1109 lines
43 KiB
Python
1109 lines
43 KiB
Python
# Copyright 2020 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import datetime
|
|
import json
|
|
import os
|
|
|
|
import mock
|
|
import pytest
|
|
from six.moves import http_client
|
|
from six.moves import urllib
|
|
|
|
from google.auth import _helpers
|
|
from google.auth import exceptions
|
|
from google.auth import identity_pool
|
|
from google.auth import transport
|
|
|
|
|
|
CLIENT_ID = "username"
|
|
CLIENT_SECRET = "password"
|
|
# Base64 encoding of "username:password".
|
|
BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ="
|
|
SERVICE_ACCOUNT_EMAIL = "service-1234@service-name.iam.gserviceaccount.com"
|
|
SERVICE_ACCOUNT_IMPERSONATION_URL = (
|
|
"https://us-east1-iamcredentials.googleapis.com/v1/projects/-"
|
|
+ "/serviceAccounts/{}:generateAccessToken".format(SERVICE_ACCOUNT_EMAIL)
|
|
)
|
|
QUOTA_PROJECT_ID = "QUOTA_PROJECT_ID"
|
|
SCOPES = ["scope1", "scope2"]
|
|
DATA_DIR = os.path.join(os.path.dirname(__file__), "data")
|
|
SUBJECT_TOKEN_TEXT_FILE = os.path.join(DATA_DIR, "external_subject_token.txt")
|
|
SUBJECT_TOKEN_JSON_FILE = os.path.join(DATA_DIR, "external_subject_token.json")
|
|
SUBJECT_TOKEN_FIELD_NAME = "access_token"
|
|
|
|
with open(SUBJECT_TOKEN_TEXT_FILE) as fh:
|
|
TEXT_FILE_SUBJECT_TOKEN = fh.read()
|
|
|
|
with open(SUBJECT_TOKEN_JSON_FILE) as fh:
|
|
JSON_FILE_CONTENT = json.load(fh)
|
|
JSON_FILE_SUBJECT_TOKEN = JSON_FILE_CONTENT.get(SUBJECT_TOKEN_FIELD_NAME)
|
|
|
|
TOKEN_URL = "https://sts.googleapis.com/v1/token"
|
|
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
|
|
AUDIENCE = "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
|
|
WORKFORCE_AUDIENCE = (
|
|
"//iam.googleapis.com/locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID"
|
|
)
|
|
WORKFORCE_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
|
|
WORKFORCE_POOL_USER_PROJECT = "WORKFORCE_POOL_USER_PROJECT_NUMBER"
|
|
|
|
|
|
class TestCredentials(object):
|
|
CREDENTIAL_SOURCE_TEXT = {"file": SUBJECT_TOKEN_TEXT_FILE}
|
|
CREDENTIAL_SOURCE_JSON = {
|
|
"file": SUBJECT_TOKEN_JSON_FILE,
|
|
"format": {"type": "json", "subject_token_field_name": "access_token"},
|
|
}
|
|
CREDENTIAL_URL = "http://fakeurl.com"
|
|
CREDENTIAL_SOURCE_TEXT_URL = {"url": CREDENTIAL_URL}
|
|
CREDENTIAL_SOURCE_JSON_URL = {
|
|
"url": CREDENTIAL_URL,
|
|
"format": {"type": "json", "subject_token_field_name": "access_token"},
|
|
}
|
|
SUCCESS_RESPONSE = {
|
|
"access_token": "ACCESS_TOKEN",
|
|
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
|
|
"token_type": "Bearer",
|
|
"expires_in": 3600,
|
|
"scope": " ".join(SCOPES),
|
|
}
|
|
|
|
@classmethod
|
|
def make_mock_response(cls, status, data):
|
|
response = mock.create_autospec(transport.Response, instance=True)
|
|
response.status = status
|
|
if isinstance(data, dict):
|
|
response.data = json.dumps(data).encode("utf-8")
|
|
else:
|
|
response.data = data
|
|
return response
|
|
|
|
@classmethod
|
|
def make_mock_request(
|
|
cls, token_status=http_client.OK, token_data=None, *extra_requests
|
|
):
|
|
responses = []
|
|
responses.append(cls.make_mock_response(token_status, token_data))
|
|
|
|
while len(extra_requests) > 0:
