| #!/usr/bin/python2.4 |
| # |
| # Copyright 2014 Google Inc. All rights reserved. |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| |
| """Oauth2client tests. |
| |
| Unit tests for service account credentials implemented using RSA. |
| """ |
| |
| import json |
| import os |
| import rsa |
| import time |
| import unittest |
| |
| from .http_mock import HttpMockSequence |
| from oauth2client.service_account import _ServiceAccountCredentials |
| |
| |
| def datafile(filename): |
| # TODO(orestica): Refactor this using pkgutil.get_data |
| f = open(os.path.join(os.path.dirname(__file__), 'data', filename), 'rb') |
| data = f.read() |
| f.close() |
| return data |
| |
| |
| class ServiceAccountCredentialsTests(unittest.TestCase): |
| def setUp(self): |
| self.service_account_id = '123' |
| self.service_account_email = 'dummy@google.com' |
| self.private_key_id = 'ABCDEF' |
| self.private_key = datafile('pem_from_pkcs12.pem') |
| self.scopes = ['dummy_scope'] |
| self.credentials = _ServiceAccountCredentials(self.service_account_id, |
| self.service_account_email, |
| self.private_key_id, |
| self.private_key, |
| []) |
| |
| def test_sign_blob(self): |
| private_key_id, signature = self.credentials.sign_blob('Google') |
| self.assertEqual( self.private_key_id, private_key_id) |
| |
| pub_key = rsa.PublicKey.load_pkcs1_openssl_pem( |
| datafile('publickey_openssl.pem')) |
| |
| self.assertTrue(rsa.pkcs1.verify(b'Google', signature, pub_key)) |
| |
| try: |
| rsa.pkcs1.verify(b'Orest', signature, pub_key) |
| self.fail('Verification should have failed!') |
| except rsa.pkcs1.VerificationError: |
| pass # Expected |
| |
| try: |
| rsa.pkcs1.verify(b'Google', b'bad signature', pub_key) |
| self.fail('Verification should have failed!') |
| except rsa.pkcs1.VerificationError: |
| pass # Expected |
| |
| def test_service_account_email(self): |
| self.assertEqual(self.service_account_email, |
| self.credentials.service_account_email) |
| |
| def test_create_scoped_required_without_scopes(self): |
| self.assertTrue(self.credentials.create_scoped_required()) |
| |
| def test_create_scoped_required_with_scopes(self): |
| self.credentials = _ServiceAccountCredentials(self.service_account_id, |
| self.service_account_email, |
| self.private_key_id, |
| self.private_key, |
| self.scopes) |
| self.assertFalse(self.credentials.create_scoped_required()) |
| |
| def test_create_scoped(self): |
| new_credentials = self.credentials.create_scoped(self.scopes) |
| self.assertNotEqual(self.credentials, new_credentials) |
| self.assertTrue(isinstance(new_credentials, _ServiceAccountCredentials)) |
| self.assertEqual('dummy_scope', new_credentials._scopes) |
| |
| def test_access_token(self): |
| S = 2 # number of seconds in which the token expires |
| token_response_first = {'access_token': 'first_token', 'expires_in': S} |
| token_response_second = {'access_token': 'second_token', 'expires_in': S} |
| http = HttpMockSequence([ |
| ({'status': '200'}, json.dumps(token_response_first).encode('utf-8')), |
| ({'status': '200'}, json.dumps(token_response_second).encode('utf-8')), |
| ]) |
| |
| token = self.credentials.get_access_token(http=http) |
| self.assertEqual('first_token', token.access_token) |
| self.assertEqual(S - 1, token.expires_in) |
| self.assertFalse(self.credentials.access_token_expired) |
| self.assertEqual(token_response_first, self.credentials.token_response) |
| |
| token = self.credentials.get_access_token(http=http) |
| self.assertEqual('first_token', token.access_token) |
| self.assertEqual(S - 1, token.expires_in) |
| self.assertFalse(self.credentials.access_token_expired) |
| self.assertEqual(token_response_first, self.credentials.token_response) |
| |
| time.sleep(S + 0.5) # some margin to avoid flakiness |
| self.assertTrue(self.credentials.access_token_expired) |
| |
| token = self.credentials.get_access_token(http=http) |
| self.assertEqual('second_token', token.access_token) |
| self.assertEqual(S - 1, token.expires_in) |
| self.assertFalse(self.credentials.access_token_expired) |
| self.assertEqual(token_response_second, self.credentials.token_response) |