From 50c0fd29a3b6a4fd6dc4b801d883f5d2b6de88c6 Mon Sep 17 00:00:00 2001 From: Jin Date: Thu, 10 Nov 2022 15:38:20 -0800 Subject: [PATCH 1/7] =?UTF-8?q?fix:=20updated=20the=20lower=20bound=20of?= =?UTF-8?q?=20interactive=20timeout=20and=20fix=20the=20kwarg=E2=80=A6=20(?= =?UTF-8?q?#1182)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: udpated the lower bound of interactive timeout and fix the kwargs invalid syntax * update token * update token * prohibit the access from constructor and only allow the injection and test * fix lint * adding interactive timeout validation test * update token --- google/auth/pluggable.py | 36 ++++++++++++--------- system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes tests/test_pluggable.py | 59 ++++++++++++++++++++++++----------- 3 files changed, 62 insertions(+), 33 deletions(-) diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py index 6be8222c1..b4fa448b8 100644 --- a/google/auth/pluggable.py +++ b/google/auth/pluggable.py @@ -52,8 +52,7 @@ EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND = 5 * 1000 # 5 seconds EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND = 120 * 1000 # 2 minutes -EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_DEFAULT = 5 * 60 * 1000 # 5 minutes -EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_LOWER_BOUND = 5 * 60 * 1000 # 5 minutes +EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_LOWER_BOUND = 30 * 1000 # 30 seconds EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_UPPER_BOUND = 30 * 60 * 1000 # 30 minutes @@ -132,7 +131,9 @@ def __init__( self._credential_source_executable_output_file = self._credential_source_executable.get( "output_file" ) - self._tokeninfo_username = kwargs.get("tokeninfo_username", "") # dummy value + + # Dummy value. This variable is only used via injection, not exposed to ctor + self._tokeninfo_username = "" if not self._credential_source_executable_command: raise ValueError( @@ -150,17 +151,16 @@ def __init__( ): raise ValueError("Timeout must be between 5 and 120 seconds.") - if not self._credential_source_executable_interactive_timeout_millis: - self._credential_source_executable_interactive_timeout_millis = ( - EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_DEFAULT - ) - elif ( - self._credential_source_executable_interactive_timeout_millis - < EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_LOWER_BOUND - or self._credential_source_executable_interactive_timeout_millis - > EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_UPPER_BOUND - ): - raise ValueError("Interactive timeout must be between 5 and 30 minutes.") + if self._credential_source_executable_interactive_timeout_millis: + if ( + self._credential_source_executable_interactive_timeout_millis + < EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_LOWER_BOUND + or self._credential_source_executable_interactive_timeout_millis + > EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_UPPER_BOUND + ): + raise ValueError( + "Interactive timeout must be between 30 seconds and 30 minutes." + ) @_helpers.copy_docstring(external_account.Credentials) def retrieve_subject_token(self, request): @@ -400,5 +400,13 @@ def _validate_running_mode(self): "An output_file must be specified in the credential configuration for interactive mode." ) + if ( + self.interactive + and not self._credential_source_executable_interactive_timeout_millis + ): + raise ValueError( + "Interactive mode cannot run without an interactive timeout." + ) + if self.interactive and not self.is_workforce_pool: raise ValueError("Interactive mode is only enabled for workforce pool.") diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index 99e8d8b8280442550f1718fd0b57c77579ac386b..93947b26481b915183644c6704f2abb62927ffb7 100644 GIT binary patch literal 10324 zcmV-aD67{BB>?tKRTCd5F3fr3A%RfBF#y_G1ce>UmO(n`5h(%~(1<;1{Wub;Pyni{ zhrCi@js0TR*I{5r9v-m`<2u5L5O~4<3__I^#6SCpROC`vnN_)N56pF!dAHD9v?~78 zY3my0{IIFl82!1OKmY$s?LD%>*1I&yS1@qxpG`2wv-`a#;PqwH5z6X~^`23YjIDOp zVDVI3RY@?%{P@pcQ!H2U0vgX;bIf^(e9Y|h_vT+==oy~USoneV>?I>QO!an4XDO>< zE5Z&I3iAtcBZ6A8`Fk88t2Bq9Y^lpZA|?(0-6w8-h%SYfC7=^Moeg4rd~Aaa*~EO_68e9r7&M(^r6p2i(E5o^vYZ$?0VA z#T-)zDOthe6_;B;0<>_I3!8Ty|B(>D-*3{*&!_x01l&Hsd(K8>=T4fpGb7KihdY=x zZ9Wc9v!g}ABTWOZoH1kR zpmG;4*nh8h(H*3tgy6t(ekviOKJ$EU#K&mI{$N#}$Tk6mqYx}*o8ZfI+k3a?3CKzk zXg>9LOXs>*Te8XQpqJrpQq^e20h^V2!!5u*Kni+kb=DjcYL?~KgP;G4fwI25?qhpe z7NJE%>{j0&U%({BTD`!crGL!4`KFpPQ&}3SjjbzZQL2AIpVT{h2T! zN3I8(xb$aXVGrM8<-_#=QNm?@e?!fzjMhVY4}90LMmg%O&qEl50I$@q4ob$~ z$@%{mdyQ~S#aw?y?&AynsHpq1OfSl2%sS~6Vy?WlK%ciPCQXFIotF4u2pI+(kbh;u zub_t=4|d@JqQIq-jkVKLF9D&VGPJ1pNfhg*c*SZPx78?>SUp-iuj;yEU^2)2=-R|` z&K!USoYN9DpPccyMnzD{Cu!ZGGks4x0eUQ2a?tl?m~q4n#2qll%Asa+&(1)gnS?uh zt+K!quQ182qYz4MqHB*v0x-_QeVlFk7w|sdR!azOEPHi%GdP5aA<7+#V%Uk{9ghPj zSURTv@!nYNp-E44)22BwyCBuTGr19<)!`norBB&e+QlRqZ{LFk@_Vv;AX&;0J<{n2 z#~0l)=7hK}O_iC!d8OiL?k_>eB`Pf!4KsdigBb$s5FZ@~PP38~i?0x> zvx)+T5zWC?@6z%$Y6_AM@PHd}!2`K_(^)7jfP+)le8?=xnl8vIUq4Mssc`9(d~=q( zy`*IeG*;<>RE-R6rQuOC{Qbza{fV9d=HPYc_~UF6`(!5%=FQxLwvG}_#a7jq;mJ%{90)(S zS!gn`3k|{Q$M~J)Vko%~V(87JPd`7=R!b~vcgqJ=o9}-+E z`V}zFAl$pb4a#X(Nm#wjk-P!rZ6&CP88ztyJSLm3&sptkC}SQ{^vY@@Qac zEcH-E-*XSpJ2qXn$1jh87luwVy*gs8!`*GO!dm!=W5Hd z^Jf7hR($f^P-Z-g9gM`)G7pR|JlK+jw#an{w_D*4Y0EikU73jepjS@+``uegUT+Ri zog)!gaOq4vJe=C>0g{8GRFTEqnh|IP5LeR`99)YS>}_;2jO(g3W8 zC)X7ddqNYK^k14KqXEMUCt{h}lEI%-iThPRu8vGlcvn_yuVD#gBx0t6>hV1}+)JW% zGn{sKyKq^hP@LX^i2dRYb#I3Sc=aF^MNAWF(7m==XtI+uuDoUJvZFQt& zs)!-Na3HbN!j-Y~EZP$tUSS|9ga5wyLxL~}6P+eoim+7yn1h+cxO@T-i-Z5UeIOm% zS!$+8%zR_;nFuI;l!mBeQopW8+8bVzcK4+tID?NNuH2y5)Id|;chFTZoGk*SB9AAq%nt76)V`W%dL2$oHO@Vq@UBJ{+F3I7WJAb5;9 zsbc=(i7ZWy`kCE%y<;O^#%~-wQ9Qs|EHKWMcpHRh(%p2cQ(;qY(vM#e^_&}e8ERE{ z^s$-Z$V~g*juwn(r2q!@1}4~~0ib9q(ATq*jny>ARYP+kQtQBZDa&%zKApKMFvIn~ z*h{|-wV%Qlp{Sto{I*!~Wx4+bghX*O3*cFHC2K~u@kb3k>T1gi?*%vK+z}ClG<}~& zc>_f+P7ZZF@{QB7`ok{q_P8Wp_T_p%G3r$?^dbn^R zS>=Sxf;;SVC(@w`5;}fiP9~=rF#4Ke@H`B}Y9hG#4spgTDgtixJ zad&Rh{8OO5Jc~wYo`}RpB+HUq`9sik(O)C6eeAAI5d<=IFwtM>2Yxg~j1X1f_&G`L z{hZ*o(?XwunQ2u6t}}~N*!Z_qwd6Hxs#+ssk`Ume94pGC1?9d2%abPcLt01F!fAX( zN>#W-Rx52nuJ~1U4MhPx9nt3lrghg)Q)@%y5q95y;YYOSzOFtI1iQ6Ywrn}LHelFAPp}$-5-cH)}vz3(9TR^uI!!mDcn)z zTyi@Pb}l5ipw0ijf`?JD@|g*6-6xVe9gmuCY;!-sHQBFfFqzkBDJW=InjbjD$-59r zG-wPI78*vMSRGS7tUcQ5*l(#umvwV#13uRZY5;W|qoU8I3MPX?z6abR(jcOUFtn2XreS3Kh5%@>-)dNIKlCUnMXr z353PiU`BV;;~Rih?9F`&!Tti|GK$Eko7?2!us8q`EYRHfi2O}D=q+mLD29H6iad#-4{uWg>C$WrA$|m)v`!Dlu&Q zPd}P!V8zm8|KB%Cr2IAdL`ulwVkP#9rv5`1%n7J^P2(RQsJwb#dP>(*qVIa$eu`xs zZ~Ibxk(v_C3W}B1yuhF3WM_i%;J$mRfq4M4t@(acRe0j@>9bG0eNW+~yZ;Q!3g z(@+Ch(jYQ8X@FtR&Z}AphV}yG$R{kwrrbt_!}V!6H}35 zG5lI>6WE(g*m#E*JV1oZKOt59Ji$PtoOc2${%=0s8H-dMmY?EtKl>}ev4I`x>JvnJ zq(xrvEWAl)$O*723SuiTe0Rvxc!?lq;XRFDTljZ^LUK5a?vOKaWBsC*Jt@i{EglDv z9k>ShP_W=%byattPZ;xPq^k6!nmpcn0wU-5h!3JPM-0(s31XYhr#UpZ9JRUwV81fb z2!sOIy01`JwB^if{sM$ibTCu}X7L4B5aAVGmD=N$*p>jGLm@SWU4HSAh>Mm&k_WPh zAK>=I(#+2oh^?|z;4aYJI|`Nyu8`8(zFD)QW7f22IW!sD$m<-Li@dyanc(i~=mhh{ zqco@s%h$2ECT{SJ9{Z9BM4|deUn!(4P|5wfN~_KmX)G!7q z0+QHx{m(FhN(|J=`1;;~B;iHjq1@DQ#hvE~)KrS}|0|KprdVuN)6&N{XLiYnp_J~N z2hxP!ubB!yphV$XW|aOWt5y1{w&ygKKF7;qAPe*UxIc=nd4o|Q1Iy9qT&9Iw;?8h} z(ljk>E5T)kw+MQ|sRHkc=L*Dk+yQ9gz(LgMc)jXWYa<&YMh$I~j+j6aM$F2UsU27% zC8sYF1a>C{TBKGr0n4)*iudi;7>{2qqi^Ow_RW@$I6w?PNOrO$(ND_o9kDV?MQ}~9 z8BaC-srTG2KNLgWC)Zz9RlqI88pcse^S*k`@IyrUW7E=S6YyG5b)rZdyx213p$0Qx zH35^Aa4J6C2o__z-mfodS$opSZUm@4u&Z#d%(4$K0iC0|i>wX->3_2(Zl!C3*=q3? z$D)(dV`aCTUrVT+-bZtYt8ZZPjU+IP`yKH|Bysq{Rp&#&hkJYYi<;5(J6J7E=4TbP zk<_?Uj|ii<;fns(h5E-Le(7*wai!DF7SOaB6BCSTXj%xP)xa^Ef*ZR<87ab|Ap?{t zw&4qz!fb1`(h~jgchqLw+?y7zXbX98P_SvT$PG)Vr-Wm+s^(ggi%LCm;_C699rFxk z5C+XzqQxBBEe=znC~KV7=jqnDUppi*5L&?PvTXcF`l!u0`vHzqjsp7h78#O7@(5jv{V}1J zp~KB#*xj*LrK~}f7gj(i-p=p=>?tzsDWaW?~hhPVK^$ zZ6wAAM>(HQ^C)T^Wx1|-U28M+Opj75m{3@iU#8BD%lY!=cXL;Qb$X6Ud@B2OoLC=T zb0U$jz!Kf0?6%K&Ud>guAsO+u2hPra&|g;`MaUT@=4ood3GqyorzdOb?R;=sLkFSP zvj@|Jc&78B$|(pVj7^BJaQwvpLRHDVd66o_V_tv59jkjB<^Zb|sS-J;)|D)bo8POF zg(JN@+iM_YQsjiT6RJIDZ$9VG*m3g@znu}MMhdPCgqZT-IS0iydmA!L8q_V8S!9Yd z7WUux1kEwn5G1aF#Y@_}x@L>^7u2*8yk~CK1os=#dWI2lURZ_|Z>Mdt?c9R4^6JfyX<`;Ba|FiHCKkvi>YVhic*UX2}-uix< zGSDHEEEzm2hT)GEN40b|MaDT$Pzrijrvh3WNrbH9ea^9W)hrhTvMHu??b{bHLhE1B zG)|NH&$Rvr<;~TR;X%+rw<0kxdr#|Dz9BTG+X^Cvt?dFa2do&~{zM8j?&>I1ezpUb zvMVL}jrKvzS~27e`o0OnR1u^-N_18HtC?A(YLV}MHj1rt&J2En?BUbwhT{TL|a;rHd`kh zISN}zEq52*Vs0+uZik{5m6u3igx*P^Y@KagBiBRqphqs-tJC<}r;~MQ1_*0HzM{#7 z`A76*yLlI(V5ooR?gusD7MwfyzrH8irGHF(HK{oaMlY9$ZIx8nak^*=hLLLQ90QCL zfdA|`t$t^iPT0iCJ2#RboV$g^SUK+K0`y|hiJJrZei9c7HBO&BFu#VZ?8=?w!MSL@ zSS(1RCJX!;dp6OUW@|FhDQ7#B+5BrO1i!7qFGx7tDZsbMkg=>y$yW(Y5nL8vYNZo! zQM@F}ac*h-4U9KRo@$4@aF!%4tnH5)LZU%K#vbUsCtLcDC$AeHmvC z%{v{Gz9dWd0)@#cp&XKLAOSYlt(*fMgIn6Qfb$A&8S6;)C@H=t#z3)-oS|TOEYO-D zVzEaS23T!c^CS`Be|l{OZ8bSBf<<;^kl1&9Z(EIHo*_yxpk_j=L=M{IcCp=o3CKyT zgozRFBe%M8kVXQuC|Dr9hSi>;=~B4z@F=Tw7)SfiWpgY0=dBUsw!w3}3^iWw@JYM? zCdUwZvfe`+Sqyx@Qjh!7xAj%J8k5c~ziJwMF)$^4g_}Ifo7)S!kR*=}z+Tpi-TE@9 zYHJT0)yQ;fADNL9U^x(6`7@&4sPdJxqejFc^g2W3#9Pw3NnvVS%TDKPu3~S0l(=pi z$!8hkQhr!q}ccMW{5rL}w)Rx@K#*%T%P*J=tU0ciNF+Kz7L+ zosat);|JL5SzD0HIseaoa_<*Z<2J$4sT%%+m9+Pak`PK_5S~- zL!LEx$0d%=K~flyS%Je_i<9XLY^?Un$Fcl=Nzh{RMFDjZntEr}8Qi{Ln+D`*P=2M> z48F$&79PIzw4sb_W3xH$xK1u8KR!_2XJtuqs00;N1DP${oQrw**Fo@7@s4&ljWSwB zXm9e3IDh;+FRhdaQlP>s-lw2<#tKJb1I1wRG@e=4%?qMF5unR{N2py%4(b4KLP3*t z`>5VtiYCpPl8>twiyE#pxzB$nUQs!F**Gwys`P3m$--XOYXwC_2>vb32O`5SdJ+ru z2JL&{obkjb>LZAE;b2**`)py^>;oI+du?j^ov*hh{T4MaM74iyRkijh1;`D&5k(0; zzj;;?RDV{0UqHL{POXJk{m^R6Tlcep{O*K*(HU)RtI|qw$1^Drx9+B6X}zC9uuUZ4 z{BxbH!sjjbSMIwEc>!mLd%_`{tSXp~mM%uPR!+nFI-~%V^}J@acD0ecz-O0mYc21*Xa1;bPIKU^2-am{~)R_ zz{^b0xcwxQN*s4i+Q1rs9r89-Vr)au^Sy&N@qDYscd&4GN{(_wjWvLehVCmwVt+os z$M{Zy3SraT(f-I8)Dz?DG=4~Lsuym0lF&3jJCt_9%_Ft!Fin(x1$~ky!;lsWKF5|y zOO6y1B7}T#{XrY{dk%1aI&?If&#)=Q@iL&247A!woUNSeY-6_m|V<|A&T zw#y62dh9Yt$fP?&{t|4$@OSuOJsDhtriMWj3YAy_s1HAyApU)?c+N})(W*`N3-d6a z(d|_Aw#};9;&40vi`C9pcIp4;`<%-RR~2FYTd?p-9HV!0)4tIIg%7VuG?=LtM@IAk z%h~0!#!7zHD@NymEeYCGeqgPBL#E|+v;s=lb~uH9p)suwhXRJyCTpenH zUE8)oH=gqs-j;k9&E_X%<+wFCM_Fj5KHR8QX5AW!5a$=gFZLd&pcN9Ir{jF#IAQap z@nbc4?M`YnP2DJeGTgiyS6rEb2ANROc=73z zCG>g%4Y_cjz=@kCu@Z*LDd1Qnyv+?fdz?q%NK=(9^1azzy2`;G+9!H+k+Y5mQSxyq zws!p06|A`)+@tTq1K_{^Pkq2dGkgGh;99!rDpxEd>rCG-tQwU@onj5x=^9==t72rAth~pHX9t4d;`XTb9oR4bMEaPzv0O3d2meyN+pn6G+vIqRID$^~6(3i-4Z< zC*_?2$THbje6jA==WTf?8)Z=WK>gsE^WyX{0<6>-II0teaUV80v)(}oC8pMLs7Clo zhBDMI3guO_sS9kC?^aY?!sQFvc&*==RLoCBbW1rvDxlD(h^9X);*ich6dH>XHfjEYBd1ci49n3Pe)Z0~N!iz)R9d)$`W`n4`I-EyF*$vVg zmS)(Dl5}lpJ=sW@8ICv+V=h9KO+t=*?hce!B#aT0dSi^031$1o;)H(wmY+)y+T+?% zZ$f01bs90f$J4KtY|=}yJoFi)X1Ao~s8{zaYXKZr+N{;KjKqXom6OPIyI430C$T&R zZeq^&Npi-IEjKJtr#~fMl(Eo@pGvM}hX~FO{56U;^ZcSlUHCpr{;*T96iRR{&DLNB zsZO+!Hnx8&qv5W-Da5Xj<%;k$<7eI8p?}dbohm|bo1_`UQ3tv`wCIoRw6S_!Im+#x zbnwJRv|;mQdNFT5#DXBCU6xpQABNXeMh!=|NUv&WNhyM80swIbm0gbsAsxqAX;dxA?DvR4Gf68j;HNC&c&rG~*sG{W}&_@JxgG zfUS!!Jmf)(t;5jN6q2LcJN(DmUX0~j4ilx3tyaL7(%|QX>w8TGYtF)<1&s9RES4yO z7_j=GIy~j(v8}^a0&=3`XSZwBn~;Vo03ZS`8)r|E)`1}c$2h-!JRvMa&%3_22Faqr zNNDfA%S}~C^`%;?ahZ_$sqc~*9hBdUh;<2lJ1S;`LJMuJ>%WFQ{vp=OB82k0xi`%7 z-!Td|j+F9^HqdrFe$p9(Set78=zPR5yq<^!fBmOMX~-bgeKIj>GOmDx9P(3jkKOeh97<%6L}pZwGIfzsbh*27@Q(#Qk` zn|IO`QsOZDT8zAr-c*Dy4`!SS_S{?jH#6e5wh^+J zS%>bx<(*Y|*u#!Y9T>+OW)pyc0*7i)(dh=h_OS@r#?u>r10A*XJ=s!|m9at&U!u8J z|621bBulY=;0gcL@PSl-*hlX;QD$h94?!YHPkeGzOl2!J>*fkI^YjMV6vZ{+3gxlI zuLd}OZ}L$n#*Ebsl3

