Implementing App Default and Refresh Token Credential Types (#6)

hiranya911 · web-flow · commit 9b679d002e98 · 2017-03-28T09:21:50.000-07:00
* Implementing app default and refresh token credential types

* Added properties to refresh token class

* Adding error handling; Removing the old exception wrapping syntax since it does not work on python 3.

* Updated docstring

* Updated comments and docstrings
diff --git a/firebase_admin/credentials.py b/firebase_admin/credentials.py
@@ -1,6 +1,5 @@
 """Firebase credentials module."""
 import json
-import sys
 
 import httplib2
 
@@ -41,24 +40,28 @@ def __init__(self, file_path):
 
         Raises:
           IOError: If the specified file doesn't exist or cannot be read.
-          ValueError: If an error occurs while parsing the file content.
+          ValueError: If the certificate file is invalid.
         """
         super(Certificate, self).__init__()
         # TODO(hkj): Clean this up once we are able to take a dependency
         # TODO(hkj): on latest oauth2client.
         with open(file_path) as json_keyfile:
             json_data = json.load(json_keyfile)
+        if json_data.get('type') != client.SERVICE_ACCOUNT:
+            raise ValueError('Invalid certificate file. File must contain a '
+                             '"type" field set to "{0}".'.format(client.SERVICE_ACCOUNT))
         self._project_id = json_data.get('project_id')
+        self._service_account_email = json_data.get('client_email')
         try:
-            self._signer = crypt.Signer.from_string(
-                json_data.get('private_key'))
+            self._signer = crypt.Signer.from_string(json_data.get('private_key'))
         except Exception as error:
-            err_type, err_value, err_traceback = sys.exc_info()
-            err_message = 'Failed to parse the private key string: {0}'.format(
-                error)
-            raise ValueError, (err_message, err_type, err_value), err_traceback
-        self._service_account_email = json_data.get('client_email')
-        self._g_credential = client.GoogleCredentials.from_stream(file_path)
+            raise ValueError('Failed to parse the private key string or initialize an '
+                             'RSA signer. Caused by: "{0}".'.format(error))
+        try:
+            self._g_credential = client.GoogleCredentials.from_stream(file_path)
+        except client.ApplicationDefaultCredentialsError as error:
+            raise ValueError('Failed to initialize a certificate credential from file "{0}". '
+                             'Caused by: "{1}"'.format(file_path, error))
 
     @property
     def project_id(self):
@@ -77,3 +80,70 @@ def get_access_token(self):
 
     def get_credential(self):
         return self._g_credential
+
+
+class ApplicationDefault(Base):
+    """A Google Application Default credential."""
+
+    def __init__(self):
+        """Initializes the Application Default credentials for the current environment.
+
+        Raises:
+          oauth2client.client.ApplicationDefaultCredentialsError: If Application Default
+          credentials cannot be initialized in the current environment.
+        """
+        super(ApplicationDefault, self).__init__()
+        self._g_credential = client.GoogleCredentials.get_application_default()
+
+    def get_access_token(self):
+        return self._g_credential.get_access_token(_http)
+
+    def get_credential(self):
+        return self._g_credential
+
+
+class RefreshToken(Base):
+    """A credential initialized from an existing refresh token."""
+
+    def __init__(self, file_path):
+        """Initializes a refresh token credential from the specified JSON file.
+
+        Args:
+          file_path: File path to a refresh token JSON file.
+
+        Raises:
+          IOError: If the specified file doesn't exist or cannot be read.
+          ValueError: If the refresh token file is invalid.
+        """
+        super(RefreshToken, self).__init__()
+        with open(file_path) as json_keyfile:
+            json_data = json.load(json_keyfile)
+        if json_data.get('type') != client.AUTHORIZED_USER:
+            raise ValueError('Invalid refresh token file. File must contain a '
+                             '"type" field set to "{0}".'.format(client.AUTHORIZED_USER))
+        self._client_id = json_data.get('client_id')
+        self._client_secret = json_data.get('client_secret')
+        self._refresh_token = json_data.get('refresh_token')
+        try:
+            self._g_credential = client.GoogleCredentials.from_stream(file_path)
+        except client.ApplicationDefaultCredentialsError as error:
+            raise ValueError('Failed to initialize a refresh token credential from file "{0}". '
+                             'Caused by: "{1}".'.format(file_path, error))
+
+    @property
+    def client_id(self):
+        return self._client_id
+
+    @property
+    def client_secret(self):
+        return self._client_secret
+
+    @property
+    def refresh_token(self):
+        return self._refresh_token
+
+    def get_access_token(self):
+        return self._g_credential.get_access_token(_http)
+
+    def get_credential(self):
+        return self._g_credential
diff --git a/tests/data/refresh_token.json b/tests/data/refresh_token.json
@@ -0,0 +1,6 @@
+{
+  "type": "authorized_user",
+  "client_id": "mock.apps.googleusercontent.com",
+  "client_secret": "mock-secret",
+  "refresh_token": "mock-refresh-token"
+}
diff --git a/tests/test_credentials.py b/tests/test_credentials.py
@@ -1,4 +1,7 @@
 """Tests for firebase_admin.credentials module."""
+import json
+import os
+
 from firebase_admin import credentials
 from oauth2client import client
 from oauth2client import crypt
@@ -20,14 +23,84 @@ def test_init_from_file(self):
         assert isinstance(g_credential, client.GoogleCredentials)
         assert g_credential.access_token is None
 
+        # The HTTP client should not be used or referenced.
+        credentials._http = 'unused'
+        access_token = credential.get_access_token()
+        assert isinstance(access_token.access_token, basestring)
+        assert isinstance(access_token.expires_in, int)
+
+    def test_init_from_nonexisting_file(self):
+        with pytest.raises(IOError):
+            credentials.Certificate(
+                testutils.resource_filename('non_existing.json'))
+
+    def test_init_from_invalid_file(self):
+        with pytest.raises(ValueError):
+            credentials.Certificate(
+                testutils.resource_filename('refresh_token.json'))
+
+
+@pytest.fixture
+def app_default(request):
+    file_path = os.environ.get('GOOGLE_APPLICATION_CREDENTIALS')
+    os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = request.param
+    yield
+    if file_path:
+        os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = file_path
+
+
+class TestApplicationDefault(object):
+
+    @pytest.mark.parametrize('app_default', [testutils.resource_filename('service_account.json')],
+                             indirect=True)
+    def test_init(self, app_default): # pylint: disable=unused-argument
+        credential = credentials.ApplicationDefault()
+        g_credential = credential.get_credential()
+        assert isinstance(g_credential, client.GoogleCredentials)
+        assert g_credential.access_token is None
+
         # The HTTP client should not be used.
-        credential._http = None
+        credentials._http = 'unused'
         access_token = credential.get_access_token()
         assert isinstance(access_token.access_token, basestring)
         assert isinstance(access_token.expires_in, int)
 
+    @pytest.mark.parametrize('app_default', [testutils.resource_filename('non_existing.json')],
+                             indirect=True)
+    def test_nonexisting_path(self, app_default): # pylint: disable=unused-argument
+        with pytest.raises(client.ApplicationDefaultCredentialsError):
+            credentials.ApplicationDefault()
+
+
+class TestRefreshToken(object):
+
+    def test_init_from_file(self):
+        credential = credentials.RefreshToken(
+            testutils.resource_filename('refresh_token.json'))
+        assert credential.client_id == 'mock.apps.googleusercontent.com'
+        assert credential.client_secret == 'mock-secret'
+        assert credential.refresh_token == 'mock-refresh-token'
+
+        g_credential = credential.get_credential()
+        assert isinstance(g_credential, client.GoogleCredentials)
+        assert g_credential.access_token is None
+
+        mock_response = {
+            'access_token': 'mock_access_token',
+            'expires_in': 1234
+        }
+        credentials._http = testutils.HttpMock(200, json.dumps(mock_response))
+        access_token = credential.get_access_token()
+        assert access_token.access_token == 'mock_access_token'
+        # GoogleCredentials class recalculates the expires_in property before returning.
+        assert access_token.expires_in <= 1234
 
     def test_init_from_nonexisting_file(self):
         with pytest.raises(IOError):
-            credentials.Certificate(
+            credentials.RefreshToken(
                 testutils.resource_filename('non_existing.json'))
+
+    def test_init_from_invalid_file(self):
+        with pytest.raises(ValueError):
+            credentials.RefreshToken(
+                testutils.resource_filename('service_account.json'))
