i ddlZddlZddlmZddlZddlZddlZddlZddl m Z ddl Z ddl m Z mZddl mZddl mZddl mZddl mZddlmZd Zd Zd Zd Zd Zdj5eZeezZdZddgZej>jAej>jCe"dZ#ej>jAe#dZ$ej>jAe#dZ%ej>jAe#dZ&ej>jAe#dZ'ej>jAe#dZ(ej>jAe#dZ)ej>jAe#dZ*ej>jAe#dZ+dZ,e-e$5Z.e.j_Z0ddde-e%5Z.ejbe.Z2e2jge,Z4ddde-e)d5Z5ejle jne jpe jre jte5j_jwdZdZ?d Z@d!ZAd"ZBd#ZCd$ZDgd%ZEgd&ZFgd'ZGgd(ZHGd)d*ejZJGd+d,eKZLy#1swYkxYw#1swYDxYw#1swYxYw#1swYnxYw)-N)crypto)_helpersexternal_account) exceptions) identity_pool)metrics) transport)DEFAULT_UNIVERSE_DOMAINusernamepasswordzdXNlcm5hbWU6cGFzc3dvcmQ=z1service-1234@service-name.iam.gserviceaccount.comz.https://us-east1-iamcredentials.googleapis.comz5/v1/projects/-/serviceAccounts/{}:generateAccessTokenQUOTA_PROJECT_IDscope1scope2datazexternal_subject_token.txtzexternal_subject_token.jsonztrust_chain_with_leaf.pemztrust_chain_without_leaf.pemztrust_chain_wrong_order.pemzpublic_cert.pemzprivatekey.pemzother_cert.pem access_tokenrbutf-8z#https://sts.googleapis.com/v1/tokenz(https://sts.googleapis.com/v1/introspectz$urn:ietf:params:oauth:token-type:jwtzi//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_IDzR//iam.googleapis.com/locations/global/workforcePools/POOL_ID/providers/PROVIDER_IDz)urn:ietf:params:oauth:token-type:id_token"WORKFORCE_POOL_USER_PROJECT_NUMBER) https://sts.googleapis.comz$https://us-east-1.sts.googleapis.comz$https://US-EAST-1.sts.googleapis.comz$https://sts.us-east-1.googleapis.comz$https://sts.US-WEST-1.googleapis.comz$https://us-east-1-sts.googleapis.comz$https://US-WEST-1-sts.googleapis.comz/https://us-west-1-sts.googleapis.com/path?queryz&https://sts-us-east-1.p.googleapis.com)%https://iamcredentials.googleapis.comzsts.googleapis.comhttps://zhttp://sts.googleapis.comzhttps://st.s.googleapis.comz$https://us-eas -1.sts.googleapis.comz#https:/us-east-1.sts.googleapis.comz%https://US-WE/ST-1-sts.googleapis.comz$https://sts-us-east-1.googleapis.comz$https://sts-US-WEST-1.googleapis.comz(testhttps://us-east-1.sts.googleapis.comz,https://us-east-1.sts.googleapis.comevil.comz.https://us-east-1.us-east-1.sts.googleapis.comz$https://us-ea.s.t.sts.googleapis.comz"https://sts.googleapis.comevil.comz%hhttps://us-east-1.sts.googleapis.comz!https://us- -1.sts.googleapis.comzhttps://-sts.googleapis.comz-https://us-east-1.sts.googleapis.com.evil.comzhttps://sts.pgoogleapis.comhttps://p.googleapis.comzhttps://sts.p.comzhttp://sts.p.googleapis.comz