google-auth-library-python: initial integration (#8008)

* google-auth-library-python: initial integration

Initial integration of
https://github.com/googleapis/google-auth-library-python

* nit

4 files changed, 121 insertions, 0 deletions

diff --git a/projects/g-api-auth-library-python/Dockerfile b/projects/g-api-auth-library-python/Dockerfile
new file mode 100644
index 00000000..3dc0dfa5
--- /dev/null
+++ b/projects/g-api-auth-library-python/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN pip3 install --upgrade pip
+RUN git clone https://github.com/googleapis/google-auth-library-python
+COPY build.sh *.py $SRC/
+WORKDIR google-auth-library-python
diff --git a/projects/g-api-auth-library-python/build.sh b/projects/g-api-auth-library-python/build.sh
new file mode 100644
index 00000000..841b8501
--- /dev/null
+++ b/projects/g-api-auth-library-python/build.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Copy cryptographic test data
+cp tests/data/*.pem $OUT/
+cp tests/data/*.pub $OUT/
+
+pip3 install .
+
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+  compile_python_fuzzer $fuzzer
+done
diff --git a/projects/g-api-auth-library-python/fuzz_jwt.py b/projects/g-api-auth-library-python/fuzz_jwt.py
new file mode 100644
index 00000000..cbc94be1
--- /dev/null
+++ b/projects/g-api-auth-library-python/fuzz_jwt.py
@@ -0,0 +1,62 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import atheris
+import sys
+
+with atheris.instrument_imports():
+  from google.auth import jwt
+  from google.auth import crypt
+
+if os.path.isfile("privatekey.pem"):
+  with open("privatekey.pem", "rb") as fh:
+    PRIVATE_KEY_BYTES = fh.read()
+else:
+  raise Exception("Could not find private key")
+
+if os.path.isfile("public_cert.pem"):
+  with open("public_cert.pem", "rb") as fh:
+    PUBLIC_CERT_BYTES = fh.read()
+else:
+  raise Exception("Could not find public cert")
+
+
+def test_roundtrip_unverified(data):
+  fdp = atheris.FuzzedDataProvider(data)
+  raw_data = fdp.ConsumeString(200)
+  signer = crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, "1")
+  encoded = jwt.encode(signer, raw_data)
+
+  _, decoded_data, _, _ = jwt._unverified_decode(encoded)
+  assert(raw_data == decoded_data)
+
+def test_token_decode(data):
+  fdp = atheris.FuzzedDataProvider(data)
+  try:
+    jwt.decode(fdp.ConsumeString(200), certs=PUBLIC_CERT_BYTES)
+  except ValueError:  # ValueError is thrown if any failed verification checks
+    pass
+
+def TestOneInput(data):
+  test_roundtrip_unverified(data)
+  test_token_decode(data)
+
+def main():
+  atheris.instrument_all()
+  atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True)
+  atheris.Fuzz()
+
+if __name__ == "__main__":
+  main()
diff --git a/projects/g-api-auth-library-python/project.yaml b/projects/g-api-auth-library-python/project.yaml
new file mode 100644
index 00000000..19a2924c
--- /dev/null
+++ b/projects/g-api-auth-library-python/project.yaml
@@ -0,0 +1,12 @@
+fuzzing_engines:
+- libfuzzer
+homepage: https://github.com/googleapis/google-auth-library-python
+language: python
+main_repo: https://github.com/googleapis/google-auth-library-python
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
+- adam@adalogics.com
+- arthur.chan@adalogics.com