fix: disabling self-signed jwt for domain wide delegation (googleapis#754)

Timur Sadykov · web-flow · commit ac70a279bdaf · 2021-10-04T13:13:57.000-07:00
* disabling self-signed jwt for domain wide delegation

* fix: nit fixes
diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -1018,7 +1018,8 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException
 
     // If scopes are provided but we cannot use self signed JWT, then use scopes to get access
     // token.
-    if (!createScopedRequired() && !useJwtAccessWithScope) {
+    if ((!createScopedRequired() && !useJwtAccessWithScope)
+        || (serviceAccountUser != null && serviceAccountUser.length() > 0)) {
       return super.getRequestMetadata(uri);
     }
 
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -1355,7 +1355,6 @@ public void getRequestMetadata_selfSignedJWT_withScopes() throws IOException {
             .setPrivateKey(privateKey)
             .setPrivateKeyId(PRIVATE_KEY_ID)
             .setScopes(SCOPES)
-            .setServiceAccountUser(USER)
             .setProjectId(PROJECT_ID)
             .setHttpTransportFactory(new MockTokenServerTransportFactory())
             .setUseJwtAccessWithScope(true)
@@ -1366,16 +1365,51 @@ public void getRequestMetadata_selfSignedJWT_withScopes() throws IOException {
   }
 
   @Test
-  public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
+  public void refreshAccessToken_withDomainDelegation_selfSignedJWT_disabled() throws IOException {
+    final String accessToken1 = "1/MkSJoj1xsli0AccessToken_NKPY2";
+    final String accessToken2 = "2/MkSJoj1xsli0AccessToken_NKPY2";
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    MockTokenServerTransport transport = transportFactory.transport;
     PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
     GoogleCredentials credentials =
         ServiceAccountCredentials.newBuilder()
             .setClientId(CLIENT_ID)
             .setClientEmail(CLIENT_EMAIL)
             .setPrivateKey(privateKey)
             .setPrivateKeyId(PRIVATE_KEY_ID)
+            .setScopes(SCOPES)
             .setServiceAccountUser(USER)
             .setProjectId(PROJECT_ID)
+            .setHttpTransportFactory(transportFactory)
+            .setUseJwtAccessWithScope(true)
+            .build();
+
+    transport.addServiceAccount(CLIENT_EMAIL, accessToken1);
+    Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
+    TestUtils.assertContainsBearerToken(metadata, accessToken1);
+
+    try {
+      verifyJwtAccess(metadata, "dummy.scope");
+      fail("jwt access should fail with ServiceAccountUser");
+    } catch (Exception ex) {
+      // expected
+    }
+
+    transport.addServiceAccount(CLIENT_EMAIL, accessToken2);
+    credentials.refresh();
+    TestUtils.assertContainsBearerToken(credentials.getRequestMetadata(CALL_URI), accessToken2);
+  }
+
+  @Test
+  public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
+    GoogleCredentials credentials =
+        ServiceAccountCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientEmail(CLIENT_EMAIL)
+            .setPrivateKey(privateKey)
+            .setPrivateKeyId(PRIVATE_KEY_ID)
+            .setProjectId(PROJECT_ID)
             .setHttpTransportFactory(new MockTokenServerTransportFactory())
             .build();
 
@@ -1393,7 +1427,6 @@ public void getRequestMetadata_selfSignedJWT_withDefaultScopes() throws IOExcept
             .setPrivateKey(privateKey)
             .setPrivateKeyId(PRIVATE_KEY_ID)
             .setScopes(null, SCOPES)
-            .setServiceAccountUser(USER)
             .setProjectId(PROJECT_ID)
             .setHttpTransportFactory(new MockTokenServerTransportFactory())
             .setUseJwtAccessWithScope(true)
@@ -1412,7 +1445,6 @@ public void getRequestMetadataWithCallback_selfSignedJWT() throws IOException {
             .setClientEmail(CLIENT_EMAIL)
             .setPrivateKey(privateKey)
             .setPrivateKeyId(PRIVATE_KEY_ID)
-            .setServiceAccountUser(USER)
             .setProjectId(PROJECT_ID)
             .setQuotaProjectId("my-quota-project-id")
             .setHttpTransportFactory(new MockTokenServerTransportFactory())
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/TokenVerifierTest.java b/oauth2_http/javatests/com/google/auth/oauth2/TokenVerifierTest.java
@@ -242,8 +242,6 @@ public void verifyRs256TokenWithLegacyCertificateUrlFormat()
   @Test
   public void verifyServiceAccountRs256Token()
       throws TokenVerifier.VerificationException, IOException {
-    HttpTransportFactory httpTransportFactory =
-        mockTransport(SERVICE_ACCOUNT_CERT_URL, readResourceAsString("service_account_keys.json"));
     TokenVerifier tokenVerifier =
         TokenVerifier.newBuilder()
             .setClock(FIXED_CLOCK)

Original file line number	Diff line number	Diff line change
`@@ -1018,7 +1018,8 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException`
`1018`	`1018`
`1019`	`1019`	`// If scopes are provided but we cannot use self signed JWT, then use scopes to get access`
`1020`	`1020`	`// token.`
`1021`		`- if (!createScopedRequired() && !useJwtAccessWithScope) {`
	`1021`	`+ if ((!createScopedRequired() && !useJwtAccessWithScope)`
	`1022`	`+ \|\| (serviceAccountUser != null && serviceAccountUser.length() > 0)) {`
`1022`	`1023`	`return super.getRequestMetadata(uri);`
`1023`	`1024`	`}`
`1024`	`1025`