feat: adding support for url-based credential files #645
Conversation
google-cla
bot
added
the
cla: yes
ScruffyProdigy
force-pushed
the
url-support
branch
from
4141291 to
6d9efce
Compare
ScruffyProdigy
changed the title
ScruffyProdigy
changed the title
bojeil-google
left a comment
bojeil-google
left a comment
There was a problem hiding this comment.
Thanks for making the changes.
Summary of feedback:
headersneed to be honored.urllibnot needed.requestcan be used instead and is provided in theretrieve_subject_token()- More test coverage.
google/auth/identity_pool.py
Outdated
| client_secret=None, | ||
| quota_project_id=None, | ||
| scopes=None, | ||
| success_codes=(http_client.OK,), |
There was a problem hiding this comment.
Why do you need this? This can be hardcoded below. Since this is publicly available, we don't want to expose it.
google/auth/identity_pool.py
Outdated
| return file_obj.read(), filename | ||
|
|
||
| def _get_url_data(self, url): | ||
| response = urllib.request.urlopen(url) |
There was a problem hiding this comment.
You need to also honor the headers field when sending the request.
google/auth/identity_pool.py
Outdated
| return file_obj.read(), filename | ||
|
|
||
| def _get_url_data(self, url): | ||
| response = urllib.request.urlopen(url) |
There was a problem hiding this comment.
You don't need to use urllib. You already have an instance of request in retrieve_subject_token(). Pass it through.
def _get_token_url(self, request, url, headers):
response = request(
url=url,
method="GET",
headers=headers
)
# support both string and bytes type response.data
response_body = (
response.data.decode("utf-8")
if hasattr(response.data, "decode")
else response.data
)
if response.status != 200:
raise exceptions.RefreshError(
"Unable to retrieve Identity Pool subject token",
response_body
)
return response_body
google/auth/identity_pool.py
Outdated
| from google.auth import exceptions | ||
| from google.auth import external_account | ||
| from six.moves import http_client | ||
| from six.moves import urllib |
There was a problem hiding this comment.
Check below. You don't need urllib or http_client.
tests/test_identity_pool.py
Outdated
| ) | ||
| ) | ||
|
|
||
| @mock.patch.object(urllib.request, "urlopen", return_value=FakeResponse( |
There was a problem hiding this comment.
We need more tests. We will need to cover the following test cases (some you already covered):
test_from_info_full_optionsbut with url sourcedcredential_sourcetest_from_file_full_optionsbut with url sourcedcredential_sourcetest_retrieve_subject_tokenbut from url with raw text formattest_retrieve_subject_tokenbut from url with json formattest_retrieve_subject_tokenbut from url with invalid field nametest_retrieve_subject_tokenbut from url with invalid json responsetest_retrieve_subject_tokenbut with url error (non-200 response)test_refreshwith url-sourced cred without service account impersonationtest_refreshwith url-sourced cred with service account impersonationtest_refreshwith url-sourced cred error such as non-200 response.
bojeil-google
left a comment
bojeil-google
left a comment
There was a problem hiding this comment.
Forgot to mention, the file description and public function comments need to be updated to cover url-source credentials.
bojeil-google
left a comment
bojeil-google
left a comment
There was a problem hiding this comment.
Thanks for making the changes! This is looking really good. Just a few nits and minor change requests. Should be easy to resolve.
google/auth/identity_pool.py
Outdated
| ID tokens) retrieved from a file location, typical for K8s workloads | ||
| registered with Hub with Hub workload identity enabled. | ||
| registered with Hub with Hub workload identity enabled, or retrieved from an | ||
| url, typical for AWS and Azure based workflows. |
There was a problem hiding this comment.
Since we have a dedicated credentials class for AWS, let's exclude AWS:
url, typical for Azure based workflows.
| subject_token = credentials.retrieve_subject_token( | ||
| self.make_mock_request(token_data=JSON_FILE_CONTENT)) | ||
|
|
||
| assert subject_token == JSON_FILE_SUBJECT_TOKEN |
There was a problem hiding this comment.
Can you also assert the request was sent with the expected parameters? eg. the expected URL, GET method and headers and no body? We don't have any coverage for this at the moment.
tests/test_identity_pool.py
Outdated
| with pytest.raises(exceptions.RefreshError) as excinfo: | ||
| credentials.retrieve_subject_token( | ||
| self.make_mock_request( | ||
| token_status=500, |
There was a problem hiding this comment.
nit: since this is a not found error, maybe we can use 404?
| "url": "http://fakeurl.com", | ||
| } | ||
| credentials = self.make_credentials(credential_source=credential_source) | ||
| with pytest.raises(exceptions.RefreshError) as excinfo: |
There was a problem hiding this comment.
Can you assert the error message too?
tests/test_identity_pool.py
Outdated
| ): | ||
| assert request_kwargs["url"] == url | ||
| assert request_kwargs["method"] == "GET" | ||
| assert request_kwargs["headers"] is None |
There was a problem hiding this comment.
We still need a test with non-none headers. eg:
"credential_source": {
"url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=...",
"headers": {
"Metadata": "True"
},
"format": {
"type": "json",
"subject_token_field_name": "access_token"
}
}
busunkim96
left a comment
busunkim96
left a comment
There was a problem hiding this comment.
Mostly LGTM, just left a few docs-related asks.
busunkim96
added
automerge
yoshi-kokoro
removed
the
kokoro:force-run
|
Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, one of your required reviews was not approved, or there is a do not merge label. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot. |
gcf-merge-on-green
bot
removed
the
automerge
busunkim96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
|
@ScruffyProdigy If you join the |
4 participants
No description provided.