diff --git a/.github/.OwlBot.lock.yaml b/.github/.OwlBot.lock.yaml index fccaa8e84..894fb6bc9 100644 --- a/.github/.OwlBot.lock.yaml +++ b/.github/.OwlBot.lock.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,4 +13,4 @@ # limitations under the License. docker: image: gcr.io/cloud-devrel-public-resources/owlbot-python:latest - digest: sha256:3bf87e47c2173d7eed42714589dc4da2c07c3268610f1e47f8e1a30decbfc7f1 + digest: sha256:f62c53736eccb0c4934a3ea9316e0d57696bb49c1a7c86c726e9bb8a2f87dadf diff --git a/.kokoro/requirements.txt b/.kokoro/requirements.txt index 05dc4672e..096e4800a 100644 --- a/.kokoro/requirements.txt +++ b/.kokoro/requirements.txt 
@@ -113,33 +113,28 @@ commonmark==0.9.1 \ --hash=sha256:452f9dc859be7f06631ddcb328b6919c67984aca654e5fefb3914d54691aed60 \ --hash=sha256:da2f38c92590f83de410ba1a3cbceafbc74fee9def35f9251ba9a971d6d66fd9 # via rich -cryptography==38.0.3 \ - --hash=sha256:068147f32fa662c81aebab95c74679b401b12b57494872886eb5c1139250ec5d \ - --hash=sha256:06fc3cc7b6f6cca87bd56ec80a580c88f1da5306f505876a71c8cfa7050257dd \ - --hash=sha256:25c1d1f19729fb09d42e06b4bf9895212292cb27bb50229f5aa64d039ab29146 \ - --hash=sha256:402852a0aea73833d982cabb6d0c3bb582c15483d29fb7085ef2c42bfa7e38d7 \ - --hash=sha256:4e269dcd9b102c5a3d72be3c45d8ce20377b8076a43cbed6f660a1afe365e436 \ - --hash=sha256:5419a127426084933076132d317911e3c6eb77568a1ce23c3ac1e12d111e61e0 \ - --hash=sha256:554bec92ee7d1e9d10ded2f7e92a5d70c1f74ba9524947c0ba0c850c7b011828 \ - --hash=sha256:5e89468fbd2fcd733b5899333bc54d0d06c80e04cd23d8c6f3e0542358c6060b \ - --hash=sha256:65535bc550b70bd6271984d9863a37741352b4aad6fb1b3344a54e6950249b55 \ - --hash=sha256:6ab9516b85bebe7aa83f309bacc5f44a61eeb90d0b4ec125d2d003ce41932d36 \ - --hash=sha256:6addc3b6d593cd980989261dc1cce38263c76954d758c3c94de51f1e010c9a50 \ - --hash=sha256:728f2694fa743a996d7784a6194da430f197d5c58e2f4e278612b359f455e4a2 \ - --hash=sha256:785e4056b5a8b28f05a533fab69febf5004458e20dad7e2e13a3120d8ecec75a \ - --hash=sha256:78cf5eefac2b52c10398a42765bfa981ce2372cbc0457e6bf9658f41ec3c41d8 \ - --hash=sha256:7f836217000342d448e1c9a342e9163149e45d5b5eca76a30e84503a5a96cab0 \ - --hash=sha256:8d41a46251bf0634e21fac50ffd643216ccecfaf3701a063257fe0b2be1b6548 \ - --hash=sha256:984fe150f350a3c91e84de405fe49e688aa6092b3525f407a18b9646f6612320 \ - --hash=sha256:9b24bcff7853ed18a63cfb0c2b008936a9554af24af2fb146e16d8e1aed75748 \ - --hash=sha256:b1b35d9d3a65542ed2e9d90115dfd16bbc027b3f07ee3304fc83580f26e43249 \ - --hash=sha256:b1b52c9e5f8aa2b802d48bd693190341fae201ea51c7a167d69fc48b60e8a959 \ - --hash=sha256:bbf203f1a814007ce24bd4d51362991d5cb90ba0c177a9c08825f2cc304d871f \ - 
--hash=sha256:be243c7e2bfcf6cc4cb350c0d5cdf15ca6383bbcb2a8ef51d3c9411a9d4386f0 \ - --hash=sha256:bfbe6ee19615b07a98b1d2287d6a6073f734735b49ee45b11324d85efc4d5cbd \ - --hash=sha256:c46837ea467ed1efea562bbeb543994c2d1f6e800785bd5a2c98bc096f5cb220 \ - --hash=sha256:dfb4f4dd568de1b6af9f4cda334adf7d72cf5bc052516e1b2608b683375dd95c \ - --hash=sha256:ed7b00096790213e09eb11c97cc6e2b757f15f3d2f85833cd2d3ec3fe37c1722 +cryptography==39.0.1 \ + --hash=sha256:0f8da300b5c8af9f98111ffd512910bc792b4c77392a9523624680f7956a99d4 \ + --hash=sha256:35f7c7d015d474f4011e859e93e789c87d21f6f4880ebdc29896a60403328f1f \ + --hash=sha256:5aa67414fcdfa22cf052e640cb5ddc461924a045cacf325cd164e65312d99502 \ + --hash=sha256:5d2d8b87a490bfcd407ed9d49093793d0f75198a35e6eb1a923ce1ee86c62b41 \ + --hash=sha256:6687ef6d0a6497e2b58e7c5b852b53f62142cfa7cd1555795758934da363a965 \ + --hash=sha256:6f8ba7f0328b79f08bdacc3e4e66fb4d7aab0c3584e0bd41328dce5262e26b2e \ + --hash=sha256:706843b48f9a3f9b9911979761c91541e3d90db1ca905fd63fee540a217698bc \ + --hash=sha256:807ce09d4434881ca3a7594733669bd834f5b2c6d5c7e36f8c00f691887042ad \ + --hash=sha256:83e17b26de248c33f3acffb922748151d71827d6021d98c70e6c1a25ddd78505 \ + --hash=sha256:96f1157a7c08b5b189b16b47bc9db2332269d6680a196341bf30046330d15388 \ + --hash=sha256:aec5a6c9864be7df2240c382740fcf3b96928c46604eaa7f3091f58b878c0bb6 \ + --hash=sha256:b0afd054cd42f3d213bf82c629efb1ee5f22eba35bf0eec88ea9ea7304f511a2 \ + --hash=sha256:ced4e447ae29ca194449a3f1ce132ded8fcab06971ef5f618605aacaa612beac \ + --hash=sha256:d1f6198ee6d9148405e49887803907fe8962a23e6c6f83ea7d98f1c0de375695 \ + --hash=sha256:e124352fd3db36a9d4a21c1aa27fd5d051e621845cb87fb851c08f4f75ce8be6 \ + --hash=sha256:e422abdec8b5fa8462aa016786680720d78bdce7a30c652b7fadf83a4ba35336 \ + --hash=sha256:ef8b72fa70b348724ff1218267e7f7375b8de4e8194d1636ee60510aae104cd0 \ + --hash=sha256:f0c64d1bd842ca2633e74a1a28033d139368ad959872533b1bab8c80e8240a0c \ + 
--hash=sha256:f24077a3b5298a5a06a8e0536e3ea9ec60e4c7ac486755e5fb6e6ea9b3500106 \ + --hash=sha256:fdd188c8a6ef8769f148f88f859884507b954cc64db6b52f66ef199bb9ad660a \ + --hash=sha256:fe913f20024eb2cb2f323e42a64bdf2911bb9738a15dba7d3cce48151034e3a8 # via # gcp-releasetool # secretstorage diff --git a/CHANGELOG.md b/CHANGELOG.md index b3c2aee94..e97486714 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,15 @@ [1]: https://pypi.org/project/google-auth/#history +## [2.16.1](https://github.com/googleapis/google-auth-library-python/compare/v2.16.0...v2.16.1) (2023-02-17) + + +### Bug Fixes + +* Add support for python 3.11 ([#1212](https://github.com/googleapis/google-auth-library-python/issues/1212)) ([1fc95e3](https://github.com/googleapis/google-auth-library-python/commit/1fc95e3c3ecfbceb16c1be28725e8bc9eefe8bb0)) +* Remove 3PI config url validation ([#1220](https://github.com/googleapis/google-auth-library-python/issues/1220)) ([8b95515](https://github.com/googleapis/google-auth-library-python/commit/8b95515718d50b028c43ea9d6a7220489ffb5da0)) +* Update the docs generator interpreter to unblock documentation build ([#1218](https://github.com/googleapis/google-auth-library-python/issues/1218)) ([9d36c2f](https://github.com/googleapis/google-auth-library-python/commit/9d36c2f1f9e1eac8fbff4be504986dff5e7d4da2)) + ## [2.16.0](https://github.com/googleapis/google-auth-library-python/compare/v2.15.0...v2.16.0) (2023-01-09) diff --git a/README.rst b/README.rst index 1f6b9affb..d8f28b39a 100644 --- a/README.rst +++ b/README.rst @@ -52,7 +52,7 @@ Google Auth Python Library has usage and reference documentation at https://goog Current Maintainers ------------------- -- `@busunkim96 `_ (Bu Sun Kim) +- googleapis-auth@google.com Authors ------- @@ -60,6 +60,7 @@ Authors - `@theacodes `_ (Thea Flowers) - `@dhermes `_ (Danny Hermes) - `@lukesneeringer `_ (Luke Sneeringer) +- `@busunkim96 `_ (Bu Sun Kim) Contributing ------------ 
diff --git a/docs/user-guide.rst b/docs/user-guide.rst index 682b58a76..0cb119127 100644 --- a/docs/user-guide.rst +++ b/docs/user-guide.rst @@ -548,6 +548,16 @@ For AWS providers, use :meth:`aws.Credentials.from_info ['https://www.googleapis.com/auth/cloud-platform']) +Security considerations +~~~~~~~~~~~~~~~~~~~~~~~ + +Note that this library does not perform any validation on the token_url, +token_info_url, or service_account_impersonation_url fields of the credential +configuration. It is not recommended to use a credential configuration that you +did not generate with the gcloud CLI unless you verify that the URL fields point +to a googleapis.com domain. + + External credentials (Workforce identity federation) ++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -793,6 +803,13 @@ Cloud resources from an OIDC or SAML provider. https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project +Note that this library does not perform any validation on the token_url, +token_info_url, or service_account_impersonation_url fields of the credential +configuration. It is not recommended to use a credential configuration that you +did not generate with the gcloud CLI unless you verify that the URL fields point +to a googleapis.com domain. + + Impersonated credentials ++++++++++++++++++++++++ diff --git a/google/auth/external_account.py b/google/auth/external_account.py index d24b22837..646e31340 100644 --- a/google/auth/external_account.py +++ b/google/auth/external_account.py @@ -35,7 +35,6 @@ import re import six -from urllib3.util import parse_url from google.auth import _helpers from google.auth import credentials 
@@ -127,14 +126,6 @@ def __init__( self._default_scopes = default_scopes self._workforce_pool_user_project = workforce_pool_user_project - Credentials.validate_token_url(token_url) - if token_info_url: - Credentials.validate_token_url(token_info_url, url_type="token info") - if service_account_impersonation_url: - Credentials.validate_service_account_impersonation_url( - service_account_impersonation_url - ) - if self._client_id: self._client_auth = utils.ClientAuthentication( utils.ClientAuthType.basic, self._client_id, self._client_secret 
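Review bot: `__init__` now stores `token_url`, `token_info_url` and `service_account_impersonation_url` with no check at all. The removed `is_valid_url` (deleted further down in this file) also required an `https` scheme, so that requirement disappears along with the googleapis.com host patterns. The user-guide paragraphs added in this diff warn about the host but not the scheme, and nothing at the API surface repeats the warning. I would leave a comment where the calls were removed, e.g. `# NOTE: token_url, token_info_url and service_account_impersonation_url are used as given; load configurations only from a trusted source.`, and say the same in the `from_info` docstring. If plain-HTTP endpoints should still be refused, a scheme-only check could stay without bringing back the host allow-list; `__init__` starts and ends outside the hunk.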
@@ -434,58 +425,6 @@ def _initialize_impersonated_credentials(self): ), ) - @staticmethod - def validate_token_url(token_url, url_type="token"): - _TOKEN_URL_PATTERNS = [ - "^[^\\.\\s\\/\\\\]+\\.sts(?:\\.mtls)?\\.googleapis\\.com$", - "^sts(?:\\.mtls)?\\.googleapis\\.com$", - "^sts\\.[^\\.\\s\\/\\\\]+(?:\\.mtls)?\\.googleapis\\.com$", - "^[^\\.\\s\\/\\\\]+\\-sts(?:\\.mtls)?\\.googleapis\\.com$", - "^sts\\-[^\\.\\s\\/\\\\]+\\.p(?:\\.mtls)?\\.googleapis\\.com$", - ] - - if not Credentials.is_valid_url(_TOKEN_URL_PATTERNS, token_url): - raise exceptions.InvalidResource( - "The provided {} URL is invalid.".format(url_type) - ) - - @staticmethod - def validate_service_account_impersonation_url(url): - _SERVICE_ACCOUNT_IMPERSONATION_URL_PATTERNS = [ - "^[^\\.\\s\\/\\\\]+\\.iamcredentials\\.googleapis\\.com$", - "^iamcredentials\\.googleapis\\.com$", - "^iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$", - "^[^\\.\\s\\/\\\\]+\\-iamcredentials\\.googleapis\\.com$", - "^iamcredentials\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$", - ] - - if not Credentials.is_valid_url( - _SERVICE_ACCOUNT_IMPERSONATION_URL_PATTERNS, url - ): - raise exceptions.InvalidResource( - "The provided service account impersonation URL is invalid." - ) - - @staticmethod - def is_valid_url(patterns, url): - """ - Returns True if the provided URL's scheme is HTTPS and the host comforms to at least one of the provided patterns. - """ - # Check specifically for whitespcaces: - # Some python3.6 will parse the space character into %20 and pass the regex check which shouldn't be passed - if not url or len(str(url).split()) > 1: - return False - - try: - uri = parse_url(url) - except Exception: - return False - - if not uri.scheme or uri.scheme != "https" or not uri.hostname: - return False - - return any(re.compile(p).match(uri.hostname.lower()) for p in patterns) - @classmethod def from_info(cls, info, **kwargs): """Creates a Credentials instance from parsed external account info. 
diff --git a/google/auth/version.py b/google/auth/version.py index 6ab5ecc4c..a982b4bb6 100644 --- a/google/auth/version.py +++ b/google/auth/version.py @@ -12,4 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -__version__ = "2.16.0" +__version__ = "2.16.1" diff --git a/noxfile.py b/noxfile.py index 18a7232e4..417a66500 100644 --- a/noxfile.py +++ b/noxfile.py @@ -85,7 +85,7 @@ def mypy(session): session.run("mypy", "google/", "tests/", "tests_async/") -@nox.session(python=["3.6", "3.7", "3.8", "3.9", "3.10"]) +@nox.session(python=["3.6", "3.7", "3.8", "3.9", "3.10", "3.11"]) def unit(session): constraints_path = str( CURRENT_DIRECTORY / "testing" / f"constraints-{session.python}.txt" @@ -140,7 +140,7 @@ def cover(session): session.run("coverage", "report", "--show-missing", "--fail-under=100") -@nox.session(python="3.8") +@nox.session(python="3.9") def docs(session): """Build the docs for this library.""" diff --git a/setup.py b/setup.py index c89b05d1d..50ac473ba 100644 --- a/setup.py +++ b/setup.py @@ -76,6 +76,7 @@ "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: 3.11", "Development Status :: 5 - Production/Stable", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index 7323421d0..1e7949e8e 100644 Binary files a/system_tests/secrets.tar.enc and b/system_tests/secrets.tar.enc differ diff --git a/tests/test_aws.py b/tests/test_aws.py index 400412660..7d87bdba2 100644 --- a/tests/test_aws.py +++ b/tests/test_aws.py 
@@ -1085,16 +1085,6 @@ def test_token_info_url_custom(self): assert credentials.token_info_url == (url + "/introspect") - def test_token_info_url_bad(self): - for url in INVALID_TOKEN_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_credentials( - credential_source=self.CREDENTIAL_SOURCE.copy(), - token_info_url=(url + "/introspect"), - ) - - assert excinfo.match(r"The provided token info URL is invalid\.") - def test_token_info_url_negative(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE.copy(), token_info_url=None @@ -1111,16 +1101,6 @@ def test_token_url_custom(self): assert credentials._token_url == (url + "/token") - def test_token_url_bad(self): - for url in INVALID_TOKEN_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_credentials( - credential_source=self.CREDENTIAL_SOURCE.copy(), - token_url=(url + "/token"), - ) - - assert excinfo.match(r"The provided token URL is invalid\.") - def test_service_account_impersonation_url_custom(self): for url in VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: credentials = self.make_credentials( @@ -1134,20 +1114,6 @@ def test_service_account_impersonation_url_custom(self): url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) - def test_service_account_impersonation_url_bad(self): - for url in INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_credentials( - credential_source=self.CREDENTIAL_SOURCE.copy(), - service_account_impersonation_url=( - url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE - ), - ) - - assert excinfo.match( - r"The provided service account impersonation URL is invalid\." - ) - def test_retrieve_subject_token_missing_region_url(self): # When AWS_REGION envvar is not available, region_url is required for # determining the current AWS region. diff --git a/tests/test_external_account.py b/tests/test_external_account.py index 78a272b6a..c8900a493 100644 --- a/tests/test_external_account.py 
+++ b/tests/test_external_account.py 
@@ -65,101 +65,6 @@ "//iam.googleapis.com/locations//workforcePool/pool-id/providers/provider-id", ] -VALID_TOKEN_URLS = [ - "https://sts.googleapis.com", - "https://sts.mtls.googleapis.com", - "https://us-east-1.sts.googleapis.com", - "https://us-east-1.sts.mtls.googleapis.com", - "https://US-EAST-1.sts.googleapis.com", - "https://sts.us-east-1.googleapis.com", - "https://sts.US-WEST-1.googleapis.com", - "https://us-east-1-sts.googleapis.com", - "https://US-WEST-1-sts.googleapis.com", - "https://US-WEST-1-sts.mtls.googleapis.com", - "https://us-west-1-sts.googleapis.com/path?query", - "https://sts-us-east-1.p.googleapis.com", - "https://sts-us-east-1.p.mtls.googleapis.com", -] -INVALID_TOKEN_URLS = [ - "https://iamcredentials.googleapis.com", - "https://mtls.iamcredentials.googleapis.com", - "sts.googleapis.com", - "mtls.sts.googleapis.com", - "mtls.googleapis.com", - "https://", - "http://sts.googleapis.com", - "https://st.s.googleapis.com", - "https://us-eas\t-1.sts.googleapis.com", - "https:/us-east-1.sts.googleapis.com", - "https:/us-east-1.mtls.sts.googleapis.com", - "https://US-WE/ST-1-sts.googleapis.com", - "https://sts-us-east-1.googleapis.com", - "https://sts-US-WEST-1.googleapis.com", - "testhttps://us-east-1.sts.googleapis.com", - "https://us-east-1.sts.googleapis.comevil.com", - "https://us-east-1.us-east-1.sts.googleapis.com", - "https://us-ea.s.t.sts.googleapis.com", - "https://sts.googleapis.comevil.com", - "hhttps://us-east-1.sts.googleapis.com", - "https://us- -1.sts.googleapis.com", - "https://-sts.googleapis.com", - "https://-mtls.googleapis.com", - "https://us-east-1.sts.googleapis.com.evil.com", - "https://sts.pgoogleapis.com", - "https://p.googleapis.com", - "https://sts.p.com", - "https://sts.p.mtls.com", - "http://sts.p.googleapis.com", - "https://xyz-sts.p.googleapis.com", - "https://sts-xyz.123.p.googleapis.com", - "https://sts-xyz.p1.googleapis.com", - "https://sts-xyz.p.foo.com", - "https://sts-xyz.p.foo.googleapis.com", - 
"https://sts-xyz.mtls.p.foo.googleapis.com", - "https://sts-xyz.p.mtls.foo.googleapis.com", -] -VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ - "https://iamcredentials.googleapis.com", - "https://us-east-1.iamcredentials.googleapis.com", - "https://US-EAST-1.iamcredentials.googleapis.com", - "https://iamcredentials.us-east-1.googleapis.com", - "https://iamcredentials.US-WEST-1.googleapis.com", - "https://us-east-1-iamcredentials.googleapis.com", - "https://US-WEST-1-iamcredentials.googleapis.com", - "https://us-west-1-iamcredentials.googleapis.com/path?query", - "https://iamcredentials-us-east-1.p.googleapis.com", -] -INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLS = [ - "https://sts.googleapis.com", - "iamcredentials.googleapis.com", - "https://", - "http://iamcredentials.googleapis.com", - "https://iamcre.dentials.googleapis.com", - "https://us-eas\t-1.iamcredentials.googleapis.com", - "https:/us-east-1.iamcredentials.googleapis.com", - "https://US-WE/ST-1-iamcredentials.googleapis.com", - "https://iamcredentials-us-east-1.googleapis.com", - "https://iamcredentials-US-WEST-1.googleapis.com", - "testhttps://us-east-1.iamcredentials.googleapis.com", - "https://us-east-1.iamcredentials.googleapis.comevil.com", - "https://us-east-1.us-east-1.iamcredentials.googleapis.com", - "https://us-ea.s.t.iamcredentials.googleapis.com", - "https://iamcredentials.googleapis.comevil.com", - "hhttps://us-east-1.iamcredentials.googleapis.com", - "https://us- -1.iamcredentials.googleapis.com", - "https://-iamcredentials.googleapis.com", - "https://us-east-1.iamcredentials.googleapis.com.evil.com", - "https://iamcredentials.pgoogleapis.com", - "https://p.googleapis.com", - "https://iamcredentials.p.com", - "http://iamcredentials.p.googleapis.com", - "https://xyz-iamcredentials.p.googleapis.com", - "https://iamcredentials-xyz.123.p.googleapis.com", - "https://iamcredentials-xyz.p1.googleapis.com", - "https://iamcredentials-xyz.p.foo.com", - "https://iamcredentials-xyz.p.foo.googleapis.com", 
-] - class CredentialsImpl(external_account.Credentials): def __init__(self, **kwargs): @@ -350,44 +255,6 @@ def assert_resource_manager_request_kwargs( assert request_kwargs["headers"] == headers assert "body" not in request_kwargs - def test_valid_token_url_shall_pass_validation(self): - valid_urls = VALID_TOKEN_URLS - - for url in valid_urls: - # A valid url shouldn't throw exception and a None value should be returned - external_account.Credentials.validate_token_url(url) - - def test_invalid_token_url_shall_throw_exceptions(self): - invalid_urls = INVALID_TOKEN_URLS - - for url in invalid_urls: - # An invalid url should throw a ValueError exception - with pytest.raises(ValueError) as excinfo: - external_account.Credentials.validate_token_url(url) - - assert excinfo.match("The provided token URL is invalid.") - - def test_valid_service_account_impersonation_url_shall_pass_validation(self): - valid_urls = VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS - - for url in valid_urls: - # A valid url shouldn't throw exception and a None value should be returned - external_account.Credentials.validate_service_account_impersonation_url(url) - - def test_invalid_service_account_impersonate_url_shall_throw_exceptions(self): - invalid_urls = INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLS - - for url in invalid_urls: - # An invalid url should throw a ValueError exception - with pytest.raises(ValueError) as excinfo: - external_account.Credentials.validate_service_account_impersonation_url( - url - ) - - assert excinfo.match( - "The provided service account impersonation URL is invalid." - ) - def test_default_state(self): credentials = self.make_credentials( service_account_impersonation_url=self.SERVICE_ACCOUNT_IMPERSONATION_URL 
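Review bot: The URL lists deleted at the top of this file include `VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS`, a name that tests/test_aws.py, tests/test_identity_pool.py and tests/test_pluggable.py still iterate in `test_service_account_impersonation_url_custom` (visible as context in those files' hunks). Where those modules get the list from is not visible in this diff. If each keeps its own copy, their `INVALID_*` lists are presumably unused now, and the `VALID_*` loops no longer distinguish anything because every URL is accepted. I would trim those lists and add one test that builds `CredentialsImpl` with a `token_url` outside googleapis.com and asserts the value is stored unchanged. That pins the no-validation behaviour described in the user guide, so any later reintroduction of checks has to change a test.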
@@ -409,31 +276,6 @@ def test_default_state(self): # Token info url not set yet assert not credentials.token_info_url - def test_invalid_token_url(self): - with pytest.raises(ValueError) as excinfo: - CredentialsImpl( - audience=self.AUDIENCE, - subject_token_type=self.SUBJECT_TOKEN_TYPE, - token_url="https:///v1/token", - credential_source=self.CREDENTIAL_SOURCE, - ) - - assert excinfo.match("The provided token URL is invalid.") - - def test_invalid_service_account_impersonate_url(self): - with pytest.raises(ValueError) as excinfo: - CredentialsImpl( - audience=self.AUDIENCE, - subject_token_type=self.SUBJECT_TOKEN_TYPE, - token_url=self.TOKEN_URL, - credential_source=self.CREDENTIAL_SOURCE, - service_account_impersonation_url=12345, # create an exception by sending to parse url - ) - - assert excinfo.match( - "The provided service account impersonation URL is invalid." - ) - def test_nonworkforce_with_workforce_pool_user_project(self): with pytest.raises(ValueError) as excinfo: CredentialsImpl( diff --git a/tests/test_identity_pool.py b/tests/test_identity_pool.py index 0b0156eb0..6651f0b5c 100644 --- a/tests/test_identity_pool.py +++ b/tests/test_identity_pool.py @@ -759,16 +759,6 @@ def test_token_info_url_custom(self): assert credentials.token_info_url == url + "/introspect" - def test_token_info_url_bad(self): - for url in INVALID_TOKEN_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_credentials( - credential_source=self.CREDENTIAL_SOURCE_JSON.copy(), - token_info_url=(url + "/introspect"), - ) - - assert excinfo.match(r"The provided token info URL is invalid.") - def test_token_info_url_negative(self): credentials = self.make_credentials( credential_source=self.CREDENTIAL_SOURCE_JSON.copy(), token_info_url=None 
@@ -785,16 +775,6 @@ def test_token_url_custom(self): assert credentials._token_url == (url + "/token") - def test_token_url_bad(self): - for url in INVALID_TOKEN_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_credentials( - credential_source=self.CREDENTIAL_SOURCE_JSON.copy(), - token_url=(url + "/token"), - ) - - assert excinfo.match(r"The provided token URL is invalid\.") - def test_service_account_impersonation_url_custom(self): for url in VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: credentials = self.make_credentials( @@ -808,20 +788,6 @@ def test_service_account_impersonation_url_custom(self): url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) - def test_service_account_impersonation_url_bad(self): - for url in INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_credentials( - credential_source=self.CREDENTIAL_SOURCE_JSON.copy(), - service_account_impersonation_url=( - url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE - ), - ) - - assert excinfo.match( - r"The provided service account impersonation URL is invalid\." - ) - def test_refresh_text_file_success_without_impersonation_ignore_default_scopes( self, ): diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py index cd553da83..e9b3d9a86 100644 --- a/tests/test_pluggable.py +++ b/tests/test_pluggable.py @@ -413,16 +413,6 @@ def test_token_info_url_custom(self): assert credentials.token_info_url == url + "/introspect" - def test_token_info_url_bad(self): - for url in INVALID_TOKEN_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_pluggable( - credential_source=self.CREDENTIAL_SOURCE.copy(), - token_info_url=(url + "/introspect"), - ) - - assert excinfo.match(r"The provided token info URL is invalid.") - def test_token_info_url_negative(self): credentials = self.make_pluggable( credential_source=self.CREDENTIAL_SOURCE.copy(), token_info_url=None 
@@ -439,16 +429,6 @@ def test_token_url_custom(self): assert credentials._token_url == (url + "/token") - def test_token_url_bad(self): - for url in INVALID_TOKEN_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_pluggable( - credential_source=self.CREDENTIAL_SOURCE.copy(), - token_url=(url + "/token"), - ) - - assert excinfo.match(r"The provided token URL is invalid\.") - def test_service_account_impersonation_url_custom(self): for url in VALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: credentials = self.make_pluggable( @@ -462,20 +442,6 @@ def test_service_account_impersonation_url_custom(self): url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE ) - def test_service_account_impersonation_url_bad(self): - for url in INVALID_SERVICE_ACCOUNT_IMPERSONATION_URLS: - with pytest.raises(ValueError) as excinfo: - self.make_pluggable( - credential_source=self.CREDENTIAL_SOURCE.copy(), - service_account_impersonation_url=( - url + SERVICE_ACCOUNT_IMPERSONATION_URL_ROUTE - ), - ) - - assert excinfo.match( - r"The provided service account impersonation URL is invalid\." - ) - @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}) def test_retrieve_subject_token_successfully(self, tmpdir): ACTUAL_CREDENTIAL_SOURCE_EXECUTABLE_OUTPUT_FILE = tmpdir.join(