Updated pr.

lu-ohai · lu-ohai · commit b2020e79b282 · 2023-06-14T12:38:35.000-07:00
diff --git a/ads/common/auth.py b/ads/common/auth.py
@@ -17,6 +17,22 @@
 from oci.config import DEFAULT_LOCATION  # "~/.oci/config"
 from oci.config import DEFAULT_PROFILE  # "DEFAULT"
 
+SECURITY_TOKEN_GENERIC_HEADERS = [
+    "date", 
+    "(request-target)", 
+    "host"
+]
+SECURITY_TOKEN_BODY_HEADERS = [
+    "content-length", 
+    "content-type", 
+    "x-content-sha256"
+]
+SECURITY_TOKEN_REQUIRED = [
+    "security_token_file", 
+    "key_file", 
+    "region"
+]
+
 
 class AuthType(str, metaclass=ExtendedEnumMeta):
     API_KEY = "api_key"
@@ -144,7 +160,8 @@ def set_auth(
     >>> ads.set_auth("security_token")  # Set security token authentication
 
     >>> config = dict(
-    ...     key_file=~/.oci/sessions/DEFAULT/oci_api_key.pem
+    ...     region=us-ashburn-1,
+    ...     key_file=~/.oci/sessions/DEFAULT/oci_api_key.pem,
     ...     security_token_file=~/.oci/sessions/DEFAULT/token
     ... )
     >>> ads.set_auth("security_token", config=config) # Set security token authentication from provided config
@@ -400,7 +417,8 @@ def create_signer(
     >>> signer_kwargs = dict(log_requests=True) # will log the request url and response data when retrieving
     >>> auth = ads.auth.create_signer(signer_callable=signer_callable, signer_kwargs=signer_kwargs) # instance principals authentication dictionary created based on callable with kwargs parameters
     >>> config = dict(
-    ...     key_file=~/.oci/sessions/DEFAULT/oci_api_key.pem
+    ...     region=us-ashburn-1,
+    ...     key_file=~/.oci/sessions/DEFAULT/oci_api_key.pem,
     ...     security_token_file=~/.oci/sessions/DEFAULT/token
     ... )
     >>> auth = ads.auth.create_signer(auth_type="security_token", config=config) # security token authentication created based on provided config
@@ -795,38 +813,29 @@ def create_signer(self) -> Dict:
 
         logger.info(f"Using 'security_token' authentication.")
 
-        if "security_token_file" not in configuration and "security_token_content" not in configuration:
-            raise ValueError(
-                "Parameter `security_token_file` or `security_token_content` must be provided for using `security_token` authentication."
-            )
-
-        if "key_file" not in configuration and "key_content" not in configuration:
-            raise ValueError(
-                "Parameter `key_file` or `key_content` must be provided for using `security_token` authentication."
-            )
+        for parameter in SECURITY_TOKEN_REQUIRED:
+            if parameter not in configuration:
+                raise ValueError(
+                    f"Parameter `{parameter}` must be provided for using `security_token` authentication."
+                )
         
-        if "security_token_content" not in configuration and not self.oci_config:
-            os.system(f'oci session refresh --profile {self.oci_key_profile or DEFAULT_PROFILE}')
+        if not self.oci_config:
+            os.system(f'oci session refresh --profile {self.oci_key_profile}')
 
         return {
             "config": configuration,
             "signer": oci.auth.signers.SecurityTokenSigner(
-                token=(
-                    configuration.get("security_token_content", None)
-                    or self._read_security_token_file(configuration.get("security_token_file"))
-                ),
-                private_key=(
-                    oci.signer.load_private_key(configuration.get("key_content"))
-                    if configuration.get("key_content")
-                    else oci.signer.load_private_key_from_file(configuration.get("key_file"))
-                ),
-                generic_headers=configuration.get("generic_headers"),
-                body_headers=configuration.get("body_headers")
+                token=self._read_security_token_file(configuration.get("security_token_file")),
+                private_key=oci.signer.load_private_key_from_file(configuration.get("key_file")),
+                generic_headers=configuration.get("generic_headers", SECURITY_TOKEN_GENERIC_HEADERS),
+                body_headers=configuration.get("body_headers", SECURITY_TOKEN_BODY_HEADERS)
             ),
             "client_kwargs": self.client_kwargs,
         }
     
     def _read_security_token_file(self, security_token_file: str) -> str:
+        if not os.path.isfile(security_token_file):
+            raise ValueError("Invalid `security_token_file`. Specify a valid path.")
         try:
             token = None
             with open(security_token_file, 'r') as f:
diff --git a/tests/unitary/default_setup/auth/test_auth.py b/tests/unitary/default_setup/auth/test_auth.py
@@ -125,44 +125,33 @@ def test_set_auth_with_key_content(self, mock_load_private_key, mock_validate_co
         set_auth()
 
