def test_signed_jwt_for_p12(self):
from oauth2client import service_account
from gcloud._testing import _Monkey
from gcloud import credentials as MUT
PRIVATE_KEY = b'dummy_private_key_text'
SIGNER = object()
credentials = service_account.ServiceAccountCredentials(
'dummy_service_account_email', SIGNER)
credentials._private_key_pkcs12 = PRIVATE_KEY
credentials._private_key_password = password = '******'
crypt = _Crypt()
load_result = object()
openssl_crypto = _OpenSSLCrypto(load_result, None)
with _Monkey(MUT, crypt=crypt, crypto=openssl_crypto):
result = self._callFUT(credentials)
self.assertEqual(crypt._private_key_text, PRIVATE_KEY)
self.assertEqual(crypt._private_key_password, password)
self.assertEqual(result, load_result)
self.assertEqual(openssl_crypto._loaded,
[(openssl_crypto.FILETYPE_PEM, _Crypt._KEY)])
self.assertEqual(openssl_crypto._signed, [])
def testIsServiceAccountCredential(self):
oauth2client_cred = service_account.ServiceAccountCredentials(
None, 'email')
google_auth_cred = google_auth_service_account.Credentials(
None, 'email', 'token_uri')
self.assertTrue(
auth_util.IsServiceAccountCredential(oauth2client_cred))
self.assertTrue(auth_util.IsServiceAccountCredential(google_auth_cred))
def test_create_delegated(self):
signer = object()
sub = '*****@*****.**'
creds = service_account.ServiceAccountCredentials(
'*****@*****.**', signer)
self.assertNotIn('sub', creds._kwargs)
delegated_creds = creds.create_delegated(sub)
self.assertEqual(delegated_creds._kwargs['sub'], sub)
# Make sure the original is unchanged.
self.assertNotIn('sub', creds._kwargs)
def test_create_scoped_required_with_scopes(self):
signer = object()
self.credentials = service_account.ServiceAccountCredentials(
self.service_account_email,
signer,
scopes=self.scopes,
private_key_id=self.private_key_id,
client_id=self.client_id,
)
self.assertFalse(self.credentials.create_scoped_required())
def test_service_account_type(self):
from oauth2client import service_account
SERVICE_ACCOUNT_NAME = 'SERVICE_ACCOUNT_NAME'
SIGNER = object()
CREDENTIALS = service_account.ServiceAccountCredentials(
SERVICE_ACCOUNT_NAME, SIGNER)
found = self._callFUT(CREDENTIALS)
self.assertEqual(found, SERVICE_ACCOUNT_NAME)
def test_create_delegated_existing_sub(self):
signer = object()
sub1 = '*****@*****.**'
sub2 = '*****@*****.**'
creds = service_account.ServiceAccountCredentials('*****@*****.**',
signer,
sub=sub1)
self.assertEqual(creds._kwargs['sub'], sub1)
delegated_creds = creds.create_delegated(sub2)
self.assertEqual(delegated_creds._kwargs['sub'], sub2)