ltPq+FJ32-%9E8$Zq?5k9<|$#>UZ)8=$j;xmvoT}CVW44 zIzd}92f^W2XtpjUSkp}(y^I(L*hx;Q)5`bR902qc!IZsTiJnVm6izH-OsMxJX>GzV zkKgfI59T*t6MmreJ%$|Lu<(9|sK5 zm?!$*%J}EOsKAH1-}pWx(&QNd;7CsN=jy6g*`32OSC;EF-(gL8ZTE{&cVjZOv|)8* zbK3q?ZN|!o(u+2$#O3Vx8GnfevOWJg^xnxayc`ffLrVxE%--yI>3Ms=GCjgsHS%C(c>WG`rox(^rq|_VX+9$_}-IyWtix zk26?ZF@S$e7d1Yj{8GkH0*myje`spb=ktP50;kGQbMP|+@PLR1Gs@)NDDS`&+b6NUEYQ$LByUl z>SllqYDc}<@>!eBP!Fu0IJ&IC;-EL=ydNpz^=W_t6O4Tg1)7>4D6bSE{siV!@N+U_gIy1{Nalu1VR#V7-u zTq|y=#yfb&p&r|ic3<~b(Yy)I-Zym1Lm_0M8x8pa;NI3{1^a69GvBsk*T$2{rZy#I z`UvP@w7^-SJVJFc8RiYB4C)~dHW}WZ=_el=p;5t0Bv_BuSWgP+CmFI{d7T!Q>s4INQ0wO*zO zpsMSjS2p&7Ft7D@oLl|K&Mae!qp~1IHq>#E7%`;Tv^c}^?6XCe zKogLT<7KR+{kNaMiY9WC|Kn43o&B$IC2F~+dI1YhZad>HAgol(cw(~?bg1$-g?~EY zUtHWpm6;h(LVD~(5TnSl_9I}?wY2|6)-y*-dngdVPdlweW=^G5#k$A#ssf*FB2DN7 zLnZwqP)j{)q++zBdeCUI6|6Wo3>Il&z1(%;QVn?9`ke--PTdDP2Go`h3B(;g*I(&< zsUp$v*n)yCC|s(Gr>xa_^R8(Q{#D9*>Xa3>^swSn(>>U3X_oEVaa3d1`79zbfau-o zFB@jrvMzO0Jz-jCfrT29R0yswhca=VTPELI`}%x4I-fsac^5vl98Nz4#fmU*dWVxx znm)>*`6>;242pTiQ+0}0VljO{$|Zr4-VqX||7xliA^GBtpR?jd@@^aD)Hx{kAQ)%6 zlTBDEK38Nn{*6i;#8Q{XoNgsxVv`!WEy`n~-u+!G!)HFY%&Jhj96;z9eisoaU#__* zC*0kcF4i>_8=;Q8i)ps-C&9+>%Vo+54Sem?{D3sL()^HdZI!cck<^@iCp)`Jlim| m_u(2AUeu510sxcM_x`K-H(jnbC$?wPf(L^eLX!f$#h@MT+yKx3 literal 10324 zcmV-aD67{BB>?tKRTCO0rj^?VDAkuUCm*}IVD$wgxagi9<|WSx-uGH0HTDv!Pyni{ zhrCo*jtT~M4@;+k8jXi#I=}&)GoHoP_kzB^7^SfvjvLI3Wh5NthWw`Iwyshv;8aSx zg5I`I_{}^@rc4njr_r!;hM=bAOddeo{e83TwE5Q(-#aqf{jP)}nUZEXT-E}Zl0he}yvRreS%=cR0MGtfRnjTFU4|5KK8J z?vXNq3`YE;hOzQydwP1I+rX%Ow@tO^hz`{y1niNxsis4_iTAps2BeJ<57;*3wVZI^ zqDm{qJ&zH3LN?77FPDIY5Ty-$JBG@E)+x7dOgw&Mg7soD$uuwUJXDWXV82kVl$7jl zoo3|TpNl2Mj=^(g6JP41RpHmbeLajd4S*Po*6!18${|0H2*Xs!8u-yR3CM+PHyleB zH=W-8QiNOFEr)tBdMC`X*+x}wUU~_?{-_3~`50$+q!T#QiuHj#W+Ih)XCmtp&Ho#w zr#KS%hz8h-52aS)0{el7d#-$=`{Ib@_uXDAOV4yW5LiT}`rS72v$GB<6mA=9auSzu z;Wz(PxVdZ!`~~pKPV6{q{o;VEi?;{I)t=BT7geST>CQsgdzM>Uo)m3aLn8 zTWDkNcth{!-5%0dB8l`c3PiAg57(;G=r;>)h*$OjnT%*U*6DxlN_;JX*oA3T1L*OLj~F=>2mVDy#>qS z7^fI~{Jqxsu5j2S3Wre>Z@|;TAz-I0SgUKOnkpet)l8vXa~i1MprmHT6;rNXuMRC< zV>)L6iBR(;3jmtU+h}o(SUauPFmu~{D5$xQTG!Y_AaT4IR& zy$2{!yN0lr^|R$L$cjWk`2b0Wv(KngYAL*$7Ua9lRp#LO4(Kto5C$7x-sBHK82$r; z8F8Dl#VxecaTOQ&HCSL>-5&)vDAsP_r2?b5R^Rg5DC@-Au5R=#n^~PN9kpz_`_|2ANd`GrJ@U7tZ z?>WInBjWup^73N7L*?^wSv-LmHhqcVN zZ;5c@3#&QDR85q*&F0C_(^v;@c2MP35$?-Ido2g&R=jrl1aN3x zfQd_xm%=;`khh*XKnfcLU)GEOG9C3w88UrgCzS4m5+3ss#F2GbY(nvOyTboOu4mtY zaC2kBo=qG9zvrE9QR{*mI4otQq$x9%SZvbG%}GAhL7H}k| z<9h$)c_O3l@xDBbn-l$}=6JkiPrB|nO!rv-rK*AE>*K%+^IZ;0^{JB{a-&)ykq$r% z7hg$;YDWIF-!T|tB3awin;x7YNFmxSY5EK#MWJBn(~y~_PYoySV;+km zr)(JKgReo6dAPokeNpqR3#=X>V?EyWZKE)K3x)4F$HJCJj`ZOnW{b~xYbQQkKjeN4 z)w&olt=#Q~KX>AxC)go(UEBA{M1QQ^iJ$?=wisot9X6Cu?@uOf)Elb>`nZN;plcFx zcH1v?57}KxxAtiW-dZL+w{9i*NkGN2ns<5C7}_+c!iyJ)=YD3;2Yy#Gt2MZ~_K*u% zfIO1!jnP9ll@JdF!vYGgPk;a@S#;QhC|v--d@&l%!0RAt)Sje-A5TUlF{L zYC6ZYPEzyN0@mkz{Sfz4o+tW{?m(zYelt1fW3wN-;6MBY4#KNZ`UHA*SLrjlcNx{0 z2W)YZ)>QJ^J^&=0&_n$Z?Yi2dy2G93iZ$0kl^kK%({-T$7mK^@)U%EKY{Pox_riDa z4Un6sj}Kj9Q(kr9p(YNeN3!vf?#gEYMUn*kM(If8m=Em=|J8VjW!KL9psO(#$&o2- znIdmveaYkLkHN!c_taQeZJi4$h|{L5zNl6S08uY63IqG8PvWzO_Q8~*+7hr)mIR{6 zAl_DnPgFJqT#J-Pv4~yj%u_Q}`|qCvnSSeak9OU0&-jLf=ljdoJ3`2#bf!%b$brb^ z7_iv_=(0|UZ~)({Y?qB0-q?gqzsaZ{OjT1m4w&pPIJR(za@|OmzQCO-NpA|q`;0c} zW=6BSqi}Vxv%XiSdNNzG$@v|fL=lPL$XQ8_49Q;I!8?hYjJ~?|aP9iVz-Sb#O%T#j z0>14E_rNFYj4Lg;^g!l0@&MZw17C6@SnG084Z2B6L-z zOASRSt>$gb%RsrB(?aL8si>do+3^HU(IW1?PlrrgPh@aXMb^jnbBydoh-J6+|45Ol zJ=Z!3eT3PK4{Mx)UXXN`NLX-QXfaRcsY4vgt|uxZuL6>FP_MKHlQGi)Mjff-zZq8~ zRi|F-lkXkU0Nqc#&5aOfv*#aUDb#8k_c)Bvr7h)&>0s&LOa8+t9sVAb z&4qoZN(<=du^0DKepdJNh0L9vIeN^BQcU4F3Z)w8v-XgT8ik^SM={VlwgQDQCr=Vv za)k?Covc+Jefgg?tnzGypzC3;V3$`i4Cg<6%Xe_1PhdJl zcTMyY*+J_x_LlWqhhR0$eu&Mf3`edfpYrgeJWUDJ4S_^1p1^8V*}6GaG7I@e9!ZLw=$rEEE`htTq6l5#eV$+SQ&Q@wa=~Fz`ZZtfG1a2n*kXu3Tr$mN0xI)vub>y za-Qfv7ikPz$160CR`u)%N0*r;m|`>v62AnEF9#`@^^@D*zlja;13KOI)MbJ?Eama-u!W7wy%7*YC*npw`YZFo{Gi&hE z#ZAj;FhjeDsAOx36*wkqLbJQUXKyT6?!M<7JqX8+JN`AK%c2+PN z&{PI3ItL(|Ftq>pvp<8D+-O^Z(ykFR`~q;IVl9z!YGbu-jf2+{SWoSSYp3=r=di`B z6)AG@S`WQ&k1tQz#dWn|J~Rh}TTDyu56Vdnb=>-7 z+A&7qX{O~Hd(3|rIu7t_5(xbkyX?Z#6DErK`rB*It*CrG=s$4?m}O$YqnMlg6kz4p{cT&I zK-TGV1FzObAUw2V#X$!!68|9pro5F9P)IXhA5j$MndP9~l^aNUO`mBic;Aue8w?OS zHi*<2IKgbvBo0SK#+eIA3lgbL#Ij$GQ-Crf-)K~t!W}k95R&ppwwA$Y2DpCa$ z@p^KKNAw-8`kWqlrTwKK_z#97K!PfS6iT*0T$|0f5F&}pteP8I@Sq}N8+xN-@q&d- zLz;+^f8WmTtt0ZE<`g(Jrj;%zwK=#Uv|76y=j@#Nf@bqe#0(QY%LRpsGUK|DC~}0i z9Rs%FT8?iV4ml;EMgMQHU@iz&Y({HOx-5_wqH3q&6{H_|1&lb~h;`-HRc~-Cl=vBH z)_U)D@JExd{0fDaqj(~mM<#g@x+-vsMZncC#jl71nr-A>ihMy6t>xjU1#K?8)i;`zI-E?~P^#0nJ^H@?%tj zZyQPd2eec8#S_?iwl0D`t#6oNJIL6<91K?vB36z@F-ZWL@i})Qj`@v8Qw+1Tk8yJg z2i6NM`#KN*vRFz(pwM>1cq!HT<~PB7A})>*c0~>@!+B0FR8#jk+r@$wY!sZGO~Uv~ zm5N(^0z#4bv!yKvwc9`-5)sJ0eYGQKTJR5O4MnA4wn#(e!r7X`o?40!FU63xs&k4` z|0-5l)74XlLmh>YVta%RuCtXgk(s@L{IOZdafUx5?7h*o2c>9MjY{;(1&;X-aW^lD z=m(QCL;9u#ge###c}X|s|G|#{t>M@Q%+QpUD*apbOYqAUenmUStzbGf1&UdevuyTk z@8WOjFE;jC?N4Ek=SoTFx|(}bqQ~JUBa|8rB98UI}J-5ziSX7{!Cwn!|}ljmY~@3>kRH|6n@|Y!KW%B zeV%<8{zxPO>f#gps9G%3m}Z3}&|=L96@D{luFtHbYWds3>3Lp+o$tPdN{X`f7PGqb z#8UV7M?-aUL`YC zbaCAxQi(1YQ6eJ5Vho7D-aCuLG|N!BOX(PgBTVx#fZE~$Qf9R{i9%ibgqxXSEf&`_ zGlIcdRJfq!3#Aa^zBi>gbUwA_P*PYK!%2o4P==?7jBR>#v( z44CW#D8iVcp+R=AE`g4#c@CQlG?=P^PED}8j^ijc*jERcA4W+-vaRxB@loqzo-Blz z?N^@f{R(ikeR#6iQ1j1%{^Giyp887vp7qgqmnTnNaVG$w-74-+?RE6ozuf6#f0H*2 z70ifO)Qq7ad_c`+VYL<(y=W;KMcAD~Vbb?1ryc;yfwv#F@6fg_%Zv4TnwiRvW}(u7f!!MUEp1s;do?k3YwhTAVWCm%Yj z$ykGtgmt;Dd4IKZE@otZyW2(h3`$_Y^tgR} zi6rH6-djRLmr)LGQvn~A@4nk?xrRpS`WmPD1gMKODZ$qE@>Ui&X8RLu8xz4bF%kf$ zwxiuM9X#}n)mXpmrBdPmB0tI%0vidJI(un;%-^aUyDjCgEyBoIHML43i#x?2i@X4C zVRu`ysea6%7S(ZnLFRUSg}+zeQZ7^9o~F8jVuYCBQn;adU981 zwXN)okdUDOw{>B@$4JgVW9Iy{hn5YitpZ8bA(zBAD>M7DMW+4r>VzRxdphyC=L)2L zjzl71$vq*H%Te?`rPy)w24GX`+meSLp7Uer9c}WlB)4G1Xf7$>Hh#2@ zZ4)Thd5_Jfm4F3&dUjX(nf!+kkLX_eWget$cuK%y)Mwz^!sv}uUN6Wmxr<_c^9Y{=5*8Y_n!3BYBAKC%gMd1{;V{K9>$n?xrl61t>b(`WGT345Rr&0KQ2?8Xh|y9ojHBomv7tkCHJ* z|DVAkbeDsTK3{2$=={SQ^z*+-wq0}_I>JZjw_J0DgI2C-GGE<# zvl802q5@TCP2L`GLW-|gBFgxGnij7`3VntISy9Tl{l|0=c<27@}m=e8-T!8^VTQnh7dgwJ5y9L{n+ z8GA*BJ4Yw~682(PQ^n^c9&d2ZIVdxdQemqv61dEo-z_N4FjgRxuj@sDsg58ZC(9dtABk6|6l+c}5d8O_gv=_gX{`0AY=^zeMQd<@%6 zAA@v!1o^T8<#_-G`-nXqTOYe|q}xAmVsKSHqgQw_%je2A^++d2%_Fw*?Q^e?guqFc z!V2C%M53A}>u|vHya<&~Jxo7a3oMNE><4iDJ|6%Q&lc$uF{!?$v@FyT`lA;oR3u3g z>rGs&%y8u$kvws!=Dx_golC98&1GgjULZHpU70?aZ(9U+p{rr@yp!pYr^k<##hFMv z%W@-c)bN*m%#cSik{Mqb1yR`l;n4~#sc!=vB-sD9W{640*M7_0TjxydTEUW)#3#Ce z0C~NQn9-r;o#mL|MG8}3h0!HmFqod~_LxId<7%aIaG)QzBanxugVtL&TEt2$vT@dL zO}&=9;JN|;I9U2-HX9@!^-!Z_Ffg}y;8lgSD{i-XKbms9scBx)r8_AbnEj3bt1-%Z z;l_$wj8(}DE;(I79gj}{$q1C?!Ir&t0FzCfa(e+Eec!^X540quETEE1)^h2+?||Jp z#fE`bB%nL2((9P~?3>>4CW8{|R*;RuXZK*9ttm5wir+M&>a`(d9w@_y-OQi3276bo zyA5#hd+mUZVTf9Q;{ErP*CDeGtUqh=s?jCLYPxP*4m6B=(b~a+7|Q8jFr5R2c_#Dh z_PHi9D;K$wv6!eNv)2@!8-&Ko1HEBX;f~2Q?=^Ms2wL}96(J$izWm`Yi$ml&d^H}o z-zCfJC%HptCi4bXz~1(F!ZiEt3f;H9gz0!@P4;`ML90r$1X0g9Zogu*n+@&*Uez-( z9ki}0b$ur=jU`_jA}QiB(g}rl)n-L4VtjhWe_Hqf)VXO{U}@&}RjB|~%Jx^rK1myK zxfg&#mTI%Jz~B`71klj^p9U*Ja2L?VH=6xuLieGH)G>efvYn^Bz@ni*fz~LeJ)>LStEcq6G zrap_a!dGEi=dQvrC9wPno)ANrAujm_1;OsUiIe=h%N6Bf%v=R~>Ni++<$Ln3Y^=u? zsAo{|^&2!avx$bNRWYIv1P<@i>w18Kt7)R`O2RR05w*^QGhq{{)<6S6qs8gO-+_r) z0(H=@)&;VrX-{cSqPY(_f6A@V!;-DqMe@FGK_kP4(oIfGLZo}^;-b7^it{JBpo5a_ zvW8wja@-e_N&G5_4{+@|=kP67<&^CJ+1W_yNek+Kb#1IPfjDsN`-P%; zyo1vDSa`5RhGC@p5r+$N3n2?O$iRgwi`(+KY6nC2Kzv0o?^*s|lTsy)hh=Bf68n9f z;PJ&l7N6}%e$bD5j;<=1?NuB!C=-7Qkcjf3)_tVe-nYX>)Nnim$DI(srht)QXnE9Y z3Ho>PNKDQIY>RVZ0&f8S{^Fjpf*^^L;r5JYl}Veid%+88VPl7-%L&;Rlu66nz+tK} z!)lW#3eZz0mz}k8je)N~Yq2EU2fHZkC)3`Qyzs6y-#~oFNFKg)fP{^%YVIc3;Yl!~ zBUH9cYS6n;36B+IqAMPipf%mUw@|JTNL)BI%hZoDMA~yl_IVsIfdzm!(FiSXHLkX@ zQU%<4q*8#7qe`zmUP1+nbO!MQPs=j~kf?ZQ0zyl#+*J8TN!YVv6FS=xKP-|0y8QPx z`6*RSqBnnDW@VozlgJ#X!T1T;>D6j2sUo0SaL}LF-D@epx_aJJ4xxEJesgCD za+MsQOXh{!UuGjac)S_s85nyh7z^IhV3w!-oPXf*@62oG6laReo@&yYLHNoTuYz)W zM`0Uqc}|xmT+SVFscdMy&`}Z!8i}qwfvYqw0d+lH2>?F?)9|0T{xc?KByL8!fXqaq zm!Xc4*=GA(7Es;$339eq!a%s&v!H9`?)eei)p16kV^{)3S*hiZXLaC%9OCX^z9-gC z=nKUEfx4`&Z_hzW#Y3M(5MQ>sI89jk|(o? z4z&|3#KaN3)uh~2##NPg&>8|$+lEudU6){}MfMYn02mRbpwVE7s2*cR?5{%U$ArQi z5RAUMycX8E5N8FhK^Xq@gY3f$-8nZuKk&=SR9VZ^t7Vb-xAT0K>kYNL0|06on?|;n zxL^Y%t*r9}jn1oU;EKOSgUL=4A6RLo|Lk;N-o&frIY@QnI7`yfPB+W3y4=$3*0*A} zkXo|T56xx-)3Cs2T$QlR?$Cwd0)JvFvr*|#gqv82kY>=Q%=+K)~#&nNE>IPgpAyNhL!AczW@WBQAyVxtp+ihdJfC< zJ>4i+i>y9phLj=(@BmozDb3YaSR3T1Ov%Ee4O5=?2H8y2+TRJZ>*y=- zcaWQ}x@M1aZow9+fPDzw^HuS0?^!P@or)I5H+ZU$6;!SA7*Amg^}FBKbtnOpCma6B4uo{;_^xnA z9ODIZ4j%%pQW9n#UsWb$f0X zr1Bk<*<4~^)hxik%T)i=hfOuwwB32~zoMliTarFY!TQl?{1L~_#(+FMcYSo%Q*%->TYpzw*rqgrN*l*G@532oaW z&eRv{1ME&;CUth3wEX?!j=Q2DyW>}x&-1;KFw2{Af10P)UOXugLFY^9tm=$yrQO%wD#!zx~^QD6L|L_a71xfJp3rJglVge z;^OGMH)A2V^`;MAawA%*rTwcd(T*y6r73|x@UfR>evy7il;*FXS~o3E=@+)R{LNG6 zh|@qo&C(W$G%&Fba2b^q_LECa&Frk#8TXn03I~kG2LYyB3aQAtQ-&Kf{`901tk0TmMwx_5a+|&|vy$tDt zh@k9{h3;TxYEJMdy1uma&rly!Q24wo%aLP0Qu;O>UOqDiWHlrno|sqF6$l_tjAy-k zbv<_MAf;z{^9}A^+TQX)XGe+k^C84Kl$jNA_#3m4Gy0wk~47x^n~(~VaYS7 znWSMMz*&)JbvGsJXR(K)Ca@hCqT5vGlDcz!FtMg*?7mKfv+g#!kqemquS57@pqL7ssFEIsCym=BON zqBh^50=_lLFUf$&*4PZy7 zM7N2EtdAF+cL7h{*4D(6^ofUBf*Bj32U>?T0@%sqXQQrFE7ICBi`R;*&;l8dm>d;k z8;V@>P{?VRJ#bY^$y{Eu;**6tP3YU=K4GO|AQv$zcO=a;=GBGv&$pu#NZ|yu zXodPRWY~&b*+E=u`oYDzokDr#Za8za#4{0Uq9BsQKAxlXVV!lpR<|_1k$#uJt65YY?iJ z4UQi4?t?d3g1xBX$aR+kJ94lC?d7vnzcR~|S_L5@zKjl7L+y1{r4^7_>Ci;}rVYQ= m7jaiqU9k?ZKFc*iRQZw6uVn$?R=YcLA`JJh3nX1k%*E)K@-j34 diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py index 0c0ebeb06..cd553da83 100644 --- a/tests/test_pluggable.py +++ b/tests/test_pluggable.py @@ -232,6 +232,21 @@ def make_pluggable( interactive=interactive, ) + def test_from_constructor_and_injection(self): + credentials = pluggable.Credentials( + audience=AUDIENCE, + subject_token_type=SUBJECT_TOKEN_TYPE, + token_url=TOKEN_URL, + token_info_url=TOKEN_INFO_URL, + credential_source=self.CREDENTIAL_SOURCE, + interactive=True, + ) + setattr(credentials, "_tokeninfo_username", "mock_external_account_id") + + assert isinstance(credentials, pluggable.Credentials) + assert credentials.interactive + assert credentials.external_account_id == "mock_external_account_id" + @mock.patch.object(pluggable.Credentials, "__init__", return_value=None) def test_from_info_full_options(self, mock_init): credentials = pluggable.Credentials.from_info( @@ -1064,23 +1079,6 @@ def test_credential_source_timeout_large(self): assert excinfo.match(r"Timeout must be between 5 and 120 seconds.") - @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) - def test_credential_source_interactive_timeout_missing_will_use_default_interactive_timeout_value( - self - ): - CREDENTIAL_SOURCE = { - "executable": { - "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, - "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, - } - } - credentials = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) - - assert ( - credentials._credential_source_executable_interactive_timeout_millis - == pluggable.EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_DEFAULT - ) - @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_interactive_timeout_small(self): with pytest.raises(ValueError) as excinfo: @@ -1093,7 +1091,9 @@ def test_credential_source_interactive_timeout_small(self): } _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) - assert excinfo.match(r"Interactive timeout must be between 5 and 30 minutes.") + assert excinfo.match( + r"Interactive timeout must be between 30 seconds and 30 minutes." + ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_credential_source_interactive_timeout_large(self): @@ -1107,7 +1107,9 @@ def test_credential_source_interactive_timeout_large(self): } _ = self.make_pluggable(credential_source=CREDENTIAL_SOURCE) - assert excinfo.match(r"Interactive timeout must be between 5 and 30 minutes.") + assert excinfo.match( + r"Interactive timeout must be between 30 seconds and 30 minutes." + ) @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_executable_fail(self): @@ -1136,6 +1138,25 @@ def test_retrieve_subject_token_non_workforce_fail_interactive_mode(self): assert excinfo.match(r"Interactive mode is only enabled for workforce pool.") + @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) + def test_retrieve_subject_token_fail_on_validation_missing_interactive_timeout( + self + ): + CREDENTIAL_SOURCE_EXECUTABLE = { + "command": self.CREDENTIAL_SOURCE_EXECUTABLE_COMMAND, + "output_file": self.CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE, + } + CREDENTIAL_SOURCE = {"executable": CREDENTIAL_SOURCE_EXECUTABLE} + credentials = self.make_pluggable( + credential_source=CREDENTIAL_SOURCE, interactive=True + ) + with pytest.raises(ValueError) as excinfo: + _ = credentials.retrieve_subject_token(None) + + assert excinfo.match( + r"Interactive mode cannot run without an interactive timeout." + ) + @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_executable_fail_interactive_mode(self): with mock.patch( From 370293e84a14af0d6c6b34287bdcad020e0580e4 Mon Sep 17 00:00:00 2001 From: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com> Date: Fri, 11 Nov 2022 14:53:03 -0800 Subject: [PATCH 2/7] feat: add api_key credentials (#1184) --- google/auth/_default.py | 7 ++++ google/auth/api_key.py | 75 +++++++++++++++++++++++++++++++++++++++++ tests/test__default.py | 7 ++++ tests/test_api_key.py | 45 +++++++++++++++++++++++++ 4 files changed, 134 insertions(+) create mode 100644 google/auth/api_key.py create mode 100644 tests/test_api_key.py diff --git a/google/auth/_default.py b/google/auth/_default.py index 67a1c369d..0860c67fe 100644 --- a/google/auth/_default.py +++ b/google/auth/_default.py @@ -479,6 +479,13 @@ def _get_gdch_service_account_credentials(filename, info): return credentials, info.get("project") +def get_api_key_credentials(key): + """Return credentials with the given API key.""" + from google.auth import api_key + + return api_key.Credentials(key) + + def _apply_quota_project_id(credentials, quota_project_id): if quota_project_id: credentials = credentials.with_quota_project(quota_project_id) diff --git a/google/auth/api_key.py b/google/auth/api_key.py new file mode 100644 index 000000000..49c6ffd2d --- /dev/null +++ b/google/auth/api_key.py @@ -0,0 +1,75 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Google API key support. +This module provides authentication using the `API key`_. +.. _API key: + https://cloud.google.com/docs/authentication/api-keys/ +""" + +from google.auth import _helpers +from google.auth import credentials + + +class Credentials(credentials.Credentials): + """API key credentials. + These credentials use API key to provide authorization to applications. + """ + + def __init__(self, token): + """ + Args: + token (str): API key string + Raises: + ValueError: If the provided API key is not a non-empty string. + """ + super(Credentials, self).