ԋddlZddlZddlmZddlZddlZddlZddlZddl m Z ddl m Z ddl m Z ddl m Z ddl mZddlmZddlmZdd lmZej(j+ej(j-ed d Zeej(j+ed d 5Zej7Zdddej(j+edZej(j+edZdZdZ eed 5ZejBeZ"dddeed 5ZejBeZ#ddde jHjKedZ&dZ'dZ(dZ)ejTdZ+ejTdZ,GddZ-ejTdZ.ejTdZ/Gdde0Z1y#1swYxYw#1swYxYw#1swYxYw)N)_helpers)crypt) exceptions)impersonated_credentials) transport) Credentials) credentials)service_accountdatazprivatekey.pemrbzservice_account.jsonz8impersonated_service_account_authorized_user_source.jsona?eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIiLCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJleHAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In0.redactedi?]1z https://example.com/oauth2/tokenz9gl-python/3.7 auth/1.1 auth-request-type/at cred-type/impz9gl-python/3.7 auth/1.1 auth-request-type/it cred-type/impc#Ktjdd5}dtjt j dzif|_|dddy#1swYyxYww)Ngoogle.oauth2._client.jwt_grantTautospecz source tokensecondsmockpatchrutcnowdatetime timedelta return_valuegrants ]platform/gsutil/third_party/google-auth-library-python/tests/test_impersonated_credentials.pymock_donor_credentialsr FsT 5 E  OO  2 23 ? ?    F E EA'8A A'A$ A'c#Ktjdd5}dtjt j dzif|_|dddy#1swYyxYww)NrTr1/fFAGRNJasdfz70BzhT3Zgrrrrs rmock_dwd_credentialsr$QsT 5 E % OO  2 23 ? ?    F E Er!ceZdZdZdZy) MockResponsec ||_||_yN) json_data status_code)selfr)r*s r__init__zMockResponse.__init__]s"&c|jSr()r))r+s rjsonzMockResponse.jsonas ~~r-N)__name__ __module__ __qualname__r,r/r-rr&r&\s 'r-r&c#Ktjdd5}ddd}t|tj|_|dddy#1swYyxYww)N8google.auth.transport.requests.AuthorizedSession.requestTrr c2lnbmF0dXJl)keyId signedBlob)rrr& http_clientOKr auth_sessionr s rmock_authorizedsession_signr=esL BT  N;$0{~~$F !    sA)A  A AAc#Ktjdd5}dti}t|tj |_|dddy#1swYyxYww)Nr5Trtoken)rr ID_TOKEN_DATAr&r9r:rr;s rmock_authorizedsession_idtokenrAosL BT  '$0{~~$F !    sA,A AAAceZdZdZdZdgZgZdZeje ee Z e jdZddjezZe eed d fd Zd Zd Zd ZdZdZdZdZdZdZej8d d dfdZdZej@jCdddgdZ"ej@jCdddgdZ#ej@jCdddgdZ$ej@jCdddgdZ%ej@jCdddgd Z&d!Z'd"Z(d#Z)d$Z*d%Z+d&Z,d'Z-d(Z.d)Z/d*Z0d+Z1d,Z2d-Z3e4jjd.d /d0Z6d1Z7ej@jCdddgd2Z8d3Z9d4Z:d5Z;d6Zd9Z?d:Z@d;ZAd<ZBd=ZCd>ZDd?ZEd@ZFy )ATestImpersonatedCredentialszservice-account@example.com,impersonated@project.iam.gserviceaccount.comz4https://www.googleapis.com/auth/devstorage.read_onlyiABCDE)r?z' $ 0 0 W W ?}} ; B B> R   ? >s BBctjt}d|d<tjt j 5}tjj|dddjdsJy#1swYxYw)N invalid_url!service_account_impersonation_urlz$Cannot extract target principal from) rZr[rSr\r]rr^rrrRr_ras rJtest_from_impersonated_service_account_info_with_invalid_impersonation_urlzfTestImpersonatedCredentials.test_from_impersonated_service_account_info_with_invalid_impersonation_urlsl}}UV4A 01 ]]:== >' $ 0 0 W W ?}}DEEE ? >s  A>>Bc|j}|jrJd|_|jddddk(sJy)N /path/to/filezimpersonated credentialsrD)credential_sourcecredential_type principal)rP get_cred_info_cred_file_pathrUs rtest_get_cred_infoz.TestImpersonatedCredentials.test_get_cred_infosW++- ,;,,...