proxies) assert ("Proxy-Authorization" in prep.headers) is has_proxy_auth def test_basicauth_with_netrc(self, httpbin): auth = ("user", "pass") wrong_auth = ("wronguser", "wrongpass") url = httpbin("basic-auth", "user", "pass") old_auth = requests.sessions.get_netrc_auth try: def get_netrc_auth_mock(url): return auth requests.sessions.get_netrc_auth = get_netrc_auth_mock # Should use netrc and work. r = requests.get(url) assert r.status_code == 200 # Given auth should override and fail. r = requests.get(url, auth=wrong_auth) assert r.status_code == 401 s = requests.session() # Should use netrc and work. r = s.get(url) assert r.status_code == 200 # Given auth should override and fail. s.auth = wrong_auth r = s.get(url) assert r.status_code == 401 finally: requests.sessions.get_netrc_auth = old_auth def test_DIGEST_HTTP_200_OK_GET(self, httpbin): for authtype in self.digest_auth_algo: auth = HTTPDigestAuth("user", "pass") url = httpbin("digest-auth", "auth", "user", "pass", authtype, "never") r = requests.get(url, auth=auth) assert r.status_code == 200 r = requests.get(url) assert r.status_code == 401 print(r.headers["WWW-Authenticate"]) s = requests.session() s.auth = HTTPDigestAuth("user", "pass") r = s.get(url) assert r.status_code == 200 def test_DIGEST_AUTH_RETURNS_COOKIE(self, httpbin): for authtype in self.digest_auth_algo: url = httpbin("digest-auth", "auth", "user", "pass", authtype) auth = HTTPDigestAuth("user", "pass") r = requests.get(url) assert r.cookies["fake"] == "fake_value" r = requests.get(url, auth=auth) assert r.status_code == 200 def test_DIGEST_AUTH_SETS_SESSION_COOKIES(self, httpbin): for authtype in self.digest_auth_algo: url = httpbin("digest-auth", "auth", "user", "pass", authtype) auth = HTTPDigestAuth("user", "pass") s = requests.Session() s.get(url, auth=auth) assert s.cookies["fake"] == "fake_value" def test_DIGEST_STREAM(self, httpbin): for authtype in self.digest_auth_algo: auth = HTTPDigestAuth("user", "pass") url = httpbin("digest-auth", "auth", "user", "pass", authtype) r = requests.get(url, auth=auth, stream=True) assert r.raw.read() != b"" r = requests.get(url, auth=auth, stream=False) assert r.raw.read() == b"" def test_DIGESTAUTH_WRONG_HTTP_401_GET(self, httpbin): for authtype in self.digest_auth_algo: auth = HTTPDigestAuth("user", "wrongpass") url = httpbin("digest-auth", "auth", "user", "pass", authtype) r = requests.get(url, auth=auth) assert r.status_code == 401 r = requests.get(url) assert r.status_code == 401 s = requests.session() s.auth = auth r = s.get(url) assert r.status_code == 401 def test_DIGESTAUTH_QUOTES_QOP_VALUE(self, httpbin): for authtype in self.digest_auth_algo: auth = HTTPDigestAuth("user", "pass") url = httpbin("digest-auth", "auth", "user", "pass", authtype) r = requests.get(url, auth=auth) assert '"auth"' in r.request.headers["Authorization"] def test_POSTBIN_GET_POST_FILES(self, httpbin): url = httpbin("post") requests.post(url).raise_for_status() post1 = requests.post(url, data={"some": "data"}) assert post1.status_code == 200 with open("requirements-dev.txt") as f: post2 = requests.post(url, files={"some": f}) assert post2.status_code == 200 post4 = requests.post(url, data='[{"some": "json"}]') assert post4.status_code == 200 with pytest.raises(ValueError): requests.post(url, files=["bad file data"]) def test_invalid_files_input(self, httpbin): url = httpbin("post") post = requests.post(url, files={"random-file-1": None, "random-file-2": 1}) assert b'name="random-file-1"' not in post.request.body assert b'name="random-file-2"' in post.request.body def test_POSTBIN_SEEKED_OBJECT_WITH_NO_ITER(self, httpbin): class TestStream: def __init__(self, data): self.data = data.encode() self.length = len(self.data) self.index = 0 def __len__(self): return self.length def read(self, size=None): if size: ret = self.data[self.index : self.index + size] self.index += size else: ret = self.data[self.index :] self.index = self.length return ret def tell(self): return self.index def seek(self, offset, where=0): if where == 0: self.index = offset elif where == 1: self.index += offset elif where == 2: self.index = self.length + offset test = TestStream("test") post1 = requests.post(httpbin("post"), data=test) assert post1.status_code == 200 assert post1.json()["data"] == "test" test = TestStream("test") test.seek(2) post2 = requests.post(httpbin("post"), data=test) assert post2.status_code == 200 assert post2.json()["data"] == "st" def test_POSTBIN_GET_POST_FILES_WITH_DATA(self, httpbin): url = httpbin("post") requests.post(url).raise_for_status() post1 = requests.post(url, data={"some": "data"}) assert post1.status_code == 200 with open("requirements-dev.txt") as f: post2 = requests.post(url, data={"some": "data"}, files={"some": f}) assert post2.status_code == 200 post4 = requests.post(url, data='[{"some": "json"}]') assert post4.status_code == 200 with pytest.raises(ValueError): requests.post(url, files=["bad file data"]) def test_post_with_custom_mapping(self, httpbin): class CustomMapping(MutableMapping): def __init__(self, args, *kwargs): self.data = dict(args, kwargs) def __delitem__(self, key): del self.data[key] def __getitem__(self, key): return self.data[key] def __setitem__(self, key, value): self.data[key] = value def __iter__(self): return iter(self.data) def __len__(self): return len(self.data) data = CustomMapping({"some": "data"}) url = httpbin("post") found_json = requests.post(url, data=data).json().get("form") assert found_json == {"some": "data"} def test_conflicting_post_params(self, httpbin): url = httpbin("post") with open("requirements-dev.txt") as f: with pytest.raises(ValueError): requests.post(url, data='[{"some": "data"}]', files={"some": f}) def test_request_ok_set(self, httpbin): r = requests.get(httpbin("status", "404")) assert not r.ok def test_status_raising(self, httpbin): r = requests.get(httpbin("status", "404")) with pytest.raises(requests.exceptions.HTTPError): r.raise_for_status() r = requests.get(httpbin("status", "500")) assert not r.ok def test_decompress_gzip(self, httpbin): r = requests.get(httpbin("gzip")) r.content.decode("ascii") @pytest.mark.parametrize( "url, params", ( ("/get", {"foo": "føø"}), ("/get", {"føø": "føø"}), ("/get", {"føø": "føø"}), ("/get", {"foo": "foo"}), ("ø", {"foo": "foo"}), ), ) def test_unicode_get(self, httpbin, url, params): requests.get(httpbin(url), params=params) def test_unicode_header_name(self, httpbin): requests.put( httpbin("put"), headers={"Content-Type": "application/octet-stream"}, data="\xff", ) # compat.str is unicode. def test_pyopenssl_redirect(self, httpbin_secure, httpbin_ca_bundle): requests.get(httpbin_secure("status", "301"), verify=httpbin_ca_bundle) def test_invalid_ca_certificate_path(self, httpbin_secure): INVALID_PATH = "/garbage" with pytest.raises(IOError) as e: requests.get(httpbin_secure(), verify=INVALID_PATH) assert str( e.value ) == "Could not find a suitable TLS CA certificate bundle, invalid path: {}".format( INVALID_PATH ) def test_invalid_ssl_certificate_files(self, httpbin_secure): INVALID_PATH = "/garbage" with pytest.raises(IOError) as e: requests.get(httpbin_secure(), cert=INVALID_PATH) assert str( e.value ) == "Could not find the TLS certificate file, invalid path: {}".format( INVALID_PATH ) with pytest.raises(IOError) as e: requests.get(httpbin_secure(), cert=(".", INVALID_PATH)) assert str(e.value) == ( f"Could not find the TLS key file, invalid path: {INVALID_PATH}" ) @pytest.mark.parametrize( "env, expected", ( ({}, True), ({"REQUESTS_CA_BUNDLE": "/some/path"}, "/some/path"), ({"REQUESTS_CA_BUNDLE": ""}, True), ({"CURL_CA_BUNDLE": "/some/path"}, "/some/path"), ({"CURL_CA_BUNDLE": ""}, True), ({"REQUESTS_CA_BUNDLE": "", "CURL_CA_BUNDLE": ""}, True), ( { "REQUESTS_CA_BUNDLE": "/some/path", "CURL_CA_BUNDLE": "/curl/path", }, "/some/path", ), ( { "REQUESTS_CA_BUNDLE": "", "CURL_CA_BUNDLE": "/curl/path", }, "/curl/path", ), ), ) def test_env_cert_bundles(self, httpbin, env, expected): s = requests.Session() with mock.patch("os.environ", env): settings = s.merge_environment_settings( url=httpbin("get"), proxies={}, stream=False, verify=True, cert=None ) assert settings["verify"] == expected def test_http_with_certificate(self, httpbin): r = requests.get(httpbin(), cert=".") assert r.status_code == 200 @pytest.mark.skipif( SNIMissingWarning is None, reason="urllib3 2.0 removed that warning and errors out instead", ) def test_https_warnings(self, nosan_server): """warnings are emitted with requests.get""" host, port, ca_bundle = nosan_server if HAS_MODERN_SSL or HAS_PYOPENSSL: warnings_expected = ("SubjectAltNameWarning",) else: warnings_expected = ( "SNIMissingWarning", "InsecurePlatformWarning", "SubjectAltNameWarning", ) with pytest.warns() as warning_records: warnings.simplefilter("always") requests.get(f"https://localhost:{port}/", verify=ca_bundle) warning_records = [ item for item in warning_records if item.category.__name__ != "ResourceWarning" ] warnings_category = tuple(item.category.__name__ for item in warning_records) assert warnings_category == warnings_expected def test_certificate_failure(self, httpbin_secure): """ When underlying SSL problems occur, an SSLError is raised. """ with pytest.raises(RequestsSSLError): # Our local httpbin does not have a trusted CA, so this call will # fail if we use our default trust bundle. requests.get(httpbin_secure("status", "200")) def test_urlencoded_get_query_multivalued_param(self, httpbin): r = requests.get(httpbin("get"), params={"test": ["foo", "baz"]}) assert r.status_code == 200 assert r.url == httpbin("get?test=foo&test=baz") def test_form_encoded_post_query_multivalued_element(self, httpbin): r = requests.Request( method="POST", url=httpbin("post"), data=dict(test=["foo", "baz"]) ) prep = r.prepare() assert prep.body == "test=foo&test=baz" def test_different_encodings_dont_break_post(self, httpbin): with open(__file__, "rb") as f: r = requests.post( httpbin("post"), data={"stuff": json.dumps({"a": 123})}, params={"blah": "asdf1234"}, files={"file": ("test_requests.py", f)}, ) assert r.status_code == 200 @pytest.mark.parametrize( "data", ( {"stuff": "ëlïxr"}, {"stuff": "ëlïxr".encode()}, {"stuff": "elixr"}, {"stuff": b"elixr"}, ), ) def test_unicode_multipart_post(self, httpbin, data): with open(__file__, "rb") as f: r = requests.post( httpbin("post"), data=data, files={"file": ("test_requests.py", f)}, ) assert r.status_code == 200 def test_unicode_multipart_post_fieldnames(self, httpbin): filename = os.path.splitext(__file__)[0] + ".py" with open(filename, "rb") as f: r = requests.Request( method="POST", url=httpbin("post"), data={b"stuff": "elixr"}, files={"file": ("test_requests.py", f)}, ) prep = r.prepare() assert b'name="stuff"' in prep.body assert b"name=\"b'stuff'\"" not in prep.body def test_unicode_method_name(self, httpbin): with open(__file__, "rb") as f: files = {"file": f} r = requests.request( method="POST", url=httpbin("post"), files=files, ) assert r.status_code == 200 def test_unicode_method_name_with_request_object(self, httpbin): s = requests.Session() with open(__file__, "rb") as f: files = {"file": f} req = requests.Request("POST", httpbin("post"), files=files) prep = s.prepare_request(req) assert isinstance(prep.method, builtin_str) assert prep.method == "POST" resp = s.send(prep) assert resp.status_code == 200 def test_non_prepared_request_error(self): s = requests.Session() req = requests.Request("POST", "/") with pytest.raises(ValueError) as e: s.send(req) assert str(e.value) == "You can only send PreparedRequests." def test_custom_content_type(self, httpbin): with open(__file__, "rb") as f1: with open(__file__, "rb") as f2: data = {"stuff": json.dumps({"a": 123})} files = { "file1": ("test_requests.py", f1), "file2": ("test_requests", f2, "text/py-content-type"), } r = requests.post(httpbin("post"), data=data, files=files) assert r.status_code == 200 assert b"text/py-content-type" in r.request.body def test_hook_receives_request_arguments(self, httpbin): def hook(resp, kwargs): assert resp is not None assert kwargs != {} s = requests.Session() r = requests.Request("GET", httpbin(), hooks={"response": hook}) prep = s.prepare_request(r) s.send(prep) def test_session_hooks_are_used_with_no_request_hooks(self, httpbin): def hook(args, kwargs): pass s = requests.Session() s.hooks["response"].append(hook) r = requests.Request("GET", httpbin()) prep = s.prepare_request(r) assert prep.hooks["response"] != [] assert prep.hooks["response"] == [hook] def test_session_hooks_are_overridden_by_request_hooks(self, httpbin): def hook1(args, *kwargs): pass def hook2(args, kwargs): pass assert hook1 is not hook2 s = requests.Session() s.hooks["response"].append(hook2) r = requests.Request("GET", httpbin(), hooks={"response": [hook1]}) prep = s.prepare_request(r) assert prep.hooks["response"] == [hook1] def test_prepared_request_hook(self, httpbin): def hook(resp, kwargs): resp.hook_working = True return resp req = requests.Request("GET", httpbin(), hooks={"response": hook}) prep = req.prepare() s = requests.Session() s.proxies = getproxies() resp = s.send(prep) assert hasattr(resp, "hook_working") def test_prepared_from_session(self, httpbin): class DummyAuth(requests.auth.AuthBase): def __call__(self, r): r.headers["Dummy-Auth-Test"] = "dummy-auth-test-ok" return r req = requests.Request("GET", httpbin("headers")) assert not req.auth s = requests.Session() s.auth = DummyAuth() prep = s.prepare_request(req) resp = s.send(prep) assert resp.json()["headers"]["Dummy-Auth-Test"] == "dummy-auth-test-ok" def test_prepare_request_with_bytestring_url(self): req = requests.Request("GET", b"https://httpbin.org/") s = requests.Session() prep = s.prepare_request(req) assert prep.url == "https://httpbin.org/" def test_request_with_bytestring_host(self, httpbin): s = requests.Session() resp = s.request( "GET", httpbin("cookies/set?cookie=value"), allow_redirects=False, headers={"Host": b"httpbin.org"}, ) assert resp.cookies.get("cookie") == "value" def test_links(self): r = requests.Response() r.headers = { "cache-control": "public, max-age=60, s-maxage=60", "connection": "keep-alive", "content-encoding": "gzip", "content-type": "application/json; charset=utf-8", "date": "Sat, 26 Jan 2013 16:47:56 GMT", "etag": '"6ff6a73c0e446c1f61614769e3ceb778"', "last-modified": "Sat, 26 Jan 2013 16:22:39 GMT", "link": ( "<https://api.github.com/users/kennethreitz/repos?" 