OpenMetadata/ingestion/tests/unit/test_credentials.py

#  Copyright 2025 Collate
#  Licensed under the Collate Community License, Version 1.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#  https://github.com/open-metadata/OpenMetadata/blob/main/ingestion/LICENSE
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
"""
Test Credentials helper module
"""
from unittest import TestCase

from pydantic import AnyUrl, SecretStr

from metadata.generated.schema.security.credentials.gcpCredentials import GCPCredentials
from metadata.generated.schema.security.credentials.gcpExternalAccount import (
    GcpExternalAccount,
)
from metadata.generated.schema.security.credentials.gcpValues import (
    GcpCredentialsValues,
)
from metadata.utils.credentials import (
    InvalidPrivateKeyException,
    build_google_credentials_dict,
    set_google_credentials,
)
from metadata.utils.logger import Loggers


class TestCredentials(TestCase):
    """
    Validate credentials handling
    """

    def test_build_service_account_google_credentials_dict(self):
        """
        Check how we can validate GCS values
        """

        # Key mocked online
        private_key = """-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDMGwM93kIt3D4r4+dWAGdoTboSaZcFLhsG1lvnZlYEpnZoFo1M
ek7laRKDUW3CkdTlSid9p4/RTs9SYKuuXvNKNSLApHUeR2zgKBIHYTGGv1t1bEWc
ohVeqr7w8HkFr9LV4qxgFEWBBd3QYncY/Y1iZgTtbmMiUxJN9vj/kuH0xQIDAQAB
AoGAPDqAY2JRrwy9v9/ZpPQrj4jYLpS//sRTL1pT9l2pZmfkquR0v6ub2nB+CQgf
VnoIE70lGBw5AS+7V/i00JiuO6GP/MWWqxKdc5McjBGYDIb+9gQ/DrryVDHsqgGX
iZrWr7rIrpGsbCB2xt2HPpKR7D9IpI8FA+EEU9fIPfETM6ECQQDv69L78zdijSNk
CYx70dVHqCiDZT5RbkJqDmQwKabIGXBqZLTM+7ZAHotq0EXGc5BvQGyIMso/qIOs
Wq3imi3dAkEA2ci4xEzj5guQcGxoVcxfGm+M/VqXLuw/eW1sYdOp52OwdDywxG+I
6tpm5ByVowhqT8PHDJVOy8GEV9QNw0Y4CQJBAJiyn/rJJlPr/j1aMnZP642KwhY2
pr4PDegQNsXMjKDISBr+82+POMSAbD1UR0RyItgbybe5k62GZB+bKxaRCGUCQEVj
l8MrwH0eeCHp2IBlwnN40VIz1/GiYkL9I0g0GXFZKPKQF74uz1AM0DWkCeVNHBpY
BYaz18xB1znonY33RIkCQQDE3wAWxFrvr582J12qJkE4enmNhRJFdcSREDX54d/5
VEhPQF0i0tUU7Fl071hcYaiQoZx4nIjN+NG6p5QKbl6k
-----END RSA PRIVATE KEY-----"""

        gcp_values = GcpCredentialsValues(
            type="service_account",
            projectId=["project_id"],
            privateKeyId="private_key_id",
            privateKey=private_key,
            clientEmail="email@mail.com",
            clientId="client_id",
            clientX509CertUrl=AnyUrl("http://localhost:1234"),
        )

        expected_dict = {
            "type": "service_account",
            "project_id": ["project_id"],
            "private_key_id": "private_key_id",
            "private_key": private_key,
            "client_email": "email@mail.com",
            "client_id": "client_id",
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_x509_cert_url": "http://localhost:1234/",
        }

        self.assertEqual(expected_dict, build_google_credentials_dict(gcp_values))

        gcp_values.privateKey = SecretStr("I don't think I am a proper Private Key")

        with self.assertRaises(InvalidPrivateKeyException):
            build_google_credentials_dict(gcp_values)

    def test_build_external_account_google_credentials_dict(self):
        """
        Check how we can validate GCS values
        """
        gcp_values = GcpExternalAccount(
            externalType="external_account",
            audience="audience",
            subjectTokenType="subject_token_type",
            tokenURL="token_url",
            credentialSource={"environmentId": "environment_id"},
        )

        expected_dict = {
            "type": "external_account",
            "audience": "audience",
            "subject_token_type": "subject_token_type",
            "token_url": "token_url",
            "credential_source": {"environmentId": "environment_id"},
        }

        self.assertEqual(expected_dict, build_google_credentials_dict(gcp_values))
        with self.assertLogs(Loggers.UTILS.value, level="INFO") as log:
            set_google_credentials(
                GCPCredentials(gcpConfig=gcp_values, gcpImpersonateServiceAccount=None)
            )
            self.assertIn(
                "Using External account credentials to authenticate with GCP services.",
                log.output[0],
            )
MINOR: Change ingestion licence header (#20549) 2025-04-03 10:39:47 +05:30			`# Copyright 2025 Collate`
			`# Licensed under the Collate Community License, Version 1.0 (the "License");`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
MINOR: Change ingestion licence header (#20549) 2025-04-03 10:39:47 +05:30			`# https://github.com/open-metadata/OpenMetadata/blob/main/ingestion/LICENSE`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`"""`
			`Test Credentials helper module`
			`"""`
			`from unittest import TestCase`

