GddlmZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z dZ dZdZGd d eZy) N) exceptions) transport)sts)utilsusernamepasswordzdXNlcm5hbWU6cGFzc3dvcmQ=ceZdZdZdZdZddgZdZdZdZ d Z dZ d Z d d iZ d dgddiZddddddZddddZddddZej&ej(j*eeZej&ej(j2eeZed/dZeej<fdZed Z d!Z!d"Z"d#Z#d$Z$d%Z%d&Z&d'Z'd(Z(d)Z)d*Z*d+Z+d,Z,d-Z-d.Z.y)0 TestStsClientz/urn:ietf:params:oauth:grant-type:token-exchangezhttps://api.example.com/zurn:example:cooperation-contextscope1scope2z-urn:ietf:params:oauth:token-type:access_tokenz&HEADER.SUBJECT_TOKEN_PAYLOAD.SIGNATUREz$urn:ietf:params:oauth:token-type:jwtz$HEADER.ACTOR_TOKEN_PAYLOAD.SIGNATUREz https://example.com/token.oauth2zx-client-versionz0.1.2 additionaloptionsz some-value)z non-standardother ACCESS_TOKENBeareriz scope1 scope2) access_tokenissued_token_type token_type expires_inscopeabcxyz)r refresh_tokenrinvalid_requestzInvalid subject tokenz#https://tools.ietf.org/html/rfc6749)errorerror_description error_uriNcBtj|j|SN)rClientTOKEN_EXCHANGE_ENDPOINT)cls client_auths Oplatform/gsutil/third_party/google-auth-library-python/tests/oauth2/test_sts.py make_clientzTestStsClient.make_clientFszz#55{CCctjtjd}||_t j |jd|_tjtj}||_ |S)NT)instanceutf-8) mockcreate_autospecrResponsestatusjsondumpsencodedataRequest return_value)r"r1r-responserequests r$make_mock_requestzTestStsClient.make_mock_requestJs_'' (:(:TJ  4(//8 &&y'8'89'r&cX|d|jk(sJ|ddk(sJ|d|k(sJ|dJtjj|d}|D]-\}}|j d||j dk(r-Jt |t |j k(sJy)zEAsserts the request was called with the expected parameters. urlmethodPOSTheadersbodyNr))r!urllibparse parse_qsldecodelenkeys)r"request_kwargsr; request_data body_tupleskvs r$assert_request_kwargsz#TestStsClient.assert_request_kwargsUse$(C(CCCCh'6111i(G333f%111ll,,^F-CD !FQ88G$ QXXg5F(GG GG";3|'8'8':#;;;;r&c|j}|jj}d|d<|j|j|j dj |j|j|j|j|j|jtjjt!j"|j$d }|j't(j*|j,}|j/||j|j|j|j|j |j|j|j|j|j$|j }|j1|j2d||||j,k(sJy)zaTest token exchange success without client authentication using full parameters. !application/x-www-form-urlencoded Content-Type grant_typeresourceaudiencerrequested_token_type subject_tokensubject_token_type actor_tokenactor_token_typerr-r1N)r% ADDON_HEADERScopy GRANT_TYPERESOURCEAUDIENCEjoinSCOPESREQUESTED_TOKEN_TYPE SUBJECT_TOKENSUBJECT_TOKEN_TYPE ACTOR_TOKENACTOR_TOKEN_TYPEr=r>quoter.r/ ADDON_OPTIONSr6 http_clientOKSUCCESS_RESPONSEexchange_tokenrH call_argsselfclientr;rDr5r4s r$-test_exchange_token_full_success_without_authz;TestStsClient.test_exchange_token_full_success_without_authbss!!#$$))+"E//  XXdkk*$($=$=!//"&"9"9++ $ 5 5||))$**T5G5G*HI  ((>>(=(=) ((  OO     # # MM MM KK  % %     ! !         ""7#4#4Q#7,O400000r&c|j}ddi}|j|j|j|j|j d}|j tj|j}|j||j|j|j |j|j}|j|jd||||jk(sJy)ztTest token exchange success without client authentication using partial (required only) parameters. rKrJrNrPrQrRrSrVrNrRrSrPrQrWN) r%rZr\r_r`rar6rfrgrhrirHrjrks r$0test_exchange_token_partial_success_without_authz>TestStsClient.test_exchange_token_partial_success_without_auths!!#!#FG// $($=$=!//"&"9"9  ((>>(=(=) (( ,,#66]]!%!:!: )  ""7#4#4Q#7,O400000r&c$|j}|jtj|j}t j tj5}|j||j|j|j|j|j|j|j |j"|j$|j&|j( dddj+dsJy#1swYxYw)zPTest token exchange without client auth responding with non-200 status. rVNWError code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749)r%r6rf BAD_REQUESTERROR_RESPONSEpytestraisesr OAuthErrorrirZr`rar[r\r^r_rbrcrerXmatchrlrmr5excinfos r$'test_exchange_token_non200_without_authz5TestStsClient.test_exchange_token_non200_without_auths!!#((**1D1D) ]]:00 1W  ! !""''   ))  %%"""" 2 }} f   !2 1s B DDc|j|j}|jj}d|d<dj t |d<|j |j|jdj|j|j|j|j|j|jt j"j%t'j(|j*d }|j-t.j0|j2}|j5||j |j|j|j|j|j|j|j|j|j*|j }|j7|j8d||||j2k(sJy ) zdTest token exchange success with basic client authentication using full parameters. rJrKBasic {} AuthorizationrLrMrVrWN)r%CLIENT_AUTH_BASICrXrYformatBASIC_AUTH_ENCODINGrZr[r\r]r^r_r`rarbrcr=r>rdr.r/rer6rfrgrhrirHrjrks r$0test_exchange_token_full_success_with_basic_authz>TestStsClient.test_exchange_token_full_success_with_basic_auths!!$"8"89$$))+"E#-#4#45H#I //  XXdkk*$($=$=!//"&"9"9++ $ 5 5||))$**T5G5G*HI  ((>>(=(=) ((  OO     # # MM MM KK  % %     ! !         ""7#4#4Q#7,O400000r&c(|j|j}ddjtd}|j|j |j |j|jd}|jtj|j}|j||j|j|j|j |j }|j|jd||||jk(sJy) zwTest token exchange success with basic client authentication using partial (required only) parameters. rJr)rKrrprVrqrWN)r%rrrrZr\r_r`rar6rfrgrhrirHrjrks r$3test_exchange_token_partial_success_with_basic_authzATestStsClient.test_exchange_token_partial_success_with_basic_auths!!$"8"89?'../BC  // $($=$=!//"&"9"9  ((>>(=(=) (( ,,#66]]!%!:!: )  ""7#4#4Q#7,O400000r&c:|j|j}|jtj|j }t jtj5}|j||j|j|j|j|j|j |j"|j$|j&|j(|j* dddj-dsJy#1swYxYw)z[Test token exchange with basic client auth responding with non-200 status. rVNrt)r%rr6rfrurvrwrxrryrirZr`rar[r\r^r_rbrcrerXrzr{s r$*test_exchange_token_non200_with_basic_authz8TestStsClient.test_exchange_token_non200_with_basic_auths!!$"8"89((**1D1D) ]]:00 1W  ! !""''   ))  %%"""" 2 }} f   !2 1 *B DDc|j|j}|jj}d|d<|j|j |j dj|j|j|j|j|j|jtjj!t#j$|j&t(t*d }|j-t.j0|j2}|j5||j|j|j|j |j |j|j|j|j|j&|j }|j7|j8d||||j2k(sJy)zkTest token exchange success with request body client authenticaiton using full parameters. rJrKrL) rNrOrPrrQrRrSrTrUr client_id client_secretrVrWN)r%CLIENT_AUTH_REQUEST_BODYrXrYrZr[r\r]r^r_r`rarbrcr=r>rdr.r/re CLIENT_ID CLIENT_SECRETr6rfrgrhrirHrjrks r$2test_exchange_token_full_success_with_reqbody_authz@TestStsClient.test_exchange_token_full_success_with_reqbody_auth+s!!