auth/httptransport/httptransport_test.go - gocloud - Git at Google

 // Copyright 2023 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package httptransport

 import (
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"

 	"cloud.google.com/go/auth"
 	"cloud.google.com/go/auth/credentials"
 	"cloud.google.com/go/auth/internal"
 	"github.com/google/go-cmp/cmp"
 )

 func TestAddAuthorizationMiddleware(t *testing.T) {
 	creds := auth.NewCredentials(&auth.CredentialsOptions{
 		TokenProvider: staticTP("fakeToken"),
 	})
 	tests := []struct {
 		name    string
 		client  *http.Client
 		creds   *auth.Credentials
 		wantErr bool
 		want    string
 	}{
 		{
 			name:    "missing both required fields",
 			wantErr: true,
 		},
 		{
 			name:    "missing client field",
 			creds:   creds,
 			wantErr: true,
 		},
 		{
 			name:    "missing creds field",
 			client:  internal.CloneDefaultClient(),
 			wantErr: true,
 		},
 		{
 			name:   "works",
 			client: internal.CloneDefaultClient(),
 			creds:  creds,
 			want:   "fakeToken",
 		},
 		{
 			name:   "works, no transport",
 			client: &http.Client{},
 			creds:  creds,
 			want:   "fakeToken",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := AddAuthorizationMiddleware(tt.client, tt.creds)
 			if tt.wantErr && err == nil {
 				t.Fatalf("AddAuthorizationMiddleware() = nil, want error")
 			}
 			if tt.wantErr {
 				return
 			}
 			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				got := r.Header.Get("Authorization")
 				if !strings.Contains(got, tt.want) {
 					t.Errorf("got %q, want contain %q", got, tt.want)
 				}

 			}))
 			defer ts.Close()
 			tt.client.Get(ts.URL)
 		})
 	}
 }

 func TestNewClient_FailsValidation(t *testing.T) {
 	tests := []struct {
 		name string
 		opts *Options
 	}{
 		{
 			name: "missing options",
 		},
 		{
 			name: "has creds with disable options, tp",
 			opts: &Options{
 				DisableAuthentication: true,
 				Credentials: auth.NewCredentials(&auth.CredentialsOptions{
 					TokenProvider: staticTP("fakeToken"),
 				}),
 			},
 		},
 		{
 			name: "has creds with disable options, cred file",
 			opts: &Options{
 				DisableAuthentication: true,
 				DetectOpts: &credentials.DetectOptions{
 					CredentialsFile: "abc.123",
 				},
 			},
 		},
 		{
 			name: "has creds with disable options, cred json",
 			opts: &Options{
 				DisableAuthentication: true,
 				DetectOpts: &credentials.DetectOptions{
 					CredentialsJSON: []byte(`{"foo":"bar"}`),
 				},
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			_, err := NewClient(tt.opts)
 			if err == nil {
 				t.Fatal("NewClient() = _, nil, want error")
 			}
 		})
 	}
 }

 func TestDial_SkipValidation(t *testing.T) {
 	opts := &Options{
 		DisableAuthentication: true,
 		Credentials: auth.NewCredentials(&auth.CredentialsOptions{
 			TokenProvider: staticTP("fakeToken"),
 		}),
 	}
 	t.Run("invalid opts", func(t *testing.T) {
 		if err := opts.validate(); err == nil {
 			t.Fatalf("opts.validate() = nil, want error")
 		}
 	})

 	t.Run("skip invalid opts", func(t *testing.T) {
 		opts.InternalOptions = &InternalOptions{SkipValidation: true}
 		if err := opts.validate(); err != nil {
 			t.Fatalf("opts.validate() = %v, want nil", err)
 		}
 	})
 }

