fix: read universe_domain for external account authorized user (#1450)

* chore: refresh sys test cred * fix: read universe_domain for external account authorized user * update test json file * update
googleapis · Jan 11, 2024 · 1cc7df3 · 1cc7df3
1 parent 30562b8
commit 1cc7df3
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 0 deletions.
diff --git a/google/auth/external_account_authorized_user.py b/google/auth/external_account_authorized_user.py
@@ -342,6 +342,7 @@ def from_info(cls, info, **kwargs):
             revoke_url=info.get("revoke_url"),
             quota_project_id=info.get("quota_project_id"),
             scopes=info.get("scopes"),
+            universe_domain=info.get("universe_domain", _DEFAULT_UNIVERSE_DOMAIN),
             **kwargs
         )
 

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/tests/data/external_account_authorized_user_non_gdu.json b/tests/data/external_account_authorized_user_non_gdu.json
@@ -0,0 +1,10 @@
+{
+    "type": "external_account_authorized_user",
+    "audience": "//iam.fake_universe_domain/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID",
+    "refresh_token": "refreshToken",
+    "token_url": "https://sts.fake_universe_domain/v1/oauth/token",
+    "token_info_url": "https://sts.fake_universe_domain/v1/instrospect",
+    "client_id": "clientId",
+    "client_secret": "clientSecret",
+    "universe_domain": "fake_universe_domain"
+}
diff --git a/tests/test__default.py b/tests/test__default.py
@@ -157,6 +157,10 @@
     DATA_DIR, "external_account_authorized_user.json"
 )
 
+EXTERNAL_ACCOUNT_AUTHORIZED_USER_NON_GDU_FILE = os.path.join(
+    DATA_DIR, "external_account_authorized_user_non_gdu.json"
+)
+
 MOCK_CREDENTIALS = mock.Mock(spec=credentials.CredentialsWithQuotaProject)
 MOCK_CREDENTIALS.with_quota_project.return_value = MOCK_CREDENTIALS
 
@@ -576,6 +580,15 @@ def test_load_credentials_from_file_external_account_authorized_user():
     assert project_id is None
 
 
+def test_load_credentials_from_file_external_account_authorized_user_non_gdu():
+    credentials, _ = _default.load_credentials_from_file(
+        EXTERNAL_ACCOUNT_AUTHORIZED_USER_NON_GDU_FILE, request=mock.sentinel.request
+    )
+
+    assert isinstance(credentials, external_account_authorized_user.Credentials)
+    assert credentials.universe_domain == "fake_universe_domain"
+
+
 def test_load_credentials_from_file_external_account_authorized_user_bad_format(tmpdir):
     filename = tmpdir.join("external_account_authorized_user_bad.json")
     filename.write(json.dumps({"type": "external_account_authorized_user"}))