|
|
# If service account impersonation is requested, mock the expected response.
|
|
status, data, extra_requests = (
|
|
extra_requests[0],
|
|
extra_requests[1],
|
|
extra_requests[2:],
|
|
)
|
|
responses.append(cls.make_mock_response(status, data))
|
|
|
|
request = mock.create_autospec(transport.Request)
|
|
request.side_effect = responses
|
|
|
|
return request
|
|
|
|
@classmethod
|
|
def assert_credential_request_kwargs(
|
|
cls, request_kwargs, headers, url=CREDENTIAL_URL
|
|
):
|
|
assert request_kwargs["url"] == url
|
|
assert request_kwargs["method"] == "GET"
|
|
assert request_kwargs["headers"] == headers
|
|
assert request_kwargs.get("body", None) is None
|
|
|
|
@classmethod
|
|
def assert_token_request_kwargs(
|
|
cls, request_kwargs, headers, request_data, token_url=TOKEN_URL
|
|
):
|
|
assert request_kwargs["url"] == token_url
|
|
assert request_kwargs["method"] == "POST"
|
|
assert request_kwargs["headers"] == headers
|
|
assert request_kwargs["body"] is not None
|
|
body_tuples = urllib.parse.parse_qsl(request_kwargs["body"])
|
|
assert len(body_tuples) == len(request_data.keys())
|
|
for (k, v) in body_tuples:
|
|
assert v.decode("utf-8") == request_data[k.decode("utf-8")]
|
|
|
|
@classmethod
|
|
def assert_impersonation_request_kwargs(
|
|
cls,
|
|
request_kwargs,
|
|
headers,
|
|
request_data,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
):
|
|
assert request_kwargs["url"] == service_account_impersonation_url
|
|
assert request_kwargs["method"] == "POST"
|
|
assert request_kwargs["headers"] == headers
|
|
assert request_kwargs["body"] is not None
|
|
body_json = json.loads(request_kwargs["body"].decode("utf-8"))
|
|
assert body_json == request_data
|
|
|
|
@classmethod
|
|
def assert_underlying_credentials_refresh(
|
|
cls,
|
|
credentials,
|
|
audience,
|
|
subject_token,
|
|
subject_token_type,
|
|
token_url,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=None,
|
|
quota_project_id=None,
|
|
used_scopes=None,
|
|
credential_data=None,
|
|
scopes=None,
|
|
default_scopes=None,
|
|
workforce_pool_user_project=None,
|
|
):
|
|
"""Utility to assert that a credentials are initialized with the expected
|
|
attributes by calling refresh functionality and confirming response matches
|
|
expected one and that the underlying requests were populated with the
|
|
expected parameters.
|
|
"""
|
|
# STS token exchange request/response.
|
|
token_response = cls.SUCCESS_RESPONSE.copy()
|
|
token_headers = {"Content-Type": "application/x-www-form-urlencoded"}
|
|
if basic_auth_encoding:
|
|
token_headers["Authorization"] = "Basic " + basic_auth_encoding
|
|
|
|
if service_account_impersonation_url:
|
|
token_scopes = "https://www.googleapis.com/auth/iam"
|
|
else:
|
|
token_scopes = " ".join(used_scopes or [])
|
|
|
|
token_request_data = {
|
|
"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
|
|
"audience": audience,
|
|
"requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
|
|
"scope": token_scopes,
|
|
"subject_token": subject_token,
|
|
"subject_token_type": subject_token_type,
|
|
}
|
|
if workforce_pool_user_project:
|
|
token_request_data["options"] = urllib.parse.quote(
|
|
json.dumps({"userProject": workforce_pool_user_project})
|
|
)
|
|
|
|
if service_account_impersonation_url:
|
|
# Service account impersonation request/response.
|
|
expire_time = (
|
|
_helpers.utcnow().replace(microsecond=0)
|
|
+ datetime.timedelta(seconds=3600)
|
|
).isoformat("T") + "Z"
