Preston_PLB
/
oauth2
forked from Mirrors/oauth2
1
0
Fork 0
Code Pull Requests Activity
oauth2/google/internal/externalaccount/basecredentials_test.go

260 lines
11 KiB
Go
Raw Normal View History

google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
// Copyright 2020 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package externalaccount
import (
"context"
google/internal/externalaccount: adding BYOID Metrics Adds framework for sending BYOID metrics via the x-goog-api-client header on outgoing sts requests. Also adds a header file for getting the current version of GoLang Change-Id: Id5431def96f4cfc03e4ada01d5fb8cac8cfa56a9 GitHub-Last-Rev: c93cd478e5fade98bcf846164b9b56f89b442f6b GitHub-Pull-Request: golang/oauth2#661 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/523595 Reviewed-by: Leo Siracusa <leosiracusa@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cody Oss <codyoss@google.com>
2023-09-22 16:09:05 -04:00
"fmt"
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
"io/ioutil"
"net/http"
"net/http/httptest"
"testing"
"time"
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
"golang.org/x/oauth2"
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
)
google: Use bytes.Buffer for go 1.9 compatability Update test cases to use const test data file references. Change-Id: Ic08b6de5a84db7b2ae2c649ee676c5a2c13f4227 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/306749 Reviewed-by: Cody Oss <codyoss@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-04-01 19:22:52 -04:00
const (
textBaseCredPath = "testdata/3pi_cred.txt"
jsonBaseCredPath = "testdata/3pi_cred.json"
)
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
var testBaseCredSource = CredentialSource{
google: Use bytes.Buffer for go 1.9 compatability Update test cases to use const test data file references. Change-Id: Ic08b6de5a84db7b2ae2c649ee676c5a2c13f4227 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/306749 Reviewed-by: Cody Oss <codyoss@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-04-01 19:22:52 -04:00
File: textBaseCredPath,
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
Format: format{Type: fileTypeText},
}
var testConfig = Config{
google: support service account impersonation Adds support for service account impersonation when a URL for service account impersonation is provided. Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8 GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668 GitHub-Pull-Request: golang/oauth2#468 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com>
2021-01-26 14:21:15 -05:00
Audience: "32555940559.apps.googleusercontent.com",
SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
TokenInfoURL: "http://localhost:8080/v1/tokeninfo",
ClientSecret: "notsosecret",
ClientID: "rbrgnognrhongo3bi4gb9ghg9g",
CredentialSource: testBaseCredSource,
Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
}
var (
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
baseCredsRequestBody = "audience=32555940559.apps.googleusercontent.com&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.full_control&subject_token=street123&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aid_token"
baseCredsResponseBody = `{"access_token":"Sample.Access.Token","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer","expires_in":3600,"scope":"https://www.googleapis.com/auth/cloud-platform"}`
workforcePoolRequestBodyWithClientId = "audience=%2F%2Fiam.googleapis.com%2Flocations%2Feu%2FworkforcePools%2Fpool-id%2Fproviders%2Fprovider-id&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.full_control&subject_token=street123&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aid_token"
workforcePoolRequestBodyWithoutClientId = "audience=%2F%2Fiam.googleapis.com%2Flocations%2Feu%2FworkforcePools%2Fpool-id%2Fproviders%2Fprovider-id&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&options=%7B%22userProject%22%3A%22myProject%22%7D&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.full_control&subject_token=street123&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aid_token"
correctAT = "Sample.Access.Token"
expiry int64 = 234852
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
)
var (
testNow = func() time.Time { return time.Unix(expiry, 0) }
)
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
type testExchangeTokenServer struct {
url string
authorization string
contentType string