https://xyz-sts.p.googleapis.comz$https://sts-xyz.123.p.googleapis.comz!https://sts-xyz.p1.googleapis.comzhttps://sts-xyz.p.foo.comz$https://sts-xyz.p.foo.googleapis.com) rz/https://us-east-1.iamcredentials.googleapis.comz/https://US-EAST-1.iamcredentials.googleapis.comz/https://iamcredentials.us-east-1.googleapis.comz/https://iamcredentials.US-WEST-1.googleapis.comz/https://us-east-1-iamcredentials.googleapis.comz/https://US-WEST-1-iamcredentials.googleapis.comz:https://us-west-1-iamcredentials.googleapis.com/path?queryz1https://iamcredentials-us-east-1.p.googleapis.com)rziamcredentials.googleapis.comrz$http://iamcredentials.googleapis.comz&https://iamcre.dentials.googleapis.comz/https://us-eas -1.iamcredentials.googleapis.comz.https:/us-east-1.iamcredentials.googleapis.comz0https://US-WE/ST-1-iamcredentials.googleapis.comz/https://iamcredentials-us-east-1.googleapis.comz/https://iamcredentials-US-WEST-1.googleapis.comz3testhttps://us-east-1.iamcredentials.googleapis.comz7https://us-east-1.iamcredentials.googleapis.comevil.comz9https://us-east-1.us-east-1.iamcredentials.googleapis.comz/https://us-ea.s.t.iamcredentials.googleapis.comz-https://iamcredentials.googleapis.comevil.comz0hhttps://us-east-1.iamcredentials.googleapis.comz,https://us- -1.iamcredentials.googleapis.comz&https://-iamcredentials.googleapis.comz8https://us-east-1.iamcredentials.googleapis.com.evil.comz&https://iamcredentials.pgoogleapis.comrzhttps://iamcredentials.p.comz&http://iamcredentials.p.googleapis.comz+https://xyz-iamcredentials.p.googleapis.comz/https://iamcredentials-xyz.123.p.googleapis.comz,https://iamcredentials-xyz.p1.googleapis.comz$https://iamcredentials-xyz.p.foo.comz/https://iamcredentials-xyz.p.foo.googleapis.comceZdZ ddZdZy)TestSubjectTokenSupplierNc.||_||_||_yN)_subject_token_subject_token_exception_expected_context)self subject_tokensubject_token_exceptionexpected_contexts Rplatform/gsutil/third_party/google-auth-library-python/tests/test_identity_pool.py__init__z!TestSubjectTokenSupplier.__init__s,(?%!1c|j|j|k(sJ|j |j|jSr)rrr)r contextrequests r$get_subject_tokenz*TestSubjectTokenSupplier.get_subject_tokensF  ! ! -))W4 44  ( ( 4// /"""r&)NNN)__name__ __module__ __qualname__r%r*r&r$rrsQU2#r&rc"eZdZdeiZeddddZdZdeiZeddddZ d d d iiZ d d d iiZ d d e diZ d d ediZd d ediZdddddj%edZedZeej0dfdZeefdZeefdZeefdZe dmdZee e!ee"dddddddddf dZ#e$jJjMe'jPdddZ)e$jJjMe'jPddd Z*e$jJjMe'jPddd!Z+e$jJjMe'jPddd"Z,e$jJjMe'jPddd#Z-e$jJjMe'jPddd$Z.e$jJjMe'jPddd%Z/d&Z0d'Z1d(Z2d)Z3d*Z4d+Z5d,Z6d-Z7d.Z8d/Z9d0Z:d1Z;d2Zd5Z?d6Z@d7ZAd8ZBd9ZCd:ZDd;ZEd<ZFd=ZGe$jJd>eHeIfd?ZJe$jJd>eHeIfd@ZKe$jJd>eHeIfdAZLe$jJd>eHeIfdBZMe$jJd>eHeIfdCZNe$jJd>eHeIfdDZOe$jJd>eHeIfdEZPdFZQdGZRdHZSdIZTdJZUdKZVdLZWdMZXdNZYdOZZdPZ[dQZ\dRZ]dSZ^dTZ_dUZ`dVZadWZbdXZcdYZddZZed[Zfd\Zgd]Zhd^Zid_Zjd`ZkdaZldbZmdcZnddZodeZpdfZqdgZrdhZsdiZte$jJd>djdkZudlZvy)nTestCredentialsfilejsonrtypesubject_token_field_namer1formatzhttp://fakeurl.comurlr8r7 