def test_grpc_request_with_regular_credentials_and_self_signed_jwt(
http_request):
credentials, project_id = google.auth.default()
# At the time this test is being written, there are no GAPIC libraries
# that will trigger the self-signed JWT flow. Manually create the self-signed
# jwt on the service account credential to check that the request
# succeeds.
credentials = credentials.with_scopes(
scopes=[], default_scopes=["https://www.googleapis.com/auth/pubsub"])
credentials._create_self_signed_jwt(
audience="https://pubsub.googleapis.com/")
# Create a pub/sub client.
client = pubsub_v1.PublisherClient(credentials=credentials)
# list the topics and drain the iterator to test that an authorized API
# call works.
list_topics_iter = client.list_topics(
project="projects/{}".format(project_id))
list(list_topics_iter)
# Check that self-signed JWT was created and is being used
assert credentials._jwt_credentials is not None
assert credentials._jwt_credentials.token == credentials.token
def spanner_api(self):
"""Helper for session-related API calls."""
if self._spanner_api is None:
credentials = self._instance._client.credentials
if isinstance(credentials, google.auth.credentials.Scoped):
credentials = credentials.with_scopes((SPANNER_DATA_SCOPE, ))
self._spanner_api = SpannerClient(credentials=credentials,
client_info=_CLIENT_INFO)
return self._spanner_api
def spanner_api(self):
"""Helper for session-related API calls."""
if self._spanner_api is None:
credentials = self._instance._client.credentials
if isinstance(credentials, google.auth.credentials.Scoped):
credentials = credentials.with_scopes((SPANNER_DATA_SCOPE,))
self._spanner_api = SpannerClient(
credentials=credentials, client_info=_CLIENT_INFO
)
return self._spanner_api
def spanner_api(self):
"""Helper for session-related API calls."""
if self._spanner_api is None:
credentials = self._instance._client.credentials
if isinstance(credentials, google.auth.credentials.Scoped):
credentials = credentials.with_scopes((SPANNER_DATA_SCOPE, ))
self._spanner_api = SpannerClient(
lib_name='gccl',
lib_version=__version__,
credentials=credentials,
)
return self._spanner_api
def spanner_api(self):
"""Helper for session-related API calls."""
if self._spanner_api is None:
client_info = self._instance._client._client_info
client_options = self._instance._client._client_options
if self._instance.emulator_host is not None:
transport = spanner_grpc_transport.SpannerGrpcTransport(
channel=grpc.insecure_channel(
self._instance.emulator_host))
self._spanner_api = SpannerClient(
client_info=client_info,
client_options=client_options,
transport=transport,
)
return self._spanner_api
credentials = self._instance._client.credentials
if isinstance(credentials, google.auth.credentials.Scoped):
credentials = credentials.with_scopes((SPANNER_DATA_SCOPE, ))
if (os.getenv("GOOGLE_CLOUD_SPANNER_ENABLE_RESOURCE_BASED_ROUTING")
== "true"):
endpoint_cache = self._instance._client._endpoint_cache
if self._instance.name in endpoint_cache:
client_options = ClientOptions(
api_endpoint=endpoint_cache[self._instance.name])
else:
try:
api = self._instance._client.instance_admin_api
resp = api.get_instance(
self._instance.name,
field_mask={"paths": ["endpoint_uris"]},
metadata=_metadata_with_prefix(self.name),
)
endpoints = resp.endpoint_uris
if endpoints:
endpoint_cache[self._instance.name] = list(
endpoints)[0]
client_options = ClientOptions(
api_endpoint=endpoint_cache[
self._instance.name])
# If there are no endpoints, use default endpoint.
except PermissionDenied:
warnings.warn(
_RESOURCE_ROUTING_PERMISSIONS_WARNING,
ResourceRoutingPermissionsWarning,
stacklevel=2,
)
self._spanner_api = SpannerClient(
credentials=credentials,
client_info=client_info,
client_options=client_options,
)
return self._spanner_api
def spanner_api(self):
"""Helper for session-related API calls."""
if self._spanner_api is None:
client_info = self._instance._client._client_info
client_options = self._instance._client._client_options
if self._instance.emulator_host is not None:
transport = SpannerGrpcTransport(channel=grpc.insecure_channel(
self._instance.emulator_host))
self._spanner_api = SpannerClient(client_info=client_info,
transport=transport)
return self._spanner_api
credentials = self._instance._client.credentials
if isinstance(credentials, google.auth.credentials.Scoped):
credentials = credentials.with_scopes((SPANNER_DATA_SCOPE, ))
self._spanner_api = SpannerClient(
credentials=credentials,
client_info=client_info,
client_options=client_options,
)
return self._spanner_api
def test_authorized_session_with_service_account_and_self_signed_jwt():
credentials, project_id = google.auth.default()
credentials = credentials.with_scopes(
scopes=[],
default_scopes=["https://www.googleapis.com/auth/pubsub"],
)
session = google.auth.transport.requests.AuthorizedSession(
credentials=credentials, default_host="pubsub.googleapis.com")
# List Pub/Sub Topics through the REST API
# https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/list
response = session.get(
"https://pubsub.googleapis.com/v1/projects/{}/topics".format(
project_id))
response.raise_for_status()
# Check that self-signed JWT was created and is being used
assert credentials._jwt_credentials is not None
assert credentials._jwt_credentials.token == credentials.token
def test_authorized_session_with_service_account_and_self_signed_jwt():
credentials, project_id = google.auth.default()
credentials = credentials.with_scopes(
scopes=[],
default_scopes=["https://www.googleapis.com/auth/pubsub"],
)
http = google.auth.transport.urllib3.AuthorizedHttp(
credentials=credentials, default_host="pubsub.googleapis.com")
# List Pub/Sub Topics through the REST API
# https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/list
response = http.urlopen(
method="GET",
url="https://pubsub.googleapis.com/v1/projects/{}/topics".format(
project_id))
assert response.status == 200
# Check that self-signed JWT was created and is being used
assert credentials._jwt_credentials is not None
assert credentials._jwt_credentials.token == credentials.token
def with_scopes_if_required(credentials, scopes):
"""Creates a copy of the credentials with scopes if scoping is required.
This helper function is useful when you do not know (or care to know) the
specific type of credentials you are using (such as when you use
:func:`google.auth.default`). This function will call
:meth:`Scoped.with_scopes` if the credentials are scoped credentials and if
the credentials require scoping. Otherwise, it will return the credentials
as-is.
Args:
credentials (google.auth.credentials.Credentials): The credentials to
scope if necessary.
scopes (Sequence[str]): The list of scopes to use.
Returns:
google.auth._credentials_async.Credentials: Either a new set of scoped
credentials, or the passed in credentials instance if no scoping
was required.
"""
if isinstance(credentials, Scoped) and credentials.requires_scopes:
return credentials.with_scopes(scopes)
else:
return credentials
