chore: address additional review

src/auth/impersonated.ts

@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2021 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,12 +15,13 @@
  */
 
 import {GetTokenResponse, OAuth2Client, RefreshOptions} from './oauth2client';
+import {AuthClient} from './authclient';
 
 export interface ImpersonatedOptions extends RefreshOptions {
   /**
    * Client used to perform exchange for impersonated client.
    */
-  sourceClient?: OAuth2Client;
+  sourceClient?: AuthClient;
   /**
    * The service account to impersonate.
    */
@@ -49,7 +50,7 @@ export interface TokenResponse {
 }
 
 export class Impersonated extends OAuth2Client {
-  private sourceClient: OAuth2Client;
+  private sourceClient: AuthClient;
   private targetPrincipal: string;
   private targetScopes: string[];
   private delegates: string[];
@@ -67,24 +68,27 @@ export class Impersonated extends OAuth2Client {
    * Also, the target service account must grant the orginating principal
    * the "Service Account Token Creator" IAM role.
    *
-   * @param credentials the service account email address.
-   * @param sourceClient the source credential used as to acquire the
-   * impersonated credentials
-   * @param targetPrincipal the service account to impersonate.
-   * @param delegates the chained list of delegates required to grant the
-   *  final access_token. If set, the sequence of identities must have
-   * "Service Account Token Creator" capability granted to the preceding
-   * identity. For example, if set to [serviceAccountB, serviceAccountC],
-   * the sourceCredential must have the Token Creator role on serviceAccountB.
-   * serviceAccountB must have the Token Creator on serviceAccountC.
-   * Finally, C must have Token Creator on target_principal.
+   * @param {object} options - The configuration object.
+   * @param {object} [options.credentials] the service account email address.
+   * @param {object} [options.sourceClient] the source credential used as to
+   * acquire the impersonated credentials.
+   * @param {string} [options.targetPrincipal] the service account to
+   * impersonate.
+   * @param {string[]} [options.delegates] the chained list of delegates
+   * required to grant the final access_token. If set, the sequence of
+   * identities must have "Service Account Token Creator" capability granted to
+   * the preceding identity. For example, if set to [serviceAccountB,
+   * serviceAccountC], the sourceCredential must have the Token Creator role on
+   * serviceAccountB. serviceAccountB must have the Token Creator on
+   * serviceAccountC. Finally, C must have Token Creator on target_principal.
    * If left unset, sourceCredential must have that role on targetPrincipal.
-   * @param targetScopes scopes to request during the authorization grant.
-   * @param lifetime number of seconds the delegated credential should be
-   * valid for up to 3600 seconds by default, or 43,200 seconds by
-   * extending the token's lifetime, see:
+   * @param {string[]} [options.targetScopes] scopes to request during the
+   * authorization grant.
+   * @param {number} [options.lifetime] number of seconds the delegated
+   * credential should be valid for up to 3600 seconds by default, or 43,200
+   * seconds by extending the token's lifetime, see:
    * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth
-   * @param endpoint api endpoint override.
+   * @param {string} [options.endpoint] api endpoint override.
    */
   constructor(options: ImpersonatedOptions = {}) {
     super(options);

test/test.impersonated.ts

@@ -42,6 +42,7 @@ describe('impersonated', () => {
   afterEach(() => {
     nock.cleanAll();
   });
+
   it('should request impersonated credentials on first request', async () => {
     const tomorrow = new Date();
     tomorrow.setDate(tomorrow.getDate() + 1);
@@ -89,6 +90,7 @@ describe('impersonated', () => {
     );
     scopes.forEach(s => s.done());
   });
+
   it('should not request impersonated credentials on second request', async () => {
     const tomorrow = new Date();
     tomorrow.setDate(tomorrow.getDate() + 1);
@@ -138,6 +140,7 @@ describe('impersonated', () => {
     );
     scopes.forEach(s => s.done());
   });
+
   it('should request impersonated credentials once new credentials expire', async () => {
     const tomorrow = new Date();
     tomorrow.setDate(tomorrow.getDate() + 1);
@@ -200,6 +203,7 @@ describe('impersonated', () => {
     );
     scopes.forEach(s => s.done());
   });
+
   it('throws meaningful error when context available', async () => {
     const tomorrow = new Date();
     tomorrow.setDate(tomorrow.getDate() + 1);
@@ -238,6 +242,7 @@ describe('impersonated', () => {
     await assert.rejects(impersonated.request({url}), /NOT_FOUND/);
     scopes.forEach(s => s.done());
   });
+
   it('handles errors without context', async () => {
     const tomorrow = new Date();
     tomorrow.setDate(tomorrow.getDate() + 1);
@@ -270,6 +275,7 @@ describe('impersonated', () => {
     await assert.rejects(impersonated.request({url}), /unable to impersonate/);
     scopes.forEach(s => s.done());
   });
+
   it('handles error authenticating sourceClient', async () => {
     const tomorrow = new Date();
     tomorrow.setDate(tomorrow.getDate() + 1);
@@ -293,6 +299,7 @@ describe('impersonated', () => {
     await assert.rejects(impersonated.request({url}), /unable to impersonate/);
     scopes.forEach(s => s.done());
   });
+
   it('should populate request headers', async () => {
     const tomorrow = new Date();
     tomorrow.setDate(tomorrow.getDate() + 1);

test/test.index.ts

@@ -43,5 +43,6 @@ describe('index', () => {
     assert(gal.AwsClient);
     assert(gal.BaseExternalAccountClient);
     assert(gal.DownscopedClient);
+    assert(gal.Impersonated);
   });
 });