certificateuse_default_certificate_configtruecertificate_config_locationzpath/to/configr;trust_chain_path ACCESS_TOKEN-urn:ietf:params:oauth:token-type:access_tokenBearer )rissued_token_type token_type expires_inscopectjtjd}||_t |t r+tj|jd|_ |S||_ |S)NT)instancer) mockcreate_autospecr Responsestatus isinstancedictr2dumpsencoder)clsrNrresponses r$make_mock_responsez"TestCredentials.make_mock_responses['' (:(:TJ  dD ! JJt,33G,> M+FGH- y ) H  -!))a)8$$T23ins#K 1)& " !3!,!3!3N>4R!S%9', % !"$#* &  OO[^^_= >!(m89 ,*-h- ' OO[^^-CD E'#'')O3R"3")OP ZZ H-     (  7))*c(m;;;   0 01G1G1J11Mt T ''  " "#6 7 :      -  3 3&&'BCAF%*1   $$(>}(MM MM$$~(FF FF++/????!!V+++))^;;;A*P  s)L L""L+cFtj||||| | | ||||| |  S)N) rrrstoken_info_urlrzcredential_sourcesubject_token_supplier client_id client_secretrrrr)r Credentials)rSrrrsrrrrrrrzrrrs r$make_credentialsz TestCredentials.make_credentialss>"((1).O/#9'-)(C  r&r%rctjjttt t tddittt|jd }t|tjsJ|jttt t tdditt|jdtdt y)Ntoken_lifetime_seconds rrrsrrzservice_account_impersonationrrrr rrrsrrz%service_account_impersonation_optionsrrrrrruniverse_domain)rr from_infoAUDIENCESUBJECT_TOKEN_TYPE TOKEN_URLTOKEN_INFO_URL!SERVICE_ACCOUNT_IMPERSONATION_URL CLIENT_ID CLIENT_SECRETr CREDENTIAL_SOURCE_TEXTrOassert_called_once_withr r mock_initrs r$test_from_info_full_optionsz+TestCredentials.test_from_info_full_optionss#//99$&8&"05V2JD1Q&!.$4%)%@%@   +}'@'@AAA))1).O3KT2R'"99#'-(,3 * r&c tjjttt |j d}t|tjsJ|jttt ddidd|j dddt y)Nrrrsrr) rrrrrrrrOrr rs r$$test_from_info_required_options_onlyz4TestCredentials.test_from_info_required_options_onlys#//99$&8&%)%@%@   +}'@'@AAA))1.224"99#'!(,3 * r&c t}tjjtt t |d}t|tjsJ|jtt t ddiddd|ddt y)N)rrrsrr) rrrrrrrrOrr )r rsupplierrs r$test_from_info_supplierz'TestCredentials.test_from_info_suppliers+-#//99$&8&*2   +}'@'@AAA))1.224"#+!(,3 * r&c2tjjttt |j td}t|tjsJ|jttt ddidd|j ddtt y)Nrrrsrrr) rrrWORKFORCE_AUDIENCEWORKFORCE_SUBJECT_TOKEN_TYPErrWORKFORCE_POOL_USER_PROJECTrOrr rs r$test_from_info_workforce_poolz-TestCredentials.test_from_info_workforce_pool9s#//99.&B&%)%@%@/J   +}'@'@AAA))';.224"99#'!(C3 * r&ctttttddit t t|jd }|jd}|jtj|tjjt!|}t#|tjsJ|j%tttttddit t |jdtdt& y)Nrrr config.jsonr)rrrrrrrr rrwriter2rQrr from_filestrrOrr r rtmpdirinfo config_filers r$test_from_file_full_optionsz+TestCredentials.test_from_file_full_optionsWs!"4",1R.F-M"* 0!%!"!