diff --git a/src/auth/jwtclient.ts b/src/auth/jwtclient.ts index d25f4146..9e12b23c 100644 --- a/src/auth/jwtclient.ts +++ b/src/auth/jwtclient.ts @@ -24,6 +24,7 @@ import { OAuth2ClientOptions, RequestMetadataResponse, } from './oauth2client'; +import {DEFAULT_UNIVERSE} from './authclient'; export interface JWTOptions extends OAuth2ClientOptions { email?: string; @@ -119,7 +120,15 @@ export class JWT extends OAuth2Client implements IdTokenProvider { url = this.defaultServicePath ? `https://${this.defaultServicePath}/` : url; const useSelfSignedJWT = (!this.hasUserScopes() && url) || - (this.useJWTAccessWithScope && this.hasAnyScopes()); + (this.useJWTAccessWithScope && this.hasAnyScopes()) || + this.universeDomain !== DEFAULT_UNIVERSE; + + if (this.subject && this.universeDomain !== DEFAULT_UNIVERSE) { + throw new RangeError( + `Service Account user is configured for the credential. Domain-wide delegation is not supported in universes other than ${DEFAULT_UNIVERSE}` + ); + } + if (!this.apiKey && useSelfSignedJWT) { if ( this.additionalClaims && diff --git a/test/test.jwt.ts b/test/test.jwt.ts index f20fcbe5..fc11bd02 100644 --- a/test/test.jwt.ts +++ b/test/test.jwt.ts @@ -1007,6 +1007,72 @@ describe('jwt', () => { ); }); + it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, universeDomain = not default universe', async () => { + const stubGetRequestHeaders = sandbox.stub().returns({}); + const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({ + getRequestHeaders: stubGetRequestHeaders, + }); + const jwt = new JWT({ + email: 'foo@serviceaccount.com', + key: fs.readFileSync(PEM_PATH, 'utf8'), + scopes: ['scope1', 'scope2'], + universeDomain: 'my-universe.com', + }); + jwt.defaultScopes = ['scope1', 'scope2']; + await jwt.getRequestHeaders('https//beepboop.googleapis.com'); + sandbox.assert.calledOnce(stubJWTAccess); + sandbox.assert.calledWith( + stubGetRequestHeaders, + 'https//beepboop.googleapis.com', + undefined, + undefined + ); + }); + + it('signs JWT with audience if: user scope = true, default scope = true, audience = truthy, useJWTAccessWithScope = true, universeDomain = not default universe', async () => { + const stubGetRequestHeaders = sandbox.stub().returns({}); + const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({ + getRequestHeaders: stubGetRequestHeaders, + }); + const jwt = new JWT({ + email: 'foo@serviceaccount.com', + key: fs.readFileSync(PEM_PATH, 'utf8'), + scopes: ['scope1', 'scope2'], + universeDomain: 'my-universe.com', + }); + jwt.useJWTAccessWithScope = true; + jwt.defaultScopes = ['scope1', 'scope2']; + await jwt.getRequestHeaders('https//beepboop.googleapis.com'); + sandbox.assert.calledOnce(stubJWTAccess); + sandbox.assert.calledWith( + stubGetRequestHeaders, + 'https//beepboop.googleapis.com', + undefined, + ['scope1', 'scope2'] + ); + }); + + it('throws on domain-wide delegation on non-default universe', async () => { + const stubGetRequestHeaders = sandbox.stub().returns({}); + sandbox.stub(jwtaccess, 'JWTAccess').returns({ + getRequestHeaders: stubGetRequestHeaders, + }); + const jwt = new JWT({ + email: 'foo@serviceaccount.com', + key: fs.readFileSync(PEM_PATH, 'utf8'), + scopes: ['scope1', 'scope2'], + subject: 'bar@subjectaccount.com', + universeDomain: 'my-universe.com', + }); + jwt.useJWTAccessWithScope = true; + jwt.defaultScopes = ['scope1', 'scope2']; + + await assert.rejects( + () => jwt.getRequestHeaders('https//beepboop.googleapis.com'), + /Domain-wide delegation is not supported in universes other than/ + ); + }); + it('does not use self signed JWT if target_audience provided', async () => { const JWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({ getRequestHeaders: sinon.stub().returns({}),