
* Add support for specifying authentication via JSON service account keys * Update README.md Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * Update README.md Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * Update README.md Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * Review feedback * Undo interface * Use TokenCreator instead Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
import 'mocha';
import { expect } from 'chai';

import { tmpdir } from 'os';
import { readFileSync, unlinkSync } from 'fs';
import { WorkloadIdentityClient } from '../../src/client/workload_identity_client';
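// Unit tests for WorkloadIdentityClient: project ID resolution, service
// account passthrough, and the contents of the generated external_account
// credentials file. All identifiers and tokens below are constructed test
// values, not real credentials.
describe('WorkloadIdentityClient', () => {
  describe('#getProjectID', () => {
    it('extracts project ID from the service account email', async () => {
      // No projectID is passed, so the expected value can only come from the
      // "my-project" segment of the service account email.
      const client = new WorkloadIdentityClient({
        providerID: 'my-provider',
        token: 'my-token',
        serviceAccount: 'my-service@my-project.iam.gserviceaccount.com',
        audience: 'my-aud',
      });

      const result = await client.getProjectID();
      expect(result).to.eq('my-project');
    });

    it('prefers the override if given', async () => {
      // The explicit projectID differs from the project named in the email,
      // so the assertion distinguishes the override from email extraction.
      const client = new WorkloadIdentityClient({
        projectID: 'my-other-project',
        providerID: 'my-provider',
        token: 'my-token',
        serviceAccount: 'my-service@my-project.iam.gserviceaccount.com',
        audience: 'my-aud',
      });

      const result = await client.getProjectID();
      expect(result).to.eq('my-other-project');
    });

    it('throws an error when extraction fails', async () => {
      // The email does not follow the NAME@PROJECT.iam.gserviceaccount.com
      // shape used in the other cases and no projectID override is given.
      // Construction is wrapped in a function because the test expects the
      // constructor itself to throw.
      const fn = () => {
        return new WorkloadIdentityClient({
          providerID: 'my-provider',
          token: 'my-token',
          serviceAccount: 'my-service@developers.google.com',
          audience: 'my-aud',
        });
      };
      return expect(fn).to.throw(Error);
    });
  });

  describe('#getServiceAccount', () => {
    it('returns the provided value', async () => {
      const client = new WorkloadIdentityClient({
        projectID: 'my-project',
        providerID: 'my-provider',
        serviceAccount: 'my-service@my-project.iam.gserviceaccount.com',
        token: 'my-token',
        audience: 'my-aud',
      });
      const result = await client.getServiceAccount();
      expect(result).to.eq('my-service@my-project.iam.gserviceaccount.com');
    });
  });

  describe('#createCredentialsFile', () => {
    it('writes the file', async () => {
      // Remember the previous values so the overrides below do not leak into
      // other tests that run in the same process.
      const prevRequestURL = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
      const prevRequestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;

      // Path of the written credentials file; stays empty if writing fails.
      let pth = '';

      try {
        process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://actions-token.url';
        process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'github-token';

        const tmp = tmpdir();
        const client = new WorkloadIdentityClient({
          projectID: 'my-project',
          providerID: 'my-provider',
          serviceAccount: 'my-service@my-project.iam.gserviceaccount.com',
          token: 'my-token',
          audience: 'my-aud',
        });

        // The expected file embeds the request token as a Bearer header, so
        // the file on disk is as sensitive as the token itself.
        // NOTE(review): this test does not assert the file's permission bits;
        // if createCredentialsFile is meant to create the file owner-only,
        // consider asserting that here — confirm against the implementation.
        const exp = {
          audience: '//iam.googleapis.com/my-provider',
          credential_source: {
            format: {
              subject_token_field_name: 'value',
              type: 'json',
            },
            headers: {
              Authorization: 'Bearer github-token',
            },
            url: 'https://actions-token.url/?audience=my-aud',
          },
          service_account_impersonation_url:
            'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/my-service@my-project.iam.gserviceaccount.com:generateAccessToken',
          subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
          token_url: 'https://sts.googleapis.com/v1/token',
          type: 'external_account',
        };

        pth = await client.createCredentialsFile(tmp);
        const data = readFileSync(pth);
        const got = JSON.parse(data.toString('utf8'));

        expect(got).to.deep.equal(exp);
      } finally {
        // Do not leave a token-bearing file behind in the shared temp dir.
        if (pth !== '') {
          unlinkSync(pth);
        }

        // Assigning undefined to process.env stores the string "undefined",
        // so a previously unset variable has to be deleted instead.
        if (prevRequestURL === undefined) {
          delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
        } else {
          process.env.ACTIONS_ID_TOKEN_REQUEST_URL = prevRequestURL;
        }
        if (prevRequestToken === undefined) {
          delete process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
        } else {
          process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = prevRequestToken;
        }
      }
    });
  });
});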