chore: sync to master (#628)

* refactor: split 'with_quota_project' into separate base class (#561)

Co-authored-by: Tres Seaver <tseaver@palladion.com>

* fix: dummy commit to trigger a auto release (#597)

* chore: release 1.21.1 (#599)

* chore: updated CHANGELOG.md [ci skip]

* chore: updated setup.cfg [ci skip]

* chore: updated setup.py

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

* fix: migrate signBlob to iamcredentials.googleapis.com (#600)

Migrate signBlob from iam.googleapis.com to iamcredentials.googleapis.com.

This API is deprecated and will be shutdown in one year.

This is used google.auth.iam.Signer.
Added a system_test to sanity check the implementation.

* chore: release 1.21.2 (#601)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

* fix: fix expiry for `to_json()` (#589)

* This patch for </issues/501> includes the following fixes:

- The access token is always set to `None`, so the fix involves using (the access) `token` from the saved JSON credentials file.
- For refresh needs, `expiry` also needs to be saved via `to_json()`.
    - DUMP: As `expiry` is a `datetime.datetime` object, serialize to `datetime.isoformat()` in the same [`oauth2client` format](https://github.com/googleapis/oauth2client/blob/master/oauth2client/client.py#L55) for consistency.
    - LOAD: Add code to restore `expiry` back to `datetime.datetime` object when imported.
    - LOAD: If `expiry` was unsaved, automatically set it as expired so refresh takes place.
- Minor `scopes` updates
    - DUMP: Add property for `scopes` so `to_json()` can grab it
    - LOAD: `scopes` may be saved as a string instead of a JSON array (Python list), so ensure it is Sequence[str] when imported.

* chore: add default CODEOWNERS (#609)

* chore: release 1.21.3 (#607)

* feat: add asyncio based auth flow (#612)

* feat: asyncio http request logic and asynchronous credentials logic  (#572)

Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>

* chore: release 1.22.0 (#615)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

* fix: move aiohttp to extra as it is currently internal surface (#619)

Fix #618. Removes aiohttp from required dependencies to lessen dependency tree for google-auth.

This will need to be looked at again as more folks use aiohttp and once the surfaces goes to public visibility.

* chore: release 1.22.1 (#620)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

* fix: remove checks for ancient versions of Cryptography (#596)

Refs #595 (comment) 

I see no point in checking whether someone is running a version of https://github.com/pyca/cryptography/ from 2014 that doesn't even compile against modern versions of OpenSSL anymore.

* chore: sync to master

Syncs to master.
Fixes broken unit tests in Python 3.6 and 3.7.
Aligns test_identity_pool.py with test_aws.py.

Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>
Co-authored-by: Tres Seaver <tseaver@palladion.com>
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: wesley chun <wescpy@gmail.com>
Co-authored-by: Christopher Wilcox <crwilcox@google.com>
Co-authored-by: Anirudh Baddepudi <43104821+anibadde@users.noreply.github.com>
Co-authored-by: Aarni Koskela <akx@iki.fi>

noxfile.py

@@ -30,7 +30,7 @@
     "grpcio",
 ]
 
-ASYNC_DEPENDENCIES = ["pytest-asyncio", "aioresponses"]
+ASYNC_DEPENDENCIES = ["pytest-asyncio", "aioresponses", "asynctest"]
 
 BLACK_VERSION = "black==19.3b0"
 BLACK_PATHS = [
@@ -64,9 +64,7 @@ def lint(session):
 @nox.session(python="3.6")
 def blacken(session):
     """Run black.
-
     Format code to uniform standard.
-
     This currently uses Python 3.6 due to the automated Kokoro run of synthtool.
     That run uses an image that doesn't have 3.6 installed. Before updating this
     check the state of the `gcp_ubuntu_config` we use for that Kokoro run.

setup.py

@@ -20,15 +20,13 @@
 
 DEPENDENCIES = (
     "cachetools>=2.0.0,<5.0",
-    'enum34; python_version < "3.4"',
     "pyasn1-modules>=0.2.1",
     # rsa==4.5 is the last version to support 2.7
     # https://github.com/sybrenstuvel/python-rsa/issues/152#issuecomment-643470233
     'rsa<4.6; python_version < "3.5"',
     'rsa>=3.1.4,<5; python_version >= "3.5"',
     "setuptools>=40.3.0",
     "six>=1.9.0",
-    'aiohttp >= 3.6.2, < 4.0.0dev; python_version>="3.6"',
 )
 
 extras = {"aiohttp": "aiohttp >= 3.6.2, < 4.0.0dev; python_version>='3.6'"}

tests/test_identity_pool.py

@@ -72,19 +72,20 @@ class TestCredentials(object):
     @classmethod
     def make_mock_request(
         cls,
-        data,
-        status=http_client.OK,
-        impersonation_data=None,
+        token_status=http_client.OK,
+        token_data=None,
         impersonation_status=None,
+        impersonation_data=None,
     ):
+        responses = []
         # STS token exchange request.
         token_response = mock.create_autospec(transport.Response, instance=True)
-        token_response.status = status
-        token_response.data = json.dumps(data).encode("utf-8")
-        responses = [token_response]
+        token_response.status = token_status
+        token_response.data = json.dumps(token_data).encode("utf-8")
+        responses.append(token_response)
 
