refactor(tool): enforce strict ADK auth (3LO) and full test coverage

anubhav756 · anubhav756 · commit 3c99afa8ad33 · 2025-12-11T02:31:22.000+05:30
diff --git a/packages/toolbox-adk/src/toolbox_adk/tool.py b/packages/toolbox-adk/src/toolbox_adk/tool.py
@@ -20,12 +20,15 @@
 from google.adk.tools.base_tool import BaseTool
 from google.adk.agents.readonly_context import ReadonlyContext
 
-from google_auth_oauthlib.flow import InstalledAppFlow
-from google.auth.transport.requests import Request
+from google.adk.auth.auth_tool import AuthConfig
+from google.adk.auth.auth_credential import AuthCredential, AuthCredentialTypes, OAuth2Auth
+from fastapi.openapi.models import SecurityScheme, OAuthFlows, OAuthFlowAuthorizationCode, OAuth2
+
 from .credentials import CredentialConfig, CredentialType
 from .client import USER_TOKEN_CONTEXT_VAR
 
 
+
 class ToolboxContext:
     """Context object passed to pre/post hooks."""
     def __init__(self, arguments: Dict[str, Any], tool_context: ReadonlyContext):
@@ -70,7 +73,6 @@ def __init__(
         self._pre_hook = pre_hook
         self._post_hook = post_hook
         self._auth_config = auth_config
-        self._user_creds: Optional[Any] = None
 
     @override
     async def run_async(
@@ -88,36 +90,61 @@ async def run_async(
         # 2. ADK Auth Integration (3LO)
         # Check if USER_IDENTITY is configured
         reset_token = None
+        
         if self._auth_config and self._auth_config.type == CredentialType.USER_IDENTITY:
-            # Handle interactive flow if credentials are missing or expired
-            if not self._user_creds or not self._user_creds.valid:
-                if self._user_creds and self._user_creds.expired and self._user_creds.refresh_token:
-                    try:
-                        self._user_creds.refresh(Request())
-                    except Exception:
-                        self._user_creds = None
+            if not self._auth_config.client_id or not self._auth_config.client_secret:
+                raise ValueError("USER_IDENTITY requires client_id and client_secret")
                 
-                if not self._user_creds:
-                    # Trigger flow
-                    if not (self._auth_config.client_id and self._auth_config.client_secret):
-                        raise ValueError("USER_IDENTITY requires client_id and client_secret")
-                    
-                    config = {
-                        "installed": {
-                            "client_id": self._auth_config.client_id,
-                            "client_secret": self._auth_config.client_secret,
-                            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-                            "token_uri": "https://oauth2.googleapis.com/token",
-                        }
-                    }
-                    scopes = self._auth_config.scopes or ["https://www.googleapis.com/auth/cloud-platform"]
-                    
-                    flow = InstalledAppFlow.from_client_config(config, scopes=scopes)
-                    self._user_creds = flow.run_local_server(port=0)
+            # Construct ADK AuthConfig
+            scopes = self._auth_config.scopes or ["https://www.googleapis.com/auth/cloud-platform"]
+            scope_dict = {s: "" for s in scopes}
             
-            # Inject token into ContextVar
-            if self._user_creds:
-                reset_token = USER_TOKEN_CONTEXT_VAR.set(self._user_creds.token)
+            auth_config_adk = AuthConfig(
+                auth_scheme=OAuth2(
+                    flows=OAuthFlows(
+                        authorizationCode=OAuthFlowAuthorizationCode(
+                            authorizationUrl="https://accounts.google.com/o/oauth2/auth",
+                            tokenUrl="https://oauth2.googleapis.com/token",
+                            scopes=scope_dict
+                        )
+                    )
+                ),
+                raw_auth_credential=AuthCredential(
+                    auth_type=AuthCredentialTypes.OAUTH2,
+                    oauth2=OAuth2Auth(
+                        client_id=self._auth_config.client_id,
+                        client_secret=self._auth_config.client_secret,
+                        scopes=scopes
+                    )
+                )
+            )
+
+            # Check if we already have credentials from a previous exchange
+            try:
+                # get_auth_response returns AuthCredential if found
+                creds = tool_context.get_auth_response(auth_config_adk)
+                if creds and creds.oauth2 and creds.oauth2.access_token:
+                    reset_token = USER_TOKEN_CONTEXT_VAR.set(creds.oauth2.access_token)
+                else:
+                    # Request credentials. This will signal the runner to pause.
+                    # We return None (or raise) to stop current execution.
+                    tool_context.request_credential(auth_config_adk)
+                    # Returning None here. The ADK runner will see the requested_auth_configs
+                    # in the tool_context/event and trigger the client event.
+                    return None
+            except Exception as e:
+                # If get_auth_response fails drastically or request_credential fails
+                ctx.error = e
+                # We might want to request credential if retrieval failed?
+                # For now let's assume if it fails we can't proceed.
+                # Actually, strictly we should probably request credential if get_auth_response returns nothing
+                # but get_auth_response typically handles the lookup.
+                # If exception is unrelated, raise.
+                if "credential" in str(e).lower() or isinstance(e, ValueError): # Loose check, but safest is to re-raise
+                     raise e
+                # Fallback to request logic if it was a lookup error?
+                tool_context.request_credential(auth_config_adk)
+                return None
 
         try:
             # Execute the core tool
diff --git a/packages/toolbox-adk/tests/unit/test_tool.py b/packages/toolbox-adk/tests/unit/test_tool.py
@@ -127,3 +127,122 @@ async def test_bind_params(self):
         # unless we mock properly.
         assert new_tool._core_tool == "new_core_tool"
         mock_core.bind_params.assert_called_with({"a": 1})
+    @pytest.mark.asyncio
+    async def test_3lo_missing_client_secret(self):
+        # Test ValueError when client_id/secret missing
+        core_tool = AsyncMock()
+        auth_config = CredentialConfig(type=CredentialType.USER_IDENTITY) 
+        # Missing client_id/secret
+        
+        tool = ToolboxTool(core_tool, auth_config=auth_config)
+        ctx = MagicMock() # Mock the context
+        
+        with pytest.raises(ValueError, match="USER_IDENTITY requires client_id and client_secret"):
+            await tool.run_async({"arg": "val"}, ctx)
+
+    @pytest.mark.asyncio
+    async def test_3lo_request_credential_when_missing(self):
+        # Test that if creds are missing, request_credential is called and returns None
+        core_tool = AsyncMock()
+        auth_config = CredentialConfig(
+            type=CredentialType.USER_IDENTITY,
+            client_id="cid",
+            client_secret="csec"
+        )
+        
+        tool = ToolboxTool(core_tool, auth_config=auth_config)
+        
+        ctx = MagicMock()
+        # Mock get_auth_response returning None (no creds yet)
+        ctx.get_auth_response.return_value = None
+        
+        result = await tool.run_async({}, ctx)
+        
+        # Verify result is None (signal pause)
+        assert result is None
+        # Verify request_credential was called
+        ctx.request_credential.assert_called_once()
+        # Verify core tool was NOT called
+        core_tool.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_3lo_uses_existing_credential(self):
+        # Test that if creds exist, they are used and injected
+        core_tool = AsyncMock(return_value="success")
+        auth_config = CredentialConfig(
+            type=CredentialType.USER_IDENTITY,
+            client_id="cid",
+            client_secret="csec"
+        )
+        
+        tool = ToolboxTool(core_tool, auth_config=auth_config)
+        
+        ctx = MagicMock()
+        # Mock get_auth_response returning valid creds
+        mock_creds = MagicMock()
+        mock_creds.oauth2.access_token = "valid_token"
+        ctx.get_auth_response.return_value = mock_creds
+        
+        result = await tool.run_async({}, ctx)
+        
+        # Verify result is success
+        assert result == "success"
+        # Verify request_credential was NOT called
+        ctx.request_credential.assert_not_called()
+        # Verify core tool WAS called
+        core_tool.assert_called_once()
+        
+
+    @pytest.mark.asyncio
+    async def test_3lo_exception_reraise(self):
+        # Test that specific credential errors are re-raised
+        core_tool = AsyncMock()
+        auth_config = CredentialConfig(
+             type=CredentialType.USER_IDENTITY,
+             client_id="cid",
+             client_secret="csec"
+        )
+        tool = ToolboxTool(core_tool, auth_config=auth_config)
+        ctx = MagicMock()
+        
+        # Mock get_auth_response raising ValueError
+        ctx.get_auth_response.side_effect = ValueError("Invalid Credential")
+        
+        with pytest.raises(ValueError, match="Invalid Credential"):
+            await tool.run_async({}, ctx)
+
+    @pytest.mark.asyncio
+    async def test_3lo_exception_fallback(self):
+        # Test that non-credential errors trigger fallback request
+        core_tool = AsyncMock()
+        auth_config = CredentialConfig(
+             type=CredentialType.USER_IDENTITY,
+             client_id="cid",
+             client_secret="csec"
+        )
+        tool = ToolboxTool(core_tool, auth_config=auth_config)
+        ctx = MagicMock()
+        
+        # Mock get_auth_response raising generic error
+        ctx.get_auth_response.side_effect = RuntimeError("Random failure")
+        
+        result = await tool.run_async({}, ctx)
+        
+        # Should catch RuntimeError, call request_credential, and return None
+        assert result is None
+        ctx.request_credential.assert_called_once()
+
+    def test_init_defaults(self):
+        # Test initialization with minimal tool metadata
+        class EmptyTool:
+            pass
+            
+        core_tool = EmptyTool()
+        args = {"core_tool": core_tool}
+        
+        # Directly instantiate or if strict typing prevents it, force it
+        # ToolboxTool expects CoreToolboxTool which is a Protocol/Class. 
+        # But at runtime it just checks attributes.
+        tool = ToolboxTool(core_tool)
+        assert tool.name == "unknown_tool"
+        assert tool.description == "No description provided."
