fix: rename CLOCK_SKEW and separate client/server user case (#863) * fix: rename CLOCK_SKEW and separate client/server user case * update clock skew to 20s

commit: 738611bd2914f0fd5fa8b49b65f56ef321829c85 [log] [tgz]
author: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com> Thu Sep 09 17:09:54 2021 -0700
committer: GitHub <noreply@github.com> Thu Sep 09 17:09:54 2021 -0700
tree: 5a9d1e0c2138c038066dd66d9bf639da4b4123f6
parent: 13aed5ffe3ba435004ab48202462452f04d7cb29 [diff]
diff --git a/google/auth/_helpers.py b/google/auth/_helpers.py index 11c6b1a..55adf5b 100644 --- a/google/auth/_helpers.py +++ b/google/auth/_helpers.py 
@@ -20,8 +20,11 @@  import urllib     -CLOCK_SKEW_SECS = 60 # 60 seconds -CLOCK_SKEW = datetime.timedelta(seconds=CLOCK_SKEW_SECS) +# Token server doesn't provide a new a token when doing refresh unless the +# token is expiring within 30 seconds, so refresh threshold should not be +# more than 30 seconds. Otherwise auth lib will send tons of refresh requests +# until 30 seconds before the expiration, and cause a spike of CPU usage. +REFRESH_THRESHOLD = datetime.timedelta(seconds=20)      def copy_docstring(source_class): 
diff --git a/google/auth/credentials.py b/google/auth/credentials.py index 6356f54..8d9974c 100644 --- a/google/auth/credentials.py +++ b/google/auth/credentials.py 
@@ -62,7 +62,7 @@    # Remove 10 seconds from expiry to err on the side of reporting  # expiration early so that we avoid the 401-refresh-retry loop. - skewed_expiry = self.expiry - _helpers.CLOCK_SKEW + skewed_expiry = self.expiry - _helpers.REFRESH_THRESHOLD  return _helpers.utcnow() >= skewed_expiry    @property 
diff --git a/google/auth/jwt.py b/google/auth/jwt.py index 1bc7e5e..bb9ffae 100644 --- a/google/auth/jwt.py +++ b/google/auth/jwt.py 
@@ -167,12 +167,14 @@  return header     -def _verify_iat_and_exp(payload): +def _verify_iat_and_exp(payload, clock_skew_in_seconds=0):  """Verifies the ``iat`` (Issued At) and ``exp`` (Expires) claims in a token  payload.    Args:  payload (Mapping[str, str]): The JWT payload. + clock_skew_in_seconds (int): The clock skew used for `iat` and `exp` + validation.    Raises:  ValueError: if any checks failed. @@ -188,7 +190,7 @@  iat = payload["iat"]  # Err on the side of accepting a token that is slightly early to account  # for clock skew. - earliest = iat - _helpers.CLOCK_SKEW_SECS + earliest = iat - clock_skew_in_seconds  if now < earliest:  raise ValueError(  "Token used too early, {} < {}. Check that your computer's clock is set correctly.".format( @@ -200,12 +202,12 @@  exp = payload["exp"]  # Err on the side of accepting a token that is slightly out of date  # to account for clow skew. - latest = exp + _helpers.CLOCK_SKEW_SECS + latest = exp + clock_skew_in_seconds  if latest < now:  raise ValueError("Token expired, {} < {}".format(latest, now))     -def decode(token, certs=None, verify=True, audience=None): +def decode(token, certs=None, verify=True, audience=None, clock_skew_in_seconds=0):  """Decode and verify a JWT.    Args: @@ -221,6 +223,8 @@  audience (str or list): The audience claim, 'aud', that this JWT should  contain. Or a list of audience claims. If None then the JWT's 'aud'  parameter is not verified. + clock_skew_in_seconds (int): The clock skew used for `iat` and `exp` + validation.    Returns:  Mapping[str, str]: The deserialized JSON payload in the JWT. @@ -271,7 +275,7 @@  raise ValueError("Could not verify token signature.")    # Verify the issued at and created times in the payload. - _verify_iat_and_exp(payload) + _verify_iat_and_exp(payload, clock_skew_in_seconds)    # Check audience.  if audience is not None: 
diff --git a/google/oauth2/credentials.py b/google/oauth2/credentials.py index e259f78..6d34edf 100644 --- a/google/oauth2/credentials.py +++ b/google/oauth2/credentials.py 
@@ -270,7 +270,7 @@  raise exceptions.RefreshError(  "The refresh_handler returned expiry is not a datetime object."  ) - if _helpers.utcnow() >= expiry - _helpers.CLOCK_SKEW: + if _helpers.utcnow() >= expiry - _helpers.REFRESH_THRESHOLD:  raise exceptions.RefreshError(  "The credentials returned by the refresh_handler are "  "already expired." @@ -359,7 +359,7 @@  expiry.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S"  )  else: - expiry = _helpers.utcnow() - _helpers.CLOCK_SKEW + expiry = _helpers.utcnow() - _helpers.REFRESH_THRESHOLD    # process scopes, which needs to be a seq  if scopes is None and "scopes" in info: 
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py index ebe9aa5..81cc6db 100644 --- a/tests/compute_engine/test_credentials.py +++ b/tests/compute_engine/test_credentials.py 