#15243 - Pydantic V2 & Airflow 2.9 (#16480) * pydantic v2 * pydanticv2 * fix parser * fix annotated * fix model dumping * mysql ingestion * clean root models * clean root models * bump airflow * bump airflow * bump airflow * optionals * optionals * optionals * jdk * airflow migrate * fab provider * fab provider * fab provider * some more fixes * fixing tests and imports * model_dump and model_validate * model_dump and model_validate * model_dump and model_validate * union * pylint * pylint * integration tests * fix CostAnalysisReportData * integration tests * tests * missing defaults * missing defaults 2024-06-05 21:18:37 +02:00			`from pydantic import AnyUrl, SecretStr`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00
Minor: Fixes Bigquery External Account AttributeError (#16801) 2024-06-26 20:19:48 +05:30			`from metadata.generated.schema.security.credentials.gcpCredentials import GCPCredentials`
#14169: Support external_account type for GCP Auth (#14166) 2024-03-16 23:29:02 +09:00			`from metadata.generated.schema.security.credentials.gcpExternalAccount import (`
Fix External Account Json Schema Issue (#15671) 2024-03-23 16:47:55 +05:30			`GcpExternalAccount,`
#14169: Support external_account type for GCP Auth (#14166) 2024-03-16 23:29:02 +09:00			`)`
Rename GCS to GCP (#11812) 2023-06-06 11:57:00 +05:30			`from metadata.generated.schema.security.credentials.gcpValues import (`
			`GcpCredentialsValues,`
Fix#8648: Mask sensitive info from API responses (#10307) * Mask sensitive info from API responses * Rename converter classes * Add missing Java classes from JSON schemas and class converters * Update test service connection schema * Update datalakeConnection JSON schema and fix some tests * Fix AlertsRuleEvaluatorResourceTest and minor error in run_local_docker.sh * Fix Pipeline and Database service tests * Minor refactor * Fix CsvUtilTest * Fix EventMonitorFactoryTest * Fix CloudWatchEventMonitorTest * Update datalake metadata * Update bigquery metadata * Fix test connection functionality * Fix OMeta service api test * Update gcsValues title and revert changes in GH actions * Mask sensitive enabled by default for local docker * Add missing tests * Address PR comments * Address PR comments * fix ui breaks on gcsValues.json * Address PR comments * Minor refactor --------- Co-authored-by: Chirag Madlani <12962843+chirag-madlani@users.noreply.github.com> 2023-03-03 19:10:01 +01:00			`)`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`from metadata.utils.credentials import (`
			`InvalidPrivateKeyException,`
			`build_google_credentials_dict,`
Minor: Fixes Bigquery External Account AttributeError (#16801) 2024-06-26 20:19:48 +05:30			`set_google_credentials,`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`)`
Minor: Fixes Bigquery External Account AttributeError (#16801) 2024-06-26 20:19:48 +05:30			`from metadata.utils.logger import Loggers`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00

			`class TestCredentials(TestCase):`
			`"""`
			`Validate credentials handling`
			`"""`

#14169: Support external_account type for GCP Auth (#14166) 2024-03-16 23:29:02 +09:00			`def test_build_service_account_google_credentials_dict(self):`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`"""`
			`Check how we can validate GCS values`
			`"""`

			`# Key mocked online`
			`private_key = """-----BEGIN RSA PRIVATE KEY-----`
			`MIICXQIBAAKBgQDMGwM93kIt3D4r4+dWAGdoTboSaZcFLhsG1lvnZlYEpnZoFo1M`
			`ek7laRKDUW3CkdTlSid9p4/RTs9SYKuuXvNKNSLApHUeR2zgKBIHYTGGv1t1bEWc`
			`ohVeqr7w8HkFr9LV4qxgFEWBBd3QYncY/Y1iZgTtbmMiUxJN9vj/kuH0xQIDAQAB`
			`AoGAPDqAY2JRrwy9v9/ZpPQrj4jYLpS//sRTL1pT9l2pZmfkquR0v6ub2nB+CQgf`
			`VnoIE70lGBw5AS+7V/i00JiuO6GP/MWWqxKdc5McjBGYDIb+9gQ/DrryVDHsqgGX`
			`iZrWr7rIrpGsbCB2xt2HPpKR7D9IpI8FA+EEU9fIPfETM6ECQQDv69L78zdijSNk`
			`CYx70dVHqCiDZT5RbkJqDmQwKabIGXBqZLTM+7ZAHotq0EXGc5BvQGyIMso/qIOs`
			`Wq3imi3dAkEA2ci4xEzj5guQcGxoVcxfGm+M/VqXLuw/eW1sYdOp52OwdDywxG+I`
			`6tpm5ByVowhqT8PHDJVOy8GEV9QNw0Y4CQJBAJiyn/rJJlPr/j1aMnZP642KwhY2`
			`pr4PDegQNsXMjKDISBr+82+POMSAbD1UR0RyItgbybe5k62GZB+bKxaRCGUCQEVj`
			`l8MrwH0eeCHp2IBlwnN40VIz1/GiYkL9I0g0GXFZKPKQF74uz1AM0DWkCeVNHBpY`
			`BYaz18xB1znonY33RIkCQQDE3wAWxFrvr582J12qJkE4enmNhRJFdcSREDX54d/5`
			`VEhPQF0i0tUU7Fl071hcYaiQoZx4nIjN+NG6p5QKbl6k`
			`-----END RSA PRIVATE KEY-----"""`