|
|
impersonation_response = {
|
|
"accessToken": "SA_ACCESS_TOKEN",
|
|
"expireTime": expire_time,
|
|
}
|
|
impersonation_headers = {
|
|
"Content-Type": "application/json",
|
|
"authorization": "Bearer {}".format(token_response["access_token"]),
|
|
}
|
|
impersonation_request_data = {
|
|
"delegates": None,
|
|
"scope": used_scopes,
|
|
"lifetime": "3600s",
|
|
}
|
|
|
|
# Initialize mock request to handle token retrieval, token exchange and
|
|
# service account impersonation request.
|
|
requests = []
|
|
if credential_data:
|
|
requests.append((http_client.OK, credential_data))
|
|
|
|
token_request_index = len(requests)
|
|
requests.append((http_client.OK, token_response))
|
|
|
|
if service_account_impersonation_url:
|
|
impersonation_request_index = len(requests)
|
|
requests.append((http_client.OK, impersonation_response))
|
|
|
|
request = cls.make_mock_request(*[el for req in requests for el in req])
|
|
|
|
credentials.refresh(request)
|
|
|
|
assert len(request.call_args_list) == len(requests)
|
|
if credential_data:
|
|
cls.assert_credential_request_kwargs(request.call_args_list[0][1], None)
|
|
# Verify token exchange request parameters.
|
|
cls.assert_token_request_kwargs(
|
|
request.call_args_list[token_request_index][1],
|
|
token_headers,
|
|
token_request_data,
|
|
token_url,
|
|
)
|
|
# Verify service account impersonation request parameters if the request
|
|
# is processed.
|
|
if service_account_impersonation_url:
|
|
cls.assert_impersonation_request_kwargs(
|
|
request.call_args_list[impersonation_request_index][1],
|
|
impersonation_headers,
|
|
impersonation_request_data,
|
|
service_account_impersonation_url,
|
|
)
|
|
assert credentials.token == impersonation_response["accessToken"]
|
|
else:
|
|
assert credentials.token == token_response["access_token"]
|
|
assert credentials.quota_project_id == quota_project_id
|
|
assert credentials.scopes == scopes
|
|
assert credentials.default_scopes == default_scopes
|
|
|
|
@classmethod
|
|
def make_credentials(
|
|
cls,
|
|
audience=AUDIENCE,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
client_id=None,
|
|
client_secret=None,
|
|
quota_project_id=None,
|
|
scopes=None,
|
|
default_scopes=None,
|
|
service_account_impersonation_url=None,
|
|
credential_source=None,
|
|
workforce_pool_user_project=None,
|
|
):
|
|
return identity_pool.Credentials(
|
|
audience=audience,
|
|
subject_token_type=subject_token_type,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=service_account_impersonation_url,
|
|
credential_source=credential_source,
|
|
client_id=client_id,
|
|
client_secret=client_secret,
|
|
quota_project_id=quota_project_id,
|
|
scopes=scopes,
|
|
default_scopes=default_scopes,
|
|
workforce_pool_user_project=workforce_pool_user_project,
|
|
)
|
|
|
|
@mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
|
|
def test_from_info_full_options(self, mock_init):
|
|
credentials = identity_pool.Credentials.from_info(
|
|
{
|
|
"audience": AUDIENCE,
|
|
"subject_token_type": SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
"client_id": CLIENT_ID,
|
|
"client_secret": CLIENT_SECRET,
|
|
"quota_project_id": QUOTA_PROJECT_ID,
|
|
"credential_source": self.CREDENTIAL_SOURCE_TEXT,
|
|
}
|
|
)
|
|
|
|
# Confirm identity_pool.Credentials instantiated with expected attributes.
|
|
assert isinstance(credentials, identity_pool.Credentials)
|
|
mock_init.assert_called_once_with(
|
|
audience=AUDIENCE,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
quota_project_id=QUOTA_PROJECT_ID,
|
|
workforce_pool_user_project=None,
|
|
)
|
|
|
|
@mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
|
|
def test_from_info_required_options_only(self, mock_init):
|
|
credentials = identity_pool.Credentials.from_info(
|
|
{
|
|
"audience": AUDIENCE,
|
|
"subject_token_type": SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"credential_source": self.CREDENTIAL_SOURCE_TEXT,
|
|
}
|
|
)
|
|
|
|
# Confirm identity_pool.Credentials instantiated with expected attributes.
|
|
assert isinstance(credentials, identity_pool.Credentials)
|
|
mock_init.assert_called_once_with(
|
|
audience=AUDIENCE,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
client_id=None,
|
|
client_secret=None,
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
quota_project_id=None,
|
|
workforce_pool_user_project=None,
|
|
)
|
|
|
|
@mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
|
|
def test_from_info_workforce_pool(self, mock_init):
|
|
credentials = identity_pool.Credentials.from_info(
|
|
{
|
|
"audience": WORKFORCE_AUDIENCE,
|
|
"subject_token_type": WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"credential_source": self.CREDENTIAL_SOURCE_TEXT,
|
|
"workforce_pool_user_project": WORKFORCE_POOL_USER_PROJECT,
|
|
}
|
|
)
