Age | Commit message (Collapse) | Author |
|
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
|
|
Path normalization for the canonical_uri was broken on Windows.
This is because we were using `os.path.normpath`.
This normalizes "/" paths to "\\" in Windows OS.
Confirmed the fix is working in Windows.
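As an added illustration of the bug described in this commit (not the library's own code), the function below normalizes a canonical URI path with `posixpath` explicitly, and `windows_style_normalization` shows what `os.path.normpath` produces on Windows, where it is `ntpath`; the assumption that the fix uses `posixpath.normpath` and the trailing-slash handling are this example's choices:

```python
import ntpath
import posixpath


def canonical_uri_path(path: str) -> str:
    """Normalize the path component of a canonical URI portably.

    os.path.normpath dispatches to ntpath on Windows, which rewrites "/"
    separators to "\\" and so changes the canonical URI (and therefore any
    signature computed over it). Using posixpath explicitly yields the
    same string on every OS. Dot segments are collapsed and ".." can
    never climb above the root, which keeps the path unambiguous.
    """
    normalized = posixpath.normpath(path or "/")
    # normpath drops a trailing slash; keep it so "/dir/" and "/dir"
    # stay distinct (this example's choice, not taken from the commit).
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def windows_style_normalization(path: str) -> str:
    """What os.path.normpath does when the code runs on Windows."""
    return ntpath.normpath(path)


# Constructed sample path, not from the original commit.
SAMPLE_PATH = "/bucket/./objects//file.txt"

if __name__ == "__main__":
    print(canonical_uri_path(SAMPLE_PATH))           # /bucket/objects/file.txt
    print(windows_style_normalization(SAMPLE_PATH))  # \bucket\objects\file.txt
```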
|
|
* chore: release 2.0.0
* Update CHANGELOG.md
* chore: set version number to 2.0.0
Follow up to #829
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
|
|
:robot: I have created a release \*beep\* \*boop\*
---
## [2.0.0](https://www.github.com/googleapis/google-auth-library-python/compare/v2.0.0-b1...v2.0.0) (2021-08-16)
### ⚠ BREAKING CHANGES
* drop support for Python 2.7 ([#778](https://www.github.com/googleapis/google-auth-library-python/issues/778)) ([560cf1e](https://www.github.com/googleapis/google-auth-library-python/commit/560cf1ed02a900436c5d9e0a0fb3f94b5fd98c55))
### Features
* service account is able to use a private token endpoint ([#835](https://www.github.com/googleapis/google-auth-library-python/issues/835)) ([20b817a](https://www.github.com/googleapis/google-auth-library-python/commit/20b817af8e202b0331998e5abde4e2a5aab51f9a))
### Bug Fixes
* downscoping documentation bugs ([#830](https://www.github.com/googleapis/google-auth-library-python/issues/830)) ([da8bb13](https://www.github.com/googleapis/google-auth-library-python/commit/da8bb13c1349e771ffc2e125256030495c53d956))
* Fix missing space in error message. ([#821](https://www.github.com/googleapis/google-auth-library-python/issues/821)) ([7b03988](https://www.github.com/googleapis/google-auth-library-python/commit/7b039888aeb6ec7691d91c9afce182b17f02b1a6))
### Documentation
* update user guide/references for downscoped creds ([#827](https://www.github.com/googleapis/google-auth-library-python/issues/827)) ([d1840dc](https://www.github.com/googleapis/google-auth-library-python/commit/d1840dcdcd03dfd7fdfa81d08da68402f6f8b658))
---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
|
|
Addresses all comments from:
https://github.com/googleapis/google-auth-library-python/pull/837
Co-authored-by: Tres Seaver <tseaver@palladion.com>
|
|
Co-authored-by: Dan Lee <71398022+dandhlee@users.noreply.github.com>
|
|
This test creates a temporary bucket and 2 objects in it.
A downscoped token is then created to access only one of the objects (readonly).
The test would then check:
- Read access to accessible object is successful.
- Write access to that object is unsuccessful.
- Read access to the inaccessible object is not successful.
|
|
* chore: split systests into their own Kokoro build
Closes #832.
* chore: docs builds no longer need systest resource
* chore: remove hacks to get 'gcloud'/'gfile_resource' installed for docs
|
|
We don't have a 'docfx' session in our noxfile (see #822).
Further tweak '.kokoro' configuration to get 'Kokoro docs-presubmit' running:
- Set up additional 'gfile_resource' in '.kokoro/docs/common.cfg'.
- Get 'gcloud' installed in '.kokoro/docker/docs/Dockerfile'
- Run 'docs' session with Python 3.8.
Closes #797.
|
|
|
|
Fixes the following issues:
- Change `google.oauth2.Credentials` to `google.oauth2.credentials.Credentials`
- Replace deprecated `blob.download_as_string()` with `blob.download_as_bytes()`
|
|
Updates user guide to document using downscoping with
Credential Access Boundaries.
Regenerates references for all classes and utilities related
to this feature.
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
|
|
|
|
Added missing space in the log message.
|
|
|
|
Drop use of 'six' wrapper library.
Drop 'u"' prefixes.
Drop support for app_engine 'classic' mode (Python 2.7-only).
Release-As: 2.0.0b1
Closes #777.
|
|
I've filed a question against the internal team that manages
test accounts to ask what the recommended way to refresh these tokens is,
but have not yet gotten a response. Manually refresh the token
to unblock CI.
|
|
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
|
|
* fix: do not use the GAE APIs on gen2+ runtimes
Currently, this library uses the App Engine API in all environments if
it can be imported successfully. This assumption made sense when the API
was only available on gen1, but this is no longer the case.
See https://github.com/GoogleCloudPlatform/appengine-python-standard
In order to comply with AIP-4115, we must treat GAE gen2+ as a "compute
engine equivalent environment" even if the GAE APIs are importable.
In other words, google.auth.default() must never return an
app_engine.Credential on GAE gen2+.
* blacken
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
|
|
Source-Link: https://github.com/googleapis/synthtool/commit/dd05f9d12f134871c9e45282349c9856fbebecdd
Post-Processor: gcr.io/repo-automation-bots/owlbot-python:latest@sha256:aea14a583128771ae8aefa364e1652f3c56070168ef31beb203534222d842b8b
Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
|
|
This is an optional parameter that can be set via the constructor.
It is used to provide the credentials with new tokens and their
expiration time on `refresh()` call.
```python
import datetime

import google.oauth2.credentials
from google.auth import _helpers


def refresh_handler(request, scopes):
    # Generate a new token for the requested scopes by calling
    # an external process.
    return (
        "ACCESS_TOKEN",
        _helpers.utcnow() + datetime.timedelta(seconds=3600))


# `request` is a transport request object and `scopes` the scopes
# the token should cover.
creds = google.oauth2.credentials.Credentials(
    scopes=scopes,
    refresh_handler=refresh_handler)
creds.refresh(request)
```
It is useful in the following cases:
- Useful in general when tokens are obtained by calling some
external process on demand.
- Useful in particular for retrieving downscoped tokens from a
token broker.
This should have no impact on existing behavior. Refresh tokens
will still have higher priority over refresh handlers.
A getter and setter are exposed to make it easy to set the callable
on unpickled credentials as the callable may not be easily serialized.
```python
import pickle

unpickled = pickle.loads(pickle.dumps(oauth_creds))
unpickled.refresh_handler = refresh_handler
```
|
|
This ensures they are automatically tagged in PRs for reviews.
|
|
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
|
|
endpoint (#784)" (#808)
revert "feat: service account is able to use a private token endpoint (#784)" until b/194191737 is fixed.
This reverts commit 0e264092e35ac02ad68d5d91424ecba5397daa41.
|
|
For downscoping CAB flow, the STS endpoint may not return the expiration
field for certain source credentials. The generated downscoped token
should always have the same expiration time as the source credentials.
When no `expires_in` field is returned in the response, we can just get
the expiration time from the source credentials.
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
|
|
|
|
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
|
|
* fix: fix fetch_id_token credential lookup order to match adc
* fix tests
* fix linter
* update
* update
* add comments
|
|
Source-Link: https://github.com/googleapis/synthtool/commit/e44dc0c742b1230887a73552357e0c18dcc30b92
Post-Processor: gcr.io/repo-automation-bots/owlbot-python:latest@sha256:5ff7446edeaede81c3ed58b23a4e76a5403fba1350ce28478045657303b6479d
|
|
Source-Link: https://github.com/googleapis/synthtool/commit/53ea3896a52f87c758e79b5a19fa338c83925a98
Post-Processor: gcr.io/repo-automation-bots/owlbot-python:latest@sha256:e1793a23ae0ee9aafb2e3a53b564a351f74790dbe3c2d75f8fc3b8c43e5c036c
|
|
In [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect), users can use an endpoint which is private to their VPC network. The request is eventually routed to the oauth2.googleapis.com/token so the "aud" in the assertion still should be oauth2.googleapis.com/token.
After this change, a service account can send requests to the private endpoint (if configured) and still use the oauth2.googleapis.com/token in the assertion.
|
|
* feat: define `google.auth.downscoped.Credentials` class
This is based on [Downscoping with Credential Access Boundaries](https://cloud.google.com/iam/docs/downscoping-short-lived-credentials).
The new credentials are initialized mainly using elevated source
credentials and a `google.auth.downscoped.CredentialAccessBoundary`
instance.
The credentials will then get access tokens from the source
credentials and exchange them via the GCP STS token exchange
endpoint using the provided credential access boundary rules
for downscoped access tokens.
The new credentials will inherit the source credentials' scopes
but the scopes are not exposed as we cannot always determine the
scopes from the source credentials.
* Fixes typos in comments.
* Addresses review comments.
* Moves all constants in the test file to module scope.
|
|
* tests: pass '*session.posargs' for systests
Permits running single tests, debugging on errors, etc.
* fix: typos
|
|
Defines the following classes:
- `google.auth.downscoped.CredentialAccessBoundary`
- `google.auth.downscoped.AccessBoundaryRule`
- `google.auth.downscoped.AvailabilityCondition`
This is based on
[Downscoping with Credential Access Boundaries](https://cloud.google.com/iam/docs/downscoping-short-lived-credentials).
These classes help define the list of access boundary rules,
each of which contains information on the resource that the rule
applies to, the upper bound of the permissions that are available
on that resource and an optional condition to further restrict
permissions.
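As an added example (not the library's own code) covering this commit and the earlier `expires_in` fix for the downscoping flow: the rule and boundary shapes use the JSON field names of the public Credential Access Boundary format linked above, `downscoped_expiry` applies the fallback to the source credentials' expiry, and the bucket, role and condition values are constructed placeholders:

```python
import datetime
import json

# Constructed sample values; the bucket name is a placeholder.
SAMPLE_BUCKET = "//storage.googleapis.com/projects/_/buckets/example-bucket"
SAMPLE_PERMISSION = "inRole:roles/storage.objectViewer"
SAMPLE_CONDITION = (
    "resource.name.startsWith('projects/_/buckets/example-bucket/objects/readable/')"
)


def access_boundary_rule(resource, permissions, condition=None):
    """One rule: the resource it applies to, the upper bound of permissions
    available on it, and an optional condition expression narrowing it."""
    rule = {"availableResource": resource,
            "availablePermissions": list(permissions)}
    if condition is not None:
        rule["availabilityCondition"] = {"expression": condition}
    return rule


def credential_access_boundary(rules):
    """Serialize the rule list into the JSON document that accompanies the
    source access token in the STS token exchange."""
    return json.dumps({"accessBoundary": {"accessBoundaryRules": list(rules)}})


def downscoped_expiry(sts_response, source_expiry, now):
    """Expiry for the downscoped token returned by the STS exchange.

    The STS endpoint may omit `expires_in` for some source credentials;
    the downscoped token then takes the source credentials' expiry.
    """
    if "expires_in" in sts_response:
        return now + datetime.timedelta(seconds=int(sts_response["expires_in"]))
    if source_expiry is None:
        raise ValueError("STS response has no expires_in and source expiry is unknown")
    return source_expiry


if __name__ == "__main__":
    rule = access_boundary_rule(SAMPLE_BUCKET, [SAMPLE_PERMISSION], SAMPLE_CONDITION)
    print(credential_access_boundary([rule]))
```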
|
|
|
|
Closes #795
|
|
:robot: I have created a release \*beep\* \*boop\*
---
### [1.32.1](https://www.github.com/googleapis/google-auth-library-python/compare/v1.32.0...v1.32.1) (2021-06-30)
### Bug Fixes
* avoid leaking sub-session created for '_auth_request' ([#789](https://www.github.com/googleapis/google-auth-library-python/issues/789)) ([2079ab5](https://www.github.com/googleapis/google-auth-library-python/commit/2079ab5e1db464f502248ae4f9e424deeef87fb2))
---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
|
|
Closes #658.
|
|
Source-Link: https://github.com/googleapis/synthtool/commit/b0eb8a8b30b46a3c98d23c23107acb748c6601a1
Post-Processor: gcr.io/repo-automation-bots/owlbot-python:latest@sha256:df50e8d462f86d6bcb42f27ecad55bb12c404f1c65de9c6fe4c4d25120080bd6
|
|
|
|
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
|
|
* feat: allow scopes for self signed jwt
* Update service_account.py
* add http changes
* Update google/auth/jwt.py
|
|
|
|
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
|
|
Updates `google.auth.external_account.Credentials#info` to not delete items in the dictionary while iterating.
|
|
(#770)
This includes the following properties:
- `info`: This is the reverse of `from_info` defined on subclasses and useful to
serialize external account credentials.
- `service_account_email`: This is the corresponding service account email if impersonation is used.
- `is_user`: This is `False` for workload identity pools and `True` for workforce pools (not yet supported).
This can be mainly determined from the STS audience.
While the properties will primarily facilitate integration with gcloud, they are publicly useful for other contexts.
|
|
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
|
|
* fix: session object was never used in aiohttp request (#700)
* fixup! fix: session object was never used in aiohttp request (#700)
* fixup! fixup! fix: session object was never used in aiohttp request (#700)
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
|
|
* chore: migrate to owl bot
* run the post processor
|
|
Drop explicit pin / constraint on 'urllib3': specific 'requests'
versions have very narrow pins, and ours is only likely to create
conflicts.
Bump the 'requests' lower bound to '2.20.0', the lowest version for
which our tests pass once constraints are being checked.
Closes #759
|