     @mock.patch("oci.auth.signers.SecurityTokenSigner.__init__")
-    @mock.patch("oci.signer.load_private_key")
     @mock.patch("oci.signer.load_private_key_from_file")
     @mock.patch("ads.common.auth.SecurityToken._read_security_token_file")
-    def test_security_token(
+    def test_security_token_from_config(
         self,
         mock_read_security_token_file, 
         mock_load_private_key_from_file,
-        mock_load_private_key,
         mock_security_token_signer
     ):
         config = {
             "fingerprint": "test_fingerprint",
             "tenancy": "test_tenancy",
             "region": "us-ashburn-1",
+            "key_file": "test_key_file",
             "generic_headers": [1,2,3],
             "body_headers": [4,5,6]
         }
 
         with pytest.raises(
             ValueError,
-            match="Parameter `security_token_file` or `security_token_content` must be provided for using `security_token` authentication."
+            match="Parameter `security_token_file` must be provided for using `security_token` authentication."
         ):
             signer = security_token(
                 oci_config=config,
                 client_kwargs={"test_client_key":"test_client_value"}
             )
 
         config["security_token_file"] = "test_security_token"
-        with pytest.raises(
-            ValueError,
-            match="Parameter `key_file` or `key_content` must be provided for using `security_token` authentication."
-        ):
-            signer = security_token(
-                oci_config=config,
-                client_kwargs={"test_client_key":"test_client_value"}
-            )
-
-        config["key_file"] = "test_key_file"
         mock_security_token_signer.return_value = None
         signer = security_token(
             oci_config=config,
@@ -180,18 +169,51 @@ def test_security_token(
         assert signer["config"]["key_file"] == "test_key_file"
         assert isinstance(signer["signer"], SecurityTokenSigner)
 
-        config = {
+    @mock.patch("oci.auth.signers.SecurityTokenSigner.__init__")
+    @mock.patch("oci.signer.load_private_key_from_file")
+    @mock.patch("builtins.open")
+    @mock.patch("os.path.isfile")
+    @mock.patch("os.system")
+    @mock.patch("oci.config.from_file")
+    def test_security_token_from_file(
+        self,
+        mock_from_file,
+        mock_system,
+        mock_isfile,
+        mock_open,
+        mock_load_private_key_from_file,
+        mock_security_token_signer
+    ):
+        mock_from_file.return_value = {
             "fingerprint": "test_fingerprint",
             "tenancy": "test_tenancy",
             "region": "us-ashburn-1",
-            "security_token_content": "test_security_token_content",
-            "key_content": "test_key_content"
+            "key_file": "test_key_file",
+            "security_token_file": "test_security_token"
         }
+        mock_isfile.return_value = True
+        mock_security_token_signer.return_value = None
         signer = security_token(
-            oci_config=config,
+            oci_config="test_config_location",
+            profile="test_key_profile",
             client_kwargs={"test_client_key":"test_client_value"}
         )
-        mock_load_private_key.assert_called_with("test_key_content")
+
+        mock_from_file.assert_called_with("test_config_location", "test_key_profile")
+        mock_system.assert_called_with("oci session refresh --profile test_key_profile")
+        mock_isfile.assert_called_with("test_security_token")
+        mock_open.assert_called()
+        mock_load_private_key_from_file.assert_called_with("test_key_file")
+        mock_security_token_signer.assert_called()
+
+        assert signer["client_kwargs"] == {"test_client_key": "test_client_value"}
+        assert "additional_user_agent" in signer["config"]
+        assert signer["config"]["fingerprint"] == "test_fingerprint"
+        assert signer["config"]["tenancy"] == "test_tenancy"
+        assert signer["config"]["region"] == "us-ashburn-1"
+        assert signer["config"]["security_token_file"] == "test_security_token"
+        assert signer["config"]["key_file"] == "test_key_file"
+        assert isinstance(signer["signer"], SecurityTokenSigner)
 
 
 class TestOCIMixin(TestCase):
