oauth2/google/internal/externalaccount/basecredentials_test.go

// Copyright 2020 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package externalaccount

import (
	"context"
	"io/ioutil"
	"net/http"
	"net/http/httptest"
	"testing"
	"time"
)

var testBaseCredSource = CredentialSource{
	File:   "./testdata/3pi_cred.txt",
	Format: format{Type: fileTypeText},
}

var testConfig = Config{
	Audience:         "32555940559.apps.googleusercontent.com",
	SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
	TokenInfoURL:     "http://localhost:8080/v1/tokeninfo",
	ClientSecret:     "notsosecret",
	ClientID:         "rbrgnognrhongo3bi4gb9ghg9g",
	CredentialSource: testBaseCredSource,
	Scopes:           []string{"https://www.googleapis.com/auth/devstorage.full_control"},
}

var (
	baseCredsRequestBody        = "audience=32555940559.apps.googleusercontent.com&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&options=null&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.full_control&subject_token=street123&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt"
	baseCredsResponseBody       = `{"access_token":"Sample.Access.Token","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer","expires_in":3600,"scope":"https://www.googleapis.com/auth/cloud-platform"}`
	correctAT                   = "Sample.Access.Token"
	expiry                int64 = 234852
)
var (
	testNow = func() time.Time { return time.Unix(expiry, 0) }
)

func TestToken(t *testing.T) {

	targetServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if got, want := r.URL.String(), "/"; got != want {
			t.Errorf("URL.String(): got %v but want %v", got, want)
		}
		headerAuth := r.Header.Get("Authorization")
		if got, want := headerAuth, "Basic cmJyZ25vZ25yaG9uZ28zYmk0Z2I5Z2hnOWc6bm90c29zZWNyZXQ="; got != want {
			t.Errorf("got %v but want %v", got, want)
		}
		headerContentType := r.Header.Get("Content-Type")
		if got, want := headerContentType, "application/x-www-form-urlencoded"; got != want {
			t.Errorf("got %v but want %v", got, want)
		}
		body, err := ioutil.ReadAll(r.Body)
		if err != nil {
			t.Fatalf("Failed reading request body: %s.", err)
		}
		if got, want := string(body), baseCredsRequestBody; got != want {
			t.Errorf("Unexpected exchange payload: got %v but want %v", got, want)
		}
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(baseCredsResponseBody))
	}))
	defer targetServer.Close()

	testConfig.TokenURL = targetServer.URL
	ourTS := tokenSource{
		ctx:  context.Background(),
		conf: &testConfig,
	}

	oldNow := now
	defer func() { now = oldNow }()
	now = testNow

	tok, err := ourTS.Token()
	if err != nil {
		t.Fatalf("Unexpected error: %e", err)
	}
	if got, want := tok.AccessToken, correctAT; got != want {
		t.Errorf("Unexpected access token: got %v, but wanted %v", got, want)
	}
	if got, want := tok.TokenType, "Bearer"; got != want {
		t.Errorf("Unexpected TokenType: got %v, but wanted %v", got, want)
	}

	if got, want := tok.Expiry, now().Add(time.Duration(3600)*time.Second); got != want {
		t.Errorf("Unexpected Expiry: got %v, but wanted %v", got, want)
	}

}
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org> 2021-01-12 14:45:47 -05:00			`// Copyright 2020 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package externalaccount`

			`import (`
			`"context"`
			`"io/ioutil"`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`
			`"time"`
			`)`

			`var testBaseCredSource = CredentialSource{`
			`File: "./testdata/3pi_cred.txt",`
			`Format: format{Type: fileTypeText},`
			`}`

			`var testConfig = Config{`
google: support service account impersonation Adds support for service account impersonation when a URL for service account impersonation is provided. Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8 GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668 GitHub-Pull-Request: golang/oauth2#468 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com> 2021-01-26 14:21:15 -05:00			`Audience: "32555940559.apps.googleusercontent.com",`
			`SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",`
			`TokenInfoURL: "http://localhost:8080/v1/tokeninfo",`
			`ClientSecret: "notsosecret",`
			`ClientID: "rbrgnognrhongo3bi4gb9ghg9g",`
			`CredentialSource: testBaseCredSource,`
			`Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},`
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org> 2021-01-12 14:45:47 -05:00			`}`

			`var (`
			`baseCredsRequestBody = "audience=32555940559.apps.googleusercontent.com&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&options=null&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.full_control&subject_token=street123&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt"`
			baseCredsResponseBody = `{"access_token":"Sample.Access.Token","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer","expires_in":3600,"scope":"https://www.googleapis.com/auth/cloud-platform"}`
			`correctAT = "Sample.Access.Token"`
			`expiry int64 = 234852`
			`)`
			`var (`
			`testNow = func() time.Time { return time.Unix(expiry, 0) }`
			`)`

			`func TestToken(t *testing.T) {`

			`targetServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if got, want := r.URL.String(), "/"; got != want {`
			`t.Errorf("URL.String(): got %v but want %v", got, want)`
			`}`
			`headerAuth := r.Header.Get("Authorization")`
			`if got, want := headerAuth, "Basic cmJyZ25vZ25yaG9uZ28zYmk0Z2I5Z2hnOWc6bm90c29zZWNyZXQ="; got != want {`
			`t.Errorf("got %v but want %v", got, want)`
			`}`
			`headerContentType := r.Header.Get("Content-Type")`
			`if got, want := headerContentType, "application/x-www-form-urlencoded"; got != want {`
			`t.Errorf("got %v but want %v", got, want)`
			`}`
			`body, err := ioutil.ReadAll(r.Body)`
			`if err != nil {`
google: support service account impersonation Adds support for service account impersonation when a URL for service account impersonation is provided. Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8 GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668 GitHub-Pull-Request: golang/oauth2#468 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com> 2021-01-26 14:21:15 -05:00			`t.Fatalf("Failed reading request body: %s.", err)`
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org> 2021-01-12 14:45:47 -05:00			`}`
			`if got, want := string(body), baseCredsRequestBody; got != want {`
			`t.Errorf("Unexpected exchange payload: got %v but want %v", got, want)`
			`}`
			`w.Header().Set("Content-Type", "application/json")`
			`w.Write([]byte(baseCredsResponseBody))`
			`}))`
			`defer targetServer.Close()`

			`testConfig.TokenURL = targetServer.URL`
			`ourTS := tokenSource{`
			`ctx: context.Background(),`
			`conf: &testConfig,`
			`}`

			`oldNow := now`
			`defer func() { now = oldNow }()`
			`now = testNow`

			`tok, err := ourTS.Token()`
			`if err != nil {`
			`t.Fatalf("Unexpected error: %e", err)`
			`}`
			`if got, want := tok.AccessToken, correctAT; got != want {`
			`t.Errorf("Unexpected access token: got %v, but wanted %v", got, want)`
			`}`
			`if got, want := tok.TokenType, "Bearer"; got != want {`
			`t.Errorf("Unexpected TokenType: got %v, but wanted %v", got, want)`
			`}`

			`if got, want := tok.Expiry, now().Add(time.Duration(3600)*time.Second); got != want {`
			`t.Errorf("Unexpected Expiry: got %v, but wanted %v", got, want)`
			`}`

			`}`