def test_signed_jwt_for_p12(self): from oauth2client import service_account from gcloud._testing import _Monkey from gcloud import credentials as MUT PRIVATE_KEY = b'dummy_private_key_text' SIGNER = object() credentials = service_account.ServiceAccountCredentials( 'dummy_service_account_email', SIGNER) credentials._private_key_pkcs12 = PRIVATE_KEY credentials._private_key_password = password = '******' crypt = _Crypt() load_result = object() openssl_crypto = _OpenSSLCrypto(load_result, None) with _Monkey(MUT, crypt=crypt, crypto=openssl_crypto): result = self._callFUT(credentials) self.assertEqual(crypt._private_key_text, PRIVATE_KEY) self.assertEqual(crypt._private_key_password, password) self.assertEqual(result, load_result) self.assertEqual(openssl_crypto._loaded, [(openssl_crypto.FILETYPE_PEM, _Crypt._KEY)]) self.assertEqual(openssl_crypto._signed, [])
def testIsServiceAccountCredential(self): oauth2client_cred = service_account.ServiceAccountCredentials( None, 'email') google_auth_cred = google_auth_service_account.Credentials( None, 'email', 'token_uri') self.assertTrue( auth_util.IsServiceAccountCredential(oauth2client_cred)) self.assertTrue(auth_util.IsServiceAccountCredential(google_auth_cred))
def test_create_delegated(self): signer = object() sub = '*****@*****.**' creds = service_account.ServiceAccountCredentials( '*****@*****.**', signer) self.assertNotIn('sub', creds._kwargs) delegated_creds = creds.create_delegated(sub) self.assertEqual(delegated_creds._kwargs['sub'], sub) # Make sure the original is unchanged. self.assertNotIn('sub', creds._kwargs)
def test_create_scoped_required_with_scopes(self): signer = object() self.credentials = service_account.ServiceAccountCredentials( self.service_account_email, signer, scopes=self.scopes, private_key_id=self.private_key_id, client_id=self.client_id, ) self.assertFalse(self.credentials.create_scoped_required())
def test_service_account_type(self): from oauth2client import service_account SERVICE_ACCOUNT_NAME = 'SERVICE_ACCOUNT_NAME' SIGNER = object() CREDENTIALS = service_account.ServiceAccountCredentials( SERVICE_ACCOUNT_NAME, SIGNER) found = self._callFUT(CREDENTIALS) self.assertEqual(found, SERVICE_ACCOUNT_NAME)
def test_create_delegated_existing_sub(self): signer = object() sub1 = '*****@*****.**' sub2 = '*****@*****.**' creds = service_account.ServiceAccountCredentials('*****@*****.**', signer, sub=sub1) self.assertEqual(creds._kwargs['sub'], sub1) delegated_creds = creds.create_delegated(sub2) self.assertEqual(delegated_creds._kwargs['sub'], sub2) # Make sure the original is unchanged. self.assertEqual(creds._kwargs['sub'], sub1)
def test_json_type(self): from oauth2client import service_account from gcloud._testing import _Monkey PRIVATE_KEY_TEXT = 'dummy_private_key_pkcs8_text' STRING_TO_SIGN = b'dummy_signature' SIGNER = object() CREDENTIALS = service_account.ServiceAccountCredentials( 'dummy_service_account_email', SIGNER) CREDENTIALS._private_key_pkcs8_pem = PRIVATE_KEY_TEXT self._run_with_fake_crypto(CREDENTIALS, PRIVATE_KEY_TEXT, STRING_TO_SIGN)
def setUp(self): self.client_id = '123' self.service_account_email = '*****@*****.**' self.private_key_id = 'ABCDEF' self.private_key = datafile('pem_from_pkcs12.pem') self.scopes = ['dummy_scope'] self.signer = crypt.Signer.from_string(self.private_key) self.credentials = service_account.ServiceAccountCredentials( self.service_account_email, self.signer, private_key_id=self.private_key_id, client_id=self.client_id, )
def test_without_pyopenssl(self): from oauth2client import service_account from gcloud._testing import _Monkey from gcloud import credentials as credentials_mod PRIVATE_TEXT = 'dummy_private_key_pkcs8_text' SIGNER = object() credentials = service_account.ServiceAccountCredentials( 'dummy_service_account_email', SIGNER) credentials._private_key_pkcs8_pem = PRIVATE_TEXT with _Monkey(credentials_mod, crypto=None): with self.assertRaises(EnvironmentError): self._callFUT(credentials)
def test__to_json_override(self): signer = object() creds = service_account.ServiceAccountCredentials( '*****@*****.**', signer) self.assertEqual(creds._signer, signer) # Serialize over-ridden data (unrelated to ``creds``). to_serialize = {'unrelated': 'data'} serialized_str = creds._to_json([], to_serialize.copy()) serialized_data = json.loads(serialized_str) expected_serialized = { '_class': 'ServiceAccountCredentials', '_module': 'oauth2client.service_account', 'token_expiry': None, } expected_serialized.update(to_serialize) self.assertEqual(serialized_data, expected_serialized)
def _make_credentials(self): private_key = datafile('privatekey.' + self.format_) signer = crypt.Signer.from_string(private_key) credentials = service_account.ServiceAccountCredentials( '*****@*****.**', signer, scopes='read+write', sub='*****@*****.**') if self.format_ == 'pem': credentials._private_key_pkcs8_pem = private_key elif self.format_ == 'p12': credentials._private_key_pkcs12 = private_key credentials._private_key_password = ( service_account._PASSWORD_DEFAULT) else: # pragma: NO COVER raise ValueError('Unexpected format.') return credentials
