public async Task FromComputeCredential_FetchesOidcToken()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var computeCredential = new ComputeCredential(initializer);
var googleCredential = GoogleCredential.FromComputeCredential(computeCredential);
var oidcToken = await googleCredential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("audience"));
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
}
public async Task FetchesOidcToken_WithDefaultOptions()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ComputeCredential(initializer);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("any_audience"));
await oidcToken.GetAccessTokenAsync();
Assert.Equal("?audience=any_audience&format=full", messageHandler.LatestRequest.RequestUri.Query);
}
public async Task FromServiceAccountCredential_FetchesOicdToken()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ServiceAccountCredential.Initializer("MyId", "http://will.be.ignored")
{
Clock = clock,
ProjectId = "a_project_id",
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var serviceAccountCredential = new ServiceAccountCredential(initializer.FromPrivateKey(ServiceAccountCredentialTests.PrivateKey));
var googleCredential = GoogleCredential.FromServiceAccountCredential(serviceAccountCredential);
var oidcToken = await googleCredential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("audience"));
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
}
public async Task RefreshesOidcToken()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ComputeCredential(initializer);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("audience"));
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
// Move the clock so that the token expires.
clock.UtcNow = clock.UtcNow.AddHours(2);
Assert.Equal("very_fake_access_token_2", await oidcToken.GetAccessTokenAsync());
// Two calls, because the second time we tried to get the token, the first one had expired.
Assert.Equal(2, messageHandler.Calls);
}
public async Task FetchesOidcToken()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ComputeCredential.Initializer("http://will.be.ignored", "http://will.be.ignored")
{
Clock = clock,
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ComputeCredential(initializer);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("audience"));
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
// Move the clock some but not enough that the token expires.
clock.UtcNow = clock.UtcNow.AddMinutes(20);
Assert.Equal("very_fake_access_token_1", await oidcToken.GetAccessTokenAsync());
// Only the first call should have resulted in a request. The second time the token hadn't expired.
Assert.Equal(1, messageHandler.Calls);
}
public async Task FetchesOidcToken_CorrectPayloadSent()
{
var clock = new MockClock {
UtcNow = new DateTime(2020, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)
};
var messageHandler = new OidcTokenSuccessMessageHandler(clock);
var initializer = new ServiceAccountCredential.Initializer("MyId", "http://will.be.ignored")
{
Clock = clock,
ProjectId = "a_project_id",
HttpClientFactory = new MockHttpClientFactory(messageHandler)
};
var credential = new ServiceAccountCredential(initializer.FromPrivateKey(PrivateKey));
var expectedPayload = new JsonWebSignature.Payload
{
Issuer = "MyId",
Subject = "MyId",
Audience = GoogleAuthConsts.OidcAuthorizationUrl,
IssuedAtTimeSeconds = (long)(clock.UtcNow - UnixEpoch).TotalSeconds,
ExpirationTimeSeconds = (long)(clock.UtcNow.Add(JwtLifetime) - UnixEpoch).TotalSeconds,
TargetAudience = "any_audience"
};
var serializedExpectedPayload = NewtonsoftJsonSerializer.Instance.Serialize(expectedPayload);
var urlSafeEncodedExpectedPayload = UrlSafeBase64Encode(serializedExpectedPayload);
var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("any_audience"));
await oidcToken.GetAccessTokenAsync();
var requestFormDict = messageHandler.LatestRequestContent.Split('&')
.ToDictionary(entry => entry.Split('=')[0], entry => entry.Split('=')[1]);
var assertion = requestFormDict["assertion"];
// Assertion format shoould be headers.payload.signature
var encodedPayload = assertion.Split('.')[1];
Assert.Contains(urlSafeEncodedExpectedPayload, encodedPayload);
}