// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package httptransport
import (
"context"
"net/http"
"net/http/httptest"
"strings"
"testing"
"cloud.google.com/go/auth"
"cloud.google.com/go/auth/credentials"
"cloud.google.com/go/auth/internal"
"github.com/google/go-cmp/cmp"
)
func TestAddAuthorizationMiddleware(t *testing.T) {
creds := auth.NewCredentials(&auth.CredentialsOptions{
TokenProvider: staticTP("fakeToken"),
})
tests := []struct {
name string
client *http.Client
creds *auth.Credentials
wantErr bool
want string
}{
{
name: "missing both required fields",
wantErr: true,
},
{
name: "missing client field",
creds: creds,
wantErr: true,
},
{
name: "missing creds field",
client: internal.CloneDefaultClient(),
wantErr: true,
},
{
name: "works",
client: internal.CloneDefaultClient(),
creds: creds,
want: "fakeToken",
},
{
name: "works, no transport",
client: &http.Client{},
creds: creds,
want: "fakeToken",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := AddAuthorizationMiddleware(tt.client, tt.creds)
if tt.wantErr && err == nil {
t.Fatalf("AddAuthorizationMiddleware() = nil, want error")
}
if tt.wantErr {
return
}
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
got := r.Header.Get("Authorization")
if !strings.Contains(got, tt.want) {
t.Errorf("got %q, want contain %q", got, tt.want)
}
}))
defer ts.Close()
tt.client.Get(ts.URL)
})
}
}
func TestNewClient_FailsValidation(t *testing.T) {
tests := []struct {
name string
opts *Options
}{
{
name: "missing options",
},
{
name: "has creds with disable options, tp",
opts: &Options{
DisableAuthentication: true,
Credentials: auth.NewCredentials(&auth.CredentialsOptions{
TokenProvider: staticTP("fakeToken"),
}),
},
},
{
name: "has creds with disable options, cred file",
opts: &Options{
DisableAuthentication: true,
DetectOpts: &credentials.DetectOptions{
CredentialsFile: "abc.123",
},
},
},
{
name: "has creds with disable options, cred json",
opts: &Options{
DisableAuthentication: true,
DetectOpts: &credentials.DetectOptions{
CredentialsJSON: []byte(`{"foo":"bar"}`),
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, err := NewClient(tt.opts)
if err == nil {
t.Fatal("NewClient() = _, nil, want error")
}
})
}
}
func TestDial_SkipValidation(t *testing.T) {
opts := &Options{
DisableAuthentication: true,
Credentials: auth.NewCredentials(&auth.CredentialsOptions{
TokenProvider: staticTP("fakeToken"),
}),
}
t.Run("invalid opts", func(t *testing.T) {
if err := opts.validate(); err == nil {
t.Fatalf("opts.validate() = nil, want error")
}
})
t.Run("skip invalid opts", func(t *testing.T) {
opts.InternalOptions = &InternalOptions{SkipValidation: true}
if err := opts.validate(); err != nil {
t.Fatalf("opts.validate() = %v, want nil", err)
}
})
}
func TestOptions_ResolveDetectOptions(t *testing.T) {
tests := []struct {
name string
in *Options
want *credentials.DetectOptions
}{
{
name: "base",
in: &Options{
DetectOpts: &credentials.DetectOptions{
Scopes: []string{"scope"},
CredentialsFile: "/path/to/a/file",
},
},
want: &credentials.DetectOptions{
Scopes: []string{"scope"},
CredentialsFile: "/path/to/a/file",
},
},
{
name: "self-signed, with scope",
in: &Options{
InternalOptions: &InternalOptions{
EnableJWTWithScope: true,
},
DetectOpts: &credentials.DetectOptions{
Scopes: []string{"scope"},
CredentialsFile: "/path/to/a/file",
},
},
want: &credentials.DetectOptions{
Scopes: []string{"scope"},
CredentialsFile: "/path/to/a/file",
UseSelfSignedJWT: true,
},
},
{
name: "self-signed, with aud",
in: &Options{
DetectOpts: &credentials.DetectOptions{
Audience: "aud",
CredentialsFile: "/path/to/a/file",
},
},
want: &credentials.DetectOptions{
Audience: "aud",
CredentialsFile: "/path/to/a/file",
UseSelfSignedJWT: true,
},
},
{
name: "use default scopes",
in: &Options{
InternalOptions: &InternalOptions{
DefaultScopes: []string{"default"},
DefaultAudience: "default",
},
DetectOpts: &credentials.DetectOptions{
CredentialsFile: "/path/to/a/file",
},
},
want: &credentials.DetectOptions{
Scopes: []string{"default"},
CredentialsFile: "/path/to/a/file",
