From da9e307cec6e2d38ef3c42a67ebdb6ab915b09f5 Mon Sep 17 00:00:00 2001 From: Yoshi Automation Bot Date: Tue, 1 Dec 2020 07:58:53 -0800 Subject: [PATCH] feat: add common resource helpers; expose client transport --- docs/credentials_v1/types.rst | 1 + .../services/iam_credentials/async_client.py | 118 ++- .../services/iam_credentials/client.py | 357 +++++--- .../iam_credentials/transports/base.py | 79 +- .../iam_credentials/transports/grpc.py | 76 +- .../transports/grpc_asyncio.py | 65 +- noxfile.py | 2 +- scripts/fixup_credentials_v1_keywords.py | 1 + synth.metadata | 92 +- tests/unit/gapic/credentials_v1/__init__.py | 1 + .../credentials_v1/test_iam_credentials.py | 833 ++++++++++++------ 11 files changed, 1135 insertions(+), 490 deletions(-) create mode 100644 tests/unit/gapic/credentials_v1/__init__.py diff --git a/docs/credentials_v1/types.rst b/docs/credentials_v1/types.rst index a21388a..8df2cf1 100644 --- a/docs/credentials_v1/types.rst +++ b/docs/credentials_v1/types.rst @@ -3,3 +3,4 @@ Types for Google Iam Credentials v1 API .. automodule:: google.cloud.iam_credentials_v1.types :members: + :show-inheritance: diff --git a/google/cloud/iam_credentials_v1/services/iam_credentials/async_client.py b/google/cloud/iam_credentials_v1/services/iam_credentials/async_client.py index c113522..6c6dd71 100644 --- a/google/cloud/iam_credentials_v1/services/iam_credentials/async_client.py +++ b/google/cloud/iam_credentials_v1/services/iam_credentials/async_client.py @@ -32,7 +32,7 @@ from google.protobuf import duration_pb2 as duration # type: ignore from google.protobuf import timestamp_pb2 as timestamp # type: ignore -from .transports.base import IAMCredentialsTransport +from .transports.base import IAMCredentialsTransport, DEFAULT_CLIENT_INFO from .transports.grpc_asyncio import IAMCredentialsGrpcAsyncIOTransport from .client import IAMCredentialsClient @@ -55,9 +55,52 @@ class IAMCredentialsAsyncClient: DEFAULT_ENDPOINT = IAMCredentialsClient.DEFAULT_ENDPOINT DEFAULT_MTLS_ENDPOINT = IAMCredentialsClient.DEFAULT_MTLS_ENDPOINT + service_account_path = staticmethod(IAMCredentialsClient.service_account_path) + parse_service_account_path = staticmethod( + IAMCredentialsClient.parse_service_account_path + ) + + common_billing_account_path = staticmethod( + IAMCredentialsClient.common_billing_account_path + ) + parse_common_billing_account_path = staticmethod( + IAMCredentialsClient.parse_common_billing_account_path + ) + + common_folder_path = staticmethod(IAMCredentialsClient.common_folder_path) + parse_common_folder_path = staticmethod( + IAMCredentialsClient.parse_common_folder_path + ) + + common_organization_path = staticmethod( + IAMCredentialsClient.common_organization_path + ) + parse_common_organization_path = staticmethod( + IAMCredentialsClient.parse_common_organization_path + ) + + common_project_path = staticmethod(IAMCredentialsClient.common_project_path) + parse_common_project_path = staticmethod( + IAMCredentialsClient.parse_common_project_path + ) + + common_location_path = staticmethod(IAMCredentialsClient.common_location_path) + parse_common_location_path = staticmethod( + IAMCredentialsClient.parse_common_location_path + ) + from_service_account_file = IAMCredentialsClient.from_service_account_file from_service_account_json = from_service_account_file + @property + def transport(self) -> IAMCredentialsTransport: + """Return the transport used by the client instance. + + Returns: + IAMCredentialsTransport: The transport used by the client instance. + """ + return self._client.transport + get_transport_class = functools.partial( type(IAMCredentialsClient).get_transport_class, type(IAMCredentialsClient) ) @@ -68,6 +111,7 @@ def __init__( credentials: credentials.Credentials = None, transport: Union[str, IAMCredentialsTransport] = "grpc_asyncio", client_options: ClientOptions = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, ) -> None: """Instantiate the iam credentials client. @@ -83,16 +127,19 @@ def __init__( client_options (ClientOptions): Custom options for the client. It won't take effect if a ``transport`` instance is provided. (1) The ``api_endpoint`` property can be used to override the - default endpoint provided by the client. GOOGLE_API_USE_MTLS + default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: "always" (always use the default mTLS endpoint), "never" (always - use the default regular endpoint, this is the default value for - the environment variable) and "auto" (auto switch to the default - mTLS endpoint if client SSL credentials is present). However, - the ``api_endpoint`` property takes precedence if provided. - (2) The ``client_cert_source`` property is used to provide client - SSL credentials for mutual TLS transport. If not provided, the - default SSL credentials will be used if present. + use the default regular endpoint) and "auto" (auto switch to the + default mTLS endpoint if client certificate is present, this is + the default value). However, the ``api_endpoint`` property takes + precedence if provided. + (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable + is "true", then the ``client_cert_source`` property can be used + to provide client certificate for mutual TLS transport. If + not provided, the default SSL client certificate will be used if + present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not + set, no client certificate will be used. Raises: google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport @@ -100,7 +147,10 @@ def __init__( """ self._client = IAMCredentialsClient( - credentials=credentials, transport=transport, client_options=client_options, + credentials=credentials, + transport=transport, + client_options=client_options, + client_info=client_info, ) async def generate_access_token( @@ -182,7 +232,8 @@ async def generate_access_token( # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - if request is not None and any([name, delegates, scope, lifetime]): + has_flattened_params = any([name, delegates, scope, lifetime]) + if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." @@ -195,13 +246,14 @@ async def generate_access_token( if name is not None: request.name = name - if delegates is not None: - request.delegates = delegates - if scope is not None: - request.scope = scope if lifetime is not None: request.lifetime = lifetime + if delegates: + request.delegates.extend(delegates) + if scope: + request.scope.extend(scope) + # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = gapic_v1.method_async.wrap_method( @@ -215,7 +267,7 @@ async def generate_access_token( ), ), default_timeout=60.0, - client_info=_client_info, + client_info=DEFAULT_CLIENT_INFO, ) # Certain fields should be provided within the metadata header; @@ -303,7 +355,8 @@ async def generate_id_token( # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - if request is not None and any([name, delegates, audience, include_email]): + has_flattened_params = any([name, delegates, audience, include_email]) + if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." @@ -316,13 +369,14 @@ async def generate_id_token( if name is not None: request.name = name - if delegates is not None: - request.delegates = delegates if audience is not None: request.audience = audience if include_email is not None: request.include_email = include_email + if delegates: + request.delegates.extend(delegates) + # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = gapic_v1.method_async.wrap_method( @@ -336,7 +390,7 @@ async def generate_id_token( ), ), default_timeout=60.0, - client_info=_client_info, + client_info=DEFAULT_CLIENT_INFO, ) # Certain fields should be provided within the metadata header; @@ -414,7 +468,8 @@ async def sign_blob( # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - if request is not None and any([name, delegates, payload]): + has_flattened_params = any([name, delegates, payload]) + if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." @@ -427,11 +482,12 @@ async def sign_blob( if name is not None: request.name = name - if delegates is not None: - request.delegates = delegates if payload is not None: request.payload = payload + if delegates: + request.delegates.extend(delegates) + # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = gapic_v1.method_async.wrap_method( @@ -445,7 +501,7 @@ async def sign_blob( ), ), default_timeout=60.0, - client_info=_client_info, + client_info=DEFAULT_CLIENT_INFO, ) # Certain fields should be provided within the metadata header; @@ -525,7 +581,8 @@ async def sign_jwt( # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - if request is not None and any([name, delegates, payload]): + has_flattened_params = any([name, delegates, payload]) + if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." @@ -538,11 +595,12 @@ async def sign_jwt( if name is not None: request.name = name - if delegates is not None: - request.delegates = delegates if payload is not None: request.payload = payload + if delegates: + request.delegates.extend(delegates) + # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = gapic_v1.method_async.wrap_method( @@ -556,7 +614,7 @@ async def sign_jwt( ), ), default_timeout=60.0, - client_info=_client_info, + client_info=DEFAULT_CLIENT_INFO, ) # Certain fields should be provided within the metadata header; @@ -573,11 +631,11 @@ async def sign_jwt( try: - _client_info = gapic_v1.client_info.ClientInfo( + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( gapic_version=pkg_resources.get_distribution("google-cloud-iam",).version, ) except pkg_resources.DistributionNotFound: - _client_info = gapic_v1.client_info.ClientInfo() + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() __all__ = ("IAMCredentialsAsyncClient",) diff --git a/google/cloud/iam_credentials_v1/services/iam_credentials/client.py b/google/cloud/iam_credentials_v1/services/iam_credentials/client.py index 169eac8..4cd94d6 100644 --- a/google/cloud/iam_credentials_v1/services/iam_credentials/client.py +++ b/google/cloud/iam_credentials_v1/services/iam_credentials/client.py @@ -16,17 +16,19 @@ # from collections import OrderedDict +from distutils import util import os import re -from typing import Callable, Dict, Sequence, Tuple, Type, Union +from typing import Callable, Dict, Optional, Sequence, Tuple, Type, Union import pkg_resources -import google.api_core.client_options as ClientOptions # type: ignore +from google.api_core import client_options as client_options_lib # type: ignore from google.api_core import exceptions # type: ignore from google.api_core import gapic_v1 # type: ignore from google.api_core import retry as retries # type: ignore from google.auth import credentials # type: ignore from google.auth.transport import mtls # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore from google.auth.exceptions import MutualTLSChannelError # type: ignore from google.oauth2 import service_account # type: ignore @@ -34,7 +36,7 @@ from google.protobuf import duration_pb2 as duration # type: ignore from google.protobuf import timestamp_pb2 as timestamp # type: ignore -from .transports.base import IAMCredentialsTransport +from .transports.base import IAMCredentialsTransport, DEFAULT_CLIENT_INFO from .transports.grpc import IAMCredentialsGrpcTransport from .transports.grpc_asyncio import IAMCredentialsGrpcAsyncIOTransport @@ -139,12 +141,97 @@ def from_service_account_file(cls, filename: str, *args, **kwargs): from_service_account_json = from_service_account_file + @property + def transport(self) -> IAMCredentialsTransport: + """Return the transport used by the client instance. + + Returns: + IAMCredentialsTransport: The transport used by the client instance. + """ + return self._transport + + @staticmethod + def service_account_path(project: str, service_account: str,) -> str: + """Return a fully-qualified service_account string.""" + return "projects/{project}/serviceAccounts/{service_account}".format( + project=project, service_account=service_account, + ) + + @staticmethod + def parse_service_account_path(path: str) -> Dict[str, str]: + """Parse a service_account path into its component segments.""" + m = re.match( + r"^projects/(?P.