author | Bu Sun Kim <8822365+busunkim96@users.noreply.github.com> | 2020-09-08 15:28:08 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-08 15:28:08 -0600 |
commit | 694d83fd23c0e8c2fde27136d1b3f8f6db6338a6 (patch) | |
tree | 4251ff84604868179be0857bff052d8e1005282a | |
parent | 892dc37ea7941c716171372be89ee3387b6c2715 (diff) | |
download | google-auth-library-python-694d83fd23c0e8c2fde27136d1b3f8f6db6338a6.tar.gz |
fix: migrate signBlob to iamcredentials.googleapis.com (#600)
Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com.
The iam.googleapis.com signBlob API is deprecated and will be shut down in one year.
signBlob is used by google.auth.iam.Signer.
Added a system_test to sanity check the implementation.
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | google/auth/iam.py | 6 | ||||
-rw-r--r-- | system_tests/test_service_account.py | 17 | ||||
-rw-r--r-- | tests/compute_engine/test_credentials.py | 12 | ||||
-rw-r--r-- | tests/test_iam.py | 2 |
5 files changed, 30 insertions, 10 deletions
@@ -41,3 +41,6 @@ pylintrc.test
 pytype_output/
 .python-version
+.DS_Store
+cert_path
+key_path
\ No newline at end of file
diff --git a/google/auth/iam.py b/google/auth/iam.py
index d83b251..5e88a04 100644
--- a/google/auth/iam.py
+++ b/google/auth/iam.py
@@ -28,7 +28,7 @@ from google.auth import _helpers
 from google.auth import crypt
 from google.auth import exceptions
-_IAM_API_ROOT_URI = "https://iam.googleapis.com/v1"
+_IAM_API_ROOT_URI = "https://iamcredentials.googleapis.com/v1"
 _SIGN_BLOB_URI = _IAM_API_ROOT_URI + "/projects/-/serviceAccounts/{}:signBlob?alt=json"
@@ -71,7 +71,7 @@ class Signer(crypt.Signer):
 url = _SIGN_BLOB_URI.format(self._service_account_email)
 headers = {"Content-Type": "application/json"}
 body = json.dumps(
- {"bytesToSign": base64.b64encode(message).decode("utf-8")}
+ {"payload": base64.b64encode(message).decode("utf-8")}
 ).encode("utf-8")
 self._credentials.before_request(self._request, method, url, headers)
@@ -97,4 +97,4 @@ class Signer(crypt.Signer):
 @_helpers.copy_docstring(crypt.Signer)
 def sign(self, message):
 response = self._make_signing_request(message)
- return base64.b64decode(response["signature"])
+ return base64.b64decode(response["signedBlob"])
diff --git a/system_tests/test_service_account.py b/system_tests/test_service_account.py
index 262ce84..498b75b 100644
--- a/system_tests/test_service_account.py
+++ b/system_tests/test_service_account.py
@@ -16,6 +16,7 @@ import pytest
 from google.auth import _helpers
 from google.auth import exceptions
+from google.auth import iam
 from google.oauth2 import service_account
@@ -46,3 +47,19 @@ def test_refresh_success(http_request, credentials, token_info):
 "https://www.googleapis.com/auth/userinfo.profile",
 ]
 )
+
+def test_iam_signer(http_request, credentials):
+ credentials = credentials.with_scopes(
+ ["https://www.googleapis.com/auth/iam"]
+ )
+
+ # Verify iamcredentials signer.
+ signer = iam.Signer(
+ http_request,
+ credentials,
+ credentials.service_account_email
+ )
+
+ signed_blob = signer.sign("message")
+
+ assert isinstance(signed_blob, bytes)
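Review bot: The new `_IAM_API_ROOT_URI` value in google/auth/iam.py (hunk `@@ -28,7 +28,7 @@`) has no comment saying what a caller needs in order to use the iamcredentials endpoint. As far as I know, signBlob on this host requires the IAM Service Account Credentials API to be enabled on the project and the caller to hold `iam.serviceAccounts.signBlob` on the target account (for example through the Service Account Token Creator role), so some existing users may see permission errors after upgrading. I would add above the constant `# signBlob is served by the IAM Service Account Credentials API; the caller needs iam.serviceAccounts.signBlob on the target service account.` and repeat the requirement in the `Signer` class docstring, which lies outside this hunk.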
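Review bot: In `Signer.sign` (google/auth/iam.py, hunk `@@ -97,4 +97,4 @@`), `response["signedBlob"]` is indexed without a check, so a successful reply that lacks the field surfaces as a bare `KeyError` rather than one of the library's own exceptions. `_make_signing_request` is only partly visible in hunk `@@ -71,7 +71,7 @@`, so it may already validate the body; if it does not, a guard such as `if "signedBlob" not in response: raise exceptions.TransportError("signBlob response has no signedBlob field")` before the decode gives callers an error type they already handle. A field-name mismatch between client and endpoint is exactly what this migration can produce, so a clear failure is worth having here.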
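Review bot: `test_iam_signer` in system_tests/test_service_account.py asserts only `isinstance(signed_blob, bytes)`, which an empty byte string also satisfies, so the test would still pass if the endpoint returned an empty `signedBlob`. At minimum I would tighten it to `assert isinstance(signed_blob, bytes) and signed_blob`. Verifying the returned signature against the service account's public certificate would prove that the migrated call really signs the message, provided the fixtures expose that certificate (not visible in this hunk).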
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
index 8c95e24..4ee6536 100644
--- a/tests/compute_engine/test_credentials.py
+++ b/tests/compute_engine/test_credentials.py
@@ -363,11 +363,11 @@ class TestIDTokenCredentials(object):
 signature = base64.b64encode(b"some-signature").decode("utf-8")
 responses.add(
 responses.POST,
- "https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
- "service-account@example.com:signBlob?alt=json",
+ "https://iamcredentials.googleapis.com/v1/projects/-/"
+ "serviceAccounts/service-account@example.com:signBlob?alt=json",
 status=200,
 content_type="application/json",
- json={"keyId": "some-key-id", "signature": signature},
+ json={"keyId": "some-key-id", "signedBlob": signature},
 )
 id_token = "{}.{}.{}".format(
@@ -477,11 +477,11 @@ class TestIDTokenCredentials(object):
 signature = base64.b64encode(b"some-signature").decode("utf-8")
 responses.add(
 responses.POST,
- "https://iam.googleapis.com/v1/projects/-/serviceAccounts/"
- "service-account@example.com:signBlob?alt=json",
+ "https://iamcredentials.googleapis.com/v1/projects/-/"
+ "serviceAccounts/service-account@example.com:signBlob?alt=json",
 status=200,
 content_type="application/json",
- json={"keyId": "some-key-id", "signature": signature},
+ json={"keyId": "some-key-id", "signedBlob": signature},
 )
 id_token = "{}.{}.{}".format(
diff --git a/tests/test_iam.py b/tests/test_iam.py
index cb2c26f..fbd3e41 100644
--- a/tests/test_iam.py
+++ b/tests/test_iam.py
@@ -81,7 +81,7 @@ class TestSigner(object):
 def test_sign_bytes(self):
 signature = b"DEADBEEF"
 encoded_signature = base64.b64encode(signature).decode("utf-8")
- request = make_request(http_client.OK, data={"signature": encoded_signature})
+ request = make_request(http_client.OK, data={"signedBlob": encoded_signature})
 credentials = make_credentials()
 signer = iam.Signer(request, credentials, mock.sentinel.service_account_email) |
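Review bot: The unit-test changes in tests/test_iam.py (`test_sign_bytes`) and in both tests/compute_engine/test_credentials.py hunks pin only the response side of the migration. The visible lines rename the mocked reply key to `signedBlob`, and nothing shown asserts that the request body now carries `payload` instead of `bytesToSign`. `test_sign_bytes` continues outside the hunk, so it may already inspect the outgoing call. If it does not, I would add an assertion that the JSON body handed to the mocked request contains the key `payload` holding the base64 of the message, so a regression in the request format is caught without running the system tests.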