| // Copyright 2023 Google LLC |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package credentials |
| |
| import ( |
| "context" |
| "encoding/base64" |
| "encoding/json" |
| "fmt" |
| "net/http" |
| "net/http/httptest" |
| "os" |
| "strings" |
| "testing" |
| "time" |
| |
| "cloud.google.com/go/auth" |
| "cloud.google.com/go/auth/credentials/internal/gdch" |
| "cloud.google.com/go/auth/internal" |
| "cloud.google.com/go/auth/internal/credsfile" |
| "cloud.google.com/go/auth/internal/jwt" |
| ) |
| |
| type tokResp struct { |
| AccessToken string `json:"access_token"` |
| TokenType string `json:"token_type"` |
| ExpiresIn int `json:"expires_in"` |
| } |
| |
| func TestDefaultCredentials_GdchServiceAccountKey(t *testing.T) { |
| ctx := context.Background() |
| aud := "http://sample-aud.com/" |
| b, err := os.ReadFile("../internal/testdata/gdch.json") |
| if err != nil { |
| t.Fatal(err) |
| } |
| f, err := credsfile.ParseGDCHServiceAccount(b) |
| if err != nil { |
| t.Fatal(err) |
| } |
| ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| if r.Method != "POST" { |
| t.Errorf("unexpected request method: %v", r.Method) |
| } |
| if err := r.ParseForm(); err != nil { |
| t.Error(err) |
| } |
| parts := strings.Split(r.FormValue("subject_token"), ".") |
| var header jwt.Header |
| var claims jwt.Claims |
| b, err = base64.RawURLEncoding.DecodeString(parts[0]) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if err := json.Unmarshal(b, &header); err != nil { |
| t.Fatal(err) |
| } |
| b, err = base64.RawURLEncoding.DecodeString(parts[1]) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if err := json.Unmarshal(b, &claims); err != nil { |
| t.Fatal(err) |
| } |
| |
| if got := r.FormValue("audience"); got != aud { |
| t.Errorf("got audience %v, want %v", got, gdch.GrantType) |
| } |
| if want := jwt.HeaderAlgRSA256; header.Algorithm != want { |
| t.Errorf("got alg %q, want %q", header.Algorithm, want) |
| } |
| if want := jwt.HeaderType; header.Type != want { |
| t.Errorf("got typ %q, want %q", header.Type, want) |
| } |
| if want := "abcdef1234567890"; header.KeyID != want { |
| t.Errorf("got kid %q, want %q", header.KeyID, want) |
| } |
| |
| if want := "system:serviceaccount:fake_project:sa_name"; claims.Iss != want { |
| t.Errorf("got iss %q, want %q", claims.Iss, want) |
| } |
| if want := "system:serviceaccount:fake_project:sa_name"; claims.Sub != want { |
| t.Errorf("got sub %q, want %q", claims.Sub, want) |
| } |
| if want := fmt.Sprintf("http://%s", r.Host); claims.Aud != want { |
| t.Errorf("got aud %q, want %q", claims.Aud, want) |
| } |
| resp := &tokResp{ |
| AccessToken: "a_fake_token", |
| TokenType: internal.TokenTypeBearer, |
| ExpiresIn: 60, |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Fatal(err) |
| } |
| })) |
| f.TokenURL = ts.URL |
| f.CertPath = "../internal/testdata/cert.pem" |
| b, err = json.Marshal(&f) |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| if _, err := DetectDefault(&DetectOptions{CredentialsJSON: b}); err == nil { |
| t.Fatal("STSAudience should be required") |
| } |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: b, |
| STSAudience: aud, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| got, err := creds.ProjectID(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "fake_project"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| got, err = creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "googleapis.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "a_fake_token"; tok.Value != want { |
| t.Fatalf("got AccessToken %q, want %q", tok.Value, want) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got TokenType %q, want %q", tok.Type, want) |
| } |
| } |
| |
| func TestDefaultCredentials_ImpersonatedServiceAccountKey(t *testing.T) { |
| ctx := context.Background() |
| b, err := os.ReadFile("../internal/testdata/imp.json") |
| if err != nil { |
| t.Fatal(err) |
| } |
| f, err := credsfile.ParseImpersonatedServiceAccount(b) |
| if err != nil { |
| t.Fatal(err) |
| } |
| ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| resp := &struct { |
| AccessToken string `json:"accessToken"` |
| ExpireTime string `json:"expireTime"` |
| }{ |
| AccessToken: "a_fake_token", |
| ExpireTime: "2006-01-02T15:04:05Z", |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Fatal(err) |
| } |
| })) |
| f.ServiceAccountImpersonationURL = ts.URL |