%!test_constructor_nonworkforce_with_workforce_pool_user_projectzNTestCredentials.test_constructor_nonworkforce_with_workforce_pool_user_projectsT ]]: &'  ! !!,G " ' }}    ' &s AAcddi}tjt5}|j|dddj dsJy#1swYxYw)N unsupportedvaluerzMissing credential_sourcerrrrrr rrs r$ test_constructor_invalid_optionsz0TestCredentials.test_constructor_invalid_optionssP*G4 ]]: &'  ! !4E ! F'}}9:::' &s A  Ac|jtd}tjt5}|j |dddj dsJy#1swYxYw)N)r8r1rAmbiguous credential_source)CREDENTIAL_URLSUBJECT_TOKEN_TEXT_FILErrrrrrs r$-test_constructor_invalid_options_url_and_filez=TestCredentials.test_constructor_invalid_options_url_and_files[&&+  ]]: &'  ! !4E ! F'}};<<<' & AA%c|jdddiid}tjt5}|j |dddj dsJy#1swYxYw)Nr:r;T)r8r:rr r rrrrrrs r$4test_constructor_invalid_options_url_and_certificatezDTestCredentials.test_constructor_invalid_options_url_and_certificatesf&&),Ld+ST  ]]: &'  ! !4E ! F'}};<<<' &rctdddiid}tjt5}|j |dddj dsJy#1swYxYw)Nr:use_default_certificateT)r1r:rr )r rrrrrrs r$5test_constructor_invalid_options_file_and_certificatezETestCredentials.test_constructor_invalid_options_file_and_certificates`+),Et+LM  ]]: &'  ! !4E ! F'}};<<<' &s AAct|jdddiid}tjt5}|j |dddj dsJy#1swYxYw)Nr:rT)r1r8r:rr )r r rrrrrrs r$9test_constructor_invalid_options_url_file_and_certificatezITestCredentials.test_constructor_invalid_options_url_file_and_certificatesi+&&),Et+LM  ]]: &'  ! !4E ! F'}};<<<' &s A!!A*c|jdd}tjt5}|j |dddj dsJy#1swYxYw)Naws1)r8environment_idrz>Invalid Identity Pool credential_source field 'environment_id'rrs r$/test_constructor_invalid_options_environment_idz?TestCredentials.test_constructor_invalid_options_environment_ids\$($7$76R ]]: &'  ! !4E ! F'}} M   ' &s AA!ctjt5}|jddddj dsJy#1swYxYw)Nznon-dictrz?Invalid credential_source. The credential_source is not a dict.rrs r$*test_constructor_invalid_credential_sourcez:TestCredentials.test_constructor_invalid_credential_sourcesJ ]]: &'  ! !J ! ?'}} N   ' &s A  Actjt5}|jdddj dsJy#1swYxYw)NzGA valid credential source or a subject token supplier must be provided.rrs r$9test_constructor_invalid_no_credential_source_or_supplierzITestCredentials.test_constructor_invalid_no_credential_source_or_supplier sE ]]: &'  ! ! #'}} V   ' &s AAct}tjt5}|j |j |dddj dsJy#1swYxYw)N)rrz[Identity pool credential cannot have both a credential source and a subject token supplier.)rrrrrrr)r rrs r$sV*-Mu,UV ]]: &'  ! !4E ! F'}}ABBB' &s AAc |jtt|jj t }|j dtttt|jt tdk(sJy)N)rrrrr)r4rrrsrrrr) rrrCREDENTIAL_SOURCE_TEXT_URLrrrrrr r rs r$*test_info_with_workforce_pool_user_projectz:TestCredentials.test_info_with_workforce_pool_user_projectFso++';"==BBD(C , &*">",!%!@!@+F6 $   r&c |j|jj}|jdtt t t|jtdk(sJyNrr)r4rrrsrrr) rr/rrrrrrr r0s r$%test_info_with_file_credential_sourcez5TestCredentials.test_info_with_file_credential_sourceYc++"==BBD, & "4",!%!@!