         # If service account impersonation is requested, mock the expected response.
-        if impersonation_status and impersonation_status:
+        if impersonation_status:
             impersonation_response = mock.create_autospec(
                 transport.Response, instance=True
             )
@@ -169,8 +170,6 @@ def assert_underlying_credentials_refresh(
             "subject_token": subject_token,
             "subject_token_type": subject_token_type,
         }
-        if token_scopes == "":
-            token_request_data.pop("scope", None)
         # Service account impersonation request/response.
         impersonation_response = {
             "accessToken": "SA_ACCESS_TOKEN",
@@ -180,8 +179,6 @@ def assert_underlying_credentials_refresh(
             "Content-Type": "application/json",
             "authorization": "Bearer {}".format(token_response["access_token"]),
         }
-        if quota_project_id:
-            impersonation_headers["x-goog-user-project"] = quota_project_id
         impersonation_request_data = {
             "delegates": None,
             "scope": scopes,
@@ -190,8 +187,8 @@ def assert_underlying_credentials_refresh(
         # Initialize mock request to handle token exchange and service account
         # impersonation request.
         request = cls.make_mock_request(
-            status=http_client.OK,
-            data=token_response,
+            token_status=http_client.OK,
+            token_data=token_response,
             impersonation_status=impersonation_status,
             impersonation_data=impersonation_response,
         )
@@ -243,7 +240,8 @@ def make_credentials(
             scopes=scopes,
         )
 
-    def test_from_info_full_options(self):
+    @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
+    def test_from_info_full_options(self, mock_init):
         credentials = identity_pool.Credentials.from_info(
             {
                 "audience": AUDIENCE,
@@ -259,18 +257,19 @@ def test_from_info_full_options(self):
 
         # Confirm identity_pool.Credentials instantiated with expected attributes.
         assert isinstance(credentials, identity_pool.Credentials)
-        self.assert_underlying_credentials_refresh(
-            credentials=credentials,
+        mock_init.assert_called_once_with(
             audience=AUDIENCE,
-            subject_token=TEXT_FILE_SUBJECT_TOKEN,
             subject_token_type=SUBJECT_TOKEN_TYPE,
             token_url=TOKEN_URL,
             service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
-            basic_auth_encoding=BASIC_AUTH_ENCODING,
+            client_id=CLIENT_ID,
+            client_secret=CLIENT_SECRET,
+            credential_source=self.CREDENTIAL_SOURCE_TEXT,
             quota_project_id=QUOTA_PROJECT_ID,
         )
 
-    def test_from_info_required_options_only(self):
+    @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
+    def test_from_info_required_options_only(self, mock_init):
         credentials = identity_pool.Credentials.from_info(
             {
                 "audience": AUDIENCE,
@@ -282,15 +281,19 @@ def test_from_info_required_options_only(self):
 
         # Confirm identity_pool.Credentials instantiated with expected attributes.
         assert isinstance(credentials, identity_pool.Credentials)
-        self.assert_underlying_credentials_refresh(
-            credentials=credentials,
+        mock_init.assert_called_once_with(
             audience=AUDIENCE,
-            subject_token=TEXT_FILE_SUBJECT_TOKEN,
             subject_token_type=SUBJECT_TOKEN_TYPE,
             token_url=TOKEN_URL,
+            service_account_impersonation_url=None,
+            client_id=None,
+            client_secret=None,
+            credential_source=self.CREDENTIAL_SOURCE_TEXT,
+            quota_project_id=None,
         )
 
-    def test_from_file_full_options(self, tmpdir):
+    @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
+    def test_from_file_full_options(self, mock_init, tmpdir):
         info = {
             "audience": AUDIENCE,
             "subject_token_type": SUBJECT_TOKEN_TYPE,
@@ -307,18 +310,19 @@ def test_from_file_full_options(self, tmpdir):
 
         # Confirm identity_pool.Credentials instantiated with expected attributes.
         assert isinstance(credentials, identity_pool.Credentials)
-        self.assert_underlying_credentials_refresh(
-            credentials=credentials,
+        mock_init.assert_called_once_with(
             audience=AUDIENCE,
-            subject_token=TEXT_FILE_SUBJECT_TOKEN,
             subject_token_type=SUBJECT_TOKEN_TYPE,
             token_url=TOKEN_URL,
             service_account_impersonation_url=SERVICE_ACCOUNT_IMPERSONATION_URL,
-            basic_auth_encoding=BASIC_AUTH_ENCODING,
+            client_id=CLIENT_ID,
+            client_secret=CLIENT_SECRET,
+            credential_source=self.CREDENTIAL_SOURCE_TEXT,
             quota_project_id=QUOTA_PROJECT_ID,
         )
 
-    def test_from_file_required_options_only(self, tmpdir):
+    @mock.patch.object(identity_pool.Credentials, "__init__", return_value=None)
+    def test_from_file_required_options_only(self, mock_init, tmpdir):
         info = {
             "audience": AUDIENCE,
             "subject_token_type": SUBJECT_TOKEN_TYPE,
@@ -331,12 +335,15 @@ def test_from_file_required_options_only(self, tmpdir):
 
         # Confirm identity_pool.Credentials instantiated with expected attributes.
         assert isinstance(credentials, identity_pool.Credentials)
-        self.assert_underlying_credentials_refresh(
-            credentials=credentials,
+        mock_init.assert_called_once_with(
             audience=AUDIENCE,
-            subject_token=TEXT_FILE_SUBJECT_TOKEN,
             subject_token_type=SUBJECT_TOKEN_TYPE,
             token_url=TOKEN_URL,
+            service_account_impersonation_url=None,
+            client_id=None,
+            client_secret=None,
+            credential_source=self.CREDENTIAL_SOURCE_TEXT,
+            quota_project_id=None,
         )
 
     def test_constructor_invalid_options(self):