Skip to content

Commit

Permalink
Revert "fix: migrate signBlob to iamcredentials.googleapis.com" (#563)
Browse files Browse the repository at this point in the history
Reverts #553

We have received reports that this is breaking users. See internal issue 161506225.
  • Loading branch information
busunkim96 committed Jul 17, 2020
1 parent c497661 commit a48b5b9
Show file tree
Hide file tree
Showing 5 changed files with 10 additions and 30 deletions.
3 changes: 0 additions & 3 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,3 @@ pylintrc.test
pytype_output/

.python-version
.DS_Store
cert_path
key_path
6 changes: 3 additions & 3 deletions google/auth/iam.py
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
from google.auth import crypt
from google.auth import exceptions

_IAM_API_ROOT_URI = "https://iamcredentials.googleapis.com/v1"
_IAM_API_ROOT_URI = "https://iam.googleapis.com/v1"
_SIGN_BLOB_URI = _IAM_API_ROOT_URI + "/projects/-/serviceAccounts/{}:signBlob?alt=json"


Expand Down Expand Up @@ -71,7 +71,7 @@ def _make_signing_request(self, message):
url = _SIGN_BLOB_URI.format(self._service_account_email)
headers = {}
body = json.dumps(
{"payload": base64.b64encode(message).decode("utf-8")}
{"bytesToSign": base64.b64encode(message).decode("utf-8")}
).encode("utf-8")

self._credentials.before_request(self._request, method, url, headers)
Expand All @@ -97,4 +97,4 @@ def key_id(self):
@_helpers.copy_docstring(crypt.Signer)
def sign(self, message):
response = self._make_signing_request(message)
return base64.b64decode(response["signedBlob"])
return base64.b64decode(response["signature"])
17 changes: 0 additions & 17 deletions system_tests/test_service_account.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@

from google.auth import _helpers
from google.auth import exceptions
from google.auth import iam
from google.oauth2 import service_account


Expand Down Expand Up @@ -47,19 +46,3 @@ def test_refresh_success(http_request, credentials, token_info):
"https://www.googleapis.com/auth/userinfo.profile",
]
)

def test_iam_signer(http_request, credentials):
credentials = credentials.with_scopes(
["https://www.googleapis.com/auth/iam"]
)

# Verify iamcredentials signer.
signer = iam.Signer(
http_request,
credentials,
credentials.service_account_email
)

signed_blob = signer.sign("message")

assert isinstance(signed_blob, bytes)
12 changes: 6 additions & 6 deletions tests/compute_engine/test_credentials.py
Original file line number Diff line number Diff line change
Expand Up @@ -363,11 +363,11 @@ def test_with_target_audience_integration(self):
signature = base64.b64encode(b"some-signature").decode("utf-8")
responses.add(
responses.POST,
"https://iamcredentials.googleapis.com/v1/projects/-/"
"serviceAccounts/service-account@example.com:signBlob?alt=json",
"https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
"service-account@example.com:signBlob?alt=json",
status=200,
content_type="application/json",
json={"keyId": "some-key-id", "signedBlob": signature},
json={"keyId": "some-key-id", "signature": signature},
)

id_token = "{}.{}.{}".format(
Expand Down Expand Up @@ -477,11 +477,11 @@ def test_with_quota_project_integration(self):
signature = base64.b64encode(b"some-signature").decode("utf-8")
responses.add(
responses.POST,
"https://iamcredentials.googleapis.com/v1/projects/-/"
"serviceAccounts/service-account@example.com:signBlob?alt=json",
"https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
"service-account@example.com:signBlob?alt=json",
status=200,
content_type="application/json",
json={"keyId": "some-key-id", "signedBlob": signature},
json={"keyId": "some-key-id", "signature": signature},
)

id_token = "{}.{}.{}".format(
Expand Down
2 changes: 1 addition & 1 deletion tests/test_iam.py
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ def test_key_id(self):
def test_sign_bytes(self):
signature = b"DEADBEEF"
encoded_signature = base64.b64encode(signature).decode("utf-8")
request = make_request(http_client.OK, data={"signedBlob": encoded_signature})
request = make_request(http_client.OK, data={"signature": encoded_signature})
credentials = make_credentials()

signer = iam.Signer(request, credentials, mock.sentinel.service_account_email)
Expand Down

0 comments on commit a48b5b9

Please sign in to comment.