 func TestOptions_ResolveDetectOptions(t *testing.T) {
 	tests := []struct {
 		name string
 		in   *Options
 		want *credentials.DetectOptions
 	}{
 		{
 			name: "base",
 			in: &Options{
 				DetectOpts: &credentials.DetectOptions{
 					Scopes:          []string{"scope"},
 					CredentialsFile: "/path/to/a/file",
 				},
 			},
 			want: &credentials.DetectOptions{
 				Scopes:          []string{"scope"},
 				CredentialsFile: "/path/to/a/file",
 			},
 		},
 		{
 			name: "self-signed, with scope",
 			in: &Options{
 				InternalOptions: &InternalOptions{
 					EnableJWTWithScope: true,
 				},
 				DetectOpts: &credentials.DetectOptions{
 					Scopes:          []string{"scope"},
 					CredentialsFile: "/path/to/a/file",
 				},
 			},
 			want: &credentials.DetectOptions{
 				Scopes:           []string{"scope"},
 				CredentialsFile:  "/path/to/a/file",
 				UseSelfSignedJWT: true,
 			},
 		},
 		{
 			name: "self-signed, with aud",
 			in: &Options{
 				DetectOpts: &credentials.DetectOptions{
 					Audience:        "aud",
 					CredentialsFile: "/path/to/a/file",
 				},
 			},
 			want: &credentials.DetectOptions{
 				Audience:         "aud",
 				CredentialsFile:  "/path/to/a/file",
 				UseSelfSignedJWT: true,
 			},
 		},
 		{
 			name: "use default scopes",
 			in: &Options{
 				InternalOptions: &InternalOptions{
 					DefaultScopes:   []string{"default"},
 					DefaultAudience: "default",
 				},
 				DetectOpts: &credentials.DetectOptions{
 					CredentialsFile: "/path/to/a/file",
 				},
 			},
 			want: &credentials.DetectOptions{
 				Scopes:          []string{"default"},
 				CredentialsFile: "/path/to/a/file",
 			},
 		},
 		{
 			name: "don't use default scopes, scope provided",
 			in: &Options{
 				InternalOptions: &InternalOptions{
 					DefaultScopes:   []string{"default"},
 					DefaultAudience: "default",
 				},
 				DetectOpts: &credentials.DetectOptions{
 					Scopes:          []string{"non-default"},
 					CredentialsFile: "/path/to/a/file",
 				},
 			},
 			want: &credentials.DetectOptions{
 				Scopes:          []string{"non-default"},
 				CredentialsFile: "/path/to/a/file",
 			},
 		},
 		{
 			name: "don't use default scopes, aud provided",
 			in: &Options{
 				InternalOptions: &InternalOptions{
 					DefaultScopes:   []string{"default"},
 					DefaultAudience: "default",
 				},
 				DetectOpts: &credentials.DetectOptions{
 					Audience:        "non-default",
 					CredentialsFile: "/path/to/a/file",
 				},
 			},
 			want: &credentials.DetectOptions{
 				Audience:         "non-default",
 				CredentialsFile:  "/path/to/a/file",
 				UseSelfSignedJWT: true,
 			},
 		},
 		{
 			name: "use default aud",
 			in: &Options{
 				InternalOptions: &InternalOptions{
 					DefaultAudience: "default",
 				},
 				DetectOpts: &credentials.DetectOptions{
 					CredentialsFile: "/path/to/a/file",
 				},
 			},
 			want: &credentials.DetectOptions{
 				Audience:        "default",
 				CredentialsFile: "/path/to/a/file",
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got := tt.in.resolveDetectOptions()
 			if diff := cmp.Diff(tt.want, got); diff != "" {
 				t.Errorf("mismatch (-want +got):\n%s", diff)
 			}
 		})
 	}
 }

 func TestNewClient_DetectedServiceAccount(t *testing.T) {
 	testQuota := "testquota"
 	wantHeader := "bar"
 	t.Setenv(internal.QuotaProjectEnvVar, testQuota)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if got := r.Header.Get("Authorization"); got == "" {
 			t.Errorf(`got "", want an auth token`)
 		}
 		if got := r.Header.Get("Foo"); got != wantHeader {
 			t.Errorf("got %q, want %q", got, wantHeader)
 		}
 		if got := r.Header.Get(quotaProjectHeaderKey); got != testQuota {
 			t.Errorf("got %q, want %q", got, testQuota)
 		}
 	}))
 	defer ts.Close()
 	client, err := NewClient(&Options{
 		Headers: http.Header{"Foo": []string{wantHeader}},
 		InternalOptions: &InternalOptions{
 			DefaultEndpointTemplate: ts.URL,
 		},
 		DetectOpts: &credentials.DetectOptions{
 			Audience:         ts.URL,
 			CredentialsFile:  "../internal/testdata/sa.json",
 			UseSelfSignedJWT: true,
 		},
 	})
 	if err != nil {
 		t.Fatalf("NewClient() = %v", err)
 	}
 	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if _, err := client.Do(req); err != nil {
 		t.Fatalf("client.Get() = %v", err)
 	}
 }

