8bSrSSKrSSKrSSKrSSKJr SSKJr SSKJr SSKJr SSKJ r SSK J r SS K J r SSKrSS KJrJr \"\"S S S 55 SS KJr SrSr\R,"SS\"\5S.5r"SS\R25r"SS\5r"SS\ R:5rg)z!Tests for wrapped_credentials.py.N)aws)external_account) external_account_authorized_user) identity_pool) pluggable)testcase)WrappedCredentials)add_move MovedModulemockz unittest.mock)r foocontentz text/plain200)z content-typestatuszcontent-lengthc2^\rSrSrSU4SjjrSrSrU=r$)MockCredentials,c>^^[TT]"U0UD6 STlUTlSTlUU4Sjn[ R "US9Tlg)Nc>AATTlgNtoken)argskwargsselfrs 7platform/gsutil/gslib/tests/test_wrapped_credentials.py side_effect-MockCredentials.__init__..side_effect4s djr)super__init__ _audienceexpiryrr Mockrefresh)rrr$rrr __class__s`` rr"MockCredentials.__init__.sA Gd%f%DNDKDJ995DLrcgrr*rrretrieve_subject_token&MockCredentials.retrieve_subject_token:sr)r#r$r&r)NN)__name__ __module__ __qualname____firstlineno__r"r+__static_attributes__ __classcell__)r's@rrr,s 6  rrc$\rSrSrSrSrSrSrg)HeadersWithAuth>zUA utility class to use to make sure a set of headers includes specific authenticationc$U=(d SUlg)Nr)rrs rr"HeadersWithAuth.__init__As "DJrc@US[SUR-S5:H$)Ns AuthorizationzBearer zutf-8)bytesr)rheaderss r__eq__HeadersWithAuth.__eq__Ds# # $i$**.Dg(N NNrrN)r-r.r/r0__doc__r"r<r1r*rrr4r4>s]Orr4c\rSrSrSr\R R\SSS9S5r Sr Sr \R R\SSS9S 5r S r S rS rS rSrSrg)TestWrappedCredentialsHzRTest logic for interacting with Wrapped Credentials the way we intend to use them.HttpT)autospecc :[[4URRlURRn[ [ [ SSSSS95n[RR5nURU5 URSS9upEURU[5 URRR[R 5 URSS[#[ 5S[R [R S 9 g) Nr barhttps://sts.googleapis.comqux)raudiencesubject_token_type token_urlcredential_source google.comuriGETmethodr;bodyconnection_type redirections)RESPONSECONTENT return_valuerequestr r ACCESS_TOKEN oauth2client transportget_http_object authorize assertEqual_baser&assert_called_once_withr ANYr4)rhttpreqcreds_rs rtestWrappedCredentialUsage1TestWrappedCredentials.testWrappedCredentialUsageKs.6-@D*    # #C l!&+0">*/  1 2E  ! ! 1 1 3D OOD,/JAWg& KK//9 ',(7 (E%)04-1XX  7rc [[R"SSSSS0S95n[Ul[ R "SSS S S 5UlUR5n[R"U5nURUS S5 URUS [5 URUS S5 URUSSS5 URUSSS5 URUSSS5 URUSSSS5 [R"U5nURU[5 URUR[R5 URURS5 URUR[5 URUR UR 5 g)QTest logic for converting Wrapped Credentials to and from JSON for serialization.r rErFurlrL)rHrIrJrK r client_id access_token token_expiry2001-12-05T00:00:00Zr_rHrIrJrKN)r r CredentialsrYrodatetimerpto_jsonjsonloadsr^ from_jsonassertIsInstancer_rn)rrd creds_json json_valuescreds2s r"testWrappedCredentialSerialization9TestWrappedCredentials.testWrappedCredentialSerializationes !!55:,H5:L4I K LE &E!**4Q1=EJ**Z(K[-u5[0,?[02HI[)*5u=[)*>?G[)+613[)*=>uE!# ) )* 5F&"45&,, (A(ABV%%u-V((,7V((%*<*<=rc[R"[R"S[SSSSSSSS.S .S .55nUR U[5 UR UR [R5 g ) zdTest logic for creating a Wrapped Credentials using keywords that exist in IdentityPool but not AWS.r rqrrErFrL 1234567890)rjworkforce_pool_user_project)typerHrIrJrK)rnrorpr_N) r rwrudumpsrYrxr_rrrrrds r1testWrappedCredentialSerializationMissingKeywordsHTestWrappedCredentials.testWrappedCredentialSerializationMissingKeywordssu  ( ( (2*!&+9'3?