@6$    r&c |j|jj}|jdtt t t|jtdk(sJyr3) rCREDENTIAL_SOURCE_JSON_URLrrrrrrr r0s r$$test_info_with_url_credential_sourcez4TestCredentials.test_info_with_url_credential_sourcehr5r&c |j|jj}|jdtt t t|jtdk(sJyr3) rCREDENTIAL_SOURCE_CERTIFICATErrrrrrr r0s r$,test_info_with_certificate_credential_sourcez!%!@!@/ $    r&c>|jd}|jddt|i}|j|}t j t j5}|jddddjdsJy#1swYxYw)Nz empty.txtr1rz3Missing subject_token in the credential_source file) rrrrrrr RefreshErrorretrieve_subject_tokenr)r r empty_filerrrs r$1test_retrieve_subject_token_missing_subject_tokenzATestCredentials.test_retrieve_subject_token_missing_subject_tokens[[- #S_5++>O+P ]]:22 3w  . .t 44}}STTT4 3s %BBct|j|j}|jd}|tk(sJyNr)rrrGTEXT_FILE_SUBJECT_TOKENr rr!s r$%test_retrieve_subject_token_text_filez5TestCredentials.test_retrieve_subject_token_text_fileA++"99, $::4@  7777r&ct|j|j}|jd}|tk(sJyrK)rCREDENTIAL_SOURCE_JSONrGJSON_FILE_SUBJECT_TOKENrMs r$%test_retrieve_subject_token_json_filez5TestCredentials.test_retrieve_subject_token_json_filerOr&zCgoogle.auth.transport._mtls_helper._get_workload_cert_and_key_pathsc|j|j}|jd}|tjt gk(sJyrK)rr:rGr2rQCERT_FILE_CONTENTr $mock_get_workload_cert_and_key_pathsrr!s r$/test_retrieve_subject_token_certificate_defaultz?TestCredentials.test_retrieve_subject_token_certificate_defaultsO++"@@, $::4@  ,=+> ????r&c|j|j}|jd}|tjt gk(sJyrK)rr=rGr2rQrUrVs r$8test_retrieve_subject_token_certificate_non_default_pathzHTestCredentials.test_retrieve_subject_token_certificate_non_default_pathsO++"LL, $::4@  ,=+> ????r&c|j|j}|jd}|tjt t gk(sJyrK)r3CREDENTIAL_SOURCE_CERTIFICATE_TRUST_CHAIN_WITH_LEAFrGr2rQrUOTHER_CERT_FILE_CONTENTrVs r$=test_retrieve_subject_token_certificate_trust_chain_with_leafzMTestCredentials.test_retrieve_subject_token_certificate_trust_chain_with_leafsR++"VV, $::4@  ,=?V+W XXXXr&c|j|j}|jd}|tjt t gk(sJyrK)r6CREDENTIAL_SOURCE_CERTIFICATE_TRUST_CHAIN_WITHOUT_LEAFrGr2rQrUr]rVs r$@test_retrieve_subject_token_certificate_trust_chain_without_leafzPTestCredentials.test_retrieve_subject_token_certificate_trust_chain_without_leafsR++"YY, $::4@  ,=?V+W XXXXr&c|j|j}tjtj 5}|j ddddjdsJy#1swYxYw)Nrz?The leaf certificate must be at the top of the trust chain file)r5CREDENTIAL_SOURCE_CERTIFICATE_TRUST_CHAIN_WRONG_ORDERrrrrFrGrr rWrrs r$Atest_retrieve_subject_token_certificate_trust_chain_invalid_orderzQTestCredentials.test_retrieve_subject_token_certificate_trust_chain_invalid_orderso++"XX, ]]:22 3w  . .t 44}} M   4 3s A..A7c|jddddi}tjtj5}|j ddddj dsJy#1swYxYw)Nr:r<zfake.pemr>rz*Trust chain file 'fake.pem' was not found.rrrrrFrGrrds