fix: fix error in sign_bytes (#905)
* fix: fix error in sign_bytes
* fix test
diff --git a/.coveragerc b/.coveragerc
index 494c03f..9ba3d3f 100644
--- a/.coveragerc
+++ b/.coveragerc
@@ -5,6 +5,7 @@
omit =
*/samples/*
*/conftest.py
+ */google-cloud-sdk/lib/*
exclude_lines =
# Re-enable the standard pragma
pragma: NO COVER
diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py
index b8a6c49..80d6fdf 100644
--- a/google/auth/impersonated_credentials.py
+++ b/google/auth/impersonated_credentials.py
@@ -290,6 +290,11 @@
url=iam_sign_endpoint, headers=headers, json=body
)
+ if response.status_code != http_client.OK:
+ raise exceptions.TransportError(
+ "Error calling sign_bytes: {}".format(response.json())
+ )
+
return base64.b64decode(response.json()["signedBlob"])
@property
diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py
index bceaeba..bc404e3 100644
--- a/tests/test_impersonated_credentials.py
+++ b/tests/test_impersonated_credentials.py
@@ -345,6 +345,19 @@
signature = credentials.sign_bytes(b"signed bytes")
assert signature == b"signature"
+ def test_sign_bytes_failure(self):
+ credentials = self.make_credentials(lifetime=None)
+
+ with mock.patch(
+ "google.auth.transport.requests.AuthorizedSession.request", autospec=True
+ ) as auth_session:
+ data = {"error": {"code": 403, "message": "unauthorized"}}
+ auth_session.return_value = MockResponse(data, http_client.FORBIDDEN)
+
+ with pytest.raises(exceptions.TransportError) as excinfo:
+ credentials.sign_bytes(b"foo")
+ assert excinfo.match("'code': 403")
+
def test_with_quota_project(self):
credentials = self.make_credentials()
