chore: rename _refresh_token to _perform_refresh_token (#1900)

[A recent
change](36ecb1d#diff-4762e5cf4088fa77af8bf63829f842548a4cad6e76be593786876e314807cd8f)
added an internal _refresh_token method to some credentials files.

Parts of the codebase were already using `_refresh_token` as an internal
variable, holding a token value

This causes some inconsistencies in the codebase, where it's not always
clear if `_refresh_token` is referring to an action or an object

It was also causing complications in internal code that depended on
_refresh_token objects

This PR renames the methods to `_perform_refresh_token`, to avoid the
duplicate naming

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Chalmer Lowe <chalmerlowe@google.com>
Co-authored-by: Anthonios Partheniou <partheniou@google.com>

Author: 4 people

google/auth/compute_engine/credentials.py

@@ -123,7 +123,7 @@ def _retrieve_info(self, request):
     def _metric_header_for_usage(self):
         return metrics.CRED_TYPE_SA_MDS
 
-    def _refresh_token(self, request):
+    def _perform_refresh_token(self, request):
         """Refresh the access token and scopes.
 
         Args:

google/auth/credentials.py

@@ -292,7 +292,7 @@ class CredentialsWithTrustBoundary(Credentials):
     """Abstract base for credentials supporting ``with_trust_boundary`` factory"""
 
     @abc.abstractmethod
-    def _refresh_token(self, request):
+    def _perform_refresh_token(self, request):
         """Refreshes the access token.
 
         Args:
@@ -303,7 +303,7 @@ def _refresh_token(self, request):
             google.auth.exceptions.RefreshError: If the credentials could
                 not be refreshed.
         """
-        raise NotImplementedError("_refresh_token must be implemented")
+        raise NotImplementedError("_perform_refresh_token must be implemented")
 
     def with_trust_boundary(self, trust_boundary):
         """Returns a copy of these credentials with a modified trust boundary.
@@ -362,7 +362,7 @@ def refresh(self, request):
         This method calls the subclass's token refresh logic and then
         refreshes the trust boundary if applicable.
         """
-        self._refresh_token(request)
+        self._perform_refresh_token(request)
         self._refresh_trust_boundary(request)
 
     def _refresh_trust_boundary(self, request):

google/auth/external_account.py

@@ -420,7 +420,7 @@ def refresh(self, request):
         source credentials and the impersonated credentials. For non-impersonated
         credentials, it will refresh the access token and the trust boundary.
         """
-        self._refresh_token(request)
+        self._perform_refresh_token(request)
         self._handle_trust_boundary(request)
 
     def _handle_trust_boundary(self, request):
@@ -432,7 +432,7 @@ def _handle_trust_boundary(self, request):
             # Otherwise, refresh the trust boundary for the external account.
             self._refresh_trust_boundary(request)
 
-    def _refresh_token(self, request, cert_fingerprint=None):
+    def _perform_refresh_token(self, request, cert_fingerprint=None):
         scopes = self._scopes if self._scopes is not None else self._default_scopes
 
         # Inject client certificate into request.

google/auth/external_account_authorized_user.py

@@ -124,7 +124,7 @@ def __init__(
         self.token = token
         self.expiry = expiry
         self._audience = audience
-        self._refresh_token_val = refresh_token
+        self._refresh_token = refresh_token
         self._token_url = token_url
         self._token_info_url = token_info_url
         self._client_id = client_id
@@ -171,7 +171,7 @@ def info(self):
     def constructor_args(self):
         return {
             "audience": self._audience,
-            "refresh_token": self._refresh_token_val,
+            "refresh_token": self._refresh_token,
             "token_url": self._token_url,
             "token_info_url": self._token_info_url,
             "client_id": self._client_id,
@@ -215,7 +215,7 @@ def audience(self):
     @property
     def refresh_token(self):
         """Optional[str]: The OAuth 2.0 refresh token."""
-        return self._refresh_token_val
+        return self._refresh_token
 
     @property
     def token_url(self):
@@ -241,7 +241,7 @@ def is_user(self):
     def can_refresh(self):
         return all(
             (
-                self._refresh_token_val,
+                self._refresh_token,
                 self._token_url,
                 self._client_id,
                 self._client_secret,
@@ -279,7 +279,7 @@ def to_json(self, strip=None):
         strip = strip if strip else []
         return json.dumps({k: v for (k, v) in self.info.items() if k not in strip})
 
-    def _refresh_token(self, request):
+    def _perform_refresh_token(self, request):
         """Refreshes the access token.
 
         Args:
@@ -298,15 +298,15 @@ def _refresh_token(self, request):
             )
 
         now = _helpers.utcnow()
-        response_data = self._sts_client.refresh_token(request, self._refresh_token_val)
+        response_data = self._sts_client.refresh_token(request, self._refresh_token)
 
         self.token = response_data.get("access_token")
 
         lifetime = datetime.timedelta(seconds=response_data.get("expires_in"))
         self.expiry = now + lifetime
 
         if "refresh_token" in response_data:
-            self._refresh_token_val = response_data["refresh_token"]
+            self._refresh_token = response_data["refresh_token"]
 
     def _build_trust_boundary_lookup_url(self):
         """Builds and returns the URL for the trust boundary lookup API."""
@@ -333,15 +333,15 @@ def revoke(self, request):
             google.auth.exceptions.OAuthError: If the token could not be
                 revoked.
         """
-        if not self._revoke_url or not self._refresh_token_val:
+        if not self._revoke_url or not self._refresh_token:
             raise exceptions.OAuthError(
                 "The credentials do not contain the necessary fields to "
                 "revoke the refresh token. You must specify revoke_url and "
                 "refresh_token."
             )
 
         self._sts_client.revoke_token(
-            request, self._refresh_token_val, "refresh_token", self._revoke_url
+            request, self._refresh_token, "refresh_token", self._revoke_url
         )
         self.token = None
         self._refresh_token = None

google/auth/identity_pool.py

@@ -571,5 +571,5 @@ def refresh(self, request):
                     _agent_identity_utils.calculate_certificate_fingerprint(cert)
                 )
 
