adnanhemani commented on code in PR #3246:
URL: https://github.com/apache/polaris/pull/3246#discussion_r2604816225
##########
polaris-core/src/test/java/org/apache/polaris/service/storage/gcp/GcpCredentialsStorageIntegrationTest.java:
##########
@@ -309,6 +315,63 @@ public void testRefreshCredentialsEndpointIsReturned()
throws IOException {
.isEqualTo(REFRESH_ENDPOINT);
}
+ @Test
+ public void testImpersonation() throws IOException {
+ String serviceAccount = "[email protected]";
+ GcpStorageConfigurationInfo config =
+ GcpStorageConfigurationInfo.builder()
+ .addAllAllowedLocations(List.of("gs://bucket/path"))
+ .gcpServiceAccount(serviceAccount)
+ .build();
+
+ IamCredentialsClient mockIamClient =
Mockito.mock(IamCredentialsClient.class);
+ GenerateAccessTokenResponse mockResponse =
+ GenerateAccessTokenResponse.newBuilder()
+ .setAccessToken("impersonated-token")
+ .setExpireTime(
+ Timestamp.newBuilder().setSeconds(System.currentTimeMillis() /
1000 + 3600).build())
+ .build();
+
Mockito.when(mockIamClient.generateAccessToken(Mockito.any(GenerateAccessTokenRequest.class)))
+ .thenReturn(mockResponse);
+
+ GoogleCredentials mockCreds = Mockito.mock(GoogleCredentials.class);
+
Mockito.when(mockCreds.createScoped(Mockito.any(String.class))).thenReturn(mockCreds);
+
+ GcpCredentialsStorageIntegration integration =
+ new GcpCredentialsStorageIntegration(
+ config,
+ mockCreds,
+ ServiceOptions.getFromServiceLoader(
+ HttpTransportFactory.class, NetHttpTransport::new)) {
+ @Override
+ protected IamCredentialsClient
createIamCredentialsClient(GoogleCredentials credentials) {
+ return mockIamClient;
+ }
+
+ @Override
+ protected AccessToken refreshAccessToken(DownscopedCredentials
credentials) {
+ return new AccessToken("downscoped-token", new Date());
+ }
+ };
+
+ integration.getSubscopedCreds(
+ EMPTY_REALM_CONFIG,
+ true,
+ Set.of("gs://bucket/path"),
+ Set.of("gs://bucket/path"),
+ Optional.empty());
+
+ Mockito.verify(mockIamClient)
+ .generateAccessToken(
+ Mockito.argThat(
+ request ->
+ request.getName().equals("projects/-/serviceAccounts/" +
serviceAccount)
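Review bot: the result of integration.getSubscopedCreds(...) is discarded, so in the lines shown the only thing this test pins down is the name on the GenerateAccessTokenRequest passed to the mocked IamCredentialsClient. Capture the return value and assert on what it contains, so the test checks the credentials that come back from the impersonation path and not only that the IAM client was called. Separately, the refreshAccessToken override builds its token with new Date() as the expiry, which is already at its expiry time the moment it is created; a fixed future instant would keep the test independent of how expiry is handled, and the same applies to the System.currentTimeMillis() arithmetic in the mocked response.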
Review Comment:
nit: Would recommend moving these variables out to the main class as public
variables and then referencing them here from there so that we don't have magic
variables and it will be cleaner to maintain if there are any changes in the
future!