Fix failing unit tests

Author: nbayati

google/oauth2/service_account.py

@@ -435,7 +435,7 @@ def _metric_header_for_usage(self):
             return metrics.CRED_TYPE_SA_JWT
         return metrics.CRED_TYPE_SA_ASSERTION
 
-    @_helpers.copy_docstring(credentials.Credentials)
+    @_helpers.copy_docstring(credentials.CredentialsWithTrustBoundary)
     def _refresh_token(self, request):
         if self._always_use_jwt_access and not self._jwt_credentials:
             # If self signed jwt should be used but jwt credential is not

tests/compute_engine/test_credentials.py

@@ -255,7 +255,7 @@ def test_user_provided_universe_domain(self, get_universe_domain):
         # domain endpoint.
         get_universe_domain.assert_not_called()
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary", autospec=True)
+    @mock.patch("google.oauth2._client._lookup_trust_boundary", autospec=True)
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_refresh_trust_boundary_lookup_skipped_if_env_var_not_true(
         self,
@@ -278,7 +278,7 @@ def test_refresh_trust_boundary_lookup_skipped_if_env_var_not_true(
         mock_lookup_tb.assert_not_called()
         assert creds._trust_boundary is None
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary", autospec=True)
+    @mock.patch("google.oauth2._client._lookup_trust_boundary", autospec=True)
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_refresh_trust_boundary_lookup_skipped_if_env_var_missing(
         self, mock_metadata_get, mock_lookup_tb
@@ -297,7 +297,7 @@ def test_refresh_trust_boundary_lookup_skipped_if_env_var_missing(
         mock_lookup_tb.assert_not_called()
         assert creds._trust_boundary is None
 
-    @mock.patch.object(_client, "lookup_trust_boundary", autospec=True)
+    @mock.patch.object(_client, "_lookup_trust_boundary", autospec=True)
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_refresh_trust_boundary_lookup_success(
         self, mock_metadata_get, mock_lookup_tb
@@ -329,7 +329,7 @@ def test_refresh_trust_boundary_lookup_success(
         mock_lookup_tb.assert_called_once_with(
             request,
             "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/resolved-email@example.com/allowedLocations",
-            "mock_token",
+            headers={"authorization": "Bearer mock_token"},
         )
         # Verify trust boundary was set
         assert creds._trust_boundary == {
@@ -343,7 +343,7 @@ def test_refresh_trust_boundary_lookup_success(
         assert headers_applied["x-allowed-locations"] == "0xABC"
 
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
-    @mock.patch.object(_client, "lookup_trust_boundary", autospec=True)
+    @mock.patch.object(_client, "_lookup_trust_boundary", autospec=True)
     def test_refresh_trust_boundary_lookup_fails_no_cache(
         self, mock_lookup_tb, mock_metadata_get
     ):
@@ -369,7 +369,7 @@ def test_refresh_trust_boundary_lookup_fails_no_cache(
         mock_lookup_tb.assert_called_once()
 
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
-    @mock.patch.object(_client, "lookup_trust_boundary", autospec=True)
+    @mock.patch.object(_client, "_lookup_trust_boundary", autospec=True)
     def test_refresh_trust_boundary_lookup_fails_with_cached_data(
         self, mock_lookup_tb, mock_metadata_get
     ):
@@ -420,7 +420,7 @@ def test_refresh_trust_boundary_lookup_fails_with_cached_data(
         mock_lookup_tb.assert_called_once()
 
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
-    @mock.patch.object(_client, "lookup_trust_boundary", autospec=True)
+    @mock.patch.object(_client, "_lookup_trust_boundary", autospec=True)
     def test_refresh_fetches_no_op_trust_boundary(
         self, mock_lookup_tb, mock_metadata_get
     ):
@@ -444,19 +444,21 @@ def test_refresh_fetches_no_op_trust_boundary(
         mock_lookup_tb.assert_called_once_with(
             request,
             "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/resolved-email@example.com/allowedLocations",
-            "mock_token",
+            headers={"authorization": "Bearer mock_token"},
         )
         # Verify that an empty header was added.
         headers_applied = {}
         creds.apply(headers_applied)
         assert headers_applied["x-allowed-locations"] == ""
 
