feat: add token_info_url to external account credentials (#1168)

* feat: add token_info_url to external account credentials Also some minor refactoring * chore: Refresh system test creds. * Changes requested by @clundin * Changes requested by Leo * validating token info url * comment * chore: Refresh system test creds. * tests * secrets * tests * lint * 2.7 Co-authored-by: Carl Lundin <[email protected]>
googleapis · Oct 27, 2022 · 9adee75 · 9adee75
1 parent 1d278c3
commit 9adee75
Show file tree

Hide file tree

Showing 5 changed files with 695 additions and 193 deletions.
diff --git a/google/auth/external_account.py b/google/auth/external_account.py
@@ -78,6 +78,7 @@ def __init__(
         service_account_impersonation_options=None,
         client_id=None,
         client_secret=None,
+        token_info_url=None,
         quota_project_id=None,
         scopes=None,
         default_scopes=None,
@@ -94,6 +95,7 @@ def __init__(
                 impersonation generateAccessToken URL.
             client_id (Optional[str]): The optional client ID.
             client_secret (Optional[str]): The optional client secret.
+            token_info_url (str): The optional STS endpoint URL for token introspection.
             quota_project_id (Optional[str]): The optional quota project ID.
             scopes (Optional[Sequence[str]]): Optional scopes to request during the
                 authorization grant.
@@ -112,6 +114,7 @@ def __init__(
         self._audience = audience
         self._subject_token_type = subject_token_type
         self._token_url = token_url
+        self._token_info_url = token_info_url
         self._credential_source = credential_source
         self._service_account_impersonation_url = service_account_impersonation_url
         self._service_account_impersonation_options = (
@@ -125,6 +128,8 @@ def __init__(
         self._workforce_pool_user_project = workforce_pool_user_project
 
         Credentials.validate_token_url(token_url)
+        if token_info_url:
+            Credentials.validate_token_url(token_info_url, url_type="token info")
         if service_account_impersonation_url:
             Credentials.validate_service_account_impersonation_url(
                 service_account_impersonation_url
@@ -161,13 +166,25 @@ def info(self):
                 useful for serializing the current credentials so it can deserialized
                 later.
         """
-        config_info = {
-            "type": _EXTERNAL_ACCOUNT_JSON_TYPE,
+        config_info = self._constructor_args()
+        config_info.update(
+            type=_EXTERNAL_ACCOUNT_JSON_TYPE,
+            service_account_impersonation=config_info.pop(
+                "service_account_impersonation_options", None
+            ),
+        )
+        config_info.pop("scopes", None)
+        config_info.pop("default_scopes", None)
+        return {key: value for key, value in config_info.items() if value is not None}
+
+    def _constructor_args(self):
+        args = {
             "audience": self._audience,
             "subject_token_type": self._subject_token_type,
             "token_url": self._token_url,
+            "token_info_url": self._token_info_url,
             "service_account_impersonation_url": self._service_account_impersonation_url,
-            "service_account_impersonation": copy.deepcopy(
+            "service_account_impersonation_options": copy.deepcopy(
                 self._service_account_impersonation_options
             )
             or None,
@@ -176,8 +193,12 @@ def info(self):
             "client_id": self._client_id,
             "client_secret": self._client_secret,
             "workforce_pool_user_project": self._workforce_pool_user_project,
+            "scopes": self._scopes,
+            "default_scopes": self._default_scopes,
         }
-        return {key: value for key, value in config_info.items() if value is not None}
+        if not self.is_workforce_pool:
+            args.pop("workforce_pool_user_project")
+        return args
 
     @property
     def service_account_email(self):
@@ -255,25 +276,17 @@ def project_number(self):
         except ValueError:
             return None
 
+    @property
+    def token_info_url(self):
+        """Optional[str]: The STS token introspection endpoint."""
+
+        return self._token_info_url
+
     @_helpers.copy_docstring(credentials.Scoped)
     def with_scopes(self, scopes, default_scopes=None):
-        d = dict(
-            audience=self._audience,
-            subject_token_type=self._subject_token_type,
-            token_url=self._token_url,
-            credential_source=self._credential_source,
-            service_account_impersonation_url=self._service_account_impersonation_url,
-            service_account_impersonation_options=self._service_account_impersonation_options,
-            client_id=self._client_id,
-            client_secret=self._client_secret,
-            quota_project_id=self._quota_project_id,
-            scopes=scopes,
-            default_scopes=default_scopes,
-            workforce_pool_user_project=self._workforce_pool_user_project,
-        )
-        if not self.is_workforce_pool:
-            d.pop("workforce_pool_user_project")
-        return self.__class__(**d)
+        kwargs = self._constructor_args()
+        kwargs.update(scopes=scopes, default_scopes=default_scopes)
+        return self.__class__(**kwargs)
 
