Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-google-auth for 
openSUSE:Factory checked in at 2022-11-17 17:23:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-google-auth (Old)
 and      /work/SRC/openSUSE:Factory/.python-google-auth.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-google-auth"

Thu Nov 17 17:23:32 2022 rev:24 rq:1036286 version:2.14.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-google-auth/python-google-auth.changes    
2022-11-09 12:56:22.347988365 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-google-auth.new.1597/python-google-auth.changes
  2022-11-17 17:23:32.840761627 +0100
@@ -1,0 +2,9 @@
+Wed Nov 16 15:26:38 UTC 2022 - John Paul Adrian Glaubitz 
<adrian.glaub...@suse.com>
+
+- Update to 2.14.1
+  * Apply quota project for compute cred in adc (#1177)
+  * Update minimum required version of cryptography in pyopenssl extra (#1176)
+  * Validate url domain for aws metadata urls (#1174)
+- Update Requires from setup.py
+
+-------------------------------------------------------------------

Old:
----
  google-auth-2.14.0.tar.gz

New:
----
  google-auth-2.14.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-google-auth.spec ++++++
--- /var/tmp/diff_new_pack.PeUjcq/_old  2022-11-17 17:23:33.300764061 +0100
+++ /var/tmp/diff_new_pack.PeUjcq/_new  2022-11-17 17:23:33.308764104 +0100
@@ -18,7 +18,7 @@
 
 %define skip_python2 1
 Name:           python-google-auth
-Version:        2.14.0
+Version:        2.14.1
 Release:        0
 Summary:        Google Authentication Library
 License:        Apache-2.0
@@ -47,6 +47,7 @@
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 Requires:       python-cachetools >= 2.0.0
+Requires:       python-cryptography >= 38.0.3
 Requires:       python-pyasn1-modules >= 0.2.1
 Requires:       python-rsa >= 3.1.4
 Requires:       python-setuptools >= 40.3.0
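Review bot: The added `Requires:       python-cryptography >= 38.0.3` makes cryptography an unconditional runtime dependency of the package. As far as the setup.py hunk in this same diff shows, upstream adds `cryptography>=38.0.3` only to the optional `pyopenssl` extra. If the hard requirement is deliberate, a short spec comment such as `# cryptography floor comes from the upstream pyopenssl extra` would record why it departs from upstream's optional extra. Otherwise a weak dependency (`Recommends:`) would match upstream more closely. The rest of the dependency list lies outside this hunk, so whether pyOpenSSL itself is required cannot be confirmed from here.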

++++++ google-auth-2.14.0.tar.gz -> google-auth-2.14.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/PKG-INFO 
new/google-auth-2.14.1/PKG-INFO
--- old/google-auth-2.14.0/PKG-INFO     2022-10-31 22:53:05.791134800 +0100
+++ new/google-auth-2.14.1/PKG-INFO     2022-11-08 00:45:12.815617300 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: google-auth
-Version: 2.14.0
+Version: 2.14.1
 Summary: Google Authentication Library
 Home-page: https://github.com/googleapis/google-auth-library-python
 Author: Google Cloud Platform
@@ -52,6 +52,17 @@
 
 .. _`Python Development Environment Setup Guide`: 
https://cloud.google.com/python/setup
 
+Extras
+------
+
+google-auth has few extras that you can install. For example::
+
+    $ pip install google-auth[pyopenssl]
+
+Note that the extras pyopenssl and enterprise_cert should not be used together 
because they use conflicting versions of `cryptography`_.
+
+.. _`cryptography`: https://cryptography.io/en/latest/
+
 Supported Python Versions
 ^^^^^^^^^^^^^^^^^^^^^^^^^
 Python >= 3.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/README.rst 
new/google-auth-2.14.1/README.rst
--- old/google-auth-2.14.0/README.rst   2022-10-31 22:49:50.000000000 +0100
+++ new/google-auth-2.14.1/README.rst   2022-11-08 00:41:53.000000000 +0100
@@ -22,6 +22,17 @@
 
 .. _`Python Development Environment Setup Guide`: 
https://cloud.google.com/python/setup
 
+Extras
+------
+
+google-auth has few extras that you can install. For example::
+
+    $ pip install google-auth[pyopenssl]
+
+Note that the extras pyopenssl and enterprise_cert should not be used together 
because they use conflicting versions of `cryptography`_.
+
+.. _`cryptography`: https://cryptography.io/en/latest/
+
 Supported Python Versions
 ^^^^^^^^^^^^^^^^^^^^^^^^^
 Python >= 3.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/google/auth/_default.py 
new/google-auth-2.14.1/google/auth/_default.py
--- old/google-auth-2.14.0/google/auth/_default.py      2022-10-31 
22:49:50.000000000 +0100
+++ new/google-auth-2.14.1/google/auth/_default.py      2022-11-08 
00:41:53.000000000 +0100
@@ -267,7 +267,7 @@
         return None, None
 
 
-def _get_gce_credentials(request=None):
+def _get_gce_credentials(request=None, quota_project_id=None):
     """Gets credentials and project ID from the GCE Metadata Service."""
     # Ping requires a transport, but we want application default credentials
     # to require no arguments. So, we'll use the _http_client transport which
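Review bot: The docstring of `_get_gce_credentials` still reads only "Gets credentials and project ID from the GCE Metadata Service." although the signature now takes `quota_project_id`. The later hunk passes that value to `_apply_quota_project_id`, and the new test shows that leaving it as `None` still picks up a quota project from the environment variable, which is not obvious from the signature. Adding a line such as `quota_project_id (Optional[str]): quota project to set on the returned credentials; falls back to the environment when None.` would document this (confirm the fallback wording against `_apply_quota_project_id`, which is not visible here). The function body continues outside this hunk.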
@@ -293,7 +293,10 @@
         except exceptions.TransportError:
             project_id = None
 
-        return compute_engine.Credentials(), project_id
+        cred = compute_engine.Credentials()
+        cred = _apply_quota_project_id(cred, quota_project_id)
+
+        return cred, project_id
     else:
         _LOGGER.warning(
             "Authentication failed using Compute Engine authentication due to 
unavailable metadata server."
@@ -603,7 +606,7 @@
         lambda: 
_get_explicit_environ_credentials(quota_project_id=quota_project_id),
         lambda: _get_gcloud_sdk_credentials(quota_project_id=quota_project_id),
         _get_gae_credentials,
-        lambda: _get_gce_credentials(request),
+        lambda: _get_gce_credentials(request, 
quota_project_id=quota_project_id),
     )
 
     for checker in checkers:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/google/auth/aws.py 
new/google-auth-2.14.1/google/auth/aws.py
--- old/google-auth-2.14.0/google/auth/aws.py   2022-10-31 22:49:50.000000000 
+0100
+++ new/google-auth-2.14.1/google/auth/aws.py   2022-11-08 00:41:53.000000000 
+0100
@@ -47,6 +47,7 @@
 from six.moves import http_client
 from six.moves import urllib
 from six.moves.urllib.parse import urljoin
+from six.moves.urllib.parse import urlparse
 
 from google.auth import _helpers
 from google.auth import environment_vars
@@ -397,6 +398,8 @@
         self._request_signer = None
         self._target_resource = audience
 
+        self.validate_metadata_server_urls()
+
         # Get the environment ID. Currently, only one version supported (v1).
         matches = re.match(r"^(aws)([\d]+)$", self._environment_id)
         if matches:
@@ -413,6 +416,22 @@
                 )
             )
 
+    def validate_metadata_server_urls(self):
+        self.validate_metadata_server_url_if_any(self._region_url, 
"region_url")
+        
self.validate_metadata_server_url_if_any(self._security_credentials_url, "url")
+        self.validate_metadata_server_url_if_any(
+            self._imdsv2_session_token_url, "imdsv2_session_token_url"
+        )
+
+    @staticmethod
+    def validate_metadata_server_url_if_any(url_string, name_of_data):
+        if url_string:
+            url = urlparse(url_string)
+            if url.hostname != "169.254.169.254" and url.hostname != 
"fd00:ec2::254":
+                raise ValueError(
+                    "Invalid hostname '{}' for '{}'".format(url.hostname, 
name_of_data)
+                )
+
     def retrieve_subject_token(self, request):
         """Retrieves the subject token using the credential_source object.
         The subject token is a serialized `AWS GetCallerIdentity signed 
request`_.
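Review bot: `validate_metadata_server_url_if_any` checks only `url.hostname`, so the scheme and port of `region_url`, `url` and `imdsv2_session_token_url` are still taken unchecked from the credential configuration. If the aim is to keep a supplied configuration from redirecting metadata requests, consider also restricting `url.scheme` to the expected value. The IPv6 comparison is a literal string match, so an equivalent spelling of the same address (for example with expanded zero groups) is rejected; that fails closed, but it should be stated. Both methods are added under public names with no docstring. A one-line docstring such as `"""Raise ValueError unless the URL host is the EC2 instance metadata address (IPv4 or IPv6)."""` would record the purpose, and the condition reads more simply as `if url.hostname not in ("169.254.169.254", "fd00:ec2::254"):`. The enclosing class begins outside this hunk.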
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/google/auth/version.py 
new/google-auth-2.14.1/google/auth/version.py
--- old/google-auth-2.14.0/google/auth/version.py       2022-10-31 
22:49:50.000000000 +0100
+++ new/google-auth-2.14.1/google/auth/version.py       2022-11-08 
00:41:53.000000000 +0100
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "2.14.0"
+__version__ = "2.14.1"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/google_auth.egg-info/PKG-INFO 
new/google-auth-2.14.1/google_auth.egg-info/PKG-INFO
--- old/google-auth-2.14.0/google_auth.egg-info/PKG-INFO        2022-10-31 
22:53:05.000000000 +0100
+++ new/google-auth-2.14.1/google_auth.egg-info/PKG-INFO        2022-11-08 
00:45:12.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: google-auth
-Version: 2.14.0
+Version: 2.14.1
 Summary: Google Authentication Library
 Home-page: https://github.com/googleapis/google-auth-library-python
 Author: Google Cloud Platform
@@ -52,6 +52,17 @@
 
 .. _`Python Development Environment Setup Guide`: 
https://cloud.google.com/python/setup
 
+Extras
+------
+
+google-auth has few extras that you can install. For example::
+
+    $ pip install google-auth[pyopenssl]
+
+Note that the extras pyopenssl and enterprise_cert should not be used together 
because they use conflicting versions of `cryptography`_.
+
+.. _`cryptography`: https://cryptography.io/en/latest/
+
 Supported Python Versions
 ^^^^^^^^^^^^^^^^^^^^^^^^^
 Python >= 3.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/google_auth.egg-info/requires.txt 
new/google-auth-2.14.1/google_auth.egg-info/requires.txt
--- old/google-auth-2.14.0/google_auth.egg-info/requires.txt    2022-10-31 
22:53:05.000000000 +0100
+++ new/google-auth-2.14.1/google_auth.egg-info/requires.txt    2022-11-08 
00:45:12.000000000 +0100
@@ -23,6 +23,7 @@
 
 [pyopenssl]
 pyopenssl>=20.0.0
+cryptography>=38.0.3
 
 [reauth]
 pyu2f>=0.1.5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/setup.py 
new/google-auth-2.14.1/setup.py
--- old/google-auth-2.14.0/setup.py     2022-10-31 22:49:50.000000000 +0100
+++ new/google-auth-2.14.1/setup.py     2022-11-08 00:41:53.000000000 +0100
@@ -36,7 +36,7 @@
         "aiohttp >= 3.6.2, < 4.0.0dev; python_version>='3.6'",
         "requests >= 2.20.0, < 3.0.0dev",
     ],
-    "pyopenssl": "pyopenssl>=20.0.0",
+    "pyopenssl": ["pyopenssl>=20.0.0", "cryptography>=38.0.3"],
     "reauth": "pyu2f>=0.1.5",
     # Enterprise cert only works for OpenSSL 1.1.1. Newer versions of these
     # dependencies are built with OpenSSL 3.0 so we need to fix the version.
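Review bot: The `pyopenssl` extra gains a `cryptography>=38.0.3` floor with no comment, while the `enterprise_cert` entry right below it has a comment explaining its version constraints. The README text added in this release says the two extras conflict over `cryptography`, so the reason for this floor belongs next to it. Something like `# Minimum cryptography version required alongside pyopenssl; conflicts with the enterprise_cert pins below (see #1176).` would do, with the exact rationale confirmed against that upstream change. The extras dictionary starts and ends outside this hunk.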
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/tests/test__default.py 
new/google-auth-2.14.1/tests/test__default.py
--- old/google-auth-2.14.0/tests/test__default.py       2022-10-31 
22:49:50.000000000 +0100
+++ new/google-auth-2.14.1/tests/test__default.py       2022-11-08 
00:41:53.000000000 +0100
@@ -1234,3 +1234,32 @@
     explicit_quota = "explicit_quota"
     credentials, _ = _default.default(quota_project_id=explicit_quota)
     assert credentials.quota_project_id == explicit_quota
+
+
+@mock.patch(
+    "google.auth.compute_engine._metadata.ping", return_value=True, 
autospec=True
+)
+@mock.patch(
+    "google.auth.compute_engine._metadata.get_project_id",
+    return_value="example-project",
+    autospec=True,
+)
+@mock.patch.dict(os.environ)
+def test_quota_gce_credentials(unused_get, unused_ping):
+    # No quota
+    credentials, project_id = _default._get_gce_credentials()
+    assert project_id == "example-project"
+    assert credentials.quota_project_id is None
+
+    # Quota from environment
+    quota_from_env = "quota_from_env"
+    os.environ[environment_vars.GOOGLE_CLOUD_QUOTA_PROJECT] = quota_from_env
+    credentials, project_id = _default._get_gce_credentials()
+    assert credentials.quota_project_id == quota_from_env
+
+    # Explicit quota
+    explicit_quota = "explicit_quota"
+    credentials, project_id = _default._get_gce_credentials(
+        quota_project_id=explicit_quota
+    )
+    assert credentials.quota_project_id == explicit_quota
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/google-auth-2.14.0/tests/test_aws.py 
new/google-auth-2.14.1/tests/test_aws.py
--- old/google-auth-2.14.0/tests/test_aws.py    2022-10-31 22:49:50.000000000 
+0100
+++ new/google-auth-2.14.1/tests/test_aws.py    2022-11-08 00:41:53.000000000 
+0100
@@ -50,6 +50,11 @@
 REGION_URL = 
"http://169.254.169.254/latest/meta-data/placement/availability-zone";
 IMDSV2_SESSION_TOKEN_URL = "http://169.254.169.254/latest/api/token";
 SECURITY_CREDS_URL = 
"http://169.254.169.254/latest/meta-data/iam/security-credentials";
+REGION_URL_IPV6 = 
"http://[fd00:ec2::254]/latest/meta-data/placement/availability-zone";
+IMDSV2_SESSION_TOKEN_URL_IPV6 = "http://[fd00:ec2::254]/latest/api/token";
+SECURITY_CREDS_URL_IPV6 = (
+    "http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials";
+)
 CRED_VERIFICATION_URL = (
     
"https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15";
 )
@@ -676,6 +681,13 @@
         "url": SECURITY_CREDS_URL,
         "regional_cred_verification_url": CRED_VERIFICATION_URL,
     }
+    CREDENTIAL_SOURCE_IPV6 = {
+        "environment_id": "aws1",
+        "region_url": REGION_URL_IPV6,
+        "url": SECURITY_CREDS_URL_IPV6,
+        "regional_cred_verification_url": CRED_VERIFICATION_URL,
+        "imdsv2_session_token_url": IMDSV2_SESSION_TOKEN_URL_IPV6,
+    }
     SUCCESS_RESPONSE = {
         "access_token": "ACCESS_TOKEN",
         "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
@@ -1308,6 +1320,97 @@
             {
                 "Content-Type": "application/json",
                 "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
+            },
+        )
+
+    def test_validate_metadata_server_url_if_any(self):
+        aws.Credentials.validate_metadata_server_url_if_any(
+            
"http://[fd00:ec2::254]/latest/meta-data/placement/availability-zone";, "url"
+        )
+        aws.Credentials.validate_metadata_server_url_if_any(
+            
"http://169.254.169.254/latest/meta-data/placement/availability-zone";, "url"
+        )
+
+        with pytest.raises(ValueError) as excinfo:
+            aws.Credentials.validate_metadata_server_url_if_any(
+                
"http://fd00:ec2::254/latest/meta-data/placement/availability-zone";,
+                "url",
+            )
+        assert excinfo.match("Invalid hostname 'fd00' for 'url'")
+
+        with pytest.raises(ValueError) as excinfo:
+            aws.Credentials.validate_metadata_server_url_if_any(
+                "http://abc.com/latest/meta-data/placement/availability-zone";, 
"url"
+            )
+        assert excinfo.match("Invalid hostname 'abc.com' for 'url'")
+
+    def test_retrieve_subject_token_invalid_hosts(self):
+        keys = ["url", "region_url", "imdsv2_session_token_url"]
+        for key in keys:
+            credential_source = self.CREDENTIAL_SOURCE.copy()
+            credential_source[
+                key
+            ] = "http://abc.com/latest/meta-data/iam/security-credentials";
+
+            with pytest.raises(ValueError) as excinfo:
+                self.make_credentials(credential_source=credential_source)
+            assert excinfo.match("Invalid hostname 'abc.com' for 
'{}'".format(key))
+
+    @mock.patch("google.auth._helpers.utcnow")
+    def test_retrieve_subject_token_success_ipv6(self, utcnow):
+        utcnow.return_value = datetime.datetime.strptime(
+            self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ"
+        )
+        request = self.make_mock_request(
+            region_status=http_client.OK,
+            region_name=self.AWS_REGION,
+            role_status=http_client.OK,
+            role_name=self.AWS_ROLE,
+            security_credentials_status=http_client.OK,
+            security_credentials_data=self.AWS_SECURITY_CREDENTIALS_RESPONSE,
+            imdsv2_session_token_status=http_client.OK,
+            imdsv2_session_token_data=self.AWS_IMDSV2_SESSION_TOKEN,
+        )
+        credential_source_token_url = self.CREDENTIAL_SOURCE_IPV6.copy()
+        credentials = self.make_credentials(
+            credential_source=credential_source_token_url
+        )
+
+        subject_token = credentials.retrieve_subject_token(request)
+
+        assert subject_token == self.make_serialized_aws_signed_request(
+            {
+                "access_key_id": ACCESS_KEY_ID,
+                "secret_access_key": SECRET_ACCESS_KEY,
+                "security_token": TOKEN,
+            }
+        )
+        # Assert session token request.
+        self.assert_aws_metadata_request_kwargs(
+            request.call_args_list[0][1],
+            IMDSV2_SESSION_TOKEN_URL_IPV6,
+            {"X-aws-ec2-metadata-token-ttl-seconds": "300"},
+            "PUT",
+        )
+        # Assert region request.
+        self.assert_aws_metadata_request_kwargs(
+            request.call_args_list[1][1],
+            REGION_URL_IPV6,
+            {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN},
+        )
+        # Assert role request.
+        self.assert_aws_metadata_request_kwargs(
+            request.call_args_list[2][1],
+            SECURITY_CREDS_URL_IPV6,
+            {"X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN},
+        )
+        # Assert security credentials request.
+        self.assert_aws_metadata_request_kwargs(
+            request.call_args_list[3][1],
+            "{}/{}".format(SECURITY_CREDS_URL_IPV6, self.AWS_ROLE),
+            {
+                "Content-Type": "application/json",
+                "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
             },
         )
 
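Review bot: `test_validate_metadata_server_url_if_any` never exercises the `if url_string:` skip path, nor a URL whose authority carries a port or a userinfo component, so the validator's behaviour on those inputs is not pinned. Adding `aws.Credentials.validate_metadata_server_url_if_any(None, "url")` as a no-raise case, plus one explicit expectation for each of the other forms, would close the gap. In `test_retrieve_subject_token_invalid_hosts` the three keys run in a plain `for` loop, so a failure does not identify the key as a separate test; `@pytest.mark.parametrize("key", ["url", "region_url", "imdsv2_session_token_url"])` would report each one individually. The test class begins outside this hunk.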