| b, err = json.Marshal(f) |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: b, |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| UseSelfSignedJWT: true, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| got, err := creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "googleapis.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if want := "a_fake_token"; tok.Value != want { |
| t.Fatalf("got %q, want %q", tok.Value, want) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| |
| func TestDefaultCredentials_UserCredentialsKey(t *testing.T) { |
| ctx := context.Background() |
| ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| w.Header().Set("Content-Type", "application/json") |
| resp := &tokResp{ |
| AccessToken: "a_fake_token", |
| TokenType: internal.TokenTypeBearer, |
| ExpiresIn: 60, |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Fatal(err) |
| } |
| })) |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsFile: "../internal/testdata/user.json", |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| TokenURL: ts.URL, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| got, err := creds.QuotaProjectID(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "fake_project2"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| got, err = creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "googleapis.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if want := "a_fake_token"; tok.Value != want { |
| t.Fatalf("got %q, want %q", tok.Value, want) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| |
| func TestDefaultCredentials_UserCredentialsKey_UniverseDomain(t *testing.T) { |
| ctx := context.Background() |
| ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| w.Header().Set("Content-Type", "application/json") |
| resp := &tokResp{ |
| AccessToken: "a_fake_token", |
| TokenType: internal.TokenTypeBearer, |
| ExpiresIn: 60, |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Fatal(err) |
| } |
| })) |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsFile: "../internal/testdata/user_universe_domain.json", |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| TokenURL: ts.URL, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| got, err := creds.QuotaProjectID(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "fake_project2"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| got, err = creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "example.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if want := "a_fake_token"; tok.Value != want { |
| t.Fatalf("got %q, want %q", tok.Value, want) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| |
| func TestDefaultCredentials_ServiceAccountKey(t *testing.T) { |
| ctx := context.Background() |
| b, err := os.ReadFile("../internal/testdata/sa.json") |
| if err != nil { |
| t.Fatal(err) |
| } |
| f, err := credsfile.ParseServiceAccount(b) |
| if err != nil { |
| t.Fatal(err) |
| } |
| ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| resp := &tokResp{ |
| AccessToken: "a_fake_token", |
| TokenType: internal.TokenTypeBearer, |
| ExpiresIn: 60, |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Fatal(err) |
| } |
| })) |
| f.TokenURL = ts.URL |
| b, err = json.Marshal(f) |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: b, |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| got, err := creds.ProjectID(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "fake_project"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| got, err = creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "googleapis.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if want := "a_fake_token"; tok.Value != want { |
| t.Fatalf("got %q, want %q", tok.Value, want) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| |
| func TestDefaultCredentials_ServiceAccountKeySelfSigned(t *testing.T) { |
| ctx := context.Background() |
| b, err := os.ReadFile("../internal/testdata/sa.json") |
| if err != nil { |
| t.Fatal(err) |
| } |
| oldNow := now |
| now = func() time.Time { return time.Date(2000, 2, 1, 12, 30, 0, 0, time.UTC) } |
| defer func() { now = oldNow }() |
| wantTok := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiY2RlZjEyMzQ1Njc4OTAifQ.eyJpc3MiOiJnb3BoZXJAZmFrZV9wcm9qZWN0LmlhbS5nc2VydmljZWFjY291bnQuY29tIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2Nsb3VkLXBsYXRmb3JtIiwiZXhwIjo5NDk0MTE4MDAsImlhdCI6OTQ5NDA4MjAwLCJhdWQiOiIiLCJzdWIiOiJnb3BoZXJAZmFrZV9wcm9qZWN0LmlhbS5nc2VydmljZWFjY291bnQuY29tIn0.n9Hggd-1Vw4WTQiWkh7q9r5eDsz-khU5vwkZl2VmgdUF3ZxDq1ARzchCNtTifeorzbp9C0i0vCr855G7FZkVCJXPVMcnxbwfMSafUYmVsmutbQiV9eTWfWM0_Ljiwa9GEbv1bN06Lz4LrelPKEaxsDbY6tU8LJUiome_gSMLfLk" |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: b, |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| UseSelfSignedJWT: true, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| got, err := creds.ProjectID(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "fake_project"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| got, err = creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "googleapis.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if tok.Value != wantTok { |
