fix: disabling self-signed jwt for domain wide delegation (#754)
* disabling self-signed jwt for domain wide delegation

* fix: nit fixes
TimurSadykov authored Oct 4, 2021
1 parent 8e8c73a commit ac70a27
Showing 3 changed files with 38 additions and 7 deletions.
Expand Up @@ -1018,7 +1018,8 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException

// If scopes are provided but we cannot use self signed JWT, then use scopes to get access
// token.
if (!createScopedRequired() && !useJwtAccessWithScope) {
if ((!createScopedRequired() && !useJwtAccessWithScope)
|| (serviceAccountUser != null && serviceAccountUser.length() > 0)) {
return super.getRequestMetadata(uri);
}

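Review bot: The new `serviceAccountUser` branch on the third and fourth lines of the hunk is not explained by the comment above it, which still only talks about scopes, so a later reader will not know why domain-wide delegation forces the token-endpoint path. Replace the two comment lines with `// Self-signed JWTs cannot be used with domain-wide delegation (serviceAccountUser set), and are also unusable when scopes are present but useJwtAccessWithScope is off; in both cases exchange for an access token at the token endpoint.` Consider folding the inline `serviceAccountUser != null && serviceAccountUser.length() > 0` into a small private predicate such as `hasServiceAccountUser()`, so that any other code path in this class that builds self-signed JWTs can apply the identical guard rather than a re-typed variant; whether such paths exist is outside the hunk. `getRequestMetadata` starts and ends outside the hunk.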
Expand Up @@ -1355,7 +1355,6 @@ public void getRequestMetadata_selfSignedJWT_withScopes() throws IOException {
.setPrivateKey(privateKey)
.setPrivateKeyId(PRIVATE_KEY_ID)
.setScopes(SCOPES)
.setServiceAccountUser(USER)
.setProjectId(PROJECT_ID)
.setHttpTransportFactory(new MockTokenServerTransportFactory())
.setUseJwtAccessWithScope(true)
Expand All @@ -1366,16 +1365,51 @@ public void getRequestMetadata_selfSignedJWT_withScopes() throws IOException {
}

@Test
public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
public void refreshAccessToken_withDomainDelegation_selfSignedJWT_disabled() throws IOException {
final String accessToken1 = "1/MkSJoj1xsli0AccessToken_NKPY2";
final String accessToken2 = "2/MkSJoj1xsli0AccessToken_NKPY2";
MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
MockTokenServerTransport transport = transportFactory.transport;
PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
GoogleCredentials credentials =
ServiceAccountCredentials.newBuilder()
.setClientId(CLIENT_ID)
.setClientEmail(CLIENT_EMAIL)
.setPrivateKey(privateKey)
.setPrivateKeyId(PRIVATE_KEY_ID)
.setScopes(SCOPES)
.setServiceAccountUser(USER)
.setProjectId(PROJECT_ID)
.setHttpTransportFactory(transportFactory)
.setUseJwtAccessWithScope(true)
.build();

transport.addServiceAccount(CLIENT_EMAIL, accessToken1);
Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
TestUtils.assertContainsBearerToken(metadata, accessToken1);

try {
verifyJwtAccess(metadata, "dummy.scope");
fail("jwt access should fail with ServiceAccountUser");
} catch (Exception ex) {
// expected
}

transport.addServiceAccount(CLIENT_EMAIL, accessToken2);
credentials.refresh();
TestUtils.assertContainsBearerToken(credentials.getRequestMetadata(CALL_URI), accessToken2);
}

@Test
public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
GoogleCredentials credentials =
ServiceAccountCredentials.newBuilder()
.setClientId(CLIENT_ID)
.setClientEmail(CLIENT_EMAIL)
.setPrivateKey(privateKey)
.setPrivateKeyId(PRIVATE_KEY_ID)
.setProjectId(PROJECT_ID)
.setHttpTransportFactory(new MockTokenServerTransportFactory())
.build();

Expand All @@ -1393,7 +1427,6 @@ public void getRequestMetadata_selfSignedJWT_withDefaultScopes() throws IOExcept
.setPrivateKey(privateKey)
.setPrivateKeyId(PRIVATE_KEY_ID)
.setScopes(null, SCOPES)
.setServiceAccountUser(USER)
.setProjectId(PROJECT_ID)
.setHttpTransportFactory(new MockTokenServerTransportFactory())
.setUseJwtAccessWithScope(true)
Expand All @@ -1412,7 +1445,6 @@ public void getRequestMetadataWithCallback_selfSignedJWT() throws IOException {
.setClientEmail(CLIENT_EMAIL)
.setPrivateKey(privateKey)
.setPrivateKeyId(PRIVATE_KEY_ID)
.setServiceAccountUser(USER)
.setProjectId(PROJECT_ID)
.setQuotaProjectId("my-quota-project-id")
.setHttpTransportFactory(new MockTokenServerTransportFactory())
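Review bot: The `catch (Exception ex)` around `verifyJwtAccess(metadata, "dummy.scope")` in the new `refreshAccessToken_withDomainDelegation_selfSignedJWT_disabled` test accepts any exception, so an unrelated failure inside `verifyJwtAccess` (a NullPointerException, for instance) would also count as "jwt access disabled". Catch the specific type that `verifyJwtAccess` throws for a non-JWT bearer value — its signature is outside the hunk, so I cannot name it from here — or, since `TestUtils.assertContainsBearerToken(metadata, accessToken1)` on the line above already proves the header carries the mock token-server access token rather than a self-signed JWT, drop the try/catch and keep the positive assertion alone. The test name begins with `refreshAccessToken_` but the behaviour exercised first is `getRequestMetadata` choosing the access-token path; `getRequestMetadata_withDomainDelegation_selfSignedJWT_disabled` would match the neighbouring test names.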
Expand Up @@ -242,8 +242,6 @@ public void verifyRs256TokenWithLegacyCertificateUrlFormat()
@Test
public void verifyServiceAccountRs256Token()
throws TokenVerifier.VerificationException, IOException {
HttpTransportFactory httpTransportFactory =
mockTransport(SERVICE_ACCOUNT_CERT_URL, readResourceAsString("service_account_keys.json"));
TokenVerifier tokenVerifier =
TokenVerifier.newBuilder()
.setClock(FIXED_CLOCK)