|
|
|
|
# Confirm identity_pool.Credentials instantiated with expected attributes.
|
|
assert isinstance(credentials, identity_pool.Credentials)
|
|
mock_init.assert_called_once_with(
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
client_id=None,
|
|
client_secret=None,
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
quota_project_id=None,
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
@mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
|
|
def test_from_file_full_options(self, mock_init, tmpdir):
|
|
info = {
|
|
"audience": AUDIENCE,
|
|
"subject_token_type": SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"service_account_impersonation_url": SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
"client_id": CLIENT_ID,
|
|
"client_secret": CLIENT_SECRET,
|
|
"quota_project_id": QUOTA_PROJECT_ID,
|
|
"credential_source": self.CREDENTIAL_SOURCE_TEXT,
|
|
}
|
|
config_file = tmpdir.join("config.json")
|
|
config_file.write(json.dumps(info))
|
|
credentials = identity_pool.Credentials.from_file(str(config_file))
|
|
|
|
# Confirm identity_pool.Credentials instantiated with expected attributes.
|
|
assert isinstance(credentials, identity_pool.Credentials)
|
|
mock_init.assert_called_once_with(
|
|
audience=AUDIENCE,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
quota_project_id=QUOTA_PROJECT_ID,
|
|
workforce_pool_user_project=None,
|
|
)
|
|
|
|
@mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
|
|
def test_from_file_required_options_only(self, mock_init, tmpdir):
|
|
info = {
|
|
"audience": AUDIENCE,
|
|
"subject_token_type": SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"credential_source": self.CREDENTIAL_SOURCE_TEXT,
|
|
}
|
|
config_file = tmpdir.join("config.json")
|
|
config_file.write(json.dumps(info))
|
|
credentials = identity_pool.Credentials.from_file(str(config_file))
|
|
|
|
# Confirm identity_pool.Credentials instantiated with expected attributes.
|
|
assert isinstance(credentials, identity_pool.Credentials)
|
|
mock_init.assert_called_once_with(
|
|
audience=AUDIENCE,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
client_id=None,
|
|
client_secret=None,
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
quota_project_id=None,
|
|
workforce_pool_user_project=None,
|
|
)
|
|
|
|
@mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
|
|
def test_from_file_workforce_pool(self, mock_init, tmpdir):
|
|
info = {
|
|
"audience": WORKFORCE_AUDIENCE,
|
|
"subject_token_type": WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"credential_source": self.CREDENTIAL_SOURCE_TEXT,
|
|
"workforce_pool_user_project": WORKFORCE_POOL_USER_PROJECT,
|
|
}
|
|
config_file = tmpdir.join("config.json")
|
|
config_file.write(json.dumps(info))
|
|
credentials = identity_pool.Credentials.from_file(str(config_file))