__init__() + if not token: + raise ValueError("Token must be a non-empty API key string") + self.token = token + + @property + def expired(self): + return False + + @property + def valid(self): + return True + + @_helpers.copy_docstring(credentials.Credentials) + def refresh(self, request): + return + + def apply(self, headers, token=None): + """Apply the API key token to the x-goog-api-key header. + Args: + headers (Mapping): The HTTP request headers. + token (Optional[str]): If specified, overrides the current access + token. + """ + headers["x-goog-api-key"] = token or self.token + + def before_request(self, request, method, url, headers): + """Performs credential-specific before request logic. + Refreshes the credentials if necessary, then calls :meth:`apply` to + apply the token to the x-goog-api-key header. + Args: + request (google.auth.transport.Request): The object used to make + HTTP requests. + method (str): The request's HTTP method or the RPC method being + invoked. + url (str): The request's URI or the RPC service's URI. + headers (Mapping): The request's headers. + """ + self.apply(headers) diff --git a/tests/test__default.py b/tests/test__default.py index 7f19656b9..b10fb192c 100644 --- a/tests/test__default.py +++ b/tests/test__default.py @@ -19,6 +19,7 @@ import pytest # type: ignore from google.auth import _default +from google.auth import api_key from google.auth import app_engine from google.auth import aws from google.auth import compute_engine @@ -683,6 +684,12 @@ def test__get_gdch_service_account_credentials_invalid_format_version(): assert excinfo.match("Failed to load GDCH service account credentials") +def test_get_api_key_credentials(): + creds = _default.get_api_key_credentials("api_key") + assert isinstance(creds, api_key.Credentials) + assert creds.token == "api_key" + + class _AppIdentityModule(object): """The interface of the App Idenity app engine module. See https://cloud.google.com/appengine/docs/standard/python/refdocs\ diff --git a/tests/test_api_key.py b/tests/test_api_key.py new file mode 100644 index 000000000..9ba7b1426 --- /dev/null +++ b/tests/test_api_key.py @@ -0,0 +1,45 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import pytest # type: ignore + +from google.auth import api_key + + +def test_credentials_constructor(): + with pytest.raises(ValueError) as excinfo: + api_key.Credentials("") + + assert excinfo.match(r"Token must be a non-empty API key string") + + +def test_expired_and_valid(): + credentials = api_key.Credentials("api-key") + + assert credentials.valid + assert credentials.token == "api-key" + assert not credentials.expired + + credentials.refresh(None) + assert credentials.valid + assert credentials.token == "api-key" + assert not credentials.expired + + +def test_before_request(): + credentials = api_key.Credentials("api-key") + headers = {} + + credentials.before_request(None, "http://example.com", "GET", headers) + assert headers["x-goog-api-key"] == "api-key" From fc843cd318e4ac4f40cf83bbcd7c6eae2b597ff8 Mon Sep 17 00:00:00 2001 From: Riccardo Schirone <562321+ret2libc@users.noreply.github.com> Date: Tue, 15 Nov 2022 19:49:00 +0100 Subject: [PATCH 3/7] fix: ensure JWT segments have the right types (#1162) * fix: ensure JWT header is a dict before accessing its methods --- google/auth/jwt.py | 15 +++++++++++++-- system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes tests/test_jwt.py | 23 +++++++++++++++++++++++ 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/google/auth/jwt.py b/google/auth/jwt.py index 9d7b76e73..21de8fe95 100644 --- a/google/auth/jwt.py +++ b/google/auth/jwt.py @@ -133,11 +133,12 @@ def _unverified_decode(token): token (Union[str, bytes]): The encoded JWT. Returns: - Tuple[str, str, str, str]: header, payload, signed_section, and + Tuple[Mapping, Mapping, str, str]: header, payload, signed_section, and signature. Raises: - ValueError: if there are an incorrect amount of segments in the token. + ValueError: if there are an incorrect amount of segments in the token or + segments of the wrong type. """ token = _helpers.to_bytes(token) @@ -152,6 +153,16 @@ def _unverified_decode(token): header = _decode_jwt_segment(encoded_header) payload = _decode_jwt_segment(encoded_payload) + if not isinstance(header, Mapping): + raise ValueError( + "Header segment should be a JSON object: {0}".format(encoded_header) + ) + + if not isinstance(payload, Mapping): + raise ValueError( + "Payload segment should be a JSON object: {0}".format(encoded_payload) + ) + return header, payload, signed_section, signature diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index 93947b26481b915183644c6704f2abb62927ffb7..a36de1bfb2cc66f3475979d7c0efd88608abb84f 100644 GIT binary patch literal 10324 zcmV-aD67{BB>?tKRTGv5qGrexy_)t@$hDQc4HPtFLgsMFEx4^(BFo!@$dMANPyni{ zhrBHE#4SuJDm}~Ur+L+L04tAh{*N4o(3SXdN^Iy(NcoLPWj_jG>oLAJ>z;0iOP8`! zlJy%~2T~_W?BEV5xU_sOECO8&a}DdBR!Ue8?dHWVL&`GyL3hGR&8LVOO!hp!)AfZ^ zo5_6~R3+*Ck`KZnp+9CbnyCH-R`l(qFibN*NH`%q+ZzHz_6>Mf}JfxqiGz(D%^Xi2v?V}zy?#S%|aYl)49dzyVYL2?)#(-zWWAZ z$aENUOKy_uYncA((@nQ>OD>iaC4@F_;h@YWCfn8YQZ2Mz!NJ62`@lpQy43cfRjw%{ zkz=nHm)y33!2t3kl1})G3-dC%rSKN0K`CIM^@G#`sM^S4&E~i5pd!&iKW2%iziceKNGD?{7G zg!|ubhI@BoAZc;I&HrlCfOGf}fuMAyevMl^$TY~U=b9u%+Xq?F$X=c- zb?}iXlMs6|RW@Vq63>P!b{NDI6{`M3M(&D;^Yz*^ep-Rk@4H^`;?$}i-lqPcsK}q+ zbIv)IL$OA^6y=5uV879Tjg$8`r`&){%VCOQ=k{mX1O0E*BxA?^oLEePb?yR0%H{l) zAmPahMVL}%bcOh=Sa19RkSQxQ;@sv9lDXiHgLFaP-VFJ%A%q9h616}`2;4CvJS$H; zmdz|DeM7bRz^LE0r-x5;1w0JMBO?jRyfP*aB)%{{-y`!FhN;Rn!1nBCck04qJ%JdB zrp4l|`uHIJsli^-oe}Ddt7Vt@*;jc7lkb#I+>+r=3-XZ8w@LcQeIn)r3__4o6s`pS z=BBr~P1W;o;ldn#25JwTw?uuSOZA3uw|mV40_Nnd-2H5ftegbE-Ir%2Y|ojh0UVxJ8N$wJP3Q+GEOQwdRE#3<*gmix1`8&7)pmJ+UA>94BvdC2e8vipU!XC zU7hrAsV_dT>?>mFny*OhJAVl-(|p5-CgA07p_(P=A{bW+6sU`|f6wl#nCSogHYsL| zw=+ltfi80m^gACe5779AQ z54vK=#-w7TfUE%qlLfHcSVpyhjUy^WaHT^OLeHNP_(+TGhBT|sW-xSVJ*>oaQ{V1z zye+DT{Bx#}4x0z>aq;XwS5fqS5%b~S1tS(y1--yq5&7$KtJXlRYkMi2HbqFUia4$d z0k&`Dqdz+HI1c~So)`_hvh$g!vIL^0^b7&k^k^DPHi{d3)yDMVe5&aeVDDr?q@r_P z?hMaeulrq_0)KG$9JMug>3B`Lv{&y8N|eMMe`l}`?c}1YJ1Hzkmuu*I#<~>_a$i+` zF(PqO2gZ1V5S%-6EbkWT>azH}wKe@l@xebtn|?jX=)4?pG+&h&wjr!I3K7PoF%h<~ zI1mtx;g}-6!Z40rQHGln31m;xqD^KP(>i9u5C9FZMmhj;c;vSukl9iC$`R=2wAlG` zm>KxfM|c7StKdx1vpLHsLOa>M1`Be&x%mQ2=%dsXrr8=T${m(B9yTqq{K4&wTtee+mwOpM884{iKbIgwF= z%cJBrVt#64@lnL}z2A)4uvo4}(OWnnk=D6ID{J{{bdUx`aDpLJe9cei7*rd26lrME zG?`n?m|6($*ukyCdAG9^+kPn=9TZV+9Iw|EJC`~Y;o)tGUtW{j{nqG*a^rhT^M?t5 zfO(Z`vXL*M`xlhL;GsuTET2`3QDF~^%IyssEK+5jF^`iwu#Ch`;k?;1>X?klgIW4k zSdZK(aZ}74qKrw8_gboa(<2$L-@YAY&)xR$`vx{-^{z$$%g6~6JsMAPZT;1n)MK(D zNUwDVv$=f|;5Tg$mj~Y%*u(Lk%N}Wj=rm+E)E}bNAq0l=Tj~D1l4H)Ll4@_CzTuV_ zOs%Yb7*SD@sgeeB&P#(f$JDS~s&?4gq);PM1P*cgzY~YKwd4izH90H{s%r$z&^?lM zLM_8vjvd#I*+^F9mFNh@bL13; zL?6qEW>y|)Y_azeX0q}37n99_j?_lVG;;aTw0V(sU=!WNCphRY<%OjtqiWHa)OA!^ zKl}#l^WbauDj#qnV;#tKe~nVi7)@cd6UdL!`U*!ZOqKT-*(1M`kW^A~4*9kh^OCC` zN-Amth-(}Q{gRqs5E&;*VZvBfxhWT7M-8!gxbV~|%pg8Xq+{FI&hx1f;`EBszQW~q zsgex!VVO%+7|87M;YiE*OQjoM)yQRCoB^9yEqlf zOI?IqX|5|18({n4B0M#u81|euOq|wD>FnEzZA%~8)Sue$3SgDkAnb@mt5PFfujMz45y8_8G*l0} z{^edTwxIKh!1d$>b7f!j=NC5z%GerJ=oQZ|R@d+?l)_;Dd~(YbR+2xbX`%0TqZ z#iu?3b@AUl7~M4fsT=NoOnoT$?PaQz9>D4B%RQUiPm4G^d!BVPdhG=+%-jx9WzeBX ziKJ=vT+q5**Ly^mpQ)zoRt&7J`O3#33UdNjLXZn?wk>*=P(L-WaZHjW8_+kiAGM0~uMdA195JRVf|j zfF#@MF4kJU#(6yq{3a9jVeQu8h#Q%Ko%XP4ywXwR*-1LyG4)+Y*v$ktfL7n=LDgZw ziGL%w@NgfTu{5*G;r%*~h=R+f_(&B?Ap?Tn1ND!(2V=*;uygmUJ3vzfVwbMO^!}%n zQNQ+nbNY}~>RS!6x^XFk0zdd|Rt59L6wB=i&FaQXu^7mnA(5i(;NxP+w8@zyDOMXM z<8r$#at8Bnm+$>uNr~up&Dw~P#dHdKo7y5vHKJh8&f3u&_lO&XF63hoZA&Z?_7IkN z@=8=u@a;WHcJ{UYew?56U9svebKUsQRxQTg`YM4=^` zJal%c2G=hQGXYNm;>?F3hoMqACe~r%$Gz7FZ4M+E$2a}Qz6N)vZR(G2LEsuRvH`_J zpf?tQ#x{=yTLi!jAH647c1qBfD2d(Zq+>c3w{yG7!ZxgY45!hyMvM+wf}G$WSzz8` z$N^pYLmE21JL$ASIe{g=0lP+b7Ab9cxBY}mos_I*mt=eIT=y2-76UPuQ^@4HeroEE z;iB7hI@)w_w)q{Z{EZ3=KgpWVp?oOyDRisJ3&#Q<%>CwAw*o~EP^!&M*Eaxa5V+{Y z@=9ox#gT&JDPsl+*QWb+}CN`BD0WQJUl?n!Sp!%?f)w6_8zC znJ*KWojhKs(tWT-_HdGSBBBRa2FxU@ZrhoN!eEN3Z!Kdda4?x&BPXL(9a~J!N^htb zZxtbBTRFulf|xXh8-ZJyuR0CjMA+pGY4tSft}f`iEjYolRF%1HLEI>?cXjM{;C8F~ zCPmPxag_BeotK{armNf}zVG>LxD?o=Cx@6w`(y!ze}9jy{t|2=gOpg4PAly+GH z2l$2QbaT!+Po@dWmBZ{=&cDUuDCmpLw+o8~qZ_K>z{^>A{u80d5F5H~Np#3N%I3Pw zi${4rE!>7f_UH)4NAtVYC-0@Op--KaDD}kDig0kQ{K4>%YdYR5z)b?;A&auHXx#4D zEby`F0d}Z;v7T>&c`pn&bs+#TXh3Ex8Ohn!D^sDjWWl^pf}C?kUC|?5?Ykp~C|ro_ zbbYHre#9@o*Ln5K>UsG04Kj8&^B@-P|1hH6_(a_P;M`CcaojC} z{%US{yff(RzurM;^RZyD(;5N*=*!kxkQ38J7TES*o4sZ z>Mk@fuKRAIMb;u}+1HSXsyoo_ocz0O00mpDmBPYR_hf42LST)4xVK*9JWaZAbI(+C z{TnCzbrT5ech(QcukZxzm zPL-eHNAVy=qS-f2P*`y{S`W~DBT~wXTG?IDJ~KLLUSuG7_7$q}BQM_zmoCra*d1Cg zj&Iwp{%3*=-ck>P-3iQZIq%+-#tPvuabj04m{gekxN%)e2Ek(~ACOVBX zUMV%ZGsTy@aXYD~ZpMUbVKyjj`!E#kX50wuHkLekmX1!Ql8^q>5v>hcuBBzNSfVs?Ekw_1x?YO=wf8AIlt)oS5IH?^7PE2Xzf)zu8)LM$;I3W$SG(3c^U;3C*oV3sIJ*jE z;6g~!u%_)HTS*oBTn6fG~CNh@Dj<=dI=KX@Y1(1sV!F@Py>4m=<;=uY*WF5 zA;iz>zdAPzPFPJKD@iD*8AuMkR|AEWaLiL5q0G}6YM1gZx|!*b0g->gIO4=4wtUf* z+CBfGd=FTtVq3 z=NCTL$6nJ?CBa74!>@lUG>!I7 zmEC~uG>^8Zn<%rop1B0!nw8xG3Dzku8D1hPy2Le8UlULvxN7!FO%67@wiM*~)lzv~ zZlN$>LCd(Hm7zD*X$8i;fLNTpJsYFq54Ulg1aHz@`wfP@TA>b8N>+fEpDg+?GCNS; z;m%JQt*p$+ymfd%zWaiv`tepb0>Y`G3S8%R^c#m^vKO%bRem9(?cE?Y|G9_2>Z5Z}`GKtsp&Jb|)8NJwX>1wY!OHm%}~`;kqtL_ ze7X@bqp*pUPE4*qr?`MHBUjP(W`&#{!k_4grq{S`r%Jv!f1r0Sws)r1hTcVY75GM- z(*QcS|Hor&RBQc(No}-JXBu2x!87v|e-En_SQDOlbbB6$?5Ye0gq3w3%v3j8rT{e8 zqwt)=kcfKud=TsO6m@fbImd)f=KoX@)syk_K3MFm7AZvk?vZX7Au|b;Ni?84&qZEF z(U2&_`#Cx5BSZe%j{V-L#&I9(|L6rD;NXg^KIf36do0Qhi zFf$+q2?O|T|jh>oJXGkV6`pfG>s>@Nn-&Kg)FBm5b{DOQHkDREn)S1s)#$uUcuZw>5=+=k1a7!8HO`gI;XkWK|)%kAsoYffht%$ z%dw^k62W98#xNTa-cJ1MX=)-NZ?=t}kIiNHQW~$z+_7JZCW{rHg26v5V$9hgu=jwf z&DqWlL#QG!LM^4JZlvK+3AY&nQP^n$%L6^5*wEWNjUekBPF=7Y^>4z~rqt0NQa6Lk zEfm?y*I9%iT5>)QZ@2Qu!^pVFQ_V&=?D%&rn%$)3{^M_YvcE+1#ahOg!4u1yUM4xtBE|Od8@u{w1m4=7ls)Xn3Q5?sUCa57#+bl+&T&cy9bKtR%t7Bo) z?f`Xfq#(g_Xr9S{2z0a<7;u^(jps8O=)92ru+^4E4b&52cTP8iFvX`r;^!hJG0nrDir=Hgk93UlnXN=Z+iWn?8O2p zjjSN4lwnJHSmWyLS76B%yoa*M=s~LZt0V68p%bN)vF5Ba1=^2B)x&4f5GYO%B7JzfnRtksH;wF zEP74LmLrui@(qD&yqO&nKl=K-NMmxH3dSXv)&>%Y(n(RiKyv~F*FV^zGwN(;q8m)# z&twS|;vwkkXb^oGuL^{Rwwj{Q1Y58K$M(puF&~xd!J!swgTFxcy?cf)Mt(AHL6v!c zouj~A{rJ6uv>XF~7*I963X|?j+TOp@1cW;%WA$oY8*mnCK)5xsQ9$PUUt>-9UAgHS zt3QSZ$jj`ch#8DdHg8UUN|fzFw+EGZ+5omYi}%hcpy4v0pR-%n+To5I0rjgWViMPZ z>GPE2g+O6hqw;8 zr01gL9DfLj;!Dzw6TWVT$jPLXLS*Dk`#ZI$a2*mUjxGe?E^O5V<=!#`dlU|i;dK8S zk@z&wTH0TjU8A+^+p1USqBAEwLB&gdkf^ilLRE-*V)DExS7{ErIP>m(Yeao2H*jS9 zt6U}EoAnGRA_Fo08FRaBu|O54l(_HyyF%!Ri)LQQB^T9j!q%`~>#(IfO9NXcgA+3& zLgl;~E%+;huK2YrRt#H=TxZwfupsd@G1+xIeiQ8iR>M7U~ZHo2bkN>wFUL=`x9@;%)Fx}TnMv;bh zhWbxpU{lSPF*CH@E~9;1o!xm{EJq8VN>3`gfE-}bf_Fzl@cNby@(~#v>tpx1nQk4> z$#wDk9GO%|^XMp6QwLg@(KGOHNd0hr2uF%}@jwe*vX&?d2H6$n$G_CJ#lMZTj~^&6iy)X7A zB7_j*%eVXjRRjvYbT`F&rvq!1&?98|iDD!#^K$F?d?q|I?@%EZcHHBnNBq&E)MJAD z`2M8fAN6J9DJjqT4X1QE86Kda56!GR!6UiJvyY_y6i(6LiF;AMGR$VeFcv4mU#DdM zN*{n88JNSjxWD`Ho|8cX>x69vC980Oj`=1TR}^j6)yR-TurmrhL=C!4UkSO6fL?5J z5rkO{dnBfxSz%yj#-m4!C?)`frs{u)e>3 z{?CLren&)BK7YPsG4Mt_^>U#}HAlj<) zL7~%^%+yWqp6Il6Qu=?R%p={?>h>H;fzaHHXI$&l>)@09BabyF8u;Q+os zlEAppayf56((>?