Rename GCS to GCP (#11812) 2023-06-06 11:57:00 +05:30			`gcp_values = GcpCredentialsValues(`
#14169: Support external_account type for GCP Auth (#14166) 2024-03-16 23:29:02 +09:00			`type="service_account",`
Fix: Changes in bigquey for project-id (#8708) 2022-11-17 14:26:37 +05:30			`projectId=["project_id"],`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`privateKeyId="private_key_id",`
			`privateKey=private_key,`
			`clientEmail="email@mail.com",`
			`clientId="client_id",`
#15243 - Pydantic V2 & Airflow 2.9 (#16480) * pydantic v2 * pydanticv2 * fix parser * fix annotated * fix model dumping * mysql ingestion * clean root models * clean root models * bump airflow * bump airflow * bump airflow * optionals * optionals * optionals * jdk * airflow migrate * fab provider * fab provider * fab provider * some more fixes * fixing tests and imports * model_dump and model_validate * model_dump and model_validate * model_dump and model_validate * union * pylint * pylint * integration tests * fix CostAnalysisReportData * integration tests * tests * missing defaults * missing defaults 2024-06-05 21:18:37 +02:00			`clientX509CertUrl=AnyUrl("http://localhost:1234"),`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`)`

			`expected_dict = {`
#14169: Support external_account type for GCP Auth (#14166) 2024-03-16 23:29:02 +09:00			`"type": "service_account",`
Fix: Changes in bigquey for project-id (#8708) 2022-11-17 14:26:37 +05:30			`"project_id": ["project_id"],`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`"private_key_id": "private_key_id",`
			`"private_key": private_key,`
			`"client_email": "email@mail.com",`
			`"client_id": "client_id",`
			`"auth_uri": "https://accounts.google.com/o/oauth2/auth",`
			`"token_uri": "https://oauth2.googleapis.com/token",`
			`"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",`
#15243 - Pydantic V2 & Airflow 2.9 (#16480) * pydantic v2 * pydanticv2 * fix parser * fix annotated * fix model dumping * mysql ingestion * clean root models * clean root models * bump airflow * bump airflow * bump airflow * optionals * optionals * optionals * jdk * airflow migrate * fab provider * fab provider * fab provider * some more fixes * fixing tests and imports * model_dump and model_validate * model_dump and model_validate * model_dump and model_validate * union * pylint * pylint * integration tests * fix CostAnalysisReportData * integration tests * tests * missing defaults * missing defaults 2024-06-05 21:18:37 +02:00			`"client_x509_cert_url": "http://localhost:1234/",`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`}`

Rename GCS to GCP (#11812) 2023-06-06 11:57:00 +05:30			`self.assertEqual(expected_dict, build_google_credentials_dict(gcp_values))`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00
Rename GCS to GCP (#11812) 2023-06-06 11:57:00 +05:30			`gcp_values.privateKey = SecretStr("I don't think I am a proper Private Key")`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00
			`with self.assertRaises(InvalidPrivateKeyException):`
Rename GCS to GCP (#11812) 2023-06-06 11:57:00 +05:30			`build_google_credentials_dict(gcp_values)`
#14169: Support external_account type for GCP Auth (#14166) 2024-03-16 23:29:02 +09:00
			`def test_build_external_account_google_credentials_dict(self):`
			`"""`
			`Check how we can validate GCS values`
			`"""`
Fix External Account Json Schema Issue (#15671) 2024-03-23 16:47:55 +05:30			`gcp_values = GcpExternalAccount(`
			`externalType="external_account",`
#14169: Support external_account type for GCP Auth (#14166) 2024-03-16 23:29:02 +09:00			`audience="audience",`
			`subjectTokenType="subject_token_type",`
			`tokenURL="token_url",`
			`credentialSource={"environmentId": "environment_id"},`
			`)`

			`expected_dict = {`
			`"type": "external_account",`
			`"audience": "audience",`
			`"subject_token_type": "subject_token_type",`
			`"token_url": "token_url",`
			`"credential_source": {"environmentId": "environment_id"},`
			`}`

			`self.assertEqual(expected_dict, build_google_credentials_dict(gcp_values))`
Minor: Fixes Bigquery External Account AttributeError (#16801) 2024-06-26 20:19:48 +05:30			`with self.assertLogs(Loggers.UTILS.value, level="INFO") as log:`
			`set_google_credentials(`
			`GCPCredentials(gcpConfig=gcp_values, gcpImpersonateServiceAccount=None)`
			`)`
			`self.assertIn(`
			`"Using External account credentials to authenticate with GCP services.",`
			`log.output[0],`
			`)`