&5 #({((*!09G/    r-ctjtdtd}|j |}|j dk(sJy)Nsome@email.comfoo.baruniverse_domainrG)r rSIGNER TOKEN_URIrPrur+rGr s r$test_universe_domain_matching_sourcez@TestImpersonatedCredentials.test_universe_domain_matching_sourcesG,88 $i ++?Q+R **i777r-cv|j}d|_|j}|jdk(sJy)Nrj)rPro _make_copy)r+r cred_copys rtest__make_copy_get_cred_infoz9TestImpersonatedCredentials.test__make_copy_get_cred_infos<++- &5 #*K**, ((O;;;r-ct|j|j}|jrJ|jsJy)Nrv)rPUSER_SOURCE_CREDENTIALSvalidexpiredrUs rtest_make_from_user_credentialsz;TestImpersonatedCredentials.test_make_from_user_credentialss@++#;;, $$$$""""r-c\|j}|jrJ|jsJyr()rPrrrUs rtest_default_statez.TestImpersonatedCredentials.test_default_states.++- $$$$""""r-ctjt|jtd}|j |}|j jsJ|j jsJy)NT)always_use_jwt_accessrv) r rrwSERVICE_ACCOUNT_EMAILrxrP_source_credentials_always_use_jwt_access_jwt_credentialsrys r.test_make_from_service_account_self_signed_jwtzJTestImpersonatedCredentials.test_make_from_service_account_self_signed_jwtsc,88 D.. QU ++?Q+R ..EEEE..????r-Tctjtjd}||_|rt j |n||_|xsi|_tjtjd}||_ ||_ |S)NFinstance) rcreate_autospecrResponsestatusrto_bytesr headersRequest side_effectr)r+r rrruse_data_bytesresponserequests r make_requestz(TestImpersonatedCredentials.make_requestsr'' (:(:UK 3A))$/t "=b&&y'8'85I)'r-c|j}d|_d|_i}|jt j dd||ddk(sJ|ddk(sJy)Nr? authorizationz Bearer tokenx-goog-api-clientz cred-type/imp)rPr?expirybefore_requestrMock)r+r rs rtest_token_usage_metricsz4TestImpersonatedCredentials.test_token_usage_metricssh++- # ! " ""499;dGD'>999*+>>>r-rFc@|jd}d}tjjdt j dzj ddz}||d }|jtj|tj| }tjd t 5|j|ddd|j sJ|j"rJ|j$j&d dtk(sJy#1swYKxYw)NrKr?r microsecondrrTZ accessToken expireTimer rr:google.auth.metrics.token_request_access_token_impersonaterrr)rPrrreplacerr isoformatrr/dumpsr9r:rr)ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUErefreshrr call_argskwargs)r+rr r r? expire_time response_bodyrs rtest_refresh_successz0TestImpersonatedCredentials.test_refresh_successs++T+:  OO  % %! % 4x7I7IRU7V V )C.3 ).[I ##M*>>)$  ZZ HB  K   (      &&&&    $ $Y /0C D8 9  9  s 7DDcz|jdd}ddi}|jtj|tj |}t jdt5|j|ddd|jsJ|jrJ|jdk(sJy#1swY7xYw) Ntest@email.com)rLrK signedJwtexample_signed_jwtrrrr#) rPrr/rr9r:rrrrrrr?)r+rr$r rrs r!test_refresh_with_subject_successz=TestImpersonatedCredentials.test_refresh_with_subject_success%s++4Dt+T $&:; ##M*>>)$  ZZ HB  K   (      &&&&  $====  s (B11B:c tjtdtd}|j d|}d}t j jdtjd zjd d z}||d }|jtj|tj| }|j ||j"sJ|j$rJ|j&d} | ddk(sJy)NrrrsrtrKrGr?rrrrrrrrurlz}https://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:generateAccessToken)r rrwrxrPrrrrrrrr/rr9r:rrrr) r+rr rGr r?rrrrequest_kwargss rtest_refresh_success_nonGduz7TestImpersonatedCredentials.test_refresh_success_nonGdu;s,88 $i ++.@,  OO  % %! % 4x7I7IRU7V V )C.3 ).