$"?"?@$$))+"E//  XXdkk*$($=$=!//"&"9"9++ $ 5 5||))$**T5G5G*HI"*  ((>>(=(=) ((  OO     # # MM MM KK  % %     ! !         ""7#4#4Q#7,O400000r&c|j|j}ddi}|j|j|j|j |j ttd}|jtj|j}|j||j|j |j |j|j}|j|jd||||jk(sJy)z~Test token exchange success with request body client authentication using partial (required only) parameters. rKrJ)rNrPrQrRrSrrrVrqrWN)r%rrZr\r_r`rarrr6rfrgrhrirHrjrks r$5test_exchange_token_partial_success_with_reqbody_authzCTestStsClient.test_exchange_token_partial_success_with_reqbody_authVs!!$"?"?@!#FG// $($=$=!//"&"9"9"* ((>>(=(=) (( ,,#66]]!%!:!: )  ""7#4#4Q#7,O400000r&c:|j|j}|jtj|j }t jtj5}|j||j|j|j|j|j|j |j"|j$|j&|j(|j* dddj-dsJy#1swYxYw)zgTest token exchange with POST request body client auth responding with non-200 status. rVNrt)r%rr6rfrurvrwrxrryrirZr`rar[r\r^r_rbrcrerXrzr{s r$,test_exchange_token_non200_with_reqbody_authz:TestStsClient.test_exchange_token_non200_with_reqbody_authus!!$"?"?@((**1D1D) ]]:00 1W  ! !""''   ))  %%"""" 2 }} f   !2 1rc*|j|j}|jtj|j }|j |d}ddd}ddd}|j|jd||||j k(sJy z,Test refresh token with successful response.rV refreshtokenBasic dXNlcm5hbWU6cGFzc3dvcmQ=rJ)rrKr)rNrrWN) r%rr6rfrgrhrrHrjrlrmr5r4r;rDs r$test_refresh_token_successz(TestStsClient.test_refresh_token_successs!!$"8"89((>>(=(=) ''@>? '6W  ""7#4#4Q#7,O400000r&c*|j|j}|jtj|j }|j |d}ddd}ddd}|j|jd||||j k(sJy r) r%rr6rfrgSUCCESS_RESPONSE_WITH_REFRESHrrHrjrs r$'test_refresh_token_success_with_refreshz5TestStsClient.test_refresh_token_success_with_refreshs!!$"8"89((>>(J(J) ''@>? '6W  ""7#4#4Q#7,O4=====r&cJ|j|j}|jtj|j }t jtj5}|j|ddddjdsJy#1swYxYw))Test refresh token with failure response.rVrNrt) r%rr6rfrurvrwrxrryrrzr{s r$test_refresh_token_failurez(TestStsClient.test_refresh_token_failures!!$"8"89((**1D1D) ]]:00 1W  . 92}} f   2 1s *BB"c4|j|j}|jtj|j }|j |ddiddi}dddd}ddi}|j|jd ||||j k(sJy ) z*Test base method with successful response.rVabcdrrJ)rrKrrWN) r%rr6rfrgrh _make_requestrHrjrs r$test__make_request_successz(TestStsClient.test__make_request_successs!!$"8"89((>>(=(=) ''#sc3ZH>?  Sz  ""7#4#4Q#7,O400000r&cT|j|j}|jtj|j }t jtj5}|j|ddiddidddjdsJy#1swYxYw)rrVrrrrNrt) r%rr6rfrurvrwrxrryrrzr{s r$test_make_request_failurez'TestStsClient.test_make_request_failures!!$"8"89((**1D1D) ]]:00 1W  3*sCj A2}} f   2 1s *BB'r)/__name__ __module__ __qualname__rZr[r\r^r_r`rarbrcr!rXrerhrrvrClientAuthenticationClientAuthTypebasicrrr request_bodyr classmethodr%rfrgr6rHrnrrr}rrrrrrrrrrrr&r$r r !ssBJ)H0H !FJ :1">"  1$  r&r ) http.clientrmrfr.r=r*rw google.authrr google.oauth2rrrrrobjectr rr&r$rs@" "!   0 F r&