diff options
| author | robot-piglet <robot-piglet@yandex-team.com> | 2024-02-08 10:32:02 +0300 |
|---|---|---|
| committer | robot-piglet <robot-piglet@yandex-team.com> | 2024-02-08 10:47:15 +0300 |
| commit | 24828cfceda057875e0c8218307bb391451d5066 (patch) | |
| tree | ae0104ac158d58422c53ef805c455cfe82e858ad | |
| parent | 05b9571c1945803dff29dad60ea612dbafb94999 (diff) | |
| download | ydb-24828cfceda057875e0c8218307bb391451d5066.tar.gz | |
Intermediate changes
8 files changed, 139 insertions, 15 deletions
diff --git a/contrib/python/google-auth/py3/.dist-info/METADATA b/contrib/python/google-auth/py3/.dist-info/METADATA index 2820e8856d..48bac82c9d 100644 --- a/contrib/python/google-auth/py3/.dist-info/METADATA +++ b/contrib/python/google-auth/py3/.dist-info/METADATA @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: google-auth -Version: 2.26.2 +Version: 2.27.0 Summary: Google Authentication Library Home-page: https://github.com/googleapis/google-auth-library-python Author: Google Cloud Platform diff --git a/contrib/python/google-auth/py3/google/auth/compute_engine/credentials.py b/contrib/python/google-auth/py3/google/auth/compute_engine/credentials.py index a035c7697a..7541c1d8cf 100644 --- a/contrib/python/google-auth/py3/google/auth/compute_engine/credentials.py +++ b/contrib/python/google-auth/py3/google/auth/compute_engine/credentials.py @@ -32,7 +32,11 @@ from google.auth.transport import requests as google_auth_requests from google.oauth2 import _client -class Credentials(credentials.Scoped, credentials.CredentialsWithQuotaProject): +class Credentials( + credentials.Scoped, + credentials.CredentialsWithQuotaProject, + credentials.CredentialsWithUniverseDomain, +): """Compute Engine Credentials. These credentials use the Google Compute Engine metadata server to obtain @@ -57,6 +61,7 @@ class Credentials(credentials.Scoped, credentials.CredentialsWithQuotaProject): quota_project_id=None, scopes=None, default_scopes=None, + universe_domain=None, ): """ Args: @@ -68,6 +73,10 @@ class Credentials(credentials.Scoped, credentials.CredentialsWithQuotaProject): scopes (Optional[Sequence[str]]): The list of scopes for the credentials. default_scopes (Optional[Sequence[str]]): Default scopes passed by a Google client library. Use 'scopes' for user-defined scopes. + universe_domain (Optional[str]): The universe domain. If not + provided or None, credential will attempt to fetch the value + from metadata server. If metadata server doesn't have universe + domain endpoint, then the default googleapis.com will be used. """ super(Credentials, self).__init__() self._service_account_email = service_account_email @@ -76,6 +85,9 @@ class Credentials(credentials.Scoped, credentials.CredentialsWithQuotaProject): self._default_scopes = default_scopes self._universe_domain_cached = False self._universe_domain_request = google_auth_requests.Request() + if universe_domain: + self._universe_domain = universe_domain + self._universe_domain_cached = True def _retrieve_info(self, request): """Retrieve information about the service account. @@ -146,23 +158,40 @@ class Credentials(credentials.Scoped, credentials.CredentialsWithQuotaProject): @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) def with_quota_project(self, quota_project_id): - return self.__class__( + creds = self.__class__( service_account_email=self._service_account_email, quota_project_id=quota_project_id, scopes=self._scopes, + default_scopes=self._default_scopes, ) + creds._universe_domain = self._universe_domain + creds._universe_domain_cached = self._universe_domain_cached + return creds @_helpers.copy_docstring(credentials.Scoped) def with_scopes(self, scopes, default_scopes=None): # Compute Engine credentials can not be scoped (the metadata service # ignores the scopes parameter). App Engine, Cloud Run and Flex support # requesting scopes. - return self.__class__( + creds = self.