},
},
{
name: "don't use default scopes, scope provided",
in: &Options{
InternalOptions: &InternalOptions{
DefaultScopes: []string{"default"},
DefaultAudience: "default",
},
DetectOpts: &credentials.DetectOptions{
Scopes: []string{"non-default"},
CredentialsFile: "/path/to/a/file",
},
},
want: &credentials.DetectOptions{
Scopes: []string{"non-default"},
CredentialsFile: "/path/to/a/file",
},
},
{
name: "don't use default scopes, aud provided",
in: &Options{
InternalOptions: &InternalOptions{
DefaultScopes: []string{"default"},
DefaultAudience: "default",
},
DetectOpts: &credentials.DetectOptions{
Audience: "non-default",
CredentialsFile: "/path/to/a/file",
},
},
want: &credentials.DetectOptions{
Audience: "non-default",
CredentialsFile: "/path/to/a/file",
UseSelfSignedJWT: true,
},
},
{
name: "use default aud",
in: &Options{
InternalOptions: &InternalOptions{
DefaultAudience: "default",
},
DetectOpts: &credentials.DetectOptions{
CredentialsFile: "/path/to/a/file",
},
},
want: &credentials.DetectOptions{
Audience: "default",
CredentialsFile: "/path/to/a/file",
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := tt.in.resolveDetectOptions()
if diff := cmp.Diff(tt.want, got); diff != "" {
t.Errorf("mismatch (-want +got):\n%s", diff)
}
})
}
}
func TestNewClient_DetectedServiceAccount(t *testing.T) {
testQuota := "testquota"
wantHeader := "bar"
t.Setenv(internal.QuotaProjectEnvVar, testQuota)
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if got := r.Header.Get("Authorization"); got == "" {
t.Errorf(`got "", want an auth token`)
}
if got := r.Header.Get("Foo"); got != wantHeader {
t.Errorf("got %q, want %q", got, wantHeader)
}
if got := r.Header.Get(quotaProjectHeaderKey); got != testQuota {
t.Errorf("got %q, want %q", got, testQuota)
}
}))
defer ts.Close()
client, err := NewClient(&Options{
Headers: http.Header{"Foo": []string{wantHeader}},
InternalOptions: &InternalOptions{
DefaultEndpointTemplate: ts.URL,
},
DetectOpts: &credentials.DetectOptions{
Audience: ts.URL,
CredentialsFile: "../internal/testdata/sa.json",
UseSelfSignedJWT: true,
},
})
if err != nil {
t.Fatalf("NewClient() = %v", err)
}
req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
if err != nil {
t.Fatal(err)
}
if _, err := client.Do(req); err != nil {
t.Fatalf("client.Get() = %v", err)
}
}
func TestNewClient_APIKey(t *testing.T) {
testQuota := "testquota"
apiKey := "thereisnospoon"
wantHeader := "bar"
t.Setenv(internal.QuotaProjectEnvVar, testQuota)
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
got := r.URL.Query().Get("key")
if got != apiKey {
t.Errorf("got %q, want %q", got, apiKey)
}
if got := r.Header.Get("Foo"); got != wantHeader {
t.Errorf("got %q, want %q", got, wantHeader)
}
if got := r.Header.Get(quotaProjectHeaderKey); got != testQuota {
t.Errorf("got %q, want %q", got, testQuota)
}
}))
defer ts.Close()
client, err := NewClient(&Options{
APIKey: apiKey,
Headers: http.Header{"Foo": []string{wantHeader}},
})
if err != nil {
t.Fatalf("NewClient() = %v", err)
}
if _, err := client.Get(ts.URL); err != nil {
t.Fatalf("client.Get() = %v", err)
}
}
func TestNewClient_BaseRoundTripper(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
got := r.Header.Get("Foo")
if want := "foo"; got != want {
t.Errorf("got %q, want %q", got, want)
}
got = r.Header.Get("Bar")
if want := "bar"; got != want {
t.Errorf("got %q, want %q", got, want)
}
}))
defer ts.Close()
client, err := NewClient(&Options{
BaseRoundTripper: &rt{key: "Bar", value: "bar"},
Headers: http.Header{"Foo": []string{"foo"}},
APIKey: "key",
})
if err != nil {
t.Fatalf("NewClient() = %v", err)
}
if _, err := client.Get(ts.URL); err != nil {
t.Fatalf("client.Get() = %v", err)
}
}
type staticTP string
func (tp staticTP) Token(context.Context) (*auth.Token, error) {
return &auth.Token{
Value: string(tp),
}, nil
}
type rt struct {
key string
value string
}
func (r *rt) RoundTrip(req *http.Request) (*http.Response, error) {
req2 := req.Clone(req.Context())
req2.Header.Add(r.key, r.value)
return http.DefaultTransport.RoundTrip(req2)
}