diff --git a/samples/signBlob.js b/samples/signBlob.js
new file mode 100644
index 00000000..ea52bb16
--- /dev/null
+++ b/samples/signBlob.js
@@ -0,0 +1,29 @@
+// Copyright 2020 Google LLC
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {auth} = require('google-auth-library');
+
+/**
+ * Use the iamcredentials API to sign a blob of data.
+ */
+async function main() {
+  const signedData = await auth.sign('some data');
+  console.log(signedData);
+}
+
+main().catch(e => {
+  console.error(e);
+  throw e;
+});
diff --git a/samples/test/jwt.test.js b/samples/test/jwt.test.js
index 3664ec1e..42c2b226 100644
--- a/samples/test/jwt.test.js
+++ b/samples/test/jwt.test.js
@@ -84,4 +84,9 @@ describe('samples', () => {
     const output = execSync(`node idtokens-iap ${url} ${targetAudience}`);
     assert.match(output, /Hello, world/);
   });
+
+  it('should sign the blobs with IAM credentials API', () => {
+    const out = execSync('node signBlob');
+    assert.ok(out.length > 0);
+  });
 });
diff --git a/src/auth/googleauth.ts b/src/auth/googleauth.ts
index cca1be5d..93d231ec 100644
--- a/src/auth/googleauth.ts
+++ b/src/auth/googleauth.ts
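Review bot: The `throw e;` inside the `.catch` handler at the end of samples/signBlob.js turns the failure into an unhandled promise rejection, so the error is reported twice and the process exit status depends on the Node version's unhandled-rejection policy rather than on the sample. Setting the exit code is the usual pattern for a CLI sample: replace `throw e;` with `process.exitCode = 1;`. The JSDoc on `main` could also say what is being signed and by whom, e.g. `/** Sign a fixed blob with the application default credentials' service account via the iamcredentials signBlob API and print the result. */`.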
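Review bot: `assert.ok(out.length > 0)` in the new `it('should sign the blobs with IAM credentials API')` case only confirms the sample wrote something to stdout; `execSync` already throws on a non-zero exit, so the assertion adds almost nothing. The sample prints the returned `signedBlob`, which the iamcredentials API returns base64-encoded, so a shape check such as `assert.match(out.toString(), /^[A-Za-z0-9+/]+=*\s*$/)` would still catch a regression that prints `undefined` or an error object. Note this test exercises the live API and therefore needs runner credentials permitted to call signBlob on their own service account; that prerequisite is worth a comment above the `it`.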
@@ -809,16 +809,19 @@ export class GoogleAuth {
       throw new Error('Cannot sign data without `client_email`.');
     }
 
-    const id = `projects/${projectId}/serviceAccounts/${creds.client_email}`;
+    const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${creds.client_email}:signBlob`;
     const res = await this.request({
       method: 'POST',
-      url: `https://iam.googleapis.com/v1/${id}:signBlob`,
-      data: {bytesToSign: crypto.encodeBase64StringUtf8(data)},
+      url,
+      data: {
+        payload: crypto.encodeBase64StringUtf8(data),
+      },
     });
-    return res.data.signature;
+    return res.data.signedBlob;
   }
 }
 
 export interface SignBlobResponse {
-  signature: string;
+  keyId: string;
+  signedBlob: string;
 }
diff --git a/test/test.googleauth.ts b/test/test.googleauth.ts
index ebdd612e..c125046d 100644
--- a/test/test.googleauth.ts
+++ b/test/test.googleauth.ts
@@ -1390,21 +1390,21 @@ describe('googleauth', () => {
     const {auth, scopes} = mockGCE();
     mockEnvVar('GCLOUD_PROJECT', STUB_PROJECT);
     const email = 'google@auth.library';
-    const iamUri = `https://iam.googleapis.com`;
-    const iamPath = `/v1/projects/${STUB_PROJECT}/serviceAccounts/${email}:signBlob`;
-    const signature = 'erutangis';
+    const iamUri = `https://iamcredentials.googleapis.com`;
+    const iamPath = `/v1/projects/-/serviceAccounts/${email}:signBlob`;
+    const signedBlob = 'erutangis';
     const data = 'abc123';
     scopes.push(
       nock(iamUri)
         .post(iamPath)
-        .reply(200, {signature}),
+        .reply(200, {signedBlob}),
       nock(host)
         .get(svcAccountPath)
         .reply(200, {default: {email, private_key: privateKey}}, HEADERS)
     );
     const value = await auth.sign(data);
     scopes.forEach(x => x.done());
-    assert.strictEqual(value, signature);
+    assert.strictEqual(value, signedBlob);
   });
 
   it('should warn the user if using the getDefaultProjectId method', done => {
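Review bot: `return res.data.signedBlob;` discards the `keyId` that the updated `SignBlobResponse` now declares, so a caller verifying the signature cannot tell which of the service account's keys produced it and must try each public key in turn; since `sign()` returns a plain string, surfacing it is an interface change, but it should at least be recorded in the method's JSDoc, e.g. `// The response also carries keyId (the signing key id); this method does not surface it.`. Separately, `creds.client_email` is interpolated unencoded into the new `url` template — `${encodeURIComponent(creds.client_email)}:signBlob` keeps an unexpected character in a credentials file from altering the request path. With the `projects/-` wildcard, `projectId` no longer appears in the URL; if the project-id lookup earlier in this method served only the old `id` string, it can presumably be dropped. The enclosing method begins above the hunk.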
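Review bot: `nock(iamUri).post(iamPath)` matches any request body, so the updated test never verifies that the request field was renamed from `bytesToSign` to `payload` — an implementation still sending the old field would pass. Constrain the body, e.g. `.post(iamPath, body => typeof body.payload === 'string' && body.bytesToSign === undefined)`. The mocked reply `{signedBlob}` also omits the `keyId` field that `SignBlobResponse` now declares; a constructed fixture such as `.reply(200, {keyId: 'key-1', signedBlob})` keeps the mock aligned with the type. The enclosing `it` callback starts above the hunk.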