fix: more nonGdu tests
TimurSadykov committed Oct 19, 2024
1 parent b3d5579 commit 1c4b998
Showing 1 changed file with 110 additions and 5 deletions.
115 changes: 110 additions & 5 deletions tests/test_impersonated_credentials.py
@@ -238,6 +238,38 @@ def test_refresh_success(self, use_data_bytes, mock_donor_credentials):
== ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE
)

@pytest.mark.parametrize("use_data_bytes", [True, False])
def test_refresh_success_nonGdu(self, use_data_bytes, mock_donor_credentials):
source_credentials = service_account.Credentials(
SIGNER, "[email protected]", TOKEN_URI, universe_domain="foo.bar"
)
credentials = self.make_credentials(
lifetime=None, source_credentials=source_credentials
)
token = "token"

expire_time = (
_helpers.utcnow().replace(microsecond=0) + datetime.timedelta(seconds=500)
).isoformat("T") + "Z"
response_body = {"accessToken": token, "expireTime": expire_time}

request = self.make_request(
data=json.dumps(response_body),
status=http_client.OK,
use_data_bytes=use_data_bytes,
)

credentials.refresh(request)

assert credentials.valid
assert not credentials.expired
# Confirm override endpoint used.
request_kwargs = request.call_args[1]
assert (
request_kwargs["url"]
== "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
)

@pytest.mark.parametrize("use_data_bytes", [True, False])
def test_refresh_success_iam_endpoint_override(
self, use_data_bytes, mock_donor_credentials
@@ -404,6 +436,38 @@ def test_service_account_email(self):

def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign):
credentials = self.make_credentials(lifetime=None)
expected_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:signBlob"
self._sign_bytes_helper(
credentials,
mock_donor_credentials,
mock_authorizedsession_sign,
expected_url,
)

def test_sign_bytes_nonGdu(
self, mock_donor_credentials, mock_authorizedsession_sign
):
source_credentials = service_account.Credentials(
SIGNER, "[email protected]", TOKEN_URI, universe_domain="foo.bar"
)
credentials = self.make_credentials(
lifetime=None, source_credentials=source_credentials
)
expected_url = "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/[email protected]:signBlob"
self._sign_bytes_helper(
credentials,
mock_donor_credentials,
mock_authorizedsession_sign,
expected_url,
)

def _sign_bytes_helper(
self,
credentials,
mock_donor_credentials,
mock_authorizedsession_sign,
expected_url,
):
token = "token"

expire_time = (
@@ -426,7 +490,7 @@ def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign):
mock_authorizedsession_sign.assert_called_with(
mock.ANY,
"POST",
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:signBlob",
expected_url,
None,
json={"payload": "c2lnbmVkIGJ5dGVz", "delegates": []},
headers={"Content-Type": "application/json"},
@@ -578,6 +642,45 @@ def test_id_token_from_credential(
self, mock_donor_credentials, mock_authorizedsession_idtoken
):
credentials = self.make_credentials(lifetime=None)
target_credentials = self.make_credentials(lifetime=None)
expected_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateIdToken"
self._test_id_token_helper(
credentials,
target_credentials,
mock_donor_credentials,
mock_authorizedsession_idtoken,
expected_url,
)

def test_id_token_from_credential_nonGdu(
self, mock_donor_credentials, mock_authorizedsession_idtoken
):
source_credentials = service_account.Credentials(
SIGNER, "[email protected]", TOKEN_URI, universe_domain="foo.bar"
)
credentials = self.make_credentials(
lifetime=None, source_credentials=source_credentials
)
target_credentials = self.make_credentials(
lifetime=None, source_credentials=source_credentials
)
expected_url = "https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/[email protected]:generateIdToken"
self._test_id_token_helper(
credentials,
target_credentials,
mock_donor_credentials,
mock_authorizedsession_idtoken,
expected_url,
)

def _test_id_token_helper(
self,
credentials,
target_credentials,
mock_donor_credentials,
mock_authorizedsession_idtoken,
expected_url,
):
token = "token"
target_audience = "https://foo.bar"

@@ -595,17 +698,19 @@ def test_id_token_from_credential(
assert credentials.valid
assert not credentials.expired

new_credentials = self.make_credentials(lifetime=None)

id_creds = impersonated_credentials.IDTokenCredentials(
credentials, target_audience=target_audience, include_email=True
)
id_creds = id_creds.from_credentials(target_credentials=new_credentials)
id_creds = id_creds.from_credentials(target_credentials=target_credentials)
id_creds.refresh(request)

args = mock_authorizedsession_idtoken.call_args.args

assert args[2] == expected_url

assert id_creds.token == ID_TOKEN_DATA
assert id_creds._include_email is True
assert id_creds._target_credentials is new_credentials
assert id_creds._target_credentials is target_credentials

def test_id_token_with_target_audience(
self, mock_donor_credentials, mock_authorizedsession_idtoken
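Review bot: `test_id_token_from_credential_nonGdu` builds both `credentials` and `target_credentials` from the same `source_credentials` with `universe_domain="foo.bar"`, so the `assert args[2] == expected_url` check in `_test_id_token_helper` cannot tell which of the two objects supplied the host in the generateIdToken URL. Because the IAM endpoint host follows a value carried on the credential, the test should pin that choice: if the target passed to `from_credentials` is meant to decide it (not visible from this page), leave `credentials = self.make_credentials(lifetime=None)` on the default universe here and keep only `target_credentials` on `foo.bar`. The helper's `target_audience = "https://foo.bar"` also reuses the universe string; a distinct constructed value such as `"https://audience.example"` would make a failing assertion easier to read. Part of `_test_id_token_helper`'s body lies outside the visible hunks.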