~RH6%Cx^3of>UW=c=;~m*3Nk2dMeQ4Q$=-7L$Snb+;u$NhD#ln0mXlOj z0*w)SX+#Du;fg5oMt%R^2N*@FrtcNA8Q@7=zAd(*k9DmY4By`eQ==1l3vBS1n?XIl z*9ZCZy>`~c83JOWyf{1uJKWb1zmeSx%XxJxLD9jpes z8l3OjoT8PV;&{vZ#9fxiE`_1+5~A*L_5(vs>-VasN_h>D5ih^N^^2nzn!|cjD`tn3#3!g0fsIO3V+e7yf;OU0~l% zuT)xc!eQLg6a!Kwx1X2b?)0z^icrNZ z*nY_ik>X-8_N;N}1Wkv7=7c}fp@%$=y`;uFrcwC<11l)BoRbx^xcQ0Ue9nLOD}OXw z#b|QplhpO`@SnuRUUU%>ogzg+WeR0_$+Ub^cw5Le@M`M({^{W~UwM0`lv9puEeSn$gul&7=NNuYIE!ZI zgD4ia8`d@8`Z{Fb5BhB6A38{=TAu`kn%ZmqnX(HSQ+vbXPs_zsNcjK7yL|`D-|JCI`q&S(=RemH^~W zN&%0Ql`$^dY|F^V3166E5f)THqLF_xa&k2Cs{&H<>R?J7nzKycYIfuh!Nc)_{&$38 zH6Wh+V-RCB{lt-$P*Ud%?S(S+nUSjBT#@OOp*6+=pQJA~eP`rjF?6%mUqQQ)>yG7A zs3afaaM1y4<;whm_11Xl=AzCp3MLYff_}oF3@oy4|3Q@uEQK1Lp39*NDNMNL6lJc$ z3q~psy`wY&AX*0Qoy244@c9(5l_Aoqwv@mTLDLObRAfHMN3x(K#s1Jfj06p?0mFag ziOtF)h4e>oXG~qS*%O@-2HDX=!hK>?8+Mw`)tZc&+ie2yN(7ZeDDE1Ih?bc^i#t+_ zU(EIP`h-=!Ia%;?t;#BKS$^uvn6H^vEj$<3fOGtpMLP^LNc>SL5_rmuFTXo=HHUVW zuUFpAs4Li<%lA%OW)KUvN0Fv-n_fEmE2_G5aZBkwWySb%bpx$Bto}|5!5MlJs---c zBH;Wvpyz2mqE1&<*f8UD$0T7}%|Op<2TyK=@{hld%c4hiD2~v%WrU>uOiC1@ae~VC zdUtGkHq@n#Q>=eS&;TG<5XUY;&zO&XNp)yi;8i=Ogw^>V7E!26#85EeG5HhF#Qlpoz-S{7iSoMzzUf$E;R(VMLi9;FVg!a zC~{ohXMO#EYc(_PiN~6PG!|59k$a57si3mFmFFX5Z@9~*z1+V=tzXmv>@6L_tauw| z;^q*2cZhR5P`j2L0gl8#cx$~t>gIWRU(YY?Z?75W=s+h4)F*7=*Of0G%(5T1q`=~D z*?A5|N*lk0_WB`7W|VM(oL1}pi;!-7=GOZ$o|mVNqy$z`zIPzi|F>+1lUHbZG1n=A zGp>r^vYm>$W6wI@rfhSBAXd()M0vXY8V@Vr$0@V#z|DRldYPtNI8KrH$3lI3ex3T= z(A?+eL*Yr-6fZ&AExtG-Yb!}vy`N#P=TYjAV2a2mm1(NTMeJDrR!cJqja1yBTw*~K zKKq(?>(FH<8WbuTZ&OSCbu$vo;a>CZ+)%#)Hkqsb{dz&~8K7`raCL##`n@!fGAXEv z^_RJSA{utWZGmxr>gUo)W)%|M5l46ipHz~O5yQ0CG<#OiCQ@U9h@5XMx6D|>Vicgo zw;(MY*(heLq$y&}vTnNNi}R$SB`=MW0XFa^Qenq8fy;i_Syp$fM zLT9S@)iM$epVW&Ay3_R{$Z$l88S8kPE@vX>-Tnpo(82&t#^&=HiLCTl>SA^AG8{ku z>_s(xI*MTs9<75Q9i-uoN%Q}c1D{IS_ya<(?(YE~+4&dg@rrF_td!UbPXr_6_5nsu1vXBtz|DV=FXFKlQuf(QD;CF93Kb#m< z0FJ8YlEcL|ZawU$67pr!QLr!ME>-u7D#8Ai*-GUVTb5?#s)%(hEXh6 zJ=HXXPBzG^3)~=suW)F*P0Nj4Ay_`#=A*MjUl=`GuJdcvp(J3NQzuwV*e=20#46`@ zZB>6`6K5)H^Y8I< z1;t2+VOoq%vNe2(XGpDFhigvm9o%E&1asB)oS#LiJ9{6yk`JdSg1T1)|Nnb@7cZcn mDy-@k1Zg`%SJc;RvsA$bPE&|s?{l77ObT5hQyVMY^yZDU?PWp$ literal 10324 zcmV-aD67{BB>?tKRTCd5F3fr3A%RfBF#y_G1ce>UmO(n`5h(%~(1<;1{Wub;Pyni{ zhrCi@js0TR*I{5r9v-m`<2u5L5O~4<3__I^#6SCpROC`vnN_)N56pF!dAHD9v?~78 zY3my0{IIFl82!1OKmY$s?LD%>*1I&yS1@qxpG`2wv-`a#;PqwH5z6X~^`23YjIDOp zVDVI3RY@?%{P@pcQ!H2U0vgX;bIf^(e9Y|h_vT+==oy~USoneV>?I>QO!an4XDO>< zE5Z&I3iAtcBZ6A8`Fk88t2Bq9Y^lpZA|?(0-6w8-h%SYfC7=^Moeg4rd~Aaa*~EO_68e9r7&M(^r6p2i(E5o^vYZ$?0VA z#T-)zDOthe6_;B;0<>_I3!8Ty|B(>D-*3{*&!_x01l&Hsd(K8>=T4fpGb7KihdY=x zZ9Wc9v!g}ABTWOZoH1kR zpmG;4*nh8h(H*3tgy6t(ekviOKJ$EU#K&mI{$N#}$Tk6mqYx}*o8ZfI+k3a?3CKzk zXg>9LOXs>*Te8XQpqJrpQq^e20h^V2!!5u*Kni+kb=DjcYL?~KgP;G4fwI25?qhpe z7NJE%>{j0&U%({BTD`!crGL!4`KFpPQ&}3SjjbzZQL2AIpVT{h2T! zN3I8(xb$aXVGrM8<-_#=QNm?@e?!fzjMhVY4}90LMmg%O&qEl50I$@q4ob$~ z$@%{mdyQ~S#aw?y?&AynsHpq1OfSl2%sS~6Vy?WlK%ciPCQXFIotF4u2pI+(kbh;u zub_t=4|d@JqQIq-jkVKLF9D&VGPJ1pNfhg*c*SZPx78?>SUp-iuj;yEU^2)2=-R|` z&K!USoYN9DpPccyMnzD{Cu!ZGGks4x0eUQ2a?tl?m~q4n#2qll%Asa+&(1)gnS?uh zt+K!quQ182qYz4MqHB*v0x-_QeVlFk7w|sdR!azOEPHi%GdP5aA<7+#V%Uk{9ghPj zSURTv@!nYNp-E44)22BwyCBuTGr19<)!`norBB&e+QlRqZ{LFk@_Vv;AX&;0J<{n2 z#~0l)=7hK}O_iC!d8OiL?k_>eB`Pf!4KsdigBb$s5FZ@~PP38~i?0x> zvx)+T5zWC?@6z%$Y6_AM@PHd}!2`K_(^)7jfP+)le8?=xnl8vIUq4Mssc`9(d~=q( zy`*IeG*;<>RE-R6rQuOC{Qbza{fV9d=HPYc_~UF6`(!5%=FQxLwvG}_#a7jq;mJ%{90)(S zS!gn`3k|{Q$M~J)Vko%~V(87JPd`7=R!b~vcgqJ=o9}-+E z`V}zFAl$pb4a#X(Nm#wjk-P!rZ6&CP88ztyJSLm3&sptkC}SQ{^vY@@Qac zEcH-E-*XSpJ2qXn$1jh87luwVy*gs8!`*GO!dm!=W5Hd z^Jf7hR($f^P-Z-g9gM`)G7pR|JlK+jw#an{w_D*4Y0EikU73jepjS@+``uegUT+Ri zog)!gaOq4vJe=C>0g{8GRFTEqnh|IP5LeR`99)YS>}_;2jO(g3W8 zC)X7ddqNYK^k14KqXEMUCt{h}lEI%-iThPRu8vGlcvn_yuVD#gBx0t6>hV1}+)JW% zGn{sKyKq^hP@LX^i2dRYb#I3Sc=aF^MNAWF(7m==XtI+uuDoUJvZFQt& zs)!-Na3HbN!j-Y~EZP$tUSS|9ga5wyLxL~}6P+eoim+7yn1h+cxO@T-i-Z5UeIOm% zS!$+8%zR_;nFuI;l!mBeQopW8+8bVzcK4+tID?NNuH2y5)Id|;chFTZoGk*SB9AAq%nt76)V`W%dL2$oHO@Vq@UBJ{+F3I7WJAb5;9 zsbc=(i7ZWy`kCE%y<;O^#%~-wQ9Qs|EHKWMcpHRh(%p2cQ(;qY(vM#e^_&}e8ERE{ z^s$-Z$V~g*juwn(r2q!@1}4~~0ib9q(ATq*jny>ARYP+kQtQBZDa&%zKApKMFvIn~ z*h{|-wV%Qlp{Sto{I*!~Wx4+bghX*O3*cFHC2K~u@kb3k>T1gi?*%vK+z}ClG<}~& zc>_f+P7ZZF@{QB7`ok{q_P8Wp_T_p%G3r$?^dbn^R zS>=Sxf;;SVC(@w`5;}fiP9~=rF#4Ke@H`B}Y9hG#4spgTDgtixJ zad&Rh{8OO5Jc~wYo`}RpB+HUq`9sik(O)C6eeAAI5d<=IFwtM>2Yxg~j1X1f_&G`L z{hZ*o(?XwunQ2u6t}}~N*!Z_qwd6Hxs#+ssk`Ume94pGC1?9d2%abPcLt01F!fAX( zN>#W-Rx52nuJ~1U4MhPx9nt3lrghg)Q)@%y5q95y;YYOSzOFtI1iQ6Ywrn}LHelFAPp}$-5-cH)}vz3(9TR^uI!!mDcn)z zTyi@Pb}l5ipw0ijf`?JD@|g*6-6xVe9gmuCY;!-sHQBFfFqzkBDJW=InjbjD$-59r zG-wPI78*vMSRGS7tUcQ5*l(#umvwV#13uRZY5;W|qoU8I3MPX?z6abR(jcOUFtn2XreS3Kh5%@>-)dNIKlCUnMXr z353PiU`BV;;~Rih?9F`&!Tti|GK$Eko7?2!us8q`EYRHfi2O}D=q+mLD29H6iad#-4{uWg>C$WrA$|m)v`!Dlu&Q zPd}P!V8zm8|KB%Cr2IAdL`ulwVkP#9rv5`1%n7J^P2(RQsJwb#dP>(*qVIa$eu`xs zZ~Ibxk(v_C3W}B1yuhF3WM_i%;J$mRfq4M4t@(acRe0j@>9bG0eNW+~yZ;Q!3g z(@+Ch(jYQ8X@FtR&Z}AphV}yG$R{kwrrbt_!}V!6H}35 zG5lI>6WE(g*m#E*JV1oZKOt59Ji$PtoOc2${%=0s8H-dMmY?EtKl>}ev4I`x>JvnJ zq(xrvEWAl)$O*723SuiTe0Rvxc!?lq;XRFDTljZ^LUK5a?vOKaWBsC*Jt@i{EglDv z9k>ShP_W=%byattPZ;xPq^k6!nmpcn0wU-5h!3JPM-0(s31XYhr#UpZ9JRUwV81fb z2!sOIy01`JwB^if{sM$ibTCu}X7L4B5aAVGmD=N$*p>jGLm@SWU4HSAh>Mm&k_WPh zAK>=I(#+2oh^?|z;4aYJI|`Nyu8`8(zFD)QW7f22IW!sD$m<-Li@dyanc(i~=mhh{ zqco@s%h$2ECT{SJ9{Z9BM4|deUn!(4P|5wfN~_KmX)G!7q z0+QHx{m(FhN(|J=`1;;~B;iHjq1@DQ#hvE~)KrS}|0|KprdVuN)6&N{XLiYnp_J~N z2hxP!ubB!yphV$XW|aOWt5y1{w&ygKKF7;qAPe*UxIc=nd4o|Q1Iy9qT&9Iw;?8h} z(ljk>E5T)kw+MQ|sRHkc=L*Dk+yQ9gz(LgMc)jXWYa<&YMh$I~j+j6aM$F2UsU27% zC8sYF1a>C{TBKGr0n4)*iudi;7>{2qqi^Ow_RW@$I6w?PNOrO$(ND_o9kDV?MQ}~9 z8BaC-srTG2KNLgWC)Zz9RlqI88pcse^S*k`@IyrUW7E=S6YyG5b)rZdyx213p$0Qx zH35^Aa4J6C2o__z-mfodS$opSZUm@4u&Z#d%(4$K0iC0|i>wX->3_2(Zl!C3*=q3? z$D)(dV`aCTUrVT+-bZtYt8ZZPjU+IP`yKH|Bysq{Rp&#&hkJYYi<;5(J6J7E=4TbP zk<_?Uj|ii<;fns(h5E-Le(7*wai!DF7SOaB6BCSTXj%xP)xa^Ef*ZR<87ab|Ap?{t zw&4qz!fb1`(h~jgchqLw+?y7zXbX98P_SvT$PG)Vr-Wm+s^(ggi%LCm;_C699rFxk z5C+XzqQxBBEe=znC~KV7=jqnDUppi*5L&?PvTXcF`l!u0`vHzqjsp7h78#O7@(5jv{V}1J zp~KB#*xj*LrK~}f7gj(i-p=p=>?tzsDWaW?~hhPVK^$ zZ6wAAM>(HQ^C)T^Wx1|-U28M+Opj75m{3@iU#8BD%lY!=cXL;Qb$X6Ud@B2OoLC=T zb0U$jz!Kf0?6%K&Ud>guAsO+u2hPra&|g;`MaUT@=4ood3GqyorzdOb?R;=sLkFSP zvj@|Jc&78B$|(pVj7^BJaQwvpLRHDVd66o_V_tv59jkjB<^Zb|sS-J;)|D)bo8POF zg(JN@+iM_YQsjiT6RJIDZ$9VG*m3g@znu}MMhdPCgqZT-IS0iydmA!L8q_V8S!9Yd z7WUux1kEwn5G1aF#Y@_}x@L>^7u2*8yk~CK1os=#dWI2lURZ_|Z>Mdt?c9R4^6JfyX<`;Ba|FiHCKkvi>YVhic*UX2}-uix< zGSDHEEEzm2hT)GEN40b|MaDT$Pzrijrvh3WNrbH9ea^9W)hrhTvMHu??b{bHLhE1B zG)|NH&$Rvr<;~TR;X%+rw<0kxdr#|Dz9BTG+X^Cvt?dFa2do&~{zM8j?&>I1ezpUb zvMVL}jrKvzS~27e`o0OnR1u^-N_18HtC?A(YLV}MHj1rt&J2En?BUbwhT{TL|a;rHd`kh zISN}zEq52*Vs0+uZik{5m6u3igx*P^Y@KagBiBRqphqs-tJC<}r;~MQ1_*0HzM{#7 z`A76*yLlI(V5ooR?gusD7MwfyzrH8irGHF(HK{oaMlY9$ZIx8nak^*=hLLLQ90QCL zfdA|`t$t^iPT0iCJ2#RboV$g^SUK+K0`y|hiJJrZei9c7HBO&BFu#VZ?8=?w!MSL@ zSS(1RCJX!;dp6OUW@|FhDQ7#B+5BrO1i!7qFGx7tDZsbMkg=>y$yW(Y5nL8vYNZo! zQM@F}ac*h-4U9KRo@$4@aF!%4tnH5)LZU%K#vbUsCtLcDC$AeHmvC z%{v{Gz9dWd0)@#cp&XKLAOSYlt(*fMgIn6Qfb$A&8S6;)C@H=t#z3)-oS|TOEYO-D zVzEaS23T!c^CS`Be|l{OZ8bSBf<<;^kl1&9Z(EIHo*_yxpk_j=L=M{IcCp=o3CKyT zgozRFBe%M8kVXQuC|Dr9hSi>;=~B4z@F=Tw7)SfiWpgY0=dBUsw!w3}3^iWw@JYM? zCdUwZvfe`+Sqyx@Qjh!7xAj%J8k5c~ziJwMF)$^4g_}Ifo7)S!kR*=}z+Tpi-TE@9 zYHJT0)yQ;fADNL9U^x(6`7@&4sPdJxqejFc^g2W3#9Pw3NnvVS%TDKPu3~S0l(=pi z$!8hkQhr!q}ccMW{5rL}w)Rx@K#*%T%P*J=tU0ciNF+Kz7L+ zosat);|JL5SzD0HIseaoa_<*Z<2J$4sT%%+m9+Pak`PK_5S~- zL!LEx$0d%=K~flyS%Je_i<9XLY^?Un$Fcl=Nzh{RMFDjZntEr}8Qi{Ln+D`*P=2M> z48F$&79PIzw4sb_W3xH$xK1u8KR!_2XJtuqs00;N1DP${oQrw**Fo@7@s4&ljWSwB zXm9e3IDh;+FRhdaQlP>s-lw2<#tKJb1I1wRG@e=4%?qMF5unR{N2py%4(b4KLP3*t z`>5VtiYCpPl8>twiyE#pxzB$nUQs!F**Gwys`P3m$--XOYXwC_2>vb32O`5SdJ+ru z2JL&{obkjb>LZAE;b2**`)py^>;oI+du?j^ov*hh{T4MaM74iyRkijh1;`D&5k(0; zzj;;?RDV{0UqHL{POXJk{m^R6Tlcep{O*K*(HU)RtI|qw$1^Drx9+B6X}zC9uuUZ4 z{BxbH!sjjbSMIwEc>!mLd%_`{tSXp~mM%uPR!+nFI-~%V^}J@acD0ecz-O0mYc21*Xa1;bPIKU^2-am{~)R_ zz{^b0xcwxQN*s4i+Q1rs9r89-Vr)au^Sy&N@qDYscd&4GN{(_wjWvLehVCmwVt+os z$M{Zy3SraT(f-I8)Dz?DG=4~Lsuym0lF&3jJCt_9%_Ft!Fin(x1$~ky!;lsWKF5|y zOO6y1B7}T#{XrY{dk%1aI&?If&#)=Q@iL&247A!woUNSeY-6_m|V<|A&T zw#y62dh9Yt$fP?&{t|4$@OSuOJsDhtriMWj3YAy_s1HAyApU)?c+N})(W*`N3-d6a z(d|_Aw#};9;&40vi`C9pcIp4;`<%-RR~2FYTd?p-9HV!0)4tIIg%7VuG?=LtM@IAk z%h~0!#!7zHD@NymEeYCGeqgPBL#E|+v;s=lb~uH9p)suwhXRJyCTpenH zUE8)oH=gqs-j;k9&E_X%<+wFCM_Fj5KHR8QX5AW!5a$=gFZLd&pcN9Ir{jF#IAQap z@nbc4?M`YnP2DJeGTgiyS6rEb2ANROc=73z zCG>g%4Y_cjz=@kCu@Z*LDd1Qnyv+?fdz?q%NK=(9^1azzy2`;G+9!H+k+Y5mQSxyq zws!p06|A`)+@tTq1K_{^Pkq2dGkgGh;99!rDpxEd>rCG-tQwU@onj5x=^9==t72rAth~pHX9t4d;`XTb9oR4bMEaPzv0O3d2meyN+pn6G+vIqRID$^~6(3i-4Z< zC*_?2$THbje6jA==WTf?8)Z=WK>gsE^WyX{0<6>-II0teaUV80v)(}oC8pMLs7Clo zhBDMI3guO_sS9kC?^aY?!sQFvc&*==RLoCBbW1rvDxlD(h^9X);*ich6dH>XHfjEYBd1ci49n3Pe)Z0~N!iz)R9d)$`W`n4`I-EyF*$vVg zmS)(Dl5}lpJ=sW@8ICv+V=h9KO+t=*?hce!B#aT0dSi^031$1o;)H(wmY+)y+T+?% zZ$f01bs90f$J4KtY|=}yJoFi)X1Ao~s8{zaYXKZr+N{;KjKqXom6OPIyI430C$T&R zZeq^&Npi-IEjKJtr#~fMl(Eo@pGvM}hX~FO{56U;^ZcSlUHCpr{;*T96iRR{&DLNB zsZO+!Hnx8&qv5W-Da5Xj<%;k$<7eI8p?}dbohm|bo1_`UQ3tv`wCIoRw6S_!Im+#x zbnwJRv|;mQdNFT5#DXBCU6xpQABNXeMh!=|NUv&WNhyM80swIbm0gbsAsxqAX;dxA?DvR4Gf68j;HNC&c&rG~*sG{W}&_@JxgG zfUS!!Jmf)(t;5jN6q2LcJN(DmUX0~j4ilx3tyaL7(%|QX>w8TGYtF)<1&s9RES4yO z7_j=GIy~j(v8}^a0&=3`XSZwBn~;Vo03ZS`8)r|E)`1}c$2h-!JRvMa&%3_22Faqr zNNDfA%S}~C^`%;?ahZ_$sqc~*9hBdUh;<2lJ1S;`LJMuJ>%WFQ{vp=OB82k0xi`%7 z-!Td|j+F9^HqdrFe$p9(Set78=zPR5yq<^!fBmOMX~-bgeKIj>GOmDx9P(3jkKOeh97<%6L}pZwGIfzsbh*27@Q(#Qk` zn|IO`QsOZDT8zAr-c*Dy4`!SS_S{?jH#6e5wh^+J zS%>bx<(*Y|*u#!Y9T>+OW)pyc0*7i)(dh=h_OS@r#?u>r10A*XJ=s!|m9at&U!u8J z|621bBulY=;0gcL@PSl-*hlX;QD$h94?!YHPkeGzOl2!J>*fkI^YjMV6vZ{+3gxlI zuLd}OZ}L$n#*Ebsl3

ltPq+FJ32-%9E8$Zq?5k9<|$#>UZ)8=$j;xmvoT}CVW44 zIzd}92f^W2XtpjUSkp}(y^I(L*hx;Q)5`bR902qc!IZsTiJnVm6izH-OsMxJX>GzV zkKgfI59T*t6MmreJ%$|Lu<(9|sK5 zm?!$*%J}EOsKAH1-}pWx(&QNd;7CsN=jy6g*`32OSC;EF-(gL8ZTE{&cVjZOv|)8* zbK3q?ZN|!o(u+2$#O3Vx8GnfevOWJg^xnxayc`ffLrVxE%--yI>3Ms=GCjgsHS%C(c>WG`rox(^rq|_VX+9$_}-IyWtix zk26?ZF@S$e7d1Yj{8GkH0*myje`spb=ktP50;kGQbMP|+@PLR1Gs@)NDDS`&+b6NUEYQ$LByUl z>SllqYDc}<@>!eBP!Fu0IJ&IC;-EL=ydNpz^=W_t6O4Tg1)7>4D6bSE{siV!@N+U_gIy1{Nalu1VR#V7-u zTq|y=#yfb&p&r|ic3<~b(Yy)I-Zym1Lm_0M8x8pa;NI3{1^a69GvBsk*T$2{rZy#I z`UvP@w7^-SJVJFc8RiYB4C)~dHW}WZ=_el=p;5t0Bv_BuSWgP+CmFI{d7T!Q>s4INQ0wO*zO zpsMSjS2p&7Ft7D@oLl|K&Mae!qp~1IHq>#E7%`;Tv^c}^?6XCe zKogLT<7KR+{kNaMiY9WC|Kn43o&B$IC2F~+dI1YhZad>HAgol(cw(~?bg1$-g?~EY zUtHWpm6;h(LVD~(5TnSl_9I}?wY2|6)-y*-dngdVPdlweW=^G5#k$A#ssf*FB2DN7 zLnZwqP)j{)q++zBdeCUI6|6Wo3>Il&z1(%;QVn?9`ke--PTdDP2Go`h3B(;g*I(&< zsUp$v*n)yCC|s(Gr>xa_^R8(Q{#D9*>Xa3>^swSn(>>U3X_oEVaa3d1`79zbfau-o zFB@jrvMzO0Jz-jCfrT29R0yswhca=VTPELI`}%x4I-fsac^5vl98Nz4#fmU*dWVxx znm)>*`6>;242pTiQ+0}0VljO{$|Zr4-VqX||7xliA^GBtpR?jd@@^aD)Hx{kAQ)%6 zlTBDEK38Nn{*6i;#8Q{XoNgsxVv`!WEy`n~-u+!G!)HFY%&Jhj96;z9eisoaU#__* zC*0kcF4i>_8=;Q8i)ps-C&9+>%Vo+54Sem?{D3sL()^HdZI!cck<^@iCp)`Jlim| m_u(2AUeu510sxcM_x`K-H(jnbC$?wPf(L^eLX!f$#h@MT+yKx3 diff --git a/tests/test_jwt.py b/tests/test_jwt.py index bc01ebfc7..d45d5daa9 100644 --- a/tests/test_jwt.py +++ b/tests/test_jwt.py @@ -126,6 +126,29 @@ def test_decode_valid(token_factory): assert payload["metadata"]["meta"] == "data" +def test_decode_header_object(token_factory): + payload = token_factory() + # Create a malformed JWT token with a number as a header instead of a + # dictionary (3 == base64d(M7==)) + payload = b"M7." + b".".join(payload.split(b".")[1:]) + + with pytest.raises(ValueError) as excinfo: + jwt.decode(payload, certs=PUBLIC_CERT_BYTES) + assert excinfo.match(r"Header segment should be a JSON object: " + str(b"M7")) + + +def test_decode_payload_object(signer): + # Create a malformed JWT token with a payload containing both "iat" and + # "exp" strings, although not as fields of a dictionary + payload = jwt.encode(signer, "iatexp") + + with pytest.raises(ValueError) as excinfo: + jwt.decode(payload, certs=PUBLIC_CERT_BYTES) + assert excinfo.match( + r"Payload segment should be a JSON object: " + str(b"ImlhdGV4cCI") + ) + + def test_decode_valid_es256(token_factory): payload = jwt.decode( token_factory(use_es256_signer=True), certs=EC_PUBLIC_CERT_BYTES From c86dd69cf79809e2d532a745a236db840fd8bc5d Mon Sep 17 00:00:00 2001 From: Carl Lundin <108372512+clundin25@users.noreply.github.com> Date: Wed, 16 Nov 2022 22:00:13 +0000 Subject: [PATCH 4/7] fix: Allow mtls sts endpoint for external account token urls. (#1185) * fix: Allow mtls sts endpoint for external account token urls. --- google/auth/external_account.py | 10 +++++----- system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes tests/test_external_account.py | 12 ++++++++++++ 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/google/auth/external_account.py b/google/auth/external_account.py index 7edb55f63..4249529e8 100644 --- a/google/auth/external_account.py +++ b/google/auth/external_account.py @@ -437,11 +437,11 @@ def _initialize_impersonated_credentials(self): @staticmethod def validate_token_url(token_url, url_type="token"): _TOKEN_URL_PATTERNS = [ - "^[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com$", - "^sts\\.googleapis\\.com$", - "^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$", - "^[^\\.