From 82e224b0854950a5607cd028edbcbcdc3e9e6505 Mon Sep 17 00:00:00 2001 From: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com> Date: Fri, 13 Mar 2020 13:21:18 -0700 Subject: [PATCH] fix: only add IAM scope to credentials that can change scopes (#451) --- CONTRIBUTING.rst | 50 +++++++-- google/auth/impersonated_credentials.py | 6 +- system_tests/conftest.py | 9 ++ system_tests/noxfile.py | 10 +- system_tests/secrets.tar.enc | Bin 10323 -> 10323 bytes system_tests/test_impersonated_credentials.py | 99 ++++++++++++++++++ tests/test_impersonated_credentials.py | 18 +++- 7 files changed, 179 insertions(+), 13 deletions(-) create mode 100644 system_tests/test_impersonated_credentials.py diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index f95b1f1dc..bd92ca8d4 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -43,21 +43,27 @@ To run a single session, specify it with ``nox -s``:: $ nox -f system_tests/noxfile.py -s service_account + +Project and Credentials Setup +------------------------------- + +Enable the IAM Service Account Credentials API on the project. + To run system tests locally, you will need to set up a data directory :: $ mkdir system_tests/data -Add a service account file and authorized user file to the data directory. -Your directory should look like this :: +Your directory should look like this. Follow the instructions below for creating each file. :: system_tests/ data/ - service_account.json authorized_user.json + impersonated_service_account.json + service_account.json -The files must be named exactly ``service_account.json`` -and ``authorized_user.json``. See `Creating and Managing Service Account Keys`_ for how to -obtain a service account. + +``authorized_user.json`` +~~~~~~~~~~~~~~~~~~~~~~~~ Use the `gcloud CLI`_ to get an authorized user file :: 
@@ -65,15 +71,41 @@ Use the `gcloud CLI`_ to get an authorized user file :: You will see something like:: - Credentials saved to file: [/usr/local/home/.config/gcloud/application_default_credentials.json]``` + Credentials saved to file: [/usr/local/home/.config/gcloud/application_default_credentials.json] Copy the contents of the file to ``authorized_user.json``. -.. _Creating and Managing Service Account Keys: https://cloud.google.com/iam/docs/creating-managing-service-account-keys +Open the IAM page of the Google Cloud Console. Grant the user the `Service Account Token Creator Role`. +This will allow the user to impersonate service accounts on the project. + .. _gcloud CLI: https://cloud.google.com/sdk/gcloud/ + +``service_account.json`` +~~~~~~~~~~~~~~~~~~~~~~~~ + +Follow `Creating and Managing Service Account Keys`_ to create a service account. + +Copy the credentials file to ``service_account.json``. + +Grant the account associated with ``service_account.json`` the following roles. + +- App Engine Admin (for App Engine tests) +- Service Account Token Creator (for impersonated credentials tests) +- Pub/Sub Viewer (for gRPC tests) +- Storage Object Viewer (for impersonated credentials tests) + +``impersonated_service_account.json`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Follow `Creating and Managing Service Account Keys`_ to create a service account. + +Copy the credentials file to ``impersonated_service_account.json``. + +.. _Creating and Managing Service Account Keys: https://cloud.google.com/iam/docs/creating-managing-service-account-keys + App Engine System Tests -^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~ To run the App Engine tests, you wil need to deploy a default App Engine service. If you already have a default service associated with your project, you can skip this step. diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py index bc7031e78..1bb6b8268 100644 
--- a/google/auth/impersonated_credentials.py +++ b/google/auth/impersonated_credentials.py @@ -205,7 +205,11 @@ def __init__( super(Credentials, self).__init__() self._source_credentials = copy.copy(source_credentials) - self._source_credentials._scopes = _IAM_SCOPE + # Service account source credentials must have the _IAM_SCOPE + # added to refresh correctly. User credentials cannot have + # their original scopes modified. + if isinstance(self._source_credentials, credentials.Scoped): + self._source_credentials = self._source_credentials.with_scopes(_IAM_SCOPE) self._target_principal = target_principal self._target_scopes = target_scopes self._delegates = delegates diff --git a/system_tests/conftest.py b/system_tests/conftest.py index 189300707..02de84664 100644 --- a/system_tests/conftest.py +++ b/system_tests/conftest.py @@ -25,6 +25,9 @@ HERE = os.path.dirname(__file__) DATA_DIR = os.path.join(HERE, "data") +IMPERSONATED_SERVICE_ACCOUNT_FILE = os.path.join( + DATA_DIR, "impersonated_service_account.json" +) SERVICE_ACCOUNT_FILE = os.path.join(DATA_DIR, "service_account.json") AUTHORIZED_USER_FILE = os.path.join(DATA_DIR, "authorized_user.json") URLLIB3_HTTP = urllib3.PoolManager(retries=False) @@ -39,6 +42,12 @@ def service_account_file(): yield SERVICE_ACCOUNT_FILE +@pytest.fixture +def impersonated_service_account_file(): + """The full path to a valid service account key file.""" + yield IMPERSONATED_SERVICE_ACCOUNT_FILE + + @pytest.fixture def authorized_user_file(): """The full path to a valid authorized user file.""" diff --git a/system_tests/noxfile.py b/system_tests/noxfile.py index e37049e52..811063223 100644 --- a/system_tests/noxfile.py +++ b/system_tests/noxfile.py 
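Review bot: The new comment says the IAM scope is "added", but `with_scopes(_IAM_SCOPE)` is called with that scope alone, so a Scoped source presumably ends up with `_IAM_SCOPE` in place of its earlier scopes. A source that is not `credentials.Scoped` is now used exactly as the caller supplied it, with no check that it can call the IAM Credentials API, so a missing scope on a user credential will only show up as a failed refresh. I would word the comment as `# Scoped sources are replaced by a copy limited to _IAM_SCOPE; any other source is used unchanged and must already carry a scope the IAM Credentials API accepts.` and state the same requirement in the constructor docstring where `source_credentials` is described. `__init__` starts and ends outside this hunk, so its docstring and the `credentials` import are not visible here.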
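Review bot: The docstring of the new `impersonated_service_account_file` fixture is a copy of the one on `service_account_file`, so the fixtures alone do not say which key file plays which role. Suggest `"""The full path to the key file of the service account that the tests impersonate."""`. In the system test added by this commit, that file is read only for its `service_account_email`.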
@@ -170,7 +170,8 @@ def configure_cloud_sdk(session, application_default_credentials, project=False) # Test sesssions TEST_DEPENDENCIES = ["pytest", "requests"] -PYTHON_VERSIONS=['2.7', '3.7'] +PYTHON_VERSIONS = ["2.7", "3.7"] + @nox.session(python=PYTHON_VERSIONS) def service_account(session): @@ -186,6 +187,13 @@ def oauth2_credentials(session): session.run("pytest", "test_oauth2_credentials.py") +@nox.session(python=PYTHON_VERSIONS) +def impersonated_credentials(session): + session.install(*TEST_DEPENDENCIES) + session.install(LIBRARY_DIR) + session.run("pytest", "test_impersonated_credentials.py") + + @nox.session(python=PYTHON_VERSIONS) def default_explicit_service_account(session): session.env[EXPLICIT_CREDENTIALS_ENV] = SERVICE_ACCOUNT_FILE 
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index 1106f8a9154dada1eda23da37373f78eeb683bd9..af10c7134ad07e3e574392426671a0c48628a658 100644 GIT binary patch literal 10323 zcmV-ZD6H2CBmnkJRTHTs>+yI_6A{wVKLSu2=5A9`nrVcC!0&}dr)MI>W)iAU0DHWi zlbN?uKtt`47F47o!v82r{^xEn?`VZjmW&G-AmGb6DBh{DHjK9m<%pH+&MuZxP)=$x zHvAy~Ei;vwshvwVF<9>|+C^=~p`t$VSb?HD6xYPYcmt$CIEQVEroXGOlf%Why^ShI zrL3XYV;+X>f;UhDx$pYRCB32RSu>Kh8#rMUf$hOO_E8^AwbVTtf|6-Xfo7C2SwEaC zZl(TNfzLHaq{o5}_dSAyGOLj8Z;)5a|258AKKr52eo8f`=BgFd3KI&*NVkHH95CT?(&kSyb538 zZ`Nn9p0O8*b}pX#T5#-O;|e=KB7HTzH%e4Qo|Xk)(Q(i?Z_e0yk<#+aCj$^DA*5$c zSl>#&@%e|zq%S%P)Ce1~!REUR@o!=gTrO8_SX5`{KmmaL5a;0Hd)b5Ma z7OO0mH&X?_Fj%ut&L{Ej@0S=Ao{OukHL*t;mmI_p&M)em-`1L9&EJX1e38jtg?QAF zVD!{P_f{_gyo-*q;@iNGCP-?nW4cQ{XD%f6%Ox}Ym{Ur`=;p4N*SUg7Fvd0*pEDT& z3!IM)doU({Dju7~SJ;-vKi!*Saw=JTl~tBu`~1S8d^vR%Ukg*0XwwlmoCApK@ulq^ zx{!k?RDA_mMC&g2GcXI{ED;9S>plF+AFqM0-cSM0+o`WAILBQhtwEgecVmfwZYhyt-V7@~TnW?MrS*o+#sy zLZL%?krD_GVlz&^jhmJ0OI_&&yYzGOn5j ztzRO7BrN&Ob@(hiG6^5o@_vPi_m0A6bfNX2a3~T3W@3FlKgO^(Ua<{JbPP&G+mjV9 zz<<>#RfctU0$iM%!#lf(s&kP6)j^YN6^#F4NHV5XSHq+LG6y6r~Sd|YPX=x#jQEqkQ8v%D|e^+8awMb+d zRLP1qdll#b6oft&w9uKC*Tnf~v$gNPteR=)tcdoOwBecz>05#;6`T(vNT_ElUaPcI zmXnV%nmHW?Ky&4${m4>oZ)kP_J5z3Ffnk{N+W!P1Sp4exE#8hBX?15pd0f&SYjdKS zELD@$Lw$z}k-i4W++WewZ5X{Ce!K!RxdZDFg%^n(!R&?-&K`>>+Ux+mbFw+vUXI3G zh1m9GXXBXpE)F5cQN$FmfM1B!0$#bm^URW&oxFe2t;cN{vsaJNqqHhYO42~MI`0%^ z;LvhDsUe*k9$lpV(2>t=^D9Mjhoqua;84^5qcD&=>M~FMK$+qAnS%s_8aW8h)w?WO zNISC|yHJ5Rx-dSJ=&N{XkaI`b7EQbT@B_6!V@Yp^Z%lVG9hU>~(cb<}oP; zOHb8&R&Z5Y?~P0zG^@VojfJFw5@T9U;ejPXVi!L0PtT5{NZU?p@|V<%S71kAY`|2z zG0(QCX(^tQ&L4oLcOLeIVZ{=z7fX94;%;H-vX1(PNZIn{T9cx;$u?OdcU(Q=&E54~ zv9Cf`K^(_Fdh7f@UrZoXNWD|~E7M!-GXW|{ii@`*;c z5kiQz!sVNBZrE?~P+n|jZ1{I3Jb+HVV+LxKvi8zus}-=wSaTwdW~|e?4sv!7Am(4+ zGM#B{nS=X|BE$~m_<*1PTnALzW&Y zcEeqBiPtMIuc^QNs_9XPcB#}r3gHy#Wx+&JZj`2JHhZFQ-eC-^d5%#fqAHFVc2|&6o@1Yv|4|677kj6xoCNocRYi^jm1%D zb`h%i<~*fnOUWbQ6( z;Q>$=QBxKTJpsg1Jm-BAhLy&fsl91)M?D?3YS7Hs85HCMZ<)#hlr^61bAT->+L2wt 
z;9`!KF1urfeDA*cp@zXy3{=xVX1BP0bu%1B12&;#oVCLIXOu)x6GcNFDI=2j13C>S zX)6~D#3#*C$=DL5q;L0pZ$V^W-EsVXtp}jqMjSv?It$#M&c{4_8TW7sR$$ihTVcZbqi@3+7OU?v|QGp(Z42Y$zx zGXuFRmOE9fY}g}sA=iVFXx$?RS@e_Jogms51LZKR3^RT4n_b8rZGHjy-~Q)9t@-l7 zv_qyCryTGsLwkMRUDt8X`5z_2Tt0l|`~YucxP%PK?@uUN-{`pen=&~=rCeHP`vG%^ znh>S+;d_|uzs%r^bp!k440}VkeR3!TM%)X+=1@4sM>z3!uN%KV?AOo@SPkEnyY{oncwdxXK znS3~m56ga_EgfJq550k~s~u35R}Uv|qmr(rkZ*I#MpqrZJ7X=!W)~CWH#8W0{F-?% zQl>aj>P!t2=wgu=tMgd(gaHtP6*$^P&$cp8V9FFJb!ddL2V|;pf2pkb@_xb$^kVIx zBRi&8fG>ehOzoWMG&MJ?sKe5NVYl&3fmDXS$srk3slWDgHqwk_|7lxbdSiY)#p#`L z5AGl=pG3z7+Z-j6v-mkcNEdWyUs{abImy3UmiH@K5>pZ6autVl{s+a4^1s+4kdrO z_v=1Nl{U*u7Xnpof0*mq!^96;qg}`c+ z@2mkvfQNJ(7}2Gc3uZ3mmX`eUsNT}peOnDz+1hd7vq&4xMq^FIXF^{Os9b9sz>J*@ zKpy>UP(6sT8>MJloY0?!9?1Rzd%Egxut{Fc*Ty}s{DinyH-T{SiNpY6Bv*4Op0sKq zdOlNmqi)QD<*@LBM&Fh!8`Bb@I9euaVP4w?#i4JNKsZ&64$)6|Zw}UHSnCasFA7=~ zESWdw=cZ(gMVB{2N!+NQ4{^Ax@Htawok=``HzU3{(l^pITQHT581V24u~w#(uAO1= ze{(T@E%NYuZ_5X1Rz*QoVP-T+R5Cn*iQt!`3@knM&;R^3GeN~5=7bYx#0%rd-G$^R zG{cxkrs*0(9f0J#KwOpCKK34f^Dpj&ad%rzmx2_2R8)kyb&Ri{WP=O^#BoCo~l(Zlrdcs%S_#jQUB(@}`Zq(LGj%G9yg=4a4nJ|6$@Ryp|yQ z51Nq9F6LsigO3kVB|6<9)GfoLu)__-{uXYc)v-QwfuE#&yU15Z(fJm-qKJ_$d8H$l zy_8q$;Ol*qx4a;fKAG&4FU&=ot*sJ{$9m*V46~;;&t@w0Uk;CyA&UwBpN~izpnP4m%UdCA z62fy55`~nruAPUB+nl?4ZcmS-oz*E`;XRHh?B&W*}g#70QqL z5%;p-DVHUg)4^+JgEw;&ojd47lj_Jzz-R{*vgMedcASYxN#Bxh zDl71;ru$ziAwf1EdP8#s2IW%@`J7$XdF#zKd;2(pf#U2cxy|OxbXL8A6-=rz4uBzl z6ah5B6(pXIn9f$rK0e6B=%Z8@k`uIF+~56`gc2Xl<9XX#YZYPEkkLd7$ET9>KQ>DY zn}$NL?9uzq$RdYF4-QP?J7;v;y&`*xtY=yQIhUq@-HP^8(sEI?KvRLvO;K2b}@ z)Fr=6sR|XAA@h2VEFcR0NB2;vd;GO|b+5K=VF{C~0&Ijx_!fjL3d8x_uvh3GI&W{v z#;}@JuH)4BCQ`(r=orIajn9Sa*c#=KPe<45GkLayIZ`P_HWL`ZcEP0kiQ=gb`B=OA zFcswuDyD0QRc60p5;WlFbaYmZkcX~-@vch(e~Z=v|D^q%%q@9-HI)Qv@UOIzkD1=LJlqw&jwvR; zQl-xwVm~2vwTcqZFOyvX4%>8zvG0^A$${84c~s~&$(txG!^2c98;CE|FxC6H7!FDO zxSru`LbgErAqt`Gr0~l`%c%8QHalQovwoPx-ajoT98?@soy4iv6t$sj{;wTrQM)>0|9|tdma-^#8WqXThlyE4K1p@?NU9RS~zJwF4$%P^?&& z@&z)$NQXi@P$ 
zPA0a@+_ZJ;??W#l4P^ph1il{rMBib?GgshrBwshUa|Krm(b>6Vu!SigJfB{Ar)PiJ zL1};+i;ojFwT@5nHMcd-vENKyj&66x)i1Z+kuHHKAPvHo&D5cJ_*t8FP!!Dzz zFhTxWh;xUH(Tpuzfk0rtE=c?y+Ts2-TjR5+WJJ`1)Az!ET@C(8$;-vKe*5LtY|4Kq z?0hz)1JO!`bVwkIY+ez^iy<8(60&}2fPDApU8aymxvbZ{7-u0AZcEHUkaNolvyJUX zyS3G4*>Mer+@Xg3ZPXN;r~51e=iPk5)pnS_!DnU9Pk6$ACY9{Qt{&Nai1aHR|NP>N zgCFeNf1rdZmk8#KKoI(xz~3|G=uB$y&}mLdqY+FR0g-%WacBERwzxqptVpn54XmzW zYmrxC=HPAaJbLoC^R|PwnFx4>>9DDIrW=`W%|vp_R>4U&3xI}!f{A=mJh$jgdQBw+ z98O4vx=gizvj~)V#^0#{rRu4pkkuhUro*dQvmAoA3c2pmp5kjU-*1oN$X}4Ug#x^ z98d5`OsrNWE92f3Gar>X@(>4q6PbsPH?wxnI%TT7JwqlcbKUwPdtxu+$=!+3YMBKI z!+h5(t?|;P6W%2d z8$cdM+?U9WVn`c%`V_?Tsg$6jjrTEP89-}Dnu20WGNyXXGX~dyZx{L|WhJ85mO9Yg z9wj|Zj$b8jk6V1^`z=DKGd1y|55;KX7uBz-Z{pMJGQm*he2K#zrfDRk7S112Rlw$@ zXOqyr2J7O0Ia_d>7MypnIdVsv0hsVJZn#?*p+fhd9=J9ifR|u7bs=6sUUmSwf|YE$EGGd`Rg)gq7S{b;tsz9`5FT?c9O<&n%p^L;VNMI*>ecS~un3Q_r7_fi|I3 z(?2IX_{di1^PpHv#AS4vf?=g3z*?W|MX={11>k*@$ST}C`u7vG<^LN`Qje3 zgR`ri9U)a+aC{g2N?ZV+d1c|Qg+AlQI=-#q_`vO0{MpUj_NTq4arm(dzSsHff+zq* zCPcei(>GYzV7AvgKh{{oH6NcMc!Er{pSh_zSAUY{`Kx^#Y)W4dH_rj&FPBMEd_;Ve}ZP5M`mF^*|1j#j?5Pq z`ICgLw*I5hdzA1R0}9o*alslMw-yMqcmQ3#Epxwo>3aSY8ltrfEK65{N{Wdl>9TFG z$!#Gw8t^c$m2aIWn`d#qF~9uuQy4zP3lAU`1{?*YrH@q_WYjX6hMtV9x-xK72$ma|iP2{+bW3NxPVeKGq9Jl3U9s zaFq)%wx5$-;~F!yqmL*Gb%0Ae!R6%-WF+Bzxt;=Y{S8cdloBG}d;LgO-F=gS2n}r( zV7`AF^Z143q%l@h=Esv62Vy-{kEl~5JbSJg>H+YBXYM%Wjl%MB`Qzukk;E@pd#v#q zMA5j!?kk{eR6`;PDue=xa?S(e=|2ZO3}4-T%Y^^o#UoVSVw0zCdM+%JgAHx3n)6Cr zl(c5ui5+VNK+u4~;6hmC+Zb(7-4&Axty!y!97(*I0y_wMG7gFLS8fp5Id8%!CInnUo@FY{M*5U>+1huR!Vt!OVjgZMT76>KJZ5RoE82+%ZnN}^>&+q(D>&c+y&h)2{Lyf>9N!a0R} zC11M>d={!AGB3J8`1+%*l{%P}#)O;3BkE39`)PA7j^6!Gj8(6R%Iin)USI^94DTd- zENim#0sfB6H`DB}8C&M~SNJ4My#Dj;C}e{jow2EYn_k>?SU&f3AG`9DV9NWjKGyz{ zNa1}Jl164C&?4e=H`i;HW-~z5Rz9m3$X%|EcT@iMLD-Gj|v)FOb!DfR?qc6QPjuw zvzfnwFYr4a|L2>z%tkt*9F}J!9-{(}tb2`TsGAF2qk5f51v*tktPr0sKQ{dhFs_px z7z>f|;(gD^(CFuU)6mzRjMfwOIDI`pa!|crm+di{<9jE7FM^E00e_Y{+0?vcPp<)| zTee6MIGj#NmZ$2!G@?8J^s`0@Lk$UC6ue_oRaUWz-3sn3p(G(}FY5v=xcnx7k&hYc 
zIFx>O6h>!<<`d(wdfqOzHEBu^@b7_QLF(a_dXynFEh%L6n*jur@>Z*Dh zUCdJ1XT1~kzX^@inqzXt`^~=dwWpR1cZa2m-CSb>+x2=AJM6-zHlZ;$E;nbk%*cV` zrFbWU-4a3cz1(+lpq>R&g}~Z>+V2+YRjE(wCgI@U#jo7VTebcF0}c0MeT(Nb8Q7V2rB7+!SYmDkyf9)ZAK&$a1$i2sC2RR0tyJ02e0 zr9a&=Ta-PSDf}v$(HWX+SuFvCG6NXqKpt-AKc0yg@3?cg;yCLTX&)bCtG0{WQCGT3ay zo6vleoejSqeql&lQ=mQH>1i5AGYB2hN-{=Y|GNv!3U_C|aceFt{stC$KzMQ8FzP-Rv<8m+vrQ z7>&kZXP<_SPHSn>y0$pzOATj24GjWqajGA2Os+~u&Hl~@lbA*{4DzG z9fF(5%fBaEMqHCLWgt-gb7j(K1)ek27vU?(8 zs$}MjaM8`aBvwyDg|MCY?PLL)dB%Nv6wp`mTCZC4+7902S_aDs+1k4BzDd4qM3pK# z?g1Y}BCT9-4bIzn(X+91wlW~+!uw=s+2r^E_30{e{G{X2k({p z^6mlZgALG;_l2$C45kI)bw3157uS1-+x-b1MeW0VM~azQ6=Q=@!sjT79Hc(O;eN{8 zz^ba-@U|(?wvScSh4mQ?+j_o76pC>cWTuEdPO&OE{|V8>|9}VK1pF%B@jB9y!o6M@ z8K6kHWtuL0v^E|UR={iOAEFJEctv*9*#|nb+?7!8k~CdM&dL_nLE}Vr<0c8Ob7uXW zohR|t#xV1`7{+kH8%wtgq4tG2#%1ng2up3=-SsRtuwI(OdMK@J^74^g7m#G2YUm`g zdfEL{9FO^@l2~kSBFM=UY5U5Web;)o(W}7*0ZD}Dn)2`RlLz010Z%!Fq~X&ykwYKa zsdc#CQd)BO-(jp#+{xe;*ww$y!s#o{W6}s2sjhs*DhFhA$lyLxI`<%@4mXN7tntf# z#CzQ$V;r}_pT)(yF1Xe)=p1v5um^!b+AV)alJ$@R=H=fC>rF&bDejd(DM}T!W@QVWE8~Q7Z zjCy^frTL}n8(%;GjFpvu&6Jv*&et9Udf(d9XVfZg$;j}4S*U(2s+fN-|71KcO+{R_ zq>aKD)D1W^Q7X9jAnc##h2Dxgp5jGV$_?|PPFP98yQdLmE-H*bmas!7(>a&`e8DuX z-sb9RCG%axCqe>u(iut@1IMsw>aE7$kJ6na2KhZ_O~aDQHMd@`YSfdwJNpFEbXfk) z0HiX&{53~HoRu8n4~n-ci<}(>`P$hp%`p0{H9ayFr#*d-1F)JW;RL$W?`~$+x2lUV z|K-#@NWMCrXA$&VtjBsQ)kfj<(1qw^Ss)I-hB=TKF7k{Vwz0ysj6Ki0RqHPv1n;Z( z3QuG4;0Xp=BC)hACH%bGN?uWp)=NdTrXCU6@TK!efow7T5INnqi8ZmXpk_GP$T(Un z8o|-KAGCidPOwMP^9xl%RvTIcEPZIux&U@c2jF!ZO@jqN%x52Z#hmL~94Xyei*~=Q zM1prw>XNm)F*fyP)B~rA4bkPNyBm?w?mMwm0r0JgMO76O2~$-kj>b7iu<)KC)ENhP zgC=wG#Ul^sehEruLz#(;?Ct1B@TJlZu5PUhrlDdYc8AxbG-K1(11aHY_EO=j&uhk! zW;ef{`6qHBAbIDr=ss{v1Ye&p*RSQ>GY{&XT1w1AaSTt>N7{(b@>A0bD*-A% zK~AiZ6n@6W^0Tb7vwskiS{yiXr)y7(u?DRHyB$tp!6?Dc^_h;+zlS)aG2mS*%|A=( zD1dZU^JU%jlxYes%|`6PF98eOOIPbwZ={t#>sge)3_tk6IX&wuM*6@7rtd3g!F!(? 
zmosshNbb|ZTZnhX!DNZ$^~)j;GLMZfA|n9U$U_fT3g!u$mi9L#?SCGTUmh%DUBQxna;6kaX)!pn3SZ*^4JxH%$7UPW*AukU3 zTZTZ2vl7joVj=w5oNLV~`@NPwFA8JJJ2-SN%rYjrNC}z;L8MZy35yZm(^H-ZM_Oy$ z?|r6;Um-G!o^D>DXXRv0kOYF&Bnyl6U9%iuW(u?VSLjcDEgT;ok)Qa=LD{P4Af4?l z$&yrxLNQwgz5cUW52-;7F!qSV>uRS4Cyfdqkd9Q%@4#Ab-HFdm z`3qO&!2Qixp3tv2dqwK`X_1}^`@R{w0S)Im16)m#Y(5a0!4OCLDRCwE?+Xaa*wv_< z@{W#lRy|3pQ`av6_-&^l?tpthUiyWhOrF6jHlrhYv9rk4Kc9iXC{8ODij zeQ}_3kyNv)0C$>rj1IJh3G`03W)LU}J6v0FyI`sCB0G|#A!vytB-+uNems!to7hcv zd1aQ5dfJa@i^*Pr3IHL5=sV-9jWQJhr-SASm`VUXS7|FDz$EaBsSjPwxPwsJ?k&)# zIyzG%ha)HhbjT{-^6&w(bx=mv%^G>GaX4h(vY05^Ta!UD6XtCux#9k{9<;R4A4_bS z8xOvv0RO&Cva6EeyuLKL!ud=~U?bn3yyz38@YFy|L)u8PaufAlv;JPVP0{iFzGy(B zqKDVJ@{Notok@0scqAKw3>|&fumGxtYeDFnA)!)eg+3-T6XX37NRKh;#c&}s*|o6! zM+plI7T472$HyA0CsBkuSL-Fk2D;E{NAwes+dGG&YJ{kwaC86$!_&JEuPyR@a|iCe zK$-KH1L(+t!SMrQ94hNrZz=mH@OpQAThIcKI$T&marZjfr=SJ5HIY;=>Xmv8&C>ux zwR9`cfu&VmRw6jd{)rm|GX#*>W6P14X{?J1gvT~JrCP90Gm>>tksP0YcKu^&b^onj zZr+wKnlJtFH|hv@jCEUeY1mpW4ijv8}@AGDIb6z2OVc` zyCjI}D5dkNKfo5LWdSRJ*eYmwQS2q%9n^}y=sI3I)x$fO%nPkE5zBa3;t(Ot-h3Y@ lM9#b*_==a2Ff(YEXI|LrE3-dXH7YYIywduPToIrw^RP~K;#~j$ literal 10323 zcmV-ZD6H2CBmnkJRTE|uK;s}+8cF0tRQ6BKbc8T0KF?7oZU%3*)qTiNHc zQ^kV*Q~VsQx2=%8jd)Y!%P3|c)%X`o;XsSis@SV$v@6Gm4Rm_5niuM9 z{chzmKqDq%Kvc$w!Gq_10Iu8D1Yn#_^am+8<80E3A|Si-4%qJorUlVl*0b$t04JqA zyx=##7`=t9ljM-o!#3+2mumjwnPXJEbtr^PC_#|3gbIqJK55@-lsgn+FEGpzN)`{f z1BR`0ge#MmOLpLIvC(c<{VRit2PoeaZmezm=c8Sx+*c-6nora`FiR;wE-p&Qolw>oiVZ!JgFx^D8Z+<}LZ9Eob|ho!v7x@9b}0F4&F zG4u(7Tk(zF3?^e6(B*l>>5%y9KP4l7sF_;5C^Vgwb<6Zn0`X5RvZfNGT6a! 
zPIX=I-gR}Moz8Z{Lb5<)YV$}2Hz`%*@?ZlSs=nHL?e%+!B}s%6aG!sj^@xnAkS<| zr^@7Idt7zM_~mq~>2%EAmX23zMvaUBFzAV|@l7*N-}|s;l$ACAbT`1gO$B?J8Mn7w zo_bt=h|>K!Qfv;@;ON_Dx4A42>I#?5E-|gB%e@Nb0u*2P1i4;gTnWOvs1Y5do_4)*?y?k zS+()vAll?=w9G|-Rt6hzSIqk*4sBKT$3Kejj@pk48>7b3cgAa$S#E%6DE@eJvz#Tl z+7JAlnRy;S=QO>@QkHAAB9Z?4qX51aM5kO!vZl^NI+ zU8>*vS7;)!*Bz0;zr7RwM`}{zXCc5&oaRgij|+TsUzjX|K|6aCx}bGFm0{!1)gWesK@X}R0+6h^ZR$d^mf=@tcPMIIMwj2@t507Ode(|l*eiRb|!@sjL#V-bmLHEa2Zh!1qh&w>R~}N`j1IJAI9o3j&^uwmaV4l<7Gu1 zfv3!ueaLzH`SS*&9(Q%*1z7xWboD1AuGdlb3=z1WN*Ahr@TxJ6A<`i)MFUZ}R~LtQ z%?bVy0*HW_?Uy`2fOJrc_yx2`d6V;j8jAp*V?HwjTvQRIt%%65*fcI0=E^Y%u6ZC+ zfEKyPxTT#Q;31=B#i)3CI~jQiz>^(HHZ9Vs<+N1OEkGReEm(j?tkJ6^IH(#WlPa0H zV-8u87LLH00xp!ZRfUm5njqK~H;*_LkyQXcm;e62Kvq*eVF^+XqKt#Hs-VEldLTXe z^F{~|GoxXQ&0#WK5&t~IqDrHJ{JPp6Srr&9Hf&r{&8btV`7B8n!VX#wiuH-;Q|V%7 zL^HHOB ziS_ohPK>yKn} z5hHc*81+;Xu-uAVzMH`mcNeb&u%Nk=4C{NKDU`tp$bh#rul4XQ0uvG~T+3f%TeYi2>|nX2xDQ@3uW z;gJn*L=ovIH0hziLdw^vdUwVkHe^N?rty8<)?4K4fM%LlNSt2)N&8uH8f`J^WKJ3G zZbFr+`3BMd*Sw4gz681zSofvKgT$R$*bWwW#r1g2n}}aRD{_7Yrl+jGiXt`B(Qw|1 zo+Dg6ccrm(4rbQ&xE#Iv$Cl&9EZ1@u_l?=G#Zipx)VM!;xL(0xLLqGfvr%Xb+o2}W zBM*Wiqz}jI@|7R1rsJ}~6HMZg(?WpK12OEvD0Mh6eMc4XltbP1n~UWS9xp>*n2!hh zx-(otzZrA!+35@A4M{@>-JP|Wt3ql?()W+P3);42e-JyM01i`AE_#z|W7I7^<#0Cu zbxzyt{v(!`U=Ny_z1L(z;tSF_QdAJ?wn0m8HX-dUjKKl&cUU#_Ei$MrfXJ-Js`C(V z2`|y7r?uLnXF%3=+oAtTN-e+c?ozIM4$8T$-5>D-1ma9JXUy1CD3MWpN0o;Pgb{CB zBJtYgWD=TwFSH1{QjAii+&pkvm-ItlB(JC*E`5fF7^?OkF3vwmX$-uljt=E?15}$N z6i6>zLqYpjrEIc?0K*|2*&KdXW@zP+!01L220O~G%BIE(4YVLA-x8A`t~+JFHXI@I z<*-!Ihe{zVL{!95=O3DIX=vze+(?IVS=I1MGC4!jY<8o@JVbt165|1d_5oseO4-oB z)XcxNkDjPb@(z{fVB9+rZa# z;i6NZQv|7{{d9x{Z=HUx1-vufupb%EdQqIFj*zOT16B)b{uim zwLSes0uS+_O}dFBGU1W*a~Y~akC&z5SgtLLfn-97+tX@QP_^qL`1e2UTLLqXDf4Jy ze*B3m7YVw#$a3io8r|(+v8o$2wZD!<5-&#`gLqQR95FoBXKE?3xW05CIkwP)@6N6E zq6e=(3`|Ba!JjCRa;A{NE)R>B)Oo~y9?EetkQkT|faVB?!_-e-y$?o_}9UN?VIsPUO(5`y+ZplE@AW%4T9 zq%ak-KfbHNqxj=wQ2ULy78NZVcO}>j8?ms&s6Dybtg-xX=OApDWW}E-}GtVp%nA^A{MZFp4EhNQGD`Iljz# 
z=`wb{tUx&;KQ;G|!qq`b)MDAzG8PJuh27{tj5i;jlT3SBdrD!{cmFjwWVR`%v!Bx+ zHj}*|RS4SHp*2ktoq}3G{Viw#-xM-M-SWo?Ql~RN?a;OSg1e9JyE9&+!ZPF1< zD_J;SwAw=+(??pVcl|qf4U)vs!jB=AC?j|83^BP$72Oc&oPequMPoI5$#nnZC|Vr` z>p~>}M&L*dHDa-(a;0wjTmYdX{RdCfVUsSxw9yNmSa}y1hm$VTz(UXj?fX!!lnBN<`aOR-LvTskvF;Ap_RsU z50+i!BHs0$*i%JTZt6ZL1Ye9r_rNCvHE+3_<4rK7&s*#xJ5y&N;w3P0!AgHW1M%p6 zYAgK`>QH_>4!&B<4!YovFodUS&+|v5`F@*EC-V+RO#qJ1mYB=ay0VGp&XgX~=aj7FUrz?K#c=b zVu013E!^N)c8)%=qgF^=;(rn&1=wz?Aei4&5IKzW{k`Z=Ztnn6S$OK|*g ziw_kCJs#c2xNPjF)yhf?4*n4q&1Xrz2bt#7b*a3CB(Llu&OoHo97+H1pp&-o1Y6s< zOwsTD8cy$iILF35OGI85S?_YphQ@_v3r6A+UFlLpep~68r5f65G|li$a*w1H;~hp? z%9fJ#{V$h4w{VB&eqqc0fDqK5PONJgvV`2>mNJ6$Sn^_QOo3NY^oyuXTm&06wl} zNiBP>NFuWhd3Es}c$$P-0-4s!f75KKbaNv}FRvQPNzjf*|E+dE7fR9w!ZEJ?@Bc)) z7Cf?U?GDzf%0ZJ8d$#`X>oS+Gz0V68li$`4YxSFr+>sp zCFh~D%Ri%x&K*2lhR_#s#w}*0v2t0-sqkv&^lUC=PtB)qhGGt~BA-;Nnz-*aX8{~s zi1_Mp$-23r@m@&}r_!~*2)X{(NT@EL4*6G4JoAyEPZmPP z;&mgI#}!;?XeEIsIZy+x1pDsjk<0z0l!)=;O!~DKS|MLfU%_?{?p1FbZy(qG9mEf1 zk9!!vtzOdIB1dlTUvId{f@`-6C0E)z_?f!dSw$HtrWv)zp?7!I&DrQy>NCbuLwZ_$ zO-gcKDhQHDIVFvQs-9$jfe!C#HGF*4IkmNXM(8f>gD}2t5nK#tNwEO2E2Q!My~X9ahjemi3}h+eGw{TdjVT~R z{~{hjjaCqMDg;uHJnNjkz7J;}&XHm;*U-DbZ_U6w zCGVEiy~xY)J#anr&QgjS)KM3m8#>E1#trI<8mgknf~zRHY-x09h~*61S)Bo7u3p@} zLp0rHnJkTm_(@r`Rqy#GNKI=&;h8{YZwElU%xEl7!2g&!h(!ng+}En0^MD)a3; zG6su$=}B}9JK;AcO{@+jG%-F6P6ks@Eq*=X$z+aY)M3mu_xRr_`BQRDhVSa>EXg zOS`A}0p08lkgRjT-1h~+xDb=m!>nC;<>~SQOLaCK^#PJ)z&;pKTh%~boEQ(m%;U`d z64xdARHT+0auewn1yz=sp4you5S zL%p6S)zpgW6@?df)V&xoYP~@YaR2*{TCeGt!HT9P;HtJfF9b2ltgrA-z}~OB%sT#} zU3FrDA-g>AqZN`1he`1Etd%-%r~M8LP; z=)xDB?-2Y!M$M+FFDEI-M*6_z;!IZY(~Q)}=RuPI_t3~@T)6nMyQ$K!;pRpCDR3Av zsJ?O_AMvIggtb^B{IYKP3OdH>2F(L0|8V1SSAHGPQBjE@lx_4K90&0UtnkLYV{%wx zXComC8Y5>4m9;tY0&e47M(60|u?wr2VXFe|_)=@xuW$3#MQxZCzY&HaA8wdvqQ4L3 z@c4zXKaRCGt|ovRjHfl=jPPT)^UMuCz5!^N&6ZkteJY93jAcr{F3i1VB#a*PJe7@_ z;Zlcbi77;v+y7_Q-I1%#=ioQWEstfC3!>(0{Oy7stA%>|AuOS>s&YdW`|ffxrYtfs z3d!Sz>;h2X96Vj@coCUrFq~-o`&U%Nq*b57a?r=_qS)1#>*X%M+sx`mL-N_pVMl0a 
z>1dLKTddTkI=k`dS=_-Ox9rNocC2e)BKeTeE@1#wsP(sYs$D`0cB-P8y{UAsi!i>( zlBgvPZ0w{YvnppLxr)yQEM5zD@Z}6UpkFuA+p&1H*{$>V3LdAx`As3-cpKCkcxC6O zhPP28t3<=nzK@7*7_ADsjbxW;t{_ zewMEv_G}LCDNwU+;_6th48K*-bz<5?z70_ROiby(Zr~@SyG5n3R5w)q8CLcuChhK1 z79o$AJ%Ym#HXC>}L|-!blv+Ut##ow1zz7B;g?Uzl|t!ME7WD~?cXn3*}eP@#7 z&>wt^hMo3zo<M>hO6=GxLx@get{#Pa#_MBWU3$eofqU)U{p@D8%m9`NQ+E1Mwj0G&URzNwE=rr&+`GRiW^loPA<2wp) zXI{iy?9*4g`64GkzoeUxHS<(L@3K7|rm$4i$;_DB*~;&=UF!(fO^sDy(G&fl2r&HY zdc;yzKPHI-LKm}QynF{dSSvkyZA~=+;aIylkH&ghn+QHs4Hs7lpQZ{ND@$wfo{S>| zkZ1Y{qK;jg^0E9_UZGfI9q216U=mVIqq9+;2xw#12Mqq!FIR)t!{0jWnGsi?$?H9n zsa|&OTVeG<-R$eN@)e(C@)86~z0gMuW#ZYLI+88}yS|>|tnezPo~FNcNHcXH)Kz&h zoGBUV#X|OI=K2v=w?Ikv0nNKy_=VM==Pci#N6|mGdg!F+$e_(Wk?>`-Uy$Z$1x4A4 zxdsQSIz&qkI#;*mK7qpCElkZsqbWFLZyzT>cX>RW+BSa z*?TR`gGV2h&d`!c;A-R8$YKK4ApiO-e$;aH359XRO4ITTh{VbX|AW#|>rjuH8#$b@ z3#DRg7HqA#m$h|E8TDt;qm-~yskXyJSDU9Gmsw`7gQRYj|KGST#@WRorL~qN&)gCh zO`FzmTJNWCC4U`er3J5L}J9=TlR>=_oA)4MgB9JD{;~N?Ix>y2(PVao}Cae7pT>)GWvtVrVY5KCY#RSU| zIj&PyeGTyxFmu;Sv6NoGSsd&24`{GQTE2jS&$x0iMYaOxn@sAP-7}2W>^k*yrQ}D& z&8dW6+Y0g4^H6lHl|M9xYp*%7*+ zF#_%Swegnk{v$CoA_T0Wk8TAw0^Fgi?A;#0oYXgi)U+iO6$A56r z)ubrm-og?|lMBW)+P_zAr(AU)D;@}LCnP863YtYM_OVhuHcMZ2W6_uQ07EQ9U~*_8 zJ_xOaJEr5?Mu$k+!q=+SH7du$!SzRm7SI6%`!=LApf` zyp*?%Xy*+V9MzmcQgffE5}a+ z$_w8EckHc$G!pU6I#0k5R6h8%R8*a9rP3&`-}15KhPu8#lIrg|xT*4Ok7Cw(wRA4B zxyh9R^gJv*nI)KY2;Iik!qYtPv2VOOEi$UP?8|dGN(z7ptQzXBaA-&JMCon>qyY>B4s~S_i;~jb_i6s>rANY4jX>L21};>x)iNRljujMF_6z zehcM^UhJ&|V88#ujK-+Q_f90q+9A{575{qQtwvwf=Exu)dYjv=@-R=t zjMs;y=*QR$E8j?}km^J|&lhd1g}hQpNJb%tS|JGKKnMGOVrG;SqQ-BBq3nw}S)BhSA$SDlha zPe4wAV90H8IBCo!l-VA@H{-6OnvM`45Qc`h8>aGYesY>eCqY}#%F%ICza2dRCXaRx zBMzNC_bdWgo z4{NAdh$jJOt6B}Z|B*w2$d9^0=ENr`b=+0X>m4aas~@GCBdX}OI5=k3hrxob;>*Gx zNv0{@W>;6y18pVP)`FQEa|8-bc%2D)bQu8XDkE{+iA=>3S696NKL zSx5^m*8hkP)Erg0IaQy#ZhDwx5vI>Tw-BpAoD8|ia!=_Rx1oHrIi@L;G=&aeR2TwC z8JaDOAVw{#3D>tD;7Vq^Cv#*uO%Z{w+gm`oZ!Y~l;m&Xq^^Ktnn9}9>O`}$53XSab z2j)`Q6;kU1je(fmLi+e%fLhs& 
z%XAA1IWSv|u-t&>0;WyOxwQ-A>I_N_lISVprXxn0$#HT%gY0kkHcGR`vuBY^5$B}Z zy-)~jMPL=7T0oHXvKBo+59HQ-tY2);QC0Lrtv%niGvhloQL_P~cg7qSUoT zQo-;LiiUhBt$le+ndUBde#D=mn`-6OJ&_>$wUYQ6?2nKb+0LtQ91LPU=5XtRx&9fro-ci-C!tz6Cn)wjX29dTRM3XG4A#x*PeghDd!1gGXEva%-XI*nEL`n3k+E#sJlKXwqFf%FHVsPyA=*fLeEivvtN zZ!c2MT@}!muL649+lwMB4p93Pms$za%_uur#XC0V;b@q5z&sj1GroEP1&FY3!si21 z;~OOBWeIW#;6uAg^w{F)XQ2xI9u1ers zeih$abZ9OeRX4$0UnMm4mBKw$Q$g|J(ix$AE&jpPF_&lDyIe|37qx*Ipo&e2o>gO+ zX60xhz`|}W&;Ul6VCF>}$hkgXj^FdfYnxt9`Gjd@5L*zT*hWE-Hp`!i_5|+{ z_dJgh-=uG1;eAH%A&tFF! zXFqjib9$b!90e+@puPj_4OAxj=s?sGu`m2ONb;eCnttFjsf(>NRSMZ9hucG&qSXzv zT3DQp3_>PEf8?r%RSXDbmBjiEKkK;{QEnb>g4qVifYL|H`Fx& z*J)AF?Y7mE%If(fkdRTw1HiLUcX#C%0*;(8+r82CNJrY5!v-v9gN6fX#Y zaubYnvuFJDn4GKz#A9?(EOEKA`01jUexdjvtmLpvQiqP7lRKQ};kEyk;w$!@IT`ou zqGntLPM~8O$*oiI%8C;2MD~1Gi*&+G)((^f#DJ7`wUa>;XC>fZpcN5g#1G{V zes7JlADS}b&h&7B4FqE6gw?wPLdauS74ZbnuR_^B-2F3L+c+p1u|*d(BT-DT2&@|g z8tXEA;QBHu-T8eM{I#ifB!P|2Nd9ySpvOMTPVN>YZqTaXs8>%L$#Y-hgMZQNrA413 zzF8=BN^P!%a0s0$JBRPlfI>$Pw{Zt8lOS2VBV&6p#cWm}(l^f8#TgcfUfJpJ1n8D0 zDX>ox*<-OXcUyMP1~EVkViP1Gmv!4iREopxfU3```plAJA6psd;~Xoz!}}sIj&(Wj zJ@qjSKZpoh3h%;9cD?Xrux~F_sRze|HAtN;M41a>K27`>iLr;AyEG$0v8dy&{&Hew zzG293LS7Wc>yIfPd9`qU_tm6Wu{1=cHv^Q-fNNYM*uwnHVa+g3orVW!`U!}yZ&i?K zX&jo$80!Jx;^lNfsbU90m8yhOh=FYq(eNQ#Pkf%{>?*)7C%oF~;fS zu*r^UD8TKxX=Xw`DyvwscjB{zsZdPPcGcIt!P)*S#V{`Pp^rf$R5=d9avi}YCbQRY zr8*6zg@=VRx@8^UeK!XF5)cIiR))4)EaC4LH(}3Cm~NZ@M(c~ z+j)vQm*4?M6a?h?ZdWE;|0sBY4D9uRfdq{Kb ln#y2j*5ExtA`Jil diff --git a/system_tests/test_impersonated_credentials.py b/system_tests/test_impersonated_credentials.py new file mode 100644 index 000000000..6689e8943 --- /dev/null +++ b/system_tests/test_impersonated_credentials.py 
@@ -0,0 +1,99 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+import pytest
+
+import google.oauth2.credentials
+from google.oauth2 import service_account
+import google.auth.impersonated_credentials
+from google.auth import _helpers
+
+
+GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
+
+
+@pytest.fixture
+def service_account_credentials(service_account_file):
+ yield service_account.Credentials.from_service_account_file(service_account_file)
+
+
+@pytest.fixture
+def impersonated_service_account_credentials(impersonated_service_account_file):
+ yield service_account.Credentials.from_service_account_file(
+ impersonated_service_account_file
+ )
+
+
+def test_refresh_with_user_credentials_as_source(
+ authorized_user_file,
+ impersonated_service_account_credentials,
+ http_request,
+ token_info,
+):
+ with open(authorized_user_file, "r") as fh:
+ info = json.load(fh)
+
+ source_credentials = google.oauth2.credentials.Credentials(
+ None,
+ refresh_token=info["refresh_token"],
+ token_uri=GOOGLE_OAUTH2_TOKEN_ENDPOINT,
+ client_id=info["client_id"],
+ client_secret=info["client_secret"],
+ # The source credential needs this scope for the generateAccessToken request
+ # The user must also have `Service Account Token Creator` on the project
+ # that owns the impersonated service account.
+ # See https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials + scopes=["https://www.googleapis.com/auth/cloud-platform"], + ) + + source_credentials.refresh(http_request) + + target_scopes = [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/analytics", + ] + target_credentials = google.auth.impersonated_credentials.Credentials( + source_credentials=source_credentials, + target_principal=impersonated_service_account_credentials.service_account_email, + target_scopes=target_scopes, + lifetime=100, + ) + + target_credentials.refresh(http_request) + assert target_credentials.token + + +def test_refresh_with_service_account_credentials_as_source( + http_request, + service_account_credentials, + impersonated_service_account_credentials, + token_info, +): + source_credentials = service_account_credentials.with_scopes(["email"]) + source_credentials.refresh(http_request) + assert source_credentials.token + + target_scopes = [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/analytics", + ] + target_credentials = google.auth.impersonated_credentials.Credentials( + source_credentials=source_credentials, + target_principal=impersonated_service_account_credentials.service_account_email, + target_scopes=target_scopes, + ) + + target_credentials.refresh(http_request) + assert target_credentials.token diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py index 1cfcc7c6c..31075ca84 100644 --- a/tests/test_impersonated_credentials.py +++ b/tests/test_impersonated_credentials.py @@ -26,6 +26,7 @@ from google.auth import impersonated_credentials from google.auth import transport from google.auth.impersonated_credentials import Credentials +from google.oauth2 import credentials from google.oauth2 import service_account DATA_DIR = os.path.join(os.path.dirname(__file__), "", "data") 
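Review bot: Both new system tests end with `assert target_credentials.token`, which shows only that some token came back; nothing checks that it was issued for the impersonated account or carries `target_scopes`. The `token_info` fixture is requested in both signatures but never used. Assuming the fixture returns the token's metadata as its name suggests, something like `info = token_info(target_credentials.token)` followed by an assertion on the reported scope would confirm the impersonation itself. Separately, `impersonated_service_account_credentials` loads a full private key for the target account only to read `service_account_email`; supplying the email through test configuration would avoid keeping a long-lived key for the impersonated account in the data directory.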
@@ -102,17 +103,30 @@ class TestImpersonatedCredentials(object): SOURCE_CREDENTIALS = service_account.Credentials( SIGNER, SERVICE_ACCOUNT_EMAIL, TOKEN_URI ) + USER_SOURCE_CREDENTIALS = credentials.Credentials(token="ABCDE") - def make_credentials(self, lifetime=LIFETIME, target_principal=TARGET_PRINCIPAL): + def make_credentials( + self, + source_credentials=SOURCE_CREDENTIALS, + lifetime=LIFETIME, + target_principal=TARGET_PRINCIPAL, + ): return Credentials( - source_credentials=self.SOURCE_CREDENTIALS, + source_credentials=source_credentials, target_principal=target_principal, target_scopes=self.TARGET_SCOPES, delegates=self.DELEGATES, lifetime=lifetime, ) + def test_make_from_user_credentials(self): + credentials = self.make_credentials( + source_credentials=self.USER_SOURCE_CREDENTIALS + ) + assert not credentials.valid + assert credentials.expired + def test_default_state(self): credentials = self.make_credentials() assert not credentials.valid
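Review bot: `test_make_from_user_credentials` asserts only `not credentials.valid` and `credentials.expired`, much like `test_default_state`, so it would pass whether or not the constructor rewrote the user credential's scopes. To pin the behaviour this commit fixes, add `assert credentials._source_credentials.scopes == self.USER_SOURCE_CREDENTIALS.scopes`. The local name `credentials` in the new test also shadows the `google.oauth2.credentials` module that this commit imports at the top of the file; a name such as `impersonated` would avoid that. The class body continues outside this hunk.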