| t.Fatalf("got %q, want %q", tok.Value, wantTok) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| |
| func TestDefaultCredentials_ServiceAccountKeySelfSigned_UniverseDomain(t *testing.T) { |
| ctx := context.Background() |
| b, err := os.ReadFile("../internal/testdata/sa_universe_domain.json") |
| if err != nil { |
| t.Fatal(err) |
| } |
| oldNow := now |
| now = func() time.Time { return time.Date(2000, 2, 1, 12, 30, 0, 0, time.UTC) } |
| defer func() { now = oldNow }() |
| wantTok := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiY2RlZjEyMzQ1Njc4OTAifQ.eyJpc3MiOiJnb3BoZXJAZmFrZV9wcm9qZWN0LmlhbS5nc2VydmljZWFjY291bnQuY29tIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2Nsb3VkLXBsYXRmb3JtIiwiZXhwIjo5NDk0MTE4MDAsImlhdCI6OTQ5NDA4MjAwLCJhdWQiOiIiLCJzdWIiOiJnb3BoZXJAZmFrZV9wcm9qZWN0LmlhbS5nc2VydmljZWFjY291bnQuY29tIn0.n9Hggd-1Vw4WTQiWkh7q9r5eDsz-khU5vwkZl2VmgdUF3ZxDq1ARzchCNtTifeorzbp9C0i0vCr855G7FZkVCJXPVMcnxbwfMSafUYmVsmutbQiV9eTWfWM0_Ljiwa9GEbv1bN06Lz4LrelPKEaxsDbY6tU8LJUiome_gSMLfLk" |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: b, |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| UseSelfSignedJWT: true, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| got, err := creds.ProjectID(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "fake_project"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| got, err = creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "example.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if tok.Value != wantTok { |
| t.Fatalf("got %q, want %q", tok.Value, wantTok) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| |
| func TestDefaultCredentials_ClientCredentials(t *testing.T) { |
| ctx := context.Background() |
| b, err := os.ReadFile("../internal/testdata/clientcreds_installed.json") |
| if err != nil { |
| t.Fatal(err) |
| } |
| f, err := credsfile.ParseClientCredentials(b) |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| w.Header().Set("Content-Type", "application/json") |
| resp := &tokResp{ |
| AccessToken: "a_fake_token", |
| TokenType: internal.TokenTypeBearer, |
| ExpiresIn: 60, |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Fatal(err) |
| } |
| })) |
| f.Installed.TokenURI = ts.URL |
| b, err = json.Marshal(f) |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: b, |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| TokenURL: ts.URL, |
| AuthHandlerOptions: &auth.AuthorizationHandlerOptions{ |
| Handler: func(authCodeURL string) (code string, state string, err error) { |
| return "code", "state", nil |
| }, |
| State: "state", |
| PKCEOpts: &auth.PKCEOptions{ |
| Challenge: "codeChallenge", |
| ChallengeMethod: "plain", |
| Verifier: "codeChallenge", |
| }, |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| got, err := creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "googleapis.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if want := "a_fake_token"; tok.Value != want { |
| t.Fatalf("got %q, want %q", tok.Value, want) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| |
| // Better coverage of all external account features tested in the sub-package. |
| func TestDefaultCredentials_ExternalAccountKey(t *testing.T) { |
| ctx := context.Background() |
| b, err := os.ReadFile("../internal/testdata/exaccount_url.json") |
| if err != nil { |
| t.Fatal(err) |
| } |
| f, err := credsfile.ParseExternalAccount(b) |
| if err != nil { |
| t.Fatal(err) |
| } |
| ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| defer r.Body.Close() |
| if r.URL.Path == "/token" { |
| resp := &struct { |
| Token string `json:"id_token"` |
| }{ |
| Token: "a_fake_token_base", |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Error(err) |
| } |
| } else if r.URL.Path == "/sts" { |
| r.ParseForm() |
| if got, want := r.Form.Get("subject_token"), "a_fake_token_base"; got != want { |
| t.Errorf("got %q, want %q", got, want) |
| } |
| |
| resp := &struct { |
| AccessToken string `json:"access_token"` |
| ExpiresIn int `json:"expires_in"` |
| }{ |
| AccessToken: "a_fake_token_sts", |
| ExpiresIn: 60, |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Error(err) |
| } |
| } else if r.URL.Path == "/impersonate" { |
