fix: Prevent access tokens from being fetched at service account cons…

…truction in the self-signed-jwt case (#467)
googleapis · Jan 25, 2024 · 96b009f · 96b009f
1 parent 2a86821
commit 96b009f
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 7 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -49,7 +49,9 @@ jobs:
         node-version: "16.x"
     - name: Install dependencies
       shell: bash
-      run: "gem install --no-document bundler toys && bundle install"
+      run: |
+        gem install --no-document toys
+        bundle install
     - name: Test ${{ matrix.task }}
       shell: bash
       run: toys do ${{ matrix.task }} < /dev/null
diff --git a/lib/googleauth/service_account.rb b/lib/googleauth/service_account.rb
@@ -39,7 +39,11 @@ class ServiceAccountCredentials < Signet::OAuth2::Client
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -95,17 +99,18 @@ def initialize options = {}
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token,
-        # OR we are not in the default universe and thus OAuth isn't supported.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt? || universe_domain != "googleapis.com")
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -216,6 +221,11 @@ def new_jwt_token jwt_aud_uri = nil, options = {}
 
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
     end
   end
 end
diff --git a/spec/googleauth/service_account_spec.rb b/spec/googleauth/service_account_spec.rb
@@ -92,6 +92,12 @@ def expect_is_encoded_jwt hdr
         expect_is_encoded_jwt auth_header
       end
     end
+
+    describe "#needs_access_token?" do
+      it "should always return false" do
+        expect(@client.needs_access_token?).to eq(false)
+      end
+    end
   end
 end