diff --git a/.coveragerc b/.coveragerc index 494c03f07..9ba3d3fe6 100644 --- a/.coveragerc +++ b/.coveragerc @@ -5,6 +5,7 @@ branch = True omit = */samples/* */conftest.py + */google-cloud-sdk/lib/* exclude_lines = # Re-enable the standard pragma pragma: NO COVER diff --git a/CHANGELOG.md b/CHANGELOG.md index bcda51152..73440f7e3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,15 @@ [1]: https://pypi.org/project/google-auth/#history +### [2.3.3](https://www.github.com/googleapis/google-auth-library-python/compare/v2.3.2...v2.3.3) (2021-11-01) + + +### Bug Fixes + +* add fetch_id_token_credentials ([#866](https://www.github.com/googleapis/google-auth-library-python/issues/866)) ([8f1e9cf](https://www.github.com/googleapis/google-auth-library-python/commit/8f1e9cfd56dbaae0dff64499e1d0cf55abc5b97e)) +* fix error in sign_bytes ([#905](https://www.github.com/googleapis/google-auth-library-python/issues/905)) ([ef31284](https://www.github.com/googleapis/google-auth-library-python/commit/ef3128474431b07d1d519209ea61622bc245ce91)) +* use 'int.to_bytes' and 'int.from_bytes' for py3 ([#904](https://www.github.com/googleapis/google-auth-library-python/issues/904)) ([bd0ccc5](https://www.github.com/googleapis/google-auth-library-python/commit/bd0ccc5fe77d55f7a19f5278d6b60587c393ee3c)) + ### [2.3.2](https://www.github.com/googleapis/google-auth-library-python/compare/v2.3.1...v2.3.2) (2021-10-26) diff --git a/google/auth/_helpers.py b/google/auth/_helpers.py index b239fcd4f..1b08ab87f 100644 --- a/google/auth/_helpers.py +++ b/google/auth/_helpers.py @@ -17,6 +17,7 @@ import base64 import calendar import datetime +import sys import six from six.moves import urllib @@ -233,3 +234,12 @@ def unpadded_urlsafe_b64encode(value): Union[str|bytes]: The encoded value """ return base64.urlsafe_b64encode(value).rstrip(b"=") + + +def is_python_3(): + """Check if the Python interpreter is Python 2 or 3. + + Returns: + bool: True if the Python interpreter is Python 3 and False otherwise. + """ + return sys.version_info > (3, 0) diff --git a/google/auth/crypt/es256.py b/google/auth/crypt/es256.py index c6d617606..42823a7a5 100644 --- a/google/auth/crypt/es256.py +++ b/google/auth/crypt/es256.py @@ -53,8 +53,16 @@ def verify(self, message, signature): sig_bytes = _helpers.to_bytes(signature) if len(sig_bytes) != 64: return False - r = utils.int_from_bytes(sig_bytes[:32], byteorder="big") - s = utils.int_from_bytes(sig_bytes[32:], byteorder="big") + r = ( + int.from_bytes(sig_bytes[:32], byteorder="big") + if _helpers.is_python_3() + else utils.int_from_bytes(sig_bytes[:32], byteorder="big") + ) + s = ( + int.from_bytes(sig_bytes[32:], byteorder="big") + if _helpers.is_python_3() + else utils.int_from_bytes(sig_bytes[32:], byteorder="big") + ) asn1_sig = encode_dss_signature(r, s) message = _helpers.to_bytes(message) @@ -121,7 +129,11 @@ def sign(self, message): # Convert ASN1 encoded signature to (r||s) raw signature. (r, s) = decode_dss_signature(asn1_signature) - return utils.int_to_bytes(r, 32) + utils.int_to_bytes(s, 32) + return ( + (r.to_bytes(32, byteorder="big") + s.to_bytes(32, byteorder="big")) + if _helpers.is_python_3() + else (utils.int_to_bytes(r, 32) + utils.int_to_bytes(s, 32)) + ) @classmethod def from_string(cls, key, key_id=None): diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py index b8a6c49a1..80d6fdfdc 100644 --- a/google/auth/impersonated_credentials.py +++ b/google/auth/impersonated_credentials.py @@ -290,6 +290,11 @@ def sign_bytes(self, message): url=iam_sign_endpoint, headers=headers, json=body ) + if response.status_code != http_client.OK: + raise exceptions.TransportError( + "Error calling sign_bytes: {}".format(response.json()) + ) + return base64.b64decode(response.json()["signedBlob"]) @property diff --git a/google/auth/version.py b/google/auth/version.py index cd24dc54a..ad9a0c7a4 100644 --- a/google/auth/version.py +++ b/google/auth/version.py @@ -12,4 