public async Task SignBlobAsync_UnsupportedCredential()
{
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored");
var computeCredential = new ComputeCredential(initializer);
var googleCredential = GoogleCredential.FromComputeCredential(computeCredential);
await Assert.ThrowsAsync <InvalidOperationException>(() => googleCredential.SignBlobAsync(Encoding.ASCII.GetBytes("toSign")));
}
public async Task RefreshesOidcToken()
{
// A little bit after the tokens returned from OidcTokenFakes were issued.
var clock = new MockClock(new DateTime(2020, 5, 21, 9, 20, 0, 0, DateTimeKind.Utc));
var messageHandler = new OidcComputeSuccessMessageHandler();
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ComputeCredential(initializer);
// The fake Oidc server returns valid tokens (expired in the real world for safty)
// but with a set audience that lets us know if the token was refreshed or not.
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("will.be.ignored"));
var signedToken = SignedToken <Header, Payload> .FromSignedToken(await oidcToken.GetAccessTokenAsync());
Assert.Equal("https://first_call.test", signedToken.Payload.Audience);
// Move the clock so that the token expires.
clock.UtcNow = clock.UtcNow.AddHours(2);
signedToken = SignedToken <Header, Payload> .FromSignedToken(await oidcToken.GetAccessTokenAsync());
Assert.Equal("https://subsequent_calls.test", signedToken.Payload.Audience);
// Two calls, because the second time we tried to get the token, the first one had expired.
Assert.Equal(2, messageHandler.Calls);
}
public async Task FetchesOidcToken_WithDefaultOptions()
{
// A little bit after the tokens returned from OidcTokenFakes were issued.
var clock = new MockClock(new DateTime(2020, 5, 21, 9, 20, 0, 0, DateTimeKind.Utc));
var messageHandler = new OidcComputeSuccessMessageHandler();
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ComputeCredential(initializer);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("any_audience"));
await oidcToken.GetAccessTokenAsync();
Assert.Equal("?audience=any_audience&format=full", messageHandler.LatestRequest.RequestUri.Query);
}
public async Task FromComputeCredential_FetchesOidcToken()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var computeCredential = new ComputeCredential(initializer);
var googleCredential = GoogleCredential.FromComputeCredential(computeCredential);
var oidcToken = await googleCredential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("audience"));
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
}
public async Task FetchesOidcToken_WithDefaultOptions()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ComputeCredential(initializer);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("any_audience"));
await oidcToken.GetAccessTokenAsync();
Assert.Equal("?audience=any_audience&format=full", messageHandler.LatestRequest.RequestUri.Query);
}
public async Task FromComputeCredential_FetchesOidcToken()
{
// A little bit after the tokens returned from OidcTokenFakes were issued.
var clock = new MockClock(new DateTime(2020, 5, 21, 9, 20, 0, 0, DateTimeKind.Utc));
var messageHandler = new OidcComputeSuccessMessageHandler();
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var computeCredential = new ComputeCredential(initializer);
var googleCredential = GoogleCredential.FromComputeCredential(computeCredential);
// The fake Oidc server returns valid tokens (expired in the real world for safty)
// but with a set audience that lets us know if the token was refreshed or not.
var oidcToken = await googleCredential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("will.be.ignored"));
var signedToken = SignedToken <Header, Payload> .FromSignedToken(await oidcToken.GetAccessTokenAsync());
Assert.Equal("https://first_call.test", signedToken.Payload.Audience);
}
public async Task RefreshesOidcToken()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ComputeCredential(initializer);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("audience"));
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
// Move the clock so that the token expires.
clock.UtcNow = clock.UtcNow.AddHours(2);
Assert.Equal("very_fake_access_token_2", await oidcToken.GetAccessTokenAsync());
// Two calls, because the second time we tried to get the token, the first one had expired.
Assert.Equal(2, messageHandler.Calls);
}
public async Task FetchesOidcToken()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ComputeCredential(initializer);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("audience"));
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
// Move the clock some but not enough that the token expires.
clock.UtcNow = clock.UtcNow.AddMinutes(20);
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
// Only the first call should have resulted in a request. The second time the token hadn't expired.
Assert.Equal(1, messageHandler.Calls);
}