\\s\\/\\\\]+\\-sts\\.googleapis\\.com$", - "^sts\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$", + "^[^\\.\\s\\/\\\\]+\\.sts(?:\\.mtls)?\\.googleapis\\.com$", + "^sts(?:\\.mtls)?\\.googleapis\\.com$", + "^sts\\.[^\\.\\s\\/\\\\]+(?:\\.mtls)?\\.googleapis\\.com$", + "^[^\\.\\s\\/\\\\]+\\-sts(?:\\.mtls)?\\.googleapis\\.com$", + "^sts\\-[^\\.\\s\\/\\\\]+\\.p(?:\\.mtls)?\\.googleapis\\.com$", ] if not Credentials.is_valid_url(_TOKEN_URL_PATTERNS, token_url): diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index a36de1bfb2cc66f3475979d7c0efd88608abb84f..345e4426c1fb59a310374c7d227fcede6527f4b6 100644 GIT binary patch literal 10324 zcmV-aD67{BB>?tKRTE3dMh1AyPt-%Mr>migdzl(_KgmD*|cLiBvQ3e^l? z+ylwSo0$TvY$jv`A0;$WRyn&Ex=19nAhBmSfD1V3c4YH&x{g*SpSXNoT9*2xz&rLO zaPh(t{kT7h*$ZSofzMR5N)6oM(NZmF^evc z;*pp{gCprLcr_fz_Aq-(ahdIItMX;ggr62CgudZ&QS<#zGyCzSho{;_i-8FFDB)vt zC1z;OZfpqFgjJ)gXwv^l?2T~JOMYJgJ$05=^)TYI6*6lRwhdH0LMbEOiFvpoU=3i> zg{N4i``q{tTR(wEpmTu(MF!JFu9=~$L&@NLszA;~l@Q#oBT&{_5bgw~Sk>vaoEhkU zIk|{6vTebA>R6?&aR8_48OvH0YBAyxK^ zO9AycNE(p)Wo3{=gaB`M$egRW0(q3LJW<+-Xo$VsnfS-^sEmWxpK&HD>M(KUN@$^2 zjyeOoarobOcoAjsqU=8IY@^XA>q3sDwGFRzb%?Rl7I##Usaz3=QDkbv>@_kr>fVgL) zW^;fvb}7WGIY^Y95XPCH|5OaZPsR_Ja6*O8xuDwg?|EW)E7_d)v)9>)=+wtaMUgNo zgm)NI1N^g{s$eU^nUXYfA$sBel^vv#aY-ulf~L~o7jwedR}H#nUg-9~BW>o0s+c!I z4$MXLQ{_0(`_m_8g$y+oW}rJMDz7bGZc-#692&{P06t-TJ=35FML_Hv*~t10qHAy zv|)j06J+v0_Q8*gPM+xwg6LUmyYwN+^>cznTIVC){A~C-bHg%C;)luOGAF*OI;N`K zY$cbOF#;xw_-*jSRANUNXWAR6H^$42Y7|Op4JTW!DZ;P8+9Fpzi9ju~` zZfjBmPtoUNB%s;`Cj(yrA)Tso$g^XKd|D4-y-zThXOU<9O!>m2Ze9H{KE78&S3K~C zvv#5=E-Q=4P??vQ&qq4}v)<5)wB_m0d=ZjZ2#UxB->1^R2|BhN6Z4&R`-H#(oSH1? zZP84$lhf_bZU|8NT}yS}mDc~lhap&;;V0${`N}G1M%2hi<7KcQMutxfl_0iINXg#? zM9%pHIfUnpYs#Andn_U@K{;L^Se`8f`YAjmt+?BYU{(B+ zknGX5)$qF$mI*yk@|F+NK*7Vx6*;v2GzYw~N8F|z=%9>fg+q##%_C)wt)POXzs`V zl&F=U`>_qSRwOIv?N|e=8sJVN>vwln5%*iHU}m-q#D^SZGGsDr?fk;ZSvd+;&xNDm z6y^61InZ6f9`*b%+HLwh+RUSgr++%AoR?QXc?6)N`*C&4-W;=^8gai*5cXw9Ay(f?)${b_Q@NepTxwU~;62zdLm(XlQ z~XdZC`ASA-m#$GopEtPc8}dmz+oMz*GncegtlP=mui zEy1L?rVchm%}!sfMyyhTAyfGj``?@w#|HgvjR@zk6lhy_y&{}tvpNWN|Az)7ICvW5 z6N>i%FlgloEZ$rAf~-e&h-N+Vl@AT?tz+(;+U;OQD3|?kHAof|&9QO(eEa$~R;)zi za8MoN(%>{5*nlBi5Ji`u^XjIPr`cy#%PTL!quzkOle1oW?*JA`TdQ1+p^wK;v|J~2 ztx78sDrU=859Zf1EEy1_w+zBRjXR6l2NXJDV=a zqrt(YeNoMf25Uo4#2mky>&OyJnaO#>SrNe5*Z!Q|*IKf|zm~3L!8y4dEL(DIg|@K~ zH4elaO$Q&FnQhx@_CFIB%)#p^f?#Z`ELxmY)>6$k{>B~4qkoh66;?wMOH(5Slm|wU zo~&%IPj)!O6^aB7+UeFq6|3exHt@#s!sksY&#u*Rl)G+ceKPzn80b6KV>s4OXe6tU z(b=vbKSedO(vFnQCD4Y4@>6q&?YTJ4Gzo;O9Jsb1%F=8A@dtJvf^aClIs}kv7ORxM z#+6Bz;K3t)%#)9uA*WZxa);q0>o}NLSfXR}@gtV+NSOFldtXvTDLjrJqV_C-0|n=MLU}N$$kho>ejjr0yLt9cR<^61@arN1#3SE_Cb2bjOYVJS2$r5xkwN0G~p$vx-X{r|bf&{=&4-H=jv&1g^%Ptbd?aIV(C% zu)B(c$L68Zwa%SB$z>!)X`4DzPMs~cEsow1L9>Q)nwlKXi;F4N719s ziwIfQoe{p@cpVH;v9aU@Wd>y_qbGAvu-C3-=(I1ZJ%R+V*q-)GC&+9oK~C!CyCFt+ zc~YiXwe8AcAcmY`sYm6Q=BV=Ukk%yGOZoY(UEFDXz#E#Va^E%Cy;R&S_urH!F zCTw6~E_VUbr@;DKU^~up12KT|rOUbDKZ6wTmGA|-)7%KMsb>Y))$Z~QKbHM(YZQnP zxdFd{Mcy^wp@yC=^8mYeLVs*>cttk zr$?mX6M`}#;vvdwllCk>+`Kq3X%IN4BD)n#pr6c<<2pH57{w}Cp_;C9NokY*u9 za7>U`cju{2m4b9;djj+j%$wE&?(wIx`R~RNQV}5+-fAUM_`~RQ83;RSuzkuuZsLz} zl6u)4T%Hgvy?WXK0Xm@dtSv3}iSLfXk@c?RR3?2l4faO9CYLPR316Ghv~OcQI80QA zXL30Vm%C96ncq95lk7?uY7s=c?ssI_VFOMYuueiv>VJi4jSt=O#Td>q#+JUSrTxq! z*y*(|92;>sEzR_5zX-6XC$#E}{rEuAevg9zB5-r*@Y#>y9xFuht8tq@E#rdSqu*4M z&8#uZ9S8(poQ)H7^mGeh)J!vE3k3&>6=ML_OyA<0F=Lf| zsW>qulI%-$sM6eQhI?)Q3*8vLqG5Qx;h^6J$9jREB#S09#_boFKPqGtG0fq6(P2Pg zgK(sMRpvYw;}9vu$Sxjk8%qJmQn&f%=;EqXK9x`};y~x8d06}nqGVglkF+^Axr;3I zu4ooqtW3fzku7^W;djF$Vu`N|;etuu`q2cz>gYR7*`-noZvV7xzo0LZkJ0Yj6jDQ6 zzLyANL3(EWXYd~UGr@p3Af~E{QUI6irAHRzH@*G#ZGG#8VlF@)SU8uCoT)h9OsW!N6NTBE1Z- ziP^apJ0BF)i)^#8|K!699Px^_tGJg#PR5!YRZ{dX=u~}k*(7Awgb5vsy836Qq@%eZzBv@* zCfL9D>9)tQn&&k5P|L_X?Qf)<8|Fw5aXV76`Znh>sIWapEh=$}dcbv;!axvV3(L5qSzO9^FkQbVPFCCn(0#y|AIBebqAbv$F_`zF*AU%U&DL-RSycVja)s>&o1BC=fZO%D(uzD zNjwG)QxZ1j-eCRe$r3uKWHqE^0mof6zVP2ox}+ZWU#)GXgWl}Z{O4=LrQ;Ma6Eo;~ zYC~!lXWJya1F5e9;|SJIwX-&ottkhrq}4hc32$+2MsdR0noT<^-?2Y>??*ZD6 z@fNvrYOIl+NB?cW1oky3U7nP$pY-yly?e=ar@^vDbRF&ExzZ~;UUl@l6sjf?s#cOj zfX%Tb=c?fT%*Sia9!DOhx>V`WJzH?~WWJmKhha+H077mN?=a@5JIM=NCw3lR2JLRi zh7;G3!VbVg^y(;~Ho28e)*mr9SX*#oBdvaI#E1NvZ=DC|&p|GoG(l5V9+blrgCbQw z_a-i~VM06PV;cYC?@wjnKpqLsh+EZ!8}`rKRNBIvZ#p;B48AHmv0y9ORA4m8EX?pS z;K@=7_Mg{1q&n9aDjNH7)e{EZ>WhvTwnE_v(rlCFSn_Kj%q7$%wTgSCH?vHc4m1bE z@k~Acjao-BkKcDd5r=*E$wBiVK2~M+ce0?cJBZdQW?>3K!_6 z3?Cz0yR-=ZxDa|1H-4Fe7dUKA&reHzP(q`}j^>JDhxg9D5lc-A(vWiEj?;~-f$p^I z3_n_^N=(g2hw$^-dL7oqX(9MxOy(m$KZA2X8k%C-a|K)%b>D zfuXG7lEC95J3kdRGA)@&P=2~^npZi+%VTS({hMJ}qR#VQG7W+*WYM_~f(7))84&Ad zN1g;wU=@*V6i-bU`q`tg6Pji#XJX7Uaobb~prvn@f3#4nkD~jJTV@%Nk-z$v|HNNjZg__H7EHvnG60%PjX0k%N{v z?yu9@CWS#~Gh*A7;ZgP-n77NI=lTjFr5%@lf61*I4JtL;M!>wVBH*9~v^?)f&c5iy zyVZUS%2_fzzuOH1e#Ti#qd}aA+e}6+Hs)ALT(ywcd7j-)M6B^7D))u;O2Abe&HW{O z1q}wbe5Ha#bZLwhB%~$`A~M@L+VsrcaL>sFUrk=b*vp6ug7r9t~*qdl-L=u#h z5piA)cY;$Jh4U7kHi5S^`sri@ciI#&cmwR!CvA zYS|Krdnjob!C3tPLJnU?P;Ke4Vk@hZg6_FAAfKLYfgQ5Yzd`hyLgGkPS@Z}{3K-JW z(-FPx${D=%S%^6M-UID$euB#yMDfT?Rm!c_+ePvwJiTZPiTNx@j2JYI5#y5zxt4fLWwp3Q`T|rj`Ha&0kd8bx5TPbm%bT4JsejY|Pz;Ww08jSn zB9jo?@@b8CGt*dHe|ktidjtOEKO718@zA-8_ZJQSRZ@Nnsj0#5M9`!KmeAhUm^50e zpz%=nt~Y7bKM`SQ$tK|CQ3eHB_CG^CzO~=}z}e8HF%|P26s-IBQ%sMd@~IU_WSYYH z|4+n00=VCUjTT<`(4QW_#u|sFcVbl0A<&JWa^BU9HkI>v$d>afY2qoU2L|(6Asjbb z;q|^m&}BRkDV>rzW0}Ss<8umpO3Ba(%s`yO<1Zs2p8fx8ajvByK#|2ee4p|=VwxbMp}N8`jPDYbJk zVI-P-x%tx&#d;MfZQnnC7Z?0d=CpSQIj^~Dr?u{&gG+U{Orb5f8Je+0HKE_S^iur=~9$N*- z_O}%gpo(|5wz~s)d{}8gv7FU|K}ud+kzto9f1a_`7_$tY+9l6(6|-z2@ocPt^{30% zj>!#&`sc9^nozBE4yq})RjIf&&m(clbtk;m>41gypWcMb8OsE6!toO>X#dK{C2`d{>n2u#UY+@Sa8 zUga}foi;8CZ2T%n7JaT|H(wd2GX3(|yNned0%T`@)_0FdcuPnOGP4U&$nWSW4umf& zkL(&j5SY}OxjMl!4Uu3^l6ML)C(l`wlo*VcLht+JJKK`~vOUHu8E;rB60!k71bhy9A$=4Dy|W%q`wYfs8xF!c@T-2f?}!-V zPi#M#CWk8l!mlaV(&d{jgsu0M*>D(-lCJ!@c{IxYJi|2U&@jS&pX@2g6-Za*rPRE~ zRkre*`#x9m?caK=y~0wBxV@r0$J|7Qb0dh#d4=*{&B$^}xFdOVDtW37Tgy9BC(KKE zBnK3^uMqsgOoIHibcrL8v<}3wph}R;03B{$3}Rn=qn?f|or8^QbwNKh2JNuMT1v~0 zx;mG{D^r7TGx%HUlFyhw1OV1BgjEre+(hQBJHJ6h&wh-x|-&&nW9b8s%^CEK2ECm|0HAJ}WV!Hw%H zgcVoCU9KogTrj=45g(dH2t}ZEg{hFwHTVIxqlI^W0zN{l82v)12MZ=y3kmN7Nl&CE(6l-W zdO@mA!T*{LnbiVysBSg`+`V87fie}1 zJmwzhs$#NtDx?b*R=!ZfmY1<2t*Wr?N_1knH^$>hpLkhkq+Nb&{Hkg z>%UU6uLRKwypPe!TAuZ(SrfV`D_pUBm|$p&+G@m6e=kcJiW39k?Tvel9a({4VCms$eoVZg>?OG9mg5R! z@+tyG)kK>g?cBCmGfN59YQn;X!)rHemdnE33n05@f^}P^UnL84`^7dFJ`VSP2R_=@ zJU{m5h5Ib(K{T;PHUkZI*t#%wvr_AKWhRQi5u94;Ge+%1b@P#!aiyjsg7jECkF2<;1qu$9 z%W<&E`SoEPpB&TpbKXru`X3eFhAFvJX#Q|XPyu&l%wF-ijlt``Xe=*0*^22q-x3i?w$Cu-bWKo?svbA|NN@jp2D$n?`P&cyucbF*n|J;}Kp<l6lU) zpbL@(e4pC&LyC4grK23NOV(2y&K?Rlz54Ci;x49+yHldG~1vmqTtpg z@`dA3U%}irLk;U#VE#{&jFk873y|#p1XjtMfeTd!YMLRZsCM0xp(J3}OfgyhI1CQh zEdeC|oCoNF`<%kb?c=p<2}qjg_X{}deSVrpNoI-K7SOSZrV*{ym!FO={q$fd?M}I3 z%Xfi`!rE+HyJTrYv_d$H;%s{AH*q%%6^>J-aXT9k?WjHD#!5=_X<;d7Xu#W(QZwte zL)^nJ+x1GMq&V_24qJSyM~)23BBqc10}Qd>{LDX&xK0@=23EEGf?EHyFUf7Bjjzv# zpc@idCC2=1-ZVe3^&|Ft%KS*zuj&4EHMgm+?RrCz;72VB+xej2TpnqdChFSbQrA=m zsWm{ED#_Rv{+X|0;g{%h>SKCuRhmo)`~tC5z2~%!*^x`&ICo-6Uot6FUjdi7x4?$F z@i$aemR`2^4i!!2q-MW+dq?98TIer2V%bAeFo@r~Dm*uWALBG_2=y{NWallk_Nz!% z+-#`9VJ!TWO3{3V+%p>rRWgT`BUfk^V4)JB;aj@*+KQNOb$bU*yRdAuts5q<_VI21 z;OtW*=n)BBM`bFdZlXRFIaYCcTikU71W*$q^Tkk=2O4dAu)ctvhGkbZkq^}8QIj={ z148O9nJEmlCn+Y1lu^en)Q;nj-D$kP|Xe2+7NdhF^7^`Gf)ST1{w$ z+z{cM41W}`(oB}+-w6}#!(l~FHeu1pAdDwkIG0I@u#AiPjcnR~Ps+lTwYH%)U|2he z=Ux9QbC1`rHo*&oJ}YPz3k2cqhn?^c0C{9eftD7lt6m8z-u#MFLn2)JlO+PyhdS|@ zaT_c__}zQXa$U#nJ2Nmei1)SwCYo4M6WK`FVEWO&6xA#Hsq>y;;drT%Cl1A1(VGe!9D%xHJiY;lm7yskJj`Co;EBUW!(m zy7Pj4)O}@L0G|pg{)An!i_!}j7MG|#ZWPYtJ4=EY<85YJVDAzE^SL zJy~4$QdvZ8A+7@6-2s?b8~M9TFPX>|D7MCPjckB!+p}@xl;`NtiZLPtRKQ+o8V!-E5r=VZxN5>46(d-9sIsFyNvOfCoCnqJnI0MC)O z-pyluV$JEMsxeVdDUe8z{U7u^JPQf#g&WQn-~JNQi?1&2*!_vuZXCl)lAJjoD_%28 zz7mq-p^aU4$%Wf({PfBp4k1=ka7M7y$|!~z6y!>>_U z_eQYO{9h0|zZs8)vBz8roJFCk9`=Rf_jsN>(^a<@x29QFn8l)00u=E^5AcFMDo%b3 zCUr?fV#I&!mhDaPDbat!5-cuQ#~<9XJh}olJlJZK7@|UQMccb(IzyGwi&f>p&A!QO zD}(lkDT}`@t|Ml=cyoOv`F{KX4s-h-G_8rQ4C(jukC=v+LR^~fsv?}c&B-u{!N3aN zvP@nOO^a>OcQ*jX=YOT;a%9H1Z-!l1uX-ooq_S5+M>ti?>GfCa0%BGod}uGvpQIvG zBIl>?M*}@&oM!rD>JWQH&)7&d)!R<<%1HwpSybQQQ3H_A{$UgfN^tmDxBPVpJQ zxw)bIl=uq5!K@P_LSPp`HH0+HvUHXBnf^GPLFnjn332D8Xf->a6%aZ@(@W+ge7QEN z<-8d^dImHlk89+>;slpfez`i}GH62Qnqy;?3qU!E1iS6UvZA2aGuuGggs2Sh)Upk88 literal 10324 zcmV-aD67{BB>?tKRTGv5qGrexy_)t@$hDQc4HPtFLgsMFEx4^(BFo!@$dMANPyni{ zhrBHE#4SuJDm}~Ur+L+L04tAh{*N4o(3SXdN^Iy(NcoLPWj_jG>oLAJ>z;0iOP8`! zlJy%~2T~_W?BEV5xU_sOECO8&a}DdBR!Ue8?dHWVL&`GyL3hGR&8LVOO!hp!)AfZ^ zo5_6~R3+*Ck`KZnp+9CbnyCH-R`l(qFibN*NH`%q+ZzHz_6>Mf}JfxqiGz(D%^Xi2v?V}zy?#S%|aYl)49dzyVYL2?)#(-zWWAZ z$aENUOKy_uYncA((@nQ>OD>iaC4@F_;h@YWCfn8YQZ2Mz!NJ62`@lpQy43cfRjw%{ zkz=nHm)y33!2t3kl1})G3-dC%rSKN0K`CIM^@G#`sM^S4&E~i5pd!&iKW2%iziceKNGD?{7G zg!|ubhI@BoAZc;I&HrlCfOGf}fuMAyevMl^$TY~U=b9u%+Xq?F$X=c- zb?}iXlMs6|RW@Vq63>P!b{NDI6{`M3M(&D;^Yz*^ep-Rk@4H^`;?$}i-lqPcsK}q+ zbIv)IL$OA^6y=5uV879Tjg$8`r`&){%VCOQ=k{mX1O0E*BxA?^oLEePb?yR0%H{l) zAmPahMVL}%bcOh=Sa19RkSQxQ;@sv9lDXiHgLFaP-VFJ%A%q9h616}`2;4CvJS$H; zmdz|DeM7bRz^LE0r-x5;1w0JMBO?jRyfP*aB)%{{-y`!FhN;Rn!1nBCck04qJ%JdB zrp4l|`uHIJsli^-oe}Ddt7Vt@*;jc7lkb#I+>+r=3-XZ8w@LcQeIn)r3__4o6s`pS z=BBr~P1W;o;ldn#25JwTw?uuSOZA3uw|mV40_Nnd-2H5ftegbE-Ir%2Y|ojh0UVxJ8N$wJP3Q+GEOQwdRE#3<*gmix1`8&7)pmJ+UA>94BvdC2e8vipU!XC zU7hrAsV_dT>?>mFny*OhJAVl-(|p5-CgA07p_(P=A{bW+6sU`|f6wl#nCSogHYsL| zw=+ltfi80m^gACe5779AQ z54vK=#-w7TfUE%qlLfHcSVpyhjUy^WaHT^OLeHNP_(+TGhBT|sW-xSVJ*>oaQ{V1z zye+DT{Bx#}4x0z>aq;XwS5fqS5%b~S1tS(y1--yq5&7$KtJXlRYkMi2HbqFUia4$d z0k&`Dqdz+HI1c~So)`_hvh$g!vIL^0^b7&k^k^DPHi{d3)yDMVe5&aeVDDr?q@r_P z?hMaeulrq_0)KG$9JMug>3B`Lv{&y8N|eMMe`l}`?c}1YJ1Hzkmuu*I#<~>_a$i+` zF(PqO2gZ1V5S%-6EbkWT>azH}wKe@l@xebtn|?jX=)4?pG+&h&wjr!I3K7PoF%h<~ zI1mtx;g}-6!Z40rQHGln31m;xqD^KP(>i9u5C9FZMmhj;c;vSukl9iC$`R=2wAlG` zm>KxfM|c7StKdx1vpLHsLOa>M1`Be&x%mQ2=%dsXrr8=T${m(B9yTqq{K4&wTtee+mwOpM884{iKbIgwF= z%cJBrVt#64@lnL}z2A)4uvo4}(OWnnk=D6ID{J{{bdUx`aDpLJe9cei7*rd26lrME zG?`n?m|6($*ukyCdAG9^+kPn=9TZV+9Iw|EJC`~Y;o)tGUtW{j{nqG*a^rhT^M?t5 zfO(Z`vXL*M`xlhL;GsuTET2`3QDF~^%IyssEK+5jF^`iwu#Ch`;k?;1>X?klgIW4k zSdZK(aZ}74qKrw8_gboa(<2$L-@YAY&)xR$`vx{-^{z$$%g6~6JsMAPZT;1n)MK(D zNUwDVv$=f|;5Tg$mj~Y%*u(Lk%N}Wj=rm+E)E}bNAq0l=Tj~D1l4H)Ll4@_CzTuV_ zOs%Yb7*SD@sgeeB&P#(f$JDS~s&?4gq);PM1P*cgzY~YKwd4izH90H{s%r$z&^?lM zLM_8vjvd#I*+^F9mFNh@bL13; zL?6qEW>y|)Y_azeX0q}37n99_j?_lVG;;aTw0V(sU=!WNCphRY<%OjtqiWHa)OA!^ zKl}#l^WbauDj#qnV;#tKe~nVi7)@cd6UdL!`U*!ZOqKT-*(1M`kW^A~4*9kh^OCC` zN-Amth-(}Q{gRqs5E&;*VZvBfxhWT7M-8!gxbV~|%pg8Xq+{FI&hx1f;`EBszQW~q zsgex!VVO%+7|87M;YiE*OQjoM)yQRCoB^9yEqlf zOI?IqX|5|18({n4B0M#u81|euOq|wD>FnEzZA%~8)Sue$3SgDkAnb@mt5PFfujMz45y8_8G*l0} z{^edTwxIKh!1d$>b7f!j=NC5z%GerJ=oQZ|R@d+?l)_;Dd~(YbR+2xbX`%0TqZ z#iu?3b@AUl7~M4fsT=NoOnoT$?PaQz9>D4B%RQUiPm4G^d!BVPdhG=+%-jx9WzeBX ziKJ=vT+q5**Ly^mpQ)zoRt&7J`O3#33UdNjLXZn?wk>*=P(L-WaZHjW8_+kiAGM0~uMdA195JRVf|j zfF#@MF4kJU#(6yq{3a9jVeQu8h#Q%Ko%XP4ywXwR*-1LyG4)+Y*v$ktfL7n=LDgZw ziGL%w@NgfTu{5*G;r%*~h=R+f_(&B?Ap?Tn1ND!(2V=*;uygmUJ3vzfVwbMO^!}%n zQNQ+nbNY}~>RS!6x^XFk0zdd|Rt59L6wB=i&FaQXu^7mnA(5i(;NxP+w8@zyDOMXM z<8r$#at8Bnm+$>uNr~up&Dw~P#dHdKo7y5vHKJh8&f3u&_lO&XF63hoZA&Z?_7IkN z@=8=u@a;WHcJ{UYew?56U9svebKUsQRxQTg`YM4=^` zJal%c2G=hQGXYNm;>?F3hoMqACe~r%$Gz7FZ4M+E$2a}Qz6N)vZR(G2LEsuRvH`_J zpf?tQ#x{=yTLi!jAH647c1qBfD2d(Zq+>c3w{yG7!ZxgY45!hyMvM+wf}G$WSzz8` z$N^pYLmE21JL$ASIe{g=0lP+b7Ab9cxBY}mos_I*mt=eIT=y2-76UPuQ^@4HeroEE z;iB7hI@)w_w)q{Z{EZ3=KgpWVp?oOyDRisJ3&#Q<%>CwAw*o~EP^!&M*Eaxa5V+{Y z@=9ox#gT&JDPsl+*QWb+}CN`BD0WQJUl?n!Sp!%?f)w6_8zC znJ*KWojhKs(tWT-_HdGSBBBRa2FxU@ZrhoN!eEN3Z!Kdda4?x&BPXL(9a~J!N^htb zZxtbBTRFulf|xXh8-ZJyuR0CjMA+pGY4tSft}f`iEjYolRF%1HLEI>?cXjM{;C8F~ zCPmPxag_BeotK{armNf}zVG>LxD?o=Cx@6w`(y!ze}9jy{t|2=gOpg4PAly+GH z2l$2QbaT!+Po@dWmBZ{=&cDUuDCmpLw+o8~qZ_K>z{^>A{u80d5F5H~Np#3N%I3Pw zi${4rE!