# Make sure the original is unchanged.
self.assertEqual(creds._kwargs['sub'], sub1)
def test_json_type(self):
from oauth2client import service_account
from gcloud._testing import _Monkey
PRIVATE_KEY_TEXT = 'dummy_private_key_pkcs8_text'
STRING_TO_SIGN = b'dummy_signature'
SIGNER = object()
CREDENTIALS = service_account.ServiceAccountCredentials(
'dummy_service_account_email', SIGNER)
CREDENTIALS._private_key_pkcs8_pem = PRIVATE_KEY_TEXT
self._run_with_fake_crypto(CREDENTIALS, PRIVATE_KEY_TEXT,
STRING_TO_SIGN)
def setUp(self):
self.client_id = '123'
self.service_account_email = '*****@*****.**'
self.private_key_id = 'ABCDEF'
self.private_key = datafile('pem_from_pkcs12.pem')
self.scopes = ['dummy_scope']
self.signer = crypt.Signer.from_string(self.private_key)
self.credentials = service_account.ServiceAccountCredentials(
self.service_account_email,
self.signer,
private_key_id=self.private_key_id,
client_id=self.client_id,
)
def test_without_pyopenssl(self):
from oauth2client import service_account
from gcloud._testing import _Monkey
from gcloud import credentials as credentials_mod
PRIVATE_TEXT = 'dummy_private_key_pkcs8_text'
SIGNER = object()
credentials = service_account.ServiceAccountCredentials(
'dummy_service_account_email', SIGNER)
credentials._private_key_pkcs8_pem = PRIVATE_TEXT
with _Monkey(credentials_mod, crypto=None):
with self.assertRaises(EnvironmentError):
self._callFUT(credentials)
def test__to_json_override(self):
signer = object()
creds = service_account.ServiceAccountCredentials(
'*****@*****.**', signer)
self.assertEqual(creds._signer, signer)
# Serialize over-ridden data (unrelated to ``creds``).
to_serialize = {'unrelated': 'data'}
serialized_str = creds._to_json([], to_serialize.copy())
serialized_data = json.loads(serialized_str)
expected_serialized = {
'_class': 'ServiceAccountCredentials',
'_module': 'oauth2client.service_account',
'token_expiry': None,
}
expected_serialized.update(to_serialize)
self.assertEqual(serialized_data, expected_serialized)
def _make_credentials(self):
private_key = datafile('privatekey.' + self.format_)
signer = crypt.Signer.from_string(private_key)
credentials = service_account.ServiceAccountCredentials(
'*****@*****.**',
signer,
scopes='read+write',
sub='*****@*****.**')
if self.format_ == 'pem':
credentials._private_key_pkcs8_pem = private_key
elif self.format_ == 'p12':
credentials._private_key_pkcs12 = private_key
credentials._private_key_password = (
service_account._PASSWORD_DEFAULT)
else: # pragma: NO COVER
raise ValueError('Unexpected format.')
return credentials
def testMaybeConvertP12ServiceAccountCredsToGoogleAuthCreds(self):
cred_p12 = service_account.ServiceAccountCredentials(
'service_account_email', None, config.CLOUDSDK_SCOPES, 'private_key_id',
'client_id', None, 'token_uri')
cred_p12.access_token = 'access-token'
cred_p12.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
cred_p12._private_key_pkcs12 = '_private_key_pkcs12'
cred_returned = creds.MaybeConvertToGoogleAuthCredentials(cred_p12, True)
self.assertIsInstance(cred_returned,
service_account.ServiceAccountCredentials)
self.AssertCredentialsEqual(
cred_returned, {
'access_token': 'access-token',
'token_expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
'client_id': 'client_id',
'_private_key_id': 'private_key_id',
'_private_key_pkcs12': '_private_key_pkcs12',
'token_uri': 'token_uri',
})
def test_service_account_via_json_key(self):
from oauth2client import service_account
from gcloud._testing import _Monkey
from gcloud import credentials as MUT
scopes = []
PRIVATE_TEXT = 'dummy_private_key_pkcs8_text'
SIGNER = object()
credentials = service_account.ServiceAccountCredentials(
'dummy_service_account_email', SIGNER, scopes=scopes)
credentials._private_key_pkcs8_pem = PRIVATE_TEXT
load_result = object()
openssl_crypto = _OpenSSLCrypto(load_result, None)
with _Monkey(MUT, crypto=openssl_crypto):
result = self._callFUT(credentials)
self.assertEqual(result, load_result)
self.assertEqual(openssl_crypto._loaded,
[(openssl_crypto.FILETYPE_PEM, PRIVATE_TEXT)])
self.assertEqual(openssl_crypto._signed, [])
def test_access_token(self, utcnow):
