Skip to content

Commit

Permalink
fix: Prevent access tokens from being fetched at service account cons…
Browse files Browse the repository at this point in the history
…truction in the self-signed-jwt case
  • Loading branch information
dazuma committed Jan 25, 2024
1 parent 2a86821 commit 3d2272a
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 6 deletions.
17 changes: 11 additions & 6 deletions lib/googleauth/service_account.rb
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,11 @@ class ServiceAccountCredentials < Signet::OAuth2::Client
attr_reader :quota_project_id

def enable_self_signed_jwt?
@enable_self_signed_jwt
# Use a self-singed JWT if there's no information that can be used to
# obtain an OAuth token, OR if there are scopes but also an assertion
# that they are default scopes that shouldn't be used to fetch a token,
# OR we are not in the default universe and thus OAuth isn't supported.
target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
end

# Creates a ServiceAccountCredentials.
Expand Down Expand Up @@ -95,17 +99,18 @@ def initialize options = {}
# Extends the base class to use a transient
# ServiceAccountJwtHeaderCredentials for certain cases.
def apply! a_hash, opts = {}
# Use a self-singed JWT if there's no information that can be used to
# obtain an OAuth token, OR if there are scopes but also an assertion
# that they are default scopes that shouldn't be used to fetch a token,
# OR we are not in the default universe and thus OAuth isn't supported.
if target_audience.nil? && (scope.nil? || enable_self_signed_jwt? || universe_domain != "googleapis.com")
if enable_self_signed_jwt?
apply_self_signed_jwt! a_hash
else
super
end
end

# Modifies this logic so it also requires self-signed-jwt to be disabled
def needs_access_token?
super && !enable_self_signed_jwt?
end

private

def apply_self_signed_jwt! a_hash
Expand Down
6 changes: 6 additions & 0 deletions spec/googleauth/service_account_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,12 @@ def expect_is_encoded_jwt hdr
expect_is_encoded_jwt auth_header
end
end

describe "#needs_access_token?" do
it "should always return false" do
expect(@client.needs_access_token?).to eq(false)
end
end
end
end

Expand Down

0 comments on commit 3d2272a

Please sign in to comment.