// Copyright 2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package externalaccount import ( "context" "encoding/json" "net/http" "net/http/httptest" "strings" "testing" "time" iexacc "cloud.google.com/go/auth/credentials/internal/externalaccount" ) const ( accessKeyID = "accessKeyID" secretAccessKey = "secret" sessionToken = "sessionTok" subjectTok = `%7B%22url%22%3A%22https%3A%2F%2Fsts.us-east-2.amazonaws.com%3FAction%3DGetCallerIdentity%5Cu0026Version%3D2011-06-15%22%2C%22method%22%3A%22POST%22%2C%22headers%22%3A%5B%7B%22key%22%3A%22Authorization%22%2C%22value%22%3A%22AWS4-HMAC-SHA256+Credential%3DaccessKeyID%2F20110909%2Fus-east-2%2Fsts%2Faws4_request%2C+SignedHeaders%3Dhost%3Bx-amz-date%3Bx-amz-security-token%3Bx-goog-cloud-target-resource%2C+Signature%3D19e8a661c61d39d19a9c82e272deef7784908176b82b0eb42f328d2c640f369b%22%7D%2C%7B%22key%22%3A%22Host%22%2C%22value%22%3A%22sts.us-east-2.amazonaws.com%22%7D%2C%7B%22key%22%3A%22X-Amz-Date%22%2C%22value%22%3A%2220110909T233600Z%22%7D%2C%7B%22key%22%3A%22X-Amz-Security-Token%22%2C%22value%22%3A%22sessionTok%22%7D%2C%7B%22key%22%3A%22X-Goog-Cloud-Target-Resource%22%2C%22value%22%3A%2232555940559.apps.googleusercontent.com%22%7D%5D%7D` ) var ( defaultTime = time.Date(2011, 9, 9, 23, 36, 0, 0, time.UTC) ) func TestNewCredentials_AwsSecurityCredentials(t *testing.T) { opts := &Options{ Audience: "32555940559.apps.googleusercontent.com", SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt", ClientSecret: "notsosecret", ClientID: "rbrgnognrhongo3bi4gb9ghg9g", } opts.AwsSecurityCredentialsProvider = &fakeAwsCredsProvider{ awsRegion: "us-east-2", creds: &AwsSecurityCredentials{ AccessKeyID: accessKeyID, SecretAccessKey: secretAccessKey, SessionToken: sessionToken, }, } ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { defer r.Body.Close() if r.URL.Path == "/sts" { r.ParseForm() if got, want := r.Form.Get("subject_token"), subjectTok; got != want { t.Errorf("got %q, want %q", got, want) } resp := &struct { AccessToken string `json:"access_token"` ExpiresIn int `json:"expires_in"` }{ AccessToken: "a_fake_token_sts", ExpiresIn: 60, } if err := json.NewEncoder(w).Encode(&resp); err != nil { t.Error(err) } } else if r.URL.Path == "/impersonate" { if want := "a_fake_token_sts"; !strings.Contains(r.Header.Get("Authorization"), want) { t.Errorf("missing sts token: got %q, want %q", r.Header.Get("Authorization"), want) } resp := &struct { AccessToken string `json:"accessToken"` ExpireTime string `json:"expireTime"` }{ AccessToken: "a_fake_token", ExpireTime: "2006-01-02T15:04:05Z", } if err := json.NewEncoder(w).Encode(&resp); err != nil { t.Error(err) } } else { t.Errorf("unexpected call to %q", r.URL.Path) } })) opts.ServiceAccountImpersonationURL = ts.URL + "/impersonate" opts.TokenURL = ts.URL + "/sts" oldNow := iexacc.Now defer func() { iexacc.Now = oldNow }() iexacc.Now = func() time.Time { return defaultTime } creds, err := NewCredentials(opts) if err != nil { t.Fatalf("NewCredentials() = %v", err) } if _, err := creds.Token(context.Background()); err != nil { t.Fatalf("creds.Token() = %v", err) } } func TestNewCredentials_SubjectTokenProvider(t *testing.T) { opts := &Options{ Audience: "32555940559.apps.googleusercontent.com", SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt", ClientSecret: "notsosecret", ClientID: "rbrgnognrhongo3bi4gb9ghg9g", } opts.SubjectTokenProvider = &fakeSubjectTokenProvider{ subjectToken: "fake_token", } ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { defer r.Body.Close() if r.URL.Path == "/sts" { r.ParseForm() if got, want := r.Form.Get("subject_token"), "fake_token"; got != want { t.Errorf("got %q, want %q", got, want) } resp := &struct { AccessToken string `json:"access_token"` ExpiresIn int `json:"expires_in"` }{ AccessToken: "a_fake_token_sts", ExpiresIn: 60, } if err := json.NewEncoder(w).Encode(&resp); err != nil { t.Error(err) } } else if r.URL.Path == "/impersonate" { if want := "a_fake_token_sts"; !strings.Contains(r.Header.Get("Authorization"), want) { t.Errorf("missing sts token: got %q, want %q", r.Header.Get("Authorization"), want) } resp := &struct { AccessToken string `json:"accessToken"` ExpireTime string `json:"expireTime"` }{ AccessToken: "a_fake_token", ExpireTime: "2006-01-02T15:04:05Z", } if err := json.NewEncoder(w).Encode(&resp); err != nil { t.Error(err) } } else { t.Errorf("unexpected call to %q", r.URL.Path) } })) opts.ServiceAccountImpersonationURL = ts.URL + "/impersonate" opts.TokenURL = ts.URL + "/sts" oldNow := iexacc.Now defer func() { iexacc.Now = oldNow }() iexacc.Now = func() time.Time { return defaultTime } creds, err := NewCredentials(opts) if err != nil { t.Fatalf("NewCredentials() = %v", err) } if _, err := creds.Token(context.Background()); err != nil { t.Fatalf("creds.Token() = %v", err) } } func TestNewCredentials_CredentialSourceURL(t *testing.T) { opts := &Options{ Audience: "//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID", SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt", CredentialSource: &CredentialSource{ Format: &Format{ Type: "json", SubjectTokenFieldName: "id_token", }, }, } ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { defer r.Body.Close() if r.URL.Path == "/token" { resp := &struct { Token string `json:"id_token"` }{ Token: "a_fake_token_base", } if err := json.NewEncoder(w).Encode(&resp); err != nil { t.Error(err) } } else if r.URL.Path == "/sts" { r.ParseForm() if got, want := r.Form.Get("subject_token"), "a_fake_token_base"; got != want { t.Errorf("got %q, want %q", got, want) } resp := &struct { AccessToken string `json:"access_token"` ExpiresIn int `json:"expires_in"` }{ AccessToken: "a_fake_token_sts", ExpiresIn: 60, } if err := json.NewEncoder(w).Encode(&resp); err != nil { t.Error(err) } } else if r.URL.Path == "/impersonate" { if want := "a_fake_token_sts"; !strings.Contains(r.Header.Get("Authorization"), want) { t.Errorf("missing sts token: got %q, want %q", r.Header.Get("Authorization"), want) } resp := &struct { AccessToken string `json:"accessToken"` ExpireTime string `json:"expireTime"` }{ AccessToken: "a_fake_token", ExpireTime: "2006-01-02T15:04:05Z", } if err := json.NewEncoder(w).Encode(&resp); err != nil { t.Error(err) } } else { t.Errorf("unexpected call to %q", r.URL.Path) } })) opts.ServiceAccountImpersonationURL = ts.URL + "/impersonate" opts.TokenURL = ts.URL + "/sts" opts.CredentialSource.URL = ts.URL + "/token" creds, err := NewCredentials(opts) if err != nil { t.Fatalf("NewCredentials() = %v", err) } if _, err := creds.Token(context.Background()); err != nil { t.Fatalf("creds.Token() = %v", err) } } type fakeAwsCredsProvider struct { credsErr error regionErr error awsRegion string creds *AwsSecurityCredentials } func (acp fakeAwsCredsProvider) AwsRegion(ctx context.Context, opts *RequestOptions) (string, error) { if acp.regionErr != nil { return "", acp.regionErr } return acp.awsRegion, nil } func (acp fakeAwsCredsProvider) AwsSecurityCredentials(ctx context.Context, opts *RequestOptions) (*AwsSecurityCredentials, error) { if acp.credsErr != nil { return nil, acp.credsErr } return acp.creds, nil } type fakeSubjectTokenProvider struct { err error subjectToken string } func (p fakeSubjectTokenProvider) SubjectToken(ctx context.Context, options *RequestOptions) (string, error) { if p.err != nil { return "", p.err } return p.subjectToken, nil }