working IT test

Author: ldetmer

google-cloud-spanner/src/test/java/com/google/cloud/spanner/connection/it/ITMutableCredentialsTest.java

@@ -17,19 +17,17 @@
 package com.google.cloud.spanner.connection.it;
 
 import static org.junit.Assert.*;
-import static org.junit.Assume.assumeTrue;
 
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.ServiceAccountCredentials;
 import com.google.cloud.spanner.*;
 import com.google.cloud.spanner.admin.database.v1.DatabaseAdminClient;
-import com.google.cloud.spanner.connection.ITAbstractSpannerTest;
 import com.google.cloud.spanner.connection.MutableCredentials;
 import com.google.spanner.admin.database.v1.Database;
 import com.google.spanner.admin.database.v1.InstanceName;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
@@ -38,78 +36,64 @@
 
 @Category(SerialIntegrationTest.class)
 @RunWith(JUnit4.class)
-public class ITMutableCredentialsTest extends ITAbstractSpannerTest {
-  private static final String VALID_KEY_RESOURCE =
-      "/com/google/cloud/spanner/connection/test-key.json";
+public class ITMutableCredentialsTest {
+  private static final String MISSING_PERM_KEY =
+      "/com/google/cloud/spanner/connection/test-key-missing-permissions.json";
 
-  private static final String INVALID_KEY_RESOURCE =
-      "/com/google/cloud/spanner/connection/invalid-test-key.json";
+  private static final String INVALID_KEY = "/com/google/cloud/spanner/connection/test-key.json";
 
   @Test
   public void testMutableCredentialsUpdateAuthorizationForRunningClient() throws IOException {
 
-    GoogleCredentials credentialsFromFile;
+    GoogleCredentials missingPermissionCredentials;
     try (InputStream stream =
-        ITMutableCredentialsTest.class.getResourceAsStream(VALID_KEY_RESOURCE)) {
-      assertNotNull("Missing test resource: " + VALID_KEY_RESOURCE, stream);
-      credentialsFromFile = GoogleCredentials.fromStream(stream);
+        ITMutableCredentialsTest.class.getResourceAsStream(MISSING_PERM_KEY)) {
+      missingPermissionCredentials = GoogleCredentials.fromStream(stream);
     }
-    assumeTrue(
-        "This test requires service account credentials",
-        credentialsFromFile instanceof ServiceAccountCredentials);
-
-    ServiceAccountCredentials validCredentials = (ServiceAccountCredentials) credentialsFromFile;
     ServiceAccountCredentials invalidCredentials;
-    try (InputStream stream =
-        ITMutableCredentialsTest.class.getResourceAsStream(INVALID_KEY_RESOURCE)) {
-      assertNotNull("Missing test resource: " + INVALID_KEY_RESOURCE, stream);
+    try (InputStream stream = ITMutableCredentialsTest.class.getResourceAsStream(INVALID_KEY)) {
       invalidCredentials = ServiceAccountCredentials.fromStream(stream);
     }
-
-    List<String> scopes = new ArrayList<>(getTestEnv().getTestHelper().getOptions().getScopes());
-    MutableCredentials mutableCredentials = new MutableCredentials(validCredentials, scopes);
+    List<String> scopes =
+        Collections.singletonList("https://www.googleapis.com/auth/cloud-platform");
+    // create MutableCredentials first with missing permissions
+    MutableCredentials mutableCredentials =
+        new MutableCredentials((ServiceAccountCredentials) missingPermissionCredentials, scopes);
 
     SpannerOptions options = SpannerOptions.newBuilder().setCredentials(mutableCredentials).build();
-
     try (Spanner spanner = options.getService();
         DatabaseAdminClient databaseAdminClient = spanner.createDatabaseAdminClient()) {
-      /* String dbName =
-          DatabaseName.of(
-                  getTestEnv().getTestHelper().getInstanceId().getProject(),
-                  getTestEnv().getTestHelper().getInstanceId().getInstance(),
-                  "TEST")
-              .toString();
-      Database database = databaseAdminClient.getDatabase(dbName);*/
-      InstanceName instanceName =
-          InstanceName.of(
-              getTestEnv().getTestHelper().getInstanceId().getProject(),
-              getTestEnv().getTestHelper().getInstanceId().getInstance());
-      DatabaseAdminClient.ListDatabasesPagedResponse response =
-          databaseAdminClient.listDatabases(instanceName);
-
-      boolean databaseFound = false;
-      for (DatabaseAdminClient.ListDatabasesPage page : response.iteratePages()) {
-        for (Database database : page.iterateAll()) {
-          System.out.println("\t" + database.getName());
-          databaseFound = true;
-        }
+      String project = "gcloud-devel";
+      String instance = "java-client-integration-tests";
+      try {
+        listDatabases(databaseAdminClient, project, instance);
+      } catch (Exception e) {
+        // specifically validate the permission denied error message
+        assertTrue(e.getMessage().contains("PERMISSION_DENIED"));
+        assertFalse(e.getMessage().contains("UNAUTHENTICATED"));
       }
-      assertTrue(databaseFound);
+
+      // update mutableCredentials now to use an invalid credential
+      mutableCredentials.updateCredentials(invalidCredentials);
       try {
-        mutableCredentials.updateCredentials(invalidCredentials);
-        DatabaseAdminClient.ListDatabasesPagedResponse responseFailure =
-            databaseAdminClient.listDatabases(instanceName);
-        for (DatabaseAdminClient.ListDatabasesPage page : responseFailure.iteratePages()) {
-          for (Database database : page.iterateAll()) {
-            System.out.println("\t" + database.getName());
-          }
-        }
+        listDatabases(databaseAdminClient, project, instance);
         fail("Expected UNAUTHENTICATED after switching to invalid credentials");
-      } catch (SpannerException e) {
-        assertEquals(ErrorCode.UNAUTHENTICATED, e.getErrorCode());
+      } catch (Exception e) {
+        assertTrue(e.getMessage().contains("UNAUTHENTICATED"));
+        assertFalse(e.getMessage().contains("PERMISSION_DENIED"));
+      }
+    }
+  }
+
+  private static void listDatabases(
+      DatabaseAdminClient databaseAdminClient, String projectId, String instanceId) {
+    DatabaseAdminClient.ListDatabasesPagedResponse response =
+        databaseAdminClient.listDatabases(InstanceName.of(projectId, instanceId));
+
+    for (DatabaseAdminClient.ListDatabasesPage page : response.iteratePages()) {
+      for (Database database : page.iterateAll()) {
+        // no-op
       }
-    } finally {
-      closeSpanner();
     }
   }
 }

