-
Notifications
You must be signed in to change notification settings - Fork 311
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: making iam endpoint universe-aware (#1604)
* feat: making iam endpoint universe-aware * feat: make sign and idtoken endpooints universe aware * add universe_domain parameter for the iam request * fix: test updates --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
- Loading branch information
1 parent
f070de0
commit 16c728d
Showing
8 changed files
with
178 additions
and
21 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -789,7 +789,7 @@ def test_refresh_iam_flow(self, call_iam_generate_id_token_endpoint): | |
| ) | ||
| request = mock.Mock() | ||
| credentials.refresh(request) | ||
| req, iam_endpoint, signer_email, target_audience, access_token = call_iam_generate_id_token_endpoint.call_args[ | ||
| req, iam_endpoint, signer_email, target_audience, access_token, universe_domain = call_iam_generate_id_token_endpoint.call_args[ | ||
| 0 | ||
| ] | ||
| assert req == request | ||
|
|
@@ -798,6 +798,7 @@ def test_refresh_iam_flow(self, call_iam_generate_id_token_endpoint): | |
| assert target_audience == "https://example.com" | ||
| decoded_access_token = jwt.decode(access_token, verify=False) | ||
| assert decoded_access_token["scope"] == "https://www.googleapis.com/auth/iam" | ||
| assert universe_domain == "googleapis.com" | ||
|
|
||
| @mock.patch( | ||
| "google.oauth2._client.call_iam_generate_id_token_endpoint", autospec=True | ||
|
|
@@ -811,18 +812,19 @@ def test_refresh_iam_flow_non_gdu(self, call_iam_generate_id_token_endpoint): | |
| ) | ||
| request = mock.Mock() | ||
| credentials.refresh(request) | ||
| req, iam_endpoint, signer_email, target_audience, access_token = call_iam_generate_id_token_endpoint.call_args[ | ||
| req, iam_endpoint, signer_email, target_audience, access_token, universe_domain = call_iam_generate_id_token_endpoint.call_args[ | ||
| 0 | ||
| ] | ||
| assert req == request | ||
| assert ( | ||
| iam_endpoint | ||
| == "https://iamcredentials.fake-universe/v1/projects/-/serviceAccounts/{}:generateIdToken" | ||
| == "https://iamcredentials.{}/v1/projects/-/serviceAccounts/{}:generateIdToken" | ||
| ) | ||
| assert signer_email == "[email protected]" | ||
| assert target_audience == "https://example.com" | ||
| decoded_access_token = jwt.decode(access_token, verify=False) | ||
| assert decoded_access_token["scope"] == "https://www.googleapis.com/auth/iam" | ||
| assert universe_domain == "fake-universe" | ||
|
|
||
| @mock.patch("google.oauth2._client.id_token_jwt_grant", autospec=True) | ||
| def test_before_request_refreshes(self, id_token_jwt_grant): | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -146,6 +146,13 @@ def test_get_cred_info(self): | |
| "principal": "[email protected]", | ||
| } | ||
|
|
||
| def test_universe_domain_matching_source(self): | ||
| source_credentials = service_account.Credentials( | ||
| SIGNER, "[email protected]", TOKEN_URI, universe_domain="foo.bar" | ||
| ) | ||
| credentials = self.make_credentials(source_credentials=source_credentials) | ||
| assert credentials.universe_domain == "foo.bar" | ||
|
|
||
| def test__make_copy_get_cred_info(self): | ||
| credentials = self.make_credentials() | ||
| credentials._cred_file_path = "/path/to/file" | ||
|
|
@@ -231,6 +238,38 @@ def test_refresh_success(self, use_data_bytes, mock_donor_credentials): | |
| == ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE | ||
| ) | ||
|
|
||
| @pytest.mark.parametrize("use_data_bytes", [True, False]) | ||
| def test_refresh_success_nonGdu(self, use_data_bytes, mock_donor_credentials): | ||
| source_credentials = service_account.Credentials( | ||
| SIGNER, "[email protected]", TOKEN_URI, universe_domain="foo.bar" | ||
| ) | ||
| credentials = self.make_credentials( | ||
| lifetime=None, source_credentials=source_credentials | ||
| ) | ||
| token = "token" | ||
|
|
||
| expire_time = ( | ||
| _helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500) | ||
| ).isoformat("T") + "Z" | ||
| response_body = {"accessToken": token, "expireTime": expire_time} | ||
|
|
||
| request = self.make_request( | ||
| data=json.dumps(response_body), | ||
| status=http_client.OK, | ||
| use_data_bytes=use_data_bytes, | ||
| ) | ||
|
|
||
| credentials.refresh(request) | ||
|
|
||
| assert credentials.valid | ||
| assert not credentials.expired | ||
| # Confirm override endpoint used. | ||
| request_kwargs = request.call_args[1] | ||
| assert ( | ||
| request_kwargs["url"] | ||
| == "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken" | ||
| ) | ||
|
|
||
| @pytest.mark.parametrize("use_data_bytes", [True, False]) | ||
