8bdZddlZddlZddlZddlmZddlmZddlmZddlmZddlm Z ddl m Z dd l m Z ddlZdd lmZmZeed d d dd lmZdZdZej,ddeedZGddej2ZGddeZGdde j:Zy)z!Tests for wrapped_credentials.py.N)aws)external_account) external_account_authorized_user) identity_pool) pluggable)testcase)WrappedCredentials)add_move MovedModulemockz unittest.mock)r foocontentz text/plain200)z content-typestatuszcontent-lengthc&eZdZdfd ZdZxZS)MockCredentialsct|i|d_|_d_fd}t j |_y)Nc~~_yNtoken)argskwargsselfrs 7platform/gsutil/gslib/tests/test_wrapped_credentials.py side_effectz-MockCredentials.__init__..side_effect4s djr)super__init__ _audienceexpiryrr Mockrefresh)rrr"rrr __class__s`` rr zMockCredentials.__init__.sA Gd%f%DNDKDJ995DLrcyrr'rrretrieve_subject_tokenz&MockCredentials.retrieve_subject_token:sr)NN)__name__ __module__ __qualname__r r( __classcell__)r%s@rrr,s  6 rrceZdZdZdZdZy)HeadersWithAuthzUA utility class to use to make sure a set of headers includes specific authenticationc|xsd|_y)Nr)rrs rr zHeadersWithAuth.__init__As "DJrc@|dtd|jzdk(S)Ns AuthorizationzBearer zutf-8)bytesr)rheaderss r__eq__zHeadersWithAuth.__eq__Ds# # $i$**.Dg(N NNrN)r)r*r+__doc__r r4r'rrr.r.>s]Orr.ceZdZdZej j edddZdZ dZ ej j edddZ d Z d Z d Zd Zd Zy)TestWrappedCredentialszRTest logic for interacting with Wrapped Credentials the way we intend to use them.HttpT)autospecc Nttf|jj_|jj}t t t dddd}tjj}|j||jd\}}|j|t|jjjtj |jddt#t dtj tj y) Nr barhttps://sts.googleapis.comqux)raudiencesubject_token_type token_urlcredential_source google.comuriGETmethodr3bodyconnection_type redirections)RESPONSECONTENT return_valuerequestr r ACCESS_TOKEN oauth2client transportget_http_object authorize assertEqual_baser$assert_called_once_withr ANYr.)rhttpreqcreds_rs rtestWrappedCredentialUsagez1TestWrappedCredentials.testWrappedCredentialUsageKs.6-@D*    # #C l!&+0">*/  1 2E  ! ! 1 1 3D OOD,/JAwWg& KK//9 ',(7 (E%)04-1XX  7rc ttjdddddi}t|_t j ddd d d |_|j}tj|}|j|d d|j|d t|j|d d|j|ddd|j|ddd|j|ddd|j|ddddtj|}|j|t|j|jtj|j|jd|j|jt|j|j |j y)QTest logic for converting Wrapped Credentials to and from JSON for serialization.r r;r<urlrB)r>r?r@rA r client_id access_token token_expiry2001-12-05T00:00:00ZrUr>r?r@rAN)r r CredentialsrOrddatetimereto_jsonjsonloadsrT from_jsonassertIsInstancerUrc)rrZ creds_json json_valuescreds2s r"testWrappedCredentialSerializationz9TestWrappedCredentials.testWrappedCredentialSerializationes !!55:,H5:L4I K LE &E!**4Q1=EJ**Z(K[-u5[0,?[02HI[)*5u=[)*>?G[)+613[)*=>uE!# ) )* 5F&"45&,, (A(ABV%%u-V((,7V((%*<*<=rctjtjdtddddddddd d }|j |t|j |j tjy ) zdTest logic for creating a Wrapped Credentials using keywords that exist in IdentityPool but not AWS.r rfrr;r<rB 1234567890)r_workforce_pool_user_project)typer>r?r@rA)rcrdrerUN) r rlrjdumpsrOrmrUrrgrrZs r1testWrappedCredentialSerializationMissingKeywordszHTestWrappedCredentials.testWrappedCredentialSerializationMissingKeywordssu  ( ( (2*!&+9'3?