From 14e77652ec6d49fc8b60808f9322004899b04cf3 Mon Sep 17 00:00:00 2001
From: nicain
Date: Wed, 1 Sep 2021 05:14:20 -0700
Subject: [PATCH] fix(v1beta2): enable self signed jwt for grpc (#191)
* fix: Remove Owlbot v1beta2 customization that passes default scopes as user scopes, so that the auth library does not use the self-signed JWT flow.
* run owlbot locally
* remove replacements for v1beta2 in owlbot.py
Co-authored-by: Nick Cain
Co-authored-by: Anthonios Partheniou
---
 .../transports/base.py | 10 +-------
 owlbot.py | 23 -------------------
 .../test_document_understanding_service.py | 4 ++--
 3 files changed, 3 insertions(+), 34 deletions(-)
diff --git a/google/cloud/documentai_v1beta2/services/document_understanding_service/transports/base.py b/google/cloud/documentai_v1beta2/services/document_understanding_service/transports/base.py
index 4468ab91..e016c306 100644
--- a/google/cloud/documentai_v1beta2/services/document_understanding_service/transports/base.py
+++ b/google/cloud/documentai_v1beta2/services/document_understanding_service/transports/base.py
@@ -148,15 +148,7 @@ def _get_scopes_kwargs(
 packaging.version.parse(_GOOGLE_AUTH_VERSION)
 >= packaging.version.parse("1.25.0")
 ):
- # Documentai uses a regional host (us-documentai.googleapis.com) as the default
- # so self-signed JWT cannot be used.
- # Intentionally pass default scopes as user scopes so the auth library
- # does not use the self-signed JWT flow.
- # https://github.com/googleapis/python-documentai/issues/174
- scopes_kwargs = {
- "scopes": scopes or cls.AUTH_SCOPES,
- "default_scopes": cls.AUTH_SCOPES,
- }
+ scopes_kwargs = {"scopes": scopes, "default_scopes": cls.AUTH_SCOPES}
 else:
 scopes_kwargs = {"scopes": scopes or cls.AUTH_SCOPES}
diff --git a/owlbot.py b/owlbot.py
index ef72a19c..40550c3a 100644
--- a/owlbot.py
+++ b/owlbot.py
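Review bot: The replacement line in `_get_scopes_kwargs` (transports/base.py) changes which credential flow the auth library selects, yet the new code carries no comment saying so, while the removed comment recorded that self-signed JWT could not be used with the regional default host (issue #174). A short comment above the new line would keep that context, for example `# scopes stays None unless the caller sets it, so google-auth may use the self-signed JWT flow; see issue #174 for the regional-host history`. Nothing visible in this patch shows that the regional-host limitation has been resolved, and the updated unit tests only assert that `scopes=None` is passed through, so the behaviour against the regional endpoint should be confirmed before release. The function starts before this hunk and continues after it.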
@@ -30,34 +30,11 @@ for library in s.get_staging_dirs(default_version):
 excludes = [
 "README.rst",
- "nox.py",
 "docs/index.rst",
 "setup.py",
 "scripts/fixup_documentai_v*", # this library was always generated with the microgenerator
 ]
- s.replace(library / "google/cloud/documentai_v1beta2/**/base.py",
- """scopes_kwargs = \{"scopes": scopes, "default_scopes": cls\.AUTH_SCOPES\}""",
- """# Documentai uses a regional host (us-documentai.googleapis.com) as the default
- # so self-signed JWT cannot be used.
- # Intentionally pass default scopes as user scopes so the auth library
- # does not use the self-signed JWT flow.
- # https://github.com/googleapis/python-documentai/issues/174
- scopes_kwargs = {"scopes": scopes or cls.AUTH_SCOPES, "default_scopes": cls.AUTH_SCOPES}""")
-
- s.replace(library / "tests/**/documentai_v1beta2/*.py",
- """(@requires_google_auth_gte_1_25_0
-def test_document_.*?_service_base_transport_with_credentials_file.*?)scopes=None,""",
- """\g<1>scopes=("https://www.googleapis.com/auth/cloud-platform",),""",
- flags=re.MULTILINE | re.DOTALL,
- )
-
- s.replace(library / "tests/**/documentai_v1beta2/*.py",
- """(@requires_google_auth_gte_1_25_0
-def test_document_.*?_service_auth_adc.*?)scopes=None,""",
- """\g<1>scopes=("https://www.googleapis.com/auth/cloud-platform",),""",
- flags=re.MULTILINE | re.DOTALL,
- )
 s.move(library, excludes=excludes)
 s.remove_staging_dirs()
diff --git a/tests/unit/gapic/documentai_v1beta2/test_document_understanding_service.py b/tests/unit/gapic/documentai_v1beta2/test_document_understanding_service.py
index 84996907..d2edb50c 100644
--- a/tests/unit/gapic/documentai_v1beta2/test_document_understanding_service.py
+++ b/tests/unit/gapic/documentai_v1beta2/test_document_understanding_service.py
@@ -1045,7 +1045,7 @@ def test_document_understanding_service_base_transport_with_credentials_file():
 )
 load_creds.assert_called_once_with(
 "credentials.json",
- scopes=("https://www.googleapis.com/auth/cloud-platform",),
+ scopes=None,
 default_scopes=("https://www.googleapis.com/auth/cloud-platform",),
 quota_project_id="octopus",
 )
@@ -1089,7 +1089,7 @@ def test_document_understanding_service_auth_adc():
 adc.return_value = (ga_credentials.AnonymousCredentials(), None)
 DocumentUnderstandingServiceClient()
 adc.assert_called_once_with(
- scopes=("https://www.googleapis.com/auth/cloud-platform",),
+ scopes=None,
 default_scopes=("https://www.googleapis.com/auth/cloud-platform",),
 quota_project_id=None,
 )