ToucanToco · lukapeschke · Dec 4, 2023 · Dec 15, 2023 · Dec 15, 2023
@@ -1,4 +1,36 @@
-from toucan_connectors.google_credentials import GoogleCredentials
+import json
+
+from pytest_mock import MockFixture
+
+from toucan_connectors.google_credentials import GoogleCredentials, get_google_oauth2_credentials
+
+
+def test_google_credentials(mocker: MockFixture):
+    conf = {
+        'type': 'service_account',
+        'project_id': 'my_project_id',
+        'private_key_id': 'my_private_key_id',
+        'private_key': '-----BEGIN PRIVATE KEY-----\naaa\nbbb\n-----END PRIVATE KEY-----\n',
+        'client_email': 'my_client_email',
+        'client_id': 'my_client_id',
+        'auth_uri': 'https://accounts.google.com/o/oauth2/auth',
+        'token_uri': 'https://oauth2.googleapis.com/token',
+        'auth_provider_x509_cert_url': 'https://www.googleapis.com/oauth2/v1/certs',
+        'client_x509_cert_url': 'https://www.googleapis.com/robot/v1/metadata/x509/xxx.iam.gserviceaccount.com',  # noqa: E501
+    }
+    credentials = GoogleCredentials(**conf)
+    # Ensure `private_key_id` and `private_key` are masked
+    assert credentials.json() == json.dumps(
+        {
+            **conf,
+            'private_key_id': '**********',
+            'private_key': '**********',
+        }
+    )
+    # Ensure `Credentials` is called with the right values of secrets
+    mock_credentials = mocker.patch('toucan_connectors.google_credentials.Credentials')
+    get_google_oauth2_credentials(credentials)
+    mock_credentials.from_service_account_info.assert_called_once_with(conf)
 
 
 def test_unespace_break_lines():
@@ -16,7 +48,7 @@ def test_unespace_break_lines():
     }
     credentials = GoogleCredentials(**conf)
     assert (
-        credentials.private_key == '-----BEGIN PRIVATE KEY-----\n'
+        credentials.private_key.get_secret_value() == '-----BEGIN PRIVATE KEY-----\n'
         'aaa\n'
         'bbb\n'
         '-----END PRIVATE KEY-----\n'

@@ -1,5 +1,5 @@
 from google.oauth2.service_account import Credentials
-from pydantic import BaseModel, Field, HttpUrl, validator
+from pydantic import BaseModel, Field, HttpUrl, SecretStr, validator
 
 CREDENTIALS_INFO_MESSAGE = (
     'This information is provided in your '
@@ -28,8 +28,10 @@ class GoogleCredentials(BaseModel):
         'service_account', title='Service account', description=CREDENTIALS_INFO_MESSAGE
     )
     project_id: str = Field(..., title='Project ID', description=CREDENTIALS_INFO_MESSAGE)
-    private_key_id: str = Field(..., title='Private Key ID', description=CREDENTIALS_INFO_MESSAGE)
-    private_key: str = Field(
+    private_key_id: SecretStr = Field(
+        ..., title='Private Key ID', description=CREDENTIALS_INFO_MESSAGE
+    )
+    private_key: SecretStr = Field(
         ...,
         title='Private Key',
         description=f'A private key in the form '
@@ -59,15 +61,18 @@ class GoogleCredentials(BaseModel):
     )
 
     @validator('private_key')
-    def unescape_break_lines(cls, v):
+    def unescape_break_lines(cls, v: SecretStr) -> SecretStr:
         """
         `private_key` is a long string like
         '-----BEGIN PRIVATE KEY-----\nxxx...zzz\n-----END PRIVATE KEY-----\n
         As the breaking line are often escaped by the client,
         we need to be sure it's unescaped
         """
-        return v.replace('\\n', '\n')
+        return SecretStr(v.get_secret_value().replace('\\n', '\n'))
 
 
 def get_google_oauth2_credentials(google_credentials: GoogleCredentials) -> Credentials:
-    return Credentials.from_service_account_info(google_credentials.dict())
+    creds = google_credentials.dict()
+    for secret_field in ('private_key_id', 'private_key'):
+        creds[secret_field] = creds[secret_field].get_secret_value()
+    return Credentials.from_service_account_info(creds)