[I ##M*>>)$   G$    &&&& **1- 5 !O O  Or-c|jd|j}d}tjj dt j dzjddz}||d }|jtj|tj| }|j||jsJ|jrJ|j d }|d |jk(sJy) NrKrMr?rrrrrrrrrr)rPIAM_ENDPOINT_OVERRIDErrrrrrrr/rr9r:rrrr) r+rr r r?rrrrs r*test_refresh_success_iam_endpoint_overridezFTestImpersonatedCredentials.test_refresh_success_iam_endpoint_override[s++1K1K,  OO  % %! % 4x7I7IRU7V V )C.3 ).[I ##M*>>)$   G$    &&&& **1-e$(B(BBBBr- time_skewijc|jd}tjtjzt j |z|j _d|j _tjdd5}tjjdt j d zjd d z}d |d }|jtj|t j"}|j$||j&sJ|j(rJ|dkDr|j+n|j-dddy#1swYyxYw)NrrTokenz1google.oauth2.service_account.Credentials.refreshTrrrrrrr?rr r)rPrrREFRESH_THRESHOLDrrrrr?rrrrrr/rr9r:rrrassert_not_calledassert_called_once)r+rr source_cred_refreshrrrs rtest_refresh_source_credentialsz;TestImpersonatedCredentials.test_refresh_source_credentialswsE++T+: OO (( )  3 4 ''. 18 ''- ZZ ?$ !))a)8$$S12ins#K-4;OM''ZZ .{~~(G K   ($$ $$"** **1}#557#668-   s CE**E3c |jd}d}tjtjdzj d}||d}|j tj|tj}tjtj5}|j|dddj!t"j$sJ|j&rJ|j(sJy#1swYGxYw)Nrr?rrrrr)rPrrrrrrr/rr9r:r\r]r RefreshErrorrr_r_REFRESH_ERRORrr)r+r r r?rrrrcs r*test_refresh_failure_malformed_expire_timezFTestImpersonatedCredentials.test_refresh_failure_malformed_expire_times++T+: (8+=+=c+JJUU  ).[I ##M*;>>$ ]]:22 3w K   (4}}5DDEEE$$$$"""" 4 3s +DD c|jd}dddddi}|jtj|tj }t jtj5}|j|dddjtjsJ|jrJ|jsJy#1swYGxYw)Nrerrorz#The caller does not have permissionPERMISSION_DENIED)codemessagerr)rPrr/rr9 UNAUTHORIZEDr\r]rrrr_rrrrr+r r rrrcs r test_refresh_failure_unauthorzedz>  '' (:(:UK*77 /GH ZZ C! z6677  &8  }}566687   s$$$D C>D >D D  Dc|jd}i}|jtj|tj }t jtj5}|j|dddjtjsJ|jrJ|jsJy#1swYGxYw)Nrr)rPrr/rr9 HTTPExceptionr\r]rrrr_rrrrrs rtest_refresh_failure_http_errorz;TestImpersonatedCredentials.test_refresh_failure_http_errors++T+:  ##M*;3L3L$ ]]:22 3w K   (4}}5DDEEE$$$$"""" 4 3s ,CCc<tjtdtd}|j |d}t j jdjdd z}d |d }|jtj|tj }tjt j"5}|j$|dddj'd sJ|j(rJ|j*sJy#1swY9xYw)Nrrrsrtr)rGrLrrrrr?rrzNDomain-wide delegation is not supported in universes other than googleapis.com)r rrwrxrPrrrrrr/rr9r:r\r]rGoogleAuthErrorrr_rr)r+r rGr rrrrcs r3test_refresh_failure_subject_with_nondefault_domainzOTestImpersonatedCredentials.test_refresh_failure_subject_with_nondefault_domains -88 $i ++1;K,  (00Q0?JJ3ORUU (/{K ##M*;>>$ ]]:55 6' K   (7}} $   $$$$""""7 6s DDcD|jd}|jsJy)Nr)rPrrUs r test_expiredz(TestImpersonatedCredentials.test_expired s$++T+: """"r-cp|j}t|jtjsJyr()rPrTsignerrrrUs r test_signerz'TestImpersonatedCredentials.test_signers-++- +,,.F.R.RSSSr-cr|j|j}|j|jk(sJyN)rH)rPTARGET_PRINCIPAL signer_emailrUs rtest_signer_emailz-TestImpersonatedCredentials.test_signer_emails5++T=R=R+S ''4+@+@@@@r-cr|j|j}|j|jk(sJyr)rPrservice_account_emailrUs rtest_service_account_emailz6TestImpersonatedCredentials.test_service_account_emails5++T=R=R+S 00D4I4IIIIr-cT|jd}d}|j||||y)Nrzyhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:signBlob)rP_sign_bytes_helper)r+r r=r expected_urls rtest_sign_bytesz+TestImpersonatedCredentials.test_sign_bytess7++T+: S    " '   r-ctjtdtd}|j d|}d}|j ||||y)Nrrrsrtrzrhttps://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:signBlob)r rrwrxrPr)r+r r=rGr rs rtest_sign_bytes_nonGduz2TestImpersonatedCredentials.test_sign_bytes_nonGdu$s^-88 $i ++.