Skip to content

Commit

Permalink
feat: Use self-signed JWTs when non-default Universe Domains (#1722)
Browse files Browse the repository at this point in the history
* feat: Use self-signed JWTs when non-default Universe Domains

* feat: AL-9

* fix: remove unused
  • Loading branch information
d-goog authored Jan 26, 2024
1 parent bcefe96 commit 7e9876e
Show file tree
Hide file tree
Showing 2 changed files with 76 additions and 1 deletion.
11 changes: 10 additions & 1 deletion src/auth/jwtclient.ts
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import {
OAuth2ClientOptions,
RequestMetadataResponse,
} from './oauth2client';
import {DEFAULT_UNIVERSE} from './authclient';

export interface JWTOptions extends OAuth2ClientOptions {
email?: string;
Expand Down Expand Up @@ -119,7 +120,15 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
url = this.defaultServicePath ? `https://${this.defaultServicePath}/` : url;
const useSelfSignedJWT =
(!this.hasUserScopes() && url) ||
(this.useJWTAccessWithScope && this.hasAnyScopes());
(this.useJWTAccessWithScope && this.hasAnyScopes()) ||
this.universeDomain !== DEFAULT_UNIVERSE;

if (this.subject && this.universeDomain !== DEFAULT_UNIVERSE) {
throw new RangeError(
`Service Account user is configured for the credential. Domain-wide delegation is not supported in universes other than ${DEFAULT_UNIVERSE}`
);
}

if (!this.apiKey && useSelfSignedJWT) {
if (
this.additionalClaims &&
Expand Down
66 changes: 66 additions & 0 deletions test/test.jwt.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1007,6 +1007,72 @@ describe('jwt', () => {
);
});

it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, universeDomain = not default universe', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
});
const jwt = new JWT({
email: 'foo@serviceaccount.com',
key: fs.readFileSync(PEM_PATH, 'utf8'),
scopes: ['scope1', 'scope2'],
universeDomain: 'my-universe.com',
});
jwt.defaultScopes = ['scope1', 'scope2'];
await jwt.getRequestHeaders('https//beepboop.googleapis.com');
sandbox.assert.calledOnce(stubJWTAccess);
sandbox.assert.calledWith(
stubGetRequestHeaders,
'https//beepboop.googleapis.com',
undefined,
undefined
);
});

it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, useJWTAccessWithScope = true, universeDomain = not default universe', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
});
const jwt = new JWT({
email: 'foo@serviceaccount.com',
key: fs.readFileSync(PEM_PATH, 'utf8'),
scopes: ['scope1', 'scope2'],
universeDomain: 'my-universe.com',
});
jwt.useJWTAccessWithScope = true;
jwt.defaultScopes = ['scope1', 'scope2'];
await jwt.getRequestHeaders('https//beepboop.googleapis.com');
sandbox.assert.calledOnce(stubJWTAccess);
sandbox.assert.calledWith(
stubGetRequestHeaders,
'https//beepboop.googleapis.com',
undefined,
['scope1', 'scope2']
);
});

it('throws on domain-wide delegation on non-default universe', async () => {
const stubGetRequestHeaders = sandbox.stub().returns({});
sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: stubGetRequestHeaders,
});
const jwt = new JWT({
email: 'foo@serviceaccount.com',
key: fs.readFileSync(PEM_PATH, 'utf8'),
scopes: ['scope1', 'scope2'],
subject: 'bar@subjectaccount.com',
universeDomain: 'my-universe.com',
});
jwt.useJWTAccessWithScope = true;
jwt.defaultScopes = ['scope1', 'scope2'];

await assert.rejects(
() => jwt.getRequestHeaders('https//beepboop.googleapis.com'),
/Domain-wide delegation is not supported in universes other than/
);
});

it('does not use self signed JWT if target_audience provided', async () => {
const JWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
getRequestHeaders: sinon.stub().returns({}),
Expand Down

0 comments on commit 7e9876e

Please sign in to comment.