Skip to content

Unit tests should not require credentials from environment #431

New issue
New issue
Closed
#432
Closed
Unit tests should not require credentials from environment#431
#432
Assignees
tseaver
Labels
api: spannerIssues related to the googleapis/python-spanner API.type: processA process-related concern. May include testing, release, or the like.
@tseaver

Description

@tseaver
tseaver
opened on Jul 28, 2021
$ git remote -v
origin	git@github.com:googleapis/python-spanner (fetch)
origin	git@github.com:googleapis/python-spanner (push)

$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean

$ env | grep GOOGLE || echo "No credentials in environment"
No credentials in environment

$ .nox/unit-3-6/bin/py.test -v -x tests/unit/spanner_dbapi/
...
=================================== FAILURES ===================================
____________________ Test_connect.test_connect_database_id _____________________

self = <tests.unit.spanner_dbapi.test_connect.Test_connect testMethod=test_connect_database_id>

    def test_connect_database_id(self):
        from google.cloud.spanner_dbapi import connect
        from google.cloud.spanner_dbapi import Connection
    
        DATABASE = "test-database"
    
        with mock.patch(
            "google.cloud.spanner_v1.instance.Instance.database"
        ) as database_mock:
            with mock.patch(
                "google.cloud.spanner_v1.instance.Instance.exists", return_value=True,
            ):
>               connection = connect("test-instance", DATABASE)

tests/unit/spanner_dbapi/test_connect.py:110: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
google/cloud/spanner_dbapi/connection.py:399: in connect
    project=project, credentials=credentials, client_info=client_info
google/cloud/spanner_v1/client.py:162: in __init__
    _http=None,
.nox/unit-3-6/lib/python3.6/site-packages/google/cloud/client.py:249: in __init__
    _ClientProjectMixin.__init__(self, project=project)
.nox/unit-3-6/lib/python3.6/site-packages/google/cloud/client.py:201: in __init__
    project = self._determine_default(project)
.nox/unit-3-6/lib/python3.6/site-packages/google/cloud/client.py:216: in _determine_default
    return _determine_default_project(project)
.nox/unit-3-6/lib/python3.6/site-packages/google/cloud/_helpers.py:186: in _determine_default_project
    _, project = google.auth.default()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

scopes = None, request = None, quota_project_id = None, default_scopes = None

    def default(scopes=None, request=None, quota_project_id=None, default_scopes=None):
        """Gets the default credentials for the current environment.
    
        `Application Default Credentials`_ provides an easy way to obtain
        credentials to call Google APIs for server-to-server or local applications.
        This function acquires credentials from the environment in the following
        order:
    
        1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
           to the path of a valid service account JSON private key file, then it is
           loaded and returned. The project ID returned is the project ID defined
           in the service account file if available (some older files do not
           contain project ID information).
    
           If the environment variable is set to the path of a valid external
           account JSON configuration file (workload identity federation), then the
           configuration file is used to determine and retrieve the external
           credentials from the current environment (AWS, Azure, etc).
           These will then be exchanged for Google access tokens via the Google STS
           endpoint.
           The project ID returned in this case is the one corresponding to the
           underlying workload identity pool resource if determinable.
        2. If the `Google Cloud SDK`_ is installed and has application default
           credentials set they are loaded and returned.
    
           To enable application default credentials with the Cloud SDK run::
    
                gcloud auth application-default login
    
           If the Cloud SDK has an active project, the project ID is returned. The
           active project can be set using::
    
                gcloud config set project
    
        3. If the application is running in the `App Engine standard environment`_
           (first generation) then the credentials and project ID from the
           `App Identity Service`_ are used.
        4. If the application is running in `Compute Engine`_ or `Cloud Run`_ or
           the `App Engine flexible environment`_ or the `App Engine standard
           environment`_ (second generation) then the credentials and project ID
           are obtained from the `Metadata Service`_.
        5. If no credentials are found,
           :class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.
    