@, L    " '   r-c d}tjjdtjdzj ddz}||d}t jtjd }tj|_ tjtj||_t jtj"d } || _|j&| |j(sJ|j*rJ|j,d } |j/t j0d |dd gdddi| dk(sJy)Nr?rrrrrrrFrs signed bytesPOSTc2lnbmVkIGJ5dGVz)payloadrJz Content-Typezapplication/json)r/rs signature)rrrrrrrrrrr9r:rrr/rr rrrrr sign_bytesassert_called_withANY) r+r r r=rr?rtoken_response_bodyrr signatures rrz.TestImpersonatedCredentials._sign_bytes_helper5s6 OO  % %! % 4x7I7IRU7V V )C.3 /4;O'' (:(:UK%.. ))$**5H*IJ &&y'8'85I' G$    &&&&*K**?; #66 HH   /bA#%78 7 L(((r-c|jd}tjdd5}ddddi}t|tj }||_tjtj5}|jd dddjd sJ dddy#1swY&xYw#1swYyxYw) Nrr5Trrr unauthorizedrrfooz 'code': 403) rPrrr&r9rrr\r]rTransportErrorrr_)r+r r<r mock_responsercs rtest_sign_bytes_failurez3TestImpersonatedCredentials.test_sign_bytes_failureZs++T+: ZZ FQU cnEFD({/G/GHM(5L %z889W& &&v.:==/ //  :9  $A B:6B. B:.B7 3B::Cz time.sleeprc|jd}tjdd5}ddddi}t|tj }||_tjtj5}|jd dddjd sJ dddy#1swY&xYw#1swYyxYw) Nrr5Trrrinternal_failurer r z#exhausted signBlob endpoint retries) rPrrr&r9INTERNAL_SERVER_ERRORrr\r]rr rr_)r+ mock_timer r<r r rcs r!test_sign_bytes_retryable_failurez=TestImpersonatedCredentials.test_sign_bytes_retryable_failurehs++T+: ZZ FQU c6HIJD({/P/PQM(5L %z889W& &&v.:==!FG GG  :9  rcj|j}|jd}|jdk(sJy)N project-foo)rPwith_quota_project_quota_project_id)r+r quota_project_credss rtest_with_quota_projectz3TestImpersonatedCredentials.test_with_quota_projectws7++- >)$  ##G,"((((&.... **1-e$(B(BBBBr-c|j}g|_|jdusJ|jddg}|jdusJ|jddgk(sJy)NT fake_scope1 fake_scope2F)rP_target_scopesrequires_scopes with_scopesrUs rtest_with_scopesz,TestImpersonatedCredentials.test_with_scopessp++- %' "**d222-k--}m.LM **e333))m]-KKKKr-c|j}g|_|jdgdg}|jdgk(sJy)Nrr)default_scopes)rPr r"rUs r'test_with_scopes_provide_default_scopeszCTestImpersonatedCredentials.test_with_scopes_provide_default_scopessK++- %' "-k-- O]O ))m_<<>$   G$    &&&&+>>   !~~...("3"3"D"D_"UUUUr-cx|jd}d|_d|_d}tj||}t j dt5t j dd 5}dti}t|tj|_ |jd|jtk(sJ|jtjjt k(sJ|j"j$d d tk(sJ ddddddy#1swYxYw#1swYyxYw) Nrr?r(rz6google.auth.metrics.token_request_id_token_impersonaterrTrrr)rPr?rrrrr%ID_TOKEN_REQUEST_METRICS_HEADER_VALUEr@r&r9r:rrrr)r*rr)r+r r rr mock_postr s rtest_id_token_metricsz1TestImpersonatedCredentials.test_id_token_metricss&++T+: # ! ++>>  ZZ D> GRV/)5dKNN)K &  &~~666(*;*;*L*L#+''..y9:MN<==      s%D0-B%D$D0$D- )D00D9cz|jd}|jd}d}|j|||||y)Nrzhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:generateIdToken)rP_test_id_token_helper)r+r rAr target_credentialsrs rtest_id_token_from_credentialz9TestImpersonatedCredentials.test_id_token_from_credentialsP++T+: !22D2AZ  ""   " *   r-ctjtdtd}|j d|}|j d|}d}|j |||||y)Nrrrsrtrzyhttps://iamcredentials.foo.bar/v1/projects/-/serviceAccounts/impersonated@project.iam.gserviceaccount.com:generateIdToken)r rrwrxrPr2)r+r rArGr r3rs r$test_id_token_from_credential_nonGduz@TestImpersonatedCredentials.test_id_token_from_credential_nonGdus-88 $i ++.@, "22.@3 S  ""   " *   r-cd}d}tjjdtjdzj ddz}||d } |j tj| tj } |j| |jsJ|jrJtj||d } | j!| } | j| |j"j$} | d|k(sJ| j&t(k(sJ| j*d usJ| j,|usJy)Nr?r(rrrrrrrrT)r include_email)r3)rrrrrrrr/rr9r:rrrrrfrom_credentialsrargsr?r@_include_email_target_credentials) r+r r3r rArr?rrrrrr;s rr2z1TestImpersonatedCredentials._test_id_token_helper sG+ OO  % %! % 4x7I7IRU7V V )C.3 ).[I ##M*;>>$   G$    &&&&+>>  ,,@R,S!-77<<Aw,&&&~~...&&$...++/AAAAr-c|jd}d}d}tjjdt j dzj dd z}||d }|jtj|tj }|j||jsJ|jrJtj |d } | j#|} | j|| j$t&k(sJ| j(tjj+t,k(sJ| j.d usJy)Nrr?r(rrrrrrrrT)r8r)rPrrrrrrrr/rr9r:rrrrrwith_target_audiencer?r@rr)r*r<r+s r"test_id_token_with_target_audiencez>TestImpersonatedCredentials.test_id_token_with_target_audience0sB++T+: + OO  % %! % 4x7I7IRU7V V )C.3 ).[I ##M*;>>$   G$    &&&&+>> t 000Q!~~...("3"3"D"D_"UUUU&&$...r-cd}tjtj5}t j |dddj dsJy#1swYxYw)Nz4Provided Credential must be impersonated_credentials)r\r]rrrrr_)r+r rAr rcs rtest_id_token_invalid_credz6TestImpersonatedCredentials.test_id_token_invalid_credOsN ]]:55 6' $ 7 7 D7}}VWWW7 6s AA!c4|jd}d}d}tjjdt j dzj dd z}||d }|jtj|tj }|j||jsJ|jrJtj || } | j#d } | j|| j$t&k(sJy)Nrr?r(rrrrrrrrrT)rPrrrrrrrr/rr9r:rrrrrwith_include_emailr?r@r+s r test_id_token_with_include_emailz>$   G$    &&&&+>>  ..t4!~~...r-c,|jd}d}d}tjjdt j dzj dd z}||d }|jtj|tj }|j||jsJ|jrJtj || } | j#d } | j|| j$d k(sJy)Nrr?r(rrrrrrrrrr)rPrrrrrrrr/rr9r:rrrrrrquota_project_idr+s r test_id_token_with_quota_projectz>$   G$    &&&&+>>  ..}=!((M999r-c Xd}d}d|d}|jtj|tj}t j ||ii}||k(sJ|jdditjgtjid jd  y) Nfoo@example.comcorrect_signed_jwtr)r7rrrrmrrz[https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/foo@example.com:signJwtr)rJrzutf-8)rmethodrbody) rr/rr9r:r_sign_jwt_requestassert_called_once_withencode)r+rmexpected_signed_jwtrr signed_jwts rtest_sign_jwt_request_successz9TestImpersonatedCredentials.test_sign_jwt_request_successs% 2"%4GH ##M*;>>$ .??y"b 0000''m"BHIPP ( r-cd}|jdtj}tjt j 5}tj||ii}dddjtjsJ|jjddk(sJ|jjddk(sJy#1swYgxYw)NrJ error_messagerrLrz*Unable to acquire impersonated credentialsr) rr9 BAD_REQUESTr\r]rrrrOr_rvaluer;r+rmrrc_s r test_sign_jwt_request_http_errorz 8 [[-e}=>>>* [[-e}= > > [[-e}=C>C6 [[[3+6#97#9J#*#.7*#"#6#TAJ  "#)J 0TZZ 40 H1 HF  [[-e}=C>C:L=V:<   *%BN/>X/::: .8"7r-rC)2rZr http.clientclientr9r/osrr\ google.authrrrrr$google.auth.impersonated_credentialsr google.oauth2r r pathjoindirname__file__DATA_DIRopenfhreadPRIVATE_KEY_BYTESSERVICE_ACCOUNT_JSON_FILE8IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_FILEr@r*loadSERVICE_ACCOUNT_INFOrS RSASigner from_stringrwrxrr.fixturer r$r&r=rAobjectrCr3r-rr{s ! "0!<%) 77<<12v > "'',,x!1 2D9R :GGLL3IJ;=77<< H<8  #T*b$499R=+ BDIR?Htyy}<J  $ $%6 < . @*@& R 7&R 7m:9$+*JIs$(GG*GGGG'