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
-    @mock.patch.object(_client, "lookup_trust_boundary", autospec=True)
+    @mock.patch.object(_client, "_lookup_trust_boundary", autospec=True)
     def test_refresh_starts_with_no_op_trust_boundary_skips_lookup(
         self, mock_lookup_tb, mock_metadata_get
     ):
         creds = self.credentials
+        # Use pre-cache universe domain to avoid an extra metadata call.
+        creds._universe_domain_cached = True
         creds._trust_boundary = {"locations": [], "encodedLocations": "0x0"}
         request = mock.Mock()
 

tests/oauth2/test__client.py

@@ -667,7 +667,7 @@ def test_lookup_trust_boundary():
 
     url = "http://example.com"
     headers = {"Authorization": "Bearer access_token"}
-    response = _client.lookup_trust_boundary(mock_request, url, headers=headers)
+    response = _client._lookup_trust_boundary(mock_request, url, headers=headers)
 
     assert response["encodedLocations"] == "0x80080000000000"
     assert response["locations"] == ["us-central1", "us-east1"]
@@ -688,7 +688,7 @@ def test_lookup_trust_boundary_no_op_response_without_locations():
     url = "http://example.com"
     headers = {"Authorization": "Bearer access_token"}
     # for the response to be valid, we only need encodedLocations to be present.
-    response = _client.lookup_trust_boundary(mock_request, url, headers=headers)
+    response = _client._lookup_trust_boundary(mock_request, url, headers=headers)
     assert response["encodedLocations"] == "0x0"
     assert "locations" not in response
 
@@ -707,7 +707,7 @@ def test_lookup_trust_boundary_no_op_response():
 
     url = "http://example.com"
     headers = {"Authorization": "Bearer access_token"}
-    response = _client.lookup_trust_boundary(mock_request, url, headers=headers)
+    response = _client._lookup_trust_boundary(mock_request, url, headers=headers)
 
     assert response["encodedLocations"] == "0x0"
     assert response["locations"] == []
@@ -726,7 +726,7 @@ def test_lookup_trust_boundary_error():
     url = "http://example.com"
     headers = {"Authorization": "Bearer access_token"}
     with pytest.raises(exceptions.RefreshError) as excinfo:
-        _client.lookup_trust_boundary(mock_request, url, headers=headers)
+        _client._lookup_trust_boundary(mock_request, url, headers=headers)
     assert excinfo.match("this is an error message")
 
     mock_request.assert_called_with(method="GET", url=url, headers=headers)
@@ -745,7 +745,7 @@ def test_lookup_trust_boundary_missing_encoded_locations():
     url = "http://example.com"
     headers = {"Authorization": "Bearer access_token"}
     with pytest.raises(exceptions.MalformedError) as excinfo:
-        _client.lookup_trust_boundary(mock_request, url, headers=headers)
+        _client._lookup_trust_boundary(mock_request, url, headers=headers)
     assert excinfo.match("Invalid trust boundary info")
 
     mock_request.assert_called_once_with(method="GET", url=url, headers=headers)
@@ -823,7 +823,7 @@ def test_lookup_trust_boundary_with_headers():
         "x-test-header": "test-value",
     }
 
-    _client.lookup_trust_boundary(mock_request, "http://example.com", headers=headers)
+    _client._lookup_trust_boundary(mock_request, "http://example.com", headers=headers)
 
     mock_request.assert_called_once_with(
         method="GET", url="http://example.com", headers=headers