| if want := "a_fake_token_sts"; !strings.Contains(r.Header.Get("Authorization"), want) { |
| t.Errorf("missing sts token: got %q, want %q", r.Header.Get("Authorization"), want) |
| } |
| |
| resp := &struct { |
| AccessToken string `json:"accessToken"` |
| ExpireTime string `json:"expireTime"` |
| }{ |
| AccessToken: "a_fake_token", |
| ExpireTime: "2006-01-02T15:04:05Z", |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Error(err) |
| } |
| } else { |
| t.Errorf("unexpected call to %q", r.URL.Path) |
| } |
| })) |
| f.ServiceAccountImpersonationURL = ts.URL + "/impersonate" |
| f.CredentialSource.URL = ts.URL + "/token" |
| f.TokenURL = ts.URL + "/sts" |
| b, err = json.Marshal(f) |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: b, |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| UseSelfSignedJWT: true, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| got, err := creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if want := "googleapis.com"; got != want { |
| t.Fatalf("got %q, want %q", got, want) |
| } |
| tok, err := creds.Token(ctx) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if want := "a_fake_token"; tok.Value != want { |
| t.Fatalf("got %q, want %q", tok.Value, want) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| func TestDefaultCredentials_ExternalAccountAuthorizedUserKey(t *testing.T) { |
| b, err := os.ReadFile("../internal/testdata/exaccount_user.json") |
| if err != nil { |
| t.Fatal(err) |
| } |
| f, err := credsfile.ParseExternalAccountAuthorizedUser(b) |
| if err != nil { |
| t.Fatal(err) |
| } |
| ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| defer r.Body.Close() |
| if got, want := r.URL.Path, "/sts"; got != want { |
| t.Errorf("got %q, want %q", got, want) |
| } |
| r.ParseForm() |
| if got, want := r.Form.Get("refresh_token"), "refreshing"; got != want { |
| t.Errorf("got %q, want %q", got, want) |
| } |
| if got, want := r.Form.Get("grant_type"), "refresh_token"; got != want { |
| t.Errorf("got %q, want %q", got, want) |
| } |
| |
| resp := &struct { |
| AccessToken string `json:"access_token"` |
| ExpiresIn int `json:"expires_in"` |
| }{ |
| AccessToken: "a_fake_token", |
| ExpiresIn: 60, |
| } |
| if err := json.NewEncoder(w).Encode(&resp); err != nil { |
| t.Error(err) |
| } |
| })) |
| f.TokenURL = ts.URL + "/sts" |
| b, err = json.Marshal(f) |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| creds, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: b, |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| UseSelfSignedJWT: true, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| tok, err := creds.Token(context.Background()) |
| if err != nil { |
| t.Fatalf("creds.Token() = %v", err) |
| } |
| if want := "a_fake_token"; tok.Value != want { |
| t.Fatalf("got %q, want %q", tok.Value, want) |
| } |
| if want := internal.TokenTypeBearer; tok.Type != want { |
| t.Fatalf("got %q, want %q", tok.Type, want) |
| } |
| } |
| |
| func TestDefaultCredentials_Fails(t *testing.T) { |
| t.Setenv(credsfile.GoogleAppCredsEnvVar, "nothingToSeeHere") |
| t.Setenv("HOME", "nothingToSeeHere") |
| t.Setenv("APPDATA", "nothingToSeeHere") |
| allowOnGCECheck = false |
| defer func() { allowOnGCECheck = true }() |
| if _, err := DetectDefault(&DetectOptions{ |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| }); !strings.Contains(err.Error(), adcSetupURL) { |
| t.Fatalf("got %v, wanted to contain %v", err, adcSetupURL) |
| } |
| } |
| |
| func TestDefaultCredentials_BadFiletype(t *testing.T) { |
| if _, err := DetectDefault(&DetectOptions{ |
| CredentialsJSON: []byte(`{"type":"42"}`), |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| }); err == nil { |
| t.Fatal("got nil, want non-nil err") |
| } |
| } |
| |
| func TestDefaultCredentials_BadFileName(t *testing.T) { |
| if _, err := DetectDefault(&DetectOptions{ |
| CredentialsFile: "a/bad/filepath", |
| Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, |
| }); err == nil { |
| t.Fatal("got nil, want non-nil err") |
| } |
| } |
| |
| func TestDefaultCredentials_Validate(t *testing.T) { |
| tests := []struct { |
| name string |
| opts *DetectOptions |
| }{ |
| { |
| name: "missing options", |
| }, |
| { |
| name: "scope and audience provided", |
| opts: &DetectOptions{ |
| Scopes: []string{"scope"}, |
| Audience: "aud", |
| }, |
| }, |
| { |
| name: "file and json provided", |
| opts: &DetectOptions{ |
| Scopes: []string{"scope"}, |
| CredentialsFile: "path", |
| CredentialsJSON: []byte(`{"some":"json"}`), |
| }, |
| }, |
| } |
| for _, tt := range tests { |
