fix: adding sanity check for expiration time when using output file

googleapis · Jul 27, 2022 · 135e161 · 135e161
1 parent 427aa85
commit 135e161
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 2 deletions.
diff --git a/google/auth/pluggable.py b/google/auth/pluggable.py
@@ -301,6 +301,13 @@ def _parse_subject_token(self, response):
                     response["code"], response["message"]
                 )
             )
+        if (
+            "expiration_time" not in response
+            and self._credential_source_executable_output_file
+        ):
+            raise ValueError(
+                "Expiration_time must be specified while using output file"
+            )
         if "expiration_time" in response and response["expiration_time"] < time.time():
             raise exceptions.RefreshError(
                 "The token returned by the executable is expired."

diff --git a/tests/test_pluggable.py b/tests/test_pluggable.py
@@ -630,14 +630,48 @@ def test_retrieve_subject_token_missing_error_code_message(self):
             )
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
-    def test_retrieve_subject_token_missing_expiration_time_should_pass(self):
+    def test_retrieve_subject_token_without_expiration_time_should_fail_when_using_output_file(
+        self
+    ):
+        EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {
+            "version": 1,
+            "success": True,
+            "token_type": "urn:ietf:params:oauth:token-type:id_token",
+            "id_token": self.EXECUTABLE_OIDC_TOKEN,
+        }
+
+        with mock.patch(
+            "subprocess.run",
+            return_value=subprocess.CompletedProcess(
+                args=[],
+                stdout=json.dumps(EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE).encode("UTF-8"),
+                returncode=0,
+            ),
+        ):
+            credentials = self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
+
+            with pytest.raises(ValueError) as excinfo:
+                _ = credentials.retrieve_subject_token(None)
+
+            assert excinfo.match(
+                r"Expiration_time must be specified while using output file"
+            )
+
+    @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
+    def test_retrieve_subject_token_without_expiration_time_should_pass_when_not_using_output_file(
+        self
+    ):
         EXECUTABLE_SUCCESSFUL_OIDC_RESPONSE = {
             "version": 1,
             "success": True,
             "token_type": "urn:ietf:params:oauth:token-type:id_token",
             "id_token": self.EXECUTABLE_OIDC_TOKEN,
         }
 
+        CREDENTIAL_SOURCE = {
+            "executable": {"command": "command", "timeout_millis": 30000}
+        }
+
         with mock.patch(
             "subprocess.run",
             return_value=subprocess.CompletedProcess(
@@ -646,7 +680,8 @@ def test_retrieve_subject_token_missing_expiration_time_should_pass(self):
                 returncode=0,
             ),
         ):
-            self.make_pluggable(credential_source=self.CREDENTIAL_SOURCE)
+            credentials = self.make_pluggable(credential_source=CREDENTIAL_SOURCE)
+            credentials.retrieve_subject_token(None)
 
     @mock.patch.dict(os.environ, {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"})
     def test_retrieve_subject_token_missing_token_type(self):