@@ -64,7 +64,7 @@    @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)  def test_refresh_success(self, get, utcnow): @@ -98,7 +98,7 @@    @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)  def test_refresh_success_with_scopes(self, get, utcnow): 
diff --git a/tests/oauth2/test_credentials.py b/tests/oauth2/test_credentials.py index b6a80e3..243f97d 100644 --- a/tests/oauth2/test_credentials.py +++ b/tests/oauth2/test_credentials.py 
@@ -115,7 +115,7 @@  @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  def test_refresh_success(self, unused_utcnow, refresh_grant):  token = "token" @@ -175,7 +175,7 @@  @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  def test_refresh_with_refresh_token_and_refresh_handler(  self, unused_utcnow, refresh_grant @@ -361,7 +361,7 @@    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)  def test_refresh_with_refresh_handler_expired_token(self, unused_utcnow): - expected_expiry = datetime.datetime.min + _helpers.CLOCK_SKEW + expected_expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD  # Simulate refresh handler returns an expired token.  refresh_handler = mock.Mock(return_value=("TOKEN", expected_expiry))  scopes = ["email", "profile"] @@ -391,7 +391,7 @@  @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  def test_credentials_with_scopes_requested_refresh_success(  self, unused_utcnow, refresh_grant @@ -457,7 +457,7 @@  @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  def test_credentials_with_only_default_scopes_requested(  self, unused_utcnow, refresh_grant @@ -521,7 +521,7 @@  @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  def test_credentials_with_scopes_returned_refresh_success(  self, unused_utcnow, refresh_grant @@ -588,7 +588,7 @@  @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  def test_credentials_with_scopes_refresh_failure_raises_refresh_error(  self, unused_utcnow, refresh_grant 
diff --git a/tests/test_credentials.py b/tests/test_credentials.py index 0633b38..2de6388 100644 --- a/tests/test_credentials.py +++ b/tests/test_credentials.py 
@@ -46,7 +46,9 @@  # Set the expiration to one second more than now plus the clock skew  # accomodation. These credentials should be valid.  credentials.expiry = ( - datetime.datetime.utcnow() + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1) + datetime.datetime.utcnow() + + _helpers.REFRESH_THRESHOLD + + datetime.timedelta(seconds=1)  )    assert credentials.valid 
diff --git a/tests/test_downscoped.py b/tests/test_downscoped.py index 795ec29..9ca95f5 100644 --- a/tests/test_downscoped.py +++ b/tests/test_downscoped.py 
@@ -669,7 +669,9 @@  # Set the expiration to one second more than now plus the clock skew  # accommodation. These credentials should be valid.  credentials.expiry = ( - datetime.datetime.min + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1) + datetime.datetime.min + + _helpers.REFRESH_THRESHOLD + + datetime.timedelta(seconds=1)  )    assert credentials.valid 
diff --git a/tests/test_external_account.py b/tests/test_external_account.py index e8297da..df6174f 100644 --- a/tests/test_external_account.py +++ b/tests/test_external_account.py 
@@ -976,7 +976,9 @@  # Set the expiration to one second more than now plus the clock skew  # accomodation. These credentials should be valid.  credentials.expiry = ( - datetime.datetime.min + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1) + datetime.datetime.min + + _helpers.REFRESH_THRESHOLD + + datetime.timedelta(seconds=1)  )    assert credentials.valid @@ -1027,7 +1029,9 @@  # Set the expiration to one second more than now plus the clock skew  # accomodation. These credentials should be valid.  credentials.expiry = ( - datetime.datetime.min + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1) + datetime.datetime.min + + _helpers.REFRESH_THRESHOLD + + datetime.timedelta(seconds=1)  )    assert credentials.valid 
diff --git a/tests/test_iam.py b/tests/test_iam.py index 30ce227..e9eca58 100644 --- a/tests/test_iam.py +++ b/tests/test_iam.py 
@@ -45,7 +45,7 @@  super(CredentialsImpl, self).__init__()  self.token = "token"  # Force refresh - self.expiry = datetime.datetime.min + _helpers.CLOCK_SKEW + self.expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD    def refresh(self, request):  pass 
diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py index 126c4c3..3dbb6ca 100644 --- a/tests/test_impersonated_credentials.py +++ b/tests/test_impersonated_credentials.py 
