Commit

fix: Prevent access tokens from being fetched at service account construction in the self-signed-jwt case (#467)
dazuma authored Jan 25, 2024
1 parent 2a86821 commit 96b009f
Showing 3 changed files with 25 additions and 7 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/ci.yml
@@ -49,7 +49,9 @@ jobs:
node-version: "16.x"
- name: Install dependencies
shell: bash
run: "gem install --no-document bundler toys && bundle install"
run: |
gem install --no-document toys
bundle install
- name: Test ${{ matrix.task }}
shell: bash
run: toys do ${{ matrix.task }} < /dev/null
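Review bot: dropping `bundler` from the `gem install` line in the "Install dependencies" step is unrelated to the self-signed-JWT fix named in the commit title and deserves its own mention in the message; CI now relies on whatever bundler ships with the configured Ruby, so confirm the Ruby setup step supplies one before `bundle install` runs.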
22 changes: 16 additions & 6 deletions lib/googleauth/service_account.rb
@@ -39,7 +39,11 @@ class ServiceAccountCredentials < Signet::OAuth2::Client
attr_reader :quota_project_id

def enable_self_signed_jwt?
@enable_self_signed_jwt
# Use a self-singed JWT if there's no information that can be used to
# obtain an OAuth token, OR if there are scopes but also an assertion
# that they are default scopes that shouldn't be used to fetch a token,
# OR we are not in the default universe and thus OAuth isn't supported.
target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
end

# Creates a ServiceAccountCredentials.
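Review bot: the new comment at the top of `enable_self_signed_jwt?` reads "self-singed JWT" (typo for "self-signed"). The predicate also changes meaning: it previously returned the raw `@enable_self_signed_jwt` flag and now folds in the `target_audience`, `scope` and `universe_domain` checks; since it is public, note this in the method doc so callers treating it as the constructor option's getter are not surprised. The default universe is compared against the literal `"googleapis.com"`; a named constant would make the comparison easier to keep consistent across the library.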
@@ -95,17 +99,18 @@ def initialize options = {}
# Extends the base class to use a transient
# ServiceAccountJwtHeaderCredentials for certain cases.
def apply! a_hash, opts = {}
# Use a self-singed JWT if there's no information that can be used to
# obtain an OAuth token, OR if there are scopes but also an assertion
# that they are default scopes that shouldn't be used to fetch a token,
# OR we are not in the default universe and thus OAuth isn't supported.
if target_audience.nil? && (scope.nil? || enable_self_signed_jwt? || universe_domain != "googleapis.com")
if enable_self_signed_jwt?
apply_self_signed_jwt! a_hash
else
super
end
end

# Modifies this logic so it also requires self-signed-jwt to be disabled
def needs_access_token?
super && !enable_self_signed_jwt?
end

private

def apply_self_signed_jwt! a_hash
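Review bot: `needs_access_token?` is overridden as `super && !enable_self_signed_jwt?`, so the base-class check runs even when the self-signed path already decides the answer is false; writing `!enable_self_signed_jwt? && super` short-circuits it and states the intent (no token fetch at all in the self-signed case) directly. The comment "Modifies this logic so it also requires self-signed-jwt to be disabled" could say what it guards, namely that the base class must not fetch an access token at construction when a self-signed JWT will be used.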
@@ -216,6 +221,11 @@ def new_jwt_token jwt_aud_uri = nil, options = {}

JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
end

# Duck-types the corresponding method from BaseClient
def needs_access_token?
false
end
end
end
end
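Review bot: the `needs_access_token?` added to the JWT-header credentials class returns a constant `false` under the comment "Duck-types the corresponding method from BaseClient"; spell out the reason in the comment (this class always signs its own JWT and never exchanges it for an access token) so a later reader does not "fix" it to consult a flag. Also confirm it sits in the public section of the class, since the duck-typed caller in the base client must be able to invoke it; the visible context after `new_jwt_token` does not show whether a `private` keyword precedes it.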
6 changes: 6 additions & 0 deletions spec/googleauth/service_account_spec.rb
@@ -92,6 +92,12 @@ def expect_is_encoded_jwt hdr
expect_is_encoded_jwt auth_header
end
end

describe "#needs_access_token?" do
it "should always return false" do
expect(@client.needs_access_token?).to eq(false)
end
end
end
end
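Review bot: the new spec only asserts that `ServiceAccountJwtHeaderCredentials#needs_access_token?` always returns `false`; the behaviour the commit title promises, that `ServiceAccountCredentials` does not fetch an access token at construction in the self-signed-JWT case, has no test here. Add a spec that constructs `ServiceAccountCredentials` with a non-default `universe_domain` (and another with `enable_self_signed_jwt` set) and asserts `needs_access_token?` is false and no token request is issued.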

0 comments on commit 96b009f