'page=2&per_page=10>; rel="next", <https://api.github.' "com/users/kennethreitz/repos?page=7&per_page=10>; " ' rel="last"' ), "server": "GitHub.com", "status": "200 OK", "vary": "Accept", "x-content-type-options": "nosniff", "x-github-media-type": "github.beta", "x-ratelimit-limit": "60", "x-ratelimit-remaining": "57", } assert r.links["next"]["rel"] == "next" def test_cookie_parameters(self): key = "some_cookie" value = "some_value" secure = True domain = "test.com" rest = {"HttpOnly": True} jar = requests.cookies.RequestsCookieJar() jar.set(key, value, secure=secure, domain=domain, rest=rest) assert len(jar) == 1 assert "some_cookie" in jar cookie = list(jar)[0] assert cookie.secure == secure assert cookie.domain == domain assert cookie._rest["HttpOnly"] == rest["HttpOnly"] def test_cookie_as_dict_keeps_len(self): key = "some_cookie" value = "some_value" key1 = "some_cookie1" value1 = "some_value1" jar = requests.cookies.RequestsCookieJar() jar.set(key, value) jar.set(key1, value1) d1 = dict(jar) d2 = dict(jar.iteritems()) d3 = dict(jar.items()) assert len(jar) == 2 assert len(d1) == 2 assert len(d2) == 2 assert len(d3) == 2 def test_cookie_as_dict_keeps_items(self): key = "some_cookie" value = "some_value" key1 = "some_cookie1" value1 = "some_value1" jar = requests.cookies.RequestsCookieJar() jar.set(key, value) jar.set(key1, value1) d1 = dict(jar) d2 = dict(jar.iteritems()) d3 = dict(jar.items()) assert d1["some_cookie"] == "some_value" assert d2["some_cookie"] == "some_value" assert d3["some_cookie1"] == "some_value1" def test_cookie_as_dict_keys(self): key = "some_cookie" value = "some_value" key1 = "some_cookie1" value1 = "some_value1" jar = requests.cookies.RequestsCookieJar() jar.set(key, value) jar.set(key1, value1) keys = jar.keys() assert keys == list(keys) # make sure one can use keys multiple times assert list(keys) == list(keys) def test_cookie_as_dict_values(self): key = "some_cookie" value = "some_value" key1 = "some_cookie1" value1 = "some_value1" jar = requests.cookies.RequestsCookieJar() jar.set(key, value) jar.set(key1, value1) values = jar.values() assert values == list(values) # make sure one can use values multiple times assert list(values) == list(values) def test_cookie_as_dict_items(self): key = "some_cookie" value = "some_value" key1 = "some_cookie1" value1 = "some_value1" jar = requests.cookies.RequestsCookieJar() jar.set(key, value) jar.set(key1, value1) items = jar.items() assert items == list(items) # make sure one can use items multiple times assert list(items) == list(items) def test_cookie_duplicate_names_different_domains(self): key = "some_cookie" value = "some_value" domain1 = "test1.com" domain2 = "test2.com" jar = requests.cookies.RequestsCookieJar() jar.set(key, value, domain=domain1) jar.set(key, value, domain=domain2) assert key in jar items = jar.items() assert len(items) == 2 # Verify that CookieConflictError is raised if domain is not specified with pytest.raises(requests.cookies.CookieConflictError): jar.get(key) # Verify that CookieConflictError is not raised if domain is specified cookie = jar.get(key, domain=domain1) assert cookie == value def test_cookie_duplicate_names_raises_cookie_conflict_error(self): key = "some_cookie" value = "some_value" path = "some_path" jar = requests.cookies.RequestsCookieJar() jar.set(key, value, path=path) jar.set(key, value) with pytest.raises(requests.cookies.CookieConflictError): jar.get(key) def test_cookie_policy_copy(self): class MyCookiePolicy(cookielib.DefaultCookiePolicy): pass jar = requests.cookies.RequestsCookieJar() jar.set_policy(MyCookiePolicy()) assert isinstance(jar.copy().get_policy(), MyCookiePolicy) def test_time_elapsed_blank(self, httpbin): r = requests.get(httpbin("get")) td = r.elapsed total_seconds = ( td.microseconds + (td.seconds + td.days * 24 * 3600) * 106 ) / 106 assert total_seconds > 0.0 def test_empty_response_has_content_none(self): r = requests.Response() assert r.content is None def test_response_is_iterable(self): r = requests.Response() io = StringIO.StringIO("abc") read_ = io.read def read_mock(amt, decode_content=None): return read_(amt) setattr(io, "read", read_mock) r.raw = io assert next(iter(r)) io.close() def test_response_decode_unicode(self): """When called with decode_unicode, Response.iter_content should always return unicode. """ r = requests.Response() r._content_consumed = True r._content = b"the content" r.encoding = "ascii" chunks = r.iter_content(decode_unicode=True) assert all(isinstance(chunk, str) for chunk in chunks) # also for streaming r = requests.Response() r.raw = io.BytesIO(b"the content") r.encoding = "ascii" chunks = r.iter_content(decode_unicode=True) assert all(isinstance(chunk, str) for chunk in chunks) def test_response_reason_unicode(self): # check for unicode HTTP status r = requests.Response() r.url = "unicode URL" r.reason = "Komponenttia ei löydy".encode() r.status_code = 404 r.encoding = None assert not r.ok # old behaviour - crashes here def test_response_reason_unicode_fallback(self): # check raise_status falls back to ISO-8859-1 r = requests.Response() r.url = "some url" reason = "Komponenttia ei löydy" r.reason = reason.encode("latin-1") r.status_code = 500 r.encoding = None with pytest.raises(requests.exceptions.HTTPError) as e: r.raise_for_status() assert reason in e.value.args[0] def test_response_chunk_size_type(self): """Ensure that chunk_size is passed as None or an integer, otherwise raise a TypeError. """ r = requests.Response() r.raw = io.BytesIO(b"the content") chunks = r.iter_content(1) assert all(len(chunk) == 1 for chunk in chunks) r = requests.Response() r.raw = io.BytesIO(b"the content") chunks = r.iter_content(None) assert list(chunks) == [b"the content"] r = requests.Response() r.raw = io.BytesIO(b"the content") with pytest.raises(TypeError): chunks = r.iter_content("1024") @pytest.mark.parametrize( "exception, args, expected", ( (urllib3.exceptions.ProtocolError, tuple(), ChunkedEncodingError), (urllib3.exceptions.DecodeError, tuple(), ContentDecodingError), (urllib3.exceptions.ReadTimeoutError, (None, "", ""), ConnectionError), (urllib3.exceptions.SSLError, tuple(), RequestsSSLError), ), ) def test_iter_content_wraps_exceptions(self, httpbin, exception, args, expected): r = requests.Response() r.raw = mock.Mock() # ReadTimeoutError can't be initialized by mock # so we'll manually create the instance with args r.raw.stream.side_effect = exception(args) with pytest.raises(expected): next(r.iter_content(1024)) def test_request_and_response_are_pickleable(self, httpbin): r = requests.get(httpbin("get")) # verify we can pickle the original request assert pickle.loads(pickle.dumps(r.request)) # verify we can pickle the response and that we have access to # the original request. pr = pickle.loads(pickle.dumps(r)) assert r.request.url == pr.request.url assert r.request.headers == pr.request.headers def test_prepared_request_is_pickleable(self, httpbin): p = requests.Request("GET", httpbin("get")).prepare() # Verify PreparedRequest can be pickled and unpickled r = pickle.loads(pickle.dumps(p)) assert r.url == p.url assert r.headers == p.headers assert r.body == p.body # Verify unpickled PreparedRequest sends properly s = requests.Session() resp = s.send(r) assert resp.status_code == 200 def test_prepared_request_with_file_is_pickleable(self, httpbin): with open(__file__, "rb") as f: r = requests.Request("POST", httpbin("post"), files={"file": f}) p = r.prepare() # Verify PreparedRequest can be pickled and unpickled r = pickle.loads(pickle.dumps(p)) assert r.url == p.url assert r.headers == p.headers assert r.body == p.body # Verify unpickled PreparedRequest sends properly s = requests.Session() resp = s.send(r) assert resp.status_code == 200 def test_prepared_request_with_hook_is_pickleable(self, httpbin): r = requests.Request("GET", httpbin("get"), hooks=default_hooks()) p = r.prepare() # Verify PreparedRequest can be pickled r = pickle.loads(pickle.dumps(p)) assert r.url == p.url assert r.headers == p.headers assert r.body == p.body assert r.hooks == p.hooks # Verify unpickled PreparedRequest sends properly s = requests.Session() resp = s.send(r) assert resp.status_code == 200 def test_cannot_send_unprepared_requests(self, httpbin): r = requests.Request(url=httpbin()) with pytest.raises(ValueError): requests.Session().send(r) def test_http_error(self): error = requests.exceptions.HTTPError() assert not error.response response = requests.Response() error = requests.exceptions.HTTPError(response=response) assert error.response == response error = requests.exceptions.HTTPError("message", response=response) assert str(error) == "message" assert error.response == response def test_session_pickling(self, httpbin): r = requests.Request("GET", httpbin("get")) s = requests.Session() s = pickle.loads(pickle.dumps(s)) s.proxies = getproxies() r = s.send(r.prepare()) assert r.status_code == 200 def test_fixes_1329(self, httpbin): """Ensure that header updates are done case-insensitively.""" s = requests.Session() s.headers.update({"ACCEPT": "BOGUS"}) s.headers.update({"accept": "application/json"}) r = s.get(httpbin("get")) headers = r.request.headers assert headers["accept"] == "application/json" assert headers["Accept"] == "application/json" assert headers["ACCEPT"] == "application/json" def test_uppercase_scheme_redirect(self, httpbin): parts = urlparse(httpbin("html")) url = "HTTP://" + parts.netloc + parts.path r = requests.get(httpbin("redirect-to"), params={"url": url}) assert r.status_code == 200 assert r.url.lower() == url.lower() def test_transport_adapter_ordering(self): s = requests.Session() order = ["https://", "http://"] assert order == list(s.adapters) s.mount("http://git", HTTPAdapter()) s.mount("http://github", HTTPAdapter()) s.mount("http://github.com", HTTPAdapter()) s.mount("http://github.com/about/", HTTPAdapter()) order = [ "http://github.com/about/", "http://github.com", "http://github", "http://git", "https://", "http://", ] assert order == list(s.adapters) s.mount("http://gittip", HTTPAdapter()) s.mount("http://gittip.com", HTTPAdapter()) s.mount("http://gittip.com/about/", HTTPAdapter()) order = [ "http://github.com/about/", "http://gittip.com/about/", "http://github.com", "http://gittip.com", "http://github", "http://gittip", "http://git", "https://", "http://", ] assert order == list(s.adapters) s2 = requests.Session() s2.adapters = {"http://": HTTPAdapter()} s2.mount("https://", HTTPAdapter()) assert "http://" in s2.adapters assert "https://" in s2.adapters def test_session_get_adapter_prefix_matching(self): prefix = "https://example.com" more_specific_prefix = prefix + "/some/path" url_matching_only_prefix = prefix + "/another/path" url_matching_more_specific_prefix = more_specific_prefix + "/longer/path" url_not_matching_prefix = "https://another.example.com/" s = requests.Session() prefix_adapter = HTTPAdapter() more_specific_prefix_adapter = HTTPAdapter() s.mount(prefix, prefix_adapter) s.mount(more_specific_prefix, more_specific_prefix_adapter) assert s.get_adapter(url_matching_only_prefix) is prefix_adapter assert ( s.get_adapter(url_matching_more_specific_prefix) is more_specific_prefix_adapter ) assert s.get_adapter(url_not_matching_prefix) not in ( prefix_adapter, more_specific_prefix_adapter, ) def test_session_get_adapter_prefix_matching_mixed_case(self): mixed_case_prefix = "hTtPs://eXamPle.CoM/MixEd_CAse_PREfix" url_matching_prefix = mixed_case_prefix + "/full_url" s = requests.Session() my_adapter = HTTPAdapter() s.mount(mixed_case_prefix, my_adapter) assert s.get_adapter(url_matching_prefix) is my_adapter def test_session_get_adapter_prefix_matching_is_case_insensitive(self): mixed_case_prefix = "hTtPs://eXamPle.CoM/MixEd_CAse_PREfix" url_matching_prefix_with_different_case = ( "HtTpS://exaMPLe.cOm/MiXeD_caSE_preFIX/another_url" ) s = requests.Session() my_adapter = HTTPAdapter() s.mount(mixed_case_prefix, my_adapter) assert s.get_adapter(url_matching_prefix_with_different_case) is my_adapter def test_header_remove_is_case_insensitive(self, httpbin): # From issue #1321 s = requests.Session() s.headers["foo"] = "bar" r = s.get(httpbin("get"), headers={"FOO": None}) assert "foo" not in r.request.headers def test_params_are_merged_case_sensitive(self, httpbin): s = requests.Session() s.params["foo"] = "bar" r = s.get(httpbin("get"), params={"FOO": "bar"}) assert r.json()["args"] == {"foo": "bar", "FOO": "bar"} def test_long_authinfo_in_url(self): url = "http://{}:{}@{}:9000/path?query#frag".format( "E8A3BE87-9E3F-4620-8858-95478E385B5B", "EA770032-DA4D-4D84-8CE9-29C6D910BF1E", "exactly-------------sixty-----------three------------characters", ) r = requests.Request("GET", url).prepare() assert r.url == url def test_header_keys_are_native(self, httpbin): headers = {"unicode": "blah", b"byte": "blah"} r = requests.Request("GET", httpbin("get"), headers=headers) p = r.prepare() # This is testing that they are builtin strings. A bit weird, but there # we go. assert "unicode" in p.headers.keys() assert "byte" in p.headers.keys() def test_header_validation(self, httpbin): """Ensure prepare_headers regex isn't flagging valid header contents.""" valid_headers = { "foo": "bar baz qux", "bar": b"fbbq", "baz": "", "qux": "1", } r = requests.get(httpbin("get"), headers=valid_headers) for key in valid_headers.keys(): assert valid_headers[key] == r.request.headers[key] @pytest.mark.parametrize( "invalid_header, key", ( ({"foo": 3}, "foo"), ({"bar": {"foo": "bar"}}, "bar"), ({"baz": ["foo", "bar"]}, "baz"), ), ) def test_header_value_not_str(self, httpbin, invalid_header, key): """Ensure the header value is of type string or bytes as per discussion in GH issue #3386 """ with pytest.raises(InvalidHeader) as excinfo: requests.get(httpbin("get"), headers=invalid_header) assert key in str(excinfo.value) @pytest.mark.parametrize( "invalid_header", ( {"foo": "bar\r\nbaz: qux"}, {"foo": "bar\n\rbaz: qux"}, {"foo": "bar\nbaz: qux"}, {"foo": "bar\rbaz: qux"}, {"fo\ro": "bar"}, {"fo\r\no": "bar"}, {"fo\n\ro": "bar"}, {"fo\no": "bar"}, ), ) def test_header_no_return_chars(self, httpbin, invalid_header): """Ensure that a header containing return character sequences raise an exception. Otherwise, multiple headers are created from single string. """ with pytest.raises(InvalidHeader): requests.get(httpbin("get"), headers=invalid_header) @pytest.mark.parametrize( "invalid_header", ( {" foo": "bar"}, {"\tfoo": "bar"}, {" foo": "bar"}, {"foo": " bar"}, {"foo": " bar"}, {"foo": "\tbar"}, {" ": "bar"}, ), ) def test_header_no_leading_space(self, httpbin, invalid_header): """Ensure headers containing leading whitespace raise InvalidHeader Error before sending. """ with pytest.raises(InvalidHeader): requests.get(httpbin("get"), headers=invalid_header) def test_header_with_subclass_types(self, httpbin): """If the subclasses does not behave exactly* like the base bytes/str classes, this is not supported. This test is for backwards compatibility. """ class MyString(str): pass class MyBytes(bytes): pass r_str = requests.get(httpbin("get"), headers={MyString("x-custom"): "myheader"}) assert r_str.request.headers["x-custom"] == "myheader" r_bytes = requests.get( httpbin("get"), headers={MyBytes(b"x-custom"): b"myheader"} ) assert r_bytes.request.headers["x-custom"] == b"myheader" r_mixed = requests.get( httpbin("get"), headers={MyString("x-custom"): MyBytes(b"myheader")} ) assert r_mixed.request.headers["x-custom"] == b"myheader" @pytest.mark.parametrize("files", ("foo", b"foo", bytearray(b"foo"))) def test_can_send_objects_with_files(self, httpbin, files): data = {"a": "this is a string"} files = {"b": files} r = requests.Request("POST", httpbin("post"), data=data, files=files) p = r.prepare() assert "multipart/form-data" in p.headers["Content-Type"] def test_can_send_file_object_with_non_string_filename(self, httpbin): f = io.BytesIO() f.name = 2 r = requests.Request("POST", httpbin("post"), files={"f": f}) p = r.prepare() assert "multipart/form-data" in p.headers["Content-Type"] def test_autoset_header_values_are_native(self, httpbin): data = "this is a string" length = "16" req = requests.Request("POST", httpbin("post"), data=data) p = req.prepare() assert p.headers["Content-Length"] == length def test_content_length_for_bytes_data(self, httpbin): data = "This is a string containing multi-byte UTF-8 ☃️" encoded_data = data.encode("utf-8") length = str(len(encoded_data)) req = requests.Request("POST", httpbin("post"), data=encoded_data) p = req.prepare() assert p.headers["Content-Length"] == length def test_content_length_for_string_data_counts_bytes(self, httpbin): data = "This is a string containing multi-byte UTF-8 ☃️" length = str(len(data.encode("utf-8"))) req = requests.Request("POST", httpbin("post"), data=data) p = req.prepare() assert p.headers["Content-Length"] == length def test_nonhttp_schemes_dont_check_URLs(self): test_urls = ( "data:image/gif;base64,R0lGODlhAQABAHAAACH5BAUAAAAALAAAAAABAAEAAAICRAEAOw==", "file:///etc/passwd", "magnet:?xt=urn:btih:be08f00302bc2d1d3cfa3af02024fa647a271431", ) for test_url in test_urls: req = requests.Request("GET", test_url) preq = req.prepare() assert test_url == preq.url def test_auth_is_stripped_on_http_downgrade( self, httpbin, httpbin_secure, httpbin_ca_bundle ): r = requests.get( httpbin_secure("redirect-to"), params={"url": httpbin("get")}, auth=("user", "pass"), verify=httpbin_ca_bundle, ) assert r.history[0].request.headers["Authorization"] assert "Authorization" not in r.request.headers def test_auth_is_retained_for_redirect_on_host(self, httpbin): r = requests.get(httpbin("redirect/1"), auth=("user", "pass")) h1 = r.history[0].request.headers["Authorization"] h2 = r.request.headers["Authorization"] assert h1 == h2 def test_should_strip_auth_host_change(self): s = requests.Session() assert s.should_strip_auth( "http://example.com/foo", "http://another.example.com/" ) def test_should_strip_auth_http_downgrade(self): s = requests.Session() assert s.should_strip_auth("https://example.com/foo", "http://example.com/bar") def test_should_strip_auth_https_upgrade(self): s = requests.Session() assert not s.should_strip_auth( "http://example.com/foo", "https://example.com/bar" ) assert not s.should_strip_auth( "http://example.com:80/foo", "https://example.com/bar" ) assert not s.should_strip_auth( "http://example.com/foo", "https://example.com:443/bar" ) # Non-standard ports should trigger stripping assert s.should_strip_auth( "http://example.com:8080/foo", "https://example.com/bar" ) assert s.should_strip_auth( "http://example.com/foo", "https://example.com:8443/bar" ) def test_should_strip_auth_port_change(self): s = requests.Session() assert s.should_strip_auth( "http://example.com:1234/foo", "https://example.com:4321/bar" ) @pytest.mark.parametrize( "old_uri, new_uri", ( ("https://example.com:443/foo", "https://example.com/bar"), ("http://example.com:80/foo", "http://example.com/bar"), ("https://example.com/foo", "https://example.com:443/bar"), ("http://example.com/foo", "http://example.com:80/bar"), ), ) def test_should_strip_auth_default_port(self, old_uri, new_uri): s = requests.Session() assert not s.should_strip_auth(old_uri, new_uri) def test_manual_redirect_with_partial_body_read(self, httpbin): s = requests.Session() r1 = s.get(httpbin("redirect/2"), allow_redirects=False, stream=True) assert r1.is_redirect rg = s.resolve_redirects(r1, r1.request, stream=True) # read only the first eight bytes of the response body, # then follow the redirect r1.iter_content(8) r2 = next(rg) assert r2.is_redirect # read all of the response via iter_content, # then follow the redirect for _ in r2.iter_content(): pass r3 = next(rg) assert not r3.is_redirect def test_prepare_body_position_non_stream(self): data = b"the data" prep = requests.Request("GET", "http://example.com", data=data).prepare() assert prep._body_position is None def test_rewind_body(self): data = io.BytesIO(b"the data") prep = requests.Request("GET", "http://example.com", data=data).prepare() assert prep._body_position == 0 assert prep.body.read() == b"the data" # the data has all been read assert prep.body.read() == b"" # rewind it back requests.utils.rewind_body(prep) assert prep.body.read() == b"the data" def test_rewind_partially_read_body(self): data = io.BytesIO(b"the data") data.read(4) # read some data prep = requests.Request("GET", "http://example.com", data=data).prepare() assert prep._body_position == 4 assert prep.body.read() == b"data" # the data has all been read assert prep.body.read() == b"" # rewind it back requests.utils.rewind_body(prep) assert prep.body.read() == b"data" def test_rewind_body_no_seek(self): class BadFileObj: def __init__(self, data): self.data = data def tell(self): return 0 def __iter__(self): return data = BadFileObj("the data") prep = requests.Request("GET", "http://example.com", data=data).prepare() assert prep._body_position == 0 with pytest.raises(UnrewindableBodyError) as e: requests.utils.rewind_body(prep) assert "Unable to rewind request body" in str(e) def test_rewind_body_failed_seek(self): class BadFileObj: def __init__(self, data): self.data = data def tell(self): return 0 def seek(self, pos, whence=0): raise OSError() def __iter__(self): return data = BadFileObj("the data") prep = requests.Request("GET", "http://example.com", data=data).prepare() assert prep._body_position == 0 with pytest.raises(UnrewindableBodyError) as e: requests.utils.rewind_body(prep) assert "error occurred when rewinding request body" in str(e) def test_rewind_body_failed_tell(self): class BadFileObj: def __init__(self, data): self.data = data def tell(self): raise OSError() def __iter__(self): return data = BadFileObj("the data") prep = requests.Request("GET", "http://example.com", data=data).prepare() assert prep._body_position is not None with pytest.raises(UnrewindableBodyError) as e: requests.utils.rewind_body(prep) assert "Unable to rewind request body" in str(e) def _patch_adapter_gzipped_redirect(self, session, url): adapter = session.get_adapter(url=url) org_build_response = adapter.build_response self._patched_response = False def build_response(args, kwargs): resp = org_build_response(args, *kwargs) if not self._patched_response: resp.raw.headers["content-encoding"] = "gzip" self._patched_response = True return resp adapter.build_response = build_response def test_redirect_with_wrong_gzipped_header(self, httpbin): s = requests.Session() url = httpbin("redirect/1") self._patch_adapter_gzipped_redirect(s, url) s.get(url) @pytest.mark.parametrize( "username, password, auth_str", ( ("test", "test", "Basic dGVzdDp0ZXN0"), ( "имя".encode(), "пароль".encode(), "Basic 0LjQvNGPOtC/0LDRgNC+0LvRjA==", ), ), ) def test_basic_auth_str_is_always_native(self, username, password, auth_str): s = _basic_auth_str(username, password) assert isinstance(s, builtin_str) assert s == auth_str def test_requests_history_is_saved(self, httpbin): r = requests.get(httpbin("redirect/5")) total = r.history[-1].history i = 0 for item in r.history: assert item.history == total[0:i] i += 1 def test_json_param_post_content_type_works(self, httpbin): r = requests.post(httpbin("post"), json={"life": 42}) assert r.status_code == 200 assert "application/json" in r.request.headers["Content-Type"] assert {"life": 42} == r.json()["json"] def test_json_param_post_should_not_override_data_param(self, httpbin): r = requests.Request( method="POST", url=httpbin("post"), data={"stuff": "elixr"}, json={"music": "flute"}, ) prep = r.prepare() assert "stuff=elixr" == prep.body def test_response_iter_lines(self, httpbin): r = requests.get(httpbin("stream/4"), stream=True) assert r.status_code == 200 it = r.iter_lines() next(it) assert len(list(it)) == 3 def test_response_context_manager(self, httpbin): with requests.get(httpbin("stream/4"), stream=True) as response: assert isinstance(response, requests.Response) assert response.raw.closed def test_unconsumed_session_response_closes_connection(self, httpbin): s = requests.session() with contextlib.closing(s.get(httpbin("stream/4"), stream=True)) as response: pass assert response._content_consumed is False assert response.raw.closed @pytest.mark.xfail def test_response_iter_lines_reentrant(self, httpbin): """Response.iter_lines() is not reentrant safe""" r = requests.get(httpbin("stream/4"), stream=True) assert r.status_code == 200 next(r.iter_lines()) assert len(list(r.iter_lines())) == 3 def test_session_close_proxy_clear(self): proxies = { "one": mock.Mock(), "two": mock.Mock(), } session = requests.Session() with mock.patch.dict(session.adapters["http://"].proxy_manager, proxies): session.close() proxies["one"].clear.assert_called_once_with() proxies["two"].clear.assert_called_once_with() def test_proxy_auth(self): adapter = HTTPAdapter() headers = adapter.proxy_headers("http://user:pass@httpbin.org") assert headers == {"Proxy-Authorization": "Basic dXNlcjpwYXNz"} def test_proxy_auth_empty_pass(self): adapter = HTTPAdapter() headers = adapter.proxy_headers("http://user:@httpbin.org") assert headers == {"Proxy-Authorization": "Basic dXNlcjo="} def test_response_json_when_content_is_None(self, httpbin): r = requests.get(httpbin("/status/204")) # Make sure r.content is None r.status_code = 0 r._content = False r._content_consumed = False assert r.content is None with pytest.raises(ValueError): r.json() def test_response_without_release_conn(self): """Test `close` call for non-urllib3-like raw objects. Should work when `release_conn` attr doesn't exist on `response.raw`. """ resp = requests.Response() resp.raw = StringIO.StringIO("test") assert not resp.raw.closed resp.close() assert resp.raw.closed def test_empty_stream_with_auth_does_not_set_content_length_header(self, httpbin): """Ensure that a byte stream with size 0 will not set both a Content-Length and Transfer-Encoding header. """ auth = ("user", "pass") url = httpbin("post") file_obj = io.BytesIO(b"") r = requests.Request("POST", url, auth=auth, data=file_obj) prepared_request = r.prepare() assert "Transfer-Encoding" in prepared_request.headers assert "Content-Length" not in prepared_request.headers def test_stream_with_auth_does_not_set_transfer_encoding_header(self, httpbin): """Ensure that a byte stream with size > 0 will not set both a Content-Length and Transfer-Encoding header. """ auth = ("user", "pass") url = httpbin("post") file_obj = io.BytesIO(b"test data") r = requests.Request("POST", url, auth=auth, data=file_obj) prepared_request = r.prepare() assert "Transfer-Encoding" not in prepared_request.headers assert "Content-Length" in prepared_request.headers def test_chunked_upload_does_not_set_content_length_header(self, httpbin): """Ensure that requests with a generator body stream using Transfer-Encoding: chunked, not a Content-Length header. """ data = (i for i in [b"a", b"b", b"c"]) url = httpbin("post") r = requests.Request("POST", url, data=data) prepared_request = r.prepare() assert "Transfer-Encoding" in prepared_request.headers assert "Content-Length" not in prepared_request.headers def test_custom_redirect_mixin(self, httpbin): """Tests a custom mixin to overwrite ``get_redirect_target``. Ensures a subclassed ``requests.Session`` can handle a certain type of malformed redirect responses. 1. original request receives a proper response: 302 redirect 2. following the redirect, a malformed response is given: status code = HTTP 200 location = alternate url 3. the custom session catches the edge case and follows the redirect """ url_final = httpbin("html") querystring_malformed = urlencode({"location": url_final}) url_redirect_malformed = httpbin("response-headers?%s" % querystring_malformed) querystring_redirect = urlencode({"url": url_redirect_malformed}) url_redirect = httpbin("redirect-to?