@@ -211,11 +211,11 @@  credentials = self.make_credentials(lifetime=None)    # Source credentials is refreshed only if it is expired within - # _helpers.CLOCK_SKEW from now. We add a time_skew to the expiry, so + # _helpers.REFRESH_THRESHOLD from now. We add a time_skew to the expiry, so  # source credentials is refreshed only if time_skew <= 0.  credentials._source_credentials.expiry = (  _helpers.utcnow() - + _helpers.CLOCK_SKEW + + _helpers.REFRESH_THRESHOLD  + datetime.timedelta(seconds=time_skew)  )  credentials._source_credentials.token = "Token" @@ -238,7 +238,7 @@  assert not credentials.expired    # Source credentials is refreshed only if it is expired within - # _helpers.CLOCK_SKEW + # _helpers.REFRESH_THRESHOLD  if time_skew > 0:  source_cred_refresh.assert_not_called()  else: 
diff --git a/tests/test_jwt.py b/tests/test_jwt.py index 0dd7fa9..ba7277c 100644 --- a/tests/test_jwt.py +++ b/tests/test_jwt.py 
@@ -197,7 +197,7 @@  }  )  with pytest.raises(ValueError) as excinfo: - jwt.decode(token, PUBLIC_CERT_BYTES) + jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=59)  assert excinfo.match(r"Token used too early")     @@ -210,10 +210,40 @@  }  )  with pytest.raises(ValueError) as excinfo: - jwt.decode(token, PUBLIC_CERT_BYTES) + jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=59)  assert excinfo.match(r"Token expired")     +def test_decode_success_with_no_clock_skew(token_factory): + token = token_factory( + claims={ + "exp": _helpers.datetime_to_secs( + _helpers.utcnow() + datetime.timedelta(seconds=1) + ), + "iat": _helpers.datetime_to_secs( + _helpers.utcnow() - datetime.timedelta(seconds=1) + ), + } + ) + + jwt.decode(token, PUBLIC_CERT_BYTES) + + +def test_decode_success_with_custom_clock_skew(token_factory): + token = token_factory( + claims={ + "exp": _helpers.datetime_to_secs( + _helpers.utcnow() + datetime.timedelta(seconds=2) + ), + "iat": _helpers.datetime_to_secs( + _helpers.utcnow() - datetime.timedelta(seconds=2) + ), + } + ) + + jwt.decode(token, PUBLIC_CERT_BYTES, clock_skew_in_seconds=1) + +  def test_decode_bad_token_wrong_audience(token_factory):  token = token_factory()  audience = "audience2@example.com" 
diff --git a/tests/transport/test_grpc.py b/tests/transport/test_grpc.py index 926c1bc..3437658 100644 --- a/tests/transport/test_grpc.py +++ b/tests/transport/test_grpc.py 
@@ -80,7 +80,7 @@    def test_call_refresh(self):  credentials = CredentialsStub() - credentials.expiry = datetime.datetime.min + _helpers.CLOCK_SKEW + credentials.expiry = datetime.datetime.min + _helpers.REFRESH_THRESHOLD  request = mock.create_autospec(transport.Request)    plugin = google.auth.transport.grpc.AuthMetadataPlugin(credentials, request) 
diff --git a/tests_async/oauth2/test_credentials_async.py b/tests_async/oauth2/test_credentials_async.py index bc89392..06c9141 100644 --- a/tests_async/oauth2/test_credentials_async.py +++ b/tests_async/oauth2/test_credentials_async.py 
@@ -62,7 +62,7 @@  @mock.patch("google.oauth2._reauth_async.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  @pytest.mark.asyncio  async def test_refresh_success(self, unused_utcnow, refresh_grant): @@ -124,7 +124,7 @@  @mock.patch("google.oauth2._reauth_async.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  @pytest.mark.asyncio  async def test_credentials_with_scopes_requested_refresh_success( @@ -188,7 +188,7 @@  @mock.patch("google.oauth2._reauth_async.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  @pytest.mark.asyncio  async def test_credentials_with_scopes_returned_refresh_success( @@ -251,7 +251,7 @@  @mock.patch("google.oauth2._reauth_async.refresh_grant", autospec=True)  @mock.patch(  "google.auth._helpers.utcnow", - return_value=datetime.datetime.min + _helpers.CLOCK_SKEW, + return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,  )  @pytest.mark.asyncio  async def test_credentials_with_scopes_refresh_failure_raises_refresh_error( 
diff --git a/tests_async/test_credentials_async.py b/tests_async/test_credentials_async.py index 0a48908..5315483 100644 --- a/tests_async/test_credentials_async.py +++ b/tests_async/test_credentials_async.py 
@@ -46,7 +46,9 @@  # Set the expiration to one second more than now plus the clock skew  # accomodation. These credentials should be valid.  credentials.expiry = ( - datetime.datetime.utcnow() + _helpers.CLOCK_SKEW + datetime.timedelta(seconds=1) + datetime.datetime.utcnow() + + _helpers.REFRESH_THRESHOLD + + datetime.timedelta(seconds=1)  )    assert credentials.valid
commit	738611bd2914f0fd5fa8b49b65f56ef321829c85	[log] [tgz]
author	arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>	Thu Sep 09 17:09:54 2021 -0700
committer	GitHub <noreply@github.com>	Thu Sep 09 17:09:54 2021 -0700
tree	5a9d1e0c2138c038066dd66d9bf639da4b4123f6
parent	13aed5ffe3ba435004ab48202462452f04d7cb29 [diff]