 func TestNewClient_APIKey(t *testing.T) {
 	testQuota := "testquota"
 	apiKey := "thereisnospoon"
 	wantHeader := "bar"
 	t.Setenv(internal.QuotaProjectEnvVar, testQuota)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		got := r.URL.Query().Get("key")
 		if got != apiKey {
 			t.Errorf("got %q, want %q", got, apiKey)
 		}
 		if got := r.Header.Get("Foo"); got != wantHeader {
 			t.Errorf("got %q, want %q", got, wantHeader)
 		}
 		if got := r.Header.Get(quotaProjectHeaderKey); got != testQuota {
 			t.Errorf("got %q, want %q", got, testQuota)
 		}
 	}))
 	defer ts.Close()
 	client, err := NewClient(&Options{
 		APIKey:  apiKey,
 		Headers: http.Header{"Foo": []string{wantHeader}},
 	})
 	if err != nil {
 		t.Fatalf("NewClient() = %v", err)
 	}
 	if _, err := client.Get(ts.URL); err != nil {
 		t.Fatalf("client.Get() = %v", err)
 	}
 }

 func TestNewClient_BaseRoundTripper(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		got := r.Header.Get("Foo")
 		if want := "foo"; got != want {
 			t.Errorf("got %q, want %q", got, want)
 		}
 		got = r.Header.Get("Bar")
 		if want := "bar"; got != want {
 			t.Errorf("got %q, want %q", got, want)
 		}
 	}))
 	defer ts.Close()
 	client, err := NewClient(&Options{
 		BaseRoundTripper: &rt{key: "Bar", value: "bar"},
 		Headers:          http.Header{"Foo": []string{"foo"}},
 		APIKey:           "key",
 	})
 	if err != nil {
 		t.Fatalf("NewClient() = %v", err)
 	}
 	if _, err := client.Get(ts.URL); err != nil {
 		t.Fatalf("client.Get() = %v", err)
 	}
 }

 type staticTP string

 func (tp staticTP) Token(context.Context) (*auth.Token, error) {
 	return &auth.Token{
 		Value: string(tp),
 	}, nil
 }

 type rt struct {
 	key   string
 	value string
 }

 func (r *rt) RoundTrip(req *http.Request) (*http.Response, error) {
 	req2 := req.Clone(req.Context())
 	req2.Header.Add(r.key, r.value)
 	return http.DefaultTransport.RoundTrip(req2)
 }
	// Copyright 2023 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package httptransport

	import (
	"context"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"

	"cloud.google.com/go/auth"
	"cloud.google.com/go/auth/credentials"
	"cloud.google.com/go/auth/internal"
	"github.com/google/go-cmp/cmp"
	)

	func TestAddAuthorizationMiddleware(t *testing.T) {
	creds := auth.NewCredentials(&auth.CredentialsOptions{
	TokenProvider: staticTP("fakeToken"),
	})
	tests := []struct {
	name string
	client *http.Client
	creds *auth.Credentials
	wantErr bool
	want string
	}{
	{
	name: "missing both required fields",
	wantErr: true,
	},
	{
	name: "missing client field",
	creds: creds,
	wantErr: true,
	},
	{
	name: "missing creds field",
	client: internal.CloneDefaultClient(),
	wantErr: true,
	},
	{
	name: "works",
	client: internal.CloneDefaultClient(),
	creds: creds,
	want: "fakeToken",
	},
	{
	name: "works, no transport",
	client: &http.Client{},
	creds: creds,
	want: "fakeToken",
	},
	}
	for _, tt := range tests {
	t.Run(tt.name, func(t *testing.T) {
	err := AddAuthorizationMiddleware(tt.client, tt.creds)
	if tt.wantErr && err == nil {
	t.Fatalf("AddAuthorizationMiddleware() = nil, want error")
	}
	if tt.wantErr {
	return
	}
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	got := r.Header.Get("Authorization")
	if !strings.Contains(got, tt.want) {
	t.Errorf("got %q, want contain %q", got, tt.want)
	}