google/internal/externalaccount: adding BYOID Metrics Adds framework for sending BYOID metrics via the x-goog-api-client header on outgoing sts requests. Also adds a header file for getting the current version of GoLang Change-Id: Id5431def96f4cfc03e4ada01d5fb8cac8cfa56a9 GitHub-Last-Rev: c93cd478e5fade98bcf846164b9b56f89b442f6b GitHub-Pull-Request: golang/oauth2#661 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/523595 Reviewed-by: Leo Siracusa <leosiracusa@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cody Oss <codyoss@google.com>
2023-09-22 16:09:05 -04:00
metricsHeader string
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
body string
response string
}
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
func run(t *testing.T, config *Config, tets *testExchangeTokenServer) (*oauth2.Token, error) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if got, want := r.URL.String(), tets.url; got != want {
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
t.Errorf("URL.String(): got %v but want %v", got, want)
}
headerAuth := r.Header.Get("Authorization")
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
if got, want := headerAuth, tets.authorization; got != want {
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
t.Errorf("got %v but want %v", got, want)
}
headerContentType := r.Header.Get("Content-Type")
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
if got, want := headerContentType, tets.contentType; got != want {
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
t.Errorf("got %v but want %v", got, want)
}
google/internal/externalaccount: adding BYOID Metrics Adds framework for sending BYOID metrics via the x-goog-api-client header on outgoing sts requests. Also adds a header file for getting the current version of GoLang Change-Id: Id5431def96f4cfc03e4ada01d5fb8cac8cfa56a9 GitHub-Last-Rev: c93cd478e5fade98bcf846164b9b56f89b442f6b GitHub-Pull-Request: golang/oauth2#661 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/523595 Reviewed-by: Leo Siracusa <leosiracusa@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cody Oss <codyoss@google.com>
2023-09-22 16:09:05 -04:00
headerMetrics := r.Header.Get("x-goog-api-client")
if got, want := headerMetrics, tets.metricsHeader; got != want {
t.Errorf("got %v but want %v", got, want)
}
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
body, err := ioutil.ReadAll(r.Body)
if err != nil {
google: support service account impersonation Adds support for service account impersonation when a URL for service account impersonation is provided. Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8 GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668 GitHub-Pull-Request: golang/oauth2#468 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com>
2021-01-26 14:21:15 -05:00
t.Fatalf("Failed reading request body: %s.", err)
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
}
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
if got, want := string(body), tets.body; got != want {
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
t.Errorf("Unexpected exchange payload: got %v but want %v", got, want)
}
w.Header().Set("Content-Type", "application/json")
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
w.Write([]byte(tets.response))
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
}))
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
defer server.Close()
config.TokenURL = server.URL
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
oldNow := now
defer func() { now = oldNow }()
now = testNow
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
ts := tokenSource{
ctx: context.Background(),
conf: config,
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
}
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
return ts.Token()
}
func validateToken(t *testing.T, tok *oauth2.Token) {
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
if got, want := tok.AccessToken, correctAT; got != want {
t.Errorf("Unexpected access token: got %v, but wanted %v", got, want)
}
if got, want := tok.TokenType, "Bearer"; got != want {
t.Errorf("Unexpected TokenType: got %v, but wanted %v", got, want)
}
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
if got, want := tok.Expiry, testNow().Add(time.Duration(3600)*time.Second); got != want {
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
t.Errorf("Unexpected Expiry: got %v, but wanted %v", got, want)
}
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
}
google/internal/externalaccount: adding BYOID Metrics Adds framework for sending BYOID metrics via the x-goog-api-client header on outgoing sts requests. Also adds a header file for getting the current version of GoLang Change-Id: Id5431def96f4cfc03e4ada01d5fb8cac8cfa56a9 GitHub-Last-Rev: c93cd478e5fade98bcf846164b9b56f89b442f6b GitHub-Pull-Request: golang/oauth2#661 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/523595 Reviewed-by: Leo Siracusa <leosiracusa@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cody Oss <codyoss@google.com>