     @abc.abstractmethod
     def retrieve_subject_token(self, request):
@@ -368,43 +381,15 @@ def refresh(self, request):
     @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject)
     def with_quota_project(self, quota_project_id):
         # Return copy of instance with the provided quota project ID.
-        d = dict(
-            audience=self._audience,
-            subject_token_type=self._subject_token_type,
-            token_url=self._token_url,
-            credential_source=self._credential_source,
-            service_account_impersonation_url=self._service_account_impersonation_url,
-            service_account_impersonation_options=self._service_account_impersonation_options,
-            client_id=self._client_id,
-            client_secret=self._client_secret,
-            quota_project_id=quota_project_id,
-            scopes=self._scopes,
-            default_scopes=self._default_scopes,
-            workforce_pool_user_project=self._workforce_pool_user_project,
-        )
-        if not self.is_workforce_pool:
-            d.pop("workforce_pool_user_project")
-        return self.__class__(**d)
+        kwargs = self._constructor_args()
+        kwargs.update(quota_project_id=quota_project_id)
+        return self.__class__(**kwargs)
 
     @_helpers.copy_docstring(credentials.CredentialsWithTokenUri)
     def with_token_uri(self, token_uri):
-        d = dict(
-            audience=self._audience,
-            subject_token_type=self._subject_token_type,
-            token_url=token_uri,
-            credential_source=self._credential_source,
-            service_account_impersonation_url=self._service_account_impersonation_url,
-            service_account_impersonation_options=self._service_account_impersonation_options,
-            client_id=self._client_id,
-            client_secret=self._client_secret,
-            quota_project_id=self._quota_project_id,
-            scopes=self._scopes,
-            default_scopes=self._default_scopes,
-            workforce_pool_user_project=self._workforce_pool_user_project,
-        )
-        if not self.is_workforce_pool:
-            d.pop("workforce_pool_user_project")
-        return self.__class__(**d)
+        kwargs = self._constructor_args()
+        kwargs.update(token_url=token_uri)
+        return self.__class__(**kwargs)
 
     def _initialize_impersonated_credentials(self):
         """Generates an impersonated credentials.
@@ -422,23 +407,12 @@ def _initialize_impersonated_credentials(self):
                 endpoint returned an error.
         """
         # Return copy of instance with no service account impersonation.
-        d = dict(
-            audience=self._audience,
-            subject_token_type=self._subject_token_type,
-            token_url=self._token_url,
-            credential_source=self._credential_source,
+        kwargs = self._constructor_args()
+        kwargs.update(
             service_account_impersonation_url=None,
             service_account_impersonation_options={},
-            client_id=self._client_id,
-            client_secret=self._client_secret,
-            quota_project_id=self._quota_project_id,
-            scopes=self._scopes,
-            default_scopes=self._default_scopes,
-            workforce_pool_user_project=self._workforce_pool_user_project,
         )
-        if not self.is_workforce_pool:
-            d.pop("workforce_pool_user_project")
-        source_credentials = self.__class__(**d)
+        source_credentials = self.__class__(**kwargs)
 
         # Determine target_principal.
         target_principal = self.service_account_email
@@ -461,7 +435,7 @@ def _initialize_impersonated_credentials(self):
         )
 
     @staticmethod
-    def validate_token_url(token_url):
+    def validate_token_url(token_url, url_type="token"):
         _TOKEN_URL_PATTERNS = [
             "^[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com$",
             "^sts\\.googleapis\\.com$",
@@ -471,7 +445,7 @@ def validate_token_url(token_url):
         ]
 
         if not Credentials.is_valid_url(_TOKEN_URL_PATTERNS, token_url):
-            raise ValueError("The provided token URL is invalid.")
+            raise ValueError("The provided {} URL is invalid.".format(url_type))
 
     @staticmethod
     def validate_service_account_impersonation_url(url):
@@ -530,6 +504,7 @@ def from_info(cls, info, **kwargs):
             audience=info.get("audience"),
             subject_token_type=info.get("subject_token_type"),
             token_url=info.get("token_url"),
+            token_info_url=info.get("token_info_url"),
             service_account_impersonation_url=info.get(
                 "service_account_impersonation_url"
             ),