Accomodate auth emulator behaviour in tests.

Where possible, tests are modified to account for the current behaviour in emulator mode (e.g., invalid or expired tokens or cookies still work). In one case, signer verification didn't account for padding being stripped in JWT tokens, and was fixed to do so.

Author: muru

firebase_admin/_auth_client.py

@@ -127,7 +127,7 @@ def verify_id_token(self, id_token, check_revoked=False):
 raise_auth_utils.TenantIdMismatchError(
 'Invalid tenant ID: {0}'.format(token_tenant_id))
 
-ifnotself.emulatedandcheck_revoked:
+ifcheck_revoked:
 self._check_jwt_revoked(verified_claims, _token_gen.RevokedIdTokenError, 'ID token')
 returnverified_claims
 

tests/test_token_gen.py

@@ -76,13 +76,18 @@ def _merge_jwt_claims(defaults, overrides):
 
 defverify_custom_token(custom_token, expected_claims, tenant_id=None):
 assertisinstance(custom_token, bytes)
-token=google.oauth2.id_token.verify_token(
-custom_token,
-testutils.MockRequest(200, MOCK_PUBLIC_CERTS),
-_token_gen.FIREBASE_AUDIENCE)
+expected_email=MOCK_SERVICE_ACCOUNT_EMAIL
+if_is_emulated():
+expected_email=_token_gen.AUTH_EMULATOR_EMAIL
+token=jwt.decode(custom_token, verify=False)
+else:
+token=google.oauth2.id_token.verify_token(
+custom_token,
+testutils.MockRequest(200, MOCK_PUBLIC_CERTS),
+_token_gen.FIREBASE_AUDIENCE)
 asserttoken['uid'] ==MOCK_UID
-asserttoken['iss'] ==MOCK_SERVICE_ACCOUNT_EMAIL
-asserttoken['sub'] ==MOCK_SERVICE_ACCOUNT_EMAIL
+asserttoken['iss'] ==expected_email
+asserttoken['sub'] ==expected_email
 iftenant_idisNone:
 assert'tenant_id'notintoken
 else:
@@ -141,7 +146,15 @@ def _overwrite_iam_request(app, request):
 client=auth._get_client(app)
 client._token_generator.request=request
 
-@pytest.fixture(scope='module', params=[{'emulated': False}, {'emulated': True}])
+
+def_is_emulated():
+emulator_host=os.getenv(EMULATOR_HOST_ENV_VAR, '')
+returnemulator_hostand'//'notinemulator_host
+
+
+# These fixtures are set to the default function scope as the emulator environment variable bleeds
+# over when in module scope.
+@pytest.fixture(params=[{'emulated': False}, {'emulated': True}])
 defauth_app(request):
 """Returns an App initialized with a mock service account credential.
 
@@ -157,7 +170,7 @@ def auth_app(request):
 firebase_admin.delete_app(app)
 monkeypatch.undo()
 
-@pytest.fixture(scope='module', params=[{'emulated': False}, {'emulated': True}])
+@pytest.fixture(params=[{'emulated': False}, {'emulated': True}])
 defuser_mgt_app(request):
 monkeypatch=testutils.new_monkeypatch()
 ifrequest.param['emulated']:
@@ -230,6 +243,12 @@ def test_invalid_params(self, auth_app, values):
 auth.create_custom_token(user, claims, app=auth_app)
 
 deftest_noncert_credential(self, user_mgt_app):
+if_is_emulated():
+# Should work fine with the emulator, so do a condensed version of
+# test_sign_with_iam below.
+custom_token=auth.create_custom_token(MOCK_UID, app=user_mgt_app).decode()
+self._verify_signer(custom_token, _token_gen.AUTH_EMULATOR_EMAIL)
+return
 withpytest.raises(ValueError):
 auth.create_custom_token(MOCK_UID, app=user_mgt_app)
 
@@ -304,7 +323,7 @@ def test_sign_with_discovery_failure(self):
 def_verify_signer(self, token, signer):
 segments=token.split('.')
 assertlen(segments) ==3
-body=json.loads(base64.b64decode(segments[1]).decode())
+body=jwt.decode(token, verify=False)
 assertbody['iss'] ==signer
 assertbody['sub'] ==signer
 
@@ -406,14 +425,23 @@ class TestVerifyIdToken:
 'BadFormatToken': 'foobar'
  }
 
-@pytest.mark.parametrize('id_token', valid_tokens.values(), ids=list(valid_tokens))
-deftest_valid_token(self, user_mgt_app, id_token):
-_overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
-claims=auth.verify_id_token(id_token, app=user_mgt_app)
+tokens_not_invalid_in_emulator= [
+'WrongKid',
+'FutureToken',
+'ExpiredToken'
+ ]
+
+def_assert_valid_token(self, id_token, app):
+claims=auth.verify_id_token(id_token, app=app)
 assertclaims['admin'] isTrue
 assertclaims['uid'] ==claims['sub']
 assertclaims['firebase']['sign_in_provider'] =='provider'
 
+@pytest.mark.parametrize('id_token', valid_tokens.values(), ids=list(valid_tokens))
+deftest_valid_token(self, user_mgt_app, id_token):
+_overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
+self._assert_valid_token(id_token, app=user_mgt_app)
+
 deftest_valid_token_with_tenant(self, user_mgt_app):
 _overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
 claims=auth.verify_id_token(TEST_ID_TOKEN_WITH_TENANT, app=user_mgt_app)
@@ -458,8 +486,12 @@ def test_invalid_arg(self, user_mgt_app, id_token):
 auth.verify_id_token(id_token, app=user_mgt_app)
 assert'Illegal ID token provided'instr(excinfo.value)
 
-@pytest.mark.parametrize('id_token', invalid_tokens.values(), ids=list(invalid_tokens))
-deftest_invalid_token(self, user_mgt_app, id_token):
+@pytest.mark.parametrize('id_token_key', list(invalid_tokens))
+deftest_invalid_token(self, user_mgt_app, id_token_key):
+id_token=self.invalid_tokens[id_token_key]
+if_is_emulated() andid_token_keyinself.tokens_not_invalid_in_emulator:
+self._assert_valid_token(id_token, user_mgt_app)
+return
 _overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
 withpytest.raises(auth.InvalidIdTokenError) asexcinfo:
 auth.verify_id_token(id_token, app=user_mgt_app)
@@ -469,6 +501,9 @@ def test_invalid_token(self, user_mgt_app, id_token):
 deftest_expired_token(self, user_mgt_app):
 _overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
 id_token=self.invalid_tokens['ExpiredToken']
+if_is_emulated():
+self._assert_valid_token(id_token, user_mgt_app)
+return
 withpytest.raises(auth.ExpiredIdTokenError) asexcinfo:
 auth.verify_id_token(id_token, app=user_mgt_app)
 assertisinstance(excinfo.value, auth.InvalidIdTokenError)
@@ -506,6 +541,10 @@ def test_custom_token(self, auth_app):
 
 deftest_certificate_request_failure(self, user_mgt_app):
 _overwrite_cert_request(user_mgt_app, testutils.MockRequest(404, 'not found'))
+if_is_emulated():
+# Shouldn't fetch certificates in emulator mode.
+self._assert_valid_token(TEST_ID_TOKEN, app=user_mgt_app)
+return
 withpytest.raises(auth.CertificateFetchError) asexcinfo:
 auth.verify_id_token(TEST_ID_TOKEN, app=user_mgt_app)
 assert'Could not fetch certificates'instr(excinfo.value)
@@ -540,20 +579,27 @@ class TestVerifySessionCookie:
 'IDToken': TEST_ID_TOKEN,
  }
 
+cookies_not_invalid_in_emulator= [
+'WrongKid',
+'FutureCookie',
+'ExpiredCookie'
+ ]
+
+def_assert_valid_cookie(self, cookie, app, check_revoked=False):
+claims=auth.verify_session_cookie(cookie, app=app, check_revoked=check_revoked)
+assertclaims['admin'] isTrue
+assertclaims['uid'] ==claims['sub']
+
 @pytest.mark.parametrize('cookie', valid_cookies.values(), ids=list(valid_cookies))
 deftest_valid_cookie(self, user_mgt_app, cookie):
 _overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
-claims=auth.verify_session_cookie(cookie, app=user_mgt_app)
-assertclaims['admin'] isTrue
-assertclaims['uid'] ==claims['sub']
+self._assert_valid_cookie(cookie, user_mgt_app)
 
 @pytest.mark.parametrize('cookie', valid_cookies.values(), ids=list(valid_cookies))
 deftest_valid_cookie_check_revoked(self, user_mgt_app, cookie):
 _overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
 _instrument_user_manager(user_mgt_app, 200, MOCK_GET_USER_RESPONSE)
-claims=auth.verify_session_cookie(cookie, app=user_mgt_app, check_revoked=True)
-assertclaims['admin'] isTrue
-assertclaims['uid'] ==claims['sub']
+self._assert_valid_cookie(cookie, app=user_mgt_app, check_revoked=True)
 