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -__version__ = "2.3.2" +__version__ = "2.3.3" diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py index 20d3ac1af..74899ae55 100644 --- a/google/oauth2/id_token.py +++ b/google/oauth2/id_token.py @@ -64,6 +64,7 @@ from google.auth import environment_vars from google.auth import exceptions from google.auth import jwt +import google.auth.transport.requests # The URL that provides public certificates for verifying ID tokens issued @@ -201,8 +202,8 @@ def verify_firebase_token(id_token, request, audience=None, clock_skew_in_second ) -def fetch_id_token(request, audience): - """Fetch the ID Token from the current environment. +def fetch_id_token_credentials(audience, request=None): + """Create the ID Token credentials from the current environment. This function acquires ID token from the environment in the following order. See https://google.aip.dev/auth/4110. @@ -224,15 +225,22 @@ def fetch_id_token(request, audience): request = google.auth.transport.requests.Request() target_audience = "https://pubsub.googleapis.com" - id_token = google.oauth2.id_token.fetch_id_token(request, target_audience) + # Create ID token credentials. + credentials = google.oauth2.id_token.fetch_id_token_credentials(target_audience, request=request) + + # Refresh the credential to obtain an ID token. + credentials.refresh(request) + + id_token = credentials.token + id_token_expiry = credentials.expiry Args: - request (google.auth.transport.Request): A callable used to make - HTTP requests. audience (str): The audience that this ID token is intended for. + request (Optional[google.auth.transport.Request]): A callable used to make + HTTP requests. A request object will be created if not provided. Returns: - str: The ID token. + google.auth.credentials.Credentials: The ID token credentials. Raises: ~google.auth.exceptions.DefaultCredentialsError: @@ -257,11 +265,9 @@ def fetch_id_token(request, audience): info = json.load(f) if info.get("type") == "service_account": - credentials = service_account.IDTokenCredentials.from_service_account_info( + return service_account.IDTokenCredentials.from_service_account_info( info, target_audience=audience ) - credentials.refresh(request) - return credentials.token except ValueError as caught_exc: new_exc = exceptions.DefaultCredentialsError( "GOOGLE_APPLICATION_CREDENTIALS is not valid service account credentials.", @@ -275,15 +281,60 @@ def fetch_id_token(request, audience): from google.auth import compute_engine from google.auth.compute_engine import _metadata + # Create a request object if not provided. + if not request: + request = google.auth.transport.requests.Request() + if _metadata.ping(request): - credentials = compute_engine.IDTokenCredentials( + return compute_engine.IDTokenCredentials( request, audience, use_metadata_identity_endpoint=True ) - credentials.refresh(request) - return credentials.token except (ImportError, exceptions.TransportError): pass raise exceptions.DefaultCredentialsError( "Neither metadata server or valid service account credentials are found." ) + + +def fetch_id_token(request, audience): + """Fetch the ID Token from the current environment. + + This function acquires ID token from the environment in the following order. + See https://google.aip.dev/auth/4110. + + 1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set + to the path of a valid service account JSON file, then ID token is + acquired using this service account credentials. + 2. If the application is running in Compute Engine, App Engine or Cloud Run, + then the ID token are obtained from the metadata server. + 3. If metadata server doesn't exist and no valid service account credentials + are found, :class:`~google.auth.exceptions.DefaultCredentialsError` will + be raised. + + Example:: + + import google.oauth2.id_token + import google.auth.transport.requests + + request = google.auth.transport.requests.Request() + target_audience = "https://pubsub.googleapis.com" + + id_token = google.oauth2.id_token.fetch_id_token(request, target_audience) + + Args: + request (google.auth.transport.Request): A callable used to make + HTTP requests. + audience (str): The audience that this ID token is intended for. + + Returns: + str: The ID token. + + Raises: + ~google.auth.exceptions.DefaultCredentialsError: + If metadata server doesn't exist and no valid service account + credentials are found. + """ + id_token_credentials = fetch_id_token_credentials(audience, request=request) + id_token_credentials.refresh(request) + return id_token_credentials.token diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index 3f42f879f..5f20b1e4c 100644 Binary files a/system_tests/secrets.tar.enc and b/system_tests/secrets.tar.enc differ diff --git a/tests/oauth2/test_id_token.py b/tests/oauth2/test_id_token.py index a612c58fe..ccfaaaf8c 100644 --- a/tests/oauth2/test_id_token.py +++ b/tests/oauth2/test_id_token.py @@ -21,13 +21,13 @@ from google.auth import environment_vars from google.auth import exceptions from google.auth import transport -import google.auth.compute_engine._metadata from google.oauth2 import id_token from google.oauth2 import service_account SERVICE_ACCOUNT_FILE = os.path.join( os.path.dirname(__file__), "../data/service_account.json" ) +ID_TOKEN_AUDIENCE = "https://pubsub.googleapis.com" def make_request(status, data=None): @@ -201,37 +201,45 @@ def test_verify_firebase_token_clock_skew(verify_token): ) -def test_fetch_id_token_from_metadata_server(monkeypatch): +def test_fetch_id_token_credentials_optional_request(monkeypatch): monkeypatch.delenv(environment_vars.CREDENTIALS, raising=False) - def mock_init(self, request, audience, use_metadata_identity_endpoint): - assert use_metadata_identity_endpoint - self.token = "id_token" - + # Test a request object is created if not provided with mock.patch("google.auth.compute_engine._metadata.ping", return_value=True): - with mock.patch.multiple( - google.auth.compute_engine.IDTokenCredentials, - __init__=mock_init, - refresh=mock.Mock(), + with mock.patch( + "google.auth.compute_engine.IDTokenCredentials.__init__", return_value=None ): - request = mock.Mock() - token = id_token.fetch_id_token(request, "https://pubsub.googleapis.com") - assert token == "id_token" + with mock.patch( + "google.auth.transport.requests.Request.__init__", return_value=None + ) as mock_request: + id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) + mock_request.assert_called() -def test_fetch_id_token_from_explicit_cred_json_file(monkeypatch): - monkeypatch.setenv(environment_vars.CREDENTIALS, SERVICE_ACCOUNT_FILE) +def test_fetch_id_token_credentials_from_metadata_server(monkeypatch): + monkeypatch.delenv(environment_vars.CREDENTIALS, raising=False) + + mock_req = mock.Mock() + + with mock.patch("google.auth.compute_engine._metadata.ping", return_value=True): + with mock.patch( + "google.auth.compute_engine.IDTokenCredentials.__init__", return_value=None + ) as mock_init: + id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE, request=mock_req) + mock_init.assert_called_once_with( + mock_req, ID_TOKEN_AUDIENCE, use_metadata_identity_endpoint=True + ) - def mock_refresh(self, request): - self.token = "id_token" - with mock.patch.object(service_account.IDTokenCredentials, "refresh", mock_refresh): - request = mock.Mock() - token = id_token.fetch_id_token(request, "https://pubsub.googleapis.com") - assert token == "id_token" +def test_fetch_id_token_credentials_from_explicit_cred_json_file(monkeypatch): + monkeypatch.setenv(environment_vars.CREDENTIALS, SERVICE_ACCOUNT_FILE) + + cred = id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) + assert isinstance(cred, service_account.IDTokenCredentials) + assert cred._target_audience == ID_TOKEN_AUDIENCE -def test_fetch_id_token_no_cred_exists(monkeypatch): +def test_fetch_id_token_credentials_no_cred_exists(monkeypatch): monkeypatch.delenv(environment_vars.CREDENTIALS, raising=False) with