r$Gtest_retrieve_subject_token_certificate_trust_chain_file_does_not_existzWTestCredentials.test_retrieve_subject_token_certificate_trust_chain_file_does_not_exist!ss++6<(2 , ]]:22 3w  . .t 44}}IJJJ4 3s A))A2c|jddtdi}tjtj 5}|j ddddjdsJy#1swYxYw)Nr:r<r>rz8Error loading PEM certificates from the trust chain file)rr rrrrFrGrrds r$@test_retrieve_subject_token_certificate_invalid_trust_chain_filezPTestCredentials.test_retrieve_subject_token_certificate_invalid_trust_chain_file7ss++6<(? , ]]:22 3w  . .t 44}}WXXX4 3s A--A6c tdddd}|j|}tjtj 5}|j ddddjdjtdsJy#1swY1xYwNr2 not_foundr3r6r@Unable to parse subject_token from JSON file '{}' using key '{}') SUBJECT_TOKEN_JSON_FILErrrrrFrGrr7r rrrs r$8test_retrieve_subject_token_json_file_invalid_field_namezHTestCredentials.test_retrieve_subject_token_json_file_invalid_field_nameMs+%;O ++>O+P ]]:22 3w  . .t 44}} N U U'    4 3 BB cx|jd}|jdt|dddd}|j|}t j t j5}|jddddjdjt|dsJy#1swY6xYw) Nz invalid.json{r2rr3r6rrn) rrrrrrrrFrGrr7)r rinvalid_json_filerrrs r$(test_retrieve_subject_token_invalid_jsonz8TestCredentials.test_retrieve_subject_token_invalid_json]s"KK7$)*%>R ++>O+P ]]:22 3w  . .t 44}} N U U%&    4 3s )B00B9cddi}|j|}tjtj5}|j ddddj dsJy#1swYxYw)Nr1z./not_found.txtrz$File './not_found.txt' was not foundrgrps r$*test_retrieve_subject_token_file_not_foundz:TestCredentials.test_retrieve_subject_token_file_not_foundpsg#%67++>O+P ]]:22 3w  . .t 44}}DEEE4 3s A((A1cf|j|j}|jtk(sJyrK)rrQrrr0s r$test_token_info_urlz#TestCredentials.test_token_info_urlys6++"99, ))^;;;r&ctD]D}|j|jj|dz}|j|dzk(rDJy)Nz /introspectrr)VALID_TOKEN_URLSrrQrrr r8rs r$test_token_info_url_customz*TestCredentials.test_token_info_url_customsV#C//"&"="="B"B"D #m 30K --}1DD DD $r&cv|j|jjd}|jrJy)Nr|)rrQrrr0s r$test_token_info_url_negativez,TestCredentials.test_token_info_url_negatives@++"99>>@QU, -----r&ctD]D}|j|jj|dz}|j|dzk(rDJy)Nz/token)rrs)r}rrQr _token_urlr~s r$test_token_url_customz%TestCredentials.test_token_url_customsT#C//"&"="="B"B"D>0K ))cHn= == $r&ctD]L}|j|jj|tz}|j |tzk(rLJy)N)rrz)(VALID_SERVICE_ACCOUNT_IMPERSONATION_URLSrrQr'SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTErr~s r$-test_service_account_impersonation_url_customz=TestCredentials.test_service_account_impersonation_url_customs_;C//"&"="="B"B"DAA0KAA== TestCredentials.test_refresh_with_retrieve_subject_token_errors+%;O ++>O+P ]]:22 3w    %4}} N U U'    4 3rrc|j|j}|jt}|j |}|tk(sJ|j |j dddyNrr^rrW)rr/rarLrGrirr rr)r!s r$$test_retrieve_subject_token_from_urlz4TestCredentials.test_retrieve_subject_token_from_urlsu++"==, ((4K(L#::7C  7777 --g.D.DQ.G.JDQr&c|j|jddid}|jt}|j |}|tk(sJ|j |j ddddiy)Nfoobar)r8rerrrrW)rr rarLrGrirrs