diff --git a/google/auth/_default.py b/google/auth/_default.py index 6e5b9736e..2e5ac72d3 100644 --- a/google/auth/_default.py +++ b/google/auth/_default.py @@ -36,7 +36,7 @@ _SERVICE_ACCOUNT_TYPE = "service_account" _EXTERNAL_ACCOUNT_TYPE = "external_account" _IMPERSONATED_SERVICE_ACCOUNT_TYPE = "impersonated_service_account" -_GDCH_TYPE = "gdch" +_GDCH_SERVICE_ACCOUNT_TYPE = "gdch_service_account" _VALID_TYPES = ( _AUTHORIZED_USER_TYPE, _SERVICE_ACCOUNT_TYPE, @@ -159,8 +159,8 @@ def _load_credentials_from_info( credentials, project_id = _get_impersonated_service_account_credentials( filename, info, scopes ) - elif credential_type == _GDCH_TYPE: - credentials, project_id = _get_gdch_credentials(info) + elif credential_type == _GDCH_SERVICE_ACCOUNT_TYPE: + credentials, project_id = _get_gdch_service_account_credentials(info) else: raise exceptions.DefaultCredentialsError( "The file {file} does not have a valid type. " @@ -424,7 +424,7 @@ def _get_impersonated_service_account_credentials(filename, info, scopes): return credentials, None -def _get_gdch_credentials(info): +def _get_gdch_service_account_credentials(info): from google.oauth2 import gdch_credentials k8s_ca_cert_path = info.get("k8s_ca_cert_path") @@ -435,7 +435,7 @@ def _get_gdch_credentials(info): ais_token_endpoint = info.get("ais_token_endpoint") return ( - gdch_credentials.Credentials( + gdch_credentials.ServiceAccountCredentials( k8s_ca_cert_path, k8s_cert_path, k8s_key_path, 
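Review bot: Credential files that still carry `"type": "gdch"` no longer match the `elif credential_type == _GDCH_SERVICE_ACCOUNT_TYPE:` branch of `_load_credentials_from_info` and fall through to the `else` that raises `DefaultCredentialsError`, because `_GDCH_TYPE` is removed rather than kept beside the new constant. Rejecting an unrecognised type is the safe failure mode, but the break should be recorded where the constant is defined, for example `# Renamed from "gdch"; the old value is intentionally no longer accepted.` The class rename in `google/oauth2/gdch_credentials.py` has the same effect on importers, since no `Credentials` alias is left behind. The `_VALID_TYPES` tuple continues outside the first hunk, so it cannot be confirmed from here that the new constant is listed in it.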
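Review bot: `_get_gdch_service_account_credentials` reads its fields with `info.get(...)`, so a file that lacks `k8s_ca_cert_path` or `ais_token_endpoint` hands `None` to `gdch_credentials.ServiceAccountCredentials(...)`, and the failure presumably surfaces only later, at refresh. This JSON selects the certificate and key paths and the token endpoint, so required fields are better rejected at load time, e.g. `if not ais_token_endpoint: raise exceptions.DefaultCredentialsError("ais_token_endpoint is required")`, with the same check for the path fields. A one-line docstring saying that the file must come from a trusted source, because these values are passed on as given, would also help. Parts of the function body lie between and after the two hunks shown, so validation elsewhere in it cannot be ruled out.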
@@ -484,10 +484,10 @@ def default(scopes=None, request=None, quota_project_id=None, default_scopes=Non The project ID returned in this case is the one corresponding to the underlying workload identity pool resource if determinable. - If the environment variable is set to the path of a valid GDCH JSON - file (`Google Distributed Cloud Hosted`_), then a GDCH credential will - be returned. The project ID returned is None unless it is set via - `GOOGLE_CLOUD_PROJECT` environment variable. + If the environment variable is set to the path of a valid GDCH service + account JSON file (`Google Distributed Cloud Hosted`_), then a GDCH + credential will be returned. The project ID returned is None unless it + is set via `GOOGLE_CLOUD_PROJECT` environment variable. 2. If the `Google Cloud SDK`_ is installed and has application default credentials set they are loaded and returned. diff --git a/google/oauth2/gdch_credentials.py b/google/oauth2/gdch_credentials.py index fa2300c2c..495590576 100644 --- a/google/oauth2/gdch_credentials.py +++ b/google/oauth2/gdch_credentials.py @@ -30,8 +30,9 @@ SERVICE_ACCOUNT_TOKEN_TYPE = "urn:k8s:params:oauth:token-type:serviceaccount" -class Credentials(credentials.CredentialsWithQuotaProject): - """Credentials for GDCH (`Google Distributed Cloud Hosted`_). +class ServiceAccountCredentials(credentials.CredentialsWithQuotaProject): + """Credentials for GDCH (`Google Distributed Cloud Hosted`_) for service + account users. .. _Google Distributed Cloud Hosted: https://cloud.google.com/blog/topics/hybrid-cloud/\ @@ -44,7 +45,7 @@ class Credentials(credentials.CredentialsWithQuotaProject): following format:: { - "type":"gdch", + "type":"gdch_service_account", "k8s_ca_cert_path":"", "k8s_cert_path":"", "k8s_key_path":"", 
@@ -106,7 +107,7 @@ def __init__( and billing. This project may be different from the project used to create the credentials. """ - super(Credentials, self).__init__() + super(ServiceAccountCredentials, self).__init__() self._k8s_ca_cert_path = k8s_ca_cert_path self._k8s_cert_path = k8s_cert_path self._k8s_key_path = k8s_key_path diff --git a/tests/data/gdch.json b/tests/data/gdch_service_account.json similarity index 90% rename from tests/data/gdch.json rename to tests/data/gdch_service_account.json index fc64621a5..92b13fea4 100644 --- a/tests/data/gdch.json +++ b/tests/data/gdch_service_account.json @@ -1,5 +1,5 @@ { - "type":"gdch", + "type":"gdch_service_account", "k8s_ca_cert_path":"./k8s_ca_cert.pem", "k8s_cert_path":"./k8s_cert.pem", "k8s_key_path":"./k8s_key.pem", diff --git a/tests/oauth2/test_gdch_credentials.py b/tests/oauth2/test_gdch_credentials.py index b422245e8..6d5b94578 100644 --- a/tests/oauth2/test_gdch_credentials.py +++ b/tests/oauth2/test_gdch_credentials.py @@ -34,7 +34,7 @@ class TestCredentials(object): @classmethod def make_credentials(cls): - return gdch_credentials.Credentials( + return gdch_credentials.ServiceAccountCredentials( cls.K8S_CA_CERT_PATH, cls.K8S_CERT_PATH, cls.K8S_KEY_PATH, @@ -130,11 +130,11 @@ def test__make_ais_token_request(self, utcnow, token_endpoint_request): ) @mock.patch( - "google.oauth2.gdch_credentials.Credentials._make_k8s_token_request", + "google.oauth2.gdch_credentials.ServiceAccountCredentials._make_k8s_token_request", autospec=True, ) @mock.patch( - "google.oauth2.gdch_credentials.Credentials._make_ais_token_request", + "google.oauth2.gdch_credentials.ServiceAccountCredentials._make_ais_token_request", autospec=True, ) def test_refresh(self, ais_token_request, k8s_token_request): 
@@ -152,11 +152,11 @@ def test_refresh(self, ais_token_request, k8s_token_request): assert creds.expiry == mock_expiry @mock.patch( - "google.oauth2.gdch_credentials.Credentials._make_k8s_token_request", + "google.oauth2.gdch_credentials.ServiceAccountCredentials._make_k8s_token_request", autospec=True, ) @mock.patch( - "google.oauth2.gdch_credentials.Credentials._make_ais_token_request", + "google.oauth2.gdch_credentials.ServiceAccountCredentials._make_ais_token_request", autospec=True, ) def test_before_request(self, ais_token_request, k8s_token_request): diff --git a/tests/test__default.py b/tests/test__default.py index 9cbe56248..707e5aa25 100644 --- a/tests/test__default.py +++ b/tests/test__default.py @@ -51,7 +51,7 @@ CLIENT_SECRETS_FILE = os.path.join(DATA_DIR, "client_secrets.json") -GDCH_FILE = os.path.join(DATA_DIR, "gdch.json") +GDCH_SERVICE_ACCOUNT_FILE = os.path.join(DATA_DIR, "gdch_service_account.json") with open(SERVICE_ACCOUNT_FILE) as fh: SERVICE_ACCOUNT_FILE_DATA = json.load(fh) @@ -1148,11 +1148,11 @@ def test_default_impersonated_service_account_set_both_scopes_and_default_scopes @mock.patch( "google.auth._cloud_sdk.get_application_default_credentials_path", autospec=True ) -def test_default_gdch_credentials(get_adc_path): - get_adc_path.return_value = GDCH_FILE +def test_default_gdch_service_account_credentials(get_adc_path): + get_adc_path.return_value = GDCH_SERVICE_ACCOUNT_FILE credentials, _ = _default.default(quota_project_id="project-foo") - assert isinstance(credentials, gdch_credentials.Credentials) + assert isinstance(credentials, gdch_credentials.ServiceAccountCredentials) assert credentials._quota_project_id == "project-foo" assert credentials._k8s_ca_cert_path == "./k8s_ca_cert.pem" assert credentials._k8s_cert_path == "./k8s_cert.pem"
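Review bot: No test in `tests/test__default.py` pins the removal of the old type string: `test_default_gdch_service_account_credentials` only loads the renamed fixture, so a loader that still accepted `"type": "gdch"` would pass. A negative case would cover it, for example writing a temporary JSON file with `"type": "gdch"`, setting `get_adc_path.return_value` to it, and asserting that `_default.default()` raises `DefaultCredentialsError`. The test also asserts on private attributes such as `credentials._k8s_ca_cert_path`, which ties it to the class internals; that is tolerable here, but a comment saying so would help the next rename. The test body may continue past the last line of this hunk.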