>7f_UH)4NAtVYC-0@Op--KaDD}kDig0kQ{K4>%YdYR5z)b?;A&auHXx#4D zEby`F0d}Z;v7T>&c`pn&bs+#TXh3Ex8Ohn!D^sDjWWl^pf}C?kUC|?5?Ykp~C|ro_ zbbYHre#9@o*Ln5K>UsG04Kj8&^B@-P|1hH6_(a_P;M`CcaojC} z{%US{yff(RzurM;^RZyD(;5N*=*!kxkQ38J7TES*o4sZ z>Mk@fuKRAIMb;u}+1HSXsyoo_ocz0O00mpDmBPYR_hf42LST)4xVK*9JWaZAbI(+C z{TnCzbrT5ech(QcukZxzm zPL-eHNAVy=qS-f2P*`y{S`W~DBT~wXTG?IDJ~KLLUSuG7_7$q}BQM_zmoCra*d1Cg zj&Iwp{%3*=-ck>P-3iQZIq%+-#tPvuabj04m{gekxN%)e2Ek(~ACOVBX zUMV%ZGsTy@aXYD~ZpMUbVKyjj`!E#kX50wuHkLekmX1!Ql8^q>5v>hcuBBzNSfVs?Ekw_1x?YO=wf8AIlt)oS5IH?^7PE2Xzf)zu8)LM$;I3W$SG(3c^U;3C*oV3sIJ*jE z;6g~!u%_)HTS*oBTn6fG~CNh@Dj<=dI=KX@Y1(1sV!F@Py>4m=<;=uY*WF5 zA;iz>zdAPzPFPJKD@iD*8AuMkR|AEWaLiL5q0G}6YM1gZx|!*b0g->gIO4=4wtUf* z+CBfGd=FTtVq3 z=NCTL$6nJ?CBa74!>@lUG>!I7 zmEC~uG>^8Zn<%rop1B0!nw8xG3Dzku8D1hPy2Le8UlULvxN7!FO%67@wiM*~)lzv~ zZlN$>LCd(Hm7zD*X$8i;fLNTpJsYFq54Ulg1aHz@`wfP@TA>b8N>+fEpDg+?GCNS; z;m%JQt*p$+ymfd%zWaiv`tepb0>Y`G3S8%R^c#m^vKO%bRem9(?cE?Y|G9_2>Z5Z}`GKtsp&Jb|)8NJwX>1wY!OHm%}~`;kqtL_ ze7X@bqp*pUPE4*qr?`MHBUjP(W`&#{!k_4grq{S`r%Jv!f1r0Sws)r1hTcVY75GM- z(*QcS|Hor&RBQc(No}-JXBu2x!87v|e-En_SQDOlbbB6$?5Ye0gq3w3%v3j8rT{e8 zqwt)=kcfKud=TsO6m@fbImd)f=KoX@)syk_K3MFm7AZvk?vZX7Au|b;Ni?84&qZEF z(U2&_`#Cx5BSZe%j{V-L#&I9(|L6rD;NXg^KIf36do0Qhi zFf$+q2?O|T|jh>oJXGkV6`pfG>s>@Nn-&Kg)FBm5b{DOQHkDREn)S1s)#$uUcuZw>5=+=k1a7!8HO`gI;XkWK|)%kAsoYffht%$ z%dw^k62W98#xNTa-cJ1MX=)-NZ?=t}kIiNHQW~$z+_7JZCW{rHg26v5V$9hgu=jwf z&DqWlL#QG!LM^4JZlvK+3AY&nQP^n$%L6^5*wEWNjUekBPF=7Y^>4z~rqt0NQa6Lk zEfm?y*I9%iT5>)QZ@2Qu!^pVFQ_V&=?D%&rn%$)3{^M_YvcE+1#ahOg!4u1yUM4xtBE|Od8@u{w1m4=7ls)Xn3Q5?sUCa57#+bl+&T&cy9bKtR%t7Bo) z?f`Xfq#(g_Xr9S{2z0a<7;u^(jps8O=)92ru+^4E4b&52cTP8iFvX`r;^!hJG0nrDir=Hgk93UlnXN=Z+iWn?8O2p zjjSN4lwnJHSmWyLS76B%yoa*M=s~LZt0V68p%bN)vF5Ba1=^2B)x&4f5GYO%B7JzfnRtksH;wF zEP74LmLrui@(qD&yqO&nKl=K-NMmxH3dSXv)&>%Y(n(RiKyv~F*FV^zGwN(;q8m)# z&twS|;vwkkXb^oGuL^{Rwwj{Q1Y58K$M(puF&~xd!J!swgTFxcy?cf)Mt(AHL6v!c zouj~A{rJ6uv>XF~7*I963X|?j+TOp@1cW;%WA$oY8*mnCK)5xsQ9$PUUt>-9UAgHS zt3QSZ$jj`ch#8DdHg8UUN|fzFw+EGZ+5omYi}%hcpy4v0pR-%n+To5I0rjgWViMPZ z>GPE2g+O6hqw;8 zr01gL9DfLj;!Dzw6TWVT$jPLXLS*Dk`#ZI$a2*mUjxGe?E^O5V<=!#`dlU|i;dK8S zk@z&wTH0TjU8A+^+p1USqBAEwLB&gdkf^ilLRE-*V)DExS7{ErIP>m(Yeao2H*jS9 zt6U}EoAnGRA_Fo08FRaBu|O54l(_HyyF%!Ri)LQQB^T9j!q%`~>#(IfO9NXcgA+3& zLgl;~E%+;huK2YrRt#H=TxZwfupsd@G1+xIeiQ8iR>M7U~ZHo2bkN>wFUL=`x9@;%)Fx}TnMv;bh zhWbxpU{lSPF*CH@E~9;1o!xm{EJq8VN>3`gfE-}bf_Fzl@cNby@(~#v>tpx1nQk4> z$#wDk9GO%|^XMp6QwLg@(KGOHNd0hr2uF%}@jwe*vX&?d2H6$n$G_CJ#lMZTj~^&6iy)X7A zB7_j*%eVXjRRjvYbT`F&rvq!1&?98|iDD!#^K$F?d?q|I?@%EZcHHBnNBq&E)MJAD z`2M8fAN6J9DJjqT4X1QE86Kda56!GR!6UiJvyY_y6i(6LiF;AMGR$VeFcv4mU#DdM zN*{n88JNSjxWD`Ho|8cX>x69vC980Oj`=1TR}^j6)yR-TurmrhL=C!4UkSO6fL?5J z5rkO{dnBfxSz%yj#-m4!C?)`frs{u)e>3 z{?CLren&)BK7YPsG4Mt_^>U#}HAlj<) zL7~%^%+yWqp6Il6Qu=?R%p={?>h>H;fzaHHXI$&l>)@09BabyF8u;Q+os zlEAppayf56((>?~RH6%Cx^3of>UW=c=;~m*3Nk2dMeQ4Q$=-7L$Snb+;u$NhD#ln0mXlOj z0*w)SX+#Du;fg5oMt%R^2N*@FrtcNA8Q@7=zAd(*k9DmY4By`eQ==1l3vBS1n?XIl z*9ZCZy>`~c83JOWyf{1uJKWb1zmeSx%XxJxLD9jpes z8l3OjoT8PV;&{vZ#9fxiE`_1+5~A*L_5(vs>-VasN_h>D5ih^N^^2nzn!|cjD`tn3#3!g0fsIO3V+e7yf;OU0~l% zuT)xc!eQLg6a!Kwx1X2b?)0z^icrNZ z*nY_ik>X-8_N;N}1Wkv7=7c}fp@%$=y`;uFrcwC<11l)BoRbx^xcQ0Ue9nLOD}OXw z#b|QplhpO`@SnuRUUU%>ogzg+WeR0_$+Ub^cw5Le@M`M({^{W~UwM0`lv9puEeSn$gul&7=NNuYIE!ZI zgD4ia8`d@8`Z{Fb5BhB6A38{=TAu`kn%ZmqnX(HSQ+vbXPs_zsNcjK7yL|`D-|JCI`q&S(=RemH^~W zN&%0Ql`$^dY|F^V3166E5f)THqLF_xa&k2Cs{&H<>R?J7nzKycYIfuh!Nc)_{&$38 zH6Wh+V-RCB{lt-$P*Ud%?S(S+nUSjBT#@OOp*6+=pQJA~eP`rjF?6%mUqQQ)>yG7A zs3afaaM1y4<;whm_11Xl=AzCp3MLYff_}oF3@oy4|3Q@uEQK1Lp39*NDNMNL6lJc$ z3q~psy`wY&AX*0Qoy244@c9(5l_Aoqwv@mTLDLObRAfHMN3x(K#s1Jfj06p?0mFag ziOtF)h4e>oXG~qS*%O@-2HDX=!hK>?8+Mw`)tZc&+ie2yN(7ZeDDE1Ih?bc^i#t+_ zU(EIP`h-=!Ia%;?t;#BKS$^uvn6H^vEj$<3fOGtpMLP^LNc>SL5_rmuFTXo=HHUVW zuUFpAs4Li<%lA%OW)KUvN0Fv-n_fEmE2_G5aZBkwWySb%bpx$Bto}|5!5MlJs---c zBH;Wvpyz2mqE1&<*f8UD$0T7}%|Op<2TyK=@{hld%c4hiD2~v%WrU>uOiC1@ae~VC zdUtGkHq@n#Q>=eS&;TG<5XUY;&zO&XNp)yi;8i=Ogw^>V7E!26#85EeG5HhF#Qlpoz-S{7iSoMzzUf$E;R(VMLi9;FVg!a zC~{ohXMO#EYc(_PiN~6PG!|59k$a57si3mFmFFX5Z@9~*z1+V=tzXmv>@6L_tauw| z;^q*2cZhR5P`j2L0gl8#cx$~t>gIWRU(YY?Z?75W=s+h4)F*7=*Of0G%(5T1q`=~D z*?A5|N*lk0_WB`7W|VM(oL1}pi;!-7=GOZ$o|mVNqy$z`zIPzi|F>+1lUHbZG1n=A zGp>r^vYm>$W6wI@rfhSBAXd()M0vXY8V@Vr$0@V#z|DRldYPtNI8KrH$3lI3ex3T= z(A?+eL*Yr-6fZ&AExtG-Yb!}vy`N#P=TYjAV2a2mm1(NTMeJDrR!cJqja1yBTw*~K zKKq(?>(FH<8WbuTZ&OSCbu$vo;a>CZ+)%#)Hkqsb{dz&~8K7`raCL##`n@!fGAXEv z^_RJSA{utWZGmxr>gUo)W)%|M5l46ipHz~O5yQ0CG<#OiCQ@U9h@5XMx6D|>Vicgo zw;(MY*(heLq$y&}vTnNNi}R$SB`=MW0XFa^Qenq8fy;i_Syp$fM zLT9S@)iM$epVW&Ay3_R{$Z$l88S8kPE@vX>-Tnpo(82&t#^&=HiLCTl>SA^AG8{ku z>_s(xI*MTs9<75Q9i-uoN%Q}c1D{IS_ya<(?(YE~+4&dg@rrF_td!UbPXr_6_5nsu1vXBtz|DV=FXFKlQuf(QD;CF93Kb#m< z0FJ8YlEcL|ZawU$67pr!QLr!ME>-u7D#8Ai*-GUVTb5?#s)%(hEXh6 zJ=HXXPBzG^3)~=suW)F*P0Nj4Ay_`#=A*MjUl=`GuJdcvp(J3NQzuwV*e=20#46`@ zZB>6`6K5)H^Y8I< z1;t2+VOoq%vNe2(XGpDFhigvm9o%E&1asB)oS#LiJ9{6yk`JdSg1T1)|Nnb@7cZcn mDy-@k1Zg`%SJc;RvsA$bPE&|s?{l77ObT5hQyVMY^yZDU?PWp$ diff --git a/tests/test_external_account.py b/tests/test_external_account.py index 18ac75511..78a272b6a 100644 --- a/tests/test_external_account.py +++ b/tests/test_external_account.py @@ -67,23 +67,31 @@ VALID_TOKEN_URLS = [ "https://sts.googleapis.com", + "https://sts.mtls.googleapis.com", "https://us-east-1.sts.googleapis.com", + "https://us-east-1.sts.mtls.googleapis.com", "https://US-EAST-1.sts.googleapis.com", "https://sts.us-east-1.googleapis.com", "https://sts.US-WEST-1.googleapis.com", "https://us-east-1-sts.googleapis.com", "https://US-WEST-1-sts.googleapis.com", + "https://US-WEST-1-sts.mtls.googleapis.com", "https://us-west-1-sts.googleapis.com/path?query", "https://sts-us-east-1.p.googleapis.com", + "https://sts-us-east-1.p.mtls.googleapis.com", ] INVALID_TOKEN_URLS = [ "https://iamcredentials.googleapis.com", + "https://mtls.iamcredentials.googleapis.com", "sts.googleapis.com", + "mtls.sts.googleapis.com", + "mtls.googleapis.com", "https://", "http://sts.googleapis.com", "https://st.s.googleapis.com", "https://us-eas\t-1.sts.googleapis.com", "https:/us-east-1.sts.googleapis.com", + "https:/us-east-1.mtls.sts.googleapis.com", "https://US-WE/ST-1-sts.googleapis.com", "https://sts-us-east-1.googleapis.com", "https://sts-US-WEST-1.googleapis.com", @@ -95,16 +103,20 @@ "hhttps://us-east-1.sts.googleapis.com", "https://us- -1.sts.googleapis.com", "https://-sts.googleapis.com", + "https://-mtls.googleapis.com", "https://us-east-1.sts.googleapis.com.evil.com", "https://sts.pgoogleapis.com", "https://p.googleapis.com", "https://sts.p.com", + "https://sts.p.mtls.com", "http://sts.p.googleapis.com", "https://xyz-sts.p.googleapis.com", "https://sts-xyz.123.p.googleapis.com", "https://sts-xyz.p1.googleapis.com", "https://sts-xyz.p.foo.com", "https://sts-xyz.p.foo.googleapis.com", + "https://sts-xyz.mtls.p.foo.googleapis.com", + "https://sts-xyz.p.mtls.foo.googleapis.com", ] VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ "https://iamcredentials.googleapis.com", From f719415475e10e5af9ec75b3b13c57c25682bea0 Mon Sep 17 00:00:00 2001 From: Carl Lundin <108372512+clundin25@users.noreply.github.com> Date: Thu, 1 Dec 2022 18:21:52 +0000 Subject: [PATCH 5/7] fix: CI broken by removal of py.path (#1194) * fix: CI broken by removal of py.path Use Python standard lib instead. --- system_tests/noxfile.py | 32 ++++++++++++++++++-------------- system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/system_tests/noxfile.py b/system_tests/noxfile.py index 88f2e040e..592f52183 100644 --- a/system_tests/noxfile.py +++ b/system_tests/noxfile.py @@ -23,11 +23,13 @@ """ import os +import pathlib import subprocess +import shutil +import tempfile from nox.command import which import nox -import py.path HERE = os.path.abspath(os.path.dirname(__file__)) LIBRARY_DIR = os.path.abspath(os.path.dirname(HERE)) @@ -59,16 +61,18 @@ CLOUD_SDK_ROOT = os.environ.get("CLOUD_SDK_ROOT") if CLOUD_SDK_ROOT is not None: - CLOUD_SDK_ROOT = py.path.local(CLOUD_SDK_ROOT) - CLOUD_SDK_ROOT.ensure(dir=True) # Makes sure the directory exists. + CLOUD_SDK_ROOT = pathlib.Path(CLOUD_SDK_ROOT) + if not CLOUD_SDK_ROOT.exists() or not CLOUD_SDK_ROOT.is_dir(): + print("{} did not exist! Please set the CLOUD_SDK_ROOT environment variable to a directory that exists".format(CLOUD_SDK_ROOT)) + exit(1) else: - CLOUD_SDK_ROOT = py.path.local.mkdtemp() + CLOUD_SDK_ROOT = pathlib.Path(tempfile.mkdtemp()) # The full path the cloud sdk install directory -CLOUD_SDK_INSTALL_DIR = CLOUD_SDK_ROOT.join("google-cloud-sdk") +CLOUD_SDK_INSTALL_DIR = CLOUD_SDK_ROOT.joinpath("google-cloud-sdk") # The full path to the gcloud cli executable. -GCLOUD = str(CLOUD_SDK_INSTALL_DIR.join("bin", "gcloud")) +GCLOUD = str(CLOUD_SDK_INSTALL_DIR.joinpath("bin", "gcloud")) # gcloud requires Python 2 and doesn't work on 3, so we need to tell it # where to find 2 when we're running in a 3 environment. @@ -90,26 +94,26 @@ def install_cloud_sdk(session): # This set the $PATH for the subprocesses so they can find the gcloud # executable. session.env["PATH"] = ( - str(CLOUD_SDK_INSTALL_DIR.join("bin")) + os.pathsep + os.environ["PATH"] + str(CLOUD_SDK_INSTALL_DIR.joinpath("bin")) + os.pathsep + os.environ["PATH"] ) # If gcloud cli executable already exists, just update it. - if py.path.local(GCLOUD).exists(): + if pathlib.Path(GCLOUD).exists(): session.run(GCLOUD, "components", "update", "-q") return - tar_path = CLOUD_SDK_ROOT.join(CLOUD_SDK_DIST_FILENAME) + tar_path = CLOUD_SDK_ROOT.joinpath(CLOUD_SDK_DIST_FILENAME) # Download the release. session.run("wget", CLOUD_SDK_DOWNLOAD_URL, "-O", str(tar_path), silent=True) # Extract the release. session.run("tar", "xzf", str(tar_path), "-C", str(CLOUD_SDK_ROOT)) - session.run(tar_path.remove) + tar_path.unlink() # Run the install script. session.run( - str(CLOUD_SDK_INSTALL_DIR.join("install.sh")), + str(CLOUD_SDK_INSTALL_DIR.joinpath("install.sh")), "--usage-reporting", "false", "--path-update", @@ -123,10 +127,10 @@ def install_cloud_sdk(session): def copy_credentials(credentials_path): """Copies credentials into the SDK root as the application default credentials.""" - dest = CLOUD_SDK_ROOT.join("application_default_credentials.json") + dest = CLOUD_SDK_ROOT.joinpath("application_default_credentials.json") if dest.exists(): - dest.remove() - py.path.local(credentials_path).copy(dest) + dest.unlink() + shutil.copyfile(pathlib.Path(credentials_path), dest) def configure_cloud_sdk(session, application_default_credentials, project=False): diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index 345e4426c1fb59a310374c7d227fcede6527f4b6..6ad7ea0142eec8f6617e688fd13a1dd0ccf961c0 100644 GIT binary patch literal 10324 zcmV-aD67{BB>?tKRTJDG@be}ZpimrWfY6j$+SA96_}q~BN(qjb86rib5>OJVPyni{ zhrBjh|9snjQG|QEYy&h${Df|L2@6abS$Y_L^9ONUO*IqdhfN5Wp?s3+(71a|Ww#plyzH&`vpu|=m$bLMU z&^G)REEzMu8PQBBSVo&ve!g>Xy9#43id;%DDkcZC?csMy*FbatdN*EnpWK!=3kWHN zp%73BrIEQ;1vfxZOmk`g3EwY#%B*hL_W*sK@OiHPj|?5c!ecXi!rBWLYm-^_&*&$x zvbCC8bajI}A0gcGOiF2d+PzxjC^b}rbai^{J^l6)-esWs9iC0)il7cA7r^ zOZfU(Q|c$D5-kr%%HY;*dx&59>)DAVT0dd&l7D$`1~{$f=ibePX;zk2d7~fSe7;dC z)(h=%=vf11?dV21YoJ;EkUc3=Lzc?h>!wiVK}V$y{|9@>wb&w|S4>j_ZHBb}s)YY^ zd4F{UxW7+<;e4bp!JGJmQ@e{7vj~B-T)>oTZj^Cppch?4ky<_%ef3>^Mzx&A?$K04 zilsT)Q|@Gqfm-^-BAslHP=1b9MI7Imm)el98dc2Oz1e2!xVzJYJ-`uz(y#_r0t@d8Ve?&j z^EymNr9bWEPQ7~DvGyTGn{9|a!)J5RKXD0=xYsBqaob5DYlldNiXpw^msQGB4+fWz z!e+u?jeqWMPWrnCdutHA;ijDJbLO5e6x-L=-f*CDuZKC}&if3f;~BsFpyV0add8N2 zswINip#9+2kmS4LDgS*~+p>4&ExlQ2k6cy?y`Ek``&*-?i)f2u8Pr_4+jEyNa&u=9nyjNW7a7d5R*Qeep>ZVepDUzvaH3rsR{mFuUbFOLO*gdh+)F!pKH2f-Q}oL49;Fx>XB96sWBwveYHen)&7O1ko~>OQ~-*ZbV!i3suHI zBA>b0El}H&O%yhgIl3T{p}xHqHZlmqiqCdo-(E6pJpKZM)^YsTR2MJ&2~7esEnaB; zLJXNf6{_?p7ZYRPYD0NoXtP3*L?NkY@W-D17fnMJV+T1U=|VuM3-wTV5JM&eRswNy zWbZHI{Jb20QlwiCgVLAXK2s2~uO!IoG429*HyeK$ea{<+w&r*)po%G<5EGZP7_(ZQ z98Dd9t&BB0scz0#lAg*>>)>?EyE378z&a=)S|n>fv09CL<7&w zK!bA^_tyiv?=mx%5QyI+Jh-bH#T z_|+|7k$xDH@KxxK&GFy5$`Fx(98R^QFV8#t50Q&0jtggPZnp+%N&Y^=Y zE-TtKQ?ap!bQbtO@(JAz?A*#M zZ326_tv4TyJ*p^)b*hPO*e@oayUI%Hf4QdJcgkNCnNa_%0P_0BT!H0YS7qW|&1r|m z%k{(PRn-4>@UaA<0jQISA$+$et%CxUFBQc5k=xXC>l!~%Nm2o zICk1Ei5B6**FToT#bR)UOrvLlFHPvm+cGK6l_f9(pan^r470?WDnRc&gYxSeN_+sJ zd*ldf^ljLth%$S|Ks}n%AGXPecQiC9K8 zJ?k|KkwdC2rG=?#$wQJ+_itf4xIBb8WKnh5;qLs)un5R)~O4gehEh`G`6NSCQ4r>4V49ncuZ2KVxC2h8EyPaHmZf<7?%zf4> z>cJTd0{?2B+$n`o62Pd=?}b{tRj8mBQRMOj(!{}R4dj3<&J$H>iFYh3Lb%fZr+3uk zyB2WADl2YlrCWn;&@QV&@X>!=ZA2%l6=jQ%jo+gddHqM6T93$|kVT4OUuinoaR7UY zoeR5F;o=p5dT|DV_c`lC85ehFmjXDHl-i;E*ao57@^E4|;PZ*j+_+d?ZFo(4#o$*J zVSK;Bu#nu5L^l5uq6ds1!ToEJIG3q@A@c^-OCGo zyu-tW;!MlQ--~AUSG?jBtj!j{&!b;f2nX_(1%V=J>fV|}U+ekaeA90FwO@WKhX|ak z@#W~IBj=D}TEo9#=-&eAgZy2&cBs@QC1F`V&6dB#i{hEBC98$Q&&6zZ;>AHgV>YJI zEQR`iA)W*u8OwpYX`Lc|C^(cEo@6=C+=-GCAo^AR5R~y;9`%wO z>LFFJ>Jch>)!9J9Pib^Fv^KbO>~DDLw|F<8ydmK+utUqZAjphi$}U^nx+4zHM>K$G$#CvcRvj^3)^+lljWTQRsAN3nJm_U#vEBIBs~g*I6B zbm)G3&CRxCv*^|dy6KYc?tQmdMkG)FV*4q(K8XEo=N^KTC~8*WGy{}syuNzbTh-E( zD2l1oPtV~)Q?HrPW*B~5la6Hr*)*XlVh=bPYAaj(d%tP&Hb1*oj25*;%AblE z8Zst2fhw~01omFzvG3Ah*}h@XgL(^BWbs?*`Rl5HqS!&=BM)bg^C%;nv_Cr&8JDco z=;|u@6H6oc+p_t`>~T!Exs%LXF{q?WpgDd&GcFOAe6%b4s0sqpi>Q4P055sOsW1*n ztB`Wa(b1Vqr_yYNk7@D9E2wolzp0Z~wa-L5)2Vif+ir23^$$YrB?mpHEZK42VWa^KoK| z!6+Zr@6{lRn8G}~W>H;!70lwPLHIkkx`=z!iY81$TpbEsXk(*H*CZEiEJta zaF7_T^HYN?BSDc1-@u|)3teJgN~DihARdN{P(5YbxUgVppK*aPLMYnCfy(_Dw>-8j z_p?C8ZQn~K?UDD<#}+n;(1N(#n~nh98FWT42!V)1srY^sE}UK_0(2z!6vi$oDfd}1 z#wm5kIL_-$e9FsB-L}OSn3id;pV@GHr8%);kW07aW^biTYSr{*P0T{M ziP17vRk5m-AWe+fDQJqlU9DKcf3olV~ihw=XhIO7EqnB`L1XmP*hlHlfZ-KEsP{snP>CqnUTQyqz9UOCWB6KX(U zttHuQ%zb2hP&7}9yp6V4SUz`B2%6oL*Up{7n8ojDLf$T@CdC4)`5v-oQT2`ZIq~W#7*sgy6J+8)m#7xC?Ra|}iHWx=xun7PTo0c

_U*%UX>a}5!|9#ujoBu zTI`Aga@>p~Vky%n+D|WMGnX#Ik!kfiwJdaoPUk)Tg%2iIlnX9xCiX~}QnM4T`Ab+n z%V;-8TiSp^6~3x4x?y7Jl2gzH`V&s->gS>~G)H_Ct7l9nsNh4WpsINmEgNwwbxyci zgPj*Ln=LdYP|h%#||Pk#hi5pVSuu8Ymbk6I7y$G%}F|8TOFzD8S?5ItiK%faO=RQSm zUeTPQ6jIlDU%sgk~n{xw)y zS>c5drnj|&6C6qnub3$CyVZV{kEEfJJjdUw6-p!jElS|AqU=$BY(4ZUjgMMX9=2!IXI&OSAUL73}=O1u1z ziGJ$wq3`@C?0FtaC&KBz+r0$*;{1=$5(!0e51)7EwI{46JB!Wn_al0r+Aa$!%Txo= zAIZ*BbmPuI{4OWjyj0HintkpUReTdrd($V|ouVDI|Fmkr> z8^A(G-1{^qw9_&u3kl_S=3d6zATnF-4ocEf4wf_`VeC}vKI!PZQvSnHz6_tD zjAbz8t<(09;=l*6+Ku=(+}AD(Yw3mEvpO&3@(;q%oI*EFv0kkNK*n5Z7T04FEN zs|si8m#=MmX3;su(wvxNyX=`xu5b}SG7n3uE$GeGa0Vh)zY=od!YWkD_-4dO8;gN} zrru)IH)q{9yYl)GrEu-OD0hVWuu=O~>C~2RR2F`QpG^uT*l@5-gB#3>D`Ag6obkPz32W18`YWE>j}v+t7PSVX+-hw32PkcswQe(s^?j_45zF;U+`8iGrDU zmEY3`27G|!#Z2@1w@K+68=Zq2xfHn~J@RhlrU`*xWG0TxfzII15I1*<+7G7@$Z8<+ zmh)m>B`ba2R)Md>p!gUyAZYEYPkfGbl#9vh7rV$zIy8uS3>;u1Kao@Z#Oc9K@-$sP!hv?bIJJl zC9Ld1!WuE^-bD9EojBzx;eSmA(<2i4n{u#5q`S~=)oHRDGB*L;^y9th9Hh(CwTI7j z6+?IlBnlsNDS_NhW3+((11aCWb=LjeRMOm49=t-MHaqUy}d zlJnQsPWX9XYqLp9nSlfsr%^&!Q>l>CX)p=?Mn@M$r5hrl%&q!k#VbUcaieRQ$; zZV2PRn9Vz?y_!dZxvaK3v-AsfM3yd%>iWuKvpweSMlqZ-Om_y==x+s8GDgLmbju$U zjnvWXG;zqnmY3GNJ!9s=sNgzOl4QmUb=l~DMyXD4X_bCF6!)#Q3$U&^==zKnsuD$d z@T^RptWI2rUMzA3%NksVxF8}(u)lq2jKYJ`<+ZZ66&-z3m!PT?fg9hY$KRD5;E#Rs zphK{QpN{^$O_!8s%ZILdRL+EV4>}3EbpZP1J*Kg8%Ch_3WsYZ-3$b9?KVw-YO346< zdrBd5Xuf4OgXDjSnEZ=o8qW~i#H-vtI3-N2w5#ppL;UZxqx_b|wih50j-V|8@u(Ml zQiP*5N@k`=Cx?=RI1Fgt7kAbEV^A}N#@md22BuBh`X-pwJfiBGLhBFDg{`7d6XiBh zNJd(EDizueDFp>w)xgA;Qn{i6M)U$|#h&PFQjNp9kUNOUs|ppAg*dyBkl=&T)k*E( zNIY{pe^sWC@!rjA4LN{Rjd&&v!|`p;>+ zp=NNKkLG4xvkyPhdfxUgGag)+LNg+%>iYlO%*>7qEM<9<%{>(F1$D^5<4CIn8rdKm zVFJxbR=FW5Qb8`%QZs;2D3OUgKfnz}L#Cd)d>fd1T)kqpXvc6US(ZO?nBI;?R?a@K zX)<3oxL$T(^?q=-ZkTy^#gVHk5N?y*4#&9`_4T}c2QEp!Q%Sp(55a?<$aRbg5n!uO z;u**zNHBIdG3$ebh;_+)!U|nGc=_L4YB?Jgj#9RV-F@VnkK6%y)+Mi>7_tWZ44mnC z3ax!wPLTS~?aG($yT!0OOhd+`Hi3FTQwXRL14DgEY3;V-#0s_c5$m#YfufQ&V3rX5 zWCTTArE}2wb!~EEOd&rkxQu8oFZ?je&J6M9d8yBdYZUD64@JY`coubZsxkIx&2-IL-gE9b%K4z&)5rj16Yt3vnc z`{4L`fI(@`0b3?Pbuv;B?aGzyq-_t1N#^pKY@lp$6YgbP71VUO7xGK`09kcWs|=$G z-9Do4&{?Jhj$W`=k`64KV$JmTE|+mGkX?4z!bh4J-PamZFn|8{#s*~)!tDNv8l_SF z=<&6=cYAi>aVY!lUFgm@QAwc4jBq~k2#GmtySx_ivuLfb7X_)A=f(-h)flb(Jpcm< zAh&QX?O&d*AtDBczLhh@bo-AEUb-@DjJWjXylb$m(uG!}H1g_)#xI&Btoc=V*^BvvMqzpKW;`PLjym7P(M?&yz zs>40A0LX7vHKUYKvnwef?az#|&4a>tqGnU*39rJl61+2hIc4 zP-VSV9IPr{;g~fLe^{*L1wyxVn#Z$5;^(yHgdeDQ04fjR;<1fcWKs`*dR&lOb}^)8 zM2dm(4F1mU+B$;~aaTV&`Sk z^5ivG(Y8UUmDt+Qmnf_Vt2sw}-}BbkvcONbe85g4Y*~Ve4ih~?->s^7x=I(lBmt5{)JIWG2zKX9cFO zNQ+o2mIOU^YLO+=^g%VNp9uyMsLZUj(fkO~h+J56iGQ_S-e-{_x^j=fPN#pbS{2DkAzffUkg4aV`o3`h zOZV;6^2(iSbNbW)1if%{amNx)JnB9lBkz`z@Q!7=0t(1uFLGU*4Fdo_4F%@XR^Y1j zvjjbmuW!*7tFO@`P=6`|C#N;x1RtM(lNmeqoj~B#X0(00_7o|AszSPgw$tolQ=A^S zY13!b$*`G_=}9v0Uv_{}>lkQDt%CydFqsN)N4PMIF6_BpsnJb=)n$}YqEJ_fYBDdo z$POZ?<^)n@P7B)VCTa=b3P^1fWeEG}X+Nr7<=++oV-8?{9L`N!KA&40Ksi}F~Cal%7i z{(Wn4uq7@T7&&MaRr#9GM2=~_AVezv8l@l6Oq>w?39{vB-l+%g)jXHI4n=~OAKDwB z+2}m)9R4&om@WdPE`pVIwpECY2pT5Hbt*2sN;!RkZmyu>IL#XSCZ8_-1;6^-gf)Nl zlyq^H9nQyF3zoRP$feG=+7m4B+n!Sotvrm|5jUwGB@9jfaZw-QPsVGGVq@2%NI*7N z%GsaV_W4bz(n{m^DwHiBFr#^K>HVqWR@XZOq9;t#*AT8}dH!}(cDqiidvFl4=E~T< z3tuLs0DrbTU{Kp0S@=9imn`u{S#E=N?+X~N@c92gzyxNL35%V)t!yd%0ALl)d1^WY zP;ft(jVo7Y%A+P!_6OwR&8f3j#lmX|(g7foD;WYBoXrZM!hjLKe=BZJlQ$3x+AD=9@l$Z+(g6nPW^DzE3|8|nzW6(imlev(R z>FRFXiy#xV`V6@Dz>%4+9n(nsaa=np7U2f^gB@*FThho$?A4DIqWu`@W?>Z5B7ivm zL$KLdoolu7hAeGepoHuDObw(mlr^1Ce%Cb*lrIza@_LZqutzKwiq+lk)VbetQwiRl zQNa^9r`tZrI!jQ@XSPrItn?RY4MU?QnvcyLa8{ZkKTv-aeN$wN^$|?%`v=G zdSx3a05Kk3DypTe8CIPE=3kh$2}#FaT`c3p6k1$OemB<1eIG>d5GCx8O78KEc6{fcnZ+HalK!B z=pA%q+P%{$yJU|U+NW1C+cD07-C9%0#pzyXZ`Uke;P4L@%AmWl2#227Q!LsQ@Ft9~ zC5Eu6_OE*N2~nl>%k!q7GNnjD5W}ZY;lqzw4{=B{E0ssMwD_p>lyJ+JKZKoy+t;{% zDEuerC#$62lmK;&$^;W;UMVo#WL3s65+0!(X4B5-^kYI+%AQ(5SCf9uAaW??>_rAA zZ*|p{lL4HdAgfbo#R;Dpebw0sh6L??xGS)XZ+v(f?KXx~K?e1co+zo! zUs1H?G7PgtF6uOq%XM42Sd8hU!?Q;QP}(g54&Xi)BJj=ykOV<|tB`$QG1CCgig+RM z$f8LfooCp%rbAO>i(pZeBL5>GnD+#?7m30cUf4p#78zbvO!r*@IrpiYNr=Ac&Y8fU zmF?J86vs?X5rIRt+42Q{)Y*gg5OER~;-2TD=hy~ZFXJD$ zd&81us2SyVBRShQP3mWid989XiZ6C$gvR)k=ViLv#?mkVpD3#v4v9F+OJ1bgiH}PNvLFQAqLl5gIEtV(5t1@Kkq_!{=#&RY0C-A~fBO0y_n=Kf!G)ZwQ2=kVI_6rv$W?PceCF2Z(z(z&8ljr15N zb=%xgy}g#HY6y-StOKvG*KTvMt`D#BeQT+}G&}XZm`a_?jiluO@B+|9)}kxm@X)ha zJgF;YjPVj1JgZKP7EQ9GVM#dWQfLcGS9wq?v3igRtu+mgDGSus8Dv|qNJio!n(4rJ zg+EyCIv^gtNUOZDlCoQ7IRfZ&Xx&dv+UAOPf3v4Jf z1)tmXN=y185VxZ}h0&23LNOC)%xzpyCDXIU$}-ODK4mD9yICONnB)lbdc>=+fX&oqfE?NqGCHY1Oby?@;8Pog>Je_WIzey5^`K1rw$ zO9W)*PJu}Uk|8@506<&8sM#F=Q4VOhe281gDn7GM{QRP)MAgX2DFm0!hF4r8z9N`J zi#RHVS7BxT;`k{yE>8(16}aBGU-0vKV7 z@LnOKhTUC^({lX5^`RFstO7)4XPkun#=GwR|rL1(#FU_AP z#J{w84TE}Jp9^Ey*bk;gW}r&x*e?9XsdN>vHB4W1?r4G@p)2J(Y+p_9&a9KS&@||! z3m+i%0cu-9y8xsOn*i8z@olWOxGTXF80jkg^y^Ln%8)4fo!dC{-vpMvw_DGv&aUR? mt=0(S8dVJQx+(^fUDK~N0)hlf_M82tKxK6-ReaTx9KJ0*Yz8p^ literal 10324 zcmV-aD67{BB>?tKRTE3dMh1AyPt-%Mr>migdzl(_KgmD*|cLiBvQ3e^l? z+ylwSo0$TvY$jv`A0;$WRyn&Ex=19nAhBmSfD1V3c4YH&x{g*SpSXNoT9*2xz&rLO zaPh(t{kT7h*$ZSofzMR5N)6oM(NZmF^evc z;*pp{gCprLcr_fz_Aq-(ahdIItMX;ggr62CgudZ&QS<#zGyCzSho{;_i-8FFDB)vt zC1z;OZfpqFgjJ)gXwv^l?2T~JOMYJgJ$05=^)TYI6*6lRwhdH0LMbEOiFvpoU=3i> zg{N4i``q{tTR(wEpmTu(MF!JFu9=~$L&@NLszA;~l@Q#oBT&{_5bgw~Sk>vaoEhkU zIk|{6vTebA>R6?&aR8_48OvH0YBAyxK^ zO9AycNE(p)Wo3{=gaB`M$egRW0(q3LJW<+-Xo$VsnfS-^sEmWxpK&HD>M(KUN@$^2 zjyeOoarobOcoAjsqU=8IY@^XA>q3sDwGFRzb%?Rl7I##Usaz3=QDkbv>@_kr>fVgL) zW^;fvb}7WGIY^Y95XPCH|5OaZPsR_Ja6*O8xuDwg?|EW)E7_d)v)9>)=+wtaMUgNo zgm)NI1N^g{s$eU^nUXYfA$sBel^vv#aY-ulf~L~o7jwedR}H#nUg-9~BW>o0s+c!I z4$MXLQ{_0(`_m_8g$y+oW}rJMDz7bGZc-#692&{P06t-TJ=35FML_Hv*~t10qHAy zv|)j06J+v0_Q8*gPM+xwg6LUmyYwN+^>cznTIVC){A~C-bHg%C;)luOGAF*OI;N`K zY$cbOF#;xw_-*jSRANUNXWAR6H^$42Y7|Op4JTW!DZ;P8+9Fpzi9ju~` zZfjBmPtoUNB%s;`Cj(yrA)Tso$g^XKd|D4-y-zThXOU<9O!>m2Ze9H{KE78&S3K~C zvv#5=E-Q=4P??vQ&qq4}v)<5)wB_m0d=ZjZ2#UxB->1^R2|BhN6Z4&R`-H#(oSH1? zZP84$lhf_bZU|8NT}yS}mDc~lhap&;;V0${`N}G1M%2hi<7KcQMutxfl_0iINXg#? zM9%pHIfUnpYs#Andn_U@K{;L^Se`8f`YAjmt+?BYU{(B+ zknGX5)$qF$mI*yk@|F+NK*7Vx6*;v2GzYw~N8F|z=%9>fg+q##%_C)wt)POXzs`V zl&F=U`>_qSRwOIv?N|e=8sJVN>vwln5%*iHU}m-q#D^SZGGsDr?fk;ZSvd+;&xNDm z6y^61InZ6f9`*b%+HLwh+RUSgr++%AoR?QXc?6)N`*C&4-W;=^8gai*5cXw9Ay(f?)${b_Q@NepTxwU~;62zdLm(XlQ z~XdZC`ASA-m#$GopEtPc8}dmz+oMz*GncegtlP=mui zEy1L?rVchm%}!sfMyyhTAyfGj``?@w#|HgvjR@zk6lhy_y&{}tvpNWN|Az)7ICvW5 z6N>i%FlgloEZ$rAf~-e&h-N+Vl@AT?tz+(;+U;OQD3|?kHAof|&9QO(eEa$~R;)zi za8MoN(%>{5*nlBi5Ji`u^XjIPr`cy#%PTL!quzkOle1oW?*JA`TdQ1+p^wK;v|J~2 ztx78sDrU=859Zf1EEy1_w+zBRjXR6l2NXJDV=a zqrt(YeNoMf25Uo4#2mky>&OyJnaO#>SrNe5*Z!Q|*IKf|zm~3L!8y4dEL(DIg|@K~ zH4elaO$Q&FnQhx@_CFIB%)#p^f?#Z`ELxmY)>6$k{>B~4qkoh66;?wMOH(5Slm|wU zo~&%IPj)!O6^aB7+UeFq6|3exHt@#s!sksY&#u*Rl)G+ceKPzn80b6KV>s4OXe6tU z(b=vbKSedO(vFnQCD4Y4@>6q&?YTJ4Gzo;O9Jsb1%F=8A@dtJvf^aClIs}kv7ORxM z#+6Bz;K3t)%#)9uA*WZxa);q0>o}NLSfXR}@gtV+NSOFldtXvTDLjrJqV_C-0|n=MLU}N$$kho>ejjr0yLt9cR<^61@arN1#3SE_Cb2bjOYVJS2$r5xkwN0G~p$vx-X{r|bf&{=&4-H=jv&1g^%Ptbd?aIV(C% zu)B(c$L68Zwa%SB$z>!)X`4DzPMs~cEsow1L9>Q)nwlKXi;F4N719s ziwIfQoe{p@cpVH;v9aU@Wd>y_qbGAvu-C3-=(I1ZJ%R+V*q-)GC&+9oK~C!CyCFt+ zc~YiXwe8AcAcmY`sYm6Q=BV=Ukk%yGOZoY(UEFDXz#E#Va^E%Cy;R&S_urH!F zCTw6~E_VUbr@;DKU^~up12KT|rOUbDKZ6wTmGA|-)7%KMsb>Y))$Z~QKbHM(YZQnP zxdFd{Mcy^wp@yC=^8mYeLVs*>cttk zr$?mX6M`}#;vvdwllCk>+`Kq3X%IN4BD)n#pr6c<<2pH57{w}Cp_;C9NokY*u9 za7>U`cju{2m4b9;djj+j%$wE&?(wIx`R~RNQV}5+-fAUM_`~RQ83;RSuzkuuZsLz} zl6u)4T%Hgvy?WXK0Xm@dtSv3}iSLfXk@c?RR3?2l4faO9CYLPR316Ghv~OcQI80QA zXL30Vm%C96ncq95lk7?uY7s=c?ssI_VFOMYuueiv>VJi4jSt=O#Td>q#+JUSrTxq! z*y*(|92;>sEzR_5zX-6XC$#E}{rEuAevg9zB5-r*@Y#>y9xFuht8tq@E#rdSqu*4M z&8#uZ9S8(poQ)H7^mGeh)J!vE3k3&>6=ML_OyA<0F=Lf| zsW>qulI%-$sM6eQhI?)Q3*8vLqG5Qx;h^6J$9jREB#S09#_boFKPqGtG0fq6(P2Pg zgK(sMRpvYw;}9vu$Sxjk8%qJmQn&f%=;EqXK9x`};y~x8d06}nqGVglkF+^Axr;3I zu4ooqtW3fzku7^W;djF$Vu`N|;etuu`q2cz>gYR7*`-noZvV7xzo0LZkJ0Yj6jDQ6 zzLyANL3(EWXYd~UGr@p3Af~E{QUI6irAHRzH@*G#ZGG#8VlF@)SU8uCoT)h9OsW!N6NTBE1Z- ziP^apJ0BF)i)^#8|K!699Px^_tGJg#PR5!YRZ{dX=u~}k*(7Awgb5vsy836Qq@%eZzBv@* zCfL9D>9)tQn&&k5P|L_X?Qf)<8|Fw5aXV76`Znh>sIWapEh=$}dcbv;!axvV3(L5qSzO9^FkQbVPFCCn(0#y|AIBebqAbv$F_`zF*AU%U&DL-RSycVja)s>&o1BC=fZO%D(uzD zNjwG)QxZ1j-eCRe$r3uKWHqE^0mof6zVP2ox}+ZWU#)GXgWl}Z{O4=LrQ;Ma6Eo;~ zYC~!lXWJya1F5e9;|SJIwX-&ottkhrq}4hc32$+2MsdR0noT<^-?2Y>??*ZD6 z@fNvrYOIl+NB?cW1oky3U7nP$pY-yly?e=ar@^vDbRF&ExzZ~;UUl@l6sjf?s#cOj zfX%Tb=c?fT%*Sia9!DOhx>V`WJzH?~WWJmKhha+H077mN?=a@5JIM=NCw3lR2JLRi zh7;G3!VbVg^y(;~Ho28e)*mr9SX*#oBdvaI#E1NvZ=DC|&p|GoG(l5V9+blrgCbQw z_a-i~VM06PV;cYC?@wjnKpqLsh+EZ!8}`rKRNBIvZ#p;B48AHmv0y9ORA4m8EX?pS z;K@=7_Mg{1q&n9aDjNH7)e{EZ>WhvTwnE_v(rlCFSn_Kj%q7$%wTgSCH?vHc4m1bE z@k~Acjao-BkKcDd5r=*E$wBiVK2~M+ce0?cJBZdQW?>3K!_6 z3?Cz0yR-=ZxDa|1H-4Fe7dUKA&reHzP(q`}j^>JDhxg9D5lc-A(vWiEj?;~-f$p^I z3_n_^N=(g2hw$^-dL7oqX(9MxOy(m$KZA2X8k%C-a|K)%b>D zfuXG7lEC95J3kdRGA)@&P=2~^npZi+%VTS({hMJ}qR#VQG7W+*WYM_~f(7))84&Ad zN1g;wU=@*V6i-bU`q`tg6Pji#XJX7Uaobb~prvn@f3#4nkD~jJTV@%Nk-z$v|HNNjZg__H7EHvnG60%PjX0k%N{v z?yu9@CWS#~Gh*A7;ZgP-n77NI=lTjFr5%@lf61*I4JtL;M!>wVBH*9~v^?)f&c5iy zyVZUS%2_fzzuOH1e#Ti#qd}aA+e}6+Hs)ALT(ywcd7j-)M6B^7D))u;O2Abe&HW{O z1q}wbe5Ha#bZLwhB%~$`A~M@L+VsrcaL>sFUrk=b*vp6ug7r9t~*qdl-L=u#h z5piA)cY;$Jh4U7kHi5S^`sri@ciI#&cmwR!CvA zYS|Krdnjob!C3tPLJnU?P;Ke4Vk@hZg6_FAAfKLYfgQ5Yzd`hyLgGkPS@Z}{3K-JW z(-FPx${D=%S%^6M-UID$euB#yMDfT?Rm!c_+ePvwJiTZPiTNx@j2JYI5#y5zxt4fLWwp3Q`T|rj`Ha&0kd8bx5TPbm%bT4JsejY|Pz;Ww08jSn zB9jo?@@b8CGt*dHe|ktidjtOEKO718@zA-8_ZJQSRZ@Nnsj0#5M9`!KmeAhUm^50e zpz%=nt~Y7bKM`SQ$tK|CQ3eHB_CG^CzO~=}z}e8HF%|P26s-IBQ%sMd@~IU_WSYYH z|4+n00=VCUjTT<`(4QW_#u|sFcVbl0A<&JWa^BU9HkI>v$d>afY2qoU2L|(6Asjbb z;q|^m&}BRkDV>rzW0}Ss<8umpO3Ba(%s`yO<1Zs2p8fx8ajvByK#|2ee4p|=VwxbMp}N8`jPDYbJk zVI-P-x%tx&#d;MfZQnnC7Z?0d=CpSQIj^~Dr?u{&gG+U{Orb5f8Je+0HKE_S^iur=~9$N*- z_O}%gpo(|5wz~s)d{}8gv7FU|K}ud+kzto9f1a_`7_$tY+9l6(6|-z2@ocPt^{30% zj>!#&`sc9^nozBE4yq})RjIf&&m(clbtk;m>41gypWcMb8OsE6!toO>X#dK{C2`d{>n2u#UY+@Sa8 zUga}foi;8CZ2T%n7JaT|H(wd2GX3(|yNned0%T`@)_0FdcuPnOGP4U&$nWSW4umf& zkL(&j5SY}OxjMl!4Uu3^l6ML)C(l`wlo*VcLht+JJKK`~vOUHu8E;rB60!k71bhy9A$=4Dy|W%q`wYfs8xF!c@T-2f?}!-V zPi#M#CWk8l!mlaV(&d{jgsu0M*>D(-lCJ!@c{IxYJi|2U&@jS&pX@2g6-Za*rPRE~ zRkre*`#x9m?caK=y~0wBxV@r0$J|7Qb0dh#d4=*{&B$^}xFdOVDtW37Tgy9BC(KKE zBnK3^uMqsgOoIHibcrL8v<}3wph}R;03B{$3}Rn=qn?f|or8^QbwNKh2JNuMT1v~0 zx;mG{D^r7TGx%HUlFyhw1OV1BgjEre+(hQBJHJ6h&wh-x|-&&nW9b8s%^CEK2ECm|0HAJ}WV!Hw%H zgcVoCU9KogTrj=45g(dH2t}ZEg{hFwHTVIxqlI^W0zN{l82v)12MZ=y3kmN7Nl&CE(6l-W zdO@mA!T*{LnbiVysBSg`+`V87fie}1 zJmwzhs$#NtDx?b*R=!ZfmY1<2t*Wr?N_1knH^$>hpLkhkq+Nb&{Hkg z>%UU6uLRKwypPe!TAuZ(SrfV`D_pUBm|$p&+G@m6e=kcJiW39k?Tvel9a({4VCms$eoVZg>?OG9mg5R! z@+tyG)kK>g?cBCmGfN59YQn;X!)rHemdnE33n05@f^}P^UnL84`^7dFJ`VSP2R_=@ zJU{m5h5Ib(K{T;PHUkZI*t#%wvr_AKWhRQi5u94;Ge+%1b@P#!aiyjsg7jECkF2<;1qu$9 z%W<&E`SoEPpB&TpbKXru`X3eFhAFvJX#Q|XPyu&l%wF-ijlt``Xe=*0*^22q-x3i?w$Cu-bWKo?svbA|NN@jp2D$n?`P&cyucbF*n|J;}Kp<l6lU) zpbL@(e4pC&LyC4grK23NOV(2y&K?Rlz54Ci;x49+yHldG~1vmqTtpg z@`dA3U%}irLk;U#VE#{&jFk873y|#p1XjtMfeTd!YMLRZsCM0xp(J3}OfgyhI1CQh zEdeC|oCoNF`<%kb?c=p<2}qjg_X{}deSVrpNoI-K7SOSZrV*{ym!FO={q$fd?M}I3 z%Xfi`!rE+HyJTrYv_d$H;%s{AH*q%%6^>J-aXT9k?WjHD#!5=_X<;d7Xu#W(QZwte zL)^nJ+x1GMq&V_24qJSyM~)23BBqc10}Qd>{LDX&xK0@=23EEGf?EHyFUf7Bjjzv# zpc@idCC2=1-ZVe3^&|Ft%KS*zuj&4EHMgm+?RrCz;72VB+xej2TpnqdChFSbQrA=m zsWm{ED#_Rv{+X|0;g{%h>SKCuRhmo)`~tC5z2~%!*^x`&ICo-6Uot6FUjdi7x4?$F z@i$aemR`2^4i!!2q-MW+dq?98TIer2V%bAeFo@r~Dm*uWALBG_2=y{NWallk_Nz!