 @pytest.mark.parametrize('cookie', valid_cookies.values(), ids=list(valid_cookies))
 deftest_revoked_cookie_check_revoked(self, user_mgt_app, revoked_tokens, cookie):
@@ -567,9 +613,7 @@ def test_revoked_cookie_check_revoked(self, user_mgt_app, revoked_tokens, cookie
 deftest_revoked_cookie_does_not_check_revoked(self, user_mgt_app, revoked_tokens, cookie):
 _overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
 _instrument_user_manager(user_mgt_app, 200, revoked_tokens)
-claims=auth.verify_session_cookie(cookie, app=user_mgt_app, check_revoked=False)
-assertclaims['admin'] isTrue
-assertclaims['uid'] ==claims['sub']
+self._assert_valid_cookie(cookie, app=user_mgt_app, check_revoked=False)
 
 @pytest.mark.parametrize('cookie', INVALID_JWT_ARGS.values(), ids=list(INVALID_JWT_ARGS))
 deftest_invalid_args(self, user_mgt_app, cookie):
@@ -578,8 +622,12 @@ def test_invalid_args(self, user_mgt_app, cookie):
 auth.verify_session_cookie(cookie, app=user_mgt_app)
 assert'Illegal session cookie provided'instr(excinfo.value)
 
-@pytest.mark.parametrize('cookie', invalid_cookies.values(), ids=list(invalid_cookies))
-deftest_invalid_cookie(self, user_mgt_app, cookie):
+@pytest.mark.parametrize('cookie_key', list(invalid_cookies))
+deftest_invalid_cookie(self, user_mgt_app, cookie_key):
+cookie=self.invalid_cookies[cookie_key]
+if_is_emulated() andcookie_keyinself.cookies_not_invalid_in_emulator:
+self._assert_valid_cookie(cookie, user_mgt_app)
+return
 _overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
 withpytest.raises(auth.InvalidSessionCookieError) asexcinfo:
 auth.verify_session_cookie(cookie, app=user_mgt_app)
@@ -589,6 +637,9 @@ def test_invalid_cookie(self, user_mgt_app, cookie):
 deftest_expired_cookie(self, user_mgt_app):
 _overwrite_cert_request(user_mgt_app, MOCK_REQUEST)
 cookie=self.invalid_cookies['ExpiredCookie']
+if_is_emulated():
+self._assert_valid_cookie(cookie, user_mgt_app)
+return
 withpytest.raises(auth.ExpiredSessionCookieError) asexcinfo:
 auth.verify_session_cookie(cookie, app=user_mgt_app)
 assertisinstance(excinfo.value, auth.InvalidSessionCookieError)
@@ -621,6 +672,10 @@ def test_custom_token(self, auth_app):
 
 deftest_certificate_request_failure(self, user_mgt_app):
 _overwrite_cert_request(user_mgt_app, testutils.MockRequest(404, 'not found'))
+if_is_emulated():
+# Shouldn't fetch certificates in emulator mode.
+auth.verify_session_cookie(TEST_SESSION_COOKIE, app=user_mgt_app)
+return
 withpytest.raises(auth.CertificateFetchError) asexcinfo:
 auth.verify_session_cookie(TEST_SESSION_COOKIE, app=user_mgt_app)
 assert'Could not fetch certificates'instr(excinfo.value)
@@ -637,9 +692,11 @@ def test_certificate_caching(self, user_mgt_app, httpserver):
 verifier.cookie_verifier.cert_url=httpserver.url
 verifier.id_token_verifier.cert_url=httpserver.url
 verifier.verify_session_cookie(TEST_SESSION_COOKIE)
-assertlen(httpserver.requests) ==1
+# No requests should be made in emulated mode
+request_count=0if_is_emulated() else1
+assertlen(httpserver.requests) ==request_count
 # Subsequent requests should not fetch certs from the server
 verifier.verify_session_cookie(TEST_SESSION_COOKIE)
-assertlen(httpserver.requests) ==1
+assertlen(httpserver.requests) ==request_count
 verifier.verify_id_token(TEST_ID_TOKEN)
-assertlen(httpserver.requests) ==1
+assertlen(httpserver.requests) ==request_count