+?)/serviceAccounts/(?P.+?)$", + path, + ) + return m.groupdict() if m else {} + + @staticmethod + def common_billing_account_path(billing_account: str,) -> str: + """Return a fully-qualified billing_account string.""" + return "billingAccounts/{billing_account}".format( + billing_account=billing_account, + ) + + @staticmethod + def parse_common_billing_account_path(path: str) -> Dict[str, str]: + """Parse a billing_account path into its component segments.""" + m = re.match(r"^billingAccounts/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_folder_path(folder: str,) -> str: + """Return a fully-qualified folder string.""" + return "folders/{folder}".format(folder=folder,) + + @staticmethod + def parse_common_folder_path(path: str) -> Dict[str, str]: + """Parse a folder path into its component segments.""" + m = re.match(r"^folders/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_organization_path(organization: str,) -> str: + """Return a fully-qualified organization string.""" + return "organizations/{organization}".format(organization=organization,) + + @staticmethod + def parse_common_organization_path(path: str) -> Dict[str, str]: + """Parse a organization path into its component segments.""" + m = re.match(r"^organizations/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_project_path(project: str,) -> str: + """Return a fully-qualified project string.""" + return "projects/{project}".format(project=project,) + + @staticmethod + def parse_common_project_path(path: str) -> Dict[str, str]: + """Parse a project path into its component segments.""" + m = re.match(r"^projects/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_location_path(project: str, location: str,) -> str: + """Return a fully-qualified location string.""" + return "projects/{project}/locations/{location}".format( + project=project, location=location, + ) + + @staticmethod + def parse_common_location_path(path: str) -> Dict[str, str]: + """Parse a location path into its component segments.""" + m = re.match(r"^projects/(?P.+?)/locations/(?P.+?)$", path) + return m.groupdict() if m else {} + def __init__( self, *, - credentials: credentials.Credentials = None, - transport: Union[str, IAMCredentialsTransport] = None, - client_options: ClientOptions = None, + credentials: Optional[credentials.Credentials] = None, + transport: Union[str, IAMCredentialsTransport, None] = None, + client_options: Optional[client_options_lib.ClientOptions] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, ) -> None: """Instantiate the iam credentials client. @@ -157,48 +244,74 @@ def __init__( transport (Union[str, ~.IAMCredentialsTransport]): The transport to use. If set to None, a transport is chosen automatically. - client_options (ClientOptions): Custom options for the client. It - won't take effect if a ``transport`` instance is provided. + client_options (client_options_lib.ClientOptions): Custom options for the + client. It won't take effect if a ``transport`` instance is provided. (1) The ``api_endpoint`` property can be used to override the - default endpoint provided by the client. GOOGLE_API_USE_MTLS + default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: "always" (always use the default mTLS endpoint), "never" (always - use the default regular endpoint, this is the default value for - the environment variable) and "auto" (auto switch to the default - mTLS endpoint if client SSL credentials is present). However, - the ``api_endpoint`` property takes precedence if provided. - (2) The ``client_cert_source`` property is used to provide client - SSL credentials for mutual TLS transport. If not provided, the - default SSL credentials will be used if present. + use the default regular endpoint) and "auto" (auto switch to the + default mTLS endpoint if client certificate is present, this is + the default value). However, the ``api_endpoint`` property takes + precedence if provided. + (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable + is "true", then the ``client_cert_source`` property can be used + to provide client certificate for mutual TLS transport. If + not provided, the default SSL client certificate will be used if + present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not + set, no client certificate will be used. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. Raises: google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport creation failed for any reason. """ if isinstance(client_options, dict): - client_options = ClientOptions.from_dict(client_options) + client_options = client_options_lib.from_dict(client_options) if client_options is None: - client_options = ClientOptions.ClientOptions() + client_options = client_options_lib.ClientOptions() + + # Create SSL credentials for mutual TLS if needed. + use_client_cert = bool( + util.strtobool(os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")) + ) + + ssl_credentials = None + is_mtls = False + if use_client_cert: + if client_options.client_cert_source: + import grpc # type: ignore + + cert, key = client_options.client_cert_source() + ssl_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + is_mtls = True + else: + creds = SslCredentials() + is_mtls = creds.is_mtls + ssl_credentials = creds.ssl_credentials if is_mtls else None - if client_options.api_endpoint is None: - use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS", "never") + # Figure out which api endpoint to use. + if client_options.api_endpoint is not None: + api_endpoint = client_options.api_endpoint + else: + use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") if use_mtls_env == "never": - client_options.api_endpoint = self.DEFAULT_ENDPOINT + api_endpoint = self.DEFAULT_ENDPOINT elif use_mtls_env == "always": - client_options.api_endpoint = self.DEFAULT_MTLS_ENDPOINT + api_endpoint = self.DEFAULT_MTLS_ENDPOINT elif use_mtls_env == "auto": - has_client_cert_source = ( - client_options.client_cert_source is not None - or mtls.has_default_client_cert_source() - ) - client_options.api_endpoint = ( - self.DEFAULT_MTLS_ENDPOINT - if has_client_cert_source - else self.DEFAULT_ENDPOINT + api_endpoint = ( + self.DEFAULT_MTLS_ENDPOINT if is_mtls else self.DEFAULT_ENDPOINT ) else: raise MutualTLSChannelError( - "Unsupported GOOGLE_API_USE_MTLS value. Accepted values: never, auto, always" + "Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted values: never, auto, always" ) # Save or instantiate the transport. @@ -222,11 +335,11 @@ def __init__( self._transport = Transport( credentials=credentials, credentials_file=client_options.credentials_file, - host=client_options.api_endpoint, + host=api_endpoint, scopes=client_options.scopes, - api_mtls_endpoint=client_options.api_endpoint, - client_cert_source=client_options.client_cert_source, + ssl_channel_credentials=ssl_credentials, quota_project_id=client_options.quota_project_id, + client_info=client_info, ) def generate_access_token( @@ -308,41 +421,36 @@ def generate_access_token( # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - if request is not None and any([name, delegates, scope, lifetime]): + has_flattened_params = any([name, delegates, scope, lifetime]) + if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) - request = common.GenerateAccessTokenRequest(request) + # Minor optimization to avoid making a copy if the user passes + # in a common.GenerateAccessTokenRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, common.GenerateAccessTokenRequest): + request = common.GenerateAccessTokenRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. - # If we have keyword arguments corresponding to fields on the - # request, apply these. + if name is not None: + request.name = name + if lifetime is not None: + request.lifetime = lifetime - if name is not None: - request.name = name - if delegates is not None: - request.delegates = delegates - if scope is not None: - request.scope = scope - if lifetime is not None: - request.lifetime = lifetime + if delegates: + request.delegates.extend(delegates) + if scope: + request.scope.extend(scope) # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. - rpc = gapic_v1.method.wrap_method( - self._transport.generate_access_token, - default_retry=retries.Retry( - initial=0.1, - maximum=60.0, - multiplier=1.3, - predicate=retries.if_exception_type( - exceptions.DeadlineExceeded, exceptions.ServiceUnavailable, - ), - ), - default_timeout=60.0, - client_info=_client_info, - ) + rpc = self._transport._wrapped_methods[self._transport.generate_access_token] # Certain fields should be provided within the metadata header; # add these here. @@ -429,41 +537,36 @@ def generate_id_token( # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - if request is not None and any([name, delegates, audience, include_email]): + has_flattened_params = any([name, delegates, audience, include_email]) + if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) - request = common.GenerateIdTokenRequest(request) + # Minor optimization to avoid making a copy if the user passes + # in a common.GenerateIdTokenRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, common.GenerateIdTokenRequest): + request = common.GenerateIdTokenRequest(request) - # If we have keyword arguments corresponding to fields on the - # request, apply these. + # If we have keyword arguments corresponding to fields on the + # request, apply these. - if name is not None: - request.name = name - if delegates is not None: - request.delegates = delegates - if audience is not None: - request.audience = audience - if include_email is not None: - request.include_email = include_email + if name is not None: + request.name = name + if audience is not None: + request.audience = audience + if include_email is not None: + request.include_email = include_email + + if delegates: + request.delegates.extend(delegates) # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. - rpc = gapic_v1.method.wrap_method( - self._transport.generate_id_token, - default_retry=retries.Retry( - initial=0.1, - maximum=60.0, - multiplier=1.3, - predicate=retries.if_exception_type( - exceptions.DeadlineExceeded, exceptions.ServiceUnavailable, - ), - ), - default_timeout=60.0, - client_info=_client_info, - ) + rpc = self._transport._wrapped_methods[self._transport.generate_id_token] # Certain fields should be provided within the metadata header; # add these here. @@ -540,39 +643,34 @@ def sign_blob( # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - if request is not None and any([name, delegates, payload]): + has_flattened_params = any([name, delegates, payload]) + if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) - request = common.SignBlobRequest(request) + # Minor optimization to avoid making a copy if the user passes + # in a common.SignBlobRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, common.SignBlobRequest): + request = common.SignBlobRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. - # If we have keyword arguments corresponding to fields on the - # request, apply these. + if name is not None: + request.name = name + if payload is not None: + request.payload = payload - if name is not None: - request.name = name - if delegates is not None: - request.delegates = delegates - if payload is not None: - request.payload = payload + if delegates: + request.delegates.extend(delegates) # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. - rpc = gapic_v1.method.wrap_method( - self._transport.sign_blob, - default_retry=retries.Retry( - initial=0.1, - maximum=60.0, - multiplier=1.3, - predicate=retries.if_exception_type( - exceptions.DeadlineExceeded, exceptions.ServiceUnavailable, - ), - ), - default_timeout=60.0, - client_info=_client_info, - ) + rpc = self._transport._wrapped_methods[self._transport.sign_blob] # Certain fields should be provided within the metadata header; # add these here. @@ -651,39 +749,34 @@ def sign_jwt( # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - if request is not None and any([name, delegates, payload]): + has_flattened_params = any([name, delegates, payload]) + if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) - request = common.SignJwtRequest(request) + # Minor optimization to avoid making a copy if the user passes + # in a common.SignJwtRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, common.SignJwtRequest): + request = common.SignJwtRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. - # If we have keyword arguments corresponding to fields on the - # request, apply these. + if name is not None: + request.name = name + if payload is not None: + request.payload = payload - if name is not None: - request.name = name - if delegates is not None: - request.delegates = delegates - if payload is not None: - request.payload = payload + if delegates: + request.delegates.extend(delegates) # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. - rpc = gapic_v1.method.wrap_method( - self._transport.sign_jwt, - default_retry=retries.Retry( - initial=0.1, - maximum=60.0, - multiplier=1.3, - predicate=retries.if_exception_type( - exceptions.DeadlineExceeded, exceptions.ServiceUnavailable, - ), - ), - default_timeout=60.0, - client_info=_client_info, - ) + rpc = self._transport._wrapped_methods[self._transport.sign_jwt] # Certain fields should be provided within the metadata header; # add these here. @@ -699,11 +792,11 @@ def sign_jwt( try: - _client_info = gapic_v1.client_info.ClientInfo( + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( gapic_version=pkg_resources.get_distribution("google-cloud-iam",).version, ) except pkg_resources.DistributionNotFound: - _client_info = gapic_v1.client_info.ClientInfo() + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() __all__ = ("IAMCredentialsClient",) diff --git a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py index ddeacc9..9e5186e 100644 --- a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py +++ b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py @@ -17,14 +17,25 @@ import abc import typing +import pkg_resources -from google import auth +from google import auth # type: ignore from google.api_core import exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore from google.auth import credentials # type: ignore from google.cloud.iam_credentials_v1.types import common +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution("google-cloud-iam",).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + + class IAMCredentialsTransport(abc.ABC): """Abstract transport class for IAMCredentials.""" @@ -38,6 +49,7 @@ def __init__( credentials_file: typing.Optional[str] = None, scopes: typing.Optional[typing.Sequence[str]] = AUTH_SCOPES, quota_project_id: typing.Optional[str] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, **kwargs, ) -> None: """Instantiate the transport. @@ -55,6 +67,11 @@ def __init__( scope (Optional[Sequence[str]]): A list of scopes. quota_project_id (Optional[str]): An optional project to use for billing and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. """ # Save the hostname. Default to port 443 (HTTPS) if none is specified. if ":" not in host: @@ -81,6 +98,66 @@ def __init__( # Save the credentials. self._credentials = credentials + # Lifted into its own function so it can be stubbed out during tests. + self._prep_wrapped_messages(client_info) + + def _prep_wrapped_messages(self, client_info): + # Precompute the wrapped methods. + self._wrapped_methods = { + self.generate_access_token: gapic_v1.method.wrap_method( + self.generate_access_token, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + exceptions.DeadlineExceeded, exceptions.ServiceUnavailable, + ), + ), + default_timeout=60.0, + client_info=client_info, + ), + self.generate_id_token: gapic_v1.method.wrap_method( + self.generate_id_token, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + exceptions.DeadlineExceeded, exceptions.ServiceUnavailable, + ), + ), + default_timeout=60.0, + client_info=client_info, + ), + self.sign_blob: gapic_v1.method.wrap_method( + self.sign_blob, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + exceptions.DeadlineExceeded, exceptions.ServiceUnavailable, + ), + ), + default_timeout=60.0, + client_info=client_info, + ), + self.sign_jwt: gapic_v1.method.wrap_method( + self.sign_jwt, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + exceptions.DeadlineExceeded, exceptions.ServiceUnavailable, + ), + ), + default_timeout=60.0, + client_info=client_info, + ), + } + @property def generate_access_token( self, diff --git a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py index 4efc50b..18ea54d 100644 --- a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py +++ b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py @@ -15,19 +15,20 @@ # limitations under the License. # +import warnings from typing import Callable, Dict, Optional, Sequence, Tuple from google.api_core import grpc_helpers # type: ignore +from google.api_core import gapic_v1 # type: ignore from google import auth # type: ignore from google.auth import credentials # type: ignore from google.auth.transport.grpc import SslCredentials # type: ignore - import grpc # type: ignore from google.cloud.iam_credentials_v1.types import common -from .base import IAMCredentialsTransport +from .base import IAMCredentialsTransport, DEFAULT_CLIENT_INFO class IAMCredentialsGrpcTransport(IAMCredentialsTransport): @@ -64,7 +65,9 @@ def __init__( channel: grpc.Channel = None, api_mtls_endpoint: str = None, client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, - quota_project_id: Optional[str] = None + ssl_channel_credentials: grpc.ChannelCredentials = None, + quota_project_id: Optional[str] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, ) -> None: """Instantiate the transport. @@ -83,16 +86,23 @@ def __init__( ignored if ``channel`` is provided. channel (Optional[grpc.Channel]): A ``Channel`` instance through which to make calls. - api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If - provided, it overrides the ``host`` argument and tries to create + api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. + If provided, it overrides the ``host`` argument and tries to create a mutual TLS channel with client SSL credentials from ``client_cert_source`` or applicatin default SSL credentials. - client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A - callback to provide client SSL certificate bytes and private key - bytes, both in PEM format. It is ignored if ``api_mtls_endpoint`` - is None. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): + Deprecated. A callback to provide client SSL certificate bytes and + private key bytes, both in PEM format. It is ignored if + ``api_mtls_endpoint`` is None. + ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials + for grpc channel. It is ignored if ``channel`` is provided. quota_project_id (Optional[str]): An optional project to use for billing and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. Raises: google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport @@ -100,6 +110,8 @@ def __init__( google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` and ``credentials_file`` are passed. """ + self._ssl_channel_credentials = ssl_channel_credentials + if channel: # Sanity check: Ensure that channel and credentials are not both # provided. @@ -107,7 +119,13 @@ def __init__( # If a channel was explicitly provided, set it. self._grpc_channel = channel + self._ssl_channel_credentials = None elif api_mtls_endpoint: + warnings.warn( + "api_mtls_endpoint and client_cert_source are deprecated", + DeprecationWarning, + ) + host = ( api_mtls_endpoint if ":" in api_mtls_endpoint @@ -138,6 +156,26 @@ def __init__( scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, ) + self._ssl_channel_credentials = ssl_credentials + else: + host = host if ":" in host else host + ":443" + + if credentials is None: + credentials, _ = auth.default( + scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id + ) + + # create a new channel. The provided one is ignored. + self._grpc_channel = type(self).create_channel( + host, + credentials=credentials, + credentials_file=credentials_file, + ssl_credentials=ssl_channel_credentials, + scopes=scopes or self.AUTH_SCOPES, + quota_project_id=quota_project_id, + ) + + self._stubs = {} # type: Dict[str, Callable] # Run the base constructor. super().__init__( @@ -146,10 +184,9 @@ def __init__( credentials_file=credentials_file, scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, + client_info=client_info, ) - self._stubs = {} # type: Dict[str, Callable] - @classmethod def create_channel( cls, @@ -158,7 +195,7 @@ def create_channel( credentials_file: str = None, scopes: Optional[Sequence[str]] = None, quota_project_id: Optional[str] = None, - **kwargs + **kwargs, ) -> grpc.Channel: """Create and return a gRPC channel object. Args: @@ -192,24 +229,13 @@ def create_channel( credentials_file=credentials_file, scopes=scopes, quota_project_id=quota_project_id, - **kwargs + **kwargs, ) @property def grpc_channel(self) -> grpc.Channel: - """Create the channel designed to connect to this service. - - This property caches on the instance; repeated calls return - the same channel. + """Return the channel designed to connect to this service. """ - # Sanity check: Only create a new channel if we do not already - # have one. - if not hasattr(self, "_grpc_channel"): - self._grpc_channel = self.create_channel( - self._host, credentials=self._credentials, - ) - - # Return the channel from cache. return self._grpc_channel @property diff --git a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py index 2a79974..9fc3519 100644 --- a/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py +++ b/google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py @@ -15,9 +15,12 @@ # limitations under the License. # +import warnings from typing import Awaitable, Callable, Dict, Optional, Sequence, Tuple +from google.api_core import gapic_v1 # type: ignore from google.api_core import grpc_helpers_async # type: ignore +from google import auth # type: ignore from google.auth import credentials # type: ignore from google.auth.transport.grpc import SslCredentials # type: ignore @@ -26,7 +29,7 @@ from google.cloud.iam_credentials_v1.types import common -from .base import IAMCredentialsTransport +from .base import IAMCredentialsTransport, DEFAULT_CLIENT_INFO from .grpc import IAMCredentialsGrpcTransport @@ -106,7 +109,9 @@ def __init__( channel: aio.Channel = None, api_mtls_endpoint: str = None, client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, + ssl_channel_credentials: grpc.ChannelCredentials = None, quota_project_id=None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, ) -> None: """Instantiate the transport. @@ -126,16 +131,23 @@ def __init__( are passed to :func:`google.auth.default`. channel (Optional[aio.Channel]): A ``Channel`` instance through which to make calls. - api_mtls_endpoint (Optional[str]): The mutual TLS endpoint. If - provided, it overrides the ``host`` argument and tries to create + api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. + If provided, it overrides the ``host`` argument and tries to create a mutual TLS channel with client SSL credentials from ``client_cert_source`` or applicatin default SSL credentials. - client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): A - callback to provide client SSL certificate bytes and private key - bytes, both in PEM format. It is ignored if ``api_mtls_endpoint`` - is None. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): + Deprecated. A callback to provide client SSL certificate bytes and + private key bytes, both in PEM format. It is ignored if + ``api_mtls_endpoint`` is None. + ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials + for grpc channel. It is ignored if ``channel`` is provided. quota_project_id (Optional[str]): An optional project to use for billing and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. Raises: google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport @@ -143,6 +155,8 @@ def __init__( google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` and ``credentials_file`` are passed. """ + self._ssl_channel_credentials = ssl_channel_credentials + if channel: # Sanity check: Ensure that channel and credentials are not both # provided. @@ -150,13 +164,24 @@ def __init__( # If a channel was explicitly provided, set it. self._grpc_channel = channel + self._ssl_channel_credentials = None elif api_mtls_endpoint: + warnings.warn( + "api_mtls_endpoint and client_cert_source are deprecated", + DeprecationWarning, + ) + host = ( api_mtls_endpoint if ":" in api_mtls_endpoint else api_mtls_endpoint + ":443" ) + if credentials is None: + credentials, _ = auth.default( + scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id + ) + # Create SSL credentials with client_cert_source or application # default SSL credentials. if client_cert_source: @@ -176,6 +201,24 @@ def __init__( scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, ) + self._ssl_channel_credentials = ssl_credentials + else: + host = host if ":" in host else host + ":443" + + if credentials is None: + credentials, _ = auth.default( + scopes=self.AUTH_SCOPES, quota_project_id=quota_project_id + ) + + # create a new channel. The provided one is ignored. + self._grpc_channel = type(self).create_channel( + host, + credentials=credentials, + credentials_file=credentials_file, + ssl_credentials=ssl_channel_credentials, + scopes=scopes or self.AUTH_SCOPES, + quota_project_id=quota_project_id, + ) # Run the base constructor. super().__init__( @@ -184,6 +227,7 @@ def __init__( credentials_file=credentials_file, scopes=scopes or self.AUTH_SCOPES, quota_project_id=quota_project_id, + client_info=client_info, ) self._stubs = {} @@ -195,13 +239,6 @@ def grpc_channel(self) -> aio.Channel: This property caches on the instance; repeated calls return the same channel. """ - # Sanity check: Only create a new channel if we do not already - # have one. - if not hasattr(self, "_grpc_channel"): - self._grpc_channel = self.create_channel( - self._host, credentials=self._credentials, - ) - # Return the channel from cache. return self._grpc_channel diff --git a/noxfile.py b/noxfile.py index 3a6dc54..ad99de3 100644 --- a/noxfile.py +++ b/noxfile.py @@ -28,7 +28,7 @@ DEFAULT_PYTHON_VERSION = "3.8" SYSTEM_TEST_PYTHON_VERSIONS = ["3.8"] -UNIT_TEST_PYTHON_VERSIONS = ["3.6", "3.7", "3.8"] +UNIT_TEST_PYTHON_VERSIONS = ["3.6", "3.7", "3.8", "3.9"] @nox.session(python=DEFAULT_PYTHON_VERSION) diff --git a/scripts/fixup_credentials_v1_keywords.py b/scripts/fixup_credentials_v1_keywords.py index 5c0c330..acac0cb 100644 --- a/scripts/fixup_credentials_v1_keywords.py +++ b/scripts/fixup_credentials_v1_keywords.py @@ -1,3 +1,4 @@ +#! /usr/bin/env python3 # -*- coding: utf-8 -*- # Copyright 2020 Google LLC diff --git a/synth.metadata b/synth.metadata index 7fdcf2e..ee476fb 100644 --- a/synth.metadata +++ b/synth.metadata @@ -4,7 +4,15 @@ "git": { "name": ".", "remote": "https://github.com/googleapis/python-iam.git", - "sha": "fb57fe375bf121ffd2e16e4cd6c8cc432624e271" + "sha": "e185ed16bc47b4fd13bda5a43c0948133e91e96c" + } + }, + { + "git": { + "name": "googleapis", + "remote": "https://github.com/googleapis/googleapis.git", + "sha": "14adde91e90011702483e943edf1044549252bd9", + "internalRef": "344906237" } }, { @@ -25,5 +33,87 @@ "generator": "bazel" } } + ], + "generatedFiles": [ + ".flake8", + ".github/CONTRIBUTING.md", + ".github/ISSUE_TEMPLATE/bug_report.md", + ".github/ISSUE_TEMPLATE/feature_request.md", + ".github/ISSUE_TEMPLATE/support_request.md", + ".github/PULL_REQUEST_TEMPLATE.md", + ".github/release-please.yml", + ".gitignore", + ".kokoro/build.sh", + ".kokoro/continuous/common.cfg", + ".kokoro/continuous/continuous.cfg", + ".kokoro/docs/common.cfg", + ".kokoro/docs/docs.cfg", + ".kokoro/presubmit/common.cfg", + ".kokoro/presubmit/presubmit.cfg", + ".kokoro/publish-docs.sh", + ".kokoro/release.sh", + ".kokoro/release/common.cfg", + ".kokoro/release/release.cfg", + ".kokoro/samples/lint/common.cfg", + ".kokoro/samples/lint/continuous.cfg", + ".kokoro/samples/lint/periodic.cfg", + ".kokoro/samples/lint/presubmit.cfg", + ".kokoro/samples/python3.6/common.cfg", + ".kokoro/samples/python3.6/continuous.cfg", + ".kokoro/samples/python3.6/periodic.cfg", + ".kokoro/samples/python3.6/presubmit.cfg", + ".kokoro/samples/python3.7/common.cfg", + ".kokoro/samples/python3.7/continuous.cfg", + ".kokoro/samples/python3.7/periodic.cfg", + ".kokoro/samples/python3.7/presubmit.cfg", + ".kokoro/samples/python3.8/common.cfg", + ".kokoro/samples/python3.8/continuous.cfg", + ".kokoro/samples/python3.8/periodic.cfg", + ".kokoro/samples/python3.8/presubmit.cfg", + ".kokoro/test-samples.sh", + ".kokoro/trampoline.sh", + "CODE_OF_CONDUCT.md", + "CONTRIBUTING.rst", + "LICENSE", + "MANIFEST.in", + "docs/_static/custom.css", + "docs/_templates/layout.html", + "docs/conf.py", + "docs/credentials_v1/services.rst", + "docs/credentials_v1/types.rst", + "docs/multiprocessing.rst", + "google/cloud/iam_credentials/__init__.py", + "google/cloud/iam_credentials/py.typed", + "google/cloud/iam_credentials_v1/__init__.py", + "google/cloud/iam_credentials_v1/proto/common.proto", + "google/cloud/iam_credentials_v1/proto/iamcredentials.proto", + "google/cloud/iam_credentials_v1/py.typed", + "google/cloud/iam_credentials_v1/services/__init__.py", + "google/cloud/iam_credentials_v1/services/iam_credentials/__init__.py", + "google/cloud/iam_credentials_v1/services/iam_credentials/async_client.py", + "google/cloud/iam_credentials_v1/services/iam_credentials/client.py", + "google/cloud/iam_credentials_v1/services/iam_credentials/transports/__init__.py", + "google/cloud/iam_credentials_v1/services/iam_credentials/transports/base.py", + "google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc.py", + "google/cloud/iam_credentials_v1/services/iam_credentials/transports/grpc_asyncio.py", + "google/cloud/iam_credentials_v1/types/__init__.py", + "google/cloud/iam_credentials_v1/types/common.py", + "google/cloud/iam_credentials_v1/types/iamcredentials.py", + "noxfile.py", + "renovate.json", + "samples/AUTHORING_GUIDE.md", + "samples/CONTRIBUTING.md", + "scripts/decrypt-secrets.sh", + "scripts/fixup_credentials_v1_keywords.py", + "scripts/readme-gen/readme_gen.py", + "scripts/readme-gen/templates/README.tmpl.rst", + "scripts/readme-gen/templates/auth.tmpl.rst", + "scripts/readme-gen/templates/auth_api_key.tmpl.rst", + "scripts/readme-gen/templates/install_deps.tmpl.rst", + "scripts/readme-gen/templates/install_portaudio.tmpl.rst", + "setup.cfg", + "testing/.gitignore", + "tests/unit/gapic/credentials_v1/__init__.py", + "tests/unit/gapic/credentials_v1/test_iam_credentials.py" ] } \ No newline at end of file diff --git a/tests/unit/gapic/credentials_v1/__init__.py b/tests/unit/gapic/credentials_v1/__init__.py new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/tests/unit/gapic/credentials_v1/__init__.py @@ -0,0 +1 @@ + diff --git a/tests/unit/gapic/credentials_v1/test_iam_credentials.py b/tests/unit/gapic/credentials_v1/test_iam_credentials.py index f01b0aa..4a999d2 100644 --- a/tests/unit/gapic/credentials_v1/test_iam_credentials.py +++ b/tests/unit/gapic/credentials_v1/test_iam_credentials.py @@ -27,6 +27,7 @@ from google import auth from google.api_core import client_options from google.api_core import exceptions +from google.api_core import gapic_v1 from google.api_core import grpc_helpers from google.api_core import grpc_helpers_async from google.auth import credentials @@ -48,6 +49,17 @@ def client_cert_source_callback(): return b"cert bytes", b"key bytes" +# If default endpoint is localhost, then default mtls endpoint will be the same. +# This method modifies the default endpoint so the client can produce a different +# mtls endpoint for endpoint testing purposes. +def modify_default_endpoint(client): + return ( + "foo.googleapis.com" + if ("localhost" in client.DEFAULT_ENDPOINT) + else client.DEFAULT_ENDPOINT + ) + + def test__get_default_mtls_endpoint(): api_endpoint = "example.googleapis.com" api_mtls_endpoint = "example.mtls.googleapis.com" @@ -87,12 +99,12 @@ def test_iam_credentials_client_from_service_account_file(client_class): ) as factory: factory.return_value = creds client = client_class.from_service_account_file("dummy/file/path.json") - assert client._transport._credentials == creds + assert client.transport._credentials == creds client = client_class.from_service_account_json("dummy/file/path.json") - assert client._transport._credentials == creds + assert client.transport._credentials == creds - assert client._transport._host == "iamcredentials.googleapis.com:443" + assert client.transport._host == "iamcredentials.googleapis.com:443" def test_iam_credentials_client_get_transport_class(): @@ -114,6 +126,16 @@ def test_iam_credentials_client_get_transport_class(): ), ], ) +@mock.patch.object( + IAMCredentialsClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(IAMCredentialsClient), +) +@mock.patch.object( + IAMCredentialsAsyncClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(IAMCredentialsAsyncClient), +) def test_iam_credentials_client_client_options( client_class, transport_class, transport_name ): @@ -138,14 +160,14 @@ def test_iam_credentials_client_client_options( credentials_file=None, host="squid.clam.whelk", scopes=None, - api_mtls_endpoint="squid.clam.whelk", - client_cert_source=None, + ssl_channel_credentials=None, quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, ) - # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS is + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is # "never". - with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "never"}): + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "never"}): with mock.patch.object(transport_class, "__init__") as patched: patched.return_value = None client = client_class() @@ -154,14 +176,14 @@ def test_iam_credentials_client_client_options( credentials_file=None, host=client.DEFAULT_ENDPOINT, scopes=None, - api_mtls_endpoint=client.DEFAULT_ENDPOINT, - client_cert_source=None, + ssl_channel_credentials=None, quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, ) - # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS is + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is # "always". - with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "always"}): + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "always"}): with mock.patch.object(transport_class, "__init__") as patched: patched.return_value = None client = client_class() @@ -170,90 +192,175 @@ def test_iam_credentials_client_client_options( credentials_file=None, host=client.DEFAULT_MTLS_ENDPOINT, scopes=None, - api_mtls_endpoint=client.DEFAULT_MTLS_ENDPOINT, - client_cert_source=None, + ssl_channel_credentials=None, quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, ) - # Check the case api_endpoint is not provided, GOOGLE_API_USE_MTLS is - # "auto", and client_cert_source is provided. - with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "auto"}): + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT has + # unsupported value. + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "Unsupported"}): + with pytest.raises(MutualTLSChannelError): + client = client_class() + + # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"} + ): + with pytest.raises(ValueError): + client = client_class() + + # Check the case quota_project_id is provided + options = client_options.ClientOptions(quota_project_id="octopus") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + ssl_channel_credentials=None, + quota_project_id="octopus", + client_info=transports.base.DEFAULT_CLIENT_INFO, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name,use_client_cert_env", + [ + (IAMCredentialsClient, transports.IAMCredentialsGrpcTransport, "grpc", "true"), + ( + IAMCredentialsAsyncClient, + transports.IAMCredentialsGrpcAsyncIOTransport, + "grpc_asyncio", + "true", + ), + (IAMCredentialsClient, transports.IAMCredentialsGrpcTransport, "grpc", "false"), + ( + IAMCredentialsAsyncClient, + transports.IAMCredentialsGrpcAsyncIOTransport, + "grpc_asyncio", + "false", + ), + ], +) +@mock.patch.object( + IAMCredentialsClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(IAMCredentialsClient), +) +@mock.patch.object( + IAMCredentialsAsyncClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(IAMCredentialsAsyncClient), +) +@mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "auto"}) +def test_iam_credentials_client_mtls_env_auto( + client_class, transport_class, transport_name, use_client_cert_env +): + # This tests the endpoint autoswitch behavior. Endpoint is autoswitched to the default + # mtls endpoint, if GOOGLE_API_USE_CLIENT_CERTIFICATE is "true" and client cert exists. + + # Check the case client_cert_source is provided. Whether client cert is used depends on + # GOOGLE_API_USE_CLIENT_CERTIFICATE value. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): options = client_options.ClientOptions( client_cert_source=client_cert_source_callback ) with mock.patch.object(transport_class, "__init__") as patched: - patched.return_value = None - client = client_class(client_options=options) - patched.assert_called_once_with( - credentials=None, - credentials_file=None, - host=client.DEFAULT_MTLS_ENDPOINT, - scopes=None, - api_mtls_endpoint=client.DEFAULT_MTLS_ENDPOINT, - client_cert_source=client_cert_source_callback, - quota_project_id=None, - ) - - # Check the case api_endpoint is not provided, GOOGLE_API_USE_MTLS is - # "auto", and default_client_cert_source is provided. - with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "auto"}): - with mock.patch.object(transport_class, "__init__") as patched: + ssl_channel_creds = mock.Mock() with mock.patch( - "google.auth.transport.mtls.has_default_client_cert_source", - return_value=True, + "grpc.ssl_channel_credentials", return_value=ssl_channel_creds ): patched.return_value = None - client = client_class() + client = client_class(client_options=options) + + if use_client_cert_env == "false": + expected_ssl_channel_creds = None + expected_host = client.DEFAULT_ENDPOINT + else: + expected_ssl_channel_creds = ssl_channel_creds + expected_host = client.DEFAULT_MTLS_ENDPOINT + patched.assert_called_once_with( credentials=None, credentials_file=None, - host=client.DEFAULT_MTLS_ENDPOINT, + host=expected_host, scopes=None, - api_mtls_endpoint=client.DEFAULT_MTLS_ENDPOINT, - client_cert_source=None, + ssl_channel_credentials=expected_ssl_channel_creds, quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, ) - # Check the case api_endpoint is not provided, GOOGLE_API_USE_MTLS is - # "auto", but client_cert_source and default_client_cert_source are None. - with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "auto"}): + # Check the case ADC client cert is provided. Whether client cert is used depends on + # GOOGLE_API_USE_CLIENT_CERTIFICATE value. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): with mock.patch.object(transport_class, "__init__") as patched: with mock.patch( - "google.auth.transport.mtls.has_default_client_cert_source", - return_value=False, + "google.auth.transport.grpc.SslCredentials.__init__", return_value=None ): - patched.return_value = None - client = client_class() - patched.assert_called_once_with( - credentials=None, - credentials_file=None, - host=client.DEFAULT_ENDPOINT, - scopes=None, - api_mtls_endpoint=client.DEFAULT_ENDPOINT, - client_cert_source=None, - quota_project_id=None, - ) - - # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS has - # unsupported value. - with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS": "Unsupported"}): - with pytest.raises(MutualTLSChannelError): - client = client_class() - - # Check the case quota_project_id is provided - options = client_options.ClientOptions(quota_project_id="octopus") - with mock.patch.object(transport_class, "__init__") as patched: - patched.return_value = None - client = client_class(client_options=options) - patched.assert_called_once_with( - credentials=None, - credentials_file=None, - host=client.DEFAULT_ENDPOINT, - scopes=None, - api_mtls_endpoint=client.DEFAULT_ENDPOINT, - client_cert_source=None, - quota_project_id="octopus", - ) + with mock.patch( + "google.auth.transport.grpc.SslCredentials.is_mtls", + new_callable=mock.PropertyMock, + ) as is_mtls_mock: + with mock.patch( + "google.auth.transport.grpc.SslCredentials.ssl_credentials", + new_callable=mock.PropertyMock, + ) as ssl_credentials_mock: + if use_client_cert_env == "false": + is_mtls_mock.return_value = False + ssl_credentials_mock.return_value = None + expected_host = client.DEFAULT_ENDPOINT + expected_ssl_channel_creds = None + else: + is_mtls_mock.return_value = True + ssl_credentials_mock.return_value = mock.Mock() + expected_host = client.DEFAULT_MTLS_ENDPOINT + expected_ssl_channel_creds = ( + ssl_credentials_mock.return_value + ) + + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=expected_host, + scopes=None, + ssl_channel_credentials=expected_ssl_channel_creds, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + ) + + # Check the case client_cert_source and ADC client cert are not provided. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + with mock.patch.object(transport_class, "__init__") as patched: + with mock.patch( + "google.auth.transport.grpc.SslCredentials.__init__", return_value=None + ): + with mock.patch( + "google.auth.transport.grpc.SslCredentials.is_mtls", + new_callable=mock.PropertyMock, + ) as is_mtls_mock: + is_mtls_mock.return_value = False + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + ssl_channel_credentials=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + ) @pytest.mark.parametrize( @@ -280,9 +387,9 @@ def test_iam_credentials_client_client_options_scopes( credentials_file=None, host=client.DEFAULT_ENDPOINT, scopes=["1", "2"], - api_mtls_endpoint=client.DEFAULT_ENDPOINT, - client_cert_source=None, + ssl_channel_credentials=None, quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, ) @@ -310,9 +417,9 @@ def test_iam_credentials_client_client_options_credentials_file( credentials_file="credentials.json", host=client.DEFAULT_ENDPOINT, scopes=None, - api_mtls_endpoint=client.DEFAULT_ENDPOINT, - client_cert_source=None, + ssl_channel_credentials=None, quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, ) @@ -329,24 +436,26 @@ def test_iam_credentials_client_client_options_from_dict(): credentials_file=None, host="squid.clam.whelk", scopes=None, - api_mtls_endpoint="squid.clam.whelk", - client_cert_source=None, + ssl_channel_credentials=None, quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, ) -def test_generate_access_token(transport: str = "grpc"): +def test_generate_access_token( + transport: str = "grpc", request_type=common.GenerateAccessTokenRequest +): client = IAMCredentialsClient( credentials=credentials.AnonymousCredentials(), transport=transport, ) # Everything is optional in proto3 as far as the runtime is concerned, # and we are mocking out the actual API, so just send an empty request. - request = common.GenerateAccessTokenRequest() + request = request_type() # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._transport.generate_access_token), "__call__" + type(client.transport.generate_access_token), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = common.GenerateAccessTokenResponse( @@ -359,27 +468,34 @@ def test_generate_access_token(transport: str = "grpc"): assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == request + assert args[0] == common.GenerateAccessTokenRequest() # Establish that the response is the type that we expect. + assert isinstance(response, common.GenerateAccessTokenResponse) assert response.access_token == "access_token_value" +def test_generate_access_token_from_dict(): + test_generate_access_token(request_type=dict) + + @pytest.mark.asyncio -async def test_generate_access_token_async(transport: str = "grpc_asyncio"): +async def test_generate_access_token_async( + transport: str = "grpc_asyncio", request_type=common.GenerateAccessTokenRequest +): client = IAMCredentialsAsyncClient( credentials=credentials.AnonymousCredentials(), transport=transport, ) # Everything is optional in proto3 as far as the runtime is concerned, # and we are mocking out the actual API, so just send an empty request. - request = common.GenerateAccessTokenRequest() + request = request_type() # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._client._transport.generate_access_token), "__call__" + type(client.transport.generate_access_token), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( @@ -392,7 +508,7 @@ async def test_generate_access_token_async(transport: str = "grpc_asyncio"): assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == request + assert args[0] == common.GenerateAccessTokenRequest() # Establish that the response is the type that we expect. assert isinstance(response, common.GenerateAccessTokenResponse) @@ -400,6 +516,11 @@ async def test_generate_access_token_async(transport: str = "grpc_asyncio"): assert response.access_token == "access_token_value" +@pytest.mark.asyncio +async def test_generate_access_token_async_from_dict(): + await test_generate_access_token_async(request_type=dict) + + def test_generate_access_token_field_headers(): client = IAMCredentialsClient(credentials=credentials.AnonymousCredentials(),) @@ -410,7 +531,7 @@ def test_generate_access_token_field_headers(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._transport.generate_access_token), "__call__" + type(client.transport.generate_access_token), "__call__" ) as call: call.return_value = common.GenerateAccessTokenResponse() @@ -437,7 +558,7 @@ async def test_generate_access_token_field_headers_async(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._client._transport.generate_access_token), "__call__" + type(client.transport.generate_access_token), "__call__" ) as call: call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( common.GenerateAccessTokenResponse() @@ -460,7 +581,7 @@ def test_generate_access_token_flattened(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._transport.generate_access_token), "__call__" + type(client.transport.generate_access_token), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = common.GenerateAccessTokenResponse() @@ -511,7 +632,7 @@ async def test_generate_access_token_flattened_async(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._client._transport.generate_access_token), "__call__" + type(client.transport.generate_access_token), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = common.GenerateAccessTokenResponse() @@ -560,18 +681,20 @@ async def test_generate_access_token_flattened_error_async(): ) -def test_generate_id_token(transport: str = "grpc"): +def test_generate_id_token( + transport: str = "grpc", request_type=common.GenerateIdTokenRequest +): client = IAMCredentialsClient( credentials=credentials.AnonymousCredentials(), transport=transport, ) # Everything is optional in proto3 as far as the runtime is concerned, # and we are mocking out the actual API, so just send an empty request. - request = common.GenerateIdTokenRequest() + request = request_type() # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._transport.generate_id_token), "__call__" + type(client.transport.generate_id_token), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = common.GenerateIdTokenResponse(token="token_value",) @@ -582,27 +705,34 @@ def test_generate_id_token(transport: str = "grpc"): assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == request + assert args[0] == common.GenerateIdTokenRequest() # Establish that the response is the type that we expect. + assert isinstance(response, common.GenerateIdTokenResponse) assert response.token == "token_value" +def test_generate_id_token_from_dict(): + test_generate_id_token(request_type=dict) + + @pytest.mark.asyncio -async def test_generate_id_token_async(transport: str = "grpc_asyncio"): +async def test_generate_id_token_async( + transport: str = "grpc_asyncio", request_type=common.GenerateIdTokenRequest +): client = IAMCredentialsAsyncClient( credentials=credentials.AnonymousCredentials(), transport=transport, ) # Everything is optional in proto3 as far as the runtime is concerned, # and we are mocking out the actual API, so just send an empty request. - request = common.GenerateIdTokenRequest() + request = request_type() # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._client._transport.generate_id_token), "__call__" + type(client.transport.generate_id_token), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( @@ -615,7 +745,7 @@ async def test_generate_id_token_async(transport: str = "grpc_asyncio"): assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == request + assert args[0] == common.GenerateIdTokenRequest() # Establish that the response is the type that we expect. assert isinstance(response, common.GenerateIdTokenResponse) @@ -623,6 +753,11 @@ async def test_generate_id_token_async(transport: str = "grpc_asyncio"): assert response.token == "token_value" +@pytest.mark.asyncio +async def test_generate_id_token_async_from_dict(): + await test_generate_id_token_async(request_type=dict) + + def test_generate_id_token_field_headers(): client = IAMCredentialsClient(credentials=credentials.AnonymousCredentials(),) @@ -633,7 +768,7 @@ def test_generate_id_token_field_headers(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._transport.generate_id_token), "__call__" + type(client.transport.generate_id_token), "__call__" ) as call: call.return_value = common.GenerateIdTokenResponse() @@ -660,7 +795,7 @@ async def test_generate_id_token_field_headers_async(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._client._transport.generate_id_token), "__call__" + type(client.transport.generate_id_token), "__call__" ) as call: call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( common.GenerateIdTokenResponse() @@ -683,7 +818,7 @@ def test_generate_id_token_flattened(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._transport.generate_id_token), "__call__" + type(client.transport.generate_id_token), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = common.GenerateIdTokenResponse() @@ -732,7 +867,7 @@ async def test_generate_id_token_flattened_async(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client._client._transport.generate_id_token), "__call__" + type(client.transport.generate_id_token), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = common.GenerateIdTokenResponse() @@ -779,17 +914,17 @@ async def test_generate_id_token_flattened_error_async(): ) -def test_sign_blob(transport: str = "grpc"): +def test_sign_blob(transport: str = "grpc", request_type=common.SignBlobRequest): client = IAMCredentialsClient( credentials=credentials.AnonymousCredentials(), transport=transport, ) # Everything is optional in proto3 as far as the runtime is concerned, # and we are mocking out the actual API, so just send an empty request. - request = common.SignBlobRequest() + request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client._transport.sign_blob), "__call__") as call: + with mock.patch.object(type(client.transport.sign_blob), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = common.SignBlobResponse( key_id="key_id_value", signed_blob=b"signed_blob_blob", @@ -801,9 +936,10 @@ def test_sign_blob(transport: str = "grpc"): assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == request + assert args[0] == common.SignBlobRequest() # Establish that the response is the type that we expect. + assert isinstance(response, common.SignBlobResponse) assert response.key_id == "key_id_value" @@ -811,20 +947,24 @@ def test_sign_blob(transport: str = "grpc"): assert response.signed_blob == b"signed_blob_blob" +def test_sign_blob_from_dict(): + test_sign_blob(request_type=dict) + + @pytest.mark.asyncio -async def test_sign_blob_async(transport: str = "grpc_asyncio"): +async def test_sign_blob_async( + transport: str = "grpc_asyncio", request_type=common.SignBlobRequest +): client = IAMCredentialsAsyncClient( credentials=credentials.AnonymousCredentials(), transport=transport, ) # Everything is optional in proto3 as far as the runtime is concerned, # and we are mocking out the actual API, so just send an empty request. - request = common.SignBlobRequest() + request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client._client._transport.sign_blob), "__call__" - ) as call: + with mock.patch.object(type(client.transport.sign_blob), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( common.SignBlobResponse( @@ -838,7 +978,7 @@ async def test_sign_blob_async(transport: str = "grpc_asyncio"): assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == request + assert args[0] == common.SignBlobRequest() # Establish that the response is the type that we expect. assert isinstance(response, common.SignBlobResponse) @@ -848,6 +988,11 @@ async def test_sign_blob_async(transport: str = "grpc_asyncio"): assert response.signed_blob == b"signed_blob_blob" +@pytest.mark.asyncio +async def test_sign_blob_async_from_dict(): + await test_sign_blob_async(request_type=dict) + + def test_sign_blob_field_headers(): client = IAMCredentialsClient(credentials=credentials.AnonymousCredentials(),) @@ -857,7 +1002,7 @@ def test_sign_blob_field_headers(): request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client._transport.sign_blob), "__call__") as call: + with mock.patch.object(type(client.transport.sign_blob), "__call__") as call: call.return_value = common.SignBlobResponse() client.sign_blob(request) @@ -882,9 +1027,7 @@ async def test_sign_blob_field_headers_async(): request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client._client._transport.sign_blob), "__call__" - ) as call: + with mock.patch.object(type(client.transport.sign_blob), "__call__") as call: call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( common.SignBlobResponse() ) @@ -905,7 +1048,7 @@ def test_sign_blob_flattened(): client = IAMCredentialsClient(credentials=credentials.AnonymousCredentials(),) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client._transport.sign_blob), "__call__") as call: + with mock.patch.object(type(client.transport.sign_blob), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = common.SignBlobResponse() @@ -946,9 +1089,7 @@ async def test_sign_blob_flattened_async(): client = IAMCredentialsAsyncClient(credentials=credentials.AnonymousCredentials(),) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client._client._transport.sign_blob), "__call__" - ) as call: + with mock.patch.object(type(client.transport.sign_blob), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = common.SignBlobResponse() @@ -988,17 +1129,17 @@ async def test_sign_blob_flattened_error_async(): ) -def test_sign_jwt(transport: str = "grpc"): +def test_sign_jwt(transport: str = "grpc", request_type=common.SignJwtRequest): client = IAMCredentialsClient( credentials=credentials.AnonymousCredentials(), transport=transport, ) # Everything is optional in proto3 as far as the runtime is concerned, # and we are mocking out the actual API, so just send an empty request. - request = common.SignJwtRequest() + request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client._transport.sign_jwt), "__call__") as call: + with mock.patch.object(type(client.transport.sign_jwt), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = common.SignJwtResponse( key_id="key_id_value", signed_jwt="signed_jwt_value", @@ -1010,9 +1151,10 @@ def test_sign_jwt(transport: str = "grpc"): assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == request + assert args[0] == common.SignJwtRequest() # Establish that the response is the type that we expect. + assert isinstance(response, common.SignJwtResponse) assert response.key_id == "key_id_value" @@ -1020,20 +1162,24 @@ def test_sign_jwt(transport: str = "grpc"): assert response.signed_jwt == "signed_jwt_value" +def test_sign_jwt_from_dict(): + test_sign_jwt(request_type=dict) + + @pytest.mark.asyncio -async def test_sign_jwt_async(transport: str = "grpc_asyncio"): +async def test_sign_jwt_async( + transport: str = "grpc_asyncio", request_type=common.SignJwtRequest +): client = IAMCredentialsAsyncClient( credentials=credentials.AnonymousCredentials(), transport=transport, ) # Everything is optional in proto3 as far as the runtime is concerned, # and we are mocking out the actual API, so just send an empty request. - request = common.SignJwtRequest() + request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client._client._transport.sign_jwt), "__call__" - ) as call: + with mock.patch.object(type(client.transport.sign_jwt), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( common.SignJwtResponse( @@ -1047,7 +1193,7 @@ async def test_sign_jwt_async(transport: str = "grpc_asyncio"): assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == request + assert args[0] == common.SignJwtRequest() # Establish that the response is the type that we expect. assert isinstance(response, common.SignJwtResponse) @@ -1057,6 +1203,11 @@ async def test_sign_jwt_async(transport: str = "grpc_asyncio"): assert response.signed_jwt == "signed_jwt_value" +@pytest.mark.asyncio +async def test_sign_jwt_async_from_dict(): + await test_sign_jwt_async(request_type=dict) + + def test_sign_jwt_field_headers(): client = IAMCredentialsClient(credentials=credentials.AnonymousCredentials(),) @@ -1066,7 +1217,7 @@ def test_sign_jwt_field_headers(): request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client._transport.sign_jwt), "__call__") as call: + with mock.patch.object(type(client.transport.sign_jwt), "__call__") as call: call.return_value = common.SignJwtResponse() client.sign_jwt(request) @@ -1091,9 +1242,7 @@ async def test_sign_jwt_field_headers_async(): request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client._client._transport.sign_jwt), "__call__" - ) as call: + with mock.patch.object(type(client.transport.sign_jwt), "__call__") as call: call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( common.SignJwtResponse() ) @@ -1114,7 +1263,7 @@ def test_sign_jwt_flattened(): client = IAMCredentialsClient(credentials=credentials.AnonymousCredentials(),) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client._transport.sign_jwt), "__call__") as call: + with mock.patch.object(type(client.transport.sign_jwt), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = common.SignJwtResponse() @@ -1155,9 +1304,7 @@ async def test_sign_jwt_flattened_async(): client = IAMCredentialsAsyncClient(credentials=credentials.AnonymousCredentials(),) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client._client._transport.sign_jwt), "__call__" - ) as call: + with mock.patch.object(type(client.transport.sign_jwt), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = common.SignJwtResponse() @@ -1233,7 +1380,7 @@ def test_transport_instance(): credentials=credentials.AnonymousCredentials(), ) client = IAMCredentialsClient(transport=transport) - assert client._transport is transport + assert client.transport is transport def test_transport_get_channel(): @@ -1251,10 +1398,25 @@ def test_transport_get_channel(): assert channel +@pytest.mark.parametrize( + "transport_class", + [ + transports.IAMCredentialsGrpcTransport, + transports.IAMCredentialsGrpcAsyncIOTransport, + ], +) +def test_transport_adc(transport_class): + # Test default credentials are used if not provided. + with mock.patch.object(auth, "default") as adc: + adc.return_value = (credentials.AnonymousCredentials(), None) + transport_class() + adc.assert_called_once() + + def test_transport_grpc_default(): # A client should use the gRPC transport by default. client = IAMCredentialsClient(credentials=credentials.AnonymousCredentials(),) - assert isinstance(client._transport, transports.IAMCredentialsGrpcTransport,) + assert isinstance(client.transport, transports.IAMCredentialsGrpcTransport,) def test_iam_credentials_base_transport_error(): @@ -1268,9 +1430,13 @@ def test_iam_credentials_base_transport_error(): def test_iam_credentials_base_transport(): # Instantiate the base transport. - transport = transports.IAMCredentialsTransport( - credentials=credentials.AnonymousCredentials(), - ) + with mock.patch( + "google.cloud.iam_credentials_v1.services.iam_credentials.transports.IAMCredentialsTransport.__init__" + ) as Transport: + Transport.return_value = None + transport = transports.IAMCredentialsTransport( + credentials=credentials.AnonymousCredentials(), + ) # Every method on the transport should just blindly # raise NotImplementedError. @@ -1287,7 +1453,12 @@ def test_iam_credentials_base_transport(): def test_iam_credentials_base_transport_with_credentials_file(): # Instantiate the base transport with a credentials file - with mock.patch.object(auth, "load_credentials_from_file") as load_creds: + with mock.patch.object( + auth, "load_credentials_from_file" + ) as load_creds, mock.patch( + "google.cloud.iam_credentials_v1.services.iam_credentials.transports.IAMCredentialsTransport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None load_creds.return_value = (credentials.AnonymousCredentials(), None) transport = transports.IAMCredentialsTransport( credentials_file="credentials.json", quota_project_id="octopus", @@ -1299,6 +1470,17 @@ def test_iam_credentials_base_transport_with_credentials_file(): ) +def test_iam_credentials_base_transport_with_adc(): + # Test the default credentials are used if credentials and credentials_file are None. + with mock.patch.object(auth, "default") as adc, mock.patch( + "google.cloud.iam_credentials_v1.services.iam_credentials.transports.IAMCredentialsTransport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + adc.return_value = (credentials.AnonymousCredentials(), None) + transport = transports.IAMCredentialsTransport() + adc.assert_called_once() + + def test_iam_credentials_auth_adc(): # If no credentials are provided, we should use ADC credentials. with mock.patch.object(auth, "default") as adc: @@ -1331,7 +1513,7 @@ def test_iam_credentials_host_no_port(): api_endpoint="iamcredentials.googleapis.com" ), ) - assert client._transport._host == "iamcredentials.googleapis.com:443" + assert client.transport._host == "iamcredentials.googleapis.com:443" def test_iam_credentials_host_with_port(): @@ -1341,182 +1523,261 @@ def test_iam_credentials_host_with_port(): api_endpoint="iamcredentials.googleapis.com:8000" ), ) - assert client._transport._host == "iamcredentials.googleapis.com:8000" + assert client.transport._host == "iamcredentials.googleapis.com:8000" def test_iam_credentials_grpc_transport_channel(): channel = grpc.insecure_channel("http://localhost/") - # Check that if channel is provided, mtls endpoint and client_cert_source - # won't be used. - callback = mock.MagicMock() + # Check that channel is used if provided. transport = transports.IAMCredentialsGrpcTransport( - host="squid.clam.whelk", - channel=channel, - api_mtls_endpoint="mtls.squid.clam.whelk", - client_cert_source=callback, + host="squid.clam.whelk", channel=channel, ) assert transport.grpc_channel == channel assert transport._host == "squid.clam.whelk:443" - assert not callback.called + assert transport._ssl_channel_credentials == None def test_iam_credentials_grpc_asyncio_transport_channel(): channel = aio.insecure_channel("http://localhost/") - # Check that if channel is provided, mtls endpoint and client_cert_source - # won't be used. - callback = mock.MagicMock() + # Check that channel is used if provided. transport = transports.IAMCredentialsGrpcAsyncIOTransport( - host="squid.clam.whelk", - channel=channel, - api_mtls_endpoint="mtls.squid.clam.whelk", - client_cert_source=callback, + host="squid.clam.whelk", channel=channel, ) assert transport.grpc_channel == channel assert transport._host == "squid.clam.whelk:443" - assert not callback.called + assert transport._ssl_channel_credentials == None -@mock.patch("grpc.ssl_channel_credentials", autospec=True) -@mock.patch("google.api_core.grpc_helpers.create_channel", autospec=True) -def test_iam_credentials_grpc_transport_channel_mtls_with_client_cert_source( - grpc_create_channel, grpc_ssl_channel_cred +@pytest.mark.parametrize( + "transport_class", + [ + transports.IAMCredentialsGrpcTransport, + transports.IAMCredentialsGrpcAsyncIOTransport, + ], +) +def test_iam_credentials_transport_channel_mtls_with_client_cert_source( + transport_class, ): - # Check that if channel is None, but api_mtls_endpoint and client_cert_source - # are provided, then a mTLS channel will be created. - mock_cred = mock.Mock() + with mock.patch( + "grpc.ssl_channel_credentials", autospec=True + ) as grpc_ssl_channel_cred: + with mock.patch.object( + transport_class, "create_channel", autospec=True + ) as grpc_create_channel: + mock_ssl_cred = mock.Mock() + grpc_ssl_channel_cred.return_value = mock_ssl_cred + + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + + cred = credentials.AnonymousCredentials() + with pytest.warns(DeprecationWarning): + with mock.patch.object(auth, "default") as adc: + adc.return_value = (cred, None) + transport = transport_class( + host="squid.clam.whelk", + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=client_cert_source_callback, + ) + adc.assert_called_once() + + grpc_ssl_channel_cred.assert_called_once_with( + certificate_chain=b"cert bytes", private_key=b"key bytes" + ) + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=cred, + credentials_file=None, + scopes=("https://www.googleapis.com/auth/cloud-platform",), + ssl_credentials=mock_ssl_cred, + quota_project_id=None, + ) + assert transport.grpc_channel == mock_grpc_channel + assert transport._ssl_channel_credentials == mock_ssl_cred + +@pytest.mark.parametrize( + "transport_class", + [ + transports.IAMCredentialsGrpcTransport, + transports.IAMCredentialsGrpcAsyncIOTransport, + ], +) +def test_iam_credentials_transport_channel_mtls_with_adc(transport_class): mock_ssl_cred = mock.Mock() - grpc_ssl_channel_cred.return_value = mock_ssl_cred + with mock.patch.multiple( + "google.auth.transport.grpc.SslCredentials", + __init__=mock.Mock(return_value=None), + ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred), + ): + with mock.patch.object( + transport_class, "create_channel", autospec=True + ) as grpc_create_channel: + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + mock_cred = mock.Mock() + + with pytest.warns(DeprecationWarning): + transport = transport_class( + host="squid.clam.whelk", + credentials=mock_cred, + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=None, + ) - mock_grpc_channel = mock.Mock() - grpc_create_channel.return_value = mock_grpc_channel + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=mock_cred, + credentials_file=None, + scopes=("https://www.googleapis.com/auth/cloud-platform",), + ssl_credentials=mock_ssl_cred, + quota_project_id=None, + ) + assert transport.grpc_channel == mock_grpc_channel - transport = transports.IAMCredentialsGrpcTransport( - host="squid.clam.whelk", - credentials=mock_cred, - api_mtls_endpoint="mtls.squid.clam.whelk", - client_cert_source=client_cert_source_callback, - ) - grpc_ssl_channel_cred.assert_called_once_with( - certificate_chain=b"cert bytes", private_key=b"key bytes" - ) - grpc_create_channel.assert_called_once_with( - "mtls.squid.clam.whelk:443", - credentials=mock_cred, - credentials_file=None, - scopes=("https://www.googleapis.com/auth/cloud-platform",), - ssl_credentials=mock_ssl_cred, - quota_project_id=None, + +def test_service_account_path(): + project = "squid" + service_account = "clam" + + expected = "projects/{project}/serviceAccounts/{service_account}".format( + project=project, service_account=service_account, ) - assert transport.grpc_channel == mock_grpc_channel + actual = IAMCredentialsClient.service_account_path(project, service_account) + assert expected == actual -@mock.patch("grpc.ssl_channel_credentials", autospec=True) -@mock.patch("google.api_core.grpc_helpers_async.create_channel", autospec=True) -def test_iam_credentials_grpc_asyncio_transport_channel_mtls_with_client_cert_source( - grpc_create_channel, grpc_ssl_channel_cred -): - # Check that if channel is None, but api_mtls_endpoint and client_cert_source - # are provided, then a mTLS channel will be created. - mock_cred = mock.Mock() +def test_parse_service_account_path(): + expected = { + "project": "whelk", + "service_account": "octopus", + } + path = IAMCredentialsClient.service_account_path(**expected) - mock_ssl_cred = mock.Mock() - grpc_ssl_channel_cred.return_value = mock_ssl_cred + # Check that the path construction is reversible. + actual = IAMCredentialsClient.parse_service_account_path(path) + assert expected == actual - mock_grpc_channel = mock.Mock() - grpc_create_channel.return_value = mock_grpc_channel - transport = transports.IAMCredentialsGrpcAsyncIOTransport( - host="squid.clam.whelk", - credentials=mock_cred, - api_mtls_endpoint="mtls.squid.clam.whelk", - client_cert_source=client_cert_source_callback, - ) - grpc_ssl_channel_cred.assert_called_once_with( - certificate_chain=b"cert bytes", private_key=b"key bytes" +def test_common_billing_account_path(): + billing_account = "oyster" + + expected = "billingAccounts/{billing_account}".format( + billing_account=billing_account, ) - grpc_create_channel.assert_called_once_with( - "mtls.squid.clam.whelk:443", - credentials=mock_cred, - credentials_file=None, - scopes=("https://www.googleapis.com/auth/cloud-platform",), - ssl_credentials=mock_ssl_cred, - quota_project_id=None, + actual = IAMCredentialsClient.common_billing_account_path(billing_account) + assert expected == actual + + +def test_parse_common_billing_account_path(): + expected = { + "billing_account": "nudibranch", + } + path = IAMCredentialsClient.common_billing_account_path(**expected) + + # Check that the path construction is reversible. + actual = IAMCredentialsClient.parse_common_billing_account_path(path) + assert expected == actual + + +def test_common_folder_path(): + folder = "cuttlefish" + + expected = "folders/{folder}".format(folder=folder,) + actual = IAMCredentialsClient.common_folder_path(folder) + assert expected == actual + + +def test_parse_common_folder_path(): + expected = { + "folder": "mussel", + } + path = IAMCredentialsClient.common_folder_path(**expected) + + # Check that the path construction is reversible. + actual = IAMCredentialsClient.parse_common_folder_path(path) + assert expected == actual + + +def test_common_organization_path(): + organization = "winkle" + + expected = "organizations/{organization}".format(organization=organization,) + actual = IAMCredentialsClient.common_organization_path(organization) + assert expected == actual + + +def test_parse_common_organization_path(): + expected = { + "organization": "nautilus", + } + path = IAMCredentialsClient.common_organization_path(**expected) + + # Check that the path construction is reversible. + actual = IAMCredentialsClient.parse_common_organization_path(path) + assert expected == actual + + +def test_common_project_path(): + project = "scallop" + + expected = "projects/{project}".format(project=project,) + actual = IAMCredentialsClient.common_project_path(project) + assert expected == actual + + +def test_parse_common_project_path(): + expected = { + "project": "abalone", + } + path = IAMCredentialsClient.common_project_path(**expected) + + # Check that the path construction is reversible. + actual = IAMCredentialsClient.parse_common_project_path(path) + assert expected == actual + + +def test_common_location_path(): + project = "squid" + location = "clam" + + expected = "projects/{project}/locations/{location}".format( + project=project, location=location, ) - assert transport.grpc_channel == mock_grpc_channel + actual = IAMCredentialsClient.common_location_path(project, location) + assert expected == actual -@pytest.mark.parametrize( - "api_mtls_endpoint", ["mtls.squid.clam.whelk", "mtls.squid.clam.whelk:443"] -) -@mock.patch("google.api_core.grpc_helpers.create_channel", autospec=True) -def test_iam_credentials_grpc_transport_channel_mtls_with_adc( - grpc_create_channel, api_mtls_endpoint -): - # Check that if channel and client_cert_source are None, but api_mtls_endpoint - # is provided, then a mTLS channel will be created with SSL ADC. - mock_grpc_channel = mock.Mock() - grpc_create_channel.return_value = mock_grpc_channel +def test_parse_common_location_path(): + expected = { + "project": "whelk", + "location": "octopus", + } + path = IAMCredentialsClient.common_location_path(**expected) - # Mock google.auth.transport.grpc.SslCredentials class. - mock_ssl_cred = mock.Mock() - with mock.patch.multiple( - "google.auth.transport.grpc.SslCredentials", - __init__=mock.Mock(return_value=None), - ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred), - ): - mock_cred = mock.Mock() - transport = transports.IAMCredentialsGrpcTransport( - host="squid.clam.whelk", - credentials=mock_cred, - api_mtls_endpoint=api_mtls_endpoint, - client_cert_source=None, - ) - grpc_create_channel.assert_called_once_with( - "mtls.squid.clam.whelk:443", - credentials=mock_cred, - credentials_file=None, - scopes=("https://www.googleapis.com/auth/cloud-platform",), - ssl_credentials=mock_ssl_cred, - quota_project_id=None, - ) - assert transport.grpc_channel == mock_grpc_channel + # Check that the path construction is reversible. + actual = IAMCredentialsClient.parse_common_location_path(path) + assert expected == actual -@pytest.mark.parametrize( - "api_mtls_endpoint", ["mtls.squid.clam.whelk", "mtls.squid.clam.whelk:443"] -) -@mock.patch("google.api_core.grpc_helpers_async.create_channel", autospec=True) -def test_iam_credentials_grpc_asyncio_transport_channel_mtls_with_adc( - grpc_create_channel, api_mtls_endpoint -): - # Check that if channel and client_cert_source are None, but api_mtls_endpoint - # is provided, then a mTLS channel will be created with SSL ADC. - mock_grpc_channel = mock.Mock() - grpc_create_channel.return_value = mock_grpc_channel +def test_client_withDEFAULT_CLIENT_INFO(): + client_info = gapic_v1.client_info.ClientInfo() - # Mock google.auth.transport.grpc.SslCredentials class. - mock_ssl_cred = mock.Mock() - with mock.patch.multiple( - "google.auth.transport.grpc.SslCredentials", - __init__=mock.Mock(return_value=None), - ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred), - ): - mock_cred = mock.Mock() - transport = transports.IAMCredentialsGrpcAsyncIOTransport( - host="squid.clam.whelk", - credentials=mock_cred, - api_mtls_endpoint=api_mtls_endpoint, - client_cert_source=None, + with mock.patch.object( + transports.IAMCredentialsTransport, "_prep_wrapped_messages" + ) as prep: + client = IAMCredentialsClient( + credentials=credentials.AnonymousCredentials(), client_info=client_info, ) - grpc_create_channel.assert_called_once_with( - "mtls.squid.clam.whelk:443", - credentials=mock_cred, - credentials_file=None, - scopes=("https://www.googleapis.com/auth/cloud-platform",), - ssl_credentials=mock_ssl_cred, - quota_project_id=None, + prep.assert_called_once_with(client_info) + + with mock.patch.object( + transports.IAMCredentialsTransport, "_prep_wrapped_messages" + ) as prep: + transport_class = IAMCredentialsClient.get_transport_class() + transport = transport_class( + credentials=credentials.AnonymousCredentials(), client_info=client_info, ) - assert transport.grpc_channel == mock_grpc_channel + prep.assert_called_once_with(client_info)