r$1test_retrieve_subject_token_from_url_with_headerszATestCredentials.test_retrieve_subject_token_from_url_with_headerss++&*&9&9uenU, ((4K(L#::7C  7777 --  " "1 %a (5%. r&c|j|j}|jt}|j |}|t k(sJ|j |jdddyr)rr7raJSON_FILE_CONTENTrGrRrirrs r$)test_retrieve_subject_token_from_url_jsonz9TestCredentials.test_retrieve_subject_token_from_url_jsonsu++"==, ((4E(F#::7C  7777 --g.D.DQ.G.JDQr&c|j|jdddddid}|jt}|j |}|t k(sJ|j |jd d ddiy) Nr2rr3rr)r8r7rerrrrW)rr rarrGrRrirrs r$6test_retrieve_subject_token_from_url_json_with_headerszFTestCredentials.test_retrieve_subject_token_from_url_json_with_headerss++**#)~V!5>, ((4E(F#::7C  7777 --  " "1 %a (5%. r&c|j|j}tjtj 5}|j |jdtdddjdsJy#1swYxYw)Nri)r]r^z.Unable to retrieve Identity Pool subject token) rr/rrrrFrGrarrr rrs r$.test_retrieve_subject_token_from_url_not_foundz>TestCredentials.test_retrieve_subject_token_from_url_not_founds{++"==, ]]:22 3w  . .&&CDU&V 4 }}MNNN 4 3s 'BB c`|jdddd}|j|}tjtj 5}|j |jtdddjdj|jdsJy#1swY7xYwNr2rmr3r9rrrn) r rrrrrFrGrarrr7rps r$7test_retrieve_subject_token_from_url_json_invalid_fieldzGTestCredentials.test_retrieve_subject_token_from_url_json_invalid_fields&&%;O ++>O+P ]]:22 3w  . .&&2C&D 4 }} N U U##[    4 3 &B$$B-cH|j|j}tjtj 5}|j |jddddjdj|jdsJy#1swY7xYw)Nrrtrrnr) rr7rrrrFrGrarr7r rs r$8test_retrieve_subject_token_from_url_json_invalid_formatzHTestCredentials.test_retrieve_subject_token_from_url_json_invalid_formats++"==, ]]:22 3w  . .t/E/EQT/E/U V4}} N U U##^    4 3s "BB!c|jtt|jt}|j |t tttdtdttdt yNr rrr!rrsrzrrrrrr) rrrr/rrrrLrrrr0s r$8test_refresh_text_file_success_without_impersonation_urlzHTestCredentials.test_refresh_text_file_success_without_impersonation_urlsb++'"== ,  22#11.2 3!3 3 r&c|j|jtt}|j |t t tttddttdt  yNrr) rr/rrrrrLrrr0s r$5test_refresh_text_file_success_with_impersonation_urlzETestCredentials.test_refresh_text_file_success_with_impersonation_url+s_++"==.O ,  22#11.O $!3 3 r&c|jtt|jt}|j |t tttdtdttdt yr) rrrr7rrrrRrrrrr0s r$8test_refresh_json_file_success_without_impersonation_urlzHTestCredentials.test_refresh_json_file_success_without_impersonation_urlCsb++'"== ,  22#11.2 3!- 3 r&c|j|jtt}|j |t t tttddttdt yr) rr7rrrrrRrrrr0s r$5test_refresh_json_file_success_with_impersonation_urlzETestCredentials.test_refresh_json_file_success_with_impersonation_url[s_++"==.O ,  22#11.O $!- 3 r&c`|jdddd}|j|}tjtj 5}|j |jtdddjdj|jdsJy#1swY7xYwr) r rrrrrFrrarrr7rps r$2test_refresh_with_retrieve_subject_token_error_urlzBTestCredentials.test_refresh_with_retrieve_subject_token_error_urlss&&%;O ++>O+P ]]:22 3w    6 6BS 6 T U4}} N U U##[    4 3rctt}|j|}|jd}|tk(sJy)Nr!r)rrRrrG)r rrr!s r$$test_retrieve_subject_token_supplierz4TestCredentials.test_retrieve_subject_token_suppliers?