feat(google credentials): private_key_id and private_key are secrets

ToucanToco · Oct 18, 2023 · 976a055 · 976a055
1 parent b6b3414
commit 976a055
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 7 deletions.
diff --git a/tests/test_google_credentials.py b/tests/test_google_credentials.py
@@ -1,3 +1,5 @@
+import json
+
 from pytest_mock import MockFixture
 
 from toucan_connectors.google_credentials import GoogleCredentials, get_google_oauth2_credentials
@@ -17,6 +19,14 @@ def test_google_credentials(mocker: MockFixture):
         'client_x509_cert_url': 'https://www.googleapis.com/robot/v1/metadata/x509/xxx.iam.gserviceaccount.com',  # noqa: E501
     }
     credentials = GoogleCredentials(**conf)
+    # Ensure `private_key_id` and `private_key` are masked
+    assert credentials.json() == json.dumps(
+        {
+            **conf,
+            'private_key_id': '**********',
+            'private_key': '**********',
+        }
+    )
     # Ensure `Credentials` is called with the right values of secrets
     mock_credentials = mocker.patch('toucan_connectors.google_credentials.Credentials')
     get_google_oauth2_credentials(credentials)
@@ -38,7 +48,7 @@ def test_unespace_break_lines():
     }
     credentials = GoogleCredentials(**conf)
     assert (
-        credentials.private_key == '-----BEGIN PRIVATE KEY-----\n'
+        credentials.private_key.get_secret_value() == '-----BEGIN PRIVATE KEY-----\n'
         'aaa\n'
         'bbb\n'
         '-----END PRIVATE KEY-----\n'

diff --git a/toucan_connectors/google_credentials.py b/toucan_connectors/google_credentials.py
@@ -1,5 +1,5 @@
 from google.oauth2.service_account import Credentials
-from pydantic import BaseModel, Field, HttpUrl, validator
+from pydantic import BaseModel, Field, HttpUrl, SecretStr, validator
 
 CREDENTIALS_INFO_MESSAGE = (
     'This information is provided in your '
@@ -13,8 +13,10 @@ class GoogleCredentials(BaseModel):
         'service_account', title='Service account', description=CREDENTIALS_INFO_MESSAGE
     )
     project_id: str = Field(..., title='Project ID', description=CREDENTIALS_INFO_MESSAGE)
-    private_key_id: str = Field(..., title='Private Key ID', description=CREDENTIALS_INFO_MESSAGE)
-    private_key: str = Field(
+    private_key_id: SecretStr = Field(
+        ..., title='Private Key ID', description=CREDENTIALS_INFO_MESSAGE
+    )
+    private_key: SecretStr = Field(
         ...,
         title='Private Key',
         description=f'A private key in the form '
@@ -44,15 +46,18 @@ class GoogleCredentials(BaseModel):
     )
 
     @validator('private_key')
-    def unescape_break_lines(cls, v):
+    def unescape_break_lines(cls, v: SecretStr) -> SecretStr:
         """
         `private_key` is a long string like
         '-----BEGIN PRIVATE KEY-----\nxxx...zzz\n-----END PRIVATE KEY-----\n
         As the breaking line are often escaped by the client,
         we need to be sure it's unescaped
         """
-        return v.replace('\\n', '\n')
+        return SecretStr(v.get_secret_value().replace('\\n', '\n'))
 
 
 def get_google_oauth2_credentials(google_credentials: GoogleCredentials) -> Credentials:
-    return Credentials.from_service_account_info(google_credentials.dict())
+    creds = google_credentials.dict()
+    for secret_field in ('private_key_id', 'private_key'):
+        creds[secret_field] = creds[secret_field].get_secret_value()
+    return Credentials.from_service_account_info(creds)