tests/oauth2/test_service_account.py

@@ -521,7 +521,7 @@ def test_refresh_success(self, jwt_grant):
         # boundary was provided.
         assert credentials._trust_boundary is None
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     def test_refresh_skips_trust_boundary_lookup_non_default_universe(
         self, mock_jwt_grant, mock_lookup_trust_boundary
@@ -658,7 +658,7 @@ def test_refresh_non_gdu_domain_wide_delegation_not_supported(self):
             credentials.refresh(None)
         assert excinfo.match("domain wide delegation is not supported")
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     def test_refresh_success_with_valid_trust_boundary(
         self, mock_jwt_grant, mock_lookup_trust_boundary
@@ -702,7 +702,7 @@ def test_refresh_success_with_valid_trust_boundary(
             == self.VALID_TRUST_BOUNDARY["encodedLocations"]
         )
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     def test_refresh_fetches_no_op_trust_boundary(
         self, mock_jwt_grant, mock_lookup_trust_boundary
@@ -736,7 +736,7 @@ def test_refresh_fetches_no_op_trust_boundary(
         credentials.apply(headers_applied)
         assert headers_applied["x-allowed-locations"] == ""
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     def test_refresh_starts_with_no_op_trust_boundary_skips_lookup(
         self, mock_jwt_grant, mock_lookup_trust_boundary
@@ -770,7 +770,7 @@ def test_refresh_starts_with_no_op_trust_boundary_skips_lookup(
         credentials.apply(headers_applied)
         assert headers_applied["x-allowed-locations"] == ""
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     def test_refresh_trust_boundary_lookup_fails_no_cache(
         self, mock_jwt_grant, mock_lookup_trust_boundary
@@ -796,7 +796,7 @@ def test_refresh_trust_boundary_lookup_fails_no_cache(
         assert credentials._trust_boundary is None
         mock_lookup_trust_boundary.assert_called_once()
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     def test_refresh_trust_boundary_lookup_fails_with_cached_data(
         self, mock_jwt_grant, mock_lookup_trust_boundary

tests/test_impersonated_credentials.py

@@ -281,7 +281,7 @@ def test_token_usage_metrics(self):
         assert headers["x-goog-api-client"] == "cred-type/imp"
 
     @pytest.mark.parametrize("use_data_bytes", [True, False])
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     def test_refresh_success(
         self, mock_lookup_trust_boundary, use_data_bytes, mock_donor_credentials
     ):
@@ -344,7 +344,7 @@ def test_refresh_success(
             == self.VALID_TRUST_BOUNDARY["encodedLocations"]
         )
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     def test_refresh_trust_boundary_lookup_fails_no_cache(
         self, mock_lookup_trust_boundary, mock_donor_credentials
     ):
@@ -376,7 +376,7 @@ def test_refresh_trust_boundary_lookup_fails_no_cache(
         assert credentials._trust_boundary is None  # Still no trust boundary
         mock_lookup_trust_boundary.assert_called_once()
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     def test_refresh_fetches_no_op_trust_boundary(
         self, mock_lookup_trust_boundary, mock_donor_credentials
     ):
@@ -414,7 +414,7 @@ def test_refresh_fetches_no_op_trust_boundary(
         credentials.apply(headers_applied)
         assert headers_applied["x-allowed-locations"] == ""
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     def test_refresh_skips_trust_boundary_lookup_non_default_universe(
         self, mock_lookup_trust_boundary
     ):
@@ -450,7 +450,7 @@ def test_refresh_skips_trust_boundary_lookup_non_default_universe(
         credentials.apply(headers_applied)
         assert "x-allowed-locations" not in headers_applied
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     def test_refresh_starts_with_no_op_trust_boundary_skips_lookup(
         self, mock_lookup_trust_boundary, mock_donor_credentials
     ):
@@ -485,7 +485,7 @@ def test_refresh_starts_with_no_op_trust_boundary_skips_lookup(
         credentials.apply(headers_applied)
         assert headers_applied["x-allowed-locations"] == ""
 
-    @mock.patch("google.oauth2._client.lookup_trust_boundary")
+    @mock.patch("google.oauth2._client._lookup_trust_boundary")
     def test_refresh_trust_boundary_lookup_fails_with_cached_data2(
         self, mock_lookup_trust_boundary, mock_donor_credentials
     ):