%s" % querystring_redirect) urls_test = [ url_redirect, url_redirect_malformed, url_final, ] class CustomRedirectSession(requests.Session): def get_redirect_target(self, resp): # default behavior if resp.is_redirect: return resp.headers["location"] # edge case - check to see if 'location' is in headers anyways location = resp.headers.get("location") if location and (location != resp.url): return location return None session = CustomRedirectSession() r = session.get(urls_test[0]) assert len(r.history) == 2 assert r.status_code == 200 assert r.history[0].status_code == 302 assert r.history[0].is_redirect assert r.history[1].status_code == 200 assert not r.history[1].is_redirect assert r.url == urls_test[2] class TestCaseInsensitiveDict: @pytest.mark.parametrize( "cid", ( CaseInsensitiveDict({"Foo": "foo", "BAr": "bar"}), CaseInsensitiveDict([("Foo", "foo"), ("BAr", "bar")]), CaseInsensitiveDict(FOO="foo", BAr="bar"), ), ) def test_init(self, cid): assert len(cid) == 2 assert "foo" in cid assert "bar" in cid def test_docstring_example(self): cid = CaseInsensitiveDict() cid["Accept"] = "application/json" assert cid["aCCEPT"] == "application/json" assert list(cid) == ["Accept"] def test_len(self): cid = CaseInsensitiveDict({"a": "a", "b": "b"}) cid["A"] = "a" assert len(cid) == 2 def test_getitem(self): cid = CaseInsensitiveDict({"Spam": "blueval"}) assert cid["spam"] == "blueval" assert cid["SPAM"] == "blueval" def test_fixes_649(self): """__setitem__ should behave case-insensitively.""" cid = CaseInsensitiveDict() cid["spam"] = "oneval" cid["Spam"] = "twoval" cid["sPAM"] = "redval" cid["SPAM"] = "blueval" assert cid["spam"] == "blueval" assert cid["SPAM"] == "blueval" assert list(cid.keys()) == ["SPAM"] def test_delitem(self): cid = CaseInsensitiveDict() cid["Spam"] = "someval" del cid["sPam"] assert "spam" not in cid assert len(cid) == 0 def test_contains(self): cid = CaseInsensitiveDict() cid["Spam"] = "someval" assert "Spam" in cid assert "spam" in cid assert "SPAM" in cid assert "sPam" in cid assert "notspam" not in cid def test_get(self): cid = CaseInsensitiveDict() cid["spam"] = "oneval" cid["SPAM"] = "blueval" assert cid.get("spam") == "blueval" assert cid.get("SPAM") == "blueval" assert cid.get("sPam") == "blueval" assert cid.get("notspam", "default") == "default" def test_update(self): cid = CaseInsensitiveDict() cid["spam"] = "blueval" cid.update({"sPam": "notblueval"}) assert cid["spam"] == "notblueval" cid = CaseInsensitiveDict({"Foo": "foo", "BAr": "bar"}) cid.update({"fOO": "anotherfoo", "bAR": "anotherbar"}) assert len(cid) == 2 assert cid["foo"] == "anotherfoo" assert cid["bar"] == "anotherbar" def test_update_retains_unchanged(self): cid = CaseInsensitiveDict({"foo": "foo", "bar": "bar"}) cid.update({"foo": "newfoo"}) assert cid["bar"] == "bar" def test_iter(self): cid = CaseInsensitiveDict({"Spam": "spam", "Eggs": "eggs"}) keys = frozenset(["Spam", "Eggs"]) assert frozenset(iter(cid)) == keys def test_equality(self): cid = CaseInsensitiveDict({"SPAM": "blueval", "Eggs": "redval"}) othercid = CaseInsensitiveDict({"spam": "blueval", "eggs": "redval"}) assert cid == othercid del othercid["spam"] assert cid != othercid assert cid == {"spam": "blueval", "eggs": "redval"} assert cid != object() def test_setdefault(self): cid = CaseInsensitiveDict({"Spam": "blueval"}) assert cid.setdefault("spam", "notblueval") == "blueval" assert cid.setdefault("notspam", "notblueval") == "notblueval" def test_lower_items(self): cid = CaseInsensitiveDict( { "Accept": "application/json", "user-Agent": "requests", } ) keyset = frozenset(lowerkey for lowerkey, v in cid.lower_items()) lowerkeyset = frozenset(["accept", "user-agent"]) assert keyset == lowerkeyset def test_preserve_key_case(self): cid = CaseInsensitiveDict( { "Accept": "application/json", "user-Agent": "requests", } ) keyset = frozenset(["Accept", "user-Agent"]) assert frozenset(i[0] for i in cid.items()) == keyset assert frozenset(cid.keys()) == keyset assert frozenset(cid) == keyset def test_preserve_last_key_case(self): cid = CaseInsensitiveDict( { "Accept": "application/json", "user-Agent": "requests", } ) cid.update({"ACCEPT": "application/json"}) cid["USER-AGENT"] = "requests" keyset = frozenset(["ACCEPT", "USER-AGENT"]) assert frozenset(i[0] for i in cid.items()) == keyset assert frozenset(cid.keys()) == keyset assert frozenset(cid) == keyset def test_copy(self): cid = CaseInsensitiveDict( { "Accept": "application/json", "user-Agent": "requests", } ) cid_copy = cid.copy() assert cid == cid_copy cid["changed"] = True assert cid != cid_copy class TestMorselToCookieExpires: """Tests for morsel_to_cookie when morsel contains expires.""" def test_expires_valid_str(self): """Test case where we convert expires from string time.""" morsel = Morsel() morsel["expires"] = "Thu, 01-Jan-1970 00:00:01 GMT" cookie = morsel_to_cookie(morsel) assert cookie.expires == 1 @pytest.mark.parametrize( "value, exception", ( (100, TypeError), ("woops", ValueError), ), ) def test_expires_invalid_int(self, value, exception): """Test case where an invalid type is passed for expires.""" morsel = Morsel() morsel["expires"] = value with pytest.raises(exception): morsel_to_cookie(morsel) def test_expires_none(self): """Test case where expires is None.""" morsel = Morsel() morsel["expires"] = None cookie = morsel_to_cookie(morsel) assert cookie.expires is None class TestMorselToCookieMaxAge: """Tests for morsel_to_cookie when morsel contains max-age.""" def test_max_age_valid_int(self): """Test case where a valid max age in seconds is passed.""" morsel = Morsel() morsel["max-age"] = 60 cookie = morsel_to_cookie(morsel) assert isinstance(cookie.expires, int) def test_max_age_invalid_str(self): """Test case where a invalid max age is passed.""" morsel = Morsel() morsel["max-age"] = "woops" with pytest.raises(TypeError): morsel_to_cookie(morsel) class TestTimeout: def test_stream_timeout(self, httpbin): try: requests.get(httpbin("delay/10"), timeout=2.0) except requests.exceptions.Timeout as e: assert "Read timed out" in e.args[0].args[0] @pytest.mark.parametrize( "timeout, error_text", ( ((3, 4, 5), "(connect, read)"), ("foo", "must be an int, float or None"), ), ) def test_invalid_timeout(self, httpbin, timeout, error_text): with pytest.raises(ValueError) as e: requests.get(httpbin("get"), timeout=timeout) assert error_text in str(e) @pytest.mark.parametrize("timeout", (None, Urllib3Timeout(connect=None, read=None))) def test_none_timeout(self, httpbin, timeout): """Check that you can set None as a valid timeout value. To actually test this behavior, we'd want to check that setting the timeout to None actually lets the request block past the system default timeout. However, this would make the test suite unbearably slow. Instead we verify that setting the timeout to None does not prevent the request from succeeding. """ r = requests.get(httpbin("get"), timeout=timeout) assert r.status_code == 200 @pytest.mark.parametrize( "timeout", ((None, 0.1), Urllib3Timeout(connect=None, read=0.1)) ) def test_read_timeout(self, httpbin, timeout): try: requests.get(httpbin("delay/10"), timeout=timeout) pytest.fail("The recv() request should time out.") except ReadTimeout: pass @pytest.mark.parametrize( "timeout", ((0.1, None), Urllib3Timeout(connect=0.1, read=None)) ) def test_connect_timeout(self, timeout): try: requests.get(TARPIT, timeout=timeout) pytest.fail("The connect() request should time out.") except ConnectTimeout as e: assert isinstance(e, ConnectionError) assert isinstance(e, Timeout) @pytest.mark.parametrize( "timeout", ((0.1, 0.1), Urllib3Timeout(connect=0.1, read=0.1)) ) def test_total_timeout_connect(self, timeout): try: requests.get(TARPIT, timeout=timeout) pytest.fail("The connect() request should time out.") except ConnectTimeout: pass def test_encoded_methods(self, httpbin): """See: https://github.com/psf/requests/issues/2316""" r = requests.request(b"GET", httpbin("get")) assert r.ok SendCall = collections.namedtuple("SendCall", ("args", "kwargs")) class RedirectSession(SessionRedirectMixin): def __init__(self, order_of_redirects): self.redirects = order_of_redirects self.calls = [] self.max_redirects = 30 self.cookies = {} self.trust_env = False def send(self, args, *kwargs): self.calls.append(SendCall(args, kwargs)) return self.build_response() def build_response(self): request = self.calls[-1].args[0] r = requests.Response() try: r.status_code = int(self.redirects.pop(0)) except IndexError: r.status_code = 200 r.headers = CaseInsensitiveDict({"Location": "/"}) r.raw = self._build_raw() r.request = request return r def _build_raw(self): string = StringIO.StringIO("") setattr(string, "release_conn", lambda args: args) return string def test_json_encodes_as_bytes(): # urllib3 expects bodies as bytes-like objects body = {"key": "value"} p = PreparedRequest() p.prepare(method="GET", url="https://www.example.com/", json=body) assert isinstance(p.body, bytes) def test_requests_are_updated_each_time(httpbin): session = RedirectSession([303, 307]) prep = requests.Request("POST", httpbin("post")).prepare() r0 = session.send(prep) assert r0.request.method == "POST" assert session.calls[-1] == SendCall((r0.request,), {}) redirect_generator = session.resolve_redirects(r0, prep) default_keyword_args = { "stream": False, "verify": True, "cert": None, "timeout": None, "allow_redirects": False, "proxies": {}, } for response in redirect_generator: assert response.request.method == "GET" send_call = SendCall((response.request,), default_keyword_args) assert session.calls[-1] == send_call @pytest.mark.parametrize( "var,url,proxy", [ ("http_proxy", "http://example.com", "socks5://proxy.com:9876"), ("https_proxy", "https://example.com", "socks5://proxy.com:9876"), ("all_proxy", "http://example.com", "socks5://proxy.com:9876"), ("all_proxy", "https://example.com", "socks5://proxy.com:9876"), ], ) def test_proxy_env_vars_override_default(var, url, proxy): session = requests.Session() prep = PreparedRequest() prep.prepare(method="GET", url=url) kwargs = {var: proxy} scheme = urlparse(url).scheme with override_environ(kwargs): proxies = session.rebuild_proxies(prep, {}) assert scheme in proxies assert proxies[scheme] == proxy @pytest.mark.parametrize( "data", ( (("a", "b"), ("c", "d")), (("c", "d"), ("a", "b")), (("a", "b"), ("c", "d"), ("e", "f")), ), ) def test_data_argument_accepts_tuples(data): """Ensure that the data argument will accept tuples of strings and properly encode them. """ p = PreparedRequest() p.prepare( method="GET", url="http://www.example.com", data=data, hooks=default_hooks() ) assert p.body == urlencode(data) @pytest.mark.parametrize( "kwargs", ( None, { "method": "GET", "url": "http://www.example.com", "data": "foo=bar", "hooks": default_hooks(), }, { "method": "GET", "url": "http://www.example.com", "data": "foo=bar", "hooks": default_hooks(), "cookies": {"foo": "bar"}, }, {"method": "GET", "url": "http://www.example.com/üniçø∂é"}, ), ) def test_prepared_copy(kwargs): p = PreparedRequest() if kwargs: p.prepare(kwargs) copy = p.copy() for attr in ("method", "url", "headers", "_cookies", "body", "hooks"): assert getattr(p, attr) == getattr(copy, attr) def test_urllib3_retries(httpbin): from urllib3.util import Retry s = requests.Session() s.mount("http://", HTTPAdapter(max_retries=Retry(total=2, status_forcelist=[500]))) with pytest.raises(RetryError): s.get(httpbin("status/500")) def test_urllib3_pool_connection_closed(httpbin): s = requests.Session() s.mount("http://", HTTPAdapter(pool_connections=0, pool_maxsize=0)) try: s.get(httpbin("status/200")) except ConnectionError as e: assert "Pool is closed." in str(e) class TestPreparingURLs: @pytest.mark.parametrize( "url,expected", ( ("http://google.com", "http://google.com/"), ("http://ジェーピーニック.jp", "http://xn--hckqz9bzb1cyrb.jp/"), ("http://xn--n3h.net/", "http://xn--n3h.net/"), ("http://ジェーピーニック.jp".encode(), "http://xn--hckqz9bzb1cyrb.jp/"), ("http://straße.de/straße", "http://xn--strae-oqa.de/stra%C3%9Fe"), ( "http://straße.de/straße".encode(), "http://xn--strae-oqa.de/stra%C3%9Fe", ), ( "http://Königsgäßchen.de/straße", "http://xn--knigsgchen-b4a3dun.de/stra%C3%9Fe", ), ( "http://Königsgäßchen.de/straße".encode(), "http://xn--knigsgchen-b4a3dun.de/stra%C3%9Fe", ), (b"http://xn--n3h.net/", "http://xn--n3h.net/"), ( b"http://[1200:0000:ab00:1234:0000:2552:7777:1313]:12345/", "http://[1200:0000:ab00:1234:0000:2552:7777:1313]:12345/", ), ( "http://[1200:0000:ab00:1234:0000:2552:7777:1313]:12345/", "http://[1200:0000:ab00:1234:0000:2552:7777:1313]:12345/", ), ), ) def test_preparing_url(self, url, expected): def normalize_percent_encode(x): # Helper function that normalizes equivalent # percent-encoded bytes before comparisons for c in re.findall(r"%[a-fA-F0-9]{2}", x): x = x.replace(c, c.upper()) return x r = requests.Request("GET", url=url) p = r.prepare() assert normalize_percent_encode(p.url) == expected @pytest.mark.parametrize( "url", ( b"http://.google.com", b"http://", "http://.google.com", "http://", "http://☃.net/", ), ) def test_preparing_bad_url(self, url): r = requests.Request("GET", url=url) with pytest.raises(requests.exceptions.InvalidURL): r.prepare() @pytest.mark.parametrize("url, exception", (("http://:1", InvalidURL),)) def test_redirecting_to_bad_url(self, httpbin, url, exception): with pytest.raises(exception): requests.get(httpbin("redirect-to"), params={"url": url}) @pytest.mark.parametrize( "input, expected", ( ( b"http+unix://%2Fvar%2Frun%2Fsocket/path%7E", "http+unix://%2Fvar%2Frun%2Fsocket/path~", ), ( "http+unix://%2Fvar%2Frun%2Fsocket/path%7E", "http+unix://%2Fvar%2Frun%2Fsocket/path~", ), ( b"mailto:user@example.org", "mailto:user@example.org", ), ( "mailto:user@example.org", "mailto:user@example.org", ), ( b"data:SSDimaUgUHl0aG9uIQ==", "data:SSDimaUgUHl0aG9uIQ==", ), ), ) def test_url_mutation(self, input, expected): """ This test validates that we correctly exclude some URLs from preparation, and that we handle others. Specifically, it tests that any URL whose scheme doesn't begin with "http" is left alone, and those whose scheme does begin with "http" are mutated. """ r = requests.Request("GET", url=input) p = r.prepare() assert p.url == expected @pytest.mark.parametrize( "input, params, expected", ( ( b"http+unix://%2Fvar%2Frun%2Fsocket/path", {"key": "value"}, "http+unix://%2Fvar%2Frun%2Fsocket/path?key=value", ), ( "http+unix://%2Fvar%2Frun%2Fsocket/path", {"key": "value"}, "http+unix://%2Fvar%2Frun%2Fsocket/path?key=value", ), ( b"mailto:user@example.org", {"key": "value"}, "mailto:user@example.org", ), ( "mailto:user@example.org", {"key": "value"}, "mailto:user@example.org", ), ), ) def test_parameters_for_nonstandard_schemes(self, input, params, expected): """ Setting parameters for nonstandard schemes is allowed if those schemes begin with "http", and is forbidden otherwise. """ r = requests.Request("GET", url=input, params=params) p = r.prepare() assert p.url == expected def test_post_json_nan(self, httpbin): data = {"foo": float("nan")} with pytest.raises(requests.exceptions.InvalidJSONError): requests.post(httpbin("post"), json=data) def test_json_decode_compatibility(self, httpbin): r = requests.get(httpbin("bytes/20")) with pytest.raises(requests.exceptions.JSONDecodeError) as excinfo: r.json() assert isinstance(excinfo.value, RequestException) assert isinstance(excinfo.value, JSONDecodeError) assert r.text not in str(excinfo.value) def test_json_decode_persists_doc_attr(self, httpbin): r = requests.get(httpbin("bytes/20")) with pytest.raises(requests.exceptions.JSONDecodeError) as excinfo: r.json() assert excinfo.value.doc == r.text def test_status_code_425(self): r1 = requests.codes.get("TOO_EARLY") r2 = requests.codes.get("too_early") r3 = requests.codes.get("UNORDERED") r4 = requests.codes.get("unordered") r5 = requests.codes.get("UNORDERED_COLLECTION") r6 = requests.codes.get("unordered_collection") assert r1 == 425 assert r2 == 425 assert r3 == 425 assert r4 == 425 assert r5 == 425 assert r6 == 425 def test_different_connection_pool_for_tls_settings_verify_True(self): def response_handler(sock): consume_socket_content(sock, timeout=0.5) sock.send( b"HTTP/1.1 200 OK\r\n" b"Content-Length: 18\r\n\r\n" b'\xff\xfe{\x00"\x00K0"\x00=\x00"\x00\xab0"\x00\r\n' ) s = requests.Session() close_server = threading.Event() server = TLSServer( handler=response_handler, wait_to_close_event=close_server, requests_to_handle=3, cert_chain="tests/certs/expired/server/server.pem", keyfile="tests/certs/expired/server/server.key", ) with server as (host, port): url = f"https://{host}:{port}" r1 = s.get(url, verify=False) assert r1.status_code == 200 # Cannot verify self-signed certificate with pytest.raises(requests.exceptions.SSLError): s.get(url) close_server.set() assert 2 == len(s.adapters["https://"].poolmanager.pools) def test_different_connection_pool_for_tls_settings_verify_bundle_expired_cert( self, ): def response_handler(sock): consume_socket_content(sock, timeout=0.5) sock.send( b"HTTP/1.1 200 OK\r\n" b"Content-Length: 18\r\n\r\n" b'\xff\xfe{\x00"\x00K0"\x00=\x00"\x00\xab0"\x00\r\n' ) s = requests.Session() close_server = threading.Event() server = TLSServer( handler=response_handler, wait_to_close_event=close_server, requests_to_handle=3, cert_chain="tests/certs/expired/server/server.pem", keyfile="tests/certs/expired/server/server.key", ) with server as (host, port): url = f"https://{host}:{port}" r1 = s.get(url, verify=False) assert r1.status_code == 200 # Has right trust bundle, but certificate expired with pytest.raises(requests.exceptions.SSLError): s.get(url, verify="tests/certs/expired/ca/ca.crt") close_server.set() assert 2 == len(s.adapters["https://"].poolmanager.pools) def test_different_connection_pool_for_tls_settings_verify_bundle_unexpired_cert( self, ): def response_handler(sock): consume_socket_content(sock, timeout=0.5) sock.send( b"HTTP/1.1 200 OK\r\n" b"Content-Length: 18\r\n\r\n" b'\xff\xfe{\x00"\x00K0"\x00=\x00"\x00\xab0"\x00\r\n' ) s = requests.Session() close_server = threading.Event() server = TLSServer( handler=response_handler, wait_to_close_event=close_server, requests_to_handle=3, cert_chain="tests/certs/valid/server/server.pem", keyfile="tests/certs/valid/server/server.key", ) with server as (host, port): url = f"https://{host}:{port}" r1 = s.get(url, verify=False) assert r1.status_code == 200 r2 = s.get(url, verify="tests/certs/valid/ca/ca.crt") assert r2.status_code == 200 close_server.set() assert 2 == len(s.adapters["https://"].poolmanager.pools) def test_different_connection_pool_for_mtls_settings(self): client_cert = None def response_handler(sock): nonlocal client_cert client_cert = sock.getpeercert() consume_socket_content(sock, timeout=0.5) sock.send( b"HTTP/1.1 200 OK\r\n" b"Content-Length: 18\r\n\r\n" b'\xff\xfe{\x00"\x00K0"\x00=\x00"\x00\xab0"\x00\r\n' ) s = requests.Session() close_server = threading.Event() server = TLSServer( handler=response_handler, wait_to_close_event=close_server, requests_to_handle=2, cert_chain="tests/certs/expired/server/server.pem", keyfile="tests/certs/expired/server/server.key", mutual_tls=True, cacert="tests/certs/expired/ca/ca.crt", ) cert = ( "tests/certs/mtls/client/client.pem", "tests/certs/mtls/client/client.key", ) with server as (host, port): url = f"https://{host}:{port}" r1 = s.get(url, verify=False, cert=cert) assert r1.status_code == 200 with pytest.raises(requests.exceptions.SSLError): s.get(url, cert=cert) close_server.set() assert client_cert is not None def test_json_decode_errors_are_serializable_deserializable(): json_decode_error = requests.exceptions.JSONDecodeError( "Extra data", '{"responseCode":["706"],"data":null}{"responseCode":["706"],"data":null}', 36, ) deserialized_error = pickle.loads(pickle.dumps(json_decode_error)) assert repr(json_decode_error) == repr(deserialized_error) ��test_lowlevel.py��0000644��00000035757�15025233430�0010024 0��ustar�00��import threading import pytest from tests.testserver.server import Server, consume_socket_content import requests from requests.compat import JSONDecodeError from .utils import override_environ def echo_response_handler(sock): """Simple handler that will take request and echo it back to requester.""" request_content = consume_socket_content(sock, timeout=0.5) text_200 = ( b"HTTP/1.1 200 OK\r\n" b"Content-Length: %d\r\n\r\n" b"%s" ) % (len(request_content), request_content) sock.send(text_200) def test_chunked_upload(): """can safely send generators""" close_server = threading.Event() server = Server.basic_response_server(wait_to_close_event=close_server) data = iter([b"a", b"b", b"c"]) with server as (host, port): url = f"http://{host}:{port}/" r = requests.post(url, data=data, stream=True) close_server.set() # release server block assert r.status_code == 200 assert r.request.headers["Transfer-Encoding"] == "chunked" def test_chunked_encoding_error(): """get a ChunkedEncodingError if the server returns a bad response""" def incomplete_chunked_response_handler(sock): request_content = consume_socket_content(sock, timeout=0.5) # The server never ends the request and doesn't provide any valid chunks sock.send( b"HTTP/1.1 200 OK\r\n" b"Transfer-Encoding: chunked\r\n" ) return request_content close_server = threading.Event() server = Server(incomplete_chunked_response_handler) with server as (host, port): url = f"http://{host}:{port}/" with pytest.raises(requests.exceptions.ChunkedEncodingError): requests.get(url) close_server.set() # release server block def test_chunked_upload_uses_only_specified_host_header(): """Ensure we use only the specified Host header for chunked requests.""" close_server = threading.Event() server = Server(echo_response_handler, wait_to_close_event=close_server) data = iter([b"a", b"b", b"c"]) custom_host = "sample-host" with server as (host, port): url = f"http://{host}:{port}/" r = requests.post(url, data=data, headers={"Host": custom_host}, stream=True) close_server.set() # release server block expected_header = b"Host: %s\r\n" % custom_host.encode("utf-8") assert expected_header in r.content assert r.content.count(b"Host: ") == 1 def test_chunked_upload_doesnt_skip_host_header(): """Ensure we don't omit all Host headers with chunked requests.""" close_server = threading.Event() server = Server(echo_response_handler, wait_to_close_event=close_server) data = iter([b"a", b"b", b"c"]) with server as (host, port): expected_host = f"{host}:{port}" url = f"http://{host}:{port}/" r = requests.post(url, data=data, stream=True) close_server.set() # release server block expected_header = b"Host: %s\r\n" % expected_host.encode("utf-8") assert expected_header in r.content assert r.content.count(b"Host: ") == 1 def test_conflicting_content_lengths(): """Ensure we correctly throw an InvalidHeader error if multiple conflicting Content-Length headers are returned. """ def multiple_content_length_response_handler(sock): request_content = consume_socket_content(sock, timeout=0.5) response = ( b"HTTP/1.1 200 OK\r\n" b"Content-Type: text/plain\r\n" b"Content-Length: 16\r\n" b"Content-Length: 32\r\n\r\n" b"-- Bad Actor -- Original Content\r\n" ) sock.send(response) return request_content close_server = threading.Event() server = Server(multiple_content_length_response_handler) with server as (host, port): url = f"http://{host}:{port}/" with pytest.raises(requests.exceptions.InvalidHeader): requests.get(url) close_server.set() def test_digestauth_401_count_reset_on_redirect(): """Ensure we correctly reset num_401_calls after a successful digest auth, followed by a 302 redirect to another digest auth prompt. See https://github.com/psf/requests/issues/1979. """ text_401 = (b'HTTP/1.1 401 UNAUTHORIZED\r\n' b'Content-Length: 0\r\n' b'WWW-Authenticate: Digest nonce="6bf5d6e4da1ce66918800195d6b9130d"' b', opaque="372825293d1c26955496c80ed6426e9e", ' b'realm="me@kennethreitz.com", qop=auth\r\n\r\n') text_302 = (b'HTTP/1.1 302 FOUND\r\n' b'Content-Length: 0\r\n' b'Location: /\r\n\r\n') text_200 = (b'HTTP/1.1 200 OK\r\n' b'Content-Length: 0\r\n\r\n') expected_digest = (b'Authorization: Digest username="user", ' b'realm="me@kennethreitz.com", ' b'nonce="6bf5d6e4da1ce66918800195d6b9130d", uri="/"') auth = requests.auth.HTTPDigestAuth('user', 'pass') def digest_response_handler(sock): # Respond to initial GET with a challenge. request_content = consume_socket_content(sock, timeout=0.5) assert request_content.startswith(b"GET / HTTP/1.1") sock.send(text_401) # Verify we receive an Authorization header in response, then redirect. request_content = consume_socket_content(sock, timeout=0.5) assert expected_digest in request_content sock.send(text_302) # Verify Authorization isn't sent to the redirected host, # then send another challenge. request_content = consume_socket_content(sock, timeout=0.5) assert b'Authorization:' not in request_content sock.send(text_401) # Verify Authorization is sent correctly again, and return 200 OK. request_content = consume_socket_content(sock, timeout=0.5) assert expected_digest in request_content sock.send(text_200) return request_content close_server = threading.Event() server = Server(digest_response_handler, wait_to_close_event=close_server) with server as (host, port): url = f'http://{host}:{port}/' r = requests.get(url, auth=auth) # Verify server succeeded in authenticating. assert r.status_code == 200 # Verify Authorization was sent in final request. assert 'Authorization' in r.request.headers assert r.request.headers['Authorization'].startswith('Digest ') # Verify redirect happened as we expected. assert r.history[0].status_code == 302 close_server.set() def test_digestauth_401_only_sent_once(): """Ensure we correctly respond to a 401 challenge once, and then stop responding if challenged again. """ text_401 = (b'HTTP/1.1 401 UNAUTHORIZED\r\n' b'Content-Length: 0\r\n' b'WWW-Authenticate: Digest nonce="6bf5d6e4da1ce66918800195d6b9130d"' b', opaque="372825293d1c26955496c80ed6426e9e", ' b'realm="me@kennethreitz.com", qop=auth\r\n\r\n') expected_digest = (b'Authorization: Digest username="user", ' b'realm="me@kennethreitz.com", ' b'nonce="6bf5d6e4da1ce66918800195d6b9130d", uri="/"') auth = requests.auth.HTTPDigestAuth('user', 'pass') def digest_failed_response_handler(sock): # Respond to initial GET with a challenge. request_content = consume_socket_content(sock, timeout=0.5) assert request_content.startswith(b"GET / HTTP/1.1") sock.send(text_401) # Verify we receive an Authorization header in response, then # challenge again. request_content = consume_socket_content(sock, timeout=0.5) assert expected_digest in request_content sock.send(text_401) # Verify the client didn't respond to second challenge. request_content = consume_socket_content(sock, timeout=0.5) assert request_content == b'' return request_content close_server = threading.Event() server = Server(digest_failed_response_handler, wait_to_close_event=close_server) with server as (host, port): url = f'http://{host}:{port}/' r = requests.get(url, auth=auth) # Verify server didn't authenticate us. assert r.status_code == 401 assert r.history[0].status_code == 401 close_server.set() def test_digestauth_only_on_4xx(): """Ensure we only send digestauth on 4xx challenges. See https://github.com/psf/requests/issues/3772. """ text_200_chal = (b'HTTP/1.1 200 OK\r\n' b'Content-Length: 0\r\n' b'WWW-Authenticate: Digest nonce="6bf5d6e4da1ce66918800195d6b9130d"' b', opaque="372825293d1c26955496c80ed6426e9e", ' b'realm="me@kennethreitz.com", qop=auth\r\n\r\n') auth = requests.auth.HTTPDigestAuth('user', 'pass') def digest_response_handler(sock): # Respond to GET with a 200 containing www-authenticate header. request_content = consume_socket_content(sock, timeout=0.5) assert request_content.startswith(b"GET / HTTP/1.1") sock.send(text_200_chal) # Verify the client didn't respond with auth. request_content = consume_socket_content(sock, timeout=0.5) assert request_content == b'' return request_content close_server = threading.Event() server = Server(digest_response_handler, wait_to_close_event=close_server) with server as (host, port): url = f'http://{host}:{port}/' r = requests.get(url, auth=auth) # Verify server didn't receive auth from us. assert r.status_code == 200 assert len(r.history) == 0 close_server.set() _schemes_by_var_prefix = [ ('http', ['http']), ('https', ['https']), ('all', ['http', 'https']), ] _proxy_combos = [] for prefix, schemes in _schemes_by_var_prefix: for scheme in schemes: _proxy_combos.append((f"{prefix}_proxy", scheme)) _proxy_combos += [(var.upper(), scheme) for var, scheme in _proxy_combos] @pytest.mark.parametrize("var,scheme", _proxy_combos) def test_use_proxy_from_environment(httpbin, var, scheme): url = f"{scheme}://httpbin.org" fake_proxy = Server() # do nothing with the requests; just close the socket with fake_proxy as (host, port): proxy_url = f"socks5://{host}:{port}" kwargs = {var: proxy_url} with override_environ(kwargs): # fake proxy's lack of response will cause a ConnectionError with pytest.raises(requests.exceptions.ConnectionError): requests.get(url) # the fake proxy received a request assert len(fake_proxy.handler_results) == 1 # it had actual content (not checking for SOCKS protocol for now) assert len(fake_proxy.handler_results[0]) > 0 def test_redirect_rfc1808_to_non_ascii_location(): path = 'š' expected_path = b'%C5%A1' redirect_request = [] # stores the second request to the server def redirect_resp_handler(sock): consume_socket_content(sock, timeout=0.5) location = f'//{host}:{port}/{path}' sock.send( ( b'HTTP/1.1 301 Moved Permanently\r\n' b'Content-Length: 0\r\n' b'Location: %s\r\n' b'\r\n' ) % location.encode('utf8') ) redirect_request.append(consume_socket_content(sock, timeout=0.5)) sock.send(b'HTTP/1.1 200 OK\r\n\r\n') close_server = threading.Event() server = Server(redirect_resp_handler, wait_to_close_event=close_server) with server as (host, port): url = f'http://{host}:{port}' r = requests.get(url=url, allow_redirects=True) assert r.status_code == 200 assert len(r.history) == 1 assert r.history[0].status_code == 301 assert redirect_request[0].startswith(b'GET /' + expected_path + b' HTTP/1.1') assert r.url == '{}/{}'.format(url, expected_path.decode('ascii')) close_server.set() def test_fragment_not_sent_with_request(): """Verify that the fragment portion of a URI isn't sent to the server.""" close_server = threading.Event() server = Server(echo_response_handler, wait_to_close_event=close_server) with server as (host, port): url = f'http://{host}:{port}/path/to/thing/#view=edit&token=hunter2' r = requests.get(url) raw_request = r.content assert r.status_code == 200 headers, body = raw_request.split(b'\r\n\r\n', 1) status_line, headers = headers.split(b'\r\n', 1) assert status_line == b'GET /path/to/thing/ HTTP/1.1' for frag in (b'view', b'edit', b'token', b'hunter2'): assert frag not in headers assert frag not in body close_server.set() def test_fragment_update_on_redirect(): """Verify we only append previous fragment if one doesn't exist on new location. If a new fragment is encountered in a Location header, it should be added to all subsequent requests. """ def response_handler(sock): consume_socket_content(sock, timeout=0.5) sock.send( b'HTTP/1.1 302 FOUND\r\n' b'Content-Length: 0\r\n' b'Location: /get#relevant-section\r\n\r\n' ) consume_socket_content(sock, timeout=0.5) sock.send( b'HTTP/1.1 302 FOUND\r\n' b'Content-Length: 0\r\n' b'Location: /final-url/\r\n\r\n' ) consume_socket_content(sock, timeout=0.5) sock.send( b'HTTP/1.1 200 OK\r\n\r\n' ) close_server = threading.Event() server = Server(response_handler, wait_to_close_event=close_server) with server as (host, port): url = f'http://{host}:{port}/path/to/thing/#view=edit&token=hunter2' r = requests.get(url) assert r.status_code == 200 assert len(r.history) == 2 assert r.history[0].request.url == url # Verify we haven't overwritten the location with our previous fragment. assert r.history[1].request.url == f'http://{host}:{port}/get#relevant-section' # Verify previous fragment is used and not the original. assert r.url == f'http://{host}:{port}/final-url/#relevant-section' close_server.set() def test_json_decode_compatibility_for_alt_utf_encodings(): def response_handler(sock): consume_socket_content(sock, timeout=0.5) sock.send( b'HTTP/1.1 200 OK\r\n' b'Content-Length: 18\r\n\r\n' b'\xff\xfe{\x00"\x00K0"\x00=\x00"\x00\xab0"\x00\r\n' ) close_server = threading.Event() server = Server(response_handler, wait_to_close_event=close_server) with server as (host, port): url = f'http://{host}:{port}/' r = requests.get(url) r.encoding = None with pytest.raises(requests.exceptions.JSONDecodeError) as excinfo: r.json() assert isinstance(excinfo.value, requests.exceptions.RequestException) assert isinstance(excinfo.value, JSONDecodeError) assert r.text not in str(excinfo.value) ��test_structures.py��0000644��00000004347�15025233430�0010405 0��ustar�00��import pytest from requests.structures import CaseInsensitiveDict, LookupDict class TestCaseInsensitiveDict: @pytest.fixture(autouse=True) def setup(self): """CaseInsensitiveDict instance with "Accept" header.""" self.case_insensitive_dict = CaseInsensitiveDict() self.case_insensitive_dict["Accept"] = "application/json" def test_list(self): assert list(self.case_insensitive_dict) == ["Accept"] possible_keys = pytest.mark.parametrize( "key", ("accept", "ACCEPT", "aCcEpT", "Accept") ) @possible_keys def test_getitem(self, key): assert self.case_insensitive_dict[key] == "application/json" @possible_keys def test_delitem(self, key): del self.case_insensitive_dict[key] assert key not in self.case_insensitive_dict def test_lower_items(self): assert list(self.case_insensitive_dict.lower_items()) == [ ("accept", "application/json") ] def test_repr(self): assert repr(self.case_insensitive_dict) == "{'Accept': 'application/json'}" def test_copy(self): copy = self.case_insensitive_dict.copy() assert copy is not self.case_insensitive_dict assert copy == self.case_insensitive_dict @pytest.mark.parametrize( "other, result", ( ({"AccePT": "application/json"}, True), ({}, False), (None, False), ), ) def test_instance_equality(self, other, result): assert (self.case_insensitive_dict == other) is result class TestLookupDict: @pytest.fixture(autouse=True) def setup(self): """LookupDict instance with "bad_gateway" attribute.""" self.lookup_dict = LookupDict("test") self.lookup_dict.bad_gateway = 502 def test_repr(self): assert repr(self.lookup_dict) == "<lookup 'test'>" get_item_parameters = pytest.mark.parametrize( "key, value", ( ("bad_gateway", 502), ("not_a_key", None), ), ) @get_item_parameters def test_getitem(self, key, value): assert self.lookup_dict[key] == value @get_item_parameters def test_get(self, key, value): assert self.lookup_dict.get(key) == value ��test_testserver.py��0000644��00000012661�15025233430�0010366 0��ustar�00��import socket import threading import time import pytest from tests.testserver.server import Server import requests class TestTestServer: def test_basic(self): """messages are sent and received properly""" question = b"success?" answer = b"yeah, success" def handler(sock): text = sock.recv(1000) assert text == question sock.sendall(answer) with Server(handler) as (host, port): sock = socket.socket() sock.connect((host, port)) sock.sendall(question) text = sock.recv(1000) assert text == answer sock.close() def test_server_closes(self): """the server closes when leaving the context manager""" with Server.basic_response_server() as (host, port): sock = socket.socket() sock.connect((host, port)) sock.close() with pytest.raises(socket.error): new_sock = socket.socket() new_sock.connect((host, port)) def test_text_response(self): """the text_response_server sends the given text""" server = Server.text_response_server( "HTTP/1.1 200 OK\r\n" "Content-Length: 6\r\n" "\r\nroflol" ) with server as (host, port): r = requests.get(f"http://{host}:{port}") assert r.status_code == 200 assert r.text == "roflol" assert r.headers["Content-Length"] == "6" def test_basic_response(self): """the basic response server returns an empty http response""" with Server.basic_response_server() as (host, port): r = requests.get(f"http://{host}:{port}") assert r.status_code == 200 assert r.text == "" assert r.headers["Content-Length"] == "0" def test_basic_waiting_server(self): """the server waits for the block_server event to be set before closing""" block_server = threading.Event() with Server.basic_response_server(wait_to_close_event=block_server) as ( host, port, ): sock = socket.socket() sock.connect((host, port)) sock.sendall(b"send something") time.sleep(2.5) sock.sendall(b"still alive") block_server.set() # release server block def test_multiple_requests(self): """multiple requests can be served""" requests_to_handle = 5 server = Server.basic_response_server(requests_to_handle=requests_to_handle) with server as (host, port): server_url = f"http://{host}:{port}" for _ in range(requests_to_handle): r = requests.get(server_url) assert r.status_code == 200 # the (n+1)th request fails with pytest.raises(requests.exceptions.ConnectionError): r = requests.get(server_url) @pytest.mark.skip(reason="this fails non-deterministically under pytest-xdist") def test_request_recovery(self): """can check the requests content""" # TODO: figure out why this sometimes fails when using pytest-xdist. server = Server.basic_response_server(requests_to_handle=2) first_request = b"put your hands up in the air" second_request = b"put your hand down in the floor" with server as address: sock1 = socket.socket() sock2 = socket.socket() sock1.connect(address) sock1.sendall(first_request) sock1.close() sock2.connect(address) sock2.sendall(second_request) sock2.close() assert server.handler_results[0] == first_request assert server.handler_results[1] == second_request def test_requests_after_timeout_are_not_received(self): """the basic response handler times out when receiving requests""" server = Server.basic_response_server(request_timeout=1) with server as address: sock = socket.socket() sock.connect(address) time.sleep(1.5) sock.sendall(b"hehehe, not received") sock.close() assert server.handler_results[0] == b"" def test_request_recovery_with_bigger_timeout(self): """a biggest timeout can be specified""" server = Server.basic_response_server(request_timeout=3) data = b"bananadine" with server as address: sock = socket.socket() sock.connect(address) time.sleep(1.5) sock.sendall(data) sock.close() assert server.handler_results[0] == data def test_server_finishes_on_error(self): """the server thread exits even if an exception exits the context manager""" server = Server.basic_response_server() with pytest.raises(Exception): with server: raise Exception() assert len(server.handler_results) == 0 # if the server thread fails to finish, the test suite will hang # and get killed by the jenkins timeout. def test_server_finishes_when_no_connections(self): """the server thread exits even if there are no connections""" server = Server.basic_response_server() with server: pass assert len(server.handler_results) == 0 # if the server thread fails to finish, the test suite will hang # and get killed by the jenkins timeout. ��testserver/__init__.py��0000644��00000000000�15025233430�0011046 0��ustar�00��testserver/server.py��0000644��00000012033�15025233430�0010626 0��ustar�00��import select import socket import ssl import threading def consume_socket_content(sock, timeout=0.5): chunks = 65536 content = b"" while True: more_to_read = select.select([sock], [], [], timeout)[0] if not more_to_read: break new_content = sock.recv(chunks) if not new_content: break content += new_content return content class Server(threading.Thread): """Dummy server using for unit testing""" WAIT_EVENT_TIMEOUT = 5 def __init__( self, handler=None, host="localhost", port=0, requests_to_handle=1, wait_to_close_event=None, ): super().__init__() self.handler = handler or consume_socket_content self.handler_results = [] self.host = host self.port = port self.requests_to_handle = requests_to_handle self.wait_to_close_event = wait_to_close_event self.ready_event = threading.Event() self.stop_event = threading.Event() @classmethod def text_response_server(cls, text, request_timeout=0.5, kwargs): def text_response_handler(sock): request_content = consume_socket_content(sock, timeout=request_timeout) sock.send(text.encode("utf-8")) return request_content return Server(text_response_handler, kwargs) @classmethod def basic_response_server(cls, kwargs): return cls.text_response_server( "HTTP/1.1 200 OK\r\n" + "Content-Length: 0\r\n\r\n", *kwargs ) def run(self): try: self.server_sock = self._create_socket_and_bind() # in case self.port = 0 self.port = self.server_sock.getsockname()[1] self.ready_event.set() self._handle_requests() if self.wait_to_close_event: self.wait_to_close_event.wait(self.WAIT_EVENT_TIMEOUT) finally: self.ready_event.set() # just in case of exception self._close_server_sock_ignore_errors() self.stop_event.set() def _create_socket_and_bind(self): sock = socket.socket() sock.bind((self.host, self.port)) sock.listen() return sock def _close_server_sock_ignore_errors(self): try: self.server_sock.close() except OSError: pass def _handle_requests(self): for _ in range(self.requests_to_handle): sock = self._accept_connection() if not sock: break handler_result = self.handler(sock) self.handler_results.append(handler_result) sock.close() def _accept_connection(self): try: ready, _, _ = select.select( [self.server_sock], [], [], self.WAIT_EVENT_TIMEOUT ) if not ready: return None return self.server_sock.accept()[0] except OSError: return None def __enter__(self): self.start() if not self.ready_event.wait(self.WAIT_EVENT_TIMEOUT): raise RuntimeError("Timeout waiting for server to be ready.") return self.host, self.port def __exit__(self, exc_type, exc_value, traceback): if exc_type is None: self.stop_event.wait(self.WAIT_EVENT_TIMEOUT) else: if self.wait_to_close_event: # avoid server from waiting for event timeouts # if an exception is found in the main thread self.wait_to_close_event.set() # ensure server thread doesn't get stuck waiting for connections self._close_server_sock_ignore_errors() self.join() return False # allow exceptions to propagate class TLSServer(Server): def __init__( self, , handler=None, host="localhost", port=0, requests_to_handle=1, wait_to_close_event=None, cert_chain=None, keyfile=None, mutual_tls=False, cacert=None, ): super().