# Configure the patch.
seconds = 11
NOW = datetime.datetime(1992, 12, 31, second=seconds)
utcnow.return_value = NOW
# Create a custom credentials with a mock signer.
signer = mock.MagicMock()
signed_value = b'signed-content'
signer.sign = mock.MagicMock(name='sign', return_value=signed_value)
credentials = service_account.ServiceAccountCredentials(
self.service_account_email,
signer,
private_key_id=self.private_key_id,
client_id=self.client_id,
)
# Begin testing.
lifetime = 2 # number of seconds in which the token expires
EXPIRY_TIME = datetime.datetime(1992,
12,
31,
second=seconds + lifetime)
token1 = u'first_token'
token_response_first = {
'access_token': token1,
'expires_in': lifetime,
}
token2 = u'second_token'
token_response_second = {
'access_token': token2,
'expires_in': lifetime,
}
http = HttpMockSequence([
({
'status': '200'
}, json.dumps(token_response_first).encode('utf-8')),
({
'status': '200'
}, json.dumps(token_response_second).encode('utf-8')),
])
# Get Access Token, First attempt.
self.assertIsNone(credentials.access_token)
self.assertFalse(credentials.access_token_expired)
self.assertIsNone(credentials.token_expiry)
token = credentials.get_access_token(http=http)
self.assertEqual(credentials.token_expiry, EXPIRY_TIME)
self.assertEqual(token1, token.access_token)
self.assertEqual(lifetime, token.expires_in)
self.assertEqual(token_response_first, credentials.token_response)
# Two utcnow calls are expected:
# - get_access_token() -> _do_refresh_request (setting expires in)
# - get_access_token() -> _expires_in()
expected_utcnow_calls = [mock.call()] * 2
self.assertEqual(expected_utcnow_calls, utcnow.mock_calls)
# One call to sign() expected: Actual refresh was needed.
self.assertEqual(len(signer.sign.mock_calls), 1)
# Get Access Token, Second Attempt (not expired)
self.assertEqual(credentials.access_token, token1)
self.assertFalse(credentials.access_token_expired)
token = credentials.get_access_token(http=http)
# Make sure no refresh occurred since the token was not expired.
self.assertEqual(token1, token.access_token)
self.assertEqual(lifetime, token.expires_in)
self.assertEqual(token_response_first, credentials.token_response)
# Three more utcnow calls are expected:
# - access_token_expired
# - get_access_token() -> access_token_expired
# - get_access_token -> _expires_in
expected_utcnow_calls = [mock.call()] * (2 + 3)
self.assertEqual(expected_utcnow_calls, utcnow.mock_calls)
# No call to sign() expected: the token was not expired.
self.assertEqual(len(signer.sign.mock_calls), 1 + 0)
# Get Access Token, Third Attempt (force expiration)
self.assertEqual(credentials.access_token, token1)
credentials.token_expiry = NOW # Manually force expiry.
self.assertTrue(credentials.access_token_expired)
token = credentials.get_access_token(http=http)
# Make sure refresh occurred since the token was not expired.
self.assertEqual(token2, token.access_token)
self.assertEqual(lifetime, token.expires_in)
self.assertFalse(credentials.access_token_expired)
self.assertEqual(token_response_second, credentials.token_response)
# Five more utcnow calls are expected:
# - access_token_expired
# - get_access_token -> access_token_expired
# - get_access_token -> _do_refresh_request
# - get_access_token -> _expires_in
# - access_token_expired
expected_utcnow_calls = [mock.call()] * (2 + 3 + 5)
self.assertEqual(expected_utcnow_calls, utcnow.mock_calls)
# One more call to sign() expected: Actual refresh was needed.
self.assertEqual(len(signer.sign.mock_calls), 1 + 0 + 1)
self.assertEqual(credentials.access_token, token2)
def _MakeEmptyServiceAccountCredentialsOauth2client():
return service_account.ServiceAccountCredentials(None, None)