|
|
|
|
# Confirm identity_pool.Credentials instantiated with expected attributes.
|
|
assert isinstance(credentials, identity_pool.Credentials)
|
|
mock_init.assert_called_once_with(
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
client_id=None,
|
|
client_secret=None,
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
quota_project_id=None,
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
def test_constructor_nonworkforce_with_workforce_pool_user_project(self):
|
|
with pytest.raises(ValueError) as excinfo:
|
|
self.make_credentials(
|
|
audience=AUDIENCE,
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
assert excinfo.match(
|
|
"workforce_pool_user_project should not be set for non-workforce "
|
|
"pool credentials"
|
|
)
|
|
|
|
def test_constructor_invalid_options(self):
|
|
credential_source = {"unsupported": "value"}
|
|
|
|
with pytest.raises(ValueError) as excinfo:
|
|
self.make_credentials(credential_source=credential_source)
|
|
|
|
assert excinfo.match(r"Missing credential_source")
|
|
|
|
def test_constructor_invalid_options_url_and_file(self):
|
|
credential_source = {
|
|
"url": self.CREDENTIAL_URL,
|
|
"file": SUBJECT_TOKEN_TEXT_FILE,
|
|
}
|
|
|
|
with pytest.raises(ValueError) as excinfo:
|
|
self.make_credentials(credential_source=credential_source)
|
|
|
|
assert excinfo.match(r"Ambiguous credential_source")
|
|
|
|
def test_constructor_invalid_options_environment_id(self):
|
|
credential_source = {"url": self.CREDENTIAL_URL, "environment_id": "aws1"}
|
|
|
|
with pytest.raises(ValueError) as excinfo:
|
|
self.make_credentials(credential_source=credential_source)
|
|
|
|
assert excinfo.match(
|
|
r"Invalid Identity Pool credential_source field 'environment_id'"
|
|
)
|
|
|
|
def test_constructor_invalid_credential_source(self):
|
|
with pytest.raises(ValueError) as excinfo:
|
|
self.make_credentials(credential_source="non-dict")
|
|
|
|
assert excinfo.match(r"Missing credential_source")
|
|
|
|
def test_constructor_invalid_credential_source_format_type(self):
|
|
credential_source = {"format": {"type": "xml"}}
|
|
|
|
with pytest.raises(ValueError) as excinfo:
|
|
self.make_credentials(credential_source=credential_source)
|
|
|
|
assert excinfo.match(r"Invalid credential_source format 'xml'")
|
|
|
|
def test_constructor_missing_subject_token_field_name(self):
|
|
credential_source = {"format": {"type": "json"}}
|
|
|
|
with pytest.raises(ValueError) as excinfo:
|
|
self.make_credentials(credential_source=credential_source)
|
|
|
|
assert excinfo.match(
|
|
r"Missing subject_token_field_name for JSON credential_source format"
|
|
)
|
|
|
|
def test_info_with_workforce_pool_user_project(self):
|
|
credentials = self.make_credentials(
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT_URL.copy(),
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
assert credentials.info == {
|
|
"type": "external_account",
|
|
"audience": WORKFORCE_AUDIENCE,
|
|
"subject_token_type": WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"credential_source": self.CREDENTIAL_SOURCE_TEXT_URL,
|
|
"workforce_pool_user_project": WORKFORCE_POOL_USER_PROJECT,
|
|
}
|
|
|
|
def test_info_with_file_credential_source(self):
|
|
credentials = self.make_credentials(
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT_URL.copy()
|
|
)
|
|
|
|
assert credentials.info == {
|
|
"type": "external_account",
|
|
"audience": AUDIENCE,
|
|
"subject_token_type": SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"credential_source": self.CREDENTIAL_SOURCE_TEXT_URL,
|
|
}
|
|
|
|
def test_info_with_url_credential_source(self):
|
|
credentials = self.make_credentials(
|
|
credential_source=self.CREDENTIAL_SOURCE_JSON_URL.copy()
|
|
)
|
|
|
|
assert credentials.info == {
|
|
"type": "external_account",
|
|
"audience": AUDIENCE,
|
|
"subject_token_type": SUBJECT_TOKEN_TYPE,
|
|
"token_url": TOKEN_URL,
|
|
"credential_source": self.CREDENTIAL_SOURCE_JSON_URL,
|
|
}
|
|
|
|
def test_retrieve_subject_token_missing_subject_token(self, tmpdir):
|
|
# Provide empty text file.
|
|
empty_file = tmpdir.join("empty.txt")
|
|
empty_file.write("")
|
|
credential_source = {"file": str(empty_file)}
|
|
credentials = self.make_credentials(credential_source=credential_source)
|
|
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.retrieve_subject_token(None)
|
|
|
|
assert excinfo.match(r"Missing subject_token in the credential_source file")
|
|
|
|
def test_retrieve_subject_token_text_file(self):
|
|
credentials = self.make_credentials(
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT
|
|
)
|
|
|
|
subject_token = credentials.retrieve_subject_token(None)
|
|
|
|
assert subject_token == TEXT_FILE_SUBJECT_TOKEN
|
|
|
|
def test_retrieve_subject_token_json_file(self):
|
|
credentials = self.make_credentials(
|
|
credential_source=self.CREDENTIAL_SOURCE_JSON
|
|
)
|
|
|
|
subject_token = credentials.retrieve_subject_token(None)
|
|
|
|
assert subject_token == JSON_FILE_SUBJECT_TOKEN
|
|
|
|
def test_retrieve_subject_token_json_file_invalid_field_name(self):
|
|
credential_source = {
|
|
"file": SUBJECT_TOKEN_JSON_FILE,
|
|
"format": {"type": "json", "subject_token_field_name": "not_found"},
|
|
}
|
|
credentials = self.make_credentials(credential_source=credential_source)
|
|
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.retrieve_subject_token(None)
|
|
|
|
assert excinfo.match(
|
|
"Unable to parse subject_token from JSON file '{}' using key '{}'".format(
|
|
SUBJECT_TOKEN_JSON_FILE, "not_found"
|
|
)
|
|
)
|
|
|
|
def test_retrieve_subject_token_invalid_json(self, tmpdir):