+:QR++8+L #::4@  7777r&ctttjtt }|j |}|jdy)N)r!r#r)rrRrSupplierContextrrrrGr rrs r$4test_retrieve_subject_token_supplier_correct_contextzDTestCredentials.test_retrieve_subject_token_supplier_correct_contextsE+1-=="H ++8+L **40r&cJtjd}t|}|j|}t j tj5}|j |jtdddjdsJy#1swYxYw)Nz test error)r"rr) rrFrrrrrrarr)r expected_exceptionrrrs r$*test_retrieve_subject_token_supplier_errorz:TestCredentials.test_retrieve_subject_token_supplier_errors'44\B+DVW++8+L ]]:22 3w    6 6BS 6 T U4}}\***4 3s &BB"c tt}|j|tt}|j |t ttttddttd y)Nr)rrzrr) rrRrrrrrrLrrrs r$4test_refresh_success_supplier_with_impersonation_urlzDTestCredentials.test_refresh_success_supplier_with_impersonation_urlsa+:QR++#+.O, 22#11.O $! 3 r&c tt}|j|t}|j |t t ttddttd y)Nr)rr) rrr!rrsrrrrr) rrRrrrrrLrrrs r$7test_refresh_success_supplier_without_impersonation_urlzGTestCredentials.test_refresh_success_supplier_without_impersonation_urlsZ+:QR++#+F,  22#11 $! 3 r&)certkeyc|j|jj}|j\}}|dk(sJ|dk(sJy)Nrrr)rr:r_get_mtls_cert_and_key_paths)r rWrrrs r$test_get_mtls_certsz#TestCredentials.test_get_mtls_certssW ++"@@EEG,  <<> cv~~e||r&c|j|jj}tjt j 5}|jdddjdsJy#1swYxYw)NrzThe credential is not configured to use mtls requests. The credential should include a "certificate" section in the credential source.) rrrrrrrFrrrs r$test_get_mtls_certs_invalidz+TestCredentials.test_get_mtls_certs_invalidsw++"99>>@, ]]:22 3w  4 4 64}} U   4 3s A;;B)NNNNNNNN)wr+r,r-r rrorQr r/r7r:r=TRUST_CHAIN_WITH_LEAF_FILEr\TRUST_CHAIN_WITHOUT_LEAF_FILEr`TRUST_CHAIN_WRONG_ORDER_FILErcrrr classmethodrUrrrarirrwrr|rrrrrrKrobjectrrrrrrrrrrrr rrrrrrr r$r'r+r-r1r4r8r;r>rArCrIrNrS CERT_FILEKEY_FILErXrZr^rarerhrjrqrvrxrzrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr.r&r$r0r0s$&=>'!~N*N"'!8!~N" 8&A%! 57GH1- .4 : ;7 .4 = >: .4 < =9'L&! %..T(*888>G H H +L ) )+/ $(E<E  6 6 6 6 8 2 2 4 . . R  R O $   0 0 0 0 8 1 + . (TZZM$   r&r0)Mbase64r http.clientclientrr2osrmrKOpenSSLrr google.authrrrrrr google.auth.credentialsr rrrSERVICE_ACCOUNT_EMAIL&SERVICE_ACCOUNT_IMPERSONATION_URL_BASEr7rrr rpathrdirname__file__DATA_DIRr rorrrrrOTHER_CERT_FILESUBJECT_TOKEN_FIELD_NAMEopenfhreadrLloadrrgrRf b64encodedump_certificate FILETYPE_ASN1load_certificate FILETYPE_PEMrqrUr]rrrrrrrr}INVALID_TOKEN_URLSr*INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLSSubjectTokenSupplierrrr0r.r&r$rs!  2"%!;   0K4'+b*h*h+'+-TT"& H  77<<16 :'',,x1MN'',,x1NOWW\\(4OP " X7U V!ww||H6ST GGLL#4 5 77<<"2 3'',,x)9:) !"b ggi# !"b! " /334LM# )Ta(((  "9&"9"9&:M:Mqvvx"X  fWo  /4 A.f..  "9&"9"9&:M:Mqvvx"X  fWo ! 2 ;; vX KB < ,(.*@ #}AA # d fd G#"#"! s2L5$L*A&L(!A&L4LL%(L14L=