Remove todo!() when BoundToken and use_sign_blob is false

src/private/signing_key_inner.rs

@@ -4,6 +4,8 @@ use super::{BoundToken, SigningAlgorithm};
 pub(crate) enum Error {
     #[error("bound token authorizer error: {0}")]
     BoundTokenAuthorizer(#[source] crate::private::bound_token::BoundTokenError),
+    #[error("bound token must use sign blob")]
+    BoundTokenMustUseSignBlob,
     #[error("bound token signing error: {0}")]
     BoundTokenSigning(#[source] crate::private::bound_token::BoundTokenError),
     #[error("service account private key pem parsing error: {0}")]
@@ -53,7 +55,7 @@ impl SigningKeyInner {
                         .await
                         .map_err(Error::BoundTokenSigning)?)
                 } else {
-                    todo!()
+                    Err(Error::BoundTokenMustUseSignBlob)
                 }
             }
             SigningKeyInner::Hmac { .. } => todo!(),

tests/v0_6.rs

@@ -7,3 +7,27 @@ fn test_signing_key_mod() {
 
     let _: Result<SigningKey, Error> = ReExportedSigningKey::service_account_from_str("");
 }
+
+#[tokio::test]
+async fn test_dont_panic_when_bound_token_and_use_sign_blob_is_false(
+) -> Result<(), cloud_storage_signature::html_form_data::Error> {
+    use cloud_storage_signature::signing_key::SigningKey;
+    use cloud_storage_signature::HtmlFormData;
+    use cloud_storage_signature::PolicyDocumentSigningOptions;
+
+    // FIXME: mock `metadata.google.internal`
+
+    let _ = HtmlFormData::builder()
+        .bucket("bucket_name1")
+        .key("object_name1")
+        .policy_document_signing_options(PolicyDocumentSigningOptions {
+            accessible_at: None,
+            expiration: std::time::SystemTime::now() + std::time::Duration::from_secs(60),
+            region: None,
+            signing_key: SigningKey::bound_token(),
+            use_sign_blob: false,
+        })
+        .build()
+        .await?;
+    Ok(())
+}