% z+-#`9VJ!TWO3{3V+%p>rRWgT`BUfk^V4)JB;aj@*+KQNOb$bU*yRdAuts5q<_VI21 z;OtW*=n)BBM`bFdZlXRFIaYCcTikU71W*$q^Tkk=2O4dAu)ctvhGkbZkq^}8QIj={ z148O9nJEmlCn+Y1lu^en)Q;nj-D$kP|Xe2+7NdhF^7^`Gf)ST1{w$ z+z{cM41W}`(oB}+-w6}#!(l~FHeu1pAdDwkIG0I@u#AiPjcnR~Ps+lTwYH%)U|2he z=Ux9QbC1`rHo*&oJ}YPz3k2cqhn?^c0C{9eftD7lt6m8z-u#MFLn2)JlO+PyhdS|@ zaT_c__}zQXa$U#nJ2Nmei1)SwCYo4M6WK`FVEWO&6xA#Hsq>y;;drT%Cl1A1(VGe!9D%xHJiY;lm7yskJj`Co;EBUW!(m zy7Pj4)O}@L0G|pg{)An!i_!}j7MG|#ZWPYtJ4=EY<85YJVDAzE^SL zJy~4$QdvZ8A+7@6-2s?b8~M9TFPX>|D7MCPjckB!+p}@xl;`NtiZLPtRKQ+o8V!-E5r=VZxN5>46(d-9sIsFyNvOfCoCnqJnI0MC)O z-pyluV$JEMsxeVdDUe8z{U7u^JPQf#g&WQn-~JNQi?1&2*!_vuZXCl)lAJjoD_%28 zz7mq-p^aU4$%Wf({PfBp4k1=ka7M7y$|!~z6y!>>_U z_eQYO{9h0|zZs8)vBz8roJFCk9`=Rf_jsN>(^a<@x29QFn8l)00u=E^5AcFMDo%b3 zCUr?fV#I&!mhDaPDbat!5-cuQ#~<9XJh}olJlJZK7@|UQMccb(IzyGwi&f>p&A!QO zD}(lkDT}`@t|Ml=cyoOv`F{KX4s-h-G_8rQ4C(jukC=v+LR^~fsv?}c&B-u{!N3aN zvP@nOO^a>OcQ*jX=YOT;a%9H1Z-!l1uX-ooq_S5+M>ti?>GfCa0%BGod}uGvpQIvG zBIl>?M*}@&oM!rD>JWQH&)7&d)!R<<%1HwpSybQQQ3H_A{$UgfN^tmDxBPVpJQ zxw)bIl=uq5!K@P_LSPp`HH0+HvUHXBnf^GPLFnjn332D8Xf->a6%aZ@(@W+ge7QEN z<-8d^dImHlk89+>;slpfez`i}GH62Qnqy;?3qU!E1iS6UvZA2aGuuGggs2Sh)Upk88 From 189f504cbdfe043949688dfe55f3f449befad991 Mon Sep 17 00:00:00 2001 From: sai-sunder-s <4540365+sai-sunder-s@users.noreply.github.com> Date: Thu, 1 Dec 2022 20:13:34 +0000 Subject: [PATCH 6/7] feat: Introduce a way to provide scopes granted by user (#1189) * feat: Introduce a way to provide scopes granted by user * nits * add rt * update rt --- google/oauth2/credentials.py | 25 +++++++++- tests/oauth2/test_credentials.py | 83 ++++++++++++++++++++++++++++---- 2 files changed, 96 insertions(+), 12 deletions(-) diff --git a/google/oauth2/credentials.py b/google/oauth2/credentials.py index 8f1c3dda4..457db76ae 100644 --- a/google/oauth2/credentials.py +++ b/google/oauth2/credentials.py @@ -34,6 +34,7 @@ from datetime import datetime import io import json +import logging import six @@ -43,6 +44,8 @@ from google.auth import exceptions from google.oauth2 import reauth +_LOGGER = logging.getLogger(__name__) + # The Google OAuth 2.0 token endpoint. Used for authorized user credentials. _GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token" @@ -79,6 +82,7 @@ def __init__( rapt_token=None, refresh_handler=None, enable_reauth_refresh=False, + granted_scopes=None, ): """ Args: @@ -117,6 +121,9 @@ def __init__( retrieving downscoped tokens from a token broker. enable_reauth_refresh (Optional[bool]): Whether reauth refresh flow should be used. This flag is for gcloud to use only. + granted_scopes (Optional[Sequence[str]]): The scopes that were consented/granted by the user. + This could be different from the requested scopes and it could be empty if granted + and requested scopes were same. """ super(Credentials, self).__init__() self.token = token @@ -125,6 +132,7 @@ def __init__( self._id_token = id_token self._scopes = scopes self._default_scopes = default_scopes + self._granted_scopes = granted_scopes self._token_uri = token_uri self._client_id = client_id self._client_secret = client_secret @@ -155,6 +163,7 @@ def __setstate__(self, d): self._id_token = d.get("_id_token") self._scopes = d.get("_scopes") self._default_scopes = d.get("_default_scopes") + self._granted_scopes = d.get("_granted_scopes") self._token_uri = d.get("_token_uri") self._client_id = d.get("_client_id") self._client_secret = d.get("_client_secret") @@ -174,6 +183,11 @@ def scopes(self): """Optional[str]: The OAuth 2.0 permission scopes.""" return self._scopes + @property + def granted_scopes(self): + """Optional[Sequence[str]]: The OAuth 2.0 permission scopes that were granted by the user.""" + return self._granted_scopes + @property def token_uri(self): """Optional[str]: The OAuth 2.0 authorization server's token endpoint @@ -249,6 +263,7 @@ def with_quota_project(self, quota_project_id): client_secret=self.client_secret, scopes=self.scopes, default_scopes=self.default_scopes, + granted_scopes=self.granted_scopes, quota_project_id=quota_project_id, rapt_token=self.rapt_token, enable_reauth_refresh=self._enable_reauth_refresh, @@ -266,6 +281,7 @@ def with_token_uri(self, token_uri): client_secret=self.client_secret, scopes=self.scopes, default_scopes=self.default_scopes, + granted_scopes=self.granted_scopes, quota_project_id=self.quota_project_id, rapt_token=self.rapt_token, enable_reauth_refresh=self._enable_reauth_refresh, @@ -335,10 +351,15 @@ def refresh(self, request): if scopes and "scope" in grant_response: requested_scopes = frozenset(scopes) - granted_scopes = frozenset(grant_response["scope"].split()) + self._granted_scopes = grant_response["scope"].split() + granted_scopes = frozenset(self._granted_scopes) scopes_requested_but_not_granted = requested_scopes - granted_scopes if scopes_requested_but_not_granted: - raise exceptions.RefreshError( + # User might be presented with unbundled scopes at the time of + # consent. So it is a valid scenario to not have all the requested + # scopes as part of granted scopes but log a warning in case the + # developer wants to debug the scenario. + _LOGGER.warning( "Not all requested scopes were granted by the " "authorization server, missing scopes {}.".format( ", ".join(scopes_requested_but_not_granted) diff --git a/tests/oauth2/test_credentials.py b/tests/oauth2/test_credentials.py index c8301078d..5a63224fd 100644 --- a/tests/oauth2/test_credentials.py +++ b/tests/oauth2/test_credentials.py @@ -449,6 +449,7 @@ def test_credentials_with_scopes_requested_refresh_success( assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(scopes) assert creds.rapt_token == new_rapt_token + assert creds.granted_scopes == scopes # Check that the credentials are valid (have a token and are not # expired.) @@ -466,7 +467,7 @@ def test_credentials_with_only_default_scopes_requested( token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) - grant_response = {"id_token": mock.sentinel.id_token} + grant_response = {"id_token": mock.sentinel.id_token, "scope": "email profile"} refresh_grant.return_value = ( # Access token token, @@ -513,6 +514,7 @@ def test_credentials_with_only_default_scopes_requested( assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(default_scopes) assert creds.rapt_token == new_rapt_token + assert creds.granted_scopes == default_scopes # Check that the credentials are valid (have a token and are not # expired.) @@ -530,10 +532,7 @@ def test_credentials_with_scopes_returned_refresh_success( token = "token" new_rapt_token = "new_rapt_token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) - grant_response = { - "id_token": mock.sentinel.id_token, - "scopes": " ".join(scopes), - } + grant_response = {"id_token": mock.sentinel.id_token, "scope": " ".join(scopes)} refresh_grant.return_value = ( # Access token token, @@ -580,6 +579,7 @@ def test_credentials_with_scopes_returned_refresh_success( assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(scopes) assert creds.rapt_token == new_rapt_token + assert creds.granted_scopes == scopes # Check that the credentials are valid (have a token and are not # expired.) @@ -590,7 +590,72 @@ def test_credentials_with_scopes_returned_refresh_success( "google.auth._helpers.utcnow", return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, ) - def test_credentials_with_scopes_refresh_failure_raises_refresh_error( + def test_credentials_with_only_default_scopes_requested_different_granted_scopes( + self, unused_utcnow, refresh_grant + ): + default_scopes = ["email", "profile"] + token = "token" + new_rapt_token = "new_rapt_token" + expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) + grant_response = {"id_token": mock.sentinel.id_token, "scope": "email"} + refresh_grant.return_value = ( + # Access token + token, + # New refresh token + None, + # Expiry, + expiry, + # Extra data + grant_response, + # rapt token + new_rapt_token, + ) + + request = mock.create_autospec(transport.Request) + creds = credentials.Credentials( + token=None, + refresh_token=self.REFRESH_TOKEN, + token_uri=self.TOKEN_URI, + client_id=self.CLIENT_ID, + client_secret=self.CLIENT_SECRET, + default_scopes=default_scopes, + rapt_token=self.RAPT_TOKEN, + enable_reauth_refresh=True, + ) + + # Refresh credentials + creds.refresh(request) + + # Check jwt grant call. + refresh_grant.assert_called_with( + request, + self.TOKEN_URI, + self.REFRESH_TOKEN, + self.CLIENT_ID, + self.CLIENT_SECRET, + default_scopes, + self.RAPT_TOKEN, + True, + ) + + # Check that the credentials have the token and expiry + assert creds.token == token + assert creds.expiry == expiry + assert creds.id_token == mock.sentinel.id_token + assert creds.has_scopes(default_scopes) + assert creds.rapt_token == new_rapt_token + assert creds.granted_scopes == ["email"] + + # Check that the credentials are valid (have a token and are not + # expired.) + assert creds.valid + + @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True) + @mock.patch( + "google.auth._helpers.utcnow", + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD, + ) + def test_credentials_with_scopes_refresh_different_granted_scopes( self, unused_utcnow, refresh_grant ): scopes = ["email", "profile"] @@ -628,10 +693,7 @@ def test_credentials_with_scopes_refresh_failure_raises_refresh_error( ) # Refresh credentials - with pytest.raises( - exceptions.RefreshError, match="Not all requested scopes were granted" - ): - creds.refresh(request) + creds.refresh(request) # Check jwt grant call. refresh_grant.assert_called_with( @@ -651,6 +713,7 @@ def test_credentials_with_scopes_refresh_failure_raises_refresh_error( assert creds.id_token == mock.sentinel.id_token assert creds.has_scopes(scopes) assert creds.rapt_token == new_rapt_token + assert creds.granted_scopes == scopes_returned # Check that the credentials are valid (have a token and are not # expired.) From d85f1ac88be586203266f19cbcbf50faa82f2037 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Thu, 1 Dec 2022 12:39:36 -0800 Subject: [PATCH 7/7] chore(main): release 2.15.0 (#1183) --- CHANGELOG.md | 16 ++++++++++++++++ google/auth/version.py | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f65921b5d..5a3cc94cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,22 @@ [1]: https://pypi.org/project/google-auth/#history +## [2.15.0](https://github.com/googleapis/google-auth-library-python/compare/v2.14.1...v2.15.0) (2022-12-01) + + +### Features + +* Add api_key credentials ([#1184](https://github.com/googleapis/google-auth-library-python/issues/1184)) ([370293e](https://github.com/googleapis/google-auth-library-python/commit/370293e84a14af0d6c6b34287bdcad020e0580e4)) +* Introduce a way to provide scopes granted by user ([#1189](https://github.com/googleapis/google-auth-library-python/issues/1189)) ([189f504](https://github.com/googleapis/google-auth-library-python/commit/189f504cbdfe043949688dfe55f3f449befad991)) + + +### Bug Fixes + +* Allow mtls sts endpoint for external account token urls. ([#1185](https://github.com/googleapis/google-auth-library-python/issues/1185)) ([c86dd69](https://github.com/googleapis/google-auth-library-python/commit/c86dd69cf79809e2d532a745a236db840fd8bc5d)) +* CI broken by removal of py.path ([#1194](https://github.com/googleapis/google-auth-library-python/issues/1194)) ([f719415](https://github.com/googleapis/google-auth-library-python/commit/f719415475e10e5af9ec75b3b13c57c25682bea0)) +* Ensure JWT segments have the right types ([#1162](https://github.com/googleapis/google-auth-library-python/issues/1162)) ([fc843cd](https://github.com/googleapis/google-auth-library-python/commit/fc843cd318e4ac4f40cf83bbcd7c6eae2b597ff8)) +* Updated the lower bound of interactive timeout and fix the kwarg… ([#1182](https://github.com/googleapis/google-auth-library-python/issues/1182)) ([50c0fd2](https://github.com/googleapis/google-auth-library-python/commit/50c0fd29a3b6a4fd6dc4b801d883f5d2b6de88c6)) + ## [2.14.1](https://github.com/googleapis/google-auth-library-python/compare/v2.14.0...v2.14.1) (2022-11-07) diff --git a/google/auth/version.py b/google/auth/version.py index 5a2a1ee06..f0ecd5d63 100644 --- a/google/auth/version.py +++ b/google/auth/version.py @@ -12,4 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -__version__ = "2.14.1" +__version__ = "2.15.0"