        .. _Application Default Credentials: https://developers.google.com\
                /identity/protocols/application-default-credentials
        .. _Google Cloud SDK: https://cloud.google.com/sdk
        .. _App Engine standard environment: https://cloud.google.com/appengine
        .. _App Identity Service: https://cloud.google.com/appengine/docs/python\
                /appidentity/
        .. _Compute Engine: https://cloud.google.com/compute
        .. _App Engine flexible environment: https://cloud.google.com\
                /appengine/flexible
        .. _Metadata Service: https://cloud.google.com/compute/docs\
                /storing-retrieving-metadata
        .. _Cloud Run: https://cloud.google.com/run
    
        Example::
    
            import google.auth
    
            credentials, project_id = google.auth.default()
    
        Args:
            scopes (Sequence[str]): The list of scopes for the credentials. If
                specified, the credentials will automatically be scoped if
                necessary.
            request (Optional[google.auth.transport.Request]): An object used to make
                HTTP requests. This is used to either detect whether the application
                is running on Compute Engine or to determine the associated project
                ID for a workload identity pool resource (external account
                credentials). If not specified, then it will either use the standard
                library http client to make requests for Compute Engine credentials
                or a google.auth.transport.requests.Request client for external
                account credentials.
            quota_project_id (Optional[str]): The project ID used for
                quota and billing.
            default_scopes (Optional[Sequence[str]]): Default scopes passed by a
                Google client library. Use 'scopes' for user-defined scopes.
        Returns:
            Tuple[~google.auth.credentials.Credentials, Optional[str]]:
                the current environment's credentials and project ID. Project ID
                may be None, which indicates that the Project ID could not be
                ascertained from the environment.
    
        Raises:
            ~google.auth.exceptions.DefaultCredentialsError:
                If no credentials were found, or if the credentials found were
                invalid.
        """
        from google.auth.credentials import with_scopes_if_required
    
        explicit_project_id = os.environ.get(
            environment_vars.PROJECT, os.environ.get(environment_vars.LEGACY_PROJECT)
        )
    
        checkers = (
            # Avoid passing scopes here to prevent passing scopes to user credentials.
            # with_scopes_if_required() below will ensure scopes/default scopes are
            # safely set on the returned credentials since requires_scopes will
            # guard against setting scopes on user credentials.
            _get_explicit_environ_credentials,
            _get_gcloud_sdk_credentials,
            _get_gae_credentials,
            lambda: _get_gce_credentials(request),
        )
    
        for checker in checkers:
            credentials, project_id = checker()
            if credentials is not None:
                credentials = with_scopes_if_required(
                    credentials, scopes, default_scopes=default_scopes
                )
    
                # For external account credentials, scopes are required to determine
                # the project ID. Try to get the project ID again if not yet
                # determined.
                if not project_id and callable(
                    getattr(credentials, "get_project_id", None)
                ):
                    if request is None:
                        request = google.auth.transport.requests.Request()
                    project_id = credentials.get_project_id(request=request)
    
                if quota_project_id:
                    credentials = credentials.with_quota_project(quota_project_id)
    
                effective_project_id = explicit_project_id or project_id
                if not effective_project_id:
                    _LOGGER.warning(
                        "No project ID could be determined. Consider running "
                        "`gcloud config set project` or setting the %s "
                        "environment variable",
                        environment_vars.PROJECT,
                    )
                return credentials, effective_project_id
    
>       raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
E       google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started

.nox/unit-3-6/lib/python3.6/site-packages/google/auth/_default.py:488: DefaultCredentialsError
------------------------------ Captured log call -------------------------------
WARNING  google.auth.compute_engine._metadata:_metadata.py:104 Compute Engine Metadata server unavailable onattempt 1 of 3. Reason: timed out
WARNING  google.auth.compute_engine._metadata:_metadata.py:104 Compute Engine Metadata server unavailable onattempt 2 of 3. Reason: [Errno 113] No route to host
WARNING  google.auth.compute_engine._metadata:_metadata.py:104 Compute Engine Metadata server unavailable onattempt 3 of 3. Reason: timed out
WARNING  google.auth._default:_default.py:287 Authentication failed using Compute Engine authentication due to unavailable metadata server.
=========================== short test summary info ============================
FAILED tests/unit/spanner_dbapi/test_connect.py::Test_connect::test_connect_database_id
!!!!!!!!!!!!!!!!!!!!!!!!!! stopping after 1 failures !!!!!!!!!!!!!!!!!!!!!!!!!!!
========================= 1 failed, 11 passed in 6.81s =========================

Metadata

Metadata

Assignees

Labels

api: spannerIssues related to the googleapis/python-spanner API.type: processA process-related concern. May include testing, release, or the like.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions