fix: use gcloud creds flow (#705)
arithmetic1728 authored Feb 25, 2021
1 parent 3f2f3ea commit 333cb76
Showing 4 changed files with 58 additions and 0 deletions.
13 changes: 13 additions & 0 deletions google/auth/_default.py
Expand Up @@ -198,12 +198,25 @@ def _get_gcloud_sdk_credentials():
def _get_explicit_environ_credentials():
"""Gets credentials from the GOOGLE_APPLICATION_CREDENTIALS environment
variable."""
from google.auth import _cloud_sdk

cloud_sdk_adc_path = _cloud_sdk.get_application_default_credentials_path()
explicit_file = os.environ.get(environment_vars.CREDENTIALS)

_LOGGER.debug(
"Checking %s for explicit credentials as part of auth process...", explicit_file
)

if explicit_file is not None and explicit_file == cloud_sdk_adc_path:
# Cloud sdk flow calls gcloud to fetch project id, so if the explicit
# file path is cloud sdk credentials path, then we should fall back
# to cloud sdk flow, otherwise project id cannot be obtained.
_LOGGER.debug(
"Explicit credentials path %s is the same as Cloud SDK credentials path, fall back to Cloud SDK credentials flow...",
explicit_file,
)
return _get_gcloud_sdk_credentials()

if explicit_file is not None:
credentials, project_id = load_credentials_from_file(
os.environ[environment_vars.CREDENTIALS]
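Review bot: The new guard `explicit_file == cloud_sdk_adc_path` in `_get_explicit_environ_credentials` compares the two paths as raw strings, so a GOOGLE_APPLICATION_CREDENTIALS value that reaches the same file through a relative path, a symlink or a trailing separator will not match and will still take the `load_credentials_from_file` branch, which per the added comment cannot obtain the project id. Comparing resolved paths would make the check hold for those spellings, e.g. `if explicit_file is not None and os.path.realpath(explicit_file) == os.path.realpath(cloud_sdk_adc_path):`. The same comparison is added in `google/auth/_default_async.py`. The function body continues past the end of the hunk.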
9 changes: 9 additions & 0 deletions google/auth/_default_async.py
Expand Up @@ -127,8 +127,17 @@ def _get_gcloud_sdk_credentials():
def _get_explicit_environ_credentials():
"""Gets credentials from the GOOGLE_APPLICATION_CREDENTIALS environment
variable."""
from google.auth import _cloud_sdk

cloud_sdk_adc_path = _cloud_sdk.get_application_default_credentials_path()
explicit_file = os.environ.get(environment_vars.CREDENTIALS)

if explicit_file is not None and explicit_file == cloud_sdk_adc_path:
# Cloud sdk flow calls gcloud to fetch project id, so if the explicit
# file path is cloud sdk credentials path, then we should fall back
# to cloud sdk flow, otherwise project id cannot be obtained.
return _get_gcloud_sdk_credentials()

if explicit_file is not None:
credentials, project_id = load_credentials_from_file(
os.environ[environment_vars.CREDENTIALS]
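Review bot: With this branch an explicitly configured credentials file may be skipped without an error: `return _get_gcloud_sdk_credentials()` hands the decision to a helper whose body is outside the hunk, and if that helper returns `(None, None)` when the file is missing, a caller who set GOOGLE_APPLICATION_CREDENTIALS to the Cloud SDK path no longer reaches `load_credentials_from_file`, and credential discovery can continue with a different source and therefore a different identity. Please confirm the helper's behaviour; if it does return empty, take the fallback only when the file exists, `if explicit_file is not None and explicit_file == cloud_sdk_adc_path and os.path.isfile(explicit_file):`, so that a missing file is still reported by the explicit path. The same applies to the hunk in `google/auth/_default.py`. Unlike that file, this variant adds no debug log for the fallback, which makes the switch of flow harder to trace.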
18 changes: 18 additions & 0 deletions tests/test__default.py
Expand Up @@ -350,6 +350,24 @@ def test__get_explicit_environ_credentials_no_project_id(load, monkeypatch):
assert project_id is None


@mock.patch(
"google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True
)
@mock.patch("google.auth._default._get_gcloud_sdk_credentials", autospec=True)
def test__get_explicit_environ_credentials_fallback_to_gcloud(
get_gcloud_creds, get_adc_path, monkeypatch
):
# Set explicit credentials path to cloud sdk credentials path.
get_adc_path.return_value = "filename"
monkeypatch.setenv(environment_vars.CREDENTIALS, "filename")

_default._get_explicit_environ_credentials()

# Check we fall back to cloud sdk flow since explicit credentials path is
# cloud sdk credentials path
get_gcloud_creds.assert_called_once()


@LOAD_FILE_PATCH
@mock.patch(
"google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True
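Review bot: `test__get_explicit_environ_credentials_fallback_to_gcloud` only checks `get_gcloud_creds.assert_called_once()`, so it would still pass if the function called the Cloud SDK helper and then discarded its result or went on to load the file as well. Giving the mock a return value and asserting on it pins the behaviour: set `get_gcloud_creds.return_value = (mock.sentinel.credentials, mock.sentinel.project)` before the call, then `assert _default._get_explicit_environ_credentials() == get_gcloud_creds.return_value`. The test added in `tests_async/test__default_async.py` has the same gap.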
18 changes: 18 additions & 0 deletions tests_async/test__default_async.py
Expand Up @@ -187,6 +187,24 @@ def test__get_explicit_environ_credentials_no_project_id(load, monkeypatch):
assert project_id is None


@mock.patch(
"google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True
)
@mock.patch("google.auth._default_async._get_gcloud_sdk_credentials", autospec=True)
def test__get_explicit_environ_credentials_fallback_to_gcloud(
get_gcloud_creds, get_adc_path, monkeypatch
):
# Set explicit credentials path to cloud sdk credentials path.
get_adc_path.return_value = "filename"
monkeypatch.setenv(environment_vars.CREDENTIALS, "filename")

_default._get_explicit_environ_credentials()

# Check we fall back to cloud sdk flow since explicit credentials path is
# cloud sdk credentials path
get_gcloud_creds.assert_called_once()


@LOAD_FILE_PATCH
@mock.patch(
"google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True
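Review bot: The patch target is `google.auth._default_async._get_gcloud_sdk_credentials`, but the call under test is written `_default._get_explicit_environ_credentials()`, so the test exercises the async module only if `_default` is an alias for it in this file's imports, which are outside the hunk. If it is an alias, a short comment would save the reader the lookup, for example `# _default is google.auth._default_async in this module`. If it is not, the assertion is made against a mock that the called code never reaches.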