| def test_refresh_success_iam_endpoint_override( | ||
| self, use_data_bytes, mock_donor_credentials | ||
|
|
@@ -397,6 +436,38 @@ def test_service_account_email(self): | |
|
|
||
| def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign): | ||
| credentials = self.make_credentials(lifetime=None) | ||
| expected_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:signBlob" | ||
| self._sign_bytes_helper( | ||
| credentials, | ||
| mock_donor_credentials, | ||
| mock_authorizedsession_sign, | ||
| expected_url, | ||
| ) | ||
|
|
||
| def test_sign_bytes_nonGdu( | ||
| self, mock_donor_credentials, mock_authorizedsession_sign | ||
| ): | ||
| source_credentials = service_account.Credentials( | ||
| SIGNER, "[email protected]", TOKEN_URI, universe_domain="foo.bar" | ||
| ) | ||
| credentials = self.make_credentials( | ||
| lifetime=None, source_credentials=source_credentials | ||
| ) | ||
| expected_url = "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/[email protected]:signBlob" | ||
| self._sign_bytes_helper( | ||
| credentials, | ||
| mock_donor_credentials, | ||
| mock_authorizedsession_sign, | ||
| expected_url, | ||
| ) | ||
|
|
||
| def _sign_bytes_helper( | ||
| self, | ||
| credentials, | ||
| mock_donor_credentials, | ||
| mock_authorizedsession_sign, | ||
| expected_url, | ||
| ): | ||
| token = "token" | ||
|
|
||
| expire_time = ( | ||
|
|
@@ -412,11 +483,19 @@ def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign): | |
| request.return_value = response | ||
|
|
||
| credentials.refresh(request) | ||
|
|
||
| assert credentials.valid | ||
| assert not credentials.expired | ||
|
|
||
| signature = credentials.sign_bytes(b"signed bytes") | ||
| mock_authorizedsession_sign.assert_called_with( | ||
| mock.ANY, | ||
| "POST", | ||
| expected_url, | ||
| None, | ||
| json={"payload": "c2lnbmVkIGJ5dGVz", "delegates": []}, | ||
| headers={"Content-Type": "application/json"}, | ||
| ) | ||
|
|
||
| assert signature == b"signature" | ||
|
|
||
| def test_sign_bytes_failure(self): | ||
|
|
@@ -563,6 +642,45 @@ def test_id_token_from_credential( | |
| self, mock_donor_credentials, mock_authorizedsession_idtoken | ||
| ): | ||
| credentials = self.make_credentials(lifetime=None) | ||
| target_credentials = self.make_credentials(lifetime=None) | ||
| expected_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateIdToken" | ||
| self._test_id_token_helper( | ||
| credentials, | ||
| target_credentials, | ||
| mock_donor_credentials, | ||
| mock_authorizedsession_idtoken, | ||
| expected_url, | ||
| ) | ||
|
|
||
| def test_id_token_from_credential_nonGdu( | ||
| self, mock_donor_credentials, mock_authorizedsession_idtoken | ||
| ): | ||
| source_credentials = service_account.Credentials( | ||
| SIGNER, "[email protected]", TOKEN_URI, universe_domain="foo.bar" | ||
| ) | ||
| credentials = self.make_credentials( | ||
| lifetime=None, source_credentials=source_credentials | ||
| ) | ||
| target_credentials = self.make_credentials( | ||
| lifetime=None, source_credentials=source_credentials | ||
| ) | ||
| expected_url = "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/[email protected]:generateIdToken" | ||
| self._test_id_token_helper( | ||
| credentials, | ||
| target_credentials, | ||
| mock_donor_credentials, | ||
| mock_authorizedsession_idtoken, | ||
| expected_url, | ||
| ) | ||
|
|
||
| def _test_id_token_helper( | ||
| self, | ||
| credentials, | ||
| target_credentials, | ||
| mock_donor_credentials, | ||
| mock_authorizedsession_idtoken, | ||
| expected_url, | ||
| ): | ||
| token = "token" | ||
| target_audience = "https://foo.bar" | ||
|
|
||
|
|
@@ -580,17 +698,19 @@ def test_id_token_from_credential( | |
| assert credentials.valid | ||
| assert not credentials.expired | ||
|
|
||
| new_credentials = self.make_credentials(lifetime=None) | ||
|
|
||
| id_creds = impersonated_credentials.IDTokenCredentials( | ||
| credentials, target_audience=target_audience, include_email=True | ||
| ) | ||
| id_creds = id_creds.from_credentials(target_credentials=new_credentials) | ||
| id_creds = id_creds.from_credentials(target_credentials=target_credentials) | ||
| id_creds.refresh(request) | ||
|
|
||
| args = mock_authorizedsession_idtoken.call_args.args | ||
|
|
||
| assert args[2] == expected_url | ||
|
|
||
| assert id_creds.token == ID_TOKEN_DATA | ||
| assert id_creds._include_email is True | ||
| assert id_creds._target_credentials is new_credentials | ||
| assert id_creds._target_credentials is target_credentials | ||
|
|
||
| def test_id_token_with_target_audience( | ||
| self, mock_donor_credentials, mock_authorizedsession_idtoken | ||
|
|
||