|
|
# Provide JSON file. This should result in JSON parsing error.
|
|
invalid_json_file = tmpdir.join("invalid.json")
|
|
invalid_json_file.write("{")
|
|
credential_source = {
|
|
"file": str(invalid_json_file),
|
|
"format": {"type": "json", "subject_token_field_name": "access_token"},
|
|
}
|
|
credentials = self.make_credentials(credential_source=credential_source)
|
|
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.retrieve_subject_token(None)
|
|
|
|
assert excinfo.match(
|
|
"Unable to parse subject_token from JSON file '{}' using key '{}'".format(
|
|
str(invalid_json_file), "access_token"
|
|
)
|
|
)
|
|
|
|
def test_retrieve_subject_token_file_not_found(self):
|
|
credential_source = {"file": "./not_found.txt"}
|
|
credentials = self.make_credentials(credential_source=credential_source)
|
|
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.retrieve_subject_token(None)
|
|
|
|
assert excinfo.match(r"File './not_found.txt' was not found")
|
|
|
|
def test_refresh_text_file_success_without_impersonation_ignore_default_scopes(
|
|
self,
|
|
):
|
|
credentials = self.make_credentials(
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
scopes=SCOPES,
|
|
# Default scopes should be ignored.
|
|
default_scopes=["ignored"],
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=BASIC_AUTH_ENCODING,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
default_scopes=["ignored"],
|
|
)
|
|
|
|
def test_refresh_workforce_success_with_client_auth_without_impersonation(self):
|
|
credentials = self.make_credentials(
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
scopes=SCOPES,
|
|
# This will be ignored in favor of client auth.
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=BASIC_AUTH_ENCODING,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
workforce_pool_user_project=None,
|
|
)
|
|
|
|
def test_refresh_workforce_success_with_client_auth_and_no_workforce_project(self):
|
|
credentials = self.make_credentials(
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
scopes=SCOPES,
|
|
# This is not needed when client Auth is used.
|
|
workforce_pool_user_project=None,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=BASIC_AUTH_ENCODING,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
workforce_pool_user_project=None,
|
|
)
|
|
|
|
def test_refresh_workforce_success_without_client_auth_without_impersonation(self):
|
|
credentials = self.make_credentials(
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
client_id=None,
|
|
client_secret=None,
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
scopes=SCOPES,
|
|
# This will not be ignored as client auth is not used.
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=None,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
def test_refresh_workforce_success_without_client_auth_with_impersonation(self):
|
|
credentials = self.make_credentials(
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
client_id=None,
|
|
client_secret=None,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
scopes=SCOPES,
|
|
# This will not be ignored as client auth is not used.
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=WORKFORCE_AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=WORKFORCE_SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
basic_auth_encoding=None,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
workforce_pool_user_project=WORKFORCE_POOL_USER_PROJECT,
|
|
)
|
|
|
|
def test_refresh_text_file_success_without_impersonation_use_default_scopes(self):
|
|
credentials = self.make_credentials(
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
scopes=None,
|
|
# Default scopes should be used since user specified scopes are none.
|
|
default_scopes=SCOPES,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=BASIC_AUTH_ENCODING,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=None,
|
|
default_scopes=SCOPES,
|
|
)
|
|
|
|
def test_refresh_text_file_success_with_impersonation_ignore_default_scopes(self):
|
|
# Initialize credentials with service account impersonation and basic auth.
|
|
credentials = self.make_credentials(
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
scopes=SCOPES,
|
|
# Default scopes should be ignored.
|
|
default_scopes=["ignored"],
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
basic_auth_encoding=None,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
default_scopes=["ignored"],
|
|
)
|
|
|
|
def test_refresh_text_file_success_with_impersonation_use_default_scopes(self):
