fix: Prevent access tokens from being fetched at service account cons…

…truction in the self-signed-jwt case
googleapis · Jan 25, 2024 · 43fd24b · 43fd24b
1 parent 2a86821
commit 43fd24b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/lib/googleauth/service_account.rb b/lib/googleauth/service_account.rb
@@ -39,7 +39,11 @@ class ServiceAccountCredentials < Signet::OAuth2::Client
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -95,17 +99,18 @@ def initialize options = {}
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token,
-        # OR we are not in the default universe and thus OAuth isn't supported.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt? || universe_domain != "googleapis.com")
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash

diff --git a/spec/googleauth/service_account_spec.rb b/spec/googleauth/service_account_spec.rb
@@ -92,6 +92,12 @@ def expect_is_encoded_jwt hdr
         expect_is_encoded_jwt auth_header
       end
     end
+
+    describe "#needs_access_token?" do
+      it "should always return false" do
+        expect(@client.needs_access_token?).to eq(false)
+      end
+    end
   end
 end
 
@@ -176,7 +182,7 @@ def cred_json_text_with_universe_domain
     end
   end
 
-  context "when scope is nil" do
+  context "when scope is nil", focus: true do
     before :example do
       @client.scope = nil
     end