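# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""System tests for ``google.auth.impersonated_credentials``.

Each test builds a *source* credential (an OAuth2 user credential or a
service account), refreshes it against the live token endpoint, and then
uses it to mint a short-lived access token for a *target* service account.

The fixtures ``authorized_user_file``, ``service_account_file``,
``impersonated_service_account_file``, ``http_request`` and ``token_info``
are supplied by the surrounding test package; they are not defined here.
"""

import json

import pytest

import google.auth.impersonated_credentials
import google.oauth2.credentials
from google.auth import _helpers
from google.oauth2 import service_account

GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Scope the user-credential source needs so the generateAccessToken request is
# accepted. The user must also hold ``Service Account Token Creator`` on the
# project that owns the impersonated service account.
# See https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
SOURCE_SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]

# Scopes requested for the impersonated (target) token. Shared by both tests so
# they exercise the same, deliberately narrow, permission set. Tests pass a
# fresh ``list(...)`` copy so the shared constant can never be mutated.
TARGET_SCOPES = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/analytics",
]


@pytest.fixture
def service_account_credentials(service_account_file):
    """Service account credentials loaded from the ``service_account_file`` fixture."""
    yield service_account.Credentials.from_service_account_file(service_account_file)


@pytest.fixture
def impersonated_service_account_credentials(impersonated_service_account_file):
    """Credentials of the service account that the tests impersonate.

    The tests only read ``service_account_email`` from this object; it names the
    target principal of the impersonation call.
    """
    yield service_account.Credentials.from_service_account_file(
        impersonated_service_account_file
    )


def test_refresh_with_user_credentials_as_source(
    authorized_user_file,
    impersonated_service_account_credentials,
    http_request,
    token_info,
):
    """Impersonate a service account with an OAuth2 *user* credential as source.

    ``token_info`` is requested but not referenced in the body; it is kept so
    the fixture graph this test depends on is unchanged.
    """
    with open(authorized_user_file, "r", encoding="utf-8") as fh:
        info = json.load(fh)

    source_credentials = google.oauth2.credentials.Credentials(
        None,  # no access token yet; the refresh below obtains one
        refresh_token=info["refresh_token"],
        token_uri=GOOGLE_OAUTH2_TOKEN_ENDPOINT,
        client_id=info["client_id"],
        client_secret=info["client_secret"],
        scopes=list(SOURCE_SCOPES),
    )
    source_credentials.refresh(http_request)
    # Fail here, with a clear message, if the source refresh yielded no token,
    # rather than inside the impersonation call below.
    assert source_credentials.token

    target_credentials = google.auth.impersonated_credentials.Credentials(
        source_credentials=source_credentials,
        target_principal=impersonated_service_account_credentials.service_account_email,
        target_scopes=list(TARGET_SCOPES),
        # Short lifetime in seconds: the minted token is only needed for the
        # assertion below, so keep the window in which it is usable small.
        lifetime=100,
    )
    target_credentials.refresh(http_request)

    assert target_credentials.token


def test_refresh_with_service_account_credentials_as_source(
    http_request,
    service_account_credentials,
    impersonated_service_account_credentials,
    token_info,
):
    """Impersonate a service account with another *service account* as source.

    ``token_info`` is requested but not referenced in the body; it is kept so
    the fixture graph this test depends on is unchanged.
    """
    # The source is narrowed to the ``email`` scope before it is refreshed.
    source_credentials = service_account_credentials.with_scopes(["email"])
    source_credentials.refresh(http_request)
    assert source_credentials.token

    # No ``lifetime`` is passed here, so the library default applies.
    target_credentials = google.auth.impersonated_credentials.Credentials(
        source_credentials=source_credentials,
        target_principal=impersonated_service_account_credentials.service_account_email,
        target_scopes=list(TARGET_SCOPES),
    )
    target_credentials.refresh(http_request)

    assert target_credentials.token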