__init__( handler=handler, host=host, port=port, requests_to_handle=requests_to_handle, wait_to_close_event=wait_to_close_event, ) self.cert_chain = cert_chain self.keyfile = keyfile self.ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) self.ssl_context.load_cert_chain(self.cert_chain, keyfile=self.keyfile) self.mutual_tls = mutual_tls self.cacert = cacert if mutual_tls: # For simplicity, we're going to assume that the client cert is # issued by the same CA as our Server certificate self.ssl_context.verify_mode = ssl.CERT_OPTIONAL self.ssl_context.load_verify_locations(self.cacert) def _create_socket_and_bind(self): sock = socket.socket() sock = self.ssl_context.wrap_socket(sock, server_side=True) sock.bind((self.host, self.port)) sock.listen() return sock ��utils.py��0000644��00000000556�15025233430�0006261 0��ustar�00��import contextlib import os @contextlib.contextmanager def override_environ(*kwargs): save_env = dict(os.environ) for key, value in kwargs.items(): if value is None: del os.environ[key] else: os.environ[key] = value try: yield finally: os.environ.clear() os.environ.update(save_env) ��certs/expired/ca��0000755��00000000000�15025233430�0007620 0��ustar�00��certs/valid/server/cert.cnf��0000644��00000001322�15025233430�0011711 0��ustar�00��[req] req_extensions = v3_req distinguished_name = req_distinguished_name prompt=no [req_distinguished_name] C = US ST = DE O = Python Software Foundation OU = python-requests CN = localhost [v3_req] # Extensions to add to a certificate request basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = critical, serverAuth subjectAltName = critical, @alt_names [v3_ca] # Extensions to add to a certificate request basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = critical, serverAuth subjectAltName = critical, @alt_names [alt_names] DNS.1 = .localhost DNS.1 = localhost IP.1 = 127.0.0.1 IP.2 = ::1 ��certs/valid/server/server.csr��0000644��00000002227�15025233430�0012310 0��ustar�00��-----BEGIN CERTIFICATE REQUEST----- MIIDKjCCAhICAQAwbTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkRFMSMwIQYDVQQK DBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEYMBYGA1UECwwPcHl0aG9uLXJl cXVlc3RzMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQChEKOx377ymuDg23By5Re1DHi2RiBKSHr85/ZTZuwP/69lHN7q TQEO//EMEFZ9+ZwezeJJsejjP2HO5lQZbcsWok3hbM0wVT+vApkogPvJ8WNFFWFe ZBnGLi/1WM9cSZpUsDJ0XCsG0RTtO27wfgZQlKQMZxTkfi971oPYxNVSjTm2JcLT kvwYIwxjJXPDTOgRo9TEAY3cWkCrBJN4w74GWBTM5KDDA230T7WwLuv81XD2LvYj YYdMBGcxPr5tYTIlp3LncbcrDRNk3pbYQk0bRJgkw2vUkteiRGjkt+dgVnLc6+MI W+VLXEpj+zsOZ5/R4d1pofqj9sDyDPhtNr1JAgMBAAGgeDB2BgkqhkiG9w0BCQ4x aTBnMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMBYGA1UdJQEB/wQMMAoG CCsGAQUFBwMBMC8GA1UdEQEB/wQlMCOCCWxvY2FsaG9zdIcEfwAAAYcQAAAAAAAA AAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAFTlFTn5Mn8JXtqB5bGjuiChe ClA6Y32Co4l7N0CtAlf+bExwLdpLOleTX3WnryIPALl9uBUI/67dy/STn/J1Yn86 jWPEFwpmYNSKgQljYWcwtBdYLWfIsJO11kKdaAkOUHBEN5DKrXJ46Vs4918bD1/Q 6ztqdrThiKc646u9xB58Hg7F0IyMWbHfs0x16ZpcN9otrIkbqOE2wzTmc65O1t1i HDljcSk7OnNy3a9wtLEnyPiyMqHf2k/bTlmiDRVe3cSy9xieoqmzHTnOCSASe1y9 7lcEBQild18Jo4nACV4vCYOUwrMi/58LWW+lD6OmMnPiWUqOvMbgMffMNDpWPA== -----END CERTIFICATE REQUEST----- ��certs/valid/server/Makefile��0000644��00000000645�15025233430�0011733 0��ustar�00��.PHONY: all clean server.key: openssl genrsa -out $@ 2048 server.csr: server.key openssl req -key $< -config cert.cnf -new -out $@ server.pem: server.csr openssl x509 -req -CA ../ca/ca.crt -CAkey ../ca/ca-private.key -in server.csr -outform PEM -out server.pem -extfile cert.cnf -extensions v3_ca -days 7200 -CAcreateserial openssl x509 -in ../ca/ca.crt -outform PEM >> $@ all: server.pem clean: rm -f server.* ��certs/valid/server/server.pem��0000644��00000005443�15025233430�0012305 0��ustar�00��-----BEGIN CERTIFICATE----- MIIEhTCCA22gAwIBAgIUTzbDp+B1umRS0Q7rgefxif9Im3wwDQYJKoZIhvcNAQEL BQAwajELMAkGA1UEBhMCVVMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3Vu ZGF0aW9uMRgwFgYDVQQLDA9weXRob24tcmVxdWVzdHMxHDAaBgNVBAMME1NlbGYt U2lnbmVkIFJvb3QgQ0EwHhcNMjQwMzE0MDAxMDAzWhcNNDMxMTMwMDAxMDAzWjBt MQswCQYDVQQGEwJVUzELMAkGA1UECAwCREUxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0 d2FyZSBGb3VuZGF0aW9uMRgwFgYDVQQLDA9weXRob24tcmVxdWVzdHMxEjAQBgNV BAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKEQ o7HfvvKa4ODbcHLlF7UMeLZGIEpIevzn9lNm7A//r2Uc3upNAQ7/8QwQVn35nB7N 4kmx6OM/Yc7mVBltyxaiTeFszTBVP68CmSiA+8nxY0UVYV5kGcYuL/VYz1xJmlSw MnRcKwbRFO07bvB+BlCUpAxnFOR+L3vWg9jE1VKNObYlwtOS/BgjDGMlc8NM6BGj 1MQBjdxaQKsEk3jDvgZYFMzkoMMDbfRPtbAu6/zVcPYu9iNhh0wEZzE+vm1hMiWn cudxtysNE2TelthCTRtEmCTDa9SS16JEaOS352BWctzr4whb5UtcSmP7Ow5nn9Hh 3Wmh+qP2wPIM+G02vUkCAwEAAaOCAR4wggEaMAwGA1UdEwEB/wQCMAAwDgYDVR0P AQH/BAQDAgWgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMC8GA1UdEQEB/wQlMCOC CWxvY2FsaG9zdIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATAdBgNVHQ4EFgQUJ90a UnXKPP13yDprLhG39fUrnu8wgZEGA1UdIwSBiTCBhqFupGwwajELMAkGA1UEBhMC VVMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRgwFgYDVQQL DA9weXRob24tcmVxdWVzdHMxHDAaBgNVBAMME1NlbGYtU2lnbmVkIFJvb3QgQ0GC FA9wdtNh/V99DRwYp8vXjPxSjJnWMA0GCSqGSIb3DQEBCwUAA4IBAQCVh4hiraRv JzYbS/TombP//xfVEWHXDBEYsT5GgWf7GPJ/QtSvv6uJFsK7heqLzf9f+r4Z5xMh YAkb0oe/Ge0T30Mo1YaBEqkKuQL9lOMcP69S9uFz2VT6I/76I8qqAu2AFhu74p8f qudwmQyRYo1Ryg4R/SgRhSJKF/ST/2wOusNWSsBe1s8S2PmtOb4dr3cMBGihrUzS DmCQpWjuiuE23HXnnYDc/EUAnEEPkLDgCsE9iLq37FPUHcHjqdYIAhmImPBpv2EL ftXeRWfxN2hRHpS5Fn3QuAOwfJw5tUcVXojJCJfSpL+Ac97iSjxNaDIPlyomauKw 1rgbUkSw+9JQ -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDWzCCAkMCFA9wdtNh/V99DRwYp8vXjPxSjJnWMA0GCSqGSIb3DQEBCwUAMGox CzAJBgNVBAYTAlVTMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlv bjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMRwwGgYDVQQDDBNTZWxmLVNpZ25l ZCBSb290IENBMB4XDTI0MDMxMjIxMDQwM1oXDTQ0MDMwNzIxMDQwM1owajELMAkG A1UEBhMCVVMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRgw FgYDVQQLDA9weXRob24tcmVxdWVzdHMxHDAaBgNVBAMME1NlbGYtU2lnbmVkIFJv b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHlIhe7GLCeSk8 RZOKdtmyKns6KdZgGw/LcxPkYvQlu1g0zV8X0DqVr2LdMumWUTNCc9sPdSlAG+He mQp2TMoWUMumMuwDtit9RT0Sb6Eh9svWgjY9ferovPJRfCWUTsA2Ug8uoh0wyEXK na7X6fHt5E3B9vj0+b9a4vDibdBXV11FheLT02/uEmAEJDdP/zeBgvVbhcVyumO6 fAGMIWzR2ukhe8z/ma5H9zoi4gZA8nsK6reZUD8+6affnPe+jIt/AdzggtV9jkWm zSpr+RHeZ0y+q4eik2ZNUGg4XcF6JsJ9yu/AqLBXxd38uLdFfgyhP2y6K628yzgy e6lzFyWnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGymNVTsKSAq8Ju6zV+AWAyV GcUNBmLpgzDA0e7pkVYhHTdWKlGH4GnrRcp0nvnSbr6iq1Ob/8yEUUoRzK55Flws Kt1OLwnZyhfRoSUesoEqpP68vzWEgiYv0QuIWvzNt0YfAAvEgGoc3iri44MelKLn 9ZMT8m91nVamA35R8ZjfeAkNp2xcz0a67V0ww6o4wSXrG7o5ZRXyjqZ/9K7SfwUJ rV9RciccsjH/MzKbfrx73QwsbPWiFmjzHopdasIO0lDlmgm/r9gKfkbzfKoGCgLZ 6an6FlmLftLSXijf/QwtqeSP9fODeE3dzBmnTM3jdoVS53ZegUDWNl14o25v2Kg= -----END CERTIFICATE----- ��certs/valid/server/server.key��0000644��00000003250�15025233430�0012306 0��ustar�00��-----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQChEKOx377ymuDg 23By5Re1DHi2RiBKSHr85/ZTZuwP/69lHN7qTQEO//EMEFZ9+ZwezeJJsejjP2HO 5lQZbcsWok3hbM0wVT+vApkogPvJ8WNFFWFeZBnGLi/1WM9cSZpUsDJ0XCsG0RTt O27wfgZQlKQMZxTkfi971oPYxNVSjTm2JcLTkvwYIwxjJXPDTOgRo9TEAY3cWkCr BJN4w74GWBTM5KDDA230T7WwLuv81XD2LvYjYYdMBGcxPr5tYTIlp3LncbcrDRNk 3pbYQk0bRJgkw2vUkteiRGjkt+dgVnLc6+MIW+VLXEpj+zsOZ5/R4d1pofqj9sDy DPhtNr1JAgMBAAECggEAIuLzBfXgCvXzlBjL2kMXd7p4EgkN+PEKnKmUr/t40b1Q zR6sBQWBX3GeET4fseElSQHQzCQaPNCve4xltm1S4jftFREHP7sTVHHEYWLQxuy/ Uwkewj5927CI6ERgg82YfVP91bjaA/u5I+pt7O7rKLyNbPdN7fEMEW+FNuhpiVvg JMrcK1BCFL6pmIT21LyTwkacMKZSPko58pWE24MA9aSCHk6cXdwQWQK0AfQT3XGT C4I0hRed7LgqMH+gMuhpakiO13t8yTwxt2iQC9+aa4oSHD3BOi/CwIWfe1mHwmlr cj4Kof1JSnK4SVTD16T++PlnWZkF6oaLUNg+/c2C9QKBgQDOFSYIY7+HzinT2hbI yTIJCHpp+Iee+WVvvxjdZIPMDINrlIiHcMfXb0itUdcUO6tz0KYDMDLRC9CSP0ar 6mBWUTHfAKF2S4JpI9JYI4PNtIpOP1NiYuyJlnh5+ytU1yIeIvl39hmLcRwI9mgz njy/D7yEoDCrG1dhcltubKpNXQKBgQDIFAVg0A7MNcxBZDLlk1NAME2JKOSszX8E VNucvZD+9l+L9V9BmwwPQdzYifv/dNp3nYn+lxRPPgze3ZWu4+PeDuGudxu0I6ll beFdbIcp1wbeQguzHYLjBYJqsMb4Pao5HPInjPu/HWfZlg9oZpJbKVucQwbonJLX lgca9KaE3QKBgA+OUx+g/+0tZ8ThGoUvgsJhzHPBWeNrKfgEcckMdFJrw2PUg3XN 0pf1g4PpwJV7Z5bHcjCda8iR3r2bXydM+tapLF2L+6QlUQPEu3UBwUo+zY3Yg9/S Xc6I+DEk/4FY9+9UboZaolT/RcF7cCQtVqKJeo58VRAlcTQe4L32H+jVAoGALXX3 Ht9HbXkP1w/YTLej4+LVy0OCag0rPiW13LBqALSkUx3GrhZ3sAPMFVuM6ad4eFNQ ZouXbsXvkLgSabGYNf11o/mmTtEHjWdhHKQrNgOIqPmixOkAs2quDmXqX79LLTz5 fKkZDny0+wiQqa0cth/4k9HbAQGKj/ej16kdKPUCgYAz08Y39NnJYxRNz3tu/7C6 jKyXKxhuZCZCt3cSWto5Tg0mVVB+2Jk2GhG1hCfZoRCP25R3FFBR1HOJgOc59T7C LL67FdO0+7mj/WNzHj3+9gyOYQyQgPVDaTmsJLbuzT2S+GpR94ZNliwL2NEa5baG B/Nb2ruRNj0GgZVw48N4XQ== -----END PRIVATE KEY----- ��certs/mtls/client/cert.cnf��0000644��00000001270�15025233430�0011543 0��ustar�00��[req] req_extensions = v3_req distinguished_name = req_distinguished_name prompt=no [req_distinguished_name] C = US ST = DE O = Python Software Foundation OU = python-requests CN = requests [v3_req] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = clientAuth subjectAltName = @alt_names [alt_names] DNS.1 = .localhost IP.1 = 127.0.0.1 IP.2 = ::1 URI.1 = spiffe://trust.python.org/v0/maintainer/sigmavirus24/project/requests/org/psf URI.2 = spiffe://trust.python.org/v1/maintainer:sigmavirus24/project:requests/org:psf URI.3 = spiffe://trust.python.org/v1/maintainer=sigmavirus24/project=requests/org=psf ��certs/mtls/client/client.pem��0000644��00000004625�15025233430�0012106 0��ustar�00��-----BEGIN CERTIFICATE----- MIIDXTCCAkUCFE82w6fgdbpkUtEO64Hn8Yn/SJtzMA0GCSqGSIb3DQEBCwUAMGox CzAJBgNVBAYTAlVTMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlv bjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMRwwGgYDVQQDDBNTZWxmLVNpZ25l ZCBSb290IENBMB4XDTI0MDMxMzE4MzUwNFoXDTI2MDMxMzE4MzUwNFowbDELMAkG A1UEBhMCVVMxCzAJBgNVBAgMAkRFMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUg Rm91bmRhdGlvbjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMREwDwYDVQQDDAhy ZXF1ZXN0czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMn3iQycTjUz pKJChRNkcm33UB282cUwpxeqKN4ahHxBpS09HRhkcQYO7yErEUQwzQnBQEcIpzze IMZIqHuCkgnySjeEJd95AIzNzGyoLLkS51TcJwgRv83AvT8ljA88s9h38qGTy4/T CxJgf76pfHIuC1qoKVQh3AuHj9nOxIZLUsrdDbWFWoLqKSVyTby+RXvSAppAR+cu BCaWStQ6xFORn48RHfc6t30ggD4rDAjyU6Vz6oR8ot3XmGdK0h42UdqidUWkRJaj EbpkCnQSXS21IvfXKxF5sFqAXJrj9iVbUfpNPpaaW8IrHByngyV8amazGZrASstU VRFtWrnrcWECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAHHgMckLDRV72p1FEVmCh AAPZjCswiPZFrwGPN57JqSWjoRB9ilKvo87aPosEO7vfa05OD/qkM/T9Qykuhati I1T1T7qX4Ymb5kTJIBouuflAO3uKVaq+ga2Q/HLlU5w/VoMU4RuK7+RaiRUEE3xL iPSMBvZpoMj695LnzcGrT5oLkFI0bTIlpQt1SFjDpHFtOj/ZdwgSbZYLoTCBXQK3 7Y29qAj/XwEiCH63n8tJKvZcD8/ssMIMIdWhNmu+0jOWica/3WSih9Geoy6Ydtxi I5t9vRjC4LIipMUAF86AJIfvHJyI6aCNT420LaR6NRW0FQn5CPTHPAsKg3JkAywn Ew== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDWzCCAkMCFA9wdtNh/V99DRwYp8vXjPxSjJnWMA0GCSqGSIb3DQEBCwUAMGox CzAJBgNVBAYTAlVTMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlv bjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMRwwGgYDVQQDDBNTZWxmLVNpZ25l ZCBSb290IENBMB4XDTI0MDMxMjIxMDQwM1oXDTQ0MDMwNzIxMDQwM1owajELMAkG A1UEBhMCVVMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRgw FgYDVQQLDA9weXRob24tcmVxdWVzdHMxHDAaBgNVBAMME1NlbGYtU2lnbmVkIFJv b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHlIhe7GLCeSk8 RZOKdtmyKns6KdZgGw/LcxPkYvQlu1g0zV8X0DqVr2LdMumWUTNCc9sPdSlAG+He mQp2TMoWUMumMuwDtit9RT0Sb6Eh9svWgjY9ferovPJRfCWUTsA2Ug8uoh0wyEXK na7X6fHt5E3B9vj0+b9a4vDibdBXV11FheLT02/uEmAEJDdP/zeBgvVbhcVyumO6 fAGMIWzR2ukhe8z/ma5H9zoi4gZA8nsK6reZUD8+6affnPe+jIt/AdzggtV9jkWm zSpr+RHeZ0y+q4eik2ZNUGg4XcF6JsJ9yu/AqLBXxd38uLdFfgyhP2y6K628yzgy e6lzFyWnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGymNVTsKSAq8Ju6zV+AWAyV GcUNBmLpgzDA0e7pkVYhHTdWKlGH4GnrRcp0nvnSbr6iq1Ob/8yEUUoRzK55Flws Kt1OLwnZyhfRoSUesoEqpP68vzWEgiYv0QuIWvzNt0YfAAvEgGoc3iri44MelKLn 9ZMT8m91nVamA35R8ZjfeAkNp2xcz0a67V0ww6o4wSXrG7o5ZRXyjqZ/9K7SfwUJ rV9RciccsjH/MzKbfrx73QwsbPWiFmjzHopdasIO0lDlmgm/r9gKfkbzfKoGCgLZ 6an6FlmLftLSXijf/QwtqeSP9fODeE3dzBmnTM3jdoVS53ZegUDWNl14o25v2Kg= -----END CERTIFICATE----- ��certs/mtls/client/client.csr��0000644��00000002734�15025233430�0012113 0��ustar�00��-----BEGIN CERTIFICATE REQUEST----- MIIEGjCCAwICAQAwbDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkRFMSMwIQYDVQQK DBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEYMBYGA1UECwwPcHl0aG9uLXJl cXVlc3RzMREwDwYDVQQDDAhyZXF1ZXN0czCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAMn3iQycTjUzpKJChRNkcm33UB282cUwpxeqKN4ahHxBpS09HRhk cQYO7yErEUQwzQnBQEcIpzzeIMZIqHuCkgnySjeEJd95AIzNzGyoLLkS51TcJwgR v83AvT8ljA88s9h38qGTy4/TCxJgf76pfHIuC1qoKVQh3AuHj9nOxIZLUsrdDbWF WoLqKSVyTby+RXvSAppAR+cuBCaWStQ6xFORn48RHfc6t30ggD4rDAjyU6Vz6oR8 ot3XmGdK0h42UdqidUWkRJajEbpkCnQSXS21IvfXKxF5sFqAXJrj9iVbUfpNPpaa W8IrHByngyV8amazGZrASstUVRFtWrnrcWECAwEAAaCCAWcwggFjBgkqhkiG9w0B CQ4xggFUMIIBUDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggr BgEFBQcDAjCCAR8GA1UdEQSCARYwggESggsqLmxvY2FsaG9zdIcEfwAAAYcQAAAA AAAAAAAAAAAAAAAAAYZNc3BpZmZlOi8vdHJ1c3QucHl0aG9uLm9yZy92MC9tYWlu dGFpbmVyL3NpZ21hdmlydXMyNC9wcm9qZWN0L3JlcXVlc3RzL29yZy9wc2aGTXNw aWZmZTovL3RydXN0LnB5dGhvbi5vcmcvdjEvbWFpbnRhaW5lcjpzaWdtYXZpcnVz MjQvcHJvamVjdDpyZXF1ZXN0cy9vcmc6cHNmhk1zcGlmZmU6Ly90cnVzdC5weXRo b24ub3JnL3YxL21haW50YWluZXI9c2lnbWF2aXJ1czI0L3Byb2plY3Q9cmVxdWVz dHMvb3JnPXBzZjANBgkqhkiG9w0BAQsFAAOCAQEAwP1KJ+Evddn2RV1FM6BFkoDK MPDO9qwb8ea3j57SIJXZlpw168DljmuGzxJw9oys2O6FYcspbHIocAkfFwiYgVAr NEog6xlCdPxNBJgC3YFIKwnmBjMPG6ZCWiJn940qTbaJ/j6ZviN17uW4K7Sl+THp IkMv29uQTWkfg+GbZ9q1hm2m2GHhYLGLAUdJdtv7JI+yq5uxdsWaCANpH6kc8SnK 2rik6D3iItDhHCmToHBpdEnP8J+KDzf5pJrv/g3WH8XVrl4ZzBsOhmciWF4C3Hbf 9eu8eAsp1AsIrZOEGTfClBd7vFCES5DmI0/iRs4czQooqZPnHjOw3Azp/LujrA== -----END CERTIFICATE REQUEST----- ��certs/mtls/client/Makefile��0000644��00000000575�15025233430�0011565 0��ustar�00��.PHONY: all clean client.key: openssl genrsa -out $@ 2048 client.csr: client.key openssl req -key $< -new -out $@ -config cert.cnf client.pem: client.csr openssl x509 -req -CA ./ca/ca.crt -CAkey ./ca/ca-private.key -in client.csr -outform PEM -out client.pem -days 730 -CAcreateserial openssl x509 -in ./ca/ca.crt -outform PEM >> $@ all: client.pem clean: rm -f client. ��certs/mtls/client/client.key��0000644��00000003250�15025233430�0012106 