From 71e5e51b8b44cd6ddf1a6c2a1a1a7b45a3326e6c Mon Sep 17 00:00:00 2001
From: Sijun Liu
Date: Thu, 28 Mar 2024 00:23:13 -0700
Subject: [PATCH 1/2] fix: fix id_token iam endpoint for non-gdu service credentials

---
 google/auth/iam.py | 21 ++++++++++++++---
 google/auth/impersonated_credentials.py | 29 ++++++------------------
 google/oauth2/_client.py | 11 ++++-----
 google/oauth2/service_account.py | 7 +++++-
 system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes
 tests/oauth2/test__client.py | 13 +++++++++--
 tests/oauth2/test_service_account.py | 29 +++++++++++++++++++++++-
 7 files changed, 75 insertions(+), 35 deletions(-)

diff --git a/google/auth/iam.py b/google/auth/iam.py
index e9df84417..e20b7a3cc 100644
--- a/google/auth/iam.py
+++ b/google/auth/iam.py
@@ -27,8 +27,23 @@ from google.auth import crypt
 from google.auth import exceptions
-_IAM_API_ROOT_URI = "https://iamcredentials.googleapis.com/v1"
-_SIGN_BLOB_URI = _IAM_API_ROOT_URI + "/projects/-/serviceAccounts/{}:signBlob?alt=json"
+
+_IAM_SCOPE = ["https://www.googleapis.com/auth/iam"]
+
+_IAM_ENDPOINT = (
+    "https://iamcredentials.googleapis.com/v1/projects/-"
+    + "/serviceAccounts/{}:generateAccessToken"
+)
+
+_IAM_SIGN_ENDPOINT = (
+    "https://iamcredentials.googleapis.com/v1/projects/-"
+    + "/serviceAccounts/{}:signBlob"
+)
+
+_IAM_IDTOKEN_ENDPOINT = (
+    "https://iamcredentials.googleapis.com/v1/"
+    + "projects/-/serviceAccounts/{}:generateIdToken"
+)
 class Signer(crypt.Signer):
@@ -67,7 +82,7 @@ def _make_signing_request(self, message):
         message = _helpers.to_bytes(message)
         method = "POST"
-        url = _SIGN_BLOB_URI.format(self._service_account_email)
+        url = _IAM_SIGN_ENDPOINT.format(self._service_account_email) + "?alt=json"
         headers = {"Content-Type": "application/json"}
         body = json.dumps(
             {"payload": base64.b64encode(message).decode("utf-8")}
diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py
index d32e6eb69..3c6f8712a 100644
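Review bot: The three URL templates and `_IAM_SCOPE` are added with a leading underscore but are read from other modules in this same patch (`impersonated_credentials.py`, `service_account.py`, both test files), and nothing says what `{}` stands for or that the host is the default universe's. A short header comment would spare the next reader a cross-module search, e.g. `# Shared by impersonated_credentials and service_account. {} is the service account email; the host is the default (googleapis.com) universe, so callers in another universe must rewrite it.` Dropping the underscore would also make the cross-module use explicit, but that is a wider rename than this patch.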
--- a/google/auth/impersonated_credentials.py
+++ b/google/auth/impersonated_credentials.py
@@ -34,32 +34,15 @@ from google.auth import _helpers
 from google.auth import credentials
 from google.auth import exceptions
+from google.auth import iam
 from google.auth import jwt
 from google.auth import metrics
-_IAM_SCOPE = ["https://www.googleapis.com/auth/iam"]
-
-_IAM_ENDPOINT = (
-    "https://iamcredentials.googleapis.com/v1/projects/-"
-    + "/serviceAccounts/{}:generateAccessToken"
-)
-
-_IAM_SIGN_ENDPOINT = (
-    "https://iamcredentials.googleapis.com/v1/projects/-"
-    + "/serviceAccounts/{}:signBlob"
-)
-
-_IAM_IDTOKEN_ENDPOINT = (
-    "https://iamcredentials.googleapis.com/v1/"
-    + "projects/-/serviceAccounts/{}:generateIdToken"
-)
 _REFRESH_ERROR = "Unable to acquire impersonated credentials"
 _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds
-_DEFAULT_TOKEN_URI = "https://oauth2.googleapis.com/token"
-
 def _make_iam_token_request(
     request, principal, headers, body, iam_endpoint_override=None
@@ -83,7 +66,7 @@ def _make_iam_token_request(
             `iamcredentials.googleapis.com` is not enabled or the
             `Service Account Token Creator` is not assigned
     """
-    iam_endpoint = iam_endpoint_override or _IAM_ENDPOINT.format(principal)
+    iam_endpoint = iam_endpoint_override or iam._IAM_ENDPOINT.format(principal)
     body = json.dumps(body).encode("utf-8")
@@ -225,7 +208,9 @@ def __init__(
         # added to refresh correctly. User credentials cannot have
         # their original scopes modified.
         if isinstance(self._source_credentials, credentials.Scoped):
-            self._source_credentials = self._source_credentials.with_scopes(_IAM_SCOPE)
+            self._source_credentials = self._source_credentials.with_scopes(
+                iam._IAM_SCOPE
+            )
         # If the source credential is service account and self signed jwt
         # is needed, we need to create a jwt credential inside it
         if (
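Review bot: `iam._IAM_ENDPOINT.format(principal)` keeps the access-token request on `iamcredentials.googleapis.com` unless a caller supplies `iam_endpoint_override`, and the `refresh` hunk on the next line does the same with `iam._IAM_IDTOKEN_ENDPOINT`, so impersonated credentials whose source credential belongs to another universe still address the default universe's host. The commit title limits the fix to service-account credentials, so this may be deliberate, but `service_account.py` in this same patch now rewrites the host from `self._universe_domain`, and the equivalent treatment appears to be missing here. Both functions continue outside their hunks.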
@@ -290,7 +275,7 @@ def _update_token(self, request):
     def sign_bytes(self, message):
         from google.auth.transport.requests import AuthorizedSession
-        iam_sign_endpoint = _IAM_SIGN_ENDPOINT.format(self._target_principal)
+        iam_sign_endpoint = iam._IAM_SIGN_ENDPOINT.format(self._target_principal)
         body = {
             "payload": base64.b64encode(message).decode("utf-8"),
@@ -425,7 +410,7 @@ def with_quota_project(self, quota_project_id):
     def refresh(self, request):
         from google.auth.transport.requests import AuthorizedSession
-        iam_sign_endpoint = _IAM_IDTOKEN_ENDPOINT.format(
+        iam_sign_endpoint = iam._IAM_IDTOKEN_ENDPOINT.format(
             self._target_credentials.signer_email
         )
diff --git a/google/oauth2/_client.py b/google/oauth2/_client.py
index d2af6c8aa..bce797b88 100644
--- a/google/oauth2/_client.py
+++ b/google/oauth2/_client.py
@@ -39,10 +39,6 @@ _JSON_CONTENT_TYPE = "application/json"
 _JWT_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
 _REFRESH_GRANT_TYPE = "refresh_token"
-_IAM_IDTOKEN_ENDPOINT = (
-    "https://iamcredentials.googleapis.com/v1/"
-    + "projects/-/serviceAccounts/{}:generateIdToken"
-)
 def _handle_error_response(response_data, retryable_error):
@@ -328,12 +324,15 @@ def jwt_grant(request, token_uri, assertion, can_retry=True):
     return access_token, expiry, response_data
-def call_iam_generate_id_token_endpoint(request, signer_email, audience, access_token):
+def call_iam_generate_id_token_endpoint(
+    request, iam_id_token_endpoint, signer_email, audience, access_token
+):
     """Call iam.generateIdToken endpoint to get ID token.
     Args:
         request (google.auth.transport.Request): A callable used to make
             HTTP requests.
+        iam_id_token_endpoint (str): The IAM ID token endpoint to use.
         signer_email (str): The signer email used to form the IAM
             generateIdToken endpoint.
         audience (str): The audience for the ID token.
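Review bot: The new `iam_id_token_endpoint` parameter is a format template rather than a finished URL — the next hunk applies `iam_id_token_endpoint.format(signer_email)` to it — yet its docstring entry (`The IAM ID token endpoint to use.`) describes a ready endpoint, and `str.format` on a template that lacks `{}` simply returns the template unchanged, so a caller passing a concrete URL would have the request sent without the signer email and without any error. I'd document it as `iam_id_token_endpoint (str): URL template for the IAM generateIdToken call; its {} placeholder is filled with signer_email.` and reject templates without the placeholder up front, e.g. `if "{}" not in iam_id_token_endpoint: raise ValueError("iam_id_token_endpoint must contain a {} placeholder")` (or the module's own exception type). The function's body continues outside the hunk.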
@@ -346,7 +345,7 @@ def call_iam_generate_id_token_endpoint(request, signer_email, audience, access_
     response_data = _token_endpoint_request(
         request,
-        _IAM_IDTOKEN_ENDPOINT.format(signer_email),
+        iam_id_token_endpoint.format(signer_email),
         body,
         access_token=access_token,
         use_json=True,
diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py
index 04fd7797a..0e12868f1 100644
--- a/google/oauth2/service_account.py
+++ b/google/oauth2/service_account.py
@@ -77,6 +77,7 @@ from google.auth import _service_account_info
 from google.auth import credentials
 from google.auth import exceptions
+from google.auth import iam
 from google.auth import jwt
 from google.auth import metrics
 from google.oauth2 import _client
@@ -595,8 +596,11 @@ def __init__(
             self._universe_domain = credentials.DEFAULT_UNIVERSE_DOMAIN
         else:
             self._universe_domain = universe_domain
+        self._iam_id_token_endpoint = iam._IAM_IDTOKEN_ENDPOINT.replace(
+            "googleapis.com", self._universe_domain
+        )
-        if universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN:
+        if self._universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN:
             self._use_iam_endpoint = True
         if additional_claims is not None:
@@ -792,6 +796,7 @@ def _refresh_with_iam_endpoint(self, request):
         jwt_credentials.refresh(request)
         self.token, self.expiry = _client.call_iam_generate_id_token_endpoint(
             request,
+            self._iam_id_token_endpoint,
             self.signer_email,
             self._target_audience,
             jwt_credentials.token.decode(),
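Review bot: `iam._IAM_IDTOKEN_ENDPOINT.replace("googleapis.com", self._universe_domain)` derives the host by substring replacement, which silently stops working if the template in `iam.py` ever spells the host differently, in which case a credential for another universe would post its self-signed JWT (the `jwt_credentials.token.decode()` argument in the last hunk) to the googleapis.com endpoint with no error raised. The substituted value is also not checked — `self._universe_domain` is whatever reached the constructor — so an empty or malformed domain yields a malformed URL rather than a clear failure. A template that carries the universe explicitly, e.g. `"https://iamcredentials.{}/v1/projects/-/serviceAccounts/{{}}:generateIdToken".format(self._universe_domain)`, or a universe-aware constant next to the others in `iam.py`, keeps the host and the template tied together; the `{}` placeholder should stay documented as the signer email. `__init__` continues outside the hunk.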
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index b24ceb7fb61495587f7c6a24d886b160e339f4df..316c960e08935d476cb13cd0a1b4017b33f1eed1 100644 GIT binary patch literal 10324 zcmV-aD67{BB>?tKRTFZ(Q~Y9CRsVm&)MHv^Cy%%(_1~;3qq)kEUEIJZcTp0mPyjE~ zv){XH0NtRu(L;-><^7v!kyS@M!cHX@<_z)0(Q}Mm0ki~R_k_naLloqPhRu5#yaBn! z)Nvq8xw5ed26FX{)awN{p!2y$F^ ztXRlO&@Q)aP;n}so_VEZ(F|BE5?+%A?5`45wmAE+x~*j3X;r8xN~%sA_y;&_fGt^wOc1&=+|Ymj>2wpDy|GpI_<#0Zo5lqjt=XK~ z1pt>;2ygD)4Lmj2MR|fIkE;=>t5brgvc%-qhFZ>c%1o1$=?UGlQRwBq=+@7nt{k1R zHrX9PM2+H7D3}LSRF9I55l6gn(zbvOJoR_xdjUeLS9aTQT4&pl?eIpNcp{1c01D1j zH_4YMm6|I(%Non1%b%r|=UE}+si{Z=BezX9K4F8o>O9o0)O$LSpk+yyd*fJ189 zAzEY+NoLwbx;~q>F zavR~1DXYu@4F(a=p|C#a=m~K=Ia%^hq7t=vZ+QMRHQ-GkZbY#};IyuYC4|x3AOM?^ zD;Ogfx>}Jqy-ze3>ve(6zy)B-{K>FZfr{J+DwTG)+??92JoPCHEDYs#u_rn$RQN${ z(|0WvJJ0mC-xeW%sGq{dmVxb2TK5ZriU@aoY^qY0J)0NoPKY3stWqALapy0czHPk@ zUWs*-H+-%{StAYFkxnLtijx_eHeIC9@$~> z&j^hezEc`~Ur$;Ra{_*%khLUh9#g|%Ljo?evYon~vKviS5m9@v)5Vi6`6O}UU^y(Q z?8bkV@r`?vEwY|fr^ZfU1Z%PGH-V=r=NlSq(Evmgkyq8;;L9A#pisXN@ z{wV*N!PEZZ%eq!j(Bo{)LGyzfR(WAw^(BZ-FpMa=cf$v1N$E=UqL74cbeZ|+8YtB} zv_#P4wL5#|^!5=*%`h4Lwv(zel}!J`AEqUFC@uP9VR(gJ@FF zYmG!`k;{5dEEMkJTtYKec=&fIFEsV5jLDBEe%4wqX3UQ@)6HyV#K#itX|1w2h?F^dFZ2Y~I{0Ko(aThb@mI*5zOr?M z5vG?N6@#SNQG?EUXo~hY!esA2@T4hIrI9ey>i>ThZo;$TS6OTvEBU!W@}e7w&f{S? z9B{{Dyz}8vN^sNV5H$>m<3Q(EKw0J3OS4Z7`+{e1(&k$4%D>iKu1~|N=56Ow2h1JA zdLtec9Q74wc7K^90gmwLW0c5vayG;?d|_63vdOL;K|ZRYpCt1Y7&~IXMXb`brIMQ0 z7A9mYTS1Gu!LThu2I>n1tj)-5y5T>VS)=&K3_QQEF;WLi@N?22Zyn@y1ts3CqUu_x zGCt%ZYOZZlqtb*?VGquuWBC4>@m8!Vzul^e(kw9C_M*}N^T0%PP> zE#a`Bcg^0_mi8coezRGomO6=B{N8!c33cTwVO}37jo$N~7)T>PHV-2dhpLQxkO4T) zm9(UvQ`mY>Q^V3xEiw)PDh(kE>_SBqzO>BK69dy?r2#OT&qYsKR;=eKN}dwURuR$! 
z^kKe4r=oFcL$_VpEIcdXQsZ-m0ge3Rn|SKW>`wdz(1aWhyZr^;zeGbmq6_5Y(Fwf; zIq6*EIR^sGWG?0P8U%)kBu|q0?3+1s_Ya$wnFxP_BSz7ARRyw{VkU;^m@Kk{}u~9Xw3iw(la8(_}I-tPyfee zKWd1h`|>)=v+F>~}9P(g#NRO8o zbMk`wZX}`$Qe9QLIPDF4tbHgXj$;Jwu^O4724dnYbvUU!I`ihDKa@pOl71l->WS zRqi{Gio+^mqO`mi-xH1maEf!A={PrOpQQvrT3~%W5zgc9sZ4*SAFtF<@yfdfEbCT;q-M7u}h;FC81Vhop`eDu3DY21{;TwXn18 z(Rj-ggmwiAc>pP(rUp9?+x-)j*uA_<qq>^~n-eQWQ{$6=$C^(sZ>0a0;7Gmer$?sv zpA&?{H#zT_iAB>+k2)$OBOsb0DJ7v*m|o!lN6aK3RZ3rwYCy-R)5%g;gV-4Atks~; zbYnsWUi>h}OxDx8qWFYRxqgmCqT;b58MS^x(+%hSA&}DoXR#$a$eKN1m{(Tl1+%&A zW^4_W<&?Q;*{$f{xr@9uTRx%j1B`&S!PafGlj0O9!$!$9}k00xLlcDYFo#iGjyUYNzT+pT#j+7C>Me-*NK^=6xU%jyklsfu7bBpJZIUXYpJR1 zK5(=>v=-aC9eQuV29`}nC!H$j<2a7FyYzcZ#9^uhb5oa=3^=Me)0L|Ym+6Q|aB;0X zi3u<9kEW8ZM<=6G_ouAj&eZ{Vg%5V6Hb-QGds7W?1Kj*VEG3vPB{t>6y*0H2QL_P1 zAMDy$lByaVJ)XVKR}t4FT)3GZw-PRE$N@mS!s(Tea5fb2X~d2FOc7JW@I`};T;yu}x{SY2USe-;ocDG6ZUj6Q5)*)Y0W3^&33`zT z>~-2saT=pWm2a9@r%uNcI@^$pMtG35a>>~K>rqY??hqSI#}>o!jn(p#E~V#OdxeT8 z1Jl=}P>OEK>PJ1(9*f~+Rra33v_I#}7(HXB7-#-aR@!ILqrHA`(Yf*yDN}zvV8nCN zU-~%wsc!|tO^e{)rRyQuK2#R+7%jLG9achrO8(hUfhXy==8=JZK`h?ZyV(JA^JaCd z(^>JBhGJsn2#xzyh;}Q1$^`kJ!?fM0i{mXCs6K7_uyL6tMN2Dw60_e2h~;3CE*=i< z@uJih`QvBm;23vK26g!rPuQ;oVq=5Vap;R_)PhN-jm`;mY#X*4enzYgXdQ)&So_b4 z&Bcc!FpI-vkj{+koCikF6D1M!mO$3y;#H%I2Rox#;DOS4M}`+}fO5ARLwc0XGXdn~BU?Y45?Yb`&?`z=aV3JhyU9Q_7x5Xk&r3%5;cvRQEKq6<_nMkDz>W*R%HbMg4qLn04mi?XKjL^}68Fa{T zdiuDir)5yn;ilkUM;XAj^Sg~&ZkFs`iX-Fz_D2M^?J2e4j@kpmsf5@1kR1Y!YMq~O^pxRez21kVRR+Tj!p)HL@=v&hnUOc33!z; zt~lr}IBHG;pwfX}rAG(@Z}U|z3BOaEo~C`QJ|DG+@$4vY+XFdO-8Ke5D2o^ z83QXwR#1``8LGdegX*A~dVx_SHckaX0rS;a{bo5ou^5344kj&&9ouW88k^z=ed-(z z8MLY4t5??Yee)_Mlq&k#9Hfn@!Z$J7gr`L|V308za;=d`LmRbTnEF!On5~5m8Ldys z?43Ary;jVpKb+;!h+7C#*O;-ZQ=od7>aC)1tveoLV3s7}%*QC$a+$M}JM0>!D{#YU zePZDgH6JN0cUzX};zW@j;2B0%oXI*>WN#(uUd2&A9PEKbn^raA!V0Jpq4mVcOmt}n z9lVtTq%aEv!ooB?gtAK0cmRokD@7B%Yz!y5P^Ohw)Pc6);U#VpR0nIjRruHmOGgpJ zFmUs^{*_Eg{xS8W++i~2-fRp=)2iq+>_6)?{cQ`FdT5yaOL_wU(lXfv0~P)`?zTEr 
zF$4j0vkEaM&XHXOY2B;x##8SYMa&9@KCjDJvVlizt{0rI-<38}xfpm!-k`%$y;&Qo z!i*cSb+#X(N7iO?dI4%4JBT`D6Mo#Pj`ja3^@LtkwF9xM$3O<)yE|}E@CoyhE2qB> zl3^{k5&8oTR|eLng;E(k=_4FgKiW6m-^e7qCg`IK=Y8#x1jGqRCgdL_MT6HtKTLYK zc_mJgx~fs!lXt;VHB8-;wjv~**F2-SICzW&q2AMK9m{5gK?^+yXs>qmH;fB+0SZxT zO@AK2Sw`MJ5TKei_{px%i9QZ`&BoC_eD&N*Vr%46Ap!-oxp*~$dr}pfIYu;w?|Ctc z8Ysn)05P&PI?CguBSw#g7LZ*f`2a<%4(l~$Wuw77KFV>*PCXpwg5%g1OTFK~ETSKU zJWzoxhCz zZ57*ZlR8KVmQH4?vyE5(FDk7J2m{ssM%p$t)(hcaAiM)yONZt`+e4#_ zFRisqd02G5Q@Ab9#y3`1CBJM)tEN6YRmj&Qy0k$W7j~wB3D8B!7=g&r71l;$yseW` zMgJQnDb&WB+#IO50fz!nn0yOgV_}v4;~d8=W{wk#yxUnZu73dRMGYgd_(I!+z2!m(M}_m zK&cpXZ=kwQPGDMkHr6QXzYM%XvH17?*zwb*tS)-4rsdVrApGmB0G+KL@m8{McEr}u z?m$^#Lw1}lS1et~rFs4oOK)MV3|tx&tc)NR9M;FA9}Qx5kGF*9MfGN(DD?c<%BO!Y`8dXCWL% zh#m{=PfZ5RgL?G56dX1LV&ML>U$T>hrYf=r1O!46m80CFOD~@$Y~?=Kp$lhpTSY_9 ztI~=EZCmm95;ouqOsj))8wiDR$C#YMpmieK=bCZq1iW7+So{Ni7&;=PLKY%&kH${4 z%T6o!=8l?;YtC2%!<^Zj|NAd|x0$t8hbYYm78QjsIJ0+yEgvu^Ob`%lN)$@~3pbrC zE+00_tVSU&OFRLNSg~?2OjT`^kV1?(>Oc>-!VkY#95z2j`wGlZbJgIFOR_eiaE_)* z-=y&g0JC3`NpqY(YROkHVzW78N6b|MbQ^;;GN;_G*cxjBp<#;s%@cDihE+90$K<44 zJCU09T=T!9S?xC~;mvUsGPyj4!Ye0WM&0KGB}%$lZCK_6cVA1X+=VUyTThxoc z!6c-_ksq6FD?T)DY+9(Yaep?N{A2~DHnT{7IGohEL8C?97(ic|iV%CEATF69tIJB1 zjKG4!^Hdw=d~3Tkszw%eLs06N^9dQJE-o*lzLC##oxW>PyNX?VH!u!?alW2(sGNP+ zN1F0Ob9K9jy1ckMLf&4<0>>S|C?guOMG>i_4-van)ifk8F-3^tpMiJm{W&yFFZ4MQ zEx>f@qPXjw4FpYp{c?qe5gvHehj$j|n4k$xypAwHZ#b)KzFPpZEUgd;j@-)d!d`)4 z|J#9%5`WUGvh?9Z2N~8Bl!0*LfyIRR?GGi9uTl!^CNrl_XmuvG-S(#2>=HFH=*Z69 z9;gawiDbAONvodLRKtZPhGu^f_9{o7CNe~3a4MyxylPo)d$XwM8>u~kRlEWtOQ`pfmANx=m>zXVei)*qpLoig=0nhU9a)g}maiD6)vd0Mc|u zXmg}E&hVu6#h7D#LYP_ItmUvorg7eJb=YjXb!=vR^1LtXS&d`fL$yj8#%W0~K*B}E z!T}kom>?2EPrl_w)8A_)b&A+rv6j?=b>`m!nH~VS@ZYG^`khH5uoSffppyE`1Pn2wefn?3`wu$C@C=5n;WNKz3Ch@F zmGC4i&{As++DE}#8hg#iNl@@tvsEmr69KOD;)?djiX%HzDMBL?EFR;p!`m#f256JR zU11|)sx^8=rFA^Sl4egQ@N8f>{BfvKY$Rew(Eoj5YLY0td?+GrgkhePe7QR9GH%1$Y` zP#;R57GN|}RtavFG6Ze-QegUEhl=A!Z^31c)xz{QGUlZ~xx6~t(I;AQI!PO+ 
zHpdgm-Q;NIn$sYl6;$spir{$|fv(17@1{$~)J7on3*SpBD|@bZqa@`>Y_-5>r);8$ zEh%WiSZS5&Qeipi4vvK}A*MWm3YLX9no?*v&Q9tMh5U#f?@1v~gWm09uUN6lFhQf# zPs*wA$Ea{tLij~O!M8*^bu)LhJizh;LM{k!!+9jZE_cB7tuF03te{XhEZCtP?7c+S z{WymoFRa$dDS^7Hdt5077A-kV90;fw_N4}1rN%Z|oB_`6m+R5+4 zlj05a!btCXb*^IAFD^Stq@XcNU7jj70CdiZ>wHxYgO7G^B^Dg^09t%c#<{IdnGY*s z`~lAvxK&YrC^Y*>1z|)cV3(1Olk4@>ZQy@eNBIYXD+)adaVLf)R9xrXkClh>vn>X> zvH5$>n1tL>k#fgw+YZItdN%nx1=Zk9O4zC#8RG}1D5J+x< zkMDUrO54nTMYq8Xy>96ySOQ`|`n!+KT~2{2Ov5s4Dad8E^%Do>#gRkT23r69N+Smh zZtAr4D6+$Kqx{Ic10?4zPDh;s$Q*YB2~6j=?Z#4@iL#$N*IxF1G~x;u(q z0oGNDkxC|C*r-h|VZI{`n{6uja!6sot(&x%VYuNqs)JG;f|!)}Hcd!Xw*PfOvgd$V;Zk!H<5p3F&@k|%CbCB)+tPbv4bB{xa&{W%>B%2(0 z+V25TCOa=X>QZ$X0Kq$DAM;kAZvVUfmWrD!6w}n-tM+z!w7Z?soU6P^!6@5d45*sF z+gRIMCbgbyQMC_s_ulNUtVydMH_fIA!~57clw$Z66Jajgt>`RlZ@Q zT|1YrVp`80Yeyf;5y(S1OV_%5SGjCQTf`1EC461LHW;lq^>SDjoZcg}aD3LvpgT(! zl#3fw&H(^@+q&aaEDdB%=8Hl8E_u*H;$5C~(Zjk$M6<^!2ti={+!-w-MAbX!vOr!E zoW`K;;!?xgsc@HP##WD&kFhMBN#(VsNALLQP*Ura#YOKVV?Nl|`ENY9Y)eNf(szF| zBrNjeQh+TLer*tZTaKqWGiX1M{wpn{f8FzkWWE(%vh3Tv|7CvEkV>xh*dGC#f^G-4dDk?%arYSwpoa%=DXvCxrtRcEO5 z>TN*I<{3$1>b1<$DQ|Hm1433m>1;W6UL>hhudlz^w1lzvDFZS=pZ|**frfRcZ>FV) z1sA6u)y*KoDGL-4+RD^FgLwu%PW5AId9L?5jTOhWdDPA6)e2cxE?CDo*Qf)7wDA`2 zlm18ZrmRq>P&mtzNmbVe>ZVuCQoOb@XmnVCeAh~^t2l-%x~^&sv0`KDq;T{6g1b=~ zEU}^|m7e^~__?rt21mhPz-cY(wopVv#aF_gJ&3aepUVgY%o-><2y*z}CQ=t|_w-Db z+|2>)&8=X%kPUs`rTUau6(#t8ahw)1yQ~ohn1IAT))#^tx>?xbb7Xlexs)c`_(qD1*rK%r1&pKpR3|vD$J< zZH7sEQU=R)-Cq9vCCfyh3j*pxLc4hJ@pLV$xG{nEUBpJMM#<2PjVsC@Q6tNn0;lq# z2k2;gMH)mw3Nc({bCq~;r)*~&-%+$+^XL&u#=wPL_%iaNLKhvts{#sc^6xtTR%+W) z?#J6GE!cS8$M1VXZ`#%Z9h~sT6rCf=S)%Ln0L2nlxa)r|V&h;isn&A6w=kaFfL1k- z2IG?{>*HZhQRXxqJ@ZrkWCP{VvSBVagzKESoxl8M z1D@^3-uD@hv6j?txa&41;%mM^>nlMBBgH_s^0w6xT6>1}y(LrETHbBHM_BFVh}A0$ z+rFb##&+W$LR9WHhW+(FidXmXcT4wa&g=1*QTt(N&^thZ;*MC->d~@3^>BGJlx+8l z)yqe45tw@-WD6vupy+%QsOXbuO;x3DdKYtfwaff9Sp4$oFI8G>LRR#3?)jy=iqrT8I=nQ6wN9Kcc*UD@Z0R5 zEMi7W9n2BUN_7{RUzodOPtpiorMme%yyh~>`NgEiz{q;?1YzI}u_%*e3l%WaR(zA# 
zqF4XQTl&k<$?xF(#2as$I4$HP*U(3MNv6+O+27Oz(%(ae zhUEdi_Mqpw=$=B9*jhV{gswxGLgzDj|MdEwiVb~zLwY?*y@!4>sD+F;S$|h48r7*! z$}t()NM*C=f9xl+u(eJGNGEdfIgD3EcuNw=+)I-#OZ55m@Dnw8A~zj@R{&XvcVg`g zxCTFOxbSodgsP{$eU<#&NKP2%OgsVvpH(Ndc@7tz28>l!lALV+-}1ST!@?>gioU^L zX0JTo9SK6C6X;t>V`ws}#%EDzOXim}wq8R9QOG>5qh2O~r!*5Da|~}+ne?3^w#+Dj zug-BR2R_@Hms7r6oAHX$!NchyQ+hZ$oMviMju(sRBV>MfDk|1@T((P?S;Ly0&fj*} z?eY~rF2`}eFHSh+l|AFoRZSygU{+_nvv8nyui_P zJV{$FJiF?8e~i@iv^_bhY!$)M@Y}v{b-V)$HorSc%Nyg(9W1EO9yd}n*;jSd0&XN_ zMUHCwQoshN*4h!6@xK*9SU_tT-t zF60uWCa(D+*=Bz*fb|*T){5K4yi!}ZqhA*pq@f{LsxO7wU?qwyip_L41Z6HN1Cl==ln z*G5+i$+@Mdk6x_E*H5m!0e<3vA!AKe{*am`E9C@|CxC4o;fIe_@I%IYhbgJ92j_j` z%>^83*_G{J>pgQ@0a9oLBE6@uYYZFJ<_)KggM9lGgwLV_nZunB+vhORcJ>h}&gP&TSHM30ms1G_C-`cy}OUOd)CD;GV{Y4X`sJlR=by?tKRTIieWtHs^drWP{Q8Es+UyQv#jk*df^Rt^8+cGO*cg_;3PyjE~ zv)@hlhz^@PYfu@deDg}-qZ}IdwY%h%oVnA{RWMhZIZBWouOvtLwo6_S0g&XU=D#?G zuHidI^P4Z(toW^$FrSlHk)q1-1lb_p8uxDI|=jCtuHFm1i1-2x?E%8itEG^rkj^(ga#Wf zgmp+g(Mr`)F8uOi7V0HOP3NmS>LBUvJv*tnL5U0CzjN0RF|H4wmF~%y3w!2E&8d## zHHqab*?FU+ ze3TA>K$$?xC`*<3!1*SqziRQrKyk8jpZqP8N;{oy%ien`oSrG+MF(YN206-DAn+GQm$aN!h^tRJ+TxG~JB8SA*}dn5lQs>#o@0QJ2s$-Q6vbaZKfXoe?{{(JIDR&l8M5l^ za@_EEG*@Qk8LC7K?z**nXc0=5SsIP!8CSlm^AtW1wN;#I|4dPWX+%9^!U_!o#5pXV zapj%To@15Yl*qznO8yt>I@B;4`m1`Egc_jom`mD1ss-^2hkk@V$Zh#I*szN-4`H_R z(qs6~Srg|1NC1iIcw%BsP&2n28^u*yE0e`TbDQErFoM3}fCA4WffG+sdT>df?@bn-K5+h<1KcX zXJ~&*S8R&3&G#f%vD4!DdS`por>82%D=BT&abl{+lRSmE|1MdQQc}d6 zfECdl?WdJ>I2;Ml?qqkgBu0|T1okD1fFwu@$H_Bb4gHg-!#u92L+F6n{suiNCT*d2 z*J-VGgwzbZsxFWF!v&83!dr`SPMl2D~(B7o?N@Xdm8)PYLw_~lLj_E ziZ{khIyqRxN0gq(Bgc+gx%G$uZ17m9j;IzZuza%B?lNVm2Czubb`zR<6ZFI+%X>A7!))J-07BG zX$pa{%$O!*8j>hOCZvJrPa7qDZ3)MvFmyR?aY6Rm1z?26wJi}Ldz zDKl2m>k=cm4A6o@&=y~?uMpB|(7cr!lClQM%YBAK6pp6>&B<%0UXP2G!LLF!uP=Z{ z)c^cQ?@{J&u}EQxOxje}o5{Yq{&$KmOVEZZY5Kwhj3dnQ8{6!?AeXJo(Z($aReoYND7#eE{y?zt-|n$i*Uo!6>p zhkE^)qQBO^HynUuPYz)C+>0H1^i~b|P%4J}WS&MW?28S6F4 zhN(N3IFxd1lRCzZ{M%%VzEZNX!rvP#XzmP!uZ@g`WqHozbW6)WlwVX8g2@Ez`!7HS 
zblhaKPciqJSnov}7=p-MQ0(gZ`MyKrLnvW`rwu<}4qrrLHko_CEU}>3$tm6?tf+VK zg?AMtnxK}X8GoyB(%#Z;*ahlNcnE9=<_A_^s5wb!0iw%XwbQHbxeCoLwpt+dtyt zN@^KrLs6k?zLpZ;r6pck>qazs>NL|kHVdz@rKmlqh$J3W+SiyI`yJSeP8fiJ*t zw`>CUS_zVRyQKKwpxCU&SwC`F`TBbm&>JRm`hlwvJQ?9A^r5U?Y@!Z4t&uLifm#@0 zslL;9nh{embYl%@=FH1B=&-R|`+iGXzJO*9Hc5VgW&J_mqG`&SsvCd3X3O_iFRK+P z-r8$DwAq|U*3VmURfw%;do*}K!sDE~`CjNu9wx`nrobt{SKu-ZIY;d4$Uag+mr*(4 z>8S<1-sxg#oLBcn$u7$3k-SQG>ex&O|J?w32sjditkQx9m*Xgtgd{Usc4v-jF4y4l zy6iaFgC)jkc&Jj=m}gn<_c(%?Q6f8kugwf1;WG$}TbBC>b->@x3Khjm{0H72PL z8xdLyx6j^Rlw=V2#JFDEnX=%7Hb?2x0M;iy0CAV22O>pJPj}vi(aFbYMFQyvj~Nz4W@h6bilX zc-&*0#kf46MKbs&poMIhkW39ob+17~Taxj??*q!Jgc0`25HHy)qvZ$?pz+3JRb&0R z*dj0s4n3jI7h15A9S5@3E+LhOwqJUR$9*qvT9GE#==KZbyb_|N0}YP_mk|jz@9}`f zbKxB<352#8C!NnV%$YJrXY1B9Bf0MkwTd~C|1sY^Z4Z$EaAF6#AxcX*wt_fh*ePvn zgfR1o+xLDg{#A?WEUy!fmv|=w0qR6GZBqnGdm{#HSR}nDQ*~;__^mI=9qn9c zVfppFw;?Uqn*Q<-*PwH4fb38!r3667FTr<(I|{x0QObM(ov;OnGU!yVBreGx?R~Hq zGEne<>^m>P10yCDQS?^rh6RZO@;opV4*3C(;9OAF7N~hv>WS6!V?m0Z)BGWOAQkR* z(T7o@J=?anVmuuRu&vVcGcvv%5DGfI&*vN-RyXL8w7v4X>iB5I1UCFBsiiVC%?J96 zj_Zhq-f~R`J&r&ox^fL!!V==$ec|YA0eoCn)`p~ZANtxi&u3Ei^yVXGZgdDf-dWC7 z7=0>O*y!zX^pYBxAXAAgdOMKL<5TXU^&JjpcA~bPiy%ATk84WqpCHtK7~*{W>Aq0p z{~ON%IauadoO#3xqkqV|0<^GT!B^6pIO(E9qv36918gJ$<|!rT?FU)u*SiBC{&MAk z<3h&{;(29^NEK@2rAc-W($Z*`cw!v^v4j6ADd?eUygDaRx4JEqIqLHIyM8W50!<&P zc+H*?$}_jj;YQ9*dlehoT?jU-d-A)pkD%RQ(qy1#0v1T^aWf*n9ECmy+)B1$hUgBoRQoM+0U|S^F$Up@Ai3s(3>)jy0r@LbPE7h z+}4xc1R#)f`=3(Q(#TuMo`5zFKFA~m1{qWeTp|4K>loku&*CM6S%BDpV~r8U5~G3Zse?1OhO9Bk|P_G_t#Y~@Pf?? 
zgkBLay{v*{&vS#08t&LUT#-3`<2K1_&B0a4H-^E^P+b@glY&u#vHurA_YM(s*QDbd zWnMpfs=A96yZ)j+sg*M`@Rbh|m2#nsh(Q86k>4!d)g@%H7?VEe>N-w6J0=h)QX%`E zcj#A1qc8TDPfbH_fV7m3qCyMt&AXPV68?ql#Nn50?{3uI@0qcHsE2tMxgs44hgaY# z363l>Qp#+#k?r_+<=`VPZnR-m_MU8~AK$$f2WWt|$b4a9yN|kx5}T=v@-l0u<$q%1 zkqAWA1F#blkQwQxxFm4zuVC*B1$O~aa}Fw6N4s2n%Qn?kXE>Qg^Yl% zu>nke80tLZmFHb6O6{xGXYrX7*LO@o)#>iCQ_Jua1E4wYF@uspItRzcTk6oWmC~g< zJUR8Vivy6w(aH(uX|#ui6n@M(V=>6M6jT+y{`-p4i*)_-Cqm{zU0jHFjVa#`vzq8L zD7cKx3tk(w`;gSmoycK_p|`}R{N&uq(t*v!fcTaQPZTsvTK{V!td&=_lt;e3YKesb zX_0}SH>71;e%R{AZG;`q0U$6t6e2r`XEA+x#8P7=kOC$2Dl^>Q0kN-I2ha`(Ul3n| z;Ltn82Vu$tjV#^}^qwBSnyYJ2$XDlN5}7B2jK{kI!l;CybGNU#`?}b&l2|C%)P*%Z z{xfJPZnL6@`d^zR&w?ZtgvhKJFt6xVtP!sA zW6XXD1~)zis`ibjihX-fA>*+`dsrq^KxDKTbS_cyCX&JC6!jf;L<4+EWwRsIKnKaPo4^F5p+ zpGOReKZABZWv!?2O@ixm5sDCNXo1?udCcAg6@}6>FD0T8P(i?>29!+60R-2L;X_L6 zdfTUlj!bxUj>lS+Ka+yW87iYq1YMGKZJk$`B!-%rW0mN$B@%D^9++dSdVHM4$4|R@ z;IkWbJa0!j&m>Sz4=>(+zm}LDPHqzp_}B*d3LTk_cmy#A@%tom%AA4%xss!5O3}<# zkJ>JaZ%u|37vI$;n#vQd)4MOm2)Ky*1gT#()xpHjk=PHCBO2bv1Bbd>R(qKO}3Vo6%P|BTF&tWIfOH#@QtB95PZerM=X3=_q9h zwdU}z=ToylU6^T^#GJg(HNLgZ!#_OEf>>R6!Ps`mm%1znv&mP#xYSaUk(Bv{V&Y1a zHC@pp;P)hP8EZU+x2mKCQfN$8oiv4@)E3=l`>P6bKEn|NstwIlEu`4I8KV_|OAo-| zwCz1yO6_MN%jSa(LpH^)k${w+g0TS0ssDX9$O5@0g&8n88S?`UbdF@1%YWp8PCr&_(Q zO3zMEpKOZ^RANN@9%aDk_AU;^9_05R-RMp+lqEoLQW;A(rd?Y{5F=&#o1R%iD>!QM zS*qo4T}E%OzBuQ%|0KZ<5hYatjQn72F@c;E&S5l>76GnaaImZjwLJ^ES&!dV&a?0B z1tZ6yGuiv&gK5O{KjTIcrF3z=IpDA?dqG?yQwRn@bEFk;=!BAuQK&obHNbm3c3{F) z&W(BOHat>&#i;2|7~%q2_Ya8a>nUBjWE#T6C=S8mmG4A zl_qi1FpX(xVmCvob{1qhv>|_;=PyL5D?kqw0ks-p!Ft0#ouCd;LGT&HnJUw(bSJqQ zKf`wHUr0ngoxH02oW_O@<(#;=9!7W@Joc+NS3H&SL>aimzt*8!$U@s7S(??qrzkU# z2(IhC-RWFIF!WOS(YsEGid!ERR2uEpLY%!66oa8IF%*fHC~*#_;tn>f!q}6#X9V&d z#1!axN0AwL-ow=N$W+B-gx(33UwjH-2)JaaR?rw7eb35a@Z!I0uA0c{*k^#q zGXcc&n>zR(+v96s3CSKB%f%$exLBRd{VwB!qNo5y7>I%mif$}J=s-AQIU5;Mv#UTm zES|t#@&=e&_;j~yo}OkpZ1vL#LDcnR*R(k88Uhq3SUvQYH`7gdW5kv0+>#J;#}8mL z#;wycr3A;OKo&hE51jdFw2WL=&K}8V(4mC>%!BW0I-RWe7_mzle%Yq^POU`V`+ZPU 
zLMj<^a}tubIu-g1N@_xga5H*{HPIG2g>B=h;@=Ef9sJ@*j`jaKm47@iBv0e`66s1C zhl&?Ozc zi>$?mC0KIRadKS&w<)yfAPc z)!L|)u~dDuD<=e(ZlD4e;Im@!`5esAC^=4Od`8)826ZVv${iJ-b{{ppM1xnTX4P5S z)9|Z-`Wy&Kj{3AiYJi+lxy9yK$c~VsXBr~&ccODq`(PR(}S6xXW7h$G%y~Qz2ts04@B|ApfY|>zw>eE&~G6DuNpAje_!KUv>osD9@x$e`N zzJ=ozlVy=~-u8k3xU0&7evP*lBxQ9@5QFN(aJFC<7hi->wd2 z4^Q>+QAXh2l6xd9Tkm%=X=imw^+3~%PSU-+_@$UG#5)-CEUlOG!PTRfz8Lwx6XXPO zc#h$Tee3T%7|Kt*-CD_s8J2?04h3op{6uzd(p5k4Rqz!>F$9|-d3g3>#`w_s#0LJ)XD7gL(Qng&M_giHl`bz7Uh7&bi0jlGUo8a!O=|dPD)3r&5`+1 zth(`$9sW!Jhu7ATf5`=F+Jy(eZ)F>vBSak~a~R`#xTz;1i9t*H)Y;T`rG& zM3yzzaEKqCJ0wGVhX%WWellJWS+&E0+Z-jWi(%w8_qUmW|M|Du~L5 z2W@ssIRlSF4$rl>6uzZQ+KlQ~tq|Hh=s+UVX{tp51kC)ysPFSykh`!@EvQM?fzCay zE6%#iN-Q6YxZaqq19Z8iA>+!EZ3dr{>@`?a!Lp4R)VyjUsDm04$G_csVbmv^vbl>9 zYnpj1*Ya0!eF=oZ{oB#igtr+2c5!qOGnWwxfw5r>zE^BbKJ6~iy?nga?X>p`tiea@ zWpqz=k}Dif%klC#1v7p|Gg+HT7(>}rs8v}l_qZ|UA>NU*Rt;n>!7ozxh3{=3ySNQ~ z-|lUxE?m!PvDy5gvrI<)1@-&)IMiXCTHDqLLnWZF41HY43?C}R*2wG8^i;8-en4r?bwi(U6}M9q2it(s&w%SR-RsnJ=3 zqtC`!Z3jBe2d(T*0vyWod8`X?AWlA;vihNR#WpV(V*LSb6?$w$-?GjcKis&i)%AVC zRKli)rQhYgsbgDsPM;&jX?y3%4E$NE7UHKW0Z5p`L{TB<5^F0l;+d{o5GC93UB1Hh zTDHW$6b%#qkP4prlbn%WAShlI3mM*~{Y2SI+6+6_DVhj9uqB(yZ{ zp)7Zi0q!WP637r0@JkUlEH|xYnJ&y)O~90n`V$4=&D7&j3~vo;m>vhai$?^5CU@xcyybmiz|#vXT9SYf$h z5X^w>J$A6u5l=S-R37i?j$w;<&~6114oyYhelnOV-!d~+6#^+^Nggg?BGOwg^vbF* zONbDbyxP;O)ZZJH)n+!~(Fv!$2=<<+zNH8)MBPQuH&70>Lr_1 z662UF(&K2Q7*-cKFY)&aCG`|C=;N2JN(0A(TnB`8S-WV*Y^p6nfRk-6GrqC)%!xw4 zdD~#CliO)qP=Rj{3n6zZ4%<{v!WJ-kL<(>}kf<>a*#EOf!{KQX>!Yx2o?>9&0Ja@wm z(O*0<`i#KAq>OpC=xC(Rw_JY5-8c58_?TPA56U2g{*ZUG^07R`bn7)_K>A?~B$&QY zC}!lRO=m!z)=?4oMA0F8MUtZ1(dogF`l8|_fylPGNsZimwl;xcrhOy_X2jmSEOTi6 zQBxpPKv)Dvo7(zV^`XI2CtmhV#h=7vquElAdDXSa2ywH6u^0$N*}k`~hBI-MY8I!k znl>OD>SX#IEP6`Mg?c>MieQjHK>?94qU5XhmU@GD@>g-t2-9*&JC#+So|oc^M#sf3z<5Z#Aa zk5meO{RtY+w3&A7Fn=u>NYdS}1ftaJ`=i|AK}ps_u)lcc+2Ys-5KTm*Tkr_NFkc0p zJ3LPN0mUVBit}JJ_kG@&OuXDK&r&y?AO8p@oN$UgPUi@vJ^Nd#)_Pp-JVF69%^OMv-L`k#Ck9GfV)E?kHYaNP=_RePhA$Iy?z;tQ@~8N+~yr?$YH*+z8?AJ6b@ 
zU0yj}dkFD~eRlDL=9huJ%m(&w9n&-EPXGg;MR8@oN2TFPc+HL~gfsn};-BI9aV05? zh*c5yH)*J;_8LG3_8Lp;4Aq`0C3@Ei-ZaV46MO<(MT&#j)35O@7rBW2PoWbq$80Op;Lu(FQ6!mT_jPoj$KPYr zbd=Oom{SUQ=fd;t5qC#hQ=}A@-m}{J+IS$P_!Q{U)w7C3EkTgXCwr~!;|*Zb^@P5n z;fwyG5)P>59i3@gvS0 zq&2?nP%uyt!&05(lB9+ZRzSDK(GODbMlfn9?lPi}*GnO{T%cJ5unj#a0k>)8!(G#s zHy&!)blZTg20_K;d3^ntEQR!QJP>2v8Nq*iAj7`#WnDa>?7>r&)qxA+tMagtj1`z_ z$Wg3*ZPQ7ou*b*;iX4iKqJi-3Y}n``ypixNgJE; zL~(eXDY;P`D&oV@V6vST&U~sZ1jr2O_5Bs#i@f5(8ZJYn%Y=pu<5E^X zPg8Y+5i@v?UQ0U!BrBGE#tbD}mF6JNa=0%&48M`aN6D3<$z>a$W?m3)3`yH3+$vE# zX{Q?E?IxZO{QW`>a&pOVFkt{%jmak+j0X*uInLFS!BMgh6cl`;6iH?vS;4;_@>9T1 ztg||*<$!i1xGF`!bE?~7>`E7$TKF9XfU9sM_EI_TKHd;o?A>Xwr}|D||DXLG=)pQu zaVaICs)?s|0FI08N!zNL z&`Qrmsx4lsFAo*_(V`#j^*sqg+G$z63exHhM$B$tKt zy@k%5Qu|Q=zP|kw)IH?G`+`~11J;{`nVcHNg<3z2gJoF6{c;TT_nkpM76V!L+NMC_ z5PF^^a^$BO>tC4nc3**0V?R2l(``2lb6Z7%eiH{U_s5h%B5X8Zz%Iim>|a*6-lo*P zbQVd`2>xZVlaJM^l0}-=BVN8jH`EVR`@-py8X~{;<-Jj4`H50-NUUGBhG;q#%bq;} zIm+OUP3F)6{5HgUQ$F;KiR`nctX^5eZ?*!6`dsx27QRp&3|{sb9C=*X#6V zj@|P#s39aBjhqz*R7#ZsexP9-mpD8BMoEtZh{lwaFp@ZYZMT4bgb{GqLQ*_8Hl+N& zLmir4w9eA*Hzv2GKd@7dejFZ`Ml$C3DI3=yCk%yC2aH@Pa;Wj!YLvuCX>!GOpPsHB zgP=rGEv^%j#P}%eXJ(Wm?x9#5bHbg(0Z5d_J{+unG2BSL3=xQmKhN`U)j&EXsb=_u zH)qT)zMfd-pp4J2d>)Vz*JYATgB}bA*4N#`>|wO6^F>0{Pbd$8_CDw%)6v_#rhIPW z>U=)%sH!m7Jt9kMfpSSm^cjuMV%E%ZqD}4pT~2t}44+A#wzb*8@^`p5x`5UgO{OKa zmC*&Dr+S*^n*3=?PLZ(RuBWaf&WMeq^shu}3re4oTJclbm zCloS|VG}>3N$IZLHI>T~7~DSO>%B7EDr3lKG4{lbXv>SsE3)K(BYu@54Xc{7Mm!4~ z1Q1Qm~ z7~GMjT9^T5N*TR7WQ%LeV~>wjw5D5xj2UdW3KGftrGawl{rnWMeT2l?J(}_C5}%K+5<}rgpr>j~+Y# diff --git a/tests/oauth2/test__client.py b/tests/oauth2/test__client.py index 4cbd3a8ad..ab079ac5b 100644 --- a/tests/oauth2/test__client.py +++ b/tests/oauth2/test__client.py @@ -24,6 +24,7 @@ from google.auth import _helpers from google.auth import crypt from google.auth import exceptions +from google.auth import iam from google.auth import jwt from google.auth import transport from google.oauth2 import _client 
@@ -318,7 +319,11 @@ def test_call_iam_generate_id_token_endpoint():
     request = make_request({"token": id_token})
     token, expiry = _client.call_iam_generate_id_token_endpoint(
-        request, "fake_email", "fake_audience", "fake_access_token"
+        request,
+        iam._IAM_IDTOKEN_ENDPOINT,
+        "fake_email",
+        "fake_audience",
+        "fake_access_token",
     )
     assert (
@@ -351,7 +356,11 @@ def test_call_iam_generate_id_token_endpoint_no_id_token():
     with pytest.raises(exceptions.RefreshError) as excinfo:
         _client.call_iam_generate_id_token_endpoint(
-            request, "fake_email", "fake_audience", "fake_access_token"
+            request,
+            iam._IAM_IDTOKEN_ENDPOINT,
+            "fake_email",
+            "fake_audience",
+            "fake_access_token",
         )
     assert excinfo.match("No ID token in response")
diff --git a/tests/oauth2/test_service_account.py b/tests/oauth2/test_service_account.py
index b0adf8d00..f16a43fb9 100644
--- a/tests/oauth2/test_service_account.py
+++ b/tests/oauth2/test_service_account.py
@@ -22,6 +22,7 @@ from google.auth import _helpers
 from google.auth import crypt
 from google.auth import exceptions
+from google.auth import iam
 from google.auth import jwt
 from google.auth import transport
 from google.auth.credentials import DEFAULT_UNIVERSE_DOMAIN
@@ -771,10 +772,36 @@ def test_refresh_iam_flow(self, call_iam_generate_id_token_endpoint):
         )
         request = mock.Mock()
         credentials.refresh(request)
-        req, signer_email, target_audience, access_token = call_iam_generate_id_token_endpoint.call_args[
+        req, iam_endpoint, signer_email, target_audience, access_token = call_iam_generate_id_token_endpoint.call_args[
             0
         ]
         assert req == request
+        assert iam_endpoint == iam._IAM_IDTOKEN_ENDPOINT
+        assert signer_email == "service-account@example.com"
+        assert target_audience == "https://example.com"
+        decoded_access_token = jwt.decode(access_token, verify=False)
+        assert decoded_access_token["scope"] == "https://www.googleapis.com/auth/iam"
+
+    @mock.patch(
+        "google.oauth2._client.call_iam_generate_id_token_endpoint", autospec=True
+    )
+    def test_refresh_iam_flow_non_gdu(self, call_iam_generate_id_token_endpoint):
+        credentials = self.make_credentials(universe_domain="fake-universe")
+        token = "id_token"
+        call_iam_generate_id_token_endpoint.return_value = (
+            token,
+            _helpers.utcnow() + datetime.timedelta(seconds=500),
+        )
+        request = mock.Mock()
+        credentials.refresh(request)
+        req, iam_endpoint, signer_email, target_audience, access_token = call_iam_generate_id_token_endpoint.call_args[
+            0
+        ]
+        assert req == request
+        assert (
+            iam_endpoint
+            == "https://iamcredentials.fake-universe/v1/projects/-/serviceAccounts/{}:generateIdToken"
+        )
         assert signer_email == "service-account@example.com"
         assert target_audience == "https://example.com"
         decoded_access_token = jwt.decode(access_token, verify=False)
From 0ca0e02ac9907f50868c0946cd1f5043938d8e1c Mon Sep 17 00:00:00 2001
From: Sijun Liu
Date: Thu, 28 Mar 2024 10:55:11 -0700
Subject: [PATCH 2/2] chore: address comments

---
 google/auth/iam.py | 2 +-
 tests/compute_engine/test_credentials.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/google/auth/iam.py b/google/auth/iam.py
index e20b7a3cc..bba1624c1 100644
--- a/google/auth/iam.py
+++ b/google/auth/iam.py
@@ -82,7 +82,7 @@ def _make_signing_request(self, message):
         message = _helpers.to_bytes(message)
         method = "POST"
-        url = _IAM_SIGN_ENDPOINT.format(self._service_account_email) + "?alt=json"
+        url = _IAM_SIGN_ENDPOINT.format(self._service_account_email)
         headers = {"Content-Type": "application/json"}
         body = json.dumps(
             {"payload": base64.b64encode(message).decode("utf-8")}
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
index 9cca31792..bb29f8c6e 100644
--- a/tests/compute_engine/test_credentials.py
+++ b/tests/compute_engine/test_credentials.py
@@ -499,7 +499,7 @@ def test_with_target_audience_integration(self):
         responses.add(
             responses.POST,
             "https://iamcredentials.googleapis.com/v1/projects/-/"
-            "serviceAccounts/service-account@example.com:signBlob?alt=json",
+            "serviceAccounts/service-account@example.com:signBlob",
             status=200,
             content_type="application/json",
             json={"keyId": "some-key-id", "signedBlob": signature},
@@ -657,7 +657,7 @@ def test_with_quota_project_integration(self):
         responses.add(
             responses.POST,
             "https://iamcredentials.googleapis.com/v1/projects/-/"
-            "serviceAccounts/service-account@example.com:signBlob?alt=json",
+            "serviceAccounts/service-account@example.com:signBlob",
             status=200,
             content_type="application/json",
             json={"keyId": "some-key-id", "signedBlob": signature},