__class__( scopes=scopes, default_scopes=default_scopes, service_account_email=self._service_account_email, quota_project_id=self._quota_project_id, ) + creds._universe_domain = self._universe_domain + creds._universe_domain_cached = self._universe_domain_cached + return creds + + @_helpers.copy_docstring(credentials.CredentialsWithUniverseDomain) + def with_universe_domain(self, universe_domain): + return self.__class__( + scopes=self._scopes, + default_scopes=self._default_scopes, + service_account_email=self._service_account_email, + quota_project_id=self._quota_project_id, + universe_domain=universe_domain, + ) _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds diff --git a/contrib/python/google-auth/py3/google/auth/version.py b/contrib/python/google-auth/py3/google/auth/version.py index 6d53c4c411..e1fa722c81 100644 --- a/contrib/python/google-auth/py3/google/auth/version.py +++ b/contrib/python/google-auth/py3/google/auth/version.py @@ -12,4 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -__version__ = "2.26.2" +__version__ = "2.27.0" diff --git a/contrib/python/google-auth/py3/google/oauth2/credentials.py b/contrib/python/google-auth/py3/google/oauth2/credentials.py index 41f4a05bb6..c239beed13 100644 --- a/contrib/python/google-auth/py3/google/oauth2/credentials.py +++ b/contrib/python/google-auth/py3/google/oauth2/credentials.py @@ -87,6 +87,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr granted_scopes=None, trust_boundary=None, universe_domain=_DEFAULT_UNIVERSE_DOMAIN, + account=None, ): """ Args: @@ -131,6 +132,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr trust_boundary (str): String representation of trust boundary meta. universe_domain (Optional[str]): The universe domain. The default universe domain is googleapis.com. + account (Optional[str]): The account associated with the credential. """ super(Credentials, self).__init__() self.token = token @@ -149,6 +151,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr self._enable_reauth_refresh = enable_reauth_refresh self._trust_boundary = trust_boundary self._universe_domain = universe_domain or _DEFAULT_UNIVERSE_DOMAIN + self._account = account or "" def __getstate__(self): """A __getstate__ method must exist for the __setstate__ to be called @@ -189,6 +192,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr self._refresh_handler = None self._refresh_worker = None self._use_non_blocking_refresh = d.get("_use_non_blocking_refresh", False) + self._account = d.get("_account", "") @property def refresh_token(self): @@ -268,6 +272,11 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr raise TypeError("The provided refresh_handler is not a callable or None.") self._refresh_handler = value + @property + def account(self): + """str: The user account associated with the credential. If the account is unknown an empty string is returned.""" + return self._account + @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) def with_quota_project(self, quota_project_id): @@ -286,6 +295,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr enable_reauth_refresh=self._enable_reauth_refresh, trust_boundary=self._trust_boundary, universe_domain=self._universe_domain, + account=self._account, ) @_helpers.copy_docstring(credentials.CredentialsWithTokenUri) @@ -306,6 +316,35 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr enable_reauth_refresh=self._enable_reauth_refresh, trust_boundary=self._trust_boundary, universe_domain=self._universe_domain, + account=self._account, + ) + + def with_account(self, account): + """Returns a copy of these credentials with a modified account. + + Args: + account (str): The account to set + + Returns: + google.oauth2.credentials.Credentials: A new credentials instance. + """ + + return self.