|
|
# Initialize credentials with service account impersonation, basic auth
|
|
# and default scopes (no user scopes).
|
|
credentials = self.make_credentials(
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
scopes=None,
|
|
# Default scopes should be used since user specified scopes are none.
|
|
default_scopes=SCOPES,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
basic_auth_encoding=None,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=None,
|
|
default_scopes=SCOPES,
|
|
)
|
|
|
|
def test_refresh_json_file_success_without_impersonation(self):
|
|
credentials = self.make_credentials(
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
# Test with JSON format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_JSON,
|
|
scopes=SCOPES,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=JSON_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=BASIC_AUTH_ENCODING,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
default_scopes=None,
|
|
)
|
|
|
|
def test_refresh_json_file_success_with_impersonation(self):
|
|
# Initialize credentials with service account impersonation and basic auth.
|
|
credentials = self.make_credentials(
|
|
# Test with JSON format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_JSON,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
scopes=SCOPES,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=JSON_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
basic_auth_encoding=None,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
default_scopes=None,
|
|
)
|
|
|
|
def test_refresh_with_retrieve_subject_token_error(self):
|
|
credential_source = {
|
|
"file": SUBJECT_TOKEN_JSON_FILE,
|
|
"format": {"type": "json", "subject_token_field_name": "not_found"},
|
|
}
|
|
credentials = self.make_credentials(credential_source=credential_source)
|
|
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.refresh(None)
|
|
|
|
assert excinfo.match(
|
|
"Unable to parse subject_token from JSON file '{}' using key '{}'".format(
|
|
SUBJECT_TOKEN_JSON_FILE, "not_found"
|
|
)
|
|
)
|
|
|
|
def test_retrieve_subject_token_from_url(self):
|
|
credentials = self.make_credentials(
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT_URL
|
|
)
|
|
request = self.make_mock_request(token_data=TEXT_FILE_SUBJECT_TOKEN)
|
|
subject_token = credentials.retrieve_subject_token(request)
|
|
|
|
assert subject_token == TEXT_FILE_SUBJECT_TOKEN
|
|
self.assert_credential_request_kwargs(request.call_args_list[0][1], None)
|
|
|
|
def test_retrieve_subject_token_from_url_with_headers(self):
|
|
credentials = self.make_credentials(
|
|
credential_source={"url": self.CREDENTIAL_URL, "headers": {"foo": "bar"}}
|
|
)
|
|
request = self.make_mock_request(token_data=TEXT_FILE_SUBJECT_TOKEN)
|
|
subject_token = credentials.retrieve_subject_token(request)
|
|
|
|
assert subject_token == TEXT_FILE_SUBJECT_TOKEN
|
|
self.assert_credential_request_kwargs(
|
|
request.call_args_list[0][1], {"foo": "bar"}
|
|
)
|
|
|
|
def test_retrieve_subject_token_from_url_json(self):
|
|
credentials = self.make_credentials(
|
|
credential_source=self.CREDENTIAL_SOURCE_JSON_URL
|
|
)
|
|
request = self.make_mock_request(token_data=JSON_FILE_CONTENT)
|
|
subject_token = credentials.retrieve_subject_token(request)
|
|
|
|
assert subject_token == JSON_FILE_SUBJECT_TOKEN
|
|
self.assert_credential_request_kwargs(request.call_args_list[0][1], None)
|
|
|
|
def test_retrieve_subject_token_from_url_json_with_headers(self):
|
|
credentials = self.make_credentials(
|
|
credential_source={
|
|
"url": self.CREDENTIAL_URL,
|
|
"format": {"type": "json", "subject_token_field_name": "access_token"},
|
|
"headers": {"foo": "bar"},
|
|
}
|
|
)
|
|
request = self.make_mock_request(token_data=JSON_FILE_CONTENT)
|
|
subject_token = credentials.retrieve_subject_token(request)
|
|
|
|
assert subject_token == JSON_FILE_SUBJECT_TOKEN
|
|
self.assert_credential_request_kwargs(
|
|
request.call_args_list[0][1], {"foo": "bar"}
|
|
)
|
|
|
|
def test_retrieve_subject_token_from_url_not_found(self):
|
|
credentials = self.make_credentials(
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT_URL
|
|
)
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.retrieve_subject_token(