&     E" %!34%++}'@'@Arc ^[[4URRlURRn[ [ R "SSSSSSS95mU4Sjn[R"US 9TRl [RR5nTRU5 URS S 9upEURU[5 TRRR![R"5 UR!S S [%[&5S[R"[R"S 9 g)N^//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID refreshToken)https://sts.googleapis.com/v1/oauth/token)https://sts.googleapis.com/v1/instrospectclientId clientSecretrH refresh_tokenrJtoken_info_urlrn client_secretc4>AA[TRlgr)rYr_r)rrrds r_refresh_token_side_effectrTestWrappedCredentials.testWrappedCredentialUsageExternalAccountAuthorizedUser.._refresh_token_side_effects &ekkrr rLrMrOrP)rUrVrWrXr rrrr r%r_r&rZr[r\r]r^r`rar4rY)rrbrcrrerrds @r7testWrappedCredentialUsageExternalAccountAuthorizedUserNTestWrappedCredentials.testWrappedCredentialUsageExternalAccountAuthorizedUsers.6-@D*    # #C (44 l(AF ( * +E'))0JKEKK  ! ! 1 1 3D OOD,/JAWg& KK//9 ',(7 (E%)04-1XX  7rc ~[[R"SSSSSSS95n[Ul[ R "SS S S S 5UlUR5n[R"U5n0S S _SS_SS_S[_SS_SS_SS_SS_SS_SS_SS_S/_SS_SS_SS_S S_S!S"S[SSSSSSS#S$. _nURX45 [R"U5nURU[5 URUR[R5 URURS5 g)%rirrrrrrrrkrlrmr_classr _modulezgslib.utils.wrapped_credentialsrnrorprqrrid_tokenN id_token_jwtinvalidF revoke_uriscopestoken_info_uritoken_response token_uri user_agentr_rzgoogleapis.com) rrHrr$rJrrrnruniverse_domain)r rrrrYrorsrprtrurvr^rwrxr_rn)rrdryrzexpected_json_valuesr{s r?testWrappedCredentialSerializationExternalAccountAuthorizedUserVTestWrappedCredentials.testWrappedCredentialSerializationExternalAccountAuthorizedUsers (44 l(AF ( * +E&E!**4Q1=EJ**Z(K'&'4' Z'  ' . '  ' ' D' ' 5' d' "' $' $' T' d!'" 2p&;; ) #'P [7  ) )* 5F&"45&,,:FFHV%%z2rc H[R"[R"SSSSSSS.SS S S S .055nUR U[5 UR UR [ R5 UR UR [R5 g) Nr_i//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_IDaws1zChttp://169.254.169.254/latest/meta-data/placement/availability-zonezNhttps://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15z@http://169.254.169.254/latest/meta-data/iam/security-credentials)environment_id region_urlregional_cred_verification_urlrjhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-1234@service-name.iam.gserviceaccount.com:generateAccessTokenz+urn:ietf:params:aws:token-type:aws4_request#https://sts.googleapis.com/v1/tokenrrHrK!service_account_impersonation_urlrIrJr) r rwrurrxr_rrrrrs rtestFromJsonAWSCredentials1TestWrappedCredentials.testFromJsonAWSCredentialss  ( ( ]hZ &`A9&)   E4 %!34%++'7'C'CD%++s7rc B[R"[R"SSSS0SSSSS .055nUR U[5 UR UR [ R5 UR UR [R5 g) Nr_rfilez/var/run/secrets/goog.id/tokenr$urn:ietf:params:oauth:token-type:jwtrrr) r rwrurrxr_rrrrrs r testFromJsonFileBasedCredentials7TestWrappedCredentials.testFromJsonFileBasedCredentialss  ( ( <&`:9&   E& %!34%++'7'C'CD%++}'@'@Arc F[R"[R"SSSSS00SSSS S .055nUR U[5 UR UR [ R5 UR UR [R5 g) Nr_r executablecommandz/path/to/command.shrrrrr) r rwrurrxr_rrrrrs r testFromJsonPluggableCredentials7TestWrappedCredentials.testFromJsonPluggableCredentials0s  ( (  !#8#& `:9&   E* %!34%++'7'C'CD%++y'<'<=rc [R"[R"SSSSSSSSS .055nUR U[5 UR UR [ R5 g) Nr_rrrrrrr)rrHrrJrrnr)r rwrurrxr_rrrrs r4testFromJsonExternalAccountAuthorizedUserCredentialsKTestWrappedCredentials.testFromJsonExternalAccountAuthorizedUserCredentialsJsq  ( ( 6t"??"   E( %!34%++:FFHrr*N)r-r.r/r0r>r patchobjecthttplib2rfr|rrrrrrrr1r*rrr@r@HsZ::Xv57672>8B,::Xv5 76 7D=3~8>B0>4Hrr@)r>rsrur google.authrrrrr gslib.testsrgslib.utils.wrapped_credentialsr rZsixr r six.movesr rYrVResponselenrUrrrdictr4GsUtilUnitTestCaser@r*rrrs( (8%! >%VV_ 56     'l  &22 $OdOYHX88YHr