Skip to content

fix: Do not create new JWT credentials if they make the same claims as the existing. #1267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Apr 5, 2023
Merged

fix: Do not create new JWT credentials if they make the same claims as the existing. #1267

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
40d44eb
fix: Do not create new JWT credentials if they make the same claims a…
clundin25 Apr 4, 2023
fccf42c
chore: Refresh system test creds.
clundin25 Apr 4, 2023
ec5a9f6
Fix CI error.
clundin25 Apr 4, 2023
236f7fb
Fix coverage test.
clundin25 Apr 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions google/auth/jwt.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -590,6 +590,11 @@ def signer_email(self):
def signer(self):
return self._signer

@property # type: ignore
def additional_claims(self):
""" Additional claims the JWT object was created with."""
return self._additional_claims


class OnDemandCredentials(
google.auth.credentials.Signing, google.auth.credentials.CredentialsWithQuotaProject
Expand Down
35 changes: 24 additions & 11 deletions google/oauth2/service_account.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -441,19 +441,32 @@ def _create_self_signed_jwt(self, audience):
# https://google.aip.dev/auth/4111
if self._always_use_jwt_access:
if self._scopes:
self._jwt_credentials = jwt.Credentials.from_signing_credentials(
self, None, additional_claims={"scope": " ".join(self._scopes)}
)
additional_claims = {"scope": " ".join(self._scopes)}
if (
self._jwt_credentials is None
or self._jwt_credentials.additional_claims != additional_claims
):
self._jwt_credentials = jwt.Credentials.from_signing_credentials(
self, None, additional_claims=additional_claims
)
elif audience:
self._jwt_credentials = jwt.Credentials.from_signing_credentials(
self, audience
)
if (
self._jwt_credentials is None
or self._jwt_credentials._audience != audience
):

self._jwt_credentials = jwt.Credentials.from_signing_credentials(
self, audience
)
elif self._default_scopes:
self._jwt_credentials = jwt.Credentials.from_signing_credentials(
self,
None,
additional_claims={"scope": " ".join(self._default_scopes)},
)
additional_claims = {"scope": " ".join(self._default_scopes)}
if (
self._jwt_credentials is None
or additional_claims != self._jwt_credentials.additional_claims
):
self._jwt_credentials = jwt.Credentials.from_signing_credentials(
self, None, additional_claims=additional_claims
)
elif not self._scopes and audience:
self._jwt_credentials = jwt.Credentials.from_signing_credentials(
self, audience
Expand Down
Binary file modified system_tests/secrets.tar.enc
View file
Open in desktop
Binary file not shown.
57 changes: 57 additions & 0 deletions tests/oauth2/test_service_account.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -253,6 +253,24 @@ def test__create_self_signed_jwt_always_use_jwt_access_with_audience(self, jwt):
credentials._create_self_signed_jwt(audience)
jwt.from_signing_credentials.assert_called_once_with(credentials, audience)

@mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True)
def test__create_self_signed_jwt_always_use_jwt_access_with_audience_similar_jwt_is_reused(
self, jwt
):
credentials = service_account.Credentials(
SIGNER,
self.SERVICE_ACCOUNT_EMAIL,
self.TOKEN_URI,
default_scopes=["bar", "foo"],
always_use_jwt_access=True,
)

audience = "https://pubsub.googleapis.com"
credentials._create_self_signed_jwt(audience)
credentials._jwt_credentials._audience = audience
credentials._create_self_signed_jwt(audience)
jwt.from_signing_credentials.assert_called_once_with(credentials, audience)

@mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True)
def test__create_self_signed_jwt_always_use_jwt_access_with_scopes(self, jwt):
credentials = service_account.Credentials(
Expand All @@ -269,6 +287,26 @@ def test__create_self_signed_jwt_always_use_jwt_access_with_scopes(self, jwt):
credentials, None, additional_claims={"scope": "bar foo"}
)

@mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True)
def test__create_self_signed_jwt_always_use_jwt_access_with_scopes_similar_jwt_is_reused(
self, jwt
):
credentials = service_account.Credentials(
SIGNER,
self.SERVICE_ACCOUNT_EMAIL,
self.TOKEN_URI,
scopes=["bar", "foo"],
always_use_jwt_access=True,
)

audience = "https://pubsub.googleapis.com"
credentials._create_self_signed_jwt(audience)
credentials._jwt_credentials.additional_claims = {"scope": "bar foo"}
credentials._create_self_signed_jwt(audience)
jwt.from_signing_credentials.assert_called_once_with(
credentials, None, additional_claims={"scope": "bar foo"}
)

@mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True)
def test__create_self_signed_jwt_always_use_jwt_access_with_default_scopes(
self, jwt
Expand All @@ -286,6 +324,25 @@ def test__create_self_signed_jwt_always_use_jwt_access_with_default_scopes(
credentials, None, additional_claims={"scope": "bar foo"}
)

@mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True)
def test__create_self_signed_jwt_always_use_jwt_access_with_default_scopes_similar_jwt_is_reused(
self, jwt
):
credentials = service_account.Credentials(
SIGNER,
self.SERVICE_ACCOUNT_EMAIL,
self.TOKEN_URI,
default_scopes=["bar", "foo"],
always_use_jwt_access=True,
)

credentials._create_self_signed_jwt(None)
credentials._jwt_credentials.additional_claims = {"scope": "bar foo"}
credentials._create_self_signed_jwt(None)
jwt.from_signing_credentials.assert_called_once_with(
credentials, None, additional_claims={"scope": "bar foo"}
)

@mock.patch("google.auth.jwt.Credentials", instance=True, autospec=True)
def test__create_self_signed_jwt_always_use_jwt_access(self, jwt):
credentials = service_account.Credentials(
Expand Down
1 change: 1 addition & 0 deletions tests/test_jwt.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -464,6 +464,7 @@ def test_with_quota_project(self):
assert new_credentials._subject == self.credentials._subject
assert new_credentials._audience == self.credentials._audience
assert new_credentials._additional_claims == self.credentials._additional_claims
assert new_credentials.additional_claims == self.credentials._additional_claims
assert new_credentials._quota_project_id == quota_project_id

def test_sign_bytes(self):
Expand Down
3 changes: 3 additions & 0 deletions tests/transport/test_urllib3.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,9 @@ def urlopen(self, method, url, body=None, headers=None, **kwargs):
self.requests.append((method, url, body, headers, kwargs))
return self.responses.pop(0)

def clear(self):
pass


class ResponseStub(object):
def __init__(self, status=http_client.OK, data=None):
Expand Down