2023-09-22 16:09:05 -04:00
func getExpectedMetricsHeader(source string, saImpersonation bool, configLifetime bool) string {
return fmt.Sprintf("gl-go/%s auth/unknown google-byoid-sdk source/%s sa-impersonation/%t config-lifetime/%t", goVersion(), source, saImpersonation, configLifetime)
}
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
func TestToken(t *testing.T) {
config := Config{
Audience: "32555940559.apps.googleusercontent.com",
SubjectTokenType: "urn:ietf:params:oauth:token-type:id_token",
ClientSecret: "notsosecret",
ClientID: "rbrgnognrhongo3bi4gb9ghg9g",
CredentialSource: testBaseCredSource,
Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
}
server := testExchangeTokenServer{
url: "/",
authorization: "Basic cmJyZ25vZ25yaG9uZ28zYmk0Z2I5Z2hnOWc6bm90c29zZWNyZXQ=",
contentType: "application/x-www-form-urlencoded",
google/internal/externalaccount: adding BYOID Metrics Adds framework for sending BYOID metrics via the x-goog-api-client header on outgoing sts requests. Also adds a header file for getting the current version of GoLang Change-Id: Id5431def96f4cfc03e4ada01d5fb8cac8cfa56a9 GitHub-Last-Rev: c93cd478e5fade98bcf846164b9b56f89b442f6b GitHub-Pull-Request: golang/oauth2#661 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/523595 Reviewed-by: Leo Siracusa <leosiracusa@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cody Oss <codyoss@google.com>
2023-09-22 16:09:05 -04:00
metricsHeader: getExpectedMetricsHeader("file", false, false),
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
body: baseCredsRequestBody,
response: baseCredsResponseBody,
}
tok, err := run(t, &config, &server)
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
if err != nil {
t.Fatalf("Unexpected error: %e", err)
}
validateToken(t, tok)
}
func TestWorkforcePoolTokenWithClientID(t *testing.T) {
config := Config{
Audience: "//iam.googleapis.com/locations/eu/workforcePools/pool-id/providers/provider-id",
SubjectTokenType: "urn:ietf:params:oauth:token-type:id_token",
ClientSecret: "notsosecret",
ClientID: "rbrgnognrhongo3bi4gb9ghg9g",
CredentialSource: testBaseCredSource,
Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
WorkforcePoolUserProject: "myProject",
}
server := testExchangeTokenServer{
url: "/",
authorization: "Basic cmJyZ25vZ25yaG9uZ28zYmk0Z2I5Z2hnOWc6bm90c29zZWNyZXQ=",
contentType: "application/x-www-form-urlencoded",
google/internal/externalaccount: adding BYOID Metrics Adds framework for sending BYOID metrics via the x-goog-api-client header on outgoing sts requests. Also adds a header file for getting the current version of GoLang Change-Id: Id5431def96f4cfc03e4ada01d5fb8cac8cfa56a9 GitHub-Last-Rev: c93cd478e5fade98bcf846164b9b56f89b442f6b GitHub-Pull-Request: golang/oauth2#661 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/523595 Reviewed-by: Leo Siracusa <leosiracusa@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cody Oss <codyoss@google.com>
2023-09-22 16:09:05 -04:00
metricsHeader: getExpectedMetricsHeader("file", false, false),
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
body: workforcePoolRequestBodyWithClientId,
response: baseCredsResponseBody,
}
tok, err := run(t, &config, &server)
if err != nil {
t.Fatalf("Unexpected error: %e", err)
}
validateToken(t, tok)
}
func TestWorkforcePoolTokenWithoutClientID(t *testing.T) {
config := Config{
Audience: "//iam.googleapis.com/locations/eu/workforcePools/pool-id/providers/provider-id",
SubjectTokenType: "urn:ietf:params:oauth:token-type:id_token",
ClientSecret: "notsosecret",
CredentialSource: testBaseCredSource,
Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
WorkforcePoolUserProject: "myProject",
}
server := testExchangeTokenServer{
url: "/",
authorization: "",
contentType: "application/x-www-form-urlencoded",
google/internal/externalaccount: adding BYOID Metrics Adds framework for sending BYOID metrics via the x-goog-api-client header on outgoing sts requests. Also adds a header file for getting the current version of GoLang Change-Id: Id5431def96f4cfc03e4ada01d5fb8cac8cfa56a9 GitHub-Last-Rev: c93cd478e5fade98bcf846164b9b56f89b442f6b GitHub-Pull-Request: golang/oauth2#661 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/523595 Reviewed-by: Leo Siracusa <leosiracusa@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cody Oss <codyoss@google.com>
2023-09-22 16:09:05 -04:00
metricsHeader: getExpectedMetricsHeader("file", false, false),
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
body: workforcePoolRequestBodyWithoutClientId,
response: baseCredsResponseBody,
}
tok, err := run(t, &config, &server)
if err != nil {
