Implementing App Default and Refresh Token Credential Types (#6)

* Implementing app default and refresh token credential types * Added properties to refresh token class * Adding error handling; Removing the old exception wrapping syntax since it does not work on python 3. * Updated docstring * Updated comments and docstrings

Author: hiranya911

firebase_admin/credentials.py

@@ -1,6 +1,5 @@
 """Firebase credentials module."""
 import json
-import sys
 
 import httplib2
 
@@ -41,24 +40,28 @@ def __init__(self, file_path):
 
  Raises:
  IOError: If the specified file doesn't exist or cannot be read.
- ValueError: If an error occurs while parsing the file content.
+ ValueError: If the certificate file is invalid.
  """
  super(Certificate, self).__init__()
  # TODO(hkj): Clean this up once we are able to take a dependency
  # TODO(hkj): on latest oauth2client.
  with open(file_path) as json_keyfile:
  json_data = json.load(json_keyfile)
+ if json_data.get('type') != client.SERVICE_ACCOUNT:
+ raise ValueError('Invalid certificate file. File must contain a '
+ '"type" field set to "{0}".'.format(client.SERVICE_ACCOUNT))
  self._project_id = json_data.get('project_id')
+ self._service_account_email = json_data.get('client_email')
  try:
- self._signer = crypt.Signer.from_string(
- json_data.get('private_key'))
+ self._signer = crypt.Signer.from_string(json_data.get('private_key'))
  except Exception as error:
- err_type, err_value, err_traceback = sys.exc_info()
- err_message = 'Failed to parse the private key string: {0}'.format(
- error)
- raise ValueError, (err_message, err_type, err_value), err_traceback
- self._service_account_email = json_data.get('client_email')
- self._g_credential = client.GoogleCredentials.from_stream(file_path)
+ raise ValueError('Failed to parse the private key string or initialize an '
+ 'RSA signer. Caused by: "{0}".'.format(error))
+ try:
+ self._g_credential = client.GoogleCredentials.from_stream(file_path)
+ except client.ApplicationDefaultCredentialsError as error:
+ raise ValueError('Failed to initialize a certificate credential from file "{0}". '
+ 'Caused by: "{1}"'.format(file_path, error))
 
  @property
  def project_id(self):
@@ -77,3 +80,70 @@ def get_access_token(self):
 
  def get_credential(self):
  return self._g_credential
+
+
+class ApplicationDefault(Base):
+ """A Google Application Default credential."""
+
+ def __init__(self):
+ """Initializes the Application Default credentials for the current environment.
+
+ Raises:
+ oauth2client.client.ApplicationDefaultCredentialsError: If Application Default
+ credentials cannot be initialized in the current environment.
+ """
+ super(ApplicationDefault, self).__init__()
+ self._g_credential = client.GoogleCredentials.get_application_default()
+
+ def get_access_token(self):
+ return self._g_credential.get_access_token(_http)
+
+ def get_credential(self):
+ return self._g_credential
+
+
+class RefreshToken(Base):
+ """A credential initialized from an existing refresh token."""
+
+ def __init__(self, file_path):
+ """Initializes a refresh token credential from the specified JSON file.
+
+ Args:
+ file_path: File path to a refresh token JSON file.
+
+ Raises:
+ IOError: If the specified file doesn't exist or cannot be read.
+ ValueError: If the refresh token file is invalid.
+ """
+ super(RefreshToken, self).__init__()
+ with open(file_path) as json_keyfile:
+ json_data = json.load(json_keyfile)
+ if json_data.get('type') != client.AUTHORIZED_USER:
+ raise ValueError('Invalid refresh token file. File must contain a '
+ '"type" field set to "{0}".'.format(client.AUTHORIZED_USER))
+ self._client_id = json_data.get('client_id')
+ self._client_secret = json_data.get('client_secret')
+ self._refresh_token = json_data.get('refresh_token')
+ try:
+ self._g_credential = client.GoogleCredentials.from_stream(file_path)
+ except client.ApplicationDefaultCredentialsError as error:
+ raise ValueError('Failed to initialize a refresh token credential from file "{0}". '
+ 'Caused by: "{1}".'.format(file_path, error))
+
+ @property
+ def client_id(self):
+ return self._client_id
+
+ @property
+ def client_secret(self):
+ return self._client_secret
+
+ @property
+ def refresh_token(self):
+ return self._refresh_token
+
+ def get_access_token(self):
+ return self._g_credential.get_access_token(_http)
+
+ def get_credential(self):
+ return self._g_credential