-        self._refresh_token(request, cert_fingerprint=cert_fingerprint)
+        self._perform_refresh_token(request, cert_fingerprint=cert_fingerprint)
         self._handle_trust_boundary(request)

google/auth/impersonated_credentials.py

@@ -272,7 +272,7 @@ def __init__(
     def _metric_header_for_usage(self):
         return metrics.CRED_TYPE_SA_IMPERSONATE
 
-    def _refresh_token(self, request):
+    def _perform_refresh_token(self, request):
         """Updates credentials with a new access_token representing
         the impersonated account.
 

google/oauth2/service_account.py

@@ -434,7 +434,7 @@ def _metric_header_for_usage(self):
         return metrics.CRED_TYPE_SA_ASSERTION
 
     @_helpers.copy_docstring(credentials.CredentialsWithTrustBoundary)
-    def _refresh_token(self, request):
+    def _perform_refresh_token(self, request):
         if self._always_use_jwt_access and not self._jwt_credentials:
             # If self signed jwt should be used but jwt credential is not
             # created, try to create one with scopes

tests/test_credentials.py

@@ -27,7 +27,7 @@
 
 
 class CredentialsImpl(credentials.CredentialsWithTrustBoundary):
-    def _refresh_token(self, request):
+    def _perform_refresh_token(self, request):
         self.token = "refreshed-token"
         self.expiry = (
             datetime.datetime.utcnow()

tests/test_external_account.py

@@ -737,7 +737,7 @@ def test_refresh_skips_trust_boundary_lookup_when_disabled(
         credentials.apply(headers_applied)
         assert "x-allowed-locations" not in headers_applied
 
-    def test_refresh_token_with_cert_fingerprint(self):
+    def test_perform_refresh_token_with_cert_fingerprint(self):
         credentials = self.make_credentials()
         credentials._sts_client = mock.MagicMock()
         credentials._sts_client.exchange_token.return_value = {
@@ -748,7 +748,7 @@ def test_refresh_token_with_cert_fingerprint(self):
             return_value="subject_token"
         )
 
-        credentials._refresh_token(
+        credentials._perform_refresh_token(
             request=mock.sentinel.request, cert_fingerprint="my-fingerprint"
         )
 

tests/test_external_account_authorized_user.py

@@ -194,7 +194,7 @@ def test_refresh_auth_success(self, utcnow):
         assert creds.valid
         assert not creds.requires_scopes
         assert creds.is_user
-        assert creds._refresh_token_val == REFRESH_TOKEN
+        assert creds._refresh_token == REFRESH_TOKEN
 
         request.assert_called_once_with(
             url=TOKEN_URL,
@@ -228,7 +228,7 @@ def test_refresh_auth_success_new_refresh_token(self, utcnow):
         assert creds.valid
         assert not creds.requires_scopes
         assert creds.is_user
-        assert creds._refresh_token_val == NEW_REFRESH_TOKEN
+        assert creds._refresh_token == NEW_REFRESH_TOKEN
 
         request.assert_called_once_with(
             url=TOKEN_URL,
@@ -510,7 +510,7 @@ def test_with_quota_project(self):
         )
         new_creds = creds.with_quota_project(QUOTA_PROJECT_ID)
         assert new_creds._audience == creds._audience
-        assert new_creds._refresh_token_val == creds.refresh_token
+        assert new_creds._refresh_token == creds.refresh_token
         assert new_creds._token_url == creds._token_url
         assert new_creds._token_info_url == creds._token_info_url
         assert new_creds._client_id == creds._client_id
@@ -529,7 +529,7 @@ def test_with_token_uri(self):
         )
         new_creds = creds.with_token_uri("https://google.com")
         assert new_creds._audience == creds._audience
-        assert new_creds._refresh_token_val == creds.refresh_token
+        assert new_creds._refresh_token == creds.refresh_token
         assert new_creds._token_url == "https://google.com"
         assert new_creds._token_info_url == creds._token_info_url
         assert new_creds._client_id == creds._client_id
@@ -548,7 +548,7 @@ def test_with_universe_domain(self):
         )
         new_creds = creds.with_universe_domain(FAKE_UNIVERSE_DOMAIN)
         assert new_creds._audience == creds._audience
-        assert new_creds._refresh_token_val == creds.refresh_token
+        assert new_creds._refresh_token == creds.refresh_token
         assert new_creds._token_url == creds._token_url
         assert new_creds._token_info_url == creds._token_info_url
         assert new_creds._client_id == creds._client_id
@@ -568,7 +568,7 @@ def test_with_trust_boundary(self):
         )
         new_creds = creds.with_trust_boundary({"encodedLocations": "new_boundary"})
         assert new_creds._audience == creds._audience
-        assert new_creds._refresh_token_val == creds.refresh_token
+        assert new_creds._refresh_token == creds.refresh_token
         assert new_creds._token_url == creds._token_url
         assert new_creds._token_info_url == creds._token_info_url
         assert new_creds._client_id == creds._client_id