	}))
	defer ts.Close()
	tt.client.Get(ts.URL)
	})
	}
	}

	func TestNewClient_FailsValidation(t *testing.T) {
	tests := []struct {
	name string
	opts *Options
	}{
	{
	name: "missing options",
	},
	{
	name: "has creds with disable options, tp",
	opts: &Options{
	DisableAuthentication: true,
	Credentials: auth.NewCredentials(&auth.CredentialsOptions{
	TokenProvider: staticTP("fakeToken"),
	}),
	},
	},
	{
	name: "has creds with disable options, cred file",
	opts: &Options{
	DisableAuthentication: true,
	DetectOpts: &credentials.DetectOptions{
	CredentialsFile: "abc.123",
	},
	},
	},
	{
	name: "has creds with disable options, cred json",
	opts: &Options{
	DisableAuthentication: true,
	DetectOpts: &credentials.DetectOptions{
	CredentialsJSON: []byte(`{"foo":"bar"}`),
	},
	},
	},
	}
	for _, tt := range tests {
	t.Run(tt.name, func(t *testing.T) {
	_, err := NewClient(tt.opts)
	if err == nil {
	t.Fatal("NewClient() = _, nil, want error")
	}
	})
	}
	}

	func TestDial_SkipValidation(t *testing.T) {
	opts := &Options{
	DisableAuthentication: true,
	Credentials: auth.NewCredentials(&auth.CredentialsOptions{
	TokenProvider: staticTP("fakeToken"),
	}),
	}
	t.Run("invalid opts", func(t *testing.T) {
	if err := opts.validate(); err == nil {
	t.Fatalf("opts.validate() = nil, want error")
	}
	})

	t.Run("skip invalid opts", func(t *testing.T) {
	opts.InternalOptions = &InternalOptions{SkipValidation: true}
	if err := opts.validate(); err != nil {
	t.Fatalf("opts.validate() = %v, want nil", err)
	}
	})
	}

	func TestOptions_ResolveDetectOptions(t *testing.T) {
	tests := []struct {
	name string
	in *Options
	want *credentials.DetectOptions
	}{
	{
	name: "base",
	in: &Options{
	DetectOpts: &credentials.DetectOptions{
	Scopes: []string{"scope"},
	CredentialsFile: "/path/to/a/file",
	},
	},
	want: &credentials.DetectOptions{
	Scopes: []string{"scope"},
	CredentialsFile: "/path/to/a/file",
	},
	},
	{
	name: "self-signed, with scope",
	in: &Options{
	InternalOptions: &InternalOptions{
	EnableJWTWithScope: true,
	},
	DetectOpts: &credentials.DetectOptions{
	Scopes: []string{"scope"},
	CredentialsFile: "/path/to/a/file",
	},
	},
	want: &credentials.DetectOptions{
	Scopes: []string{"scope"},
	CredentialsFile: "/path/to/a/file",
	UseSelfSignedJWT: true,
	},
	},
	{
	name: "self-signed, with aud",
	in: &Options{
	DetectOpts: &credentials.DetectOptions{
	Audience: "aud",
	CredentialsFile: "/path/to/a/file",
	},
	},
	want: &credentials.DetectOptions{
	Audience: "aud",
	CredentialsFile: "/path/to/a/file",
	UseSelfSignedJWT: true,
	},
	},
	{
	name: "use default scopes",
	in: &Options{
	InternalOptions: &InternalOptions{
	DefaultScopes: []string{"default"},
	DefaultAudience: "default",
	},
	DetectOpts: &credentials.DetectOptions{
	CredentialsFile: "/path/to/a/file",
	},
	},
	want: &credentials.DetectOptions{
	Scopes: []string{"default"},
	CredentialsFile: "/path/to/a/file",
	},
	},
	{
	name: "don't use default scopes, scope provided",
	in: &Options{
	InternalOptions: &InternalOptions{
	DefaultScopes: []string{"default"},
	DefaultAudience: "default",
	},
	DetectOpts: &credentials.DetectOptions{
	Scopes: []string{"non-default"},
	CredentialsFile: "/path/to/a/file",
	},
	},
	want: &credentials.DetectOptions{
	Scopes: []string{"non-default"},
	CredentialsFile: "/path/to/a/file",
	},
	},
	{
	name: "don't use default scopes, aud provided",
	in: &Options{
	InternalOptions: &InternalOptions{
	DefaultScopes: []string{"default"},
	DefaultAudience: "default",
	},
	DetectOpts: &credentials.DetectOptions{
	Audience: "non-default",
	CredentialsFile: "/path/to/a/file",
	},
	},
	want: &credentials.DetectOptions{
	Audience: "non-default",
	CredentialsFile: "/path/to/a/file",
	UseSelfSignedJWT: true,
	},
	},
	{
	name: "use default aud",
	in: &Options{
	InternalOptions: &InternalOptions{
	DefaultAudience: "default",
	},
	DetectOpts: &credentials.DetectOptions{
	CredentialsFile: "/path/to/a/file",
	},
	},
	want: &credentials.DetectOptions{
	Audience: "default",
	CredentialsFile: "/path/to/a/file",
	},
	},
	}
	for _, tt := range tests {
	t.Run(tt.name, func(t *testing.T) {
	got := tt.in.resolveDetectOptions()
	if diff := cmp.Diff(tt.want, got); diff != "" {
	t.Errorf("mismatch (-want +got):\n%s", diff)
	}
	})
	}
	}