google-cloud-spanner/src/test/resources/com/google/cloud/spanner/connection/invalid-test-key.json

@@ -0,0 +1,13 @@
+{
+  "type": "service_account",
+  "project_id": "ldetmer-sanbox",
+  "private_key_id": "1f9be0fd206d51e759ab8577c32301333dda9103",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDgwaPePW0yK6Wg\nm0n0PgrmJbwbf0HgFQ9E5I5e+rZ+hl79pCxCkXcTVH6HsIgh+Lp1tyCTExjsE0cN\nDVRy9YD/BR4wKsxOhz5UKwmRhOg127EGvqMAwomEGOIyOuS+AMmdy710B/iBjc01\nLYTzNe1ldZ5SK69AJer9g1+mPn2H7AbZGQ8/ThKvzEAErmgd7PMATRwg6sAc5n6O\nIvcfQp4XApcYuCNH4KVmnXD3K9f0ySV5WKA14eHRIIxwjHagFvHaiMvU4/HXqCao\nClVoNmmoraUBfaDGj4JGMvj1JjTyz4VB0KGXxYTJJrViYhkKZs4zSo2k2qatPczn\nNHH6PkjLAgMBAAECggEAD+QWYPfjiOuQb1WWGgBqUYa+JmI4rHjwtm9D0wVTnTMv\nniwFu8MrMcuvPTVxupfVHyOOgwzo8zATEveBTrYlo7efQHVA3WsvMKZGVpVDZyNx\nqxy+y6agMHMjSGfk6mYwhclKS4eQviA3hRit0MBcWOhtruOgesmeNBnIy9PumOB+\nWVRp7uz8D/xaq55lFAShaH2DAEt316qetZW+LtNq473pPq9GlnFYsj+OPyWT84X2\nmeoWLxVwOpkx1RmmlAEOQCCK24H7GbZwsADiyHQ37cwQ/MfTs9qsib56TByVHSSb\nYD+lTMPT+5N/YY51AVq4op4kGPuVTHLE4D3uZduSEQKBgQDwmuSCjfvHr1LZxo/r\nVPR6+KiQC+o8qBzK0413D3rn+0pAWCcrkb9//PGwXxtRzjEodwbX9B+g8UGzkbfD\nH5scogl3Nd+3zUTsSp5D5IZUJsVv1lN2klv4y48zidey2qELOC8n6hPnrbOHfZqZ\nR22/o2/TeWxnWbmMUN2kx9r++QKBgQDvIyWePiJgFvlRLSLQQpZOiDV4z61Ixows\nDBrTeQyfAYG8gROA0LUS3zS4njA2Yr6xFj6M8rhUD9bLQ1+mGIJWi7ZI2cD+TDtH\ntdxTS7jBU8s26H2nisD8kvKpq61RxI1A2H7u+9gPzDweM0boBlERNqjyPUZhNbdD\n0+7AwmJC4wKBgB91kTVEzUvxr5qL7NtvUzwU8S1McYcW0BTxDkkn/AEDCVVacVyw\nBOL+NrfB57eNhz3sOjfYUp5fjSCmh+l6Y3Sd9zDgGW1V6JIgu4rTAYFVRHF4C5ew\nUVg5fXLWrh5TmcT2xquoXovnWVb45FLwVPg+rWtwL+1ffPRMyn42J3s5AoGAf6CR\ndigRLpl0THe7aczv7U/SwfyMrheRPfzj4FNtgftK43E8GHbK/Rx1RcbfUldXEKof\njhgIeozNhUQa60mPXmNIUQ8uakoDJV2RDj+OhleTUGW6kk2CfAptSlKeuNIe1Sn2\nbNOqV5wXxcJ2KGUepQI4HrjHNCB4A9I7TVMxICMCgYAPXO4/xTZJ/0Nmjd085yRo\nhDFBUTwWPHUTbUA1bBMd908F4RD0WnnLPzSC1hSxhhCGm119JGgusZfwL2Ey1nYh\n9B3b/EwArE/vC+Fl/tyILQR2G/D/f70dISuDut139cKEM8qBLJ2JRuYbKlEBPhGW\nw0x8SmTkNYepAG0SSaBu7g==\n-----END PRIVATE KEY-----\n",
+  "client_email": "test-mutable-credentials@ldetmer-sanbox.iam.gserviceaccount.com",
+  "client_id": "110488447517330409458",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-mutable-credentials%40ldetmer-sanbox.iam.gserviceaccount.com",
+  "universe_domain": "googleapis.com"
+}