-
Notifications
You must be signed in to change notification settings - Fork 311
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for imersonated_credentials.Sign, IDToken #348
Add support for imersonated_credentials.Sign, IDToken #348
Conversation
Any pointers on how i can mock the embedded |
@theacodes @busunkim96 |
@theacodes Could we start on the review on this? As mentioned offline, i'm unsure about how to create the testcases that compount two request |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your patience @salrashid123!
I left a few comments below and will get back to you tomorrow morning on the test cases. You can disregard the current test failure in Travis; it was because of a change to pytest (#353).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some more comments on raising test coverage
@busunkim96 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for all your patience @salrashid123.
@tswast, could you also take a look?
ok, i'm gonna give one more round of end-to-end testing for all the modes later today (just to be sure). Ill reply back here before final merge. thanks for the reviews! |
verified the follwoing works with the final fileset in the last commit from google.oauth2 import id_token
from google.oauth2 import service_account
from google.auth import impersonated_credentials
import json
import google.auth
from google.auth import jwt
import google.auth.transport.requests
import base64
import os
from datetime import datetime, timedelta
from google.auth.transport.requests import AuthorizedSession
from google.cloud import storage
source_credentials = service_account.Credentials.from_service_account_file(
'/path/to/svc.json')
target_scopes = ['https://www.googleapis.com/auth/cloud-platform']
target_credentials = impersonated_credentials.Credentials(
source_credentials = source_credentials,
target_principal='impersonated-account@fabled-ray-104117.iam.gserviceaccount.com',
target_scopes = target_scopes,
delegates=[],
lifetime=300)
# ===================== SignedURL
client = storage.Client("fabled-ray-104117", target_credentials )
bucket = client.get_bucket('fabled-ray-104117')
blob = bucket.get_blob('signed_url_file.txt')
s = blob.generate_signed_url(expiration=60, method="GET", version="v4")
print s
# ===================== IDToken
target_audience = 'https://myapp-6w42z6vi3q-uc.a.run.app'
id_creds = impersonated_credentials.IDTokenCredentials(
target_credentials, target_audience=target_audience, include_email=False)
url = 'https://myapp-6w42z6vi3q-uc.a.run.app'
authed_session = AuthorizedSession(id_creds)
r = authed_session.get(url)
print r.status_code
print r.text
# verify
certs_url='https://www.googleapis.com/oauth2/v1/certs'
request = google.auth.transport.requests.Request()
idt = id_creds.token
print idt
print id_token.verify_token(idt,request,certs_url=certs_url) |
Adds support for
impersonated_credentials
to sign and issue IDTokens.impersonated_credentials uses IAMCredentials api at its core which also provides interfaces to
generateIDToken()
andsignBlob()
:This PR seesk to add support for those.
Some benefits:
Singer
interface allows users to 'generate SignedURLs' too. ref: Issue: google-cloud-storage: Cannot create signed url with ImpersonatedCredentials #338The PR at the moment does not have sufficient test coverage (its a solid "C" at 75%). I'm unsure how to mock the internal request/responses since i used
AuthorizedSession()
internally withinimersonated_credentials.py
. Any tips or pointers there would let me add on coverage. I've left the anticipated responses i would like as comments in this current commitAnyway, usage would be like this to sign and genrate ID tokens (i've verified the following works)