// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
import { test } from 'node:test';
import assert from 'node:assert';

import { tmpdir } from 'os';
import { join as pathjoin } from 'path';
import { readFileSync, rmSync } from 'fs';

import { randomFilename } from '@google-github-actions/actions-utils';

import { NullLogger } from '../../src/logger';
import { WorkloadIdentityFederationClient } from '../../src/client/workload_identity_federation';
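/**
 * Runs createCredentialsFile against a fresh path in the OS temp directory,
 * returns the parsed JSON that was written, and always deletes the file.
 *
 * The written file embeds the Authorization header built from
 * githubOIDCTokenRequestToken, so it is cleaned up instead of being left in
 * the shared temp directory, even though these tests only use dummy values.
 *
 * @param client - Client under test.
 * @returns The parsed contents of the generated credentials file.
 */
async function writeAndParseCredentials(client: WorkloadIdentityFederationClient) {
  const outputFile = pathjoin(tmpdir(), randomFilename());
  try {
    // Read back from the path the client reports, not the one we asked for.
    const pth = await client.createCredentialsFile(outputFile);
    const data = readFileSync(pth);
    return JSON.parse(data.toString('utf8'));
  } finally {
    // force: true keeps cleanup from masking the original failure when the
    // file was never created.
    rmSync(outputFile, { force: true });
  }
}

// NOTE(review): neither case checks the mode bits of the written file. If
// createCredentialsFile is expected to restrict who can read it, a
// statSync-based assertion would pin that; confirm against the implementation.
test('#createCredentialsFile', { concurrency: true }, async (suite) => {
  await suite.test('writes the file', async () => {
    const client = new WorkloadIdentityFederationClient({
      logger: new NullLogger(),
      universe: 'googleapis.com',

      githubOIDCToken: 'my-token',
      githubOIDCTokenRequestURL: 'https://example.com/',
      githubOIDCTokenRequestToken: 'token',
      githubOIDCTokenAudience: 'my-aud',
      workloadIdentityProviderName: 'my-provider',
    });

    // No serviceAccount is configured, so no impersonation URL is expected.
    const exp = {
      audience: '//iam.googleapis.com/my-provider',
      credential_source: {
        format: {
          subject_token_field_name: 'value',
          type: 'json',
        },
        headers: {
          // The request token is expected to appear as a bearer credential.
          Authorization: 'Bearer token',
        },
        // The audience is expected as a query parameter on the request URL.
        url: 'https://example.com/?audience=my-aud',
      },
      subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
      token_url: 'https://sts.googleapis.com/v1/token',
      type: 'external_account',
    };

    const got = await writeAndParseCredentials(client);

    assert.deepStrictEqual(got, exp);
  });

  await suite.test('writes the file with impersonation', async () => {
    const client = new WorkloadIdentityFederationClient({
      logger: new NullLogger(),
      universe: 'googleapis.com',

      githubOIDCToken: 'my-token',
      githubOIDCTokenRequestURL: 'https://example.com/',
      githubOIDCTokenRequestToken: 'token',
      githubOIDCTokenAudience: 'my-aud',
      workloadIdentityProviderName: 'my-provider',
      serviceAccount: 'my-service@my-project.iam.gserviceaccount.com',
    });

    // Same as the plain case, plus the generateAccessToken URL for the
    // configured service account.
    const exp = {
      audience: '//iam.googleapis.com/my-provider',
      credential_source: {
        format: {
          subject_token_field_name: 'value',
          type: 'json',
        },
        headers: {
          Authorization: 'Bearer token',
        },
        url: 'https://example.com/?audience=my-aud',
      },
      service_account_impersonation_url:
        'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/my-service@my-project.iam.gserviceaccount.com:generateAccessToken',
      subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
      token_url: 'https://sts.googleapis.com/v1/token',
      type: 'external_account',
    };

    const got = await writeAndParseCredentials(client);

    assert.deepStrictEqual(got, exp);
  });
});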