From 1972c7b67cd79d14986a8a2d680f1b97481a2fac Mon Sep 17 00:00:00 2001 From: Harkamal Jot Singh Kumar Date: Fri, 17 Jan 2025 11:45:56 +0530 Subject: [PATCH 1/4] chore: improve error message in _metadata.py (#1652) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * improve error message * log last error response * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * update secret * update test case to make sure failure reason is included * update test * update secret --------- Co-authored-by: Owl Bot --- google/auth/compute_engine/_metadata.py | 12 ++++++++++-- system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes tests/compute_engine/test__metadata.py | 24 ++++++++++++++++++++++-- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/google/auth/compute_engine/_metadata.py b/google/auth/compute_engine/_metadata.py index 8d692972f..06f99de0e 100644 --- a/google/auth/compute_engine/_metadata.py +++ b/google/auth/compute_engine/_metadata.py @@ -201,7 +201,7 @@ def get( url = _helpers.update_query(base_url, query_params) backoff = ExponentialBackoff(total_attempts=retry_count) - + failure_reason = None for attempt in backoff: try: response = request(url=url, method="GET", headers=headers_to_use) @@ -213,6 +213,11 @@ def get( retry_count, response.status, ) + failure_reason = ( + response.data.decode("utf-8") + if hasattr(response.data, "decode") + else response.data + ) continue else: break @@ -225,10 +230,13 @@ def get( retry_count, e, ) + failure_reason = e else: raise exceptions.TransportError( "Failed to retrieve {} from the Google Compute Engine " - "metadata service. Compute Engine Metadata server unavailable".format(url) + "metadata service. Compute Engine Metadata server unavailable due to {}".format( + url, failure_reason + ) ) content = _helpers.from_bytes(response.data) 
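Review bot: In `get()` in google/auth/compute_engine/_metadata.py, the new `failure_reason` assignment calls `response.data.decode("utf-8")` inside the retry loop with no error handling, so a retryable response whose body is not valid UTF-8 would raise `UnicodeDecodeError` instead of retrying and ending in the intended `TransportError`. The whole body is also copied, unbounded, into the exception message, which callers commonly write to logs. I would decode tolerantly and cap the length in the bytes branch, e.g. `response.data.decode("utf-8", errors="replace")[:_MAX_REASON_LEN]`, where `_MAX_REASON_LEN` is a placeholder for a constant the module would have to define. The `try`/`except` around this code starts outside the hunk, so which exception types it catches is not visible here.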
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index 8c0501b3ced76a3134c0282b7b6ce1f50781ed31..feb9c5fc55768eea62d5e0c7eba1f450d9e985e6 100644 GIT binary patch literal 10324 zcmV-aD67{BB>?tKRTE?7S+9oOK57_g(HdE<+RZW^!PSRV)4>9;{Q#2k$P-lU>D<`LzEiB>E z%$BdumDc@fkv`DVMEUEoM>#e%L`snLDCyGo?*g5qfok(>akaaPd{JP~xx5zCncYf- z7+Td>YU9ZX;shHECxh3r&$g{eZv@*O?e3QZpIQQ(5k3zew4S}tc@$8>cr%pb{&9iFGq1soN4#p04WJFV0osJ7HrgzpbUb2 zJxvpO{tI1mf4Jy7Ez3isqRP*2$qX&kj}{YYS}5kAj^RqRh5OJv7VOa{=e6VV1N%x- zv)tkQVzx|bYHnVZGXCDiq&^44p~CAOeYiyH`5wx7FrTTst zJda3wv;J>)q2WT<*HPip!jm#wgjV~vgK@AS9h7BbB-{++e{T4^6OJ?XH z0e*cG1x`To({12;1310l%8PwNwRW_D5H~uQ7ON19@J0w`p$ze2T5S`pJE%IHGd(kJ>pF-Jc-TsLh9t(ik!wOn)0HWtC>sBkThk-u*7z z=e1cW#E}jz>(X9U9FFm8EtBzH8^CC%Hs83@!Ku*%y_kLj;Hh0YAO-jgKnc13a%;B3 z@O&1#74ubLI!tj8$ILZ(S5GyTB;Y?erZq}P!qHoXlTn!3qV<$cDN|B#!|ziE0-1S@ zTamb>9i&~9iEsY*h!0jCg@ zu&ti4x@X|3W~21vvLH5LKz#&LrM~GZMrc$|@(Q3Qx(0^!og`~ld`$)++pqQ{Fzr@$ z77%8Ew5oI0-B^Ox^#^!r3y#^PlK={J#myw!eD4x?x5VpQR?Y>Nlnt_X8wL6Bn!;i0 ze_jYSUXJxK*4rsRn9BO122Py@8^6r9I|`uNhNNMXaqYL{x&Ih%8NHZTr*~gT1_pTV zVN{~jU8ePKUqzrbgO>vCZ;mD=zWv#2D6?PjAua+MJ!ebgKLEoot8+5Z7WztRYq8};xy#LzXbS--g?%5=mpRU;}5Y*ySKWhY+6 z$mBqz3=smujilHkNmbXuhO2381^nN%l-a|r=1(HIcfxFhl-*!GIS!0^q?DVM$NVzU zhKxgunM_1Z_~l@P??byJNf(-yy$<_nxxPlljQgNLZ-Ooknp4rH0bLIyZ74@Wf0?~h z-Rhyc%nktUgH;|&_`OhV?Rlth+I5EsA$|}Ork!2H?$jRmtDbdGg#cuGn|du3^_)ZD z6>iTF8$~1{dlyyxR|cfDwf2xGA~XqB zmfwpFG(c}v}eEOx_9`K2+dXBpp2%bh%9++!8kw`-jl(}{t)6^q`40s~3 z92_1b^JC3jwC#y@%q9#us^WMwK_72$I|AE@zh~d7{^5}il@akJWqLA%3q)Gv%We@+ zlYqw7zZP*1b`Rq1qJsg@%Qg`?Fa-du!J#-Unso6=kRDHylAvhI)h^-=pFWA?|2o;h zLk~#d-qps^l!+wtCfYL|3aK1U=n1N6?5Q5p<;*j^Mr>SltdeBbp#8!+nft;UL~@i& z(Jv&0w=Tt^GiW|>RNsTssDOfP`YZ$711BE1p$X3ckro!BO22K1kukHVGwMC4@iK*{ zNG^o^X##ZLja}Hl1aYY zxQ4TsGq>r`#<2TA(H}yfkR#HdRF+hDXib~!Z|+x`fKn@(Ip1*2QnZTxtdaNM)6um9 zZ?yvYpUx~AMxB}vl$NCDAw!&F5m0SLT#*)M4&`s1UZ=63{dQ*T34IjJO*FI z`L|GBvv~sng7Eh;J;LXq8UL}Een)birN)i-JiW&VCnAodvW49eL6|)OlkaYDgYoNa 
zVhXfCAPr4nlZ5oiye!Ey8gNW;y0W|ELqfh4+gOM6dE&cbl$}%~xk|Kskg_XR_YF{G zqZt)k-xjQ*EBZDcbQLbqxo?9sRdu`txJ@w}_Ei?&<`00lEC7XZHh_CZoA!kkNm(0% z(zls~z|-U7fxTe8Lf!fOPR+&Q{)m=l<>tPhNNw%!NSC{63?KbFotac65+xyYI#Ky< zH{#OmFZLqrE$(pD!0|DD|3otf1TkA?V7XzK1a2#}HPl{lh1%BSGSV*GB_)l`WaGoF zGPI!{AAAy0@`wP*5y$zbF*$hmrV&S$+s}9ET9wMg4`*5lDLZ|7PBctk*bsKvIw@;W zW35KXG%Fj+3)S39j`b+Vm5`iIt30VNM>&iAi22Rle_*!q^34!T5)v&SH}vxdAa55m zO@czi&c~uB34y+(6)?cQxaD5vG9vF6Ym8Ldm-e0C8ygwNF$M4iW!QwMA@>!($jCqnC}gcxY=fa`Ad6a4@ZcF)qsZ3AP@ z%S!DpP%sg(quuBA){&%%W^-l{ z0I9pEMO3mVa7(JxG-Edqe~Z1gO=n3|R0M`2@H+TJuIv9C;|$#AeNJlVf#CI!=I^%g zcpaKwHOt8qbb*V@iKJtn_<{NC{uIbN55n*lYwg+2lz~#rR$f|E&4fpDvVxP)+jw@e zW-rdJ^D-b3k%z_=f%Jya-L_LBv+&Zn&f!zxM>(M>N>=eMXyQ7|XFgtfrbNkeWa>6# zXb(WdAw`2oPL85BletbBy=4?L{oBL61X_I+{R{$CZzUvjCDpAWvbk&Wh zNzZ-dIU)Cz_b$BE+0HZh)KnkXd2j_`PqrFSN!XyNFCpoR^pIK`$mrLk+Gw^!20Uvn zgdE}~C~o~dc4%0|GEtxQd^X!k6acO#}N<<+HM= z8e;sPTfFA=_;_BV8+lBZgqEKI2j}q}$i9G8gJkP3Q&O|6NAp~1Uk?QhT~q(6O8GN~ z(2xNy=!Hkcyr+D0p_c0i{n3A=;BUSJlG$R~bN2-LCqN2aoZUa2eP}{x;=@xSpK&{l z*tIZzr{(>jG+EOInkRq$b>!`Y3j_Ro#ki?J6vWH|qnN;FgdXc@k z_&$1((OOW|;1NOsK_iAkST7?KE>d7s)w@&UiM`N|)Al9rM|j$tFu z{hETq12`3EUMX#xx%>W%^NNs+@7U&Yf`j6w@JBi^CcY(opa83R)8}%FIgDxMlV6ny z9V;k+`N1Xfue86KoUBC zr`r#MY}|#s>nG)cSNGB|ybJ_-RU~H+s-^`ACf%D+3#^|2GIW3kdcu!u4-ZB0M8p!=Zin4CX6NWJ82Jf?_46Nr~W~ zYen&;MrgQ8L#;IXPGiCB3SNdo!|LX9I4fzgiktFxY0jX;o#8NWD zJXQ1(FtJj+ZJLXgk9jD$T$Z2X@=RA)g6zEU9TDZ(R~}pgpxr$hS|+S3*xt5B?GRHc zZWub|v=~AMOYs+@07#jJ3CNs>!2`x;p?=5W)vkY6IU#`2 zXFF&w)Sku9*b%*tf#8=)G7FZkLkxwp$%NiqLAI-n`&$L%bB%~zMy8A0bw-&V7Q8-I z#7=id!I_BLfB|C7_CmVR1G}xJBzfdhab)tDKKL`!gz>}{^q@jUs&AXbkNK84>Y`XZ ziKCMsFhbRK#ZUHUK57WA4!thY_fJn_USzvSXuqQtO8DN&2f`Hb{YowZC6K?}>HHayeNquD+{n~N!iC0s54ii<4?#;*h{2(OLi?_gEJZz+y*4#E7PzR4$ggG zy@ZNAlIJ1)t6uq%Xhv0G-*d+JiJQ#F{jgWwH%!@YTqolOB6#c9vQU<)VoKy8<%9J# zWX+~bHtR95vuVv8ALV4Fq&TH4Oi!g?7#p?6lXXAk$rlHi?7_r-qQGs45~7Mrg?;w)kKUweyadvh8?v&hZ}>1u z#l3YnGs2MI3Nh;!@~o+HR+*-4mH58tZr97l`|zNy?zBMHWZ#s95aLZ&^R0qL-#Ffa 
z6&2;40b<@GT9Otq7mzkJRj%l@9c>AJYNl_kZkipy9JMh#V8(lTt+Cg_;_-?U15LWM z>L_oBq~JI0C*x{?%^?trwLtXv``e7UtPKK`uFyH9rx$gMtOc-PDFOxGT=#*VTQByf zk}D=NdihFEMk!wp0r}IiR9YU2fgnB6kz7#{#`h$|P%U1_7q|W4_`4I2h8Y&VO5 zX%LC=gexwSA0^Jg%uLpS{lGrSy>eTcjn5b_2a0BcwOzoKixW#x%Heu`@U6_#Zn+|v zsJOkp)DR5X-r&&nl#%j@m$=0(o#UU;nPL^rW3?i=#BjDF37C3U-vITH@Fp=d@u*^M(zWHn`7@oeRqfa%e|R@Riw9+c z?~m(vpRqQFoeU_0RbfsJDig%DRFOQ1WYWe>@jeagW%OO!9qnkJbkEwrthVegT%<994k`I0-ir09`wXxVxyb84??Lrdw-6UpJ zt2`CwxTNSs3+A?afIUDEtqqPB#wQWcV7^u14A>lL%rlAF!SF9tim_UI_d+0m5@o^s zR0ipw9(Z_9EZlEnx1$hGA)(-<@ExuYy;1pA=7Hp`B`V@1BfvVCFI>Dm7WwmHMpri@ z7>(1jF0nzUFxaU`^RA_K0+gZF?F`z?Pfksc&L8LMKq4p80GYnw9zKOuPNev;IL5H* z1oY!`KRs4wCpJP4;(8iqexw~*o)%;e9?Y6BCf+KCl95?r;LZadS7->&QbG=@*SP1 z0&BiLtY~JU*S6p5WDLxpw@&%EhY_$SMh$;|q;Jfb=N_=ih@8qKNZP0TJ;U|6w-D+K zi2le4-MRC4rM~zNzU^H>l|o=KkKRB76&ko;t_GOv3erY|pK-8x%``LQ8sA?!HXiue zYrnz$xkid*+ngkW6Lg}5S9hoo?*@`HP;%pAHAWV(t1T?F$ zK#S|r86lw{^_qMC1^`|n!(`X+mJl)V(EDy_G6D@N4vE{Fc7PWP)^~x;s!Os!$=LvK5FcD9tXij3M(p zCs+`DV>_U;E;oaLKL=@$R*9njgV9LI@%V@?i+;*3_9!->%-PD|vIL4#Zw0PLMFDc4 zaQ(8?RJnTG)15DYj(I8+uz}756OYgK2vO%S_h)ZN!5e+ry@XBa@ZyqAT_ zOcP`2yo9qobQM3enpp)clU>X&UjtKp~RsScSbI;gU3(G(H99^8;4(_9(Kd-2OF1NLJEsrN@I zk{#Ic-)W!hU@>U7IPRW6ignW9qZIUhS-b0eP%aw&pg(gTA*t22S&U7=FZ8KsG;?Zo zIH{PLKxECOU{-$Ch(9en4Y>`1cnC43gcispd z@Wv-Ru2Udde!)f_i3M+nfv?xkwuZlfUXE#97Fm5~AM|#sXSU0JS-IgL-<)x@=<77d zu#xW$`~Qc@XPceHPpE0SgCC7P2l&@v45TT!84Ga55SjvKW|urBMO;s-0mTYMgu7d5 zB*ZNqrPg|0N2s@QC*fdZmNWkUKrA`Di?vi8y3ZH-`dRy4O+rKxE(YJ~X_iJre7Lxe zl=1`_1?Y>8vLnBlQ5ym!HD>-`)x~RQD_Gy--jeKwFx zf(xoTeJHB(J0@rU?RvmbDC}om0MF%qhZZm3@W@CQU8jzFI-i=j-r6QozYA}7oie6# z>DW;is8 zbIh0o>|1wl^duYNwWF84EYD>~ZwW`)egc9#NTUjcn`9N|JcavkpX}d|KPY#0M`0BW z7}1*!d0UeSuQSNHSq)Zi!(;YWQO^19i($<=xAM5c#a3uiRN&J#W?g~hN_b1@rN;Q~ z9|9+76W}*{4gs$Lz*dyBF*3cf7yFdV6vTQ}DMZK&VWwYUA#p2zh&+#{Z}njNv+|Yz z?bCuW6>T(tRW!3 zyQRH*n`GT}lhN>f0$AfLjID4xk+TE|A{nV?Fy`4$n&Z;)gJsF8K1xe+rqarm5<*|9 
ze`oSzp+^_F6dwz##f1Ctc|04MJ%@uV;X5g)mg43zph00vLn}?hD!E+C*yO>TVu*9g)(mFbBVkCt}WvJ3uDJ;#hpi7H{?#EQNi^a=#>4NOjDK zn>rN52zuSvur&FcP_AvwFgC@Bn?0}>e2f>vv`h^SvXccQk#(aN^DxYhul$X1#~N-R zEr)K(u{#|yV%}NB>kzZDWYGG%&eLah)V5H^H5bNF%!}(avP}PYVi5w>&=A!3GwMEm zKGTPc@(~T1-})Lefq5Q$+HyLgR?}vg#S*IPGPVP?RvD5x?SgsXUu_tb3Yh>Pn4ohD z#&%+$dp^d+hAIzW)dPfR10-Wx94tHX#j_`VMI3t!yn*V$wml#`u~{WpYg0n}AQ#VI17e~em z?jbshEb;k9w)u+n>kYa&k|Tu>@l?_mJJ_bl>L&Nbl-h)7ddKV2zg^wzrpvVnpJzj8N9=k; zkM2QpPHoY7kTNj*f6V4bt6t?j3@rY0BnmNwg%K)s!KzfyRcv^0@#>(k3>^{sV2MRs zhRi_GC6}qJl1OM_G`v6#)%q3VW$<~aC@>{%CX(pEkNDfEJm=K?rD@gOqH8_N`Q>!3 zKoQChc)!eYQin(k>9XO9XGnz0@}4jQ+W)i2#WgGyG_hY@(-onX4MkY5ER+`qIDyiv zCvt#l@`YZ#k03V}k|M@K1LNl0&tO!(hLat3PQqTGo7@K@6rdoY@Sr(fi)&H5+ z#VPC|_W*@#xNKs-fSe`E#c<7!C(4{7?4&*Hhiw8}w5J1|U+FkmX1_^rHgM|vSgQWe z$>lc3RE@^h3?JE4R8xZqqtZ29M_P{t_$thJEDkTRanwvaD*#CUe0fWM-7A!20Sm4S z&!3b|2@W603mO9sEhR#0j^M(|nIWAFF1yoP_f8K^8!F^ct(iN_XO3uVn;zJa$(tEcCs9{uW8gJMa&EIC|#)%6a-hmgTEgj36u(d-=44aAQ)mo90yTaY?2ZFyYQ z&nBigrRKr@CTEJCj9u;FZWBCrH#uETc@*CwqY`nBaPC@62b`L(^GG;TVsTAcgvviPCAL3@@5UTlw{xyWjI3UDW}tl6aDY-HW@Yl zE8UmO?+M;vbGe7S#h_@NhpKw!Dz7t5XgE~qs%lty{r(|IKoaxYBrtNX8M>F@&V7Cp zcz4StMZ8Y+*W^U1VqZNeDZx!|~%T?{W?*BuXhd6gmPKCdz)ct5QiU^x%N_~89ID+;O{`f)C z`KPy>ADdbFp!DSaQZfyJh`@kgw7#q@uHOQjO zb{|Nwh$Y`;!3>$6BbQ+jz^0j%qjV86FoNy<;0YtI?FlG2Gv9Tea#j!^ zX*qvV2Z#k1b1e0mXV~>Oj?fCOiOv;?^cn#85!E8v#%JaIPWRf7mKy7ay91?T(UGgw zUWCHi;NHaQV;v{u%B(oqKz0WeyEt#gP$(3ep}f9T;i?BIAEP$TdaI=2`jh$FhR4I2 zeU;YkR+{M|Jbk0b{(A+kt&Dw@Oy{`fLKvA2Jk1EnL?oW^Kli%JSjClpKjHssPdYn0 zY@kdYp4Mu1*0~EmI$8Vfb}t;jpmOf)OfTdHCT+7E2ljdsJ0E958*_9XU1+_@MSl)0 zr~P{)dBDz3;zl-+sv^>tFcc{kd}fEbO%W=yv?9vFnoo`-bKKxMh7X;9Zl0OJGlp61 z1HB(6DER^F#=NR^$-tkc&XZ*Se6SS7J8Z7gPm~FD-fg2CW&ImfS~Imnf{bFj1Cp!X zCJN;Y9ND|XX93*(Z-zxGljhPVEvxs)0fG4^`0k6a=iB-H9wH>g_Jg&Z;bA0Kb8h;B z-47_~LuD^t5zAIVU&%S5kNn_gu3(*GxTtf(t!xE%PYiCF9iz7E%`FE|*^Gp=5ZaFB zn;i2$7)^^Qit564z|HJh(amgt=BjMBi$VYVLMxp--E)6SJ7g0&@HT)u83q%9Fy0lg zsOna2a>JH2{1aJW2D5x#?0#}3CMfAOv!^nEugk8(oeK~lL$eB2s(|%zQ}NoMbU2

yz;`mge$0jUT;J2`9CKeyo}$_OghWB- zJK@`h-d{}3an`kFdMg@eB(56e;kP2goW{1Gb~?5ucle`bNHI3d%F2I{ff{l3Qj88E zUZw}iCB|>BibDOFvjUAkXE)Qm8x07v3P-4y5m09&;5%2oB4E~Xy?SWYnq}~S3oZ8F zoX0>W&{CPl4B*tZIr~yh*Zg4z6^|niB}=Y2m6urb-Kyd+70!JiwfDldY9EpG^}=+Z zbSagG<~Ke!QBK~Cf<2ccgi!_pd-B!w$#-B)87G_0H#u8HC@*D!i)*LFX$XPze;1~l z`QL2pyyT(j3_XqwG$lEFHY1>dQ@a z08pCKUo4-q`|YlsNUQ8M^F6mW0ORue-lAQJgozanS??Mc0xYYbht2IQZ|pl%j;?h{ z2Xwpz2_4*~V^s_`7l-=wNhFR9RIte>`DvmWAoK8!viJ6;|^@>_{IVY z_r;!HHsVB8RU#bO+(-PWBN#LQs)KnDgtr*RH`RHirRmV zu@7lz@%0M5rB^@5npsSQ_K;1H0Dp_5I4H|AJB`lhS}seuUlfxShNf1UC^&d0EHzC> zuZe>Q`sP1{p%niQ2te5i$-J@As+noG6Mxg`4T@QQ=!uNe^zQ=6MeWTOy8>=*{}bsd!Glj9!20UE>m9Bs(rOLd&Lr{suU0d*x5hva)NCLSIm_?nq=vYI?9Kb7%ejBOSGZg1xo+}Li+X$R zAK1C$cq2I9m4iQW82|r`g59I!gkV|DPur#?twvDl9)|s+mqnwFoQdz+Nwyw8%Mgum zF}-8F!?}PxRebp`8wuhk!@Lc;rzRf#MjZTAO)!o?FV(Hu-E_WFE)$ ztdaUXJ}Ijg^`Maknwg$4io9}U`r{lWpZzuvG^8(43lG&PozK|xwxez0OC?-<-Hyqe zsGoE+cQ265k)SsHw~@60DQX;GZ-tw)LHv4-u)yBoWrtj0=>qG&8{W+w#g mbOeBrQZgGJ=!2A!B9BDjX6?mKRV}lJDKKl@k^082gV}R&-z(z) literal 10324 zcmV-aD67{BB>?tKRTB!(&JG)RP-uQH%*@a>xV#pnuEqYsa6>T2Kv4DZ22&EMPyk9` zv-iDkgnO=)I}mRUZs)r$n5)a-s|r=j7GnQl8gexM#}KcnCXU~-*Oba~13(SK-p_}w7h}t6>bL~* zJz4ESIwVZj-4$VCW+TTM{52EKOF7Tz4GX}q^{;PYWD0t zjnOe>+`M^ygB#%a8;<%>K+t2A)jv^!UqJYuUq_b$rIiZaXgjEa(=mGL+$Jsix&`?b z%>9fTQUktvRx_}}7>g8w!((|56kdC#hWvX@If3%zJfmm)?0A@;z2pt=l}g`xIZ8%Ek+$XC_;HV^&<)zJ936EFcl;mBg=H?f~mBYTEfPTC&4fU+SwW+qvvXB!)XI~jOlngb{{fn3AB37dLE~+IgFFY8sqWK!2j>Kwn#NrNQlrj62=X0|il}rkSq5rJIHh zLkoVPD&{AI>6JK~OWwN0R)$q#mhs`<;6@f9o&7MJ{Y0Y41uY@e=cEY!?5 zqbr=6ojaZuwGT9b#t+;5E*?;Y*^*2_@_#`%w7QVt<#21Rg;=1o>b>6GwFe~Tj#!2S z1#a30R5--4rDFVljj>_DL{*%OV{0mBdPGr5gB&-|;eRMZ17nfsfrLvx$a!f!ZL%AZ zg>E>}zH*mZVr+s7uhVD#CLyrYI&Kz)FOH8ICjzuk7S*rW?nnP}f%NBz)SDy2V`c|U zQQVQDJ&`AmrX!Rj&yhsv=Y*}N{YXEov;Xs~-11`eCOel&2~(kk0@XSe5HnJhfpr*H z;x|nx<$!fK20w<2aGzb>7gidp{19WqdX}Q>CX~)rjJ;rsifLkY)KTKkJn+j<(xQGJ zRZ;|3Uez={G5WtJnJ!nITgl1B@3Z&cl5TU%Mtb0gw_AyH6?TGOx^qWs=*$+m151mn zR@>+UFvGIc*#9d6IaxZg_QP3xCZ($qDVffe^I=g8ZpbEASdBPp&<>2nYGOlZ^$myi 
zi3d?*%p(yHW{RBvNqc8f(&H)P!d}nuH(@w`c-p1`F;QN?s49P5>(C$67H|ls3UW?h z5A4vQwsX7GJ8so;RLI&n=6ak?*hijoUT(#NjI`BQUqtz%9|>xo%UzPg;qrQK)=(bPvQv6!LcY?LS(NBj-!C-XLYMu{ zKLXHCn0SS_t>t(%?p!bFfN`I13;&sEL!;V;-V+vp0#k)M7$~{7AKY!nZU-@!R2W}`Z{_S5v4puy;R0k-qWPs!z--e_iJq(wuphG% zAh#ym*2H=Ss9{7DodLFr0q3n{GluxYsh~`P=vIwk{0K*gAQYvQ!*5o`7UO#d!x)l} zpv9>2IcwWMQP;Kpyc_PTFu(7dCx22D)Yci(Y-+gz<# z(5FSHbxw=t>9P79>b{v})^ZOR;UT3<$toQ<#`gq+=pBnOz-B`mlc^Pq?RDMqJf;nf z36cOkW=sD$9;Ro&4#b_Ybqr;>k^@pfLBGyUL!;kLKevC#mNnPS%AH7Cl@m0h9{BE}MG~N@?c;!IC&cFcf6s5Jn+xx7lePc*t3`^e*u=N) zfx{X-Mm$Zb&{-DQU%eJr=bST~k?VW*PcQ*5SC@?zF#4cf%*zN ze&HkhaRdT6J=a`RLVGix0xk?Vt^ZSb% zP(ml=&bgXNqeW#NG{yseRfzF|rgi0RE>w@K0?4=9GH32q^}dNM)wN6B=FDQp0A3Z3 zaHpUY&lE#1F3@iB;LmFsrCE|Rkm4wv%onXM3bkDvBEOkBV|hx6E5eQ?MtToq@4$a1 zflzzyZ1W@uigfjxhH^8L4;63uOUs9@X#QmNOiMqNu#ic48?DCTcwEZKtOJ@J9f^~A z4Q|d{eUeTnBTGt&Mr?v)111hi@C-;Vw;T;IRZJ-)kAaazXR1D}u-JlJ{aB4%Cbknh zdA0#}g?$ZPH8VRL*NuGb&^x%<2I;_ zi;KiL1;GHc25qrm{#CvIap<11XI&9yklVc?!4nj{i7tjGwo7Q-H5Uu$$_zZzWB{Vu z&h!`;cE%TxVZsV0Ie?40SV2CTC101N-!iXy&d|8iC8|xK(Z#@`=v_@u3Ef2p6@Zb_ zJdFP;+K>ni#K;iuZ)|ylYNZ5O4xP#A~+HNQjPGj)iVBY?z9B-T?i8=q!;R zl4rpHbPM~+ceHXgb54?_$DzVpZ~?*M3x7Fg&%opd8zg`>|y9sHVM%2jjz$FnA@F4qMVUZMj}b z{4D7^9eWx%T&rD~CP~OT_J(RPaLgfNO#?tQu&;WuX-Aw#blK{zhy8WqtWEq$Q;YDh zt1V9|ejk3;eNPr?|C13#!*vjOWSYPYe@^SYdysHFE2?jINL2{1&#Pe|qk=9bmI&N3EnLlF zhip0MHLfbzwm}m~H<@;WTvwK$=lN5q&41Sn%#Aj|Gtd|vObBm+d|F{Ema)a$B&7Iq zb7%p9<{T*Jm)ahI7cDk?Ydix*8aF3(B7`&_dh;~t>BxEshD*I^qqG8G&PE`=wA+gfzn(}(x_>MAp z&%E8t%+Z$au@H}FcSJXd%qAtZ)amMMA$k_{*?cS`3|#T}%GbA?LT{`Qxng{B`~b5& z>ud>H!XkL2+GxS=O?+z3!(-9Z;!D~#xN&81;VK=Q%$>CE{FmfNRlB-Ozl}QeUI(3^ znDknt7<=e;ziVXBH5~S~dzDU++>b&a>gsIPTrB*nqX1rG^UfGNLp3{9H<(=s6v;{sMc7kj)VYm4!i(YyB z(rVlSDmQ-pU!lfcBb%cjWnOsT3DSs<0;g7%J&K4NK6+$F^TkuRP4@c<*-vZ6d&Yjf zD1k8Lo!x8R%B@`MEmW4)*EoSQK_UWO1_pXKt^#~js`E90JCvx5?N{k1?Q#rC98Gxz zQz#nqtW^FdgGai^-TnpI=!^3AmJ8>|BzO9aU6O1AG`BLr@&5?FIS$OkTV2+rWkWXd zJd8iFl<*cHF2+H8hUd6%OIg9|a+RVCPWB`K`{b{pAnBTU_WBF7qel2RVB32QWPmvo 
z&lh{^1w&pY{EL;PGv*JTe+f<=AedD~LFVJ0g9*njh|$Q*Zj%@y%ON(5OOj4q^9mCP z(4yX#G(w^LmElpMaoO+AkFxgg+vZewMCdOLoby3yaL-W`oR7O<^ME2-X>Prgz<<6z zEMOZG&XLnkb_St269ouKzjfy+*r5Anw--&NOkOw~ggKecS!Ej-bi(%3dpTfV=&F#0YCk3b1Dof8%JQ~95vrUh{ zDS*xD9HXOO_FF&42#4BXalS~y+Vbz9EbD&z5up-uWR?whd>L(<_5zZdfetOxgp61a zpq%j3OK9?b0?5s33RCJ>Jy)`R`zJcah!>W@EIGq=S-n{4kZ@S-v2;YgBS(*xr_C$CcUg-~lsad7_Z>nQb{1X~9TYW!1UcRhU$ItL)}| zB&v~zB#)uszdqiOG|%q;QxV?U1hD(6Q2h%i8Ohsj!R~QcHA@UW+;X(6)$+s>yiUU8yy{ z7I;6MxydW_Be?Z;6t}G~v0VJ>`C(NZ1{ZUm<1E=nNb#;> zGc#DtzX0+S3oY$z6EI@$eF3JDjT-toPyWKcX{q5a85d)xU{1NZ77!Q2#_1xCLyudZJmEykuRbZ3= zQpGyGG*ff1;G#NA|0>T%1a!T+x(4X_i1>&`s5IFEvbUUz^l8e>@!fAYfnduBTh}q% zx5_-D{+}B!R*E?gNkz=kRuKjK^-*Pm_2@b(TG9GljLs!JO4U24VTq*|w5B*75JElE z{sW8v&jvN7H>~ozv9THGt}xdP_Dv^f2&g|3Nm})xz7bpn8mgPesp5MyqhZ~Hzvtb&|3 z)mx-B{WlC6z~t(=1UaL|f%3!dr7NE8s5~ciyH?^Xr7%%+AoCn1h4rXc}Z>EohdQ7cg6Xg^4N3iQ<`TcL02e?@PuHx3{p_f^DYzf!D}nlkHV+jV zgjGKN5vE6K9N@0un#9Be5O=2+wE5LBh6ns7E(Xcs?HT2iL^GnGAoZ37a0LLV@1NsD zKU@dpE`%zO+*EJhra8Y=9@X=^8@FFcw5M_;bQMj54tbPs2kxnm-rLX0?~D00;hj+p$U6*gbT zIBUb7FJ&?PS1V(b5NKnbTeWz0{`oZ)=^;7BdQC1Ex14B|^u^DY7Vd}Pd^mtF)$SRc zxUO0_h>if3!yG#sy<LXC4k48kIAC61%6=`Lf?sp7#*lKK2H~Eg4)OP59BSN@lAYhXW6(1NS7G z*NIF>i}G9Td~1F(+fY*T2|gVX{QKQB2w3>sQPYrl`PV$NCmKqN&ZCtlc~^0p!bA6J4i?j0;1mTrJc z5wQ=e0mFl?^hZo{7%$x(y{s3i(g00Id=$Z)Lr+pcjt7t?pwQ333JqugS6Irp1`gLl zTH_*SBnC^oTKhSnQpRyf*y?eyg1}*^lPGf?vCB5!QP9_UO7VxdTZeIb14p+Hc7Pyt zkALWU2H>2S?7l=7V8S$D&D6_<4jFyCXo#0r{F^aon@wWG)%3#{ub~J@W%ZM zhaVDF^oJKGs31cV2bx-H{%_49JiK16AL&aAZE%7<6SO@z^~k)ye~)f3EhCGYLNmzd z!z#FoD#UTl6Je$S&_e$m+@s!|TyX1C(JZ*bT+flODDsojwqmfYKN8?aJM+(^QkH2* zn@hqWmPk(fNPSZjFw%HD#}y4C%=&wxb6qLlr9Saov9#^@K-cm`)vOL!6Qd)ZOaZT z36(nfXQXF_1Iq42VwkrU#4iX#9aQlQ(H-HFGAl>d5i&!RHB$o-ySiV=55`5X!vyE= zacKlQ=k>C5j25L+NE@M|o8lig2T&ba6vm)v6_Nt-|JsygNjHjKb7}ekAjE4Y0YS%G zb$mIA0Ns(+V3!paS|?tGXW2dJtND1|);;o5Z;zRy4tP|yddy>6y>d6tGjT3U&zwqe zbL{!A%gWGc3(gBlHZF#YHNy8l*IFwlJ&(`$CIt(^B=2_6$6%;PNiyHhJ%_wmoW^56xx5M5^Sdy?<&iY=cX}T 
zG`yMjH`V=Yr(BhMQ2ngUz&&^3+1|Q~7X+v7TRCa(iXT0@*ptphmpCs_9jTh=F?8#a z8+1vq4bZf+FI`ig*gFY(T>})`grk)M186`f^UY&ml`j`CA03n@;ekPt(;ft#_ zyEv3?Nbb?^o^GFZj!O%7oXt0;xg{KCX&@pYJi@({kq+o61iF8T7+;bSx#Np%08LjD zc^aQ9(g5-t))~LB^h_U+h_;?Jlw=no<|x+}>|@GH&@-XjS$lozxAdf)LgWGG%`tJ@=nE0nx!|?ZAex5UGbN}7 z$pf&%FqVwM-Z506&&BNlPm&Ul48y*$^3YE2;*?%T-Kjd4C^(fACW}#t%DI#=3G&#Z zP^2eagU1pb)2kog`kPK`s+4nx<}^f${9P2ot#4)&MllNd;|7?~ zENx|g#ID7Gfa{Z?b3l@k-_S~gKlSN-m=M$S`Mh+^7Gfg zo6UPxraU)f)}paH?N^J#kOYgdhy-TkyyCq)nn3@iCP2@m z!oEfyfrUMRISzD;{z-^y$vH9`qgb}Ket|bK3_xoOQjdIv1^FH8mqx}10?~57w#b<} zPdXg*BWzkOHx>)Gfkxe42M1-8=tC-?zl#*cOMvX|iPE(5WC$&iJe1^Udekh)GAf_~ zF2IIF+xLS=^|zB!9`|UsiB>#+)f{Wd%9Eft>CZAU9^`x0v0|u$T@(i8QlMgUk74&1 zK7PV1=TXJl-o;&HL!kcOIc6q4_}&Jb$Yldu zIyFTw?dbM`DZ70qNgE22j_BZNWNAJ5d=)_HbJtaM}$9P zLS)vL=fU{ssG|`O(jY5w?c<#)`uy4?7aBLiu>_p>@8$+9{csI%U&S8K!86mZo<9bR zkbw@hE7wC=K!LhWH?eLtds&u;Nd_gWFdywj=tFIq{HJ0SPsGJotO+=~iZ@9XBRCw2Kjo)>c-@xGE#iTIA6 zCny!Htq@-FpN2WqxoDQOj8;F=Y$PIHE?LL1{_Qt1-)wFTFH8Z^VmK|`Q}Wl_GwuX) z@|>q)q(-GTS(xv?tb@7Yz(bMeUy;l2372(Y{H)HOL)DuO5t8pKmq5K%Zhd9Ak`!vC zePEzsBU=lJq|E`}9Lz8;06;u}GGj9+bl;Cji7WEPX)*B6Ws zHb-))!9tS-vTG4WY&gSYDR{0x&qI*OWaO6*8n{y}zg9#k3Kt}Oey|sXq}6`n{8t8{ zP&hRN4uzg6C%E2Ms?3elKkPbq)jMIlWOI?{VN~PLB?&YLE#djYnZ-WJ&z? zU@rE+>}*ozJzo%g`}s{f0{4-9EfS%y+HRPQBVV4-T}C{juaKmNQg-)ZUn7)2p)u_M zv=iPs*D*|TqIEMakcZ8O%2npSbhV@Cg)Sx+2W1rFxp!IY}k7@)~}+&8bjYTXm867upa6?*$v|#Ei*f_D?AkSGn-=S7=j|$gcFY5~ zbYyXB2|U@VZ(AhPtN^{7q%~XoaFq>*knqQ8QO&fM?-v&PNQHO!QKE5vyjakZ6`a_T zhKXZ6#H9jwxfZ=8;MZvT(>V;^>GJ&P@%tmMY|y)}hl}k+!SZ#@rkGq)vZW}1xUy8I zVmG-EY@G$+-2i@Jc#uB{fqAeylk zsfm=p?;oJI{$MrPmO(cX>C({CHCZscrJ`F90?!HFMkU@~icuWn6Di(>nA=uCVlKV| zntRlCN1C#|WZ$p^b7mIadJXD#w>afL9@z1hy;<3*F={Y-?EtusSZDmrxMw??ri8u$ zhl9VMVZwUT2yR?-!5nL%xM+~8u3<*V);jkOCgWuPNU=KvoZ?|H?F8=YrTmUT4{leu0EMe5tRZ! 
zmP@Ln38*&5-CUymvSR-KAkHp-y*xN z$P-o{r)QOb+|OyL1gN-J&;t}b_uLo-#JY=6>d;hcg?2)K3}%gO?-m!lj6_TmHG7S6 zSA&^wO!!}8HvkycbNF9na@cH~>kHI0v78JAFehbxA2QBF$)csBoBK!Sc5w^-_-lGk z*xbdUJ9*}VGBb)Uj={`|o{igRLJKiWkg6mY1AG22cjzKj(w7W`u#%sCjb zE5sJN&8P8n$#89S@jI%!mf3lM5*7{p2ZVFSC5*etC3C*d={hoMB6<8UXSq5T6-84% zevg&9A~4hSbO9{#ztp+S&N#{_&zt`Z(T^APti%GL&;i+M*pYNt^iA%GoUMhDg?=^W zf@C~WXqHgxhKr!V0l~YJ>-X4$|Akbw9@^_(mQmd1?FO;i`WjV~gn@7!T)E(zfxsnK z1QGt(0aTb$J~9XdroHuYjq_Ri^jXd3iMC+~pmR(E=)u#lz@InMbPh8J75Dw}*UNnH zj|<=J{x8Y_86KEXmErheLS>sqj)hq|k*@PFY0E*t+hYMunJ8{qjwMfPzdHTW`%Ti@~1FJ3-}0xvhnVUFP8Llv>mx}99bS=#)DYG ze&9P>wZ1twD!!4G{UB3L_HN-hh?7cfy0sU;>f)UferY022(w`cwzlU|FTa!5tpV4# zijJpLM~VNiEy|E~1g#kyVDD#;mh?#<_5KNPX_AZa-)et~3xwdFVo^I_?3c+a=I5ipyuP8#4 z_7STfR!i{XRK0JUh$^R5v1kq_XrH{HO|&K`w4h7v3y=@=ll$u mF(4}$9ULXN^iInW!+xecs9&82H->8O#L5|UrX=*SdGDl1zSU#^ diff --git a/tests/compute_engine/test__metadata.py b/tests/compute_engine/test__metadata.py index c5f80d897..7c028eb62 100644 --- a/tests/compute_engine/test__metadata.py +++ b/tests/compute_engine/test__metadata.py 
@@ -344,12 +344,32 @@ def test_get_return_none_for_not_found_error(): @mock.patch("time.sleep", return_value=None) def test_get_failure_connection_failed(mock_sleep): request = make_request("") - request.side_effect = exceptions.TransportError() + request.side_effect = exceptions.TransportError("failure message") with pytest.raises(exceptions.TransportError) as excinfo: _metadata.get(request, PATH) - assert excinfo.match(r"Compute Engine Metadata server unavailable") + assert excinfo.match( + r"Compute Engine Metadata server unavailable due to failure message" + ) + + request.assert_called_with( + method="GET", + url=_metadata._METADATA_ROOT + PATH, + headers=_metadata._METADATA_HEADERS, + ) + assert request.call_count == 5 + + +def test_get_too_many_requests_retryable_error_failure(): + request = make_request("too many requests", status=http_client.TOO_MANY_REQUESTS) + + with pytest.raises(exceptions.TransportError) as excinfo: + _metadata.get(request, PATH) + + assert excinfo.match( + r"Compute Engine Metadata server unavailable due to too many requests" + ) request.assert_called_with( method="GET", From 34ee3fef8cba6a1bbaa46fa16b43af0d89b60b0f Mon Sep 17 00:00:00 2001 
From: Brian Jung <65934595+brianhmj@users.noreply.github.com> Date: Fri, 17 Jan 2025 03:34:30 -0500 Subject: [PATCH 2/4] feat: adding domain-wide delegation flow in impersonated credential (#1624) * Adding a flow in impersonated credentials to check if a subject is specificed for domain-wide delegation auth. * Adding a flow in impersonated credentials to check if a subject is specificed for domain-wide delegation auth. * Minor fixes to dwd flow in impersonation * Adding a flow in impersonated credentials to check if a subject is specificed for domain-wide delegation auth. * deleted repeated * delete repeated code * Fixing where source credentials authentication header info is, and target scopes. * Formatted code to uniform standard * Fixing lint and coverage failures from kokoro tests --------- Co-authored-by: Brian Jung Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com> --- google/auth/iam.py | 5 + google/auth/impersonated_credentials.py | 101 +++++++++++++++++++- tests/test_impersonated_credentials.py | 120 ++++++++++++++++++++++++ 3 files changed, 225 insertions(+), 1 deletion(-) diff --git a/google/auth/iam.py b/google/auth/iam.py index dcf0dbf9d..1e4cdffec 100644 --- a/google/auth/iam.py +++ b/google/auth/iam.py @@ -48,6 +48,11 @@ + "/serviceAccounts/{}:signBlob" ) +_IAM_SIGNJWT_ENDPOINT = ( + "https://iamcredentials.googleapis.com/v1/projects/-" + + "/serviceAccounts/{}:signJwt" +) + _IAM_IDTOKEN_ENDPOINT = ( "https://iamcredentials.googleapis.com/v1/" + "projects/-/serviceAccounts/{}:generateIdToken" diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py index d51c8ef1e..ed7e3f00b 100644 --- a/google/auth/impersonated_credentials.py +++ b/google/auth/impersonated_credentials.py 
@@ -38,12 +38,15 @@ from google.auth import iam from google.auth import jwt from google.auth import metrics +from google.oauth2 import _client _REFRESH_ERROR = "Unable to acquire impersonated credentials" _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds +_GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token" + def _make_iam_token_request( request, @@ -177,6 +180,7 @@ def __init__( target_principal, target_scopes, delegates=None, + subject=None, lifetime=_DEFAULT_TOKEN_LIFETIME_SECS, quota_project_id=None, iam_endpoint_override=None, @@ -204,9 +208,12 @@ def __init__( quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. - iam_endpoint_override (Optiona[str]): The full IAM endpoint override + iam_endpoint_override (Optional[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. + subject (Optional[str]): sub field of a JWT. This field should only be set + if you wish to impersonate as a user. This feature is useful when + using domain wide delegation. """ super(Credentials, self).__init__() @@ -231,6 +238,7 @@ def __init__( self._target_principal = target_principal self._target_scopes = target_scopes self._delegates = delegates + self._subject = subject self._lifetime = lifetime or _DEFAULT_TOKEN_LIFETIME_SECS self.token = None self.expiry = _helpers.utcnow() 
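Review bot: In `Credentials.__init__`, `subject=None` is inserted between `delegates` and `lifetime`, which shifts every later positional parameter; an existing call that passes `lifetime` as the fifth positional argument would now bind that value to `subject`. Because `_update_token` branches on `if self._subject:`, such a call would silently switch to the domain-wide delegation flow with the lifetime value as the `sub` claim instead of failing loudly. Appending `subject` after the existing optional parameters (the docstring already documents it last) or making it keyword-only keeps the signature backward compatible. The signature and the constructor body continue outside these hunks.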
@@ -275,6 +283,39 @@ def _update_token(self, request): # Apply the source credentials authentication info. self._source_credentials.apply(headers) + # If a subject is specified a domain-wide delegation auth-flow is initiated + # to impersonate as the provided subject (user). + if self._subject: + if self.universe_domain != credentials.DEFAULT_UNIVERSE_DOMAIN: + raise exceptions.GoogleAuthError( + "Domain-wide delegation is not supported in universes other " + + "than googleapis.com" + ) + + now = _helpers.utcnow() + payload = { + "iss": self._target_principal, + "scope": _helpers.scopes_to_string(self._target_scopes or ()), + "sub": self._subject, + "aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT, + "iat": _helpers.datetime_to_secs(now), + "exp": _helpers.datetime_to_secs(now) + _DEFAULT_TOKEN_LIFETIME_SECS, + } + + assertion = _sign_jwt_request( + request=request, + principal=self._target_principal, + headers=headers, + payload=payload, + delegates=self._delegates, + ) + + self.token, self.expiry, _ = _client.jwt_grant( + request, _GOOGLE_OAUTH2_TOKEN_ENDPOINT, assertion + ) + + return + self.token, self.expiry = _make_iam_token_request( request=request, principal=self._target_principal, 
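Review bot: In the new `if self._subject:` branch of `_update_token`, the assertion's `exp` is computed from `_DEFAULT_TOKEN_LIFETIME_SECS`, so the `lifetime` the caller configured (stored as `self._lifetime`) is ignored on the domain-wide delegation path. A caller who shortens the lifetime to limit how long a leaked credential stays usable still gets a one-hour assertion here. `"exp": _helpers.datetime_to_secs(now) + min(self._lifetime, _DEFAULT_TOKEN_LIFETIME_SECS),` would honour a shorter value; whether the issued access token then follows the assertion's lifetime is decided by the token endpoint and cannot be confirmed from this page. If the value is deliberately fixed, the `subject` docstring should say that `lifetime` does not apply to this flow. `_update_token` begins before and continues after this hunk.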
@@ -478,3 +519,61 @@ def refresh(self, request): self.expiry = datetime.utcfromtimestamp( jwt.decode(id_token, verify=False)["exp"] ) + + +def _sign_jwt_request(request, principal, headers, payload, delegates=[]): + """Makes a request to the Google Cloud IAM service to sign a JWT using a + service account's system-managed private key. + Args: + request (Request): The Request object to use. + principal (str): The principal to request an access token for. + headers (Mapping[str, str]): Map of headers to transmit. + payload (Mapping[str, str]): The JWT payload to sign. Must be a + serialized JSON object that contains a JWT Claims Set. + delegates (Sequence[str]): The chained list of delegates required + to grant the final access_token. If set, the sequence of + identities must have "Service Account Token Creator" capability + granted to the prceeding identity. For example, if set to + [serviceAccountB, serviceAccountC], the source_credential + must have the Token Creator role on serviceAccountB. + serviceAccountB must have the Token Creator on + serviceAccountC. + Finally, C must have Token Creator on target_principal. + If left unset, source_credential must have that role on + target_principal. + + Raises: + google.auth.exceptions.TransportError: Raised if there is an underlying + HTTP connection error + google.auth.exceptions.RefreshError: Raised if the impersonated + credentials are not available. 
Common reasons are + `iamcredentials.googleapis.com` is not enabled or the + `Service Account Token Creator` is not assigned + """ + iam_endpoint = iam._IAM_SIGNJWT_ENDPOINT.format(principal) + + body = {"delegates": delegates, "payload": json.dumps(payload)} + body = json.dumps(body).encode("utf-8") + + response = request(url=iam_endpoint, method="POST", headers=headers, body=body) + + # support both string and bytes type response.data + response_body = ( + response.data.decode("utf-8") + if hasattr(response.data, "decode") + else response.data + ) + + if response.status != http_client.OK: + raise exceptions.RefreshError(_REFRESH_ERROR, response_body) + + try: + jwt_response = json.loads(response_body) + signed_jwt = jwt_response["signedJwt"] + return signed_jwt + + except (KeyError, ValueError) as caught_exc: + new_exc = exceptions.RefreshError( + "{}: No signed JWT in response.".format(_REFRESH_ERROR), response_body + ) + raise new_exc from caught_exc diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py index 0fe6e2329..8f6b22670 100644 --- a/tests/test_impersonated_credentials.py +++ b/tests/test_impersonated_credentials.py @@ -71,6 +71,17 @@ def mock_donor_credentials(): yield grant +@pytest.fixture +def mock_dwd_credentials(): + with mock.patch("google.oauth2._client.jwt_grant", autospec=True) as grant: + grant.return_value = ( + "1/fFAGRNJasdfz70BzhT3Zg", + _helpers.utcnow() + datetime.timedelta(seconds=500), + {}, + ) + yield grant + + class MockResponse: def __init__(self, json_data, status_code): self.json_data = json_data @@ -123,6 +134,7 @@ def make_credentials( source_credentials=SOURCE_CREDENTIALS, lifetime=LIFETIME, target_principal=TARGET_PRINCIPAL, + subject=None, iam_endpoint_override=None, ): @@ -132,6 +144,7 @@ def make_credentials( target_scopes=self.TARGET_SCOPES, delegates=self.DELEGATES, lifetime=lifetime, + subject=subject, iam_endpoint_override=iam_endpoint_override, ) 
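Review bot: `_sign_jwt_request` in google/auth/impersonated_credentials.py declares `delegates=[]`, a mutable default shared across calls, while its only caller in this patch passes `delegates=self._delegates`, which defaults to `None` in `__init__`. The request body therefore carries `"delegates": null` unless the caller supplied a list, and the `[]` default is only exercised by the new tests. I would use `def _sign_jwt_request(request, principal, headers, payload, delegates=None):` and build the body with `"delegates": delegates or []`. The docstring also has no `Returns:` section; it should state that the function returns the signed JWT string taken from the `signedJwt` field of the response.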
@@ -238,6 +251,28 @@ def test_refresh_success(self, use_data_bytes, mock_donor_credentials): == ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE ) + @pytest.mark.parametrize("use_data_bytes", [True, False]) + def test_refresh_with_subject_success(self, use_data_bytes, mock_dwd_credentials): + credentials = self.make_credentials(subject="test@email.com", lifetime=None) + + response_body = {"signedJwt": "example_signed_jwt"} + + request = self.make_request( + data=json.dumps(response_body), + status=http_client.OK, + use_data_bytes=use_data_bytes, + ) + + with mock.patch( + "google.auth.metrics.token_request_access_token_impersonate", + return_value=ACCESS_TOKEN_REQUEST_METRICS_HEADER_VALUE, + ): + credentials.refresh(request) + + assert credentials.valid + assert not credentials.expired + assert credentials.token == "1/fFAGRNJasdfz70BzhT3Zg" + @pytest.mark.parametrize("use_data_bytes", [True, False]) def test_refresh_success_nonGdu(self, use_data_bytes, mock_donor_credentials): source_credentials = service_account.Credentials( 
@@ -418,6 +453,33 @@ def test_refresh_failure_http_error(self, mock_donor_credentials): assert not credentials.valid assert credentials.expired + def test_refresh_failure_subject_with_nondefault_domain( + self, mock_donor_credentials + ): + source_credentials = service_account.Credentials( + SIGNER, "some@email.com", TOKEN_URI, universe_domain="foo.bar" + ) + credentials = self.make_credentials( + source_credentials=source_credentials, subject="test@email.com" + ) + + expire_time = (_helpers.utcnow().replace(microsecond=0)).isoformat("T") + "Z" + response_body = {"accessToken": "token", "expireTime": expire_time} + request = self.make_request( + data=json.dumps(response_body), status=http_client.OK + ) + + with pytest.raises(exceptions.GoogleAuthError) as excinfo: + credentials.refresh(request) + + assert excinfo.match( + "Domain-wide delegation is not supported in universes other " + + "than googleapis.com" + ) + + assert not credentials.valid + assert credentials.expired + def test_expired(self): credentials = self.make_credentials(lifetime=None) assert credentials.expired 
@@ -810,3 +872,61 @@ def test_id_token_with_quota_project( id_creds.refresh(request) assert id_creds.quota_project_id == "project-foo" + + def test_sign_jwt_request_success(self): + principal = "foo@example.com" + expected_signed_jwt = "correct_signed_jwt" + + response_body = {"keyId": "1", "signedJwt": expected_signed_jwt} + request = self.make_request( + data=json.dumps(response_body), status=http_client.OK + ) + + signed_jwt = impersonated_credentials._sign_jwt_request( + request=request, principal=principal, headers={}, payload={} + ) + + assert signed_jwt == expected_signed_jwt + request.assert_called_once_with( + url="https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/foo@example.com:signJwt", + method="POST", + headers={}, + body=json.dumps({"delegates": [], "payload": json.dumps({})}).encode( + "utf-8" + ), + ) + + def test_sign_jwt_request_http_error(self): + principal = "foo@example.com" + + request = self.make_request( + data="error_message", status=http_client.BAD_REQUEST + ) + + with pytest.raises(exceptions.RefreshError) as excinfo: + _ = impersonated_credentials._sign_jwt_request( + request=request, principal=principal, headers={}, payload={} + ) + + assert excinfo.match(impersonated_credentials._REFRESH_ERROR) + + assert excinfo.value.args[0] == "Unable to acquire impersonated credentials" + assert excinfo.value.args[1] == "error_message" + + def test_sign_jwt_request_invalid_response_error(self): + principal = "foo@example.com" + + request = self.make_request(data="invalid_data", status=http_client.OK) + + with pytest.raises(exceptions.RefreshError) as excinfo: + _ = impersonated_credentials._sign_jwt_request( + request=request, principal=principal, headers={}, payload={} + ) + + assert excinfo.match(impersonated_credentials._REFRESH_ERROR) + + assert ( + excinfo.value.args[0] + == "Unable to acquire impersonated credentials: No signed JWT in response." + ) + assert excinfo.value.args[1] == "invalid_data" 
From d049370d266b50db0e09d7b292dbf33052b27853 Mon Sep 17 00:00:00 2001 From: sai-sunder-s <4540365+sai-sunder-s@users.noreply.github.com> Date: Wed, 22 Jan 2025 23:15:50 +0000 Subject: [PATCH 3/4] chore: Add warnings regarding consuming externally sourced credentials (#1655) * chore: Add warnings regarding consuming externally sourced credential configurations * update syntax * remove in ADC * period * make it warning * update warning syntax * update secret after rebase --- docs/user-guide.rst | 11 +++++++++++ google/auth/_default.py | 22 ++++++++++++++++++++++ system_tests/secrets.tar.enc | Bin 10324 -> 10324 bytes 3 files changed, 33 insertions(+) diff --git a/docs/user-guide.rst b/docs/user-guide.rst index 3545a8a31..04dffaf89 100644 --- a/docs/user-guide.rst +++ b/docs/user-guide.rst @@ -29,6 +29,17 @@ that supports OpenID Connect (OIDC). Obtaining credentials --------------------- +.. warning:: + Important: If you accept a credential configuration (credential JSON/File/Stream) + from an external source for authentication to Google Cloud Platform, you must + validate it before providing it to any Google API or client library. Providing an + unvalidated credential configuration to Google APIs or libraries can compromise + the security of your systems and data. For more information, refer to + `Validate credential configurations from external sources`_. + +.. _Validate credential configurations from external sources: + https://cloud.google.com/docs/authentication/external/externally-sourced-credentials + .. _application-default: Application default credentials diff --git a/google/auth/_default.py b/google/auth/_default.py index cdc8b7a64..1234fb25d 100644 --- a/google/auth/_default.py +++ b/google/auth/_default.py 
@@ -85,6 +85,17 @@ def load_credentials_from_file( user credentials, external account credentials, or impersonated service account credentials. + .. warning:: + Important: If you accept a credential configuration (credential JSON/File/Stream) + from an external source for authentication to Google Cloud Platform, you must + validate it before providing it to any Google API or client library. Providing an + unvalidated credential configuration to Google APIs or libraries can compromise + the security of your systems and data. For more information, refer to + `Validate credential configurations from external sources`_. + + .. _Validate credential configurations from external sources: + https://cloud.google.com/docs/authentication/external/externally-sourced-credentials + Args: filename (str): The full path to the credentials file. scopes (Optional[Sequence[str]]): The list of scopes for the credentials. If @@ -137,6 +148,17 @@ def load_credentials_from_dict( user credentials, external account credentials, or impersonated service account credentials. + .. warning:: + Important: If you accept a credential configuration (credential JSON/File/Stream) + from an external source for authentication to Google Cloud Platform, you must + validate it before providing it to any Google API or client library. Providing an + unvalidated credential configuration to Google APIs or libraries can compromise + the security of your systems and data. For more information, refer to + `Validate credential configurations from external sources`_. + + .. _Validate credential configurations from external sources: + https://cloud.google.com/docs/authentication/external/externally-sourced-credentials + Args: info (Dict[str, Any]): A dict object containing the credentials scopes (Optional[Sequence[str]]): The list of scopes for the credentials. If 
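Review bot: The warning added to the `load_credentials_from_file` docstring tells callers to validate an externally sourced configuration but does not say whether the function performs any validation itself; the hunk changes only docstring lines, so the loader's behaviour appears to be unchanged. A reader could take the warning as describing a check the library applies. I would end the warning with one more sentence, `This function does not validate the configuration it is given.`, once that is confirmed against the function body, which lies outside the hunk. The identical warning added to `load_credentials_from_dict` in the second hunk would get the same sentence.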
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index feb9c5fc55768eea62d5e0c7eba1f450d9e985e6..3f239d76ba8e0d9d20e3782b10fda01fa851f9f8 100644 GIT binary patch literal 10324 zcmV-aD67{BB>?tKRTDkFJZid&T1Rkq+JJ3q$7LERkB5H=BJZ0looT;3~UtdvIH^NwB8UDnR;Qw88dYnFW?s}o@% z?;(S_o9EBc6lB!ji2Fi};Ax5G z3K$uJWnYEi^j98@Z4N)*s_st*a5^)UZLA%_& z2o0LlxzTQL%RyaQPmvZjY-SpAPh_z*Ri6F$BL|)gkgwsMTVQ8N$3&Z9a}Dc%g>$Bt z$w}ie1>nmCHV%0M_P_rz6PPuS&nsB5nRveWAilbj<4FXX(%FRc ze{SWnhrJ+>`h+-B9fQ<%a?l&e5tpX9fXFa!1YNp#D}wzLG#A#;ZPI`)G)v-ley2-3uKMJ_KszoNnK#PGk@QPESoC8YD-`2Pv!y>!Hx6 zcu*}Td@aG;tkE=P_F`kyjd}Rieg)+cS~kesH)X3zD#@p5k!whbS}rrI=v4FfrV^5 zf(q5=j#Dq-t;q_tm}(&tYjJ&=5rtUQQ%mIX<I<)z2c(&!-DcrO#`=_z6PiOASxX`;+Pztspbxk!G-K8LgH!$@PzLuAQ z#bf#*OvhEGmc?|DYe+ZNMBX~<6%E%8WAw4PfC)aF-rU4VgQLm-jCAdS5Of_mL_UTy zuq>&FXaRD_d#eP1IiduKsO@x^joOBi10@d5?@}-#O!Zahm}K~si|m&k?8?NxZTW6y zj)LAQNYydYx^2_m{CiKRR`;eeDI>2*=H3XGNcwaish^{8oo zrUZw7OyUm;*3aE(^AL5d;!MqJ(K{T6w9o+)Bb6gD1HmvpKq3A#Gh-fCt*{u@85kgx zfWQQ6gwyCTH3%A3q_0n#gOw_kEHyTJN*$JG2ZMAkgHqX5f1}qnAJLDuAD>$*(m)TTq28ugrPMas1ps($Ov&H(G#0L(OJzNR=bmQ1c|9qa16}m(~m0}&H z)7>6zik%_TQp74mN3)Vzgf(UE2VI*9ID5XX#g;-mvOQO6O^OVdt<32-W&qwX{_exK z!D;NRHJaI0dR)Ox3fE19A<@qe9BLirbd6+pu@R_G8ZNoXxC;q}&C+jBV{)wBa5&ZF zW#x&^6JJJ8Z0drmEB!jCmEq+|;>%~!HyA!9lQ5RG8Bi6UZeCpwl}JEIaHZ>>J|qwi zOtMTjELJ(A$e16k67$LkL||tW^g$>vTbGIJoN7>hdNVY>C=V8Lq!aSxuMF20(DL4= z>|wOBd3~~2BI!cSP+E}=qNbge-C*zL-L40D?QZNLAU#C>Mf2h&|8;N42-(Fu?jqzi z!RXnQ>WZ$BOe7vQ_z_8TrJVM5Inpt_U;tG+i)nWsmbFYA5cY)@F#BI32?IfA;25%& z5Tb^ygW-ThoZdD$K%R@jxE|=^xma1XxMby)E6D!e&USz&@mVebAA)V9vgsw*j<*qG{@O&P&84}8x#n!_| zbm;+8!vA+vz+E;B4Smj}CpE!6s$S5H489u4Il?K3_eRPUU_se-DBbc!&BHaWXntKe z6eK*Lehf=$%aR(UrY(xFPT@eJXwTI9jLa+>$(NoG@UgGSL$l~C{nmZwb*U1=$7e{6CH3uzS=2Z{ikE~HMnhh zbg(hOK#6fqrGVYCeu3WF-b=~k^~{5KU`Nz>SE(MOA|8S*zir* zM0*2}VALvG@#nJ$(8xwuf_o#ji|v@q@#U)(hm{HX=R&_8H%GYGvMU%g%J34Icwo?z z3>oAXd)n$`m>(PY=}Sg6Gf^*E7!9z2UY%}mU*V=@ZsY!`HxM2a*TY1&^oXeG37-O~ z(9nk)ZJHm}!SidlZE(J+#T+?PY2x)g^`1R;)mdl0hSn^>HvrOb=$R`NEWPT;Wh!=3 
z&4OT~-u@nbjUkiSppQ=YH_s+;$jidF zA~AM}36o}h79TsXD`Uko9y^thCts0wH)@CuCh3d$D3Q${2w9dg?tVrKeMR(MJGEX- zz_m4l2}gq-ZdtXC+rP-1OY3Vnq_PWK=L)*kWmpoiAEd5f47HV)lk+U{#~|Rc*NQ89 z&hSB$dF?!O7%d3lIXSaUHzc7{1A@iteLCUepZ&v><_yjn(YN}9PhbZQyK)`$eRZee zeHDXOeIac~!%s{eaBXss68I`D%@*h9xuT@uQ zf%VA*v>pYUS(Ag9ZR3_88GV>;AB=eQqC(u}9=jvHW|;b$;ZA%-1eq**+6&4EHMRD^ zX>7Q!^M0lsS?ldK8_dr!D}yVL+!sh$8|MOEDgN!zCkLm4|5Fx&-SVc_J{xiwr6%7+ zx4>L#u}gG^37I7`sGn&C;94J*SmBFG915E7infU`97Y&l%Ec05s~v{E_0m#HJeED) zQ54%pT6NhR$^v0sph^D%YRm&PeSvytwRVU2eU7TNt-e(aNwqA0;0^V$3_l&2>rWE( zveVJ4WTLW3^&-M0JBwR@9EB|dcr_VkPyB405@}o8H}Wc$S)ZQpn=WZI&6K@30=flO zc{_T)6`0EX5i}9PxI6d>(&A0eS=Iw1K68~QKRC+eXCxl>b2V@deCU`HGpkXTxjr7( zQnep(+Zn`!_|^b)ak}=CE=UdcUz!d<^r3BL=D;*6CO<6f)Dwk%d3~5eTrPZKFu_)c zsL6efutVH%5l-Iad1ef@N~19!hH#rHW|WsHa0jsvn1ouiq=&PLc|C1^4RH#UoREC_ ztR;^Af!(Ze8odb7+h5y;9< zRC%)-`ck8-d(3Xh6Af#s-5EV7N+9h4Vu~CL3W%N={z}F&6qU}MBu_>_otJ|uyz+9dUuOK#IpLt;ma~YQeFPARb z)dXQ&*yF_k1*l9U?FyIbFI(=cyTAMM#3=`p9$AM=j+&YL=c|Ri&+rp<04g!v=!X7) zyv(pYkEB=}1gbwS23yo(Hf$69k7Iq-B=PRgMg^_j1x7b*U|N#&?bh3gx-Y@l@R>VYw)ItnM_ zLCR&Tu#wCN0PepQ*X7>Ppcw#gQArGs56>;T?luA;Zats_7(e#%E#c0N+eyx;dg_nV zDxzZ|w=!CPr`s@~OrBCpupNmMeYaMVm771R`ywnC1~)AhQBL z)TBlP-&y8JzsVhzvL<~%!t%oe-5}sDVz6n@5%kG0wjLu2w)w`^9uoNZ4;*~&$)y>x zp?(O4c6NafD>EpJ0N=y#-YG_^hXw0jN>YU7@tKTU3|PYJ5`%W;>l`pBJ*S>5vCiL? 
zFf2!zvRpMg4s(FO(E&9;o9qD487X7jgY>>cFbnEWmV13hN6$q*m+$a)A7z6Md2*4OD%9O>nY%Upr-VGCAle_P190!2qXWn`*M zW^Zx_*8=biNDy=rPm#awzN$+oMM??Sa|L)<(;MU@z+^gvP->96>pS~NmB8{>X0jj2 z03aW0WFqraOtE)gXf@Wz+i99fNi9svK&0(|L~!sArwGIqa+78SZl^p#reOl`O_*$h zwJvtiEw#>;-uzfkO~jMd+`35u)UDa{l2;z9Xlc34PeS)%lDzxYwvV)X+9|NruEns+ zY|r{5k%O*q9gEXO+qLyznc<}|cVEE4Do6Kcp?Hexim^W04K z>inK~Ri7A(&TVAd)|)C(?(-^a6Iq-AT&BspBw^uf{50;D${!}_X^hq9A|jKNaWKy} zRi5vC6{4@+9wO7EOr0K|MNy$Fo5H%@XOCtTOib+Ut0#5^r1z20Eh8ODA#`Q3&ZQg) zYm-4xNIsyg{$ znEoDj-ZUNvgIjY?-}63cKCvE;0BvB_Ee`zBVjp^5aj#?*bu9LWDrfN2DN54$AM8_G zRSf}Qko4KAYL*A2AOu@56*06euEb5qC=&O)Pqp#tu<0rJItZ1fM+ji$haWHy<0x(l zbjc9Q95#WBudUH>1u4i0JGD{tRyZL8-!r|&IYu?_sxO~s+sH?NMh+N`Rga&@0F!j> zmwnqmYsfC4rC8RHDYEy^jSW@o9`ZC?uJQfX7`@sK8p2^kq5rscSua6mVp<34=%!Fn z4IJUQ4xekoFv9LYoly))*V$vRuw;c>emHR@J=YDVvg;ESFWd62Gn};uQ=!SAOZ)Fk z@6kAfzK^w-MqoC`6CG@P;j*d_^AmO~ zYBvs0K8Rf}{g9uLkSQ|$!l{nTu$eSj=Xt&9cXfXe8FbIZR#Jd-;lC}fH2iR6R3nm` z!^>@TKTknx+kYgJ%|AuXtVPcEV-GntsI?fBwrjcWIS1LWcJvat*jSHDsIm#TH$;ZC zM@PFPCw|sH z=ei?nX3twNsW@XE&0PST{*Mhzoa~M)ZBfI8sECMPRM7&UZfvizR6kI)m9IG4*uPrwSLo^y;Ry;aW*eZG*afM(?^GxOPO2K9c6 z0*l+bQs3tBsQBxQQk`S%)Wg$GF8)r>8HI|sK8~aLHsv3DFW-0ot%!2tAG%_}@-lan68hEdY= z@6wK}_S7;;TEK+INFL;qUBSD?h<9B%?BHX1RMvO!nt%2K?WT#sKDkW?q*!KVQk#9b zQ@fitzM%_86&K#KOvx3cuh2$RXaA9(6S#1ZEiA-i+d>x$3&beBOs*+A)fQGiZ_WrJ)u{p%l4Dl(rFqlF#27sOg#fC(mo0-e z66)Z8GY?OaE_=Qo+O-HO{PvW;P_Z@%d$qMa4-qdG5vyfT)h)ZxY@y;a3qQWUYxJ1O z#ZaXIN!h;T#PpYAO8iF$a8m=Bkm6YNGI<+jX2uOJ0WtYg(EM;Rdnb}BJPKW9{r{Bd z)qkeTcT=N;;A#4eB?xf~GpCZ&FcM9mjb98m+#ahKn z@Z19!XKEhJLYSU7vJjc(lVnVj@;V%`S5SLu;1@(%wGFrSqjBS@#72E(sE>q0d-HGz`C=?wu!GIGaEBr=c_ItBKTS2`^9l$v$ZIEL>*8$K zGu5t+uK9>)oe-6a0HnuqVl+4C0$PZ6+;tv->>1-L%UU6ouug~)9M@cG^&do}wTDeC z=3Q%AV?K%q6P(0d2AHGRd!6thi9cwtqTBXXL-UgxJD~Coor<1wP%AiZSF|(t@}Yrm z-Cm5cp_4Qh?(wl+c1ZL(GKH;LAkl!Cv(BYQ+x16i4e{Wfb%ALsdz|TPW-YO7z z+c96`{O5Ffi-8c|v$ViMR)a60#qAP^{=;&AVY;0WJhX)XXy?c~)=J+anf8T=`BraY zor|`U?b`n|{w=-BWJC+kNL`iDo^{Uy+oof`O5kU>Y^aIFTVa?ouTUh;2^sPU22!do z0%w#Fz+)*cfA#NC@Z|=O5k`6 
z{jKC``h(fir6LH=Hsyb1v6}l-jpH$ekI8}XA0NY{H9!wJ=3b&g4GlV!9%W+T z$4(rvnkm}<+H`5tGios3z@hyLN=cE&ss@@Q=W=b2lp>r(-S5L$rE$vf4R#IGRT_gg zRDqnbqDC-G4}o#Z1Ce1nCr0Dn^U;tln}7;OQVFJiAtE|+X%W^`9oi^XbX-aHH8`n~ z32miI<9e4LF6_2NzH4%4CiYC+kM|=!!w=+H^9=uXO63Q`~68(&^zw zpfY_rWI*)Rhpc^1!@5K}S!zug(#vZ*#gCVAKP6=jfV?HgI5%){gEZCO=3oh2=| z6-snQaGlsEDgEsnNMe35#E^x@^(frx+b-$pB3(Gj<|YpxX}Lo)*E$y5jPtfP^96;T zv+X=hh1(YR*ciUGCl>IFjnXC7gVqt|iBDu=fH2?aJ!L0ibYUu*lwJ}il#~AaBg1(T z^bl&2Sw$PzE@%W_Qy13qegr9Iw}dHT)_6J=>RUpZ#$p4Eagx16ckAcc>)|@oCn7PL zSxfYW)WN%7*2$dmC;ujvDny2t<2r3UC57gqu^4DZGmaE^{@NxVUY5#U#M#b z!u?g-VK-f#wn&)qg)2;8jN53cRx{QuY}xG z%9-i<`Mge*U(lVw1Sq-2rvonU(a^T$hbn#kk0Inazzo+yyqmI%fq`wkr^vG~R0qnY zT>Bqq9*!(e4B8{1nTxfhONl`<2lK+xU)!mb15|aHI+q9GBJG5J3K+tx-lJSdp*m%<~P5ZqY|56@sxjJX_KO#!{8v{kJF-E_^>IS)|Y+Laf9LzzR$KMpGs3VNbUjUi3{0FkDtSZF(>u7M9GyO)EAtIcr-6$%;ZUh~i# zzm~3oq7M97#5swhGTIQjL)xElAvJF&Bn{f>3;c$X%$4OkmNa6dF_s9dbbN%(x~EPz zt(S4fH%hQ39AXNnN!0kWf?SNBrdy7P!9I&MKfD_Pq~DIbLgZF@mhF`Ff|*dNjG7Te zzJ|>iB8y>ZZL{X@?M@I|QHRxJ+CPQDrivXRV5d5glzH4`j^0~!jeu1^$O$hwLlLtp zS54QRwaBvAIN$Y6GH_&J>=c790=@qSa{Rqj*DjtYlA5;k7Gpf(TFdjcTEb-@_V9c0 zY+#eh9kusizslM#;H3e2D)uH5XXq(9B63vI5LCf!q+*<>Q3=#Ux-}Q)!CuHCHpneSq9j`yF9Km&r-3dALrct`NwgfP7nzeLN}!{?u);-v?8tGsejHrZ>`nnlqm$k&U;H2o&*>9>rn# z1{{VNluXZYS1eiQ7U%pkE*~!IM%DA_M87YArD&@5O`2rMhGr-$G61EXr%Zhu_9&B& zVU{8hu9uHiT{)Td5{5qRYh(}29k1v%bGsvjl?uWu)o#&tJxPiOX85p4~5afrfO&Glq(WB9az$pBPglQ(tzkfb4V}K9GM!wZ6ICW!-G28UCAHj53`{jOwix4I8-R@$&wPT2`RbWX(QL!^zN2MF3jcAcW%{$ za!i|_g12DLVK}266eaaByesm8BIkMc>Jb%**3YH_Y=MMXLIaXOVlN*qw2D()3_;0Y zW?h{9YSAlbj2`ZW5&;a;u4p7!BRDw%VPUMP)(=HoqvK4g=4G>qWl36U2yk9U0DW!8 zyF-KHG=k&(XDLsj-8+&`xVCT%5#b?hrtLqtY#6*FqAd7kw>QI)?2b$NWHI5H3$ z9e{dP3zKWWI{vS$<}@Lz$0y_QXyabaW0MZk5<^(p1v+vQKvAZVYM^zh07O5yrk+gc`75VXn-JFKLds!ALkPW$spe>D&o zlGoySo0s;okvfU^pRmCDkgzFs7O@y2C@ zci@tZ3pXF5cdzRAt5tN@0Ri9LZ$p@kZkU83kJGr}~NPQs! 
zfqbqOR3do(H)~z&n9g;LrM@c}o}=LFYhpdR11-RPoG{fo*CglNh#^?Gi$Bk*!1Dra zBKIhV1tFj?60C4YLV@`sUDDsWOZPJHWZHVi?dSILzT-j{Wr8~P0@N1?4oNa^j|A~I z{9d}*=xsE43E__8+t7Tk?a+MB_{|s(=)H%=9ixyLY2Bf5cJTo1ZIHJOlSQ5Hs8WL& zQ+pG-`M2a$e7GNkpLVuv?KF0PS$k?Zx*Hm+pg{!J;~;99WQXu4*{xM*AUGSLx5aS3jgIvgXk(#*yvOzeCXV`OFdYpG6o2Y86@l literal 10324 zcmV-aD67{BB>?tKRTE?7S+9oOK57_g(HdE<+RZW^!PSRV)4>9;{Q#2k$P-lU>D<`LzEiB>E z%$BdumDc@fkv`DVMEUEoM>#e%L`snLDCyGo?*g5qfok(>akaaPd{JP~xx5zCncYf- z7+Td>YU9ZX;shHECxh3r&$g{eZv@*O?e3QZpIQQ(5k3zew4S}tc@$8>cr%pb{&9iFGq1soN4#p04WJFV0osJ7HrgzpbUb2 zJxvpO{tI1mf4Jy7Ez3isqRP*2$qX&kj}{YYS}5kAj^RqRh5OJv7VOa{=e6VV1N%x- zv)tkQVzx|bYHnVZGXCDiq&^44p~CAOeYiyH`5wx7FrTTst zJda3wv;J>)q2WT<*HPip!jm#wgjV~vgK@AS9h7BbB-{++e{T4^6OJ?XH z0e*cG1x`To({12;1310l%8PwNwRW_D5H~uQ7ON19@J0w`p$ze2T5S`pJE%IHGd(kJ>pF-Jc-TsLh9t(ik!wOn)0HWtC>sBkThk-u*7z z=e1cW#E}jz>(X9U9FFm8EtBzH8^CC%Hs83@!Ku*%y_kLj;Hh0YAO-jgKnc13a%;B3 z@O&1#74ubLI!tj8$ILZ(S5GyTB;Y?erZq}P!qHoXlTn!3qV<$cDN|B#!|ziE0-1S@ zTamb>9i&~9iEsY*h!0jCg@ zu&ti4x@X|3W~21vvLH5LKz#&LrM~GZMrc$|@(Q3Qx(0^!og`~ld`$)++pqQ{Fzr@$ z77%8Ew5oI0-B^Ox^#^!r3y#^PlK={J#myw!eD4x?x5VpQR?Y>Nlnt_X8wL6Bn!;i0 ze_jYSUXJxK*4rsRn9BO122Py@8^6r9I|`uNhNNMXaqYL{x&Ih%8NHZTr*~gT1_pTV zVN{~jU8ePKUqzrbgO>vCZ;mD=zWv#2D6?PjAua+MJ!ebgKLEoot8+5Z7WztRYq8};xy#LzXbS--g?%5=mpRU;}5Y*ySKWhY+6 z$mBqz3=smujilHkNmbXuhO2381^nN%l-a|r=1(HIcfxFhl-*!GIS!0^q?DVM$NVzU zhKxgunM_1Z_~l@P??byJNf(-yy$<_nxxPlljQgNLZ-Ooknp4rH0bLIyZ74@Wf0?~h z-Rhyc%nktUgH;|&_`OhV?Rlth+I5EsA$|}Ork!2H?$jRmtDbdGg#cuGn|du3^_)ZD z6>iTF8$~1{dlyyxR|cfDwf2xGA~XqB zmfwpFG(c}v}eEOx_9`K2+dXBpp2%bh%9++!8kw`-jl(}{t)6^q`40s~3 z92_1b^JC3jwC#y@%q9#us^WMwK_72$I|AE@zh~d7{^5}il@akJWqLA%3q)Gv%We@+ zlYqw7zZP*1b`Rq1qJsg@%Qg`?Fa-du!J#-Unso6=kRDHylAvhI)h^-=pFWA?|2o;h zLk~#d-qps^l!+wtCfYL|3aK1U=n1N6?5Q5p<;*j^Mr>SltdeBbp#8!+nft;UL~@i& z(Jv&0w=Tt^GiW|>RNsTssDOfP`YZ$711BE1p$X3ckro!BO22K1kukHVGwMC4@iK*{ zNG^o^X##ZLja}Hl1aYY zxQ4TsGq>r`#<2TA(H}yfkR#HdRF+hDXib~!Z|+x`fKn@(Ip1*2QnZTxtdaNM)6um9 zZ?yvYpUx~AMxB}vl$NCDAw!&F5m0SLT#*)M4&`s1UZ=63{dQ*T34IjJO*FI 
z`L|GBvv~sng7Eh;J;LXq8UL}Een)birN)i-JiW&VCnAodvW49eL6|)OlkaYDgYoNa zVhXfCAPr4nlZ5oiye!Ey8gNW;y0W|ELqfh4+gOM6dE&cbl$}%~xk|Kskg_XR_YF{G zqZt)k-xjQ*EBZDcbQLbqxo?9sRdu`txJ@w}_Ei?&<`00lEC7XZHh_CZoA!kkNm(0% z(zls~z|-U7fxTe8Lf!fOPR+&Q{)m=l<>tPhNNw%!NSC{63?KbFotac65+xyYI#Ky< zH{#OmFZLqrE$(pD!0|DD|3otf1TkA?V7XzK1a2#}HPl{lh1%BSGSV*GB_)l`WaGoF zGPI!{AAAy0@`wP*5y$zbF*$hmrV&S$+s}9ET9wMg4`*5lDLZ|7PBctk*bsKvIw@;W zW35KXG%Fj+3)S39j`b+Vm5`iIt30VNM>&iAi22Rle_*!q^34!T5)v&SH}vxdAa55m zO@czi&c~uB34y+(6)?cQxaD5vG9vF6Ym8Ldm-e0C8ygwNF$M4iW!QwMA@>!($jCqnC}gcxY=fa`Ad6a4@ZcF)qsZ3AP@ z%S!DpP%sg(quuBA){&%%W^-l{ z0I9pEMO3mVa7(JxG-Edqe~Z1gO=n3|R0M`2@H+TJuIv9C;|$#AeNJlVf#CI!=I^%g zcpaKwHOt8qbb*V@iKJtn_<{NC{uIbN55n*lYwg+2lz~#rR$f|E&4fpDvVxP)+jw@e zW-rdJ^D-b3k%z_=f%Jya-L_LBv+&Zn&f!zxM>(M>N>=eMXyQ7|XFgtfrbNkeWa>6# zXb(WdAw`2oPL85BletbBy=4?L{oBL61X_I+{R{$CZzUvjCDpAWvbk&Wh zNzZ-dIU)Cz_b$BE+0HZh)KnkXd2j_`PqrFSN!XyNFCpoR^pIK`$mrLk+Gw^!20Uvn zgdE}~C~o~dc4%0|GEtxQd^X!k6acO#}N<<+HM= z8e;sPTfFA=_;_BV8+lBZgqEKI2j}q}$i9G8gJkP3Q&O|6NAp~1Uk?QhT~q(6O8GN~ z(2xNy=!Hkcyr+D0p_c0i{n3A=;BUSJlG$R~bN2-LCqN2aoZUa2eP}{x;=@xSpK&{l z*tIZzr{(>jG+EOInkRq$b>!`Y3j_Ro#ki?J6vWH|qnN;FgdXc@k z_&$1((OOW|;1NOsK_iAkST7?KE>d7s)w@&UiM`N|)Al9rM|j$tFu z{hETq12`3EUMX#xx%>W%^NNs+@7U&Yf`j6w@JBi^CcY(opa83R)8}%FIgDxMlV6ny z9V;k+`N1Xfue86KoUBC zr`r#MY}|#s>nG)cSNGB|ybJ_-RU~H+s-^`ACf%D+3#^|2GIW3kdcu!u4-ZB0M8p!=Zin4CX6NWJ82Jf?_46Nr~W~ zYen&;MrgQ8L#;IXPGiCB3SNdo!|LX9I4fzgiktFxY0jX;o#8NWD zJXQ1(FtJj+ZJLXgk9jD$T$Z2X@=RA)g6zEU9TDZ(R~}pgpxr$hS|+S3*xt5B?GRHc zZWub|v=~AMOYs+@07#jJ3CNs>!2`x;p?=5W)vkY6IU#`2 zXFF&w)Sku9*b%*tf#8=)G7FZkLkxwp$%NiqLAI-n`&$L%bB%~zMy8A0bw-&V7Q8-I z#7=id!I_BLfB|C7_CmVR1G}xJBzfdhab)tDKKL`!gz>}{^q@jUs&AXbkNK84>Y`XZ ziKCMsFhbRK#ZUHUK57WA4!thY_fJn_USzvSXuqQtO8DN&2f`Hb{YowZC6K?}>HHayeNquD+{n~N!iC0s54ii<4?#;*h{2(OLi?_gEJZz+y*4#E7PzR4$ggG zy@ZNAlIJ1)t6uq%Xhv0G-*d+JiJQ#F{jgWwH%!@YTqolOB6#c9vQU<)VoKy8<%9J# zWX+~bHtR95vuVv8ALV4Fq&TH4Oi!g?7#p?6lXXAk$rlHi?7_r-qQGs45~7Mrg?;w)kKUweyadvh8?v&hZ}>1u 
z#l3YnGs2MI3Nh;!@~o+HR+*-4mH58tZr97l`|zNy?zBMHWZ#s95aLZ&^R0qL-#Ffa z6&2;40b<@GT9Otq7mzkJRj%l@9c>AJYNl_kZkipy9JMh#V8(lTt+Cg_;_-?U15LWM z>L_oBq~JI0C*x{?%^?trwLtXv``e7UtPKK`uFyH9rx$gMtOc-PDFOxGT=#*VTQByf zk}D=NdihFEMk!wp0r}IiR9YU2fgnB6kz7#{#`h$|P%U1_7q|W4_`4I2h8Y&VO5 zX%LC=gexwSA0^Jg%uLpS{lGrSy>eTcjn5b_2a0BcwOzoKixW#x%Heu`@U6_#Zn+|v zsJOkp)DR5X-r&&nl#%j@m$=0(o#UU;nPL^rW3?i=#BjDF37C3U-vITH@Fp=d@u*^M(zWHn`7@oeRqfa%e|R@Riw9+c z?~m(vpRqQFoeU_0RbfsJDig%DRFOQ1WYWe>@jeagW%OO!9qnkJbkEwrthVegT%<994k`I0-ir09`wXxVxyb84??Lrdw-6UpJ zt2`CwxTNSs3+A?afIUDEtqqPB#wQWcV7^u14A>lL%rlAF!SF9tim_UI_d+0m5@o^s zR0ipw9(Z_9EZlEnx1$hGA)(-<@ExuYy;1pA=7Hp`B`V@1BfvVCFI>Dm7WwmHMpri@ z7>(1jF0nzUFxaU`^RA_K0+gZF?F`z?Pfksc&L8LMKq4p80GYnw9zKOuPNev;IL5H* z1oY!`KRs4wCpJP4;(8iqexw~*o)%;e9?Y6BCf+KCl95?r;LZadS7->&QbG=@*SP1 z0&BiLtY~JU*S6p5WDLxpw@&%EhY_$SMh$;|q;Jfb=N_=ih@8qKNZP0TJ;U|6w-D+K zi2le4-MRC4rM~zNzU^H>l|o=KkKRB76&ko;t_GOv3erY|pK-8x%``LQ8sA?!HXiue zYrnz$xkid*+ngkW6Lg}5S9hoo?*@`HP;%pAHAWV(t1T?F$ zK#S|r86lw{^_qMC1^`|n!(`X+mJl)V(EDy_G6D@N4vE{Fc7PWP)^~x;s!Os!$=LvK5FcD9tXij3M(p zCs+`DV>_U;E;oaLKL=@$R*9njgV9LI@%V@?i+;*3_9!->%-PD|vIL4#Zw0PLMFDc4 zaQ(8?RJnTG)15DYj(I8+uz}756OYgK2vO%S_h)ZN!5e+ry@XBa@ZyqAT_ zOcP`2yo9qobQM3enpp)clU>X&UjtKp~RsScSbI;gU3(G(H99^8;4(_9(Kd-2OF1NLJEsrN@I zk{#Ic-)W!hU@>U7IPRW6ignW9qZIUhS-b0eP%aw&pg(gTA*t22S&U7=FZ8KsG;?Zo zIH{PLKxECOU{-$Ch(9en4Y>`1cnC43gcispd z@Wv-Ru2Udde!)f_i3M+nfv?xkwuZlfUXE#97Fm5~AM|#sXSU0JS-IgL-<)x@=<77d zu#xW$`~Qc@XPceHPpE0SgCC7P2l&@v45TT!84Ga55SjvKW|urBMO;s-0mTYMgu7d5 zB*ZNqrPg|0N2s@QC*fdZmNWkUKrA`Di?vi8y3ZH-`dRy4O+rKxE(YJ~X_iJre7Lxe zl=1`_1?Y>8vLnBlQ5ym!HD>-`)x~RQD_Gy--jeKwFx zf(xoTeJHB(J0@rU?RvmbDC}om0MF%qhZZm3@W@CQU8jzFI-i=j-r6QozYA}7oie6# z>DW;is8 zbIh0o>|1wl^duYNwWF84EYD>~ZwW`)egc9#NTUjcn`9N|JcavkpX}d|KPY#0M`0BW z7}1*!d0UeSuQSNHSq)Zi!(;YWQO^19i($<=xAM5c#a3uiRN&J#W?g~hN_b1@rN;Q~ z9|9+76W}*{4gs$Lz*dyBF*3cf7yFdV6vTQ}DMZK&VWwYUA#p2zh&+#{Z}njNv+|Yz z?bCuW6>T(tRW!3 zyQRH*n`GT}lhN>f0$AfLjID4xk+TE|A{nV?Fy`4$n&Z;)gJsF8K1xe+rqarm5<*|9 
ze`oSzp+^_F6dwz##f1Ctc|04MJ%@uV;X5g)mg43zph00vLn}?hD!E+C*yO>TVu*9g)(mFbBVkCt}WvJ3uDJ;#hpi7H{?#EQNi^a=#>4NOjDK zn>rN52zuSvur&FcP_AvwFgC@Bn?0}>e2f>vv`h^SvXccQk#(aN^DxYhul$X1#~N-R zEr)K(u{#|yV%}NB>kzZDWYGG%&eLah)V5H^H5bNF%!}(avP}PYVi5w>&=A!3GwMEm zKGTPc@(~T1-})Lefq5Q$+HyLgR?}vg#S*IPGPVP?RvD5x?SgsXUu_tb3Yh>Pn4ohD z#&%+$dp^d+hAIzW)dPfR10-Wx94tHX#j_`VMI3t!yn*V$wml#`u~{WpYg0n}AQ#VI17e~em z?jbshEb;k9w)u+n>kYa&k|Tu>@l?_mJJ_bl>L&Nbl-h)7ddKV2zg^wzrpvVnpJzj8N9=k; zkM2QpPHoY7kTNj*f6V4bt6t?j3@rY0BnmNwg%K)s!KzfyRcv^0@#>(k3>^{sV2MRs zhRi_GC6}qJl1OM_G`v6#)%q3VW$<~aC@>{%CX(pEkNDfEJm=K?rD@gOqH8_N`Q>!3 zKoQChc)!eYQin(k>9XO9XGnz0@}4jQ+W)i2#WgGyG_hY@(-onX4MkY5ER+`qIDyiv zCvt#l@`YZ#k03V}k|M@K1LNl0&tO!(hLat3PQqTGo7@K@6rdoY@Sr(fi)&H5+ z#VPC|_W*@#xNKs-fSe`E#c<7!C(4{7?4&*Hhiw8}w5J1|U+FkmX1_^rHgM|vSgQWe z$>lc3RE@^h3?JE4R8xZqqtZ29M_P{t_$thJEDkTRanwvaD*#CUe0fWM-7A!20Sm4S z&!3b|2@W603mO9sEhR#0j^M(|nIWAFF1yoP_f8K^8!F^ct(iN_XO3uVn;zJa$(tEcCs9{uW8gJMa&EIC|#)%6a-hmgTEgj36u(d-=44aAQ)mo90yTaY?2ZFyYQ z&nBigrRKr@CTEJCj9u;FZWBCrH#uETc@*CwqY`nBaPC@62b`L(^GG;TVsTAcgvviPCAL3@@5UTlw{xyWjI3UDW}tl6aDY-HW@Yl zE8UmO?+M;vbGe7S#h_@NhpKw!Dz7t5XgE~qs%lty{r(|IKoaxYBrtNX8M>F@&V7Cp zcz4StMZ8Y+*W^U1VqZNeDZx!|~%T?{W?*BuXhd6gmPKCdz)ct5QiU^x%N_~89ID+;O{`f)C z`KPy>ADdbFp!DSaQZfyJh`@kgw7#q@uHOQjO zb{|Nwh$Y`;!3>$6BbQ+jz^0j%qjV86FoNy<;0YtI?FlG2Gv9Tea#j!^ zX*qvV2Z#k1b1e0mXV~>Oj?fCOiOv;?^cn#85!E8v#%JaIPWRf7mKy7ay91?T(UGgw zUWCHi;NHaQV;v{u%B(oqKz0WeyEt#gP$(3ep}f9T;i?BIAEP$TdaI=2`jh$FhR4I2 zeU;YkR+{M|Jbk0b{(A+kt&Dw@Oy{`fLKvA2Jk1EnL?oW^Kli%JSjClpKjHssPdYn0 zY@kdYp4Mu1*0~EmI$8Vfb}t;jpmOf)OfTdHCT+7E2ljdsJ0E958*_9XU1+_@MSl)0 zr~P{)dBDz3;zl-+sv^>tFcc{kd}fEbO%W=yv?9vFnoo`-bKKxMh7X;9Zl0OJGlp61 z1HB(6DER^F#=NR^$-tkc&XZ*Se6SS7J8Z7gPm~FD-fg2CW&ImfS~Imnf{bFj1Cp!X zCJN;Y9ND|XX93*(Z-zxGljhPVEvxs)0fG4^`0k6a=iB-H9wH>g_Jg&Z;bA0Kb8h;B z-47_~LuD^t5zAIVU&%S5kNn_gu3(*GxTtf(t!xE%PYiCF9iz7E%`FE|*^Gp=5ZaFB zn;i2$7)^^Qit564z|HJh(amgt=BjMBi$VYVLMxp--E)6SJ7g0&@HT)u83q%9Fy0lg zsOna2a>JH2{1aJW2D5x#?0#}3CMfAOv!^nEugk8(oeK~lL$eB2s(|%zQ}NoMbU2

yz;`mge$0jUT;J2`9CKeyo}$_OghWB- zJK@`h-d{}3an`kFdMg@eB(56e;kP2goW{1Gb~?5ucle`bNHI3d%F2I{ff{l3Qj88E zUZw}iCB|>BibDOFvjUAkXE)Qm8x07v3P-4y5m09&;5%2oB4E~Xy?SWYnq}~S3oZ8F zoX0>W&{CPl4B*tZIr~yh*Zg4z6^|niB}=Y2m6urb-Kyd+70!JiwfDldY9EpG^}=+Z zbSagG<~Ke!QBK~Cf<2ccgi!_pd-B!w$#-B)87G_0H#u8HC@*D!i)*LFX$XPze;1~l z`QL2pyyT(j3_XqwG$lEFHY1>dQ@a z08pCKUo4-q`|YlsNUQ8M^F6mW0ORue-lAQJgozanS??Mc0xYYbht2IQZ|pl%j;?h{ z2Xwpz2_4*~V^s_`7l-=wNhFR9RIte>`DvmWAoK8!viJ6;|^@>_{IVY z_r;!HHsVB8RU#bO+(-PWBN#LQs)KnDgtr*RH`RHirRmV zu@7lz@%0M5rB^@5npsSQ_K;1H0Dp_5I4H|AJB`lhS}seuUlfxShNf1UC^&d0EHzC> zuZe>Q`sP1{p%niQ2te5i$-J@As+noG6Mxg`4T@QQ=!uNe^zQ=6MeWTOy8>=*{}bsd!Glj9!20UE>m9Bs(rOLd&Lr{suU0d*x5hva)NCLSIm_?nq=vYI?9Kb7%ejBOSGZg1xo+}Li+X$R zAK1C$cq2I9m4iQW82|r`g59I!gkV|DPur#?twvDl9)|s+mqnwFoQdz+Nwyw8%Mgum zF}-8F!?}PxRebp`8wuhk!@Lc;rzRf#MjZTAO)!o?FV(Hu-E_WFE)$ ztdaUXJ}Ijg^`Maknwg$4io9}U`r{lWpZzuvG^8(43lG&PozK|xwxez0OC?-<-Hyqe zsGoE+cQ265k)SsHw~@60DQX;GZ-tw)LHv4-u)yBoWrtj0=>qG&8{W+w#g mbOeBrQZgGJ=!2A!B9BDjX6?mKRV}lJDKKl@k^082gV}R&-z(z) From ca82184ba50191a8d6b24293161dbc8117cc4ff0 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 00:58:09 +0000 Subject: [PATCH 4/4] chore(main): release 2.38.0 (#1657) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 12 ++++++++++++ google/auth/version.py | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7f8e51ce..cb6a41358 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,18 @@
 [1]: https://pypi.org/project/google-auth/#history
+## [2.38.0](https://github.com/googleapis/google-auth-library-python/compare/v2.37.0...v2.38.0) (2025-01-23)
+
+
+### Features
+
+* Adding domain-wide delegation flow in impersonated credential ([#1624](https://github.com/googleapis/google-auth-library-python/issues/1624)) ([34ee3fe](https://github.com/googleapis/google-auth-library-python/commit/34ee3fef8cba6a1bbaa46fa16b43af0d89b60b0f))
+
+
+### Documentation
+
+* Add warnings regarding consuming externally sourced credentials ([d049370](https://github.com/googleapis/google-auth-library-python/commit/d049370d266b50db0e09d7b292dbf33052b27853))
+
 ## [2.37.0](https://github.com/googleapis/google-auth-library-python/compare/v2.36.1...v2.37.0) (2024-12-11)
diff --git a/google/auth/version.py b/google/auth/version.py
index 06ec7e7fb..41a80e6c6 100644
--- a/google/auth/version.py
+++ b/google/auth/version.py
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-__version__ = "2.37.0"
+__version__ = "2.38.0"