	func TestNewClient_DetectedServiceAccount(t *testing.T) {
	testQuota := "testquota"
	wantHeader := "bar"
	t.Setenv(internal.QuotaProjectEnvVar, testQuota)
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if got := r.Header.Get("Authorization"); got == "" {
	t.Errorf(`got "", want an auth token`)
	}
	if got := r.Header.Get("Foo"); got != wantHeader {
	t.Errorf("got %q, want %q", got, wantHeader)
	}
	if got := r.Header.Get(quotaProjectHeaderKey); got != testQuota {
	t.Errorf("got %q, want %q", got, testQuota)
	}
	}))
	defer ts.Close()
	client, err := NewClient(&Options{
	Headers: http.Header{"Foo": []string{wantHeader}},
	InternalOptions: &InternalOptions{
	DefaultEndpointTemplate: ts.URL,
	},
	DetectOpts: &credentials.DetectOptions{
	Audience: ts.URL,
	CredentialsFile: "../internal/testdata/sa.json",
	UseSelfSignedJWT: true,
	},
	})
	if err != nil {
	t.Fatalf("NewClient() = %v", err)
	}
	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
	if err != nil {
	t.Fatal(err)
	}
	if _, err := client.Do(req); err != nil {
	t.Fatalf("client.Get() = %v", err)
	}
	}

	func TestNewClient_APIKey(t *testing.T) {
	testQuota := "testquota"
	apiKey := "thereisnospoon"
	wantHeader := "bar"
	t.Setenv(internal.QuotaProjectEnvVar, testQuota)
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	got := r.URL.Query().Get("key")
	if got != apiKey {
	t.Errorf("got %q, want %q", got, apiKey)
	}
	if got := r.Header.Get("Foo"); got != wantHeader {
	t.Errorf("got %q, want %q", got, wantHeader)
	}
	if got := r.Header.Get(quotaProjectHeaderKey); got != testQuota {
	t.Errorf("got %q, want %q", got, testQuota)
	}
	}))
	defer ts.Close()
	client, err := NewClient(&Options{
	APIKey: apiKey,
	Headers: http.Header{"Foo": []string{wantHeader}},
	})
	if err != nil {
	t.Fatalf("NewClient() = %v", err)
	}
	if _, err := client.Get(ts.URL); err != nil {
	t.Fatalf("client.Get() = %v", err)
	}
	}

	func TestNewClient_BaseRoundTripper(t *testing.T) {
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	got := r.Header.Get("Foo")
	if want := "foo"; got != want {
	t.Errorf("got %q, want %q", got, want)
	}
	got = r.Header.Get("Bar")
	if want := "bar"; got != want {
	t.Errorf("got %q, want %q", got, want)
	}
	}))
	defer ts.Close()
	client, err := NewClient(&Options{
	BaseRoundTripper: &rt{key: "Bar", value: "bar"},
	Headers: http.Header{"Foo": []string{"foo"}},
	APIKey: "key",
	})
	if err != nil {
	t.Fatalf("NewClient() = %v", err)
	}
	if _, err := client.Get(ts.URL); err != nil {
	t.Fatalf("client.Get() = %v", err)
	}
	}

	type staticTP string

	func (tp staticTP) Token(context.Context) (*auth.Token, error) {
	return &auth.Token{
	Value: string(tp),
	}, nil
	}

	type rt struct {
	key string
	value string
	}

	func (r rt) RoundTrip(req http.Request) (*http.Response, error) {
	req2 := req.Clone(req.Context())
	req2.Header.Add(r.key, r.value)
	return http.DefaultTransport.RoundTrip(req2)
	}