t.Fatalf("Unexpected error: %e", err)
}
validateToken(t, tok)
}
func TestNonworkforceWithWorkforcePoolUserProject(t *testing.T) {
config := Config{
Audience: "32555940559.apps.googleusercontent.com",
SubjectTokenType: "urn:ietf:params:oauth:token-type:id_token",
TokenURL: "https://sts.googleapis.com",
ClientSecret: "notsosecret",
ClientID: "rbrgnognrhongo3bi4gb9ghg9g",
CredentialSource: testBaseCredSource,
Scopes: []string{"https://www.googleapis.com/auth/devstorage.full_control"},
WorkforcePoolUserProject: "myProject",
}
_, err := config.TokenSource(context.Background())
if err == nil {
t.Fatalf("Expected error but found none")
}
if got, want := err.Error(), "oauth2/google: workforce_pool_user_project should not be set for non-workforce pool credentials"; got != want {
t.Errorf("Incorrect error received.\nExpected: %s\nRecieved: %s", want, got)
}
google: base account credentials with file-sourcing Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials. Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7 GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b GitHub-Pull-Request: golang/oauth2#462 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312 Reviewed-by: Tyler Bui-Palsulich <tbp@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Tyler Bui-Palsulich <tbp@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 14:45:47 -05:00
}
google/externalaccount: validate tokenURL and ServiceAccountImpersonationURL Change-Id: Iab70cc967fd97ac8e349a14760df0f8b02ddf074 GitHub-Last-Rev: ddf4dbd0b7096a0d34677047b9c3992bb6ed359b GitHub-Pull-Request: golang/oauth2#514 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/340569 Reviewed-by: Patrick Jones <ithuriel@google.com> Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Chris Broadfoot <cbro@golang.org> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-08-12 18:59:38 -04:00
google/externalaccount: add support for workforce pool credentials Workforce pools (external account credentials for non-Google users) are organization-level resources which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed. "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application." The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens. Note that passing a x-goog-user-project override header on API request is still not sufficient. The token is still expected to have a client project. As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored. Note that this feature is not usable yet publicly. Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0 GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4 GitHub-Pull-Request: golang/oauth2#520 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393 Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Bassam Ojeil <bojeil@google.com> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 10:39:06 -04:00
func TestWorkforcePoolCreation(t *testing.T) {
var audienceValidatyTests = []struct {
audience string
expectSuccess bool
}{
{"//iam.googleapis.com/locations/global/workforcePools/pool-id/providers/provider-id", true},
{"//iam.googleapis.com/locations/eu/workforcePools/pool-id/providers/provider-id", true},
{"//iam.googleapis.com/locations/eu/workforcePools/workloadIdentityPools/providers/provider-id", true},
{"identitynamespace:1f12345:my_provider", false},
{"//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/pool-id/providers/provider-id", false},
{"//iam.googleapis.com/projects/123456/locations/eu/workloadIdentityPools/pool-id/providers/provider-id", false},
{"//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/workforcePools/providers/provider-id", false},
{"//iamgoogleapis.com/locations/eu/workforcePools/pool-id/providers/provider-id", false},
{"//iam.googleapiscom/locations/eu/workforcePools/pool-id/providers/provider-id", false},
{"//iam.googleapis.com/locations/workforcePools/pool-id/providers/provider-id", false},
{"//iam.googleapis.com/locations/eu/workforcePool/pool-id/providers/provider-id", false},
{"//iam.googleapis.com/locations//workforcePool/pool-id/providers/provider-id", false},
}
ctx := context.Background()
for _, tt := range audienceValidatyTests {
t.Run(" "+tt.audience, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
config := testConfig
config.TokenURL = "https://sts.googleapis.com" // Setting the most basic acceptable tokenURL
config.ServiceAccountImpersonationURL = "https://iamcredentials.googleapis.com"
config.Audience = tt.audience
config.WorkforcePoolUserProject = "myProject"
_, err := config.TokenSource(ctx)
if tt.expectSuccess && err != nil {
t.Errorf("got %v but want nil", err)
} else if !tt.expectSuccess && err == nil {
t.Errorf("got nil but expected an error")
}
})
}
}