author | AlexSm <alex@ydb.tech> | 2024-03-05 10:40:59 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-05 12:40:59 +0300 |
commit | 1ac13c847b5358faba44dbb638a828e24369467b (patch) | |
tree | 07672b4dd3604ad3dee540a02c6494cb7d10dc3d /contrib/python/google-auth/py3 | |
parent | ffcca3e7f7958ddc6487b91d3df8c01054bd0638 (diff) | |
Library import 16 (#2433)
Co-authored-by: robot-piglet <robot-piglet@yandex-team.com>
Co-authored-by: deshevoy <deshevoy@yandex-team.com>
Co-authored-by: robot-contrib <robot-contrib@yandex-team.com>
Co-authored-by: thegeorg <thegeorg@yandex-team.com>
Co-authored-by: robot-ya-builder <robot-ya-builder@yandex-team.com>
Co-authored-by: svidyuk <svidyuk@yandex-team.com>
Co-authored-by: shadchin <shadchin@yandex-team.com>
Co-authored-by: robot-ratatosk <robot-ratatosk@yandex-team.com>
Co-authored-by: innokentii <innokentii@yandex-team.com>
Co-authored-by: arkady-e1ppa <arkady-e1ppa@yandex-team.com>
Co-authored-by: snermolaev <snermolaev@yandex-team.com>
Co-authored-by: dimdim11 <dimdim11@yandex-team.com>
Co-authored-by: kickbutt <kickbutt@yandex-team.com>
Co-authored-by: abdullinsaid <abdullinsaid@yandex-team.com>
Co-authored-by: korsunandrei <korsunandrei@yandex-team.com>
Co-authored-by: petrk <petrk@yandex-team.com>
Co-authored-by: miroslav2 <miroslav2@yandex-team.com>
Co-authored-by: serjflint <serjflint@yandex-team.com>
Co-authored-by: akhropov <akhropov@yandex-team.com>
Co-authored-by: prettyboy <prettyboy@yandex-team.com>
Co-authored-by: ilikepugs <ilikepugs@yandex-team.com>
Co-authored-by: hiddenpath <hiddenpath@yandex-team.com>
Co-authored-by: mikhnenko <mikhnenko@yandex-team.com>
Co-authored-by: spreis <spreis@yandex-team.com>
Co-authored-by: andreyshspb <andreyshspb@yandex-team.com>
Co-authored-by: dimaandreev <dimaandreev@yandex-team.com>
Co-authored-by: rashid <rashid@yandex-team.com>
Co-authored-by: robot-ydb-importer <robot-ydb-importer@yandex-team.com>
Co-authored-by: r-vetrov <r-vetrov@yandex-team.com>
Co-authored-by: ypodlesov <ypodlesov@yandex-team.com>
Co-authored-by: zaverden <zaverden@yandex-team.com>
Co-authored-by: vpozdyayev <vpozdyayev@yandex-team.com>
Co-authored-by: robot-cozmo <robot-cozmo@yandex-team.com>
Co-authored-by: v-korovin <v-korovin@yandex-team.com>
Co-authored-by: arikon <arikon@yandex-team.com>
Co-authored-by: khoden <khoden@yandex-team.com>
Co-authored-by: psydmm <psydmm@yandex-team.com>
Co-authored-by: robot-javacom <robot-javacom@yandex-team.com>
Co-authored-by: dtorilov <dtorilov@yandex-team.com>
Co-authored-by: sennikovmv <sennikovmv@yandex-team.com>
Co-authored-by: hcpp <hcpp@ydb.tech>
Diffstat (limited to 'contrib/python/google-auth/py3')
20 files changed, 173 insertions, 66 deletions
diff --git a/contrib/python/google-auth/py3/.dist-info/METADATA b/contrib/python/google-auth/py3/.dist-info/METADATA index 48bac82c9d..c8e96994cf 100644 --- a/contrib/python/google-auth/py3/.dist-info/METADATA +++ b/contrib/python/google-auth/py3/.dist-info/METADATA @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: google-auth -Version: 2.27.0 +Version: 2.28.0 Summary: Google Authentication Library Home-page: https://github.com/googleapis/google-auth-library-python Author: Google Cloud Platform diff --git a/contrib/python/google-auth/py3/google/auth/compute_engine/_metadata.py b/contrib/python/google-auth/py3/google/auth/compute_engine/_metadata.py index 1c884c3c43..108cbfe932 100644 --- a/contrib/python/google-auth/py3/google/auth/compute_engine/_metadata.py +++ b/contrib/python/google-auth/py3/google/auth/compute_engine/_metadata.py @@ -222,7 +222,7 @@ def get( content = _helpers.from_bytes(response.data) if response.status == http_client.NOT_FOUND and return_none_for_not_found_error: - _LOGGER.info( + _LOGGER.debug( "Compute Engine Metadata server call to %s returned 404, reason: %s", path, content, diff --git a/contrib/python/google-auth/py3/google/auth/compute_engine/credentials.py b/contrib/python/google-auth/py3/google/auth/compute_engine/credentials.py index 7541c1d8cf..008b991bb9 100644 --- a/contrib/python/google-auth/py3/google/auth/compute_engine/credentials.py +++ b/contrib/python/google-auth/py3/google/auth/compute_engine/credentials.py @@ -28,7 +28,6 @@ from google.auth import iam from google.auth import jwt from google.auth import metrics from google.auth.compute_engine import _metadata -from google.auth.transport import requests as google_auth_requests from google.oauth2 import _client 
@@ -84,7 +83,6 @@ class Credentials( self._scopes = scopes self._default_scopes = default_scopes self._universe_domain_cached = False - self._universe_domain_request = google_auth_requests.Request() if universe_domain: self._universe_domain = universe_domain self._universe_domain_cached = True @@ -150,8 +148,11 @@ class Credentials( def universe_domain(self): if self._universe_domain_cached: return self._universe_domain + + from google.auth.transport import requests as google_auth_requests + self._universe_domain = _metadata.get_universe_domain( - self._universe_domain_request + google_auth_requests.Request() ) self._universe_domain_cached = True return self._universe_domain diff --git a/contrib/python/google-auth/py3/google/auth/credentials.py b/contrib/python/google-auth/py3/google/auth/credentials.py index a4fa1829c7..27abd443dc 100644 --- a/contrib/python/google-auth/py3/google/auth/credentials.py +++ b/contrib/python/google-auth/py3/google/auth/credentials.py @@ -24,6 +24,8 @@ from google.auth import exceptions from google.auth import metrics from google.auth._refresh_worker import RefreshThreadManager +DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" + class Credentials(metaclass=abc.ABCMeta): """Base class for all credentials. @@ -57,7 +59,7 @@ class Credentials(metaclass=abc.ABCMeta): """Optional[dict]: Cache of a trust boundary response which has a list of allowed regions and an encoded string representation of credentials trust boundary.""" - self._universe_domain = "googleapis.com" + self._universe_domain = DEFAULT_UNIVERSE_DOMAIN """Optional[str]: The universe domain value, default is googleapis.com """ diff --git a/contrib/python/google-auth/py3/google/auth/downscoped.py b/contrib/python/google-auth/py3/google/auth/downscoped.py index b4d9d386e5..ea75be90fe 100644 --- a/contrib/python/google-auth/py3/google/auth/downscoped.py +++ b/contrib/python/google-auth/py3/google/auth/downscoped.py 
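Review bot: The function-scope import added to the `universe_domain` property in compute_engine/credentials.py carries no comment saying why it is local, so a later cleanup is likely to hoist it back to module level. A one-line comment such as `# Imported lazily so importing this module does not pull in the requests transport.` would record the intent; that reason is inferred from the removed module-level import, so confirm it before wording the comment. The metadata lookup that decides the universe domain is also made with a default-constructed `google_auth_requests.Request()`, and with `_universe_domain_request` gone there is no visible way for a caller to supply its own transport for that call, which is worth stating in the property's docstring.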
@@ -63,7 +63,7 @@ _STS_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange" # The token exchange requested_token_type. This is always an access_token. _STS_REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token" # The STS token URL used to exchanged a short lived access token for a downscoped one. -_STS_TOKEN_URL = "https://sts.googleapis.com/v1/token" +_STS_TOKEN_URL_PATTERN = "https://sts.{}/v1/token" # The subject token type to use when exchanging a short lived access token for a # downscoped token. _STS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token" @@ -437,7 +437,11 @@ class Credentials(credentials.CredentialsWithQuotaProject): """ def __init__( - self, source_credentials, credential_access_boundary, quota_project_id=None + self, + source_credentials, + credential_access_boundary, + quota_project_id=None, + universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN, ): """Instantiates a downscoped credentials object using the provided source credentials and credential access boundary rules. @@ -456,6 +460,7 @@ class Credentials(credentials.CredentialsWithQuotaProject): the upper bound of the permissions that are available on that resource and an optional condition to further restrict permissions. quota_project_id (Optional[str]): The optional quota project ID. + universe_domain (Optional[str]): The universe domain value, default is googleapis.com Raises: google.auth.exceptions.RefreshError: If the source credentials return an error on token refresh. 
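Review bot: The comment above `_STS_TOKEN_URL_PATTERN` in downscoped.py still describes a fixed URL ("The STS token URL used to exchanged ..."), although the constant is now a format string whose `{}` becomes the host suffix. Something like `# Format string for the STS token URL; "{}" is replaced with the universe domain.` would match the new code and fix the "exchanged" typo. The new `universe_domain` docstring entry could also say that the value selects the STS host that receives the token-exchange request, since that is the security-relevant effect of the parameter.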
@@ -467,7 +472,10 @@ class Credentials(credentials.CredentialsWithQuotaProject): self._source_credentials = source_credentials self._credential_access_boundary = credential_access_boundary self._quota_project_id = quota_project_id - self._sts_client = sts.Client(_STS_TOKEN_URL) + self._universe_domain = universe_domain or credentials.DEFAULT_UNIVERSE_DOMAIN + self._sts_client = sts.Client( + _STS_TOKEN_URL_PATTERN.format(self.universe_domain) + ) @_helpers.copy_docstring(credentials.Credentials) def refresh(self, request): diff --git a/contrib/python/google-auth/py3/google/auth/external_account.py b/contrib/python/google-auth/py3/google/auth/external_account.py index c314ea799e..0420883f86 100644 --- a/contrib/python/google-auth/py3/google/auth/external_account.py +++ b/contrib/python/google-auth/py3/google/auth/external_account.py @@ -51,8 +51,6 @@ _STS_REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token" # Cloud resource manager URL used to retrieve project information. _CLOUD_RESOURCE_MANAGER = "https://cloudresourcemanager.googleapis.com/v1/projects/" -_DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" - class Credentials( credentials.Scoped, @@ -83,7 +81,7 @@ class Credentials( scopes=None, default_scopes=None, workforce_pool_user_project=None, - universe_domain=_DEFAULT_UNIVERSE_DOMAIN, + universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN, trust_boundary=None, ): """Instantiates an external account credentials object. @@ -131,7 +129,7 @@ class Credentials( self._scopes = scopes self._default_scopes = default_scopes self._workforce_pool_user_project = workforce_pool_user_project - self._universe_domain = universe_domain or _DEFAULT_UNIVERSE_DOMAIN + self._universe_domain = universe_domain or credentials.DEFAULT_UNIVERSE_DOMAIN self._trust_boundary = { "locations": [], "encoded_locations": "0x0", 
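Review bot: `universe_domain` is formatted straight into the host of the token-exchange URL in `downscoped.Credentials.__init__` (`_STS_TOKEN_URL_PATTERN.format(self.universe_domain)`) with no check on its shape. Judging by the tests in this commit, refresh posts the source credential's access token to that URL as `subject_token`, so a value taken from untrusted configuration, or one containing `/`, `@`, `#` or whitespace, decides where that token is sent. Consider rejecting anything that is not a plain DNS name before building the client, for example `if not re.fullmatch(r"[A-Za-z0-9.-]+", self._universe_domain): raise exceptions.InvalidValue("invalid universe_domain")` (this needs `re` in scope), and note in the docstring that the value must come from a trusted source. `__init__` begins in an earlier hunk.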
@@ -513,7 +511,9 @@ class Credentials( credential_source=info.get("credential_source"), quota_project_id=info.get("quota_project_id"), workforce_pool_user_project=info.get("workforce_pool_user_project"), - universe_domain=info.get("universe_domain", _DEFAULT_UNIVERSE_DOMAIN), + universe_domain=info.get( + "universe_domain", credentials.DEFAULT_UNIVERSE_DOMAIN + ), **kwargs ) diff --git a/contrib/python/google-auth/py3/google/auth/external_account_authorized_user.py b/contrib/python/google-auth/py3/google/auth/external_account_authorized_user.py index 526588f7e8..f73387172c 100644 --- a/contrib/python/google-auth/py3/google/auth/external_account_authorized_user.py +++ b/contrib/python/google-auth/py3/google/auth/external_account_authorized_user.py @@ -43,7 +43,6 @@ from google.auth import exceptions from google.oauth2 import sts from google.oauth2 import utils -_DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" _EXTERNAL_ACCOUNT_AUTHORIZED_USER_JSON_TYPE = "external_account_authorized_user" @@ -76,7 +75,7 @@ class Credentials( revoke_url=None, scopes=None, quota_project_id=None, - universe_domain=_DEFAULT_UNIVERSE_DOMAIN, + universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN, ): """Instantiates a external account authorized user credentials object. @@ -120,7 +119,7 @@ class Credentials( self._revoke_url = revoke_url self._quota_project_id = quota_project_id self._scopes = scopes - self._universe_domain = universe_domain or _DEFAULT_UNIVERSE_DOMAIN + self._universe_domain = universe_domain or credentials.DEFAULT_UNIVERSE_DOMAIN if not self.valid and not self.can_refresh: raise exceptions.InvalidOperation( @@ -342,7 +341,9 @@ class Credentials( revoke_url=info.get("revoke_url"), quota_project_id=info.get("quota_project_id"), scopes=info.get("scopes"), - universe_domain=info.get("universe_domain", _DEFAULT_UNIVERSE_DOMAIN), + universe_domain=info.get( + "universe_domain", credentials.DEFAULT_UNIVERSE_DOMAIN + ), **kwargs ) 
diff --git a/contrib/python/google-auth/py3/google/auth/version.py b/contrib/python/google-auth/py3/google/auth/version.py index e1fa722c81..9672a6c412 100644 --- a/contrib/python/google-auth/py3/google/auth/version.py +++ b/contrib/python/google-auth/py3/google/auth/version.py @@ -12,4 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -__version__ = "2.27.0" +__version__ = "2.28.0" diff --git a/contrib/python/google-auth/py3/google/oauth2/credentials.py b/contrib/python/google-auth/py3/google/oauth2/credentials.py index c239beed13..5ca00d4c5a 100644 --- a/contrib/python/google-auth/py3/google/oauth2/credentials.py +++ b/contrib/python/google-auth/py3/google/oauth2/credentials.py @@ -49,7 +49,6 @@ _LOGGER = logging.getLogger(__name__) # The Google OAuth 2.0 token endpoint. Used for authorized user credentials. _GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token" -_DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaProject): @@ -86,7 +85,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr enable_reauth_refresh=False, granted_scopes=None, trust_boundary=None, - universe_domain=_DEFAULT_UNIVERSE_DOMAIN, + universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN, account=None, ): """ @@ -150,7 +149,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr self.refresh_handler = refresh_handler self._enable_reauth_refresh = enable_reauth_refresh self._trust_boundary = trust_boundary - self._universe_domain = universe_domain or _DEFAULT_UNIVERSE_DOMAIN + self._universe_domain = universe_domain or credentials.DEFAULT_UNIVERSE_DOMAIN self._account = account or "" def __getstate__(self): 
@@ -187,7 +186,9 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr self._rapt_token = d.get("_rapt_token") self._enable_reauth_refresh = d.get("_enable_reauth_refresh") self._trust_boundary = d.get("_trust_boundary") - self._universe_domain = d.get("_universe_domain") or _DEFAULT_UNIVERSE_DOMAIN + self._universe_domain = ( + d.get("_universe_domain") or credentials.DEFAULT_UNIVERSE_DOMAIN + ) # The refresh_handler setter should be used to repopulate this. self._refresh_handler = None self._refresh_worker = None @@ -373,7 +374,7 @@ class Credentials(credentials.ReadOnlyScoped, credentials.CredentialsWithQuotaPr @_helpers.copy_docstring(credentials.Credentials) def refresh(self, request): - if self._universe_domain != _DEFAULT_UNIVERSE_DOMAIN: + if self._universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN: raise exceptions.RefreshError( "User credential refresh is only supported in the default " "googleapis.com universe domain, but the current universe " diff --git a/contrib/python/google-auth/py3/google/oauth2/service_account.py b/contrib/python/google-auth/py3/google/oauth2/service_account.py index 4502c6f68c..04fd7797ad 100644 --- a/contrib/python/google-auth/py3/google/oauth2/service_account.py +++ b/contrib/python/google-auth/py3/google/oauth2/service_account.py @@ -82,7 +82,6 @@ from google.auth import metrics from google.oauth2 import _client _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds -_DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" _GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token" @@ -139,7 +138,7 @@ class Credentials( quota_project_id=None, additional_claims=None, always_use_jwt_access=False, - universe_domain=_DEFAULT_UNIVERSE_DOMAIN, + universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN, trust_boundary=None, ): """ 
@@ -182,9 +181,9 @@ class Credentials( self._quota_project_id = quota_project_id self._token_uri = token_uri self._always_use_jwt_access = always_use_jwt_access - self._universe_domain = universe_domain or _DEFAULT_UNIVERSE_DOMAIN + self._universe_domain = universe_domain or credentials.DEFAULT_UNIVERSE_DOMAIN - if universe_domain != _DEFAULT_UNIVERSE_DOMAIN: + if universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN: self._always_use_jwt_access = True self._jwt_credentials = None @@ -216,7 +215,9 @@ class Credentials( service_account_email=info["client_email"], token_uri=info["token_uri"], project_id=info.get("project_id"), - universe_domain=info.get("universe_domain", _DEFAULT_UNIVERSE_DOMAIN), + universe_domain=info.get( + "universe_domain", credentials.DEFAULT_UNIVERSE_DOMAIN + ), trust_boundary=info.get("trust_boundary"), **kwargs ) @@ -316,7 +317,7 @@ class Credentials( """ cred = self._make_copy() if ( - cred._universe_domain != _DEFAULT_UNIVERSE_DOMAIN + cred._universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN and not always_use_jwt_access ): raise exceptions.InvalidValue( @@ -329,7 +330,7 @@ class Credentials( def with_universe_domain(self, universe_domain): cred = self._make_copy() cred._universe_domain = universe_domain - if universe_domain != _DEFAULT_UNIVERSE_DOMAIN: + if universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN: cred._always_use_jwt_access = True return cred @@ -427,7 +428,10 @@ class Credentials( # created, try to create one with scopes self._create_self_signed_jwt(None) - if self._universe_domain != _DEFAULT_UNIVERSE_DOMAIN and self._subject: + if ( + self._universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN + and self._subject + ): raise exceptions.RefreshError( "domain wide delegation is not supported for non-default universe domain" ) 
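Review bot: In `Credentials.__init__` of service_account.py the stored value is defaulted (`universe_domain or credentials.DEFAULT_UNIVERSE_DOMAIN`), but the check right after it still compares the raw argument, so `universe_domain=None` or `""` yields the default domain and still sets `_always_use_jwt_access = True`. Compare the normalised value instead: `if self._universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN:`. The same pattern is in the `IDTokenCredentials.__init__` hunk (`@@ -588,11 +592,11 @@`), where a falsy argument sets `_use_iam_endpoint = True`. Both constructors start outside these hunks, and the `universe_domain=None` tests in this commit assert only the resulting domain, not these flags.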
@@ -556,7 +560,7 @@ class IDTokenCredentials( target_audience, additional_claims=None, quota_project_id=None, - universe_domain=_DEFAULT_UNIVERSE_DOMAIN, + universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN, ): """ Args: @@ -588,11 +592,11 @@ class IDTokenCredentials( self._use_iam_endpoint = False if not universe_domain: - self._universe_domain = _DEFAULT_UNIVERSE_DOMAIN + self._universe_domain = credentials.DEFAULT_UNIVERSE_DOMAIN else: self._universe_domain = universe_domain - if universe_domain != _DEFAULT_UNIVERSE_DOMAIN: + if universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN: self._use_iam_endpoint = True if additional_claims is not None: @@ -708,7 +712,10 @@ class IDTokenCredentials( default and use_iam_endpoint is False. """ cred = self._make_copy() - if cred._universe_domain != _DEFAULT_UNIVERSE_DOMAIN and not use_iam_endpoint: + if ( + cred._universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN + and not use_iam_endpoint + ): raise exceptions.InvalidValue( "use_iam_endpoint should be True for non-default universe domain" ) diff --git a/contrib/python/google-auth/py3/tests/compute_engine/test__metadata.py b/contrib/python/google-auth/py3/tests/compute_engine/test__metadata.py index 5e037a940b..35e3c089f9 100644 --- a/contrib/python/google-auth/py3/tests/compute_engine/test__metadata.py +++ b/contrib/python/google-auth/py3/tests/compute_engine/test__metadata.py 
@@ -400,6 +400,19 @@ def test_get_universe_domain_success(): assert universe_domain == "fake_universe_domain" +def test_get_universe_domain_success_empty_response(): + request = make_request("", headers={"content-type": "text/plain"}) + + universe_domain = _metadata.get_universe_domain(request) + + request.assert_called_once_with( + method="GET", + url=_metadata._METADATA_ROOT + "universe/universe_domain", + headers=_metadata._METADATA_HEADERS, + ) + assert universe_domain == "googleapis.com" + + def test_get_universe_domain_not_found(): # Test that if the universe domain endpoint returns 404 error, we should # use googleapis.com as the universe domain diff --git a/contrib/python/google-auth/py3/tests/compute_engine/test_credentials.py b/contrib/python/google-auth/py3/tests/compute_engine/test_credentials.py index f04bb1304a..9cca317924 100644 --- a/contrib/python/google-auth/py3/tests/compute_engine/test_credentials.py +++ b/contrib/python/google-auth/py3/tests/compute_engine/test_credentials.py @@ -257,16 +257,12 @@ class TestCredentials(object): assert self.credentials.universe_domain == "fake_universe_domain" assert self.credentials._universe_domain == "fake_universe_domain" assert self.credentials._universe_domain_cached - get_universe_domain.assert_called_once_with( - self.credentials._universe_domain_request - ) + get_universe_domain.assert_called_once() # calling the universe_domain property the second time should use the # cached value instead of calling get_universe_domain assert self.credentials.universe_domain == "fake_universe_domain" - get_universe_domain.assert_called_once_with( - self.credentials._universe_domain_request - ) + get_universe_domain.assert_called_once() @mock.patch("google.auth.compute_engine._metadata.get_universe_domain") def test_user_provided_universe_domain(self, get_universe_domain): 
diff --git a/contrib/python/google-auth/py3/tests/oauth2/test_service_account.py b/contrib/python/google-auth/py3/tests/oauth2/test_service_account.py index 8dd5f219be..ce0c72fa0a 100644 --- a/contrib/python/google-auth/py3/tests/oauth2/test_service_account.py +++ b/contrib/python/google-auth/py3/tests/oauth2/test_service_account.py @@ -24,6 +24,7 @@ from google.auth import crypt from google.auth import exceptions from google.auth import jwt from google.auth import transport +from google.auth.credentials import DEFAULT_UNIVERSE_DOMAIN from google.oauth2 import service_account @@ -59,7 +60,7 @@ class TestCredentials(object): TOKEN_URI = "https://example.com/oauth2/token" @classmethod - def make_credentials(cls, universe_domain=service_account._DEFAULT_UNIVERSE_DOMAIN): + def make_credentials(cls, universe_domain=DEFAULT_UNIVERSE_DOMAIN): return service_account.Credentials( SIGNER, cls.SERVICE_ACCOUNT_EMAIL, @@ -71,7 +72,7 @@ class TestCredentials(object): credentials = service_account.Credentials( SIGNER, self.SERVICE_ACCOUNT_EMAIL, self.TOKEN_URI, universe_domain=None ) - assert credentials.universe_domain == service_account._DEFAULT_UNIVERSE_DOMAIN + assert credentials.universe_domain == DEFAULT_UNIVERSE_DOMAIN def test_from_service_account_info(self): credentials = service_account.Credentials.from_service_account_info( @@ -81,7 +82,7 @@ class TestCredentials(object): assert credentials._signer.key_id == SERVICE_ACCOUNT_INFO["private_key_id"] assert credentials.service_account_email == SERVICE_ACCOUNT_INFO["client_email"] assert credentials._token_uri == SERVICE_ACCOUNT_INFO["token_uri"] - assert credentials._universe_domain == service_account._DEFAULT_UNIVERSE_DOMAIN + assert credentials._universe_domain == DEFAULT_UNIVERSE_DOMAIN assert not credentials._always_use_jwt_access def test_from_service_account_info_non_gdu(self): 
@@ -596,7 +597,7 @@ class TestIDTokenCredentials(object): TARGET_AUDIENCE = "https://example.com" @classmethod - def make_credentials(cls, universe_domain=service_account._DEFAULT_UNIVERSE_DOMAIN): + def make_credentials(cls, universe_domain=DEFAULT_UNIVERSE_DOMAIN): return service_account.IDTokenCredentials( SIGNER, cls.SERVICE_ACCOUNT_EMAIL, @@ -613,7 +614,7 @@ class TestIDTokenCredentials(object): self.TARGET_AUDIENCE, universe_domain=None, ) - assert credentials._universe_domain == service_account._DEFAULT_UNIVERSE_DOMAIN + assert credentials._universe_domain == DEFAULT_UNIVERSE_DOMAIN def test_from_service_account_info(self): credentials = service_account.IDTokenCredentials.from_service_account_info( diff --git a/contrib/python/google-auth/py3/tests/test_aws.py b/contrib/python/google-auth/py3/tests/test_aws.py index db2e984100..3f358d52b0 100644 --- a/contrib/python/google-auth/py3/tests/test_aws.py +++ b/contrib/python/google-auth/py3/tests/test_aws.py @@ -26,7 +26,7 @@ from google.auth import aws from google.auth import environment_vars from google.auth import exceptions from google.auth import transport - +from google.auth.credentials import DEFAULT_UNIVERSE_DOMAIN IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/imp" @@ -75,7 +75,6 @@ REQUEST_PARAMS = '{"KeySchema":[{"KeyType":"HASH","AttributeName":"Id"}],"TableN # Each tuple contains the following entries: # region, time, credentials, original_request, signed_request -DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" VALID_TOKEN_URLS = [ "https://sts.googleapis.com", "https://us-east-1.sts.googleapis.com", diff --git a/contrib/python/google-auth/py3/tests/test_downscoped.py b/contrib/python/google-auth/py3/tests/test_downscoped.py index 8cc2a30d16..fe6e291c75 100644 --- a/contrib/python/google-auth/py3/tests/test_downscoped.py +++ b/contrib/python/google-auth/py3/tests/test_downscoped.py 
@@ -25,6 +25,7 @@ from google.auth import credentials from google.auth import downscoped from google.auth import exceptions from google.auth import transport +from google.auth.credentials import DEFAULT_UNIVERSE_DOMAIN from google.auth.credentials import TokenState @@ -447,7 +448,11 @@ class TestCredentialAccessBoundary(object): class TestCredentials(object): @staticmethod - def make_credentials(source_credentials=SourceCredentials(), quota_project_id=None): + def make_credentials( + source_credentials=SourceCredentials(), + quota_project_id=None, + universe_domain=None, + ): availability_condition = make_availability_condition( EXPRESSION, TITLE, DESCRIPTION ) @@ -458,7 +463,10 @@ class TestCredentials(object): credential_access_boundary = make_credential_access_boundary(rules) return downscoped.Credentials( - source_credentials, credential_access_boundary, quota_project_id + source_credentials, + credential_access_boundary, + quota_project_id, + universe_domain, ) @staticmethod @@ -473,10 +481,12 @@ class TestCredentials(object): return request @staticmethod - def assert_request_kwargs(request_kwargs, headers, request_data): + def assert_request_kwargs( + request_kwargs, headers, request_data, token_endpoint=TOKEN_EXCHANGE_ENDPOINT + ): """Asserts the request was called with the expected parameters. """ - assert request_kwargs["url"] == TOKEN_EXCHANGE_ENDPOINT + assert request_kwargs["url"] == token_endpoint assert request_kwargs["method"] == "POST" assert request_kwargs["headers"] == headers assert request_kwargs["body"] is not None 
@@ -496,6 +506,33 @@ class TestCredentials(object): assert not credentials.expired # No quota project ID set. assert not credentials.quota_project_id + assert credentials.universe_domain == DEFAULT_UNIVERSE_DOMAIN + + def test_default_state_with_explicit_none_value(self): + credentials = self.make_credentials(universe_domain=None) + + # No token acquired yet. + assert not credentials.token + assert not credentials.valid + # Expiration hasn't been set yet. + assert not credentials.expiry + assert not credentials.expired + # No quota project ID set. + assert not credentials.quota_project_id + assert credentials.universe_domain == DEFAULT_UNIVERSE_DOMAIN + + def test_create_with_customized_universe_domain(self): + test_universe_domain = "foo.com" + credentials = self.make_credentials(universe_domain=test_universe_domain) + # No token acquired yet. + assert not credentials.token + assert not credentials.valid + # Expiration hasn't been set yet. + assert not credentials.expiry + assert not credentials.expired + # No quota project ID set. + assert not credentials.quota_project_id + assert credentials.universe_domain == test_universe_domain def test_with_quota_project(self): credentials = self.make_credentials() 
@@ -507,6 +544,49 @@ class TestCredentials(object): assert quota_project_creds.quota_project_id == "project-foo" @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) + def test_refresh_on_custom_universe(self, unused_utcnow): + test_universe_domain = "foo.com" + response = SUCCESS_RESPONSE.copy() + # Test custom expiration to confirm expiry is set correctly. + response["expires_in"] = 2800 + expected_expiry = datetime.datetime.min + datetime.timedelta( + seconds=response["expires_in"] + ) + headers = {"Content-Type": "application/x-www-form-urlencoded"} + request_data = { + "grant_type": GRANT_TYPE, + "subject_token": "ACCESS_TOKEN_1", + "subject_token_type": SUBJECT_TOKEN_TYPE, + "requested_token_type": REQUESTED_TOKEN_TYPE, + "options": urllib.parse.quote(json.dumps(CREDENTIAL_ACCESS_BOUNDARY_JSON)), + } + request = self.make_mock_request(status=http_client.OK, data=response) + source_credentials = SourceCredentials() + credentials = self.make_credentials( + source_credentials=source_credentials, universe_domain=test_universe_domain + ) + token_exchange_endpoint = downscoped._STS_TOKEN_URL_PATTERN.format( + test_universe_domain + ) + + # Spy on calls to source credentials refresh to confirm the expected request + # instance is used. + with mock.patch.object( + source_credentials, "refresh", wraps=source_credentials.refresh + ) as wrapped_souce_cred_refresh: + credentials.refresh(request) + + self.assert_request_kwargs( + request.call_args[1], headers, request_data, token_exchange_endpoint + ) + assert credentials.valid + assert credentials.expiry == expected_expiry + assert not credentials.expired + assert credentials.token == response["access_token"] + # Confirm source credentials called with the same request instance. 
+ wrapped_souce_cred_refresh.assert_called_with(request) + + @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min) def test_refresh(self, unused_utcnow): response = SUCCESS_RESPONSE.copy() # Test custom expiration to confirm expiry is set correctly. diff --git a/contrib/python/google-auth/py3/tests/test_external_account.py b/contrib/python/google-auth/py3/tests/test_external_account.py index 7f33b1dfa2..03a5014ce5 100644 --- a/contrib/python/google-auth/py3/tests/test_external_account.py +++ b/contrib/python/google-auth/py3/tests/test_external_account.py @@ -24,9 +24,9 @@ from google.auth import _helpers from google.auth import exceptions from google.auth import external_account from google.auth import transport +from google.auth.credentials import DEFAULT_UNIVERSE_DOMAIN from google.auth.credentials import TokenState - IMPERSONATE_ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE = ( "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/imp" ) @@ -150,7 +150,7 @@ class TestCredentials(object): default_scopes=None, service_account_impersonation_url=None, service_account_impersonation_options={}, - universe_domain=external_account._DEFAULT_UNIVERSE_DOMAIN, + universe_domain=DEFAULT_UNIVERSE_DOMAIN, ): return CredentialsImpl( audience=cls.AUDIENCE, @@ -386,7 +386,7 @@ class TestCredentials(object): quota_project_id=self.QUOTA_PROJECT_ID, scopes=["email"], default_scopes=["default2"], - universe_domain=external_account._DEFAULT_UNIVERSE_DOMAIN, + universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) def test_with_token_uri(self): @@ -474,7 +474,7 @@ class TestCredentials(object): quota_project_id="project-foo", scopes=self.SCOPES, default_scopes=["default1"], - universe_domain=external_account._DEFAULT_UNIVERSE_DOMAIN, + universe_domain=DEFAULT_UNIVERSE_DOMAIN, ) def test_with_invalid_impersonation_target_principal(self): 
@@ -504,7 +504,7 @@ class TestCredentials(object): assert credentials.universe_domain == "dummy_universe.com" credentials = self.make_credentials() - assert credentials.universe_domain == external_account._DEFAULT_UNIVERSE_DOMAIN + assert credentials.universe_domain == DEFAULT_UNIVERSE_DOMAIN def test_with_universe_domain(self): credentials = self.make_credentials() @@ -523,7 +523,7 @@ class TestCredentials(object): "token_url": self.TOKEN_URL, "credential_source": self.CREDENTIAL_SOURCE.copy(), "workforce_pool_user_project": self.WORKFORCE_POOL_USER_PROJECT, - "universe_domain": external_account._DEFAULT_UNIVERSE_DOMAIN, + "universe_domain": DEFAULT_UNIVERSE_DOMAIN, } def test_info_with_full_options(self): @@ -548,7 +548,7 @@ class TestCredentials(object): "quota_project_id": self.QUOTA_PROJECT_ID, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, - "universe_domain": external_account._DEFAULT_UNIVERSE_DOMAIN, + "universe_domain": DEFAULT_UNIVERSE_DOMAIN, } def test_service_account_email_without_impersonation(self): diff --git a/contrib/python/google-auth/py3/tests/test_external_account_authorized_user.py b/contrib/python/google-auth/py3/tests/test_external_account_authorized_user.py index 7213a23486..743ee9c848 100644 --- a/contrib/python/google-auth/py3/tests/test_external_account_authorized_user.py +++ b/contrib/python/google-auth/py3/tests/test_external_account_authorized_user.py @@ -22,6 +22,7 @@ import pytest # type: ignore from google.auth import exceptions from google.auth import external_account_authorized_user from google.auth import transport +from google.auth.credentials import DEFAULT_UNIVERSE_DOMAIN TOKEN_URL = "https://sts.googleapis.com/v1/token" TOKEN_INFO_URL = "https://sts.googleapis.com/v1/introspect" 
@@ -45,7 +46,6 @@ BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ=" SCOPES = ["email", "profile"] NOW = datetime.datetime(1990, 8, 27, 6, 54, 30) FAKE_UNIVERSE_DOMAIN = "fake-universe-domain" -DEFAULT_UNIVERSE_DOMAIN = external_account_authorized_user._DEFAULT_UNIVERSE_DOMAIN class TestCredentials(object): diff --git a/contrib/python/google-auth/py3/tests/test_identity_pool.py b/contrib/python/google-auth/py3/tests/test_identity_pool.py index 2d10a5d268..96be1d61c2 100644 --- a/contrib/python/google-auth/py3/tests/test_identity_pool.py +++ b/contrib/python/google-auth/py3/tests/test_identity_pool.py @@ -26,7 +26,7 @@ from google.auth import exceptions from google.auth import identity_pool from google.auth import metrics from google.auth import transport - +from google.auth.credentials import DEFAULT_UNIVERSE_DOMAIN CLIENT_ID = "username" CLIENT_SECRET = "password" @@ -68,8 +68,6 @@ WORKFORCE_AUDIENCE = ( WORKFORCE_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token" WORKFORCE_POOL_USER_PROJECT = "WORKFORCE_POOL_USER_PROJECT_NUMBER" -DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" - VALID_TOKEN_URLS = [ "https://sts.googleapis.com", "https://us-east-1.sts.googleapis.com", diff --git a/contrib/python/google-auth/py3/tests/test_pluggable.py b/contrib/python/google-auth/py3/tests/test_pluggable.py index 783bbcaec0..24cd0e2ec9 100644 --- a/contrib/python/google-auth/py3/tests/test_pluggable.py +++ b/contrib/python/google-auth/py3/tests/test_pluggable.py @@ -21,6 +21,7 @@ import pytest # type: ignore from google.auth import exceptions from google.auth import pluggable +from google.auth.credentials import DEFAULT_UNIVERSE_DOMAIN from .test__default import WORKFORCE_AUDIENCE CLIENT_ID = "username" 
@@ -45,7 +46,6 @@ TOKEN_URL = "https://sts.googleapis.com/v1/token" TOKEN_INFO_URL = "https://sts.googleapis.com/v1/introspect" SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt" AUDIENCE = "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID" -DEFAULT_UNIVERSE_DOMAIN = "googleapis.com" VALID_TOKEN_URLS = [ "https://sts.googleapis.com", diff --git a/contrib/python/google-auth/py3/ya.make b/contrib/python/google-auth/py3/ya.make index 5ece69bc98..7863862fdc 100644 --- a/contrib/python/google-auth/py3/ya.make +++ b/contrib/python/google-auth/py3/ya.make @@ -2,7 +2,7 @@ PY3_LIBRARY() -VERSION(2.27.0) +VERSION(2.28.0) LICENSE(Apache-2.0) |