&     E" %!34%++}'@'@Arc ttf|jj_|jj}t t j ddddddfd}tj| j_ tjj}j||jd \}}|j|tjjj!tj"|j!d d t%t&dtj"tj" y)N^//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID refreshToken)https://sts.googleapis.com/v1/oauth/token)https://sts.googleapis.com/v1/instrospectclientId clientSecretr> refresh_tokenr@token_info_urlrc client_secretc4~~tj_yr)rOrUr)rrrZs r_refresh_token_side_effectzrTestWrappedCredentials.testWrappedCredentialUsageExternalAccountAuthorizedUser.._refresh_token_side_effects &ekkrrrBrCrErF)rKrLrMrNr rrgr r#rUr$rPrQrRrSrTrVrWr.rO)rrXrYrr[rrZs @r7testWrappedCredentialUsageExternalAccountAuthorizedUserzNTestWrappedCredentials.testWrappedCredentialUsageExternalAccountAuthorizedUsers.6-@D*    # #C (44 l(AF ( * +E'))0JKEKK  ! ! 1 1 3D OOD,/JAwWg& KK//9 ',(7 (E%)04-1XX  7rc ~ttjdddddd}t|_t j dd d d d |_|j}tj|}id d dddddtdddddddddddddddgddddddd dd!d"dtddddddd#d$ }|j||tj|}|j|t|j|jtj|j|jdy)%r^rzr{r|r}r~rrr`rarbr_classr _modulezgslib.utils.wrapped_credentialsrcrdrerfrrid_tokenN id_token_jwtinvalidF revoke_uriscopestoken_info_uritoken_response token_uri user_agentrUrzgoogleapis.com) rur>rr"r@rrrcruniverse_domain)r rrgrOrdrhrerirjrkrTrlrmrUrc)rrZrnroexpected_json_valuesrps r?testWrappedCredentialSerializationExternalAccountAuthorizedUserzVTestWrappedCredentials.testWrappedCredentialSerializationExternalAccountAuthorizedUsers (44 l(AF ( * +E&E!**4Q1=EJ**Z(K'&'4' Z'  ' . '  ' ' D' ' 5' d' "' $' $' T' d!'" 2p&;; ) #'P ["67  ) )* 5F&"45&,,:FFHV%%z2rc Dtjtjddddddddd d d d i}|j |t|j |j t j|j |j tjy) NrUi//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_IDaws1zChttp://169.254.169.254/latest/meta-data/placement/availability-zonezNhttps://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15z@http://169.254.169.254/latest/meta-data/iam/security-credentials)environment_id region_urlregional_cred_verification_urlr_https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-1234@service-name.iam.gserviceaccount.com:generateAccessTokenz+urn:ietf:params:aws:token-type:aws4_request#https://sts.googleapis.com/v1/tokenrr>rA!service_account_impersonation_urlr?r@ru) r rlrjrvrmrUrrgrrws rtestFromJsonAWSCredentialsz1TestWrappedCredentials.testFromJsonAWSCredentialss  ( ( ]hZ &`A9&)   E4 %!34%++'7'C'CD%++s7rc >tjtjddddiddddd i}|j |t|j |j t j|j |j tjy) NrUrfilez/var/run/secrets/goog.id/tokenr$urn:ietf:params:oauth:token-type:jwtrrr) r rlrjrvrmrUrrgrrws r testFromJsonFileBasedCredentialsz7TestWrappedCredentials.testFromJsonFileBasedCredentialss  ( ( <&`:9&   E& %!34%++'7'C'CD%++}'@'@Arc Btjtjdddddiidddd d i}|j |t|j |j t j|j |j tjy) NrUr executablecommandz/path/to/command.shrrrrr) r rlrjrvrmrUrrgrrws r testFromJsonPluggableCredentialsz7TestWrappedCredentials.testFromJsonPluggableCredentials0s  ( (  !#8#& `:9&   E* %!34%++'7'C'CD%++y'<'<=rc tjtjddddddddd i}|j |t|j |j t jy) NrUrrzr{r|r}r~r)rur>rr@rrcr)r rlrjrvrmrUrrgrws r4testFromJsonExternalAccountAuthorizedUserCredentialszKTestWrappedCredentials.testFromJsonExternalAccountAuthorizedUserCredentialsJsq  ( ( 6t"??"   E( %!34%++:FFHrN)r)r*r+r5r patchobjecthttplib2r\rqrxrrrrrrr'rrr7r7HsZ::Xv57672>8B,::Xv5 76 7D=3~8>B0>4Hrr7)r5rhrjr google.authrrrrr gslib.testsrgslib.utils.wrapped_credentialsr rPsixr r six.movesr rOrLResponselenrKrgrdictr.GsUtilUnitTestCaser7r'rrrs( (8%! >%VV_ 56  8   'l  &22 $OdOYHX88YHr