From 43fd24b5611e0020d718e525d0f8bc6d9dee2e02 Mon Sep 17 00:00:00 2001
From: Daniel Azuma
Date: Thu, 25 Jan 2024 19:03:09 +0000
Subject: [PATCH] fix: Prevent access tokens from being fetched at service account construction in the self-signed-jwt case

---
 lib/googleauth/service_account.rb       | 17 +++++++++++------
 spec/googleauth/service_account_spec.rb |  8 +++++++-
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/lib/googleauth/service_account.rb b/lib/googleauth/service_account.rb
index 50ce43cf..74711fd2 100644
--- a/lib/googleauth/service_account.rb
+++ b/lib/googleauth/service_account.rb
@@ -39,7 +39,11 @@ class ServiceAccountCredentials < Signet::OAuth2::Client
   attr_reader :quota_project_id

   def enable_self_signed_jwt?
-    @enable_self_signed_jwt
+    # Use a self-singed JWT if there's no information that can be used to
+    # obtain an OAuth token, OR if there are scopes but also an assertion
+    # that they are default scopes that shouldn't be used to fetch a token,
+    # OR we are not in the default universe and thus OAuth isn't supported.
+    target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
   end

   # Creates a ServiceAccountCredentials.
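Review bot: `enable_self_signed_jwt?` now returns a derived decision rather than the constructor flag it read before, so it answers true for a nil scope or any universe other than "googleapis.com" even when the option was never set, and a public predicate whose meaning changed this way needs a doc comment. Suggest above the `def`: `# Whether requests will be authorized with a self-signed JWT instead of an OAuth access token. Derived from target_audience, scope, universe_domain and the enable_self_signed_jwt option, so the answer can change if those attributes are reassigned later.` The comment moved in from apply! still says `self-singed`; `self-signed` is what is meant. The literal `"googleapis.com"` now carries the meaning of "default universe" inside this predicate and would read better as a named constant, if the class does not already define one.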
@@ -95,17 +99