// Copyright 2020 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build integration
package impersonate
import (
"context"
"fmt"
"math/rand"
"os"
"testing"
"time"
"google.golang.org/api/option"
"google.golang.org/api/storage/v1"
)
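// Names of the environment variables read by TestImpersonatedCredentials.
// The comment on each one describes what the variable's value must refer to
// (a credentials file, a service account, or the project).
var (
	// envBaseSACredentialFile points to a service account that is a "Service
	// Account Token Creator" on envReaderSA.
	envBaseSACredentialFile = "API_GO_CLIENT_IMPERSONATE_BASE"
	// envUserCredentialFile points to a user credential that is a "Service
	// Account Token Creator" on envReaderSA.
	envUserCredentialFile = "API_GO_CLIENT_IMPERSONATE_USER"
	// envReaderCredentialFile points to a service account that is a "Storage
	// Object Reader" and is a "Service Account Token Creator" on envWriterSA.
	envReaderCredentialFile = "API_GO_CLIENT_IMPERSONATE_READER"
	// envReaderSA is the name of the reader service account.
	envReaderSA = "API_GO_CLIENT_IMPERSONATE_READER_SA"
	// envWriterSA is the name of the writer service account. This service
	// account has been granted roles/serviceusage.serviceUsageConsumer.
	envWriterSA = "API_GO_CLIENT_IMPERSONATE_WRITER_SA"
	// envProjectID is a project that hosts a GCS bucket.
	envProjectID = "GOOGLE_CLOUD_PROJECT"
)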
// init seeds math/rand from the wall clock so that rand.Int63, which
// TestImpersonatedCredentials uses to suffix bucket names, does not yield
// the same sequence on every run.
func init() {
	seed := time.Now().UnixNano()
	rand.Seed(seed)
}
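// TestImpersonatedCredentials exercises option.ImpersonateCredentials by
// creating and then deleting a GCS bucket in envProjectID as envWriterSA,
// starting from three different base credentials: a service account
// directly, a service account through a delegate, and a user credential
// through a delegate.
//
// The test is skipped unless every environment variable it reads is set.
// Without that guard an unset variable yields an empty credentials path or
// service account name, so the client would no longer be pinned to the
// intended base identity (NOTE(review): presumably it would fall back to
// ambient credentials — confirm against option.WithCredentialsFile) and a
// passing run would not prove the impersonation chain works.
func TestImpersonatedCredentials(t *testing.T) {
	ctx := context.Background()
	projID := envOrSkip(t, envProjectID)
	writerSA := envOrSkip(t, envWriterSA)

	tests := []struct {
		name           string
		baseSALocation string
		delegates      []string
	}{
		{
			name:           "SA -> SA",
			baseSALocation: envOrSkip(t, envReaderCredentialFile),
			delegates:      []string{},
		},
		{
			name:           "SA -> Delegate -> SA",
			baseSALocation: envOrSkip(t, envBaseSACredentialFile),
			delegates:      []string{envOrSkip(t, envReaderSA)},
		},
		{
			name:           "User Credential -> Delegate -> SA",
			baseSALocation: envOrSkip(t, envUserCredentialFile),
			delegates:      []string{envOrSkip(t, envReaderSA)},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			svc, err := storage.NewService(ctx,
				option.WithCredentialsFile(tt.baseSALocation),
				option.ImpersonateCredentials(writerSA, tt.delegates...),
			)
			if err != nil {
				t.Fatalf("failed to create client: %v", err)
			}
			// Random suffix (rand is seeded in init) so that runs of the
			// three subtests, or concurrent CI jobs, do not collide on the
			// same bucket name.
			bucketName := fmt.Sprintf("%s-%d", projID, rand.Int63())
			if _, err := svc.Buckets.Insert(projID, &storage.Bucket{
				Name: bucketName,
			}).Do(); err != nil {
				t.Fatalf("error creating bucket: %v", err)
			}
			// Delete immediately: the bucket exists only to prove the
			// impersonated identity may create and remove it.
			if err := svc.Buckets.Delete(bucketName).Do(); err != nil {
				t.Fatalf("unable to cleanup bucket %q: %v", bucketName, err)
			}
		})
	}
}

// envOrSkip returns the value of the environment variable name, skipping
// the calling test when it is unset or empty so that a misconfigured
// environment is reported as a skip rather than run against the wrong
// credentials.
func envOrSkip(t *testing.T, name string) string {
	t.Helper()
	v := os.Getenv(name)
	if v == "" {
		t.Skipf("%s not set; skipping integration test", name)
	}
	return v
}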