mock.patch( @@ -239,22 +247,20 @@ def test_fetch_id_token_no_cred_exists(monkeypatch): side_effect=exceptions.TransportError(), ): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: - request = mock.Mock() - id_token.fetch_id_token(request, "https://pubsub.googleapis.com") + id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"Neither metadata server or valid service account credentials are found." ) with mock.patch("google.auth.compute_engine._metadata.ping", return_value=False): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: - request = mock.Mock() - id_token.fetch_id_token(request, "https://pubsub.googleapis.com") + id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"Neither metadata server or valid service account credentials are found." ) -def test_fetch_id_token_invalid_cred_file_type(monkeypatch): +def test_fetch_id_token_credentials_invalid_cred_file_type(monkeypatch): user_credentials_file = os.path.join( os.path.dirname(__file__), "../data/authorized_user.json" ) @@ -262,32 +268,44 @@ def test_fetch_id_token_invalid_cred_file_type(monkeypatch): with mock.patch("google.auth.compute_engine._metadata.ping", return_value=False): with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: - request = mock.Mock() - id_token.fetch_id_token(request, "https://pubsub.googleapis.com") + id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"Neither metadata server or valid service account credentials are found." ) -def test_fetch_id_token_invalid_json(monkeypatch): +def test_fetch_id_token_credentials_invalid_json(monkeypatch): not_json_file = os.path.join(os.path.dirname(__file__), "../data/public_cert.pem") monkeypatch.setenv(environment_vars.CREDENTIALS, not_json_file) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: - request = mock.Mock() - id_token.fetch_id_token(request, "https://pubsub.googleapis.com") + id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"GOOGLE_APPLICATION_CREDENTIALS is not valid service account credentials." ) -def test_fetch_id_token_invalid_cred_path(monkeypatch): +def test_fetch_id_token_credentials_invalid_cred_path(monkeypatch): not_json_file = os.path.join(os.path.dirname(__file__), "../data/not_exists.json") monkeypatch.setenv(environment_vars.CREDENTIALS, not_json_file) with pytest.raises(exceptions.DefaultCredentialsError) as excinfo: - request = mock.Mock() - id_token.fetch_id_token(request, "https://pubsub.googleapis.com") + id_token.fetch_id_token_credentials(ID_TOKEN_AUDIENCE) assert excinfo.match( r"GOOGLE_APPLICATION_CREDENTIALS path is either not found or invalid." ) + + +def test_fetch_id_token(monkeypatch): + mock_cred = mock.MagicMock() + mock_cred.token = "token" + + mock_req = mock.Mock() + + with mock.patch( + "google.oauth2.id_token.fetch_id_token_credentials", return_value=mock_cred + ) as mock_fetch: + token = id_token.fetch_id_token(mock_req, ID_TOKEN_AUDIENCE) + mock_fetch.assert_called_once_with(ID_TOKEN_AUDIENCE, request=mock_req) + mock_cred.refresh.assert_called_once_with(mock_req) + assert token == "token" diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py index bceaebaa5..bc404e36b 100644 --- a/tests/test_impersonated_credentials.py +++ b/tests/test_impersonated_credentials.py @@ -345,6 +345,19 @@ def test_sign_bytes(self, mock_donor_credentials, mock_authorizedsession_sign): signature = credentials.sign_bytes(b"signed bytes") assert signature == b"signature" + def test_sign_bytes_failure(self): + credentials = self.make_credentials(lifetime=None) + + with mock.patch( + "google.auth.transport.requests.AuthorizedSession.request", autospec=True + ) as auth_session: + data = {"error": {"code": 403, "message": "unauthorized"}} + auth_session.return_value = MockResponse(data, http_client.FORBIDDEN) + + with pytest.raises(exceptions.TransportError) as excinfo: + credentials.sign_bytes(b"foo") + assert excinfo.match("'code': 403") + def test_with_quota_project(self): credentials = self.make_credentials()