def testMaybeConvertP12ServiceAccountCredsToGoogleAuthCreds(self): cred_p12 = service_account.ServiceAccountCredentials( 'service_account_email', None, config.CLOUDSDK_SCOPES, 'private_key_id', 'client_id', None, 'token_uri') cred_p12.access_token = 'access-token' cred_p12.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0) cred_p12._private_key_pkcs12 = '_private_key_pkcs12' cred_returned = creds.MaybeConvertToGoogleAuthCredentials(cred_p12, True) self.assertIsInstance(cred_returned, service_account.ServiceAccountCredentials) self.AssertCredentialsEqual( cred_returned, { 'access_token': 'access-token', 'token_expiry': datetime.datetime(2017, 1, 8, 0, 0, 0), 'client_id': 'client_id', '_private_key_id': 'private_key_id', '_private_key_pkcs12': '_private_key_pkcs12', 'token_uri': 'token_uri', })
def test_service_account_via_json_key(self): from oauth2client import service_account from gcloud._testing import _Monkey from gcloud import credentials as MUT scopes = [] PRIVATE_TEXT = 'dummy_private_key_pkcs8_text' SIGNER = object() credentials = service_account.ServiceAccountCredentials( 'dummy_service_account_email', SIGNER, scopes=scopes) credentials._private_key_pkcs8_pem = PRIVATE_TEXT load_result = object() openssl_crypto = _OpenSSLCrypto(load_result, None) with _Monkey(MUT, crypto=openssl_crypto): result = self._callFUT(credentials) self.assertEqual(result, load_result) self.assertEqual(openssl_crypto._loaded, [(openssl_crypto.FILETYPE_PEM, PRIVATE_TEXT)]) self.assertEqual(openssl_crypto._signed, [])
def test_access_token(self, utcnow): # Configure the patch. seconds = 11 NOW = datetime.datetime(1992, 12, 31, second=seconds) utcnow.return_value = NOW # Create a custom credentials with a mock signer. signer = mock.MagicMock() signed_value = b'signed-content' signer.sign = mock.MagicMock(name='sign', return_value=signed_value) credentials = service_account.ServiceAccountCredentials( self.service_account_email, signer, private_key_id=self.private_key_id, client_id=self.client_id, ) # Begin testing. lifetime = 2 # number of seconds in which the token expires EXPIRY_TIME = datetime.datetime(1992, 12, 31, second=seconds + lifetime) token1 = u'first_token' token_response_first = { 'access_token': token1, 'expires_in': lifetime, } token2 = u'second_token' token_response_second = { 'access_token': token2, 'expires_in': lifetime, } http = HttpMockSequence([ ({ 'status': '200' }, json.dumps(token_response_first).encode('utf-8')), ({ 'status': '200' }, json.dumps(token_response_second).encode('utf-8')), ]) # Get Access Token, First attempt. self.assertIsNone(credentials.access_token) self.assertFalse(credentials.access_token_expired) self.assertIsNone(credentials.token_expiry) token = credentials.get_access_token(http=http) self.assertEqual(credentials.token_expiry, EXPIRY_TIME) self.assertEqual(token1, token.access_token) self.assertEqual(lifetime, token.expires_in) self.assertEqual(token_response_first, credentials.token_response) # Two utcnow calls are expected: # - get_access_token() -> _do_refresh_request (setting expires in) # - get_access_token() -> _expires_in() expected_utcnow_calls = [mock.call()] * 2 self.assertEqual(expected_utcnow_calls, utcnow.mock_calls) # One call to sign() expected: Actual refresh was needed. self.assertEqual(len(signer.sign.mock_calls), 1) # Get Access Token, Second Attempt (not expired) self.assertEqual(credentials.access_token, token1) self.assertFalse(credentials.access_token_expired) token = credentials.get_access_token(http=http) # Make sure no refresh occurred since the token was not expired. self.assertEqual(token1, token.access_token) self.assertEqual(lifetime, token.expires_in) self.assertEqual(token_response_first, credentials.token_response) # Three more utcnow calls are expected: # - access_token_expired # - get_access_token() -> access_token_expired # - get_access_token -> _expires_in expected_utcnow_calls = [mock.call()] * (2 + 3) self.assertEqual(expected_utcnow_calls, utcnow.mock_calls) # No call to sign() expected: the token was not expired. self.assertEqual(len(signer.sign.mock_calls), 1 + 0) # Get Access Token, Third Attempt (force expiration) self.assertEqual(credentials.access_token, token1) credentials.token_expiry = NOW # Manually force expiry. self.assertTrue(credentials.access_token_expired) token = credentials.get_access_token(http=http) # Make sure refresh occurred since the token was not expired. self.assertEqual(token2, token.access_token) self.assertEqual(lifetime, token.expires_in) self.assertFalse(credentials.access_token_expired) self.assertEqual(token_response_second, credentials.token_response) # Five more utcnow calls are expected: # - access_token_expired # - get_access_token -> access_token_expired # - get_access_token -> _do_refresh_request # - get_access_token -> _expires_in # - access_token_expired expected_utcnow_calls = [mock.call()] * (2 + 3 + 5) self.assertEqual(expected_utcnow_calls, utcnow.mock_calls) # One more call to sign() expected: Actual refresh was needed. self.assertEqual(len(signer.sign.mock_calls), 1 + 0 + 1) self.assertEqual(credentials.access_token, token2)
def _MakeEmptyServiceAccountCredentialsOauth2client(): return service_account.ServiceAccountCredentials(None, None)