feat: add integration tests for pluggable auth (#1073)

* feat: add integration tests for pluggable auth

system_tests/noxfile.py

@@ -37,6 +37,7 @@
 EXPLICIT_CREDENTIALS_ENV = "GOOGLE_APPLICATION_CREDENTIALS"
 EXPLICIT_PROJECT_ENV = "GOOGLE_CLOUD_PROJECT"
 EXPECT_PROJECT_ENV = "EXPECT_PROJECT_ID"
+ALLOW_PLUGGABLE_ENV = "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
 
 SKIP_GAE_TEST_ENV = "SKIP_APP_ENGINE_SYSTEM_TEST"
 GAE_APP_URL_TMPL = "https://{}-dot-{}.appspot.com"
@@ -168,7 +169,7 @@ def configure_cloud_sdk(session, application_default_credentials, project=False)
 
 # Test sesssions
 
-TEST_DEPENDENCIES_ASYNC = ["aiohttp", "pytest-asyncio", "nest-asyncio"]
+TEST_DEPENDENCIES_ASYNC = ["aiohttp", "pytest-asyncio", "nest-asyncio", "mock"]
 TEST_DEPENDENCIES_SYNC = ["pytest", "requests", "mock"]
 PYTHON_VERSIONS_ASYNC = ["3.7"]
 PYTHON_VERSIONS_SYNC = ["2.7", "3.7"]
@@ -379,10 +380,11 @@ def mtls_http(session):
     )
 
 
-@nox.session(python=PYTHON_VERSIONS_SYNC)
+@nox.session(python=PYTHON_VERSIONS_ASYNC)
 def external_accounts(session):
+    session.env[ALLOW_PLUGGABLE_ENV] = "1"
     session.install(
-        *TEST_DEPENDENCIES_SYNC,
+        *TEST_DEPENDENCIES_ASYNC,
         LIBRARY_DIR,
         "google-api-python-client",
     )

system_tests/system_tests_sync/test_external_accounts.py

@@ -32,11 +32,13 @@
 # original service account key.
 
 
+import datetime
 import json
 import os
 import socket
 from tempfile import NamedTemporaryFile
 import threading
+import time
 
 import sys
 import google.auth
@@ -331,3 +333,45 @@ def test_aws_based_external_account(
                 },
             },
         )
+
+
+# This test makes sure that setting up an executable to provide credentials
+# works to allow access to Google resources.
+def test_pluggable_external_account(
+    oidc_credentials, service_account_info, dns_access
+):
+    now = datetime.datetime.now()
+    unix_seconds = time.mktime(now.timetuple())
+    expiration_time = (unix_seconds + 1 * 60 * 60) * 1000
+    credential = {
+        "success": True,
+        "version": 1,
+        "expiration_time": expiration_time,
+        "token_type": "urn:ietf:params:oauth:token-type:jwt",
+        "id_token": oidc_credentials.token,
+    }
+
+    tmpfile = NamedTemporaryFile(delete=True)
+    with open(tmpfile.name, "w") as f:
+        f.write("#!/bin/bash\n")
+        f.write("echo \"{}\"\n".format(json.dumps(credential).replace('"', '\\"')))
+    tmpfile.file.close()
+
+    os.chmod(tmpfile.name, 0o777)
+    assert get_project_dns(
+        dns_access,
+        {
+            "type": "external_account",
+            "audience": _AUDIENCE_OIDC,
+            "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+            "token_url": "https://sts.googleapis.com/v1/token",
+            "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:generateAccessToken".format(
+                oidc_credentials.service_account_email
+            ),
+            "credential_source": {
+                "executable": {
+                    "command": tmpfile.name,
+                }
+            },
+        },
+    )

testing/requirements.txt

@@ -17,4 +17,4 @@ grpcio
 pytest-asyncio; python_version > '3.0'
 aioresponses; python_version > '3.0'
 asynctest; python_version > '3.0'
-aiohttp; python_version > '3.0'
+aiohttp; python_version > '3.0'