tests/data/refresh_token.json

@@ -0,0 +1,6 @@
+{
+ "type": "authorized_user",
+ "client_id": "mock.apps.googleusercontent.com",
+ "client_secret": "mock-secret",
+ "refresh_token": "mock-refresh-token"
+}

tests/test_credentials.py

@@ -1,4 +1,7 @@
 """Tests for firebase_admin.credentials module."""
+import json
+import os
+
 from firebase_admin import credentials
 from oauth2client import client
 from oauth2client import crypt
@@ -20,14 +23,84 @@ def test_init_from_file(self):
  assert isinstance(g_credential, client.GoogleCredentials)
  assert g_credential.access_token is None
 
+ # The HTTP client should not be used or referenced.
+ credentials._http = 'unused'
+ access_token = credential.get_access_token()
+ assert isinstance(access_token.access_token, basestring)
+ assert isinstance(access_token.expires_in, int)
+
+ def test_init_from_nonexisting_file(self):
+ with pytest.raises(IOError):
+ credentials.Certificate(
+ testutils.resource_filename('non_existing.json'))
+
+ def test_init_from_invalid_file(self):
+ with pytest.raises(ValueError):
+ credentials.Certificate(
+ testutils.resource_filename('refresh_token.json'))
+
+
+@pytest.fixture
+def app_default(request):
+ file_path = os.environ.get('GOOGLE_APPLICATION_CREDENTIALS')
+ os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = request.param
+ yield
+ if file_path:
+ os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = file_path
+
+
+class TestApplicationDefault(object):
+
+ @pytest.mark.parametrize('app_default', [testutils.resource_filename('service_account.json')],
+ indirect=True)
+ def test_init(self, app_default): # pylint: disable=unused-argument
+ credential = credentials.ApplicationDefault()
+ g_credential = credential.get_credential()
+ assert isinstance(g_credential, client.GoogleCredentials)
+ assert g_credential.access_token is None
+
  # The HTTP client should not be used.
- credential._http = None
+ credentials._http = 'unused'
  access_token = credential.get_access_token()
  assert isinstance(access_token.access_token, basestring)
  assert isinstance(access_token.expires_in, int)
 
+ @pytest.mark.parametrize('app_default', [testutils.resource_filename('non_existing.json')],
+ indirect=True)
+ def test_nonexisting_path(self, app_default): # pylint: disable=unused-argument
+ with pytest.raises(client.ApplicationDefaultCredentialsError):
+ credentials.ApplicationDefault()
+
+
+class TestRefreshToken(object):
+
+ def test_init_from_file(self):
+ credential = credentials.RefreshToken(
+ testutils.resource_filename('refresh_token.json'))
+ assert credential.client_id == 'mock.apps.googleusercontent.com'
+ assert credential.client_secret == 'mock-secret'
+ assert credential.refresh_token == 'mock-refresh-token'
+
+ g_credential = credential.get_credential()
+ assert isinstance(g_credential, client.GoogleCredentials)
+ assert g_credential.access_token is None
+
+ mock_response = {
+ 'access_token': 'mock_access_token',
+ 'expires_in': 1234
+ }
+ credentials._http = testutils.HttpMock(200, json.dumps(mock_response))
+ access_token = credential.get_access_token()
+ assert access_token.access_token == 'mock_access_token'
+ # GoogleCredentials class recalculates the expires_in property before returning.
+ assert access_token.expires_in <= 1234
 
  def test_init_from_nonexisting_file(self):
  with pytest.raises(IOError):
- credentials.Certificate(
+ credentials.RefreshToken(
  testutils.resource_filename('non_existing.json'))
+
+ def test_init_from_invalid_file(self):
+ with pytest.raises(ValueError):
+ credentials.RefreshToken(
+ testutils.resource_filename('service_account.json'))