__class__( + self.token, + refresh_token=self.refresh_token, + id_token=self.id_token, + token_uri=self._token_uri, + client_id=self.client_id, + client_secret=self.client_secret, + scopes=self.scopes, + default_scopes=self.default_scopes, + granted_scopes=self.granted_scopes, + quota_project_id=self.quota_project_id, + rapt_token=self.rapt_token, + enable_reauth_refresh=self._enable_reauth_refresh, + trust_boundary=self._trust_boundary, + universe_domain=self._universe_domain, + account=account, ) @_helpers.copy_docstring(credentials.CredentialsWithUniverseDomain) @@ -326,6 +365,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr enable_reauth_refresh=self._enable_reauth_refresh, trust_boundary=self._trust_boundary, universe_domain=universe_domain, + account=self._account, ) def _metric_header_for_usage(self): @@ -474,6 +514,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr rapt_token=info.get("rapt_token"), # may not exist trust_boundary=info.get("trust_boundary"), # may not exist universe_domain=info.get("universe_domain"), # may not exist + account=info.get("account", ""), # may not exist ) @classmethod @@ -518,6 +559,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr "scopes": self.scopes, "rapt_token": self.rapt_token, "universe_domain": self._universe_domain, + "account": self._account, } if self.expiry: # flatten expiry timestamp prep["expiry"] = self.expiry.isoformat() + "Z" diff --git a/contrib/python/google-auth/py3/google/oauth2/id_token.py b/contrib/python/google-auth/py3/google/oauth2/id_token.py index 2b1abec2b4..e5dda508da 100644 --- a/contrib/python/google-auth/py3/google/oauth2/id_token.py +++ b/contrib/python/google-auth/py3/google/oauth2/id_token.py @@ -62,7 +62,6 @@ import os from google.auth import environment_vars from google.auth import exceptions from google.auth import jwt -import google.auth.transport.requests # The URL that provides public certificates for verifying ID tokens issued @@ -282,6 +281,8 @@ def fetch_id_token_credentials(audience, request=None): # Create a request object if not provided. if not request: + import google.auth.transport.requests + request = google.auth.transport.requests.Request() if _metadata.ping(request): diff --git a/contrib/python/google-auth/py3/tests/compute_engine/test_credentials.py b/contrib/python/google-auth/py3/tests/compute_engine/test_credentials.py index 5d6ccdcdec..f04bb1304a 100644 --- a/contrib/python/google-auth/py3/tests/compute_engine/test_credentials.py +++ b/contrib/python/google-auth/py3/tests/compute_engine/test_credentials.py @@ -50,13 +50,27 @@ ID_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/it cred-type/mds" ) +FAKE_SERVICE_ACCOUNT_EMAIL = "foo@bar.com" +FAKE_QUOTA_PROJECT_ID = "fake-quota-project" +FAKE_SCOPES = ["scope1", "scope2"] +FAKE_DEFAULT_SCOPES = ["scope3", "scope4"] +FAKE_UNIVERSE_DOMAIN = "fake-universe-domain" + class TestCredentials(object): credentials = None + credentials_with_all_fields = None @pytest.fixture(autouse=True) def credentials_fixture(self): self.credentials = credentials.Credentials() + self.credentials_with_all_fields = credentials.Credentials( + service_account_email=FAKE_SERVICE_ACCOUNT_EMAIL, + quota_project_id=FAKE_QUOTA_PROJECT_ID, + scopes=FAKE_SCOPES, + default_scopes=FAKE_DEFAULT_SCOPES, + universe_domain=FAKE_UNIVERSE_DOMAIN, + ) def test_default_state(self): assert not self.credentials.valid @@ -68,6 +82,9 @@ class TestCredentials(object): assert self.credentials.service_account_email == "default" # No quota project assert not self.credentials._quota_project_id + # Universe domain is the default and not cached + assert self.credentials._universe_domain == "googleapis.com" + assert not self.credentials._universe_domain_cached @mock.patch( "google.auth._helpers.utcnow", @@ -187,17 +204,35 @@ class TestCredentials(object): assert self.credentials.valid def test_with_quota_project(self): - quota_project_creds = self.credentials.with_quota_project("project-foo") + creds = self.credentials_with_all_fields.with_quota_project("project-foo") - assert quota_project_creds._quota_project_id == "project-foo" + assert creds._quota_project_id == "project-foo" + assert creds._service_account_email == FAKE_SERVICE_ACCOUNT_EMAIL + assert creds._scopes == FAKE_SCOPES + assert creds._default_scopes == FAKE_DEFAULT_SCOPES + assert creds.universe_domain == FAKE_UNIVERSE_DOMAIN + assert creds._universe_domain_cached def test_with_scopes(self): - assert self.credentials._scopes is None - scopes = ["one", "two"] - self.credentials = self.credentials.with_scopes(scopes) + creds = self.credentials_with_all_fields.with_scopes(scopes) - assert self.credentials._scopes == scopes + assert creds._scopes == scopes + assert creds._quota_project_id == FAKE_QUOTA_PROJECT_ID + assert creds._service_account_email == FAKE_SERVICE_ACCOUNT_EMAIL + assert creds._default_scopes is None + assert creds.universe_domain == FAKE_UNIVERSE_DOMAIN + assert creds._universe_domain_cached + + def test_with_universe_domain(self): + creds = self.credentials_with_all_fields.with_universe_domain("universe_domain") + + assert creds._scopes == FAKE_SCOPES + assert creds._quota_project_id == FAKE_QUOTA_PROJECT_ID + assert creds._service_account_email == FAKE_SERVICE_ACCOUNT_EMAIL + assert creds._default_scopes == FAKE_DEFAULT_SCOPES + assert creds.universe_domain == "universe_domain" + assert creds._universe_domain_cached def test_token_usage_metrics(self): self.credentials.token = "token" @@ -213,8 +248,9 @@ class TestCredentials(object): return_value="fake_universe_domain", ) def test_universe_domain(self, get_universe_domain): - self.credentials._universe_domain_cached = False - self.credentials._universe_domain = "googleapis.com" + # Check the default state + assert not self.credentials._universe_domain_cached + assert self.credentials._universe_domain == "googleapis.com" # calling the universe_domain property should trigger a call to # get_universe_domain to fetch the value. The value should be cached. @@ -232,6 +268,15 @@ class TestCredentials(object): self.credentials._universe_domain_request ) + @mock.patch("google.auth.compute_engine._metadata.get_universe_domain") + def test_user_provided_universe_domain(self, get_universe_domain): + assert self.credentials_with_all_fields.universe_domain == FAKE_UNIVERSE_DOMAIN + assert self.credentials_with_all_fields._universe_domain_cached + + # Since user provided universe_domain, we will not call the universe + # domain endpoint. + get_universe_domain.assert_not_called() + class TestIDTokenCredentials(object): credentials = None diff --git a/contrib/python/google-auth/py3/tests/oauth2/test_credentials.py b/contrib/python/google-auth/py3/tests/oauth2/test_credentials.py index 5f1dcf3cbf..67b6b9c1ad 100644 --- a/contrib/python/google-auth/py3/tests/oauth2/test_credentials.py +++ b/contrib/python/google-auth/py3/tests/oauth2/test_credentials.py @@ -794,6 +794,12 @@ class TestCredentials(object): new_creds = creds.with_universe_domain("dummy_universe.com") assert new_creds.universe_domain == "dummy_universe.com" + def test_with_account(self): + creds = credentials.Credentials(token="token") + assert creds.account == "" + new_creds = creds.with_account("mock@example.com") + assert new_creds.account == "mock@example.com" + def test_with_token_uri(self): info = AUTH_USER_INFO.copy() @@ -889,6 +895,7 @@ class TestCredentials(object): assert json_asdict.get("client_secret") == creds.client_secret assert json_asdict.get("expiry") == info["expiry"] assert json_asdict.get("universe_domain") == creds.universe_domain + assert json_asdict.get("account") == creds.account # Test with a `strip` arg json_output = creds.to_json(strip=["client_secret"]) diff --git a/contrib/python/google-auth/py3/ya.make b/contrib/python/google-auth/py3/ya.make index 976b926bff..5ece69bc98 100644 --- a/contrib/python/google-auth/py3/ya.make +++ b/contrib/python/google-auth/py3/ya.make @@ -2,7 +2,7 @@ PY3_LIBRARY() -VERSION(2.26.2) +VERSION(2.27.0) LICENSE(Apache-2.0) |