def _create_authenticator(a_service):
    """Build the token authenticator described by a service configuration.

    Args:
      a_service (:class:`google.api.gen.servicecontrol_v1_messages.Service`):
        the service whose ``authentication`` section is read

    Returns:
      a ``tokens.Authenticator`` wired to the configured providers, or
      ``None`` when the service has no authentication section. Per the log
      message below, ``None`` means authentication checks are disabled, so
      callers must treat it as "no authentication", not as an error.

    Raises:
      ValueError: if ``a_service`` is not a ``messages.Service`` instance
    """
    if not isinstance(a_service, messages.Service):
        raise ValueError("service is None or not an instance of Service")

    auth_config = a_service.authentication
    if not auth_config:
        # Fail-open path: a service config that lacks this section ends up
        # with no authenticator at all, and the only trace is an INFO log.
        logger.info("authentication is not configured in service, "
                    "authentication checks will be disabled")
        return None

    provider_id_by_issuer = {}
    uri_config_by_issuer = {}
    for auth_provider in auth_config.providers:
        issuer_name = auth_provider.issuer
        configured_jwks_uri = auth_provider.jwksUri

        # OpenID discovery is switched on only when jwksUri is exactly None.
        # NOTE(review): an empty-string jwksUri is not None, so it would be
        # stored as a configured URI with discovery off. Confirm the message
        # layer never yields "" for an unset field.
        use_discovery = configured_jwks_uri is None

        # Both maps are keyed by issuer, so a later provider that repeats an
        # issuer silently replaces the earlier provider's entry.
        uri_config_by_issuer[issuer_name] = suppliers.IssuerUriConfig(
            use_discovery, configured_jwks_uri)
        provider_id_by_issuer[issuer_name] = auth_provider.id

    jwks_source = suppliers.JwksSupplier(
        suppliers.KeyUriSupplier(uri_config_by_issuer))
    return tokens.Authenticator(provider_id_by_issuer, jwks_source)
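def test_supply_issuer(self):
    """A configured JWKS URI is returned for its issuer; other issuers get None."""
    issuer = "https://issuer.com"
    jwks_uri = "https://issuer.com/jwks/uri"
    # First argument False: OpenID discovery is off, the URI is given statically.
    configs = {issuer: suppliers.IssuerUriConfig(False, jwks_uri)}
    supplier = suppliers.KeyUriSupplier(configs)

    # assertEqual replaces the deprecated assertEquals alias, which was
    # removed from unittest in Python 3.12.
    self.assertEqual(jwks_uri, supplier.supply(issuer))
    # An issuer that is not in the configuration must not resolve to a key URI.
    self.assertIsNone(supplier.supply("random-issuer"))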
def test_openid_discovery_with_bad_json(self):
    """An unparseable discovery response must surface as UnauthenticatedException.

    The mocked issuer answers every HTTPS request with a body that is not
    JSON. The supplier is expected to reject the lookup rather than return
    a key URI.
    """
    @httmock.urlmatch(scheme="https", netloc="issuer.com")
    def _bad_json_response(url, request):  # pylint: disable=unused-argument
        return "bad-json"

    issuer_url = "https://issuer.com"
    # First argument True with no JWKS URI: the key URI must come from discovery.
    discovery_only = {issuer_url: suppliers.IssuerUriConfig(True, None)}
    uri_supplier = suppliers.KeyUriSupplier(discovery_only)

    with httmock.HTTMock(_bad_json_response), \
            self.assertRaises(suppliers.UnauthenticatedException):
        uri_supplier.supply(issuer_url)
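def test_openid_discovery(self):
    """The ``jwks_uri`` from the issuer's discovery document is what gets supplied."""
    jwks_uri = "https://issuer.com/jwks/uri"

    # Only HTTPS requests to issuer.com at the OpenID configuration path are
    # answered by this mock.
    @httmock.urlmatch(scheme="https", netloc="issuer.com",
                      path="/" + suppliers._OPEN_ID_CONFIG_PATH)
    def _mock_response(url, request):  # pylint: disable=unused-argument
        response = {"jwks_uri": jwks_uri}
        return json.dumps(response)

    issuer = "https://issuer.com"
    # First argument True with no JWKS URI: the key URI must come from discovery.
    configs = {issuer: suppliers.IssuerUriConfig(True, None)}
    supplier = suppliers.KeyUriSupplier(configs)

    with httmock.HTTMock(_mock_response):
        # assertEqual replaces the deprecated assertEquals alias, which was
        # removed from unittest in Python 3.12.
        self.assertEqual(jwks_uri, supplier.supply(issuer))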
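def test_issuer_without_protocol(self):
    """A scheme-less issuer is still discovered, through the HTTPS-only mock."""
    jwks_uri = "https://issuer.com/jwks/uri"

    # The mock is registered for the https scheme only, so it answers the
    # discovery request only if that request is made over HTTPS.
    @httmock.urlmatch(scheme="https", netloc="issuer.com",
                      path="/" + suppliers._OPEN_ID_CONFIG_PATH)
    def _mock_response(url, request):  # pylint: disable=unused-argument
        response = {"jwks_uri": jwks_uri}
        return json.dumps(response)

    # Specify an issuer without protocol to make sure the "https://" prefix is
    # added automatically.
    issuer = "issuer.com"
    configs = {issuer: suppliers.IssuerUriConfig(True, None)}
    supplier = suppliers.KeyUriSupplier(configs)

    with httmock.HTTMock(_mock_response):
        # assertEqual replaces the deprecated assertEquals alias, which was
        # removed from unittest in Python 3.12.
        self.assertEqual(jwks_uri, supplier.supply(issuer))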
def create_authenticator(issuers_to_provider_ids, issuer_uri_configs):
    """Assemble a ``tokens.Authenticator`` from already-built issuer mappings.

    Args:
      issuers_to_provider_ids: mapping handed to ``tokens.Authenticator``
        unchanged
      issuer_uri_configs: mapping handed to ``suppliers.KeyUriSupplier``
        unchanged

    Returns:
      the authenticator, backed by a ``JwksSupplier`` that resolves key URIs
      through a ``KeyUriSupplier``. Neither mapping is validated here.
    """
    jwks_source = suppliers.JwksSupplier(
        suppliers.KeyUriSupplier(issuer_uri_configs))
    return tokens.Authenticator(issuers_to_provider_ids, jwks_source)