0��ustar�00��-----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDJ94kMnE41M6Si QoUTZHJt91AdvNnFMKcXqijeGoR8QaUtPR0YZHEGDu8hKxFEMM0JwUBHCKc83iDG SKh7gpIJ8ko3hCXfeQCMzcxsqCy5EudU3CcIEb/NwL0/JYwPPLPYd/Khk8uP0wsS YH++qXxyLgtaqClUIdwLh4/ZzsSGS1LK3Q21hVqC6iklck28vkV70gKaQEfnLgQm lkrUOsRTkZ+PER33Ord9IIA+KwwI8lOlc+qEfKLd15hnStIeNlHaonVFpESWoxG6 ZAp0El0ttSL31ysRebBagFya4/YlW1H6TT6WmlvCKxwcp4MlfGpmsxmawErLVFUR bVq563FhAgMBAAECggEABhWX97JJxN6JFNOjhgGzqiPA3R8lrFlv3zhNbODS9u9U q404xYBZIKaYhkucLzgNJUBrevhZbsL+V8WJQIH0JlU57nw5ATIjAHA+uqiXraen zRhTcLHK28b1AeRUA4LU+YN7jWnnawN075kf9WgjtfOJ0gcDimOkE7uCFjyyvPJA LG9bG+8enGjvUleKXNgmwP4Sq/GlEdGz9Qy+8ga3mtfAULUWe8haFNZXK8CN3xPp wmVqy7QzgH2TGN1p6Dyxib9ksSN/lOg0dShL8zgu+QXDNx2VwmVrI8Vr02vmB//0 bYxCo5pfICPIFLjLl5yo30dvrUfYqF29PperStHGlQKBgQD/TdemlLjJNP0fvSs7 KEVJj/22YuHK+wurNr2ZFbSdcF3v9sfiwysllmEyGr5cNYA56uUbfG+8VSw7kDll G+6BKK2UdlPH++6RahqWLqo4k6rsNrkq7elj8xG4gIjR5qzu2uLpjNwp2BGmIoUI eb1NcLfTlMcNCooV8RHjm1Z5WwKBgQDKhHkUPDcJm2/9Ltq2NZQMrCS7o4LV2uAI GhGpISfY+SfHkQQNZ9Fvbe6hrFeZs31nAvlTDpPEg/LGSVKA5I2EZT9gwzAQU1TD Cyol4xqqWFWlwze7w+RLYqX5LtXf7NJg2m5p+ZOoOzzqvTVpodDxqTlCNp2/6ICP vAIvWhbA8wKBgAYlr62ZIyHlHrsm6OWRwKlWyDseAmXKyasjtEj9Vs37qKdgf8ub +2v6RPjZ3/+EYkQCveV9h4s3WctNW7Rtib6eZh+PAdFs5X+m2GEJWpvmIlVxs9+u vtHjRmf04FZ9gWh26MPK2no/c51Wc3GSzNYSgrqbeHd963k/xrh+QwTFAoGAZZjb 3UjwG4O9RPjyhCKQ6WKa8v9urbamWaoqXfziLrmgOUAJFmiU6x/tbXI2aEdhjAIz 7nULsLS5YLx8BWmjjV3106dYP3hut4KsXGF4iSjTnts25J27tA4DUeUrKrF2QVyT s9qfNvCw+Np/J0Uku3e33/3iWdpcVL9vIS5C5/0CgYBEuxb3dffNRqEiNkpOUrCD mQTqbO3X+hin9zT3GrxQE+7KpfCfdDIqdK6c5UWHirR3HUjUPZmIFLSx8msfLl3k hgQw37NMV+asg0Wy3P908qbtnEA2P6aDOMQeHJoC7qEHIDOcOQ1KP3FMvOrdscwS f0IIDygTH6fYr329s0iXjg== -----END PRIVATE KEY----- ��certs/mtls/README.md��0000644��00000000264�15025233430�0010121 0��ustar�00��# Certificate Examples for mTLS This has some generated certificates for mTLS utilization. The idea is to be able to have testing around how Requests handles client certificates. ��certs/mtls/Makefile��0000644��00000000112�15025233430�0010272 0��ustar�00��.PHONY: all clean all: make -C client all clean: make -C client clean ��certs/README.md��0000644��00000000527�15025233430�0007144 0��ustar�00��# Testing Certificates This is a collection of certificates useful for testing aspects of Requests' behaviour. The certificates include: * [expired](./expired) server certificate with a valid certificate authority * [mtls](./mtls) provides a valid client certificate with a 2 year validity * [valid](./valid) has a valid server certificate ��certs/expired/ca/ca.crt��0000644��00000002310�15025233430�0010775 0��ustar�00��-----BEGIN CERTIFICATE----- MIIDWzCCAkMCFA9wdtNh/V99DRwYp8vXjPxSjJnWMA0GCSqGSIb3DQEBCwUAMGox CzAJBgNVBAYTAlVTMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlv bjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMRwwGgYDVQQDDBNTZWxmLVNpZ25l ZCBSb290IENBMB4XDTI0MDMxMjIxMDQwM1oXDTQ0MDMwNzIxMDQwM1owajELMAkG A1UEBhMCVVMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRgw FgYDVQQLDA9weXRob24tcmVxdWVzdHMxHDAaBgNVBAMME1NlbGYtU2lnbmVkIFJv b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHlIhe7GLCeSk8 RZOKdtmyKns6KdZgGw/LcxPkYvQlu1g0zV8X0DqVr2LdMumWUTNCc9sPdSlAG+He mQp2TMoWUMumMuwDtit9RT0Sb6Eh9svWgjY9ferovPJRfCWUTsA2Ug8uoh0wyEXK na7X6fHt5E3B9vj0+b9a4vDibdBXV11FheLT02/uEmAEJDdP/zeBgvVbhcVyumO6 fAGMIWzR2ukhe8z/ma5H9zoi4gZA8nsK6reZUD8+6affnPe+jIt/AdzggtV9jkWm zSpr+RHeZ0y+q4eik2ZNUGg4XcF6JsJ9yu/AqLBXxd38uLdFfgyhP2y6K628yzgy e6lzFyWnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGymNVTsKSAq8Ju6zV+AWAyV GcUNBmLpgzDA0e7pkVYhHTdWKlGH4GnrRcp0nvnSbr6iq1Ob/8yEUUoRzK55Flws Kt1OLwnZyhfRoSUesoEqpP68vzWEgiYv0QuIWvzNt0YfAAvEgGoc3iri44MelKLn 9ZMT8m91nVamA35R8ZjfeAkNp2xcz0a67V0ww6o4wSXrG7o5ZRXyjqZ/9K7SfwUJ rV9RciccsjH/MzKbfrx73QwsbPWiFmjzHopdasIO0lDlmgm/r9gKfkbzfKoGCgLZ 6an6FlmLftLSXijf/QwtqeSP9fODeE3dzBmnTM3jdoVS53ZegUDWNl14o25v2Kg= -----END CERTIFICATE----- ��certs/expired/ca/ca.srl��0000644��00000000051�15025233430�0011005 0��ustar�00��4F36C3A7E075BA6452D10EEB81E7F189FF489B74 ��certs/expired/ca/ca-private.key��0000644��00000003250�15025233430�0012451 0��ustar�00��-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDHlIhe7GLCeSk8 RZOKdtmyKns6KdZgGw/LcxPkYvQlu1g0zV8X0DqVr2LdMumWUTNCc9sPdSlAG+He mQp2TMoWUMumMuwDtit9RT0Sb6Eh9svWgjY9ferovPJRfCWUTsA2Ug8uoh0wyEXK na7X6fHt5E3B9vj0+b9a4vDibdBXV11FheLT02/uEmAEJDdP/zeBgvVbhcVyumO6 fAGMIWzR2ukhe8z/ma5H9zoi4gZA8nsK6reZUD8+6affnPe+jIt/AdzggtV9jkWm zSpr+RHeZ0y+q4eik2ZNUGg4XcF6JsJ9yu/AqLBXxd38uLdFfgyhP2y6K628yzgy e6lzFyWnAgMBAAECggEAFwzHhzcD3PQDWCus85PwZoxTeQ817BmUBGpBBOKM0gLG GCsT7XsmGP2NjICBy9OK+QTKawmb/wR5XK0OMUWDHXqtWn+NFIyojyo8+HEeCf8n 4ZleTFHLnJ+d2N1etbc2qc9mY3tjpaurq8/0Tol9YH06ock1TY2+lO+a5HvMURnY hcWs70CamL+5B/6n67DhjzMtIW3dIXuEEceM1BW/jW8SKq0JHpQ3t+OJwID7zFaJ bLyOwAVheMzVGvN3yphf8tll3tMA65bNjdOzgOfZSjAy7EGjW3DyAolDw9jKLRyu E0gw/exNGe618oMIeUDv0KParlL4RjdiUP8l0xYOwQKBgQD3eYj9rWeqZquI9vKP gaSv6urb2UJLngShZUpEZRNJgBO+Ewiof0w8tpQdsnuMvWudxMLbzgiUNA+NyC/K CpzIXFkWnWx+A/pxs8ZO8moOfajVRayJgeOLsQZb7c4fXGsVGApbN4+cPNhTNG6d ucErv6tae/SzAzcLc5Vkw/ELxwKBgQDOdJ5Wl5JeKAvU/3kF6+MYWCrXxZqMjoHS y1BtyMX5RbdaWTCfDUu1aV3qJOJjjWQ9DJdJQcEsrTjOpD4bVdZx4w/XEG0JXAa3 jRypVHGdeG/TjhUGJA8U+KX3a1DkcdqM9pqFYRw5Ie95Wz9YRroI+YkixqpK8d7W C+5BodxXIQKBgCk8Lv9V7XgPM3XW8APJbk+BrTCEuu8unUbnQcCztssAdEmvkjnB PErBgVyRaNTCmzPmnTFS20sWgaD2QkBAFG+uM4n5ISK+NvTLJ7fv3IwdlAw1V9Jx uiCElrKqpTXEiHMzVkZss5ks6j6y9duCIBXSEhM5pERPvNRDphjsLTXxAoGARSNC nyb1Kjjo9XR0V+pNy6pC9q1C+00B5tCVZ55zxe114Hi70pfGQcM+YxnlAoeoCNW9 mBfAFDESNAlGjyrovIzYkiH7EcZSrYdBEOepgJ2DfWo4Wi0bK9+03K2AknAaS1iO GJqTtAJMSuymwu40gKroJNA42Q40nKO0LyCARGECgYEAiFRHkblBtStv22SpZxNC jim9yuM0ikh7Ij1lEHysc/GWb2RQNxQVk54BU2kQ0d9xwMZQTKvpF3VE9t7uGdwt AasWPr/tWYt35Ud0D4bNlagJJ4Xdslf8n1nkq3qqqDQbd7kkQRgwGzVr0uVg7ZfS 26qSPQ0/aF9nagb5eHX3AuU= -----END PRIVATE KEY----- ��certs/expired/ca/Makefile��0000644��00000000451�15025233430�0011344 0��ustar�00��.PHONY: all clean root_files = ca-private.key ca.crt ca-private.key: openssl genrsa -out ca-private.key 2048 all: ca-private.key openssl req -x509 -sha256 -days 7300 -key ca-private.key -out ca.crt -config ca.cnf ln -s ca.crt cacert.pem clean: rm -f cacert.pem ca.crt ca-private.key .csr ��certs/expired/ca/ca.cnf��0000644��00000000515�15025233430�0010760 0��ustar�00��[req] default_bits = 2048 prompt = no default_md = sha256 encrypt_key = no distinguished_name = dn [dn] C = US # country code O = Python Software Foundation # organization OU = python-requests # organization unit/department CN = Self-Signed Root CA # common name / your cert name ��certs/expired/server/cert.cnf��0000644��00000000711�15025233430�0012253 0��ustar�00��[req] req_extensions = v3_req distinguished_name = req_distinguished_name prompt=no [req_distinguished_name] C = US ST = DE O = Python Software Foundation OU = python-requests CN = localhost [v3_req] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = .localhost DNS.1 = localhost IP.1 = 127.0.0.1 IP.2 = ::1 ��certs/expired/server/server.csr��0000644��00000002207�15025233430�0012647 0��ustar�00��-----BEGIN CERTIFICATE REQUEST----- MIIDHjCCAgYCAQAwbTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkRFMSMwIQYDVQQK DBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEYMBYGA1UECwwPcHl0aG9uLXJl cXVlc3RzMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCKulIMpo633iCgbkKv1UoiLC4sQt5xWpgguujywu3hLYwmPFp9 kvPt//imqtl8FhuhKqJ8FCGrVl2YIGj1RJIB3GW7MSPNCuIBFL/gwNi35LxDPtoA IPyXytIR7VH9+ch9DFInJaoA/BekMuKvbXk54VW9whpHbwkXSG2lBS2vKL0XemYh 9VjvtuRDji2iOZpznlVE2PEN80bojArp6oYKakv2kYzgzgxAJiI/NZGvC7mbSI4e ja7ad3R9G0kB1FzNj36jrNO5WtxHO/mrRiXSpDeyUbitYvt0HKoM0vhTnOR+BspP IltfwOQh8qq2Q2AaMHNcVjMH3gHCZADfhk/zAgMBAAGgbDBqBgkqhkiG9w0BCQ4x XTBbMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMB MCwGA1UdEQQlMCOCCWxvY2FsaG9zdIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATAN BgkqhkiG9w0BAQsFAAOCAQEAfAhEhrulsZae71YFqgvzwJHm/hzXh47hErtgDXVJ mFqAxgF6XrnzYujlt3XQXUx/8vdrU7jH+Pe8WO1rDvFwRPMDGoBF3RX29SzyX/2F e102egnoRR+Hlf0Ixqu0CuTjEVnD+g4mRgXhV7LPKP4W6qGwzcVbaJ3c/zRcfqNR g9gN6Q6Qt4fXDc7wlx2T3nOszBLQ2XCsIyzVtOJ2sSuadqKH9Aj+mrkrLBdzVFHD FHnTMJ0t0+anZwd+AWDNsCr5lIwBGL634zw7/yJepMHuPFd2X24S3u8EaWPkfVQn lV6rLQMGjXYTe2xuYzlUCUYnKvkyPTMjSXDkxWa+WSNwyQ== -----END CERTIFICATE REQUEST----- ��certs/expired/server/Makefile��0000644��00000000576�15025233430�0012277 0��ustar�00��.PHONY: all clean server.key: openssl genrsa -out $@ 2048 server.csr: server.key openssl req -key $< -new -out $@ -config cert.cnf server.pem: server.csr openssl x509 -req -CA ../ca/ca.crt -CAkey ../ca/ca-private.key -in server.csr -outform PEM -out server.pem -days 0 -CAcreateserial openssl x509 -in ../ca/ca.crt -outform PEM >> $@ all: server.pem clean: rm -f server.* ��certs/expired/server/server.pem��0000644��00000004625�15025233430�0012647 0��ustar�00��-----BEGIN CERTIFICATE----- MIIDXjCCAkYCFE82w6fgdbpkUtEO64Hn8Yn/SJt0MA0GCSqGSIb3DQEBCwUAMGox CzAJBgNVBAYTAlVTMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlv bjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMRwwGgYDVQQDDBNTZWxmLVNpZ25l ZCBSb290IENBMB4XDTI0MDMxMzIxMTQ0NVoXDTI0MDMxMzIxMTQ0NVowbTELMAkG A1UEBhMCVVMxCzAJBgNVBAgMAkRFMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUg Rm91bmRhdGlvbjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMRIwEAYDVQQDDAls b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKulIMpo63 3iCgbkKv1UoiLC4sQt5xWpgguujywu3hLYwmPFp9kvPt//imqtl8FhuhKqJ8FCGr Vl2YIGj1RJIB3GW7MSPNCuIBFL/gwNi35LxDPtoAIPyXytIR7VH9+ch9DFInJaoA /BekMuKvbXk54VW9whpHbwkXSG2lBS2vKL0XemYh9VjvtuRDji2iOZpznlVE2PEN 80bojArp6oYKakv2kYzgzgxAJiI/NZGvC7mbSI4eja7ad3R9G0kB1FzNj36jrNO5 WtxHO/mrRiXSpDeyUbitYvt0HKoM0vhTnOR+BspPIltfwOQh8qq2Q2AaMHNcVjMH 3gHCZADfhk/zAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGeQdB4+iDbJ78eKhCMV 49Cm8nyYi9215rRRJ24Bw6BtVw1ECwymxLVOEB0gHCu8kKdsFnniFBtChts/ilFg blIyPKTsb3+kQW9YV9QwVdFdC4mTIljujCSQ4HNUC/Vjfnz85SDKf9/3PMKRr36+ GtSLIozudPvkNmCv68jy3RRXyCwWHc43BLMSZKPD/W+DEuXShI9OIpIlSLBx16Hz 4ce3/1pGuITWcsw6UcRqW31oPR31QmNs5fsq5ZCojDNFzEFCA1t9LiR6UOftFUKy yOZWfZeAGGdK75U+XDqS9Xkr5/ic5jE0I5rT7e7r3lpvQdgIj8lSx493fczLOGHr YA0= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDWzCCAkMCFA9wdtNh/V99DRwYp8vXjPxSjJnWMA0GCSqGSIb3DQEBCwUAMGox CzAJBgNVBAYTAlVTMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlv bjEYMBYGA1UECwwPcHl0aG9uLXJlcXVlc3RzMRwwGgYDVQQDDBNTZWxmLVNpZ25l ZCBSb290IENBMB4XDTI0MDMxMjIxMDQwM1oXDTQ0MDMwNzIxMDQwM1owajELMAkG A1UEBhMCVVMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRgw FgYDVQQLDA9weXRob24tcmVxdWVzdHMxHDAaBgNVBAMME1NlbGYtU2lnbmVkIFJv b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHlIhe7GLCeSk8 RZOKdtmyKns6KdZgGw/LcxPkYvQlu1g0zV8X0DqVr2LdMumWUTNCc9sPdSlAG+He mQp2TMoWUMumMuwDtit9RT0Sb6Eh9svWgjY9ferovPJRfCWUTsA2Ug8uoh0wyEXK na7X6fHt5E3B9vj0+b9a4vDibdBXV11FheLT02/uEmAEJDdP/zeBgvVbhcVyumO6 fAGMIWzR2ukhe8z/ma5H9zoi4gZA8nsK6reZUD8+6affnPe+jIt/AdzggtV9jkWm zSpr+RHeZ0y+q4eik2ZNUGg4XcF6JsJ9yu/AqLBXxd38uLdFfgyhP2y6K628yzgy e6lzFyWnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGymNVTsKSAq8Ju6zV+AWAyV GcUNBmLpgzDA0e7pkVYhHTdWKlGH4GnrRcp0nvnSbr6iq1Ob/8yEUUoRzK55Flws Kt1OLwnZyhfRoSUesoEqpP68vzWEgiYv0QuIWvzNt0YfAAvEgGoc3iri44MelKLn 9ZMT8m91nVamA35R8ZjfeAkNp2xcz0a67V0ww6o4wSXrG7o5ZRXyjqZ/9K7SfwUJ rV9RciccsjH/MzKbfrx73QwsbPWiFmjzHopdasIO0lDlmgm/r9gKfkbzfKoGCgLZ 6an6FlmLftLSXijf/QwtqeSP9fODeE3dzBmnTM3jdoVS53ZegUDWNl14o25v2Kg= -----END CERTIFICATE----- ��certs/expired/server/server.key��0000644��00000003250�15025233430�0012647 0��ustar�00��-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCKulIMpo633iCg bkKv1UoiLC4sQt5xWpgguujywu3hLYwmPFp9kvPt//imqtl8FhuhKqJ8FCGrVl2Y IGj1RJIB3GW7MSPNCuIBFL/gwNi35LxDPtoAIPyXytIR7VH9+ch9DFInJaoA/Bek MuKvbXk54VW9whpHbwkXSG2lBS2vKL0XemYh9VjvtuRDji2iOZpznlVE2PEN80bo jArp6oYKakv2kYzgzgxAJiI/NZGvC7mbSI4eja7ad3R9G0kB1FzNj36jrNO5WtxH O/mrRiXSpDeyUbitYvt0HKoM0vhTnOR+BspPIltfwOQh8qq2Q2AaMHNcVjMH3gHC ZADfhk/zAgMBAAECggEAFSF9RvUFzyb0BEvXN44+/QaKv+4tkMmSW4Xs3rFnZ4G3 E8nkpLUCF9ICD2z9tKNvcPScDFdKq5z7o6ToJ9faf5MRIdrBz8UlGLIO6g6l1Bjw vjNwJE3h+8MGjXl/IDbwXW/HgbQAeabsePPRSJRdvz2+ACn1M8VLdrLvFJA93ayW +n3Bk0bXdsrzqBGdoDiNzmIHI3WqdONiR9TymuJe41NJtMKxQDF+c6Y1n/X1OtBk s9L+u9Xr+R3H72xSYrf1KH1mFZJfTnIPoOmdEU2tVZnZj03rZhT7p8R1fVNX6OHu NX1Dy9VA6J7dbcqdPvTI743ByQeb+hNnqI/3hmV5eQKBgQC++1Wn3v/dxtczjA+I tN4a7zyjhazpB25lde55HVfCQPxmYxIYct+j6S0JkMaoLrjiEDb4pnu4Gt4MDqZa r0Xm8t3wD1YKUUbhpBEGvsMhAEZEIsBOcwkTiEwsoF0mKFa2mTyqAImgIQa8uFt8 Y/oTj55XFe1x6pZKEJRg+K+QSwKBgQC59ONVkMSBirLGS+G+b2kqiBdwZB/3s3wr feS1xTa+deL3AChnKT9+MsVqOkxdE2TRj/mAeF+5Woa5bPMvgr9Kl7u8bulTH80l YA/N6FneO11/ncnkgK9wN54kd5TiOtGsGB5S5t/nEAIMUIwWrM/cRau72xNEWOhT Tvw7TOSF+QKBgQCa/texeiYmE24sA4vH4yIuseKAw8hlBwbtiRyVZt8GZD9zyQuy k+g02tUWYk0XyXN65LX4bwURkZyMJIeWKZGNsaW1YnzturDQB5tZ4g/zBIoCWkHA aVQAaimIPk3a3foiD5NQVUdckfEp0GVPOsSGg5R6EO23+i8mxPXnDW1OqQKBgGvf lelTO8tyLFdAOcqBUt6rZ/1499p3snaAZ6bSqvk95dYnr0h48y5AQaln/FiaIYg4 HyLZsZ4S18jFXSWYkWOyNeQP6yafciBWY5StT0TN52VaoX3+8McGXKUHAcVjHbLZ ou2wpP6jmKyQJVQaF9LOT9uAMOMbOFrrnQLBjmfxAoGAQAnUhMFG5mwi9Otxt6Mz g+Gr+3JTlzwC3L7UwGdlFc3G2vSdGx/yOrfzpxPImfIBS95mibDfdvEBMer26pvw a/ycqybyX9d/5nPDIaJ1lc4M4cbHC/cB52JI6avr/1g8OMK7lR7b/FsPVHS1w8kl n6uwEjVt2+gP2o9DFTGs158= -----END PRIVATE KEY----- ��certs/expired/README.md��0000644��00000000344�15025233430�0010601 0��ustar�00��# Expired Certificates and Configuration for Testing This has a valid certificate authority in [ca](./ca) and an invalid server certificate in [server](./server). This can all be regenerated with: ``` make clean make all ``` ��certs/expired/Makefile��0000644��00000000212�15025233430�0010754 0��ustar�00��.PHONY: all clean ca server ca: make -C $@ all server: make -C $@ all all: ca server clean: make -C ca clean make -C server clean ��compat.py��0000644��00000000740�15025233430�0006377 0��ustar�00��import warnings try: import StringIO except ImportError: import io as StringIO try: from cStringIO import StringIO as cStringIO except ImportError: cStringIO = None def u(s): warnings.warn( ( "This helper function is no longer relevant in Python 3. " "Usage of this alias should be discontinued as it will be " "removed in a future release of Requests." ), DeprecationWarning, ) return s ��

| ver. 1.4 | Github | . | PHP 8.2.28 | Generation time: 0.03 | proxy | phpinfo | Settings