| t.Run(tt.name, func(t *testing.T) { |
| if _, err := DetectDefault(tt.opts); err == nil { |
| t.Error("got nil, want an error") |
| } |
| }) |
| } |
| } |
| |
| func TestDefaultCredentials_UniverseDomain(t *testing.T) { |
| ctx := context.Background() |
| tests := []struct { |
| name string |
| opts *DetectOptions |
| want string |
| }{ |
| { |
| name: "service account json", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/sa.json", |
| }, |
| want: "googleapis.com", |
| }, |
| { |
| name: "service account json with file universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/sa_universe_domain.json", |
| UseSelfSignedJWT: true, |
| }, |
| want: "example.com", |
| }, |
| { |
| name: "service account json with options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/sa.json", |
| UseSelfSignedJWT: true, |
| UniverseDomain: "foo.com", |
| }, |
| want: "foo.com", |
| }, |
| { |
| name: "service account json with file and options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/sa_universe_domain.json", |
| UseSelfSignedJWT: true, |
| UniverseDomain: "foo.com", |
| }, |
| want: "foo.com", |
| }, |
| { |
| name: "user json", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/user.json", |
| TokenURL: "example.com", |
| }, |
| want: "googleapis.com", |
| }, |
| { |
| name: "user json with options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/user.json", |
| UniverseDomain: "foo.com", |
| }, |
| want: "googleapis.com", |
| }, |
| { |
| name: "user json with file universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/user_universe_domain.json", |
| TokenURL: "example.com", |
| }, |
| want: "example.com", |
| }, |
| { |
| name: "user json with file and options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/user_universe_domain.json", |
| UniverseDomain: "foo.com", |
| }, |
| want: "example.com", |
| }, |
| { |
| name: "external account json", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/exaccount_url.json", |
| }, |
| want: "googleapis.com", |
| }, |
| { |
| name: "external account json with file universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/exaccount_url_universe_domain.json", |
| }, |
| want: "example.com", |
| }, |
| { |
| name: "external account json with options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/exaccount_url.json", |
| UniverseDomain: "foo.com", |
| }, |
| want: "foo.com", |
| }, |
| { |
| name: "external account json with file and options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/exaccount_url_universe_domain.json", |
| UniverseDomain: "foo.com", |
| }, |
| want: "foo.com", |
| }, |
| { |
| name: "external account user json", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/exaccount_user.json", |
| }, |
| want: "googleapis.com", |
| }, |
| { |
| name: "external account user json with file universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/exaccount_user_universe_domain.json", |
| }, |
| want: "example.com", |
| }, |
| { |
| name: "external account user json with options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/exaccount_user.json", |
| UniverseDomain: "foo.com", |
| }, |
| want: "googleapis.com", |
| }, |
| { |
| name: "external account user json with file and options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/exaccount_user_universe_domain.json", |
| UniverseDomain: "foo.com", |
| }, |
| want: "example.com", |
| }, |
| { |
| name: "impersonated service account json", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/imp.json", |
| UseSelfSignedJWT: true, |
| }, |
| want: "googleapis.com", |
| }, |
| { |
| name: "impersonated service account json with file universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/imp_universe_domain.json", |
| }, |
| want: "example.com", |
| }, |
| { |
| name: "impersonated service account json with options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/imp.json", |
| UseSelfSignedJWT: true, |
| UniverseDomain: "foo.com", |
| }, |
| want: "foo.com", |
| }, |
| { |
| name: "impersonated service account json with file and options universe domain", |
| opts: &DetectOptions{ |
| CredentialsFile: "../internal/testdata/imp_universe_domain.json", |
| UniverseDomain: "foo.com", |
| }, |
| want: "foo.com", |
| }, |
| } |
| for _, tt := range tests { |
| t.Run(tt.name, func(t *testing.T) { |
| creds, err := DetectDefault(tt.opts) |
| if err != nil { |
| t.Fatalf("%v", err) |
| } |
| ud, err := creds.UniverseDomain(ctx) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if ud != tt.want { |
| t.Fatalf("got %q, want %q", ud, tt.want) |
| } |
| }) |
| } |
| } |