|
|
self.make_mock_request(token_status=404, token_data=JSON_FILE_CONTENT)
|
|
)
|
|
|
|
assert excinfo.match("Unable to retrieve Identity Pool subject token")
|
|
|
|
def test_retrieve_subject_token_from_url_json_invalid_field(self):
|
|
credential_source = {
|
|
"url": self.CREDENTIAL_URL,
|
|
"format": {"type": "json", "subject_token_field_name": "not_found"},
|
|
}
|
|
credentials = self.make_credentials(credential_source=credential_source)
|
|
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.retrieve_subject_token(
|
|
self.make_mock_request(token_data=JSON_FILE_CONTENT)
|
|
)
|
|
|
|
assert excinfo.match(
|
|
"Unable to parse subject_token from JSON file '{}' using key '{}'".format(
|
|
self.CREDENTIAL_URL, "not_found"
|
|
)
|
|
)
|
|
|
|
def test_retrieve_subject_token_from_url_json_invalid_format(self):
|
|
credentials = self.make_credentials(
|
|
credential_source=self.CREDENTIAL_SOURCE_JSON_URL
|
|
)
|
|
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.retrieve_subject_token(self.make_mock_request(token_data="{"))
|
|
|
|
assert excinfo.match(
|
|
"Unable to parse subject_token from JSON file '{}' using key '{}'".format(
|
|
self.CREDENTIAL_URL, "access_token"
|
|
)
|
|
)
|
|
|
|
def test_refresh_text_file_success_without_impersonation_url(self):
|
|
credentials = self.make_credentials(
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT_URL,
|
|
scopes=SCOPES,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=BASIC_AUTH_ENCODING,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
default_scopes=None,
|
|
credential_data=TEXT_FILE_SUBJECT_TOKEN,
|
|
)
|
|
|
|
def test_refresh_text_file_success_with_impersonation_url(self):
|
|
# Initialize credentials with service account impersonation and basic auth.
|
|
credentials = self.make_credentials(
|
|
# Test with text format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_TEXT_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
scopes=SCOPES,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=TEXT_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
basic_auth_encoding=None,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
default_scopes=None,
|
|
credential_data=TEXT_FILE_SUBJECT_TOKEN,
|
|
)
|
|
|
|
def test_refresh_json_file_success_without_impersonation_url(self):
|
|
credentials = self.make_credentials(
|
|
client_id=CLIENT_ID,
|
|
client_secret=CLIENT_SECRET,
|
|
# Test with JSON format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_JSON_URL,
|
|
scopes=SCOPES,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=JSON_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=None,
|
|
basic_auth_encoding=BASIC_AUTH_ENCODING,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
default_scopes=None,
|
|
credential_data=JSON_FILE_CONTENT,
|
|
)
|
|
|
|
def test_refresh_json_file_success_with_impersonation_url(self):
|
|
# Initialize credentials with service account impersonation and basic auth.
|
|
credentials = self.make_credentials(
|
|
# Test with JSON format type.
|
|
credential_source=self.CREDENTIAL_SOURCE_JSON_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
scopes=SCOPES,
|
|
)
|
|
|
|
self.assert_underlying_credentials_refresh(
|
|
credentials=credentials,
|
|
audience=AUDIENCE,
|
|
subject_token=JSON_FILE_SUBJECT_TOKEN,
|
|
subject_token_type=SUBJECT_TOKEN_TYPE,
|
|
token_url=TOKEN_URL,
|
|
service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
|
|
basic_auth_encoding=None,
|
|
quota_project_id=None,
|
|
used_scopes=SCOPES,
|
|
scopes=SCOPES,
|
|
default_scopes=None,
|
|
credential_data=JSON_FILE_CONTENT,
|
|
)
|
|
|
|
def test_refresh_with_retrieve_subject_token_error_url(self):
|
|
credential_source = {
|
|
"url": self.CREDENTIAL_URL,
|
|
"format": {"type": "json", "subject_token_field_name": "not_found"},
|
|
}
|
|
credentials = self.make_credentials(credential_source=credential_source)
|
|
|
|
with pytest.raises(exceptions.RefreshError) as excinfo:
|
|
credentials.refresh(self.make_mock_request(token_data=JSON_FILE_CONTENT))
|
|
|
|
assert excinfo.match(
|
|
"Unable to parse subject_token from JSON file '{}' using key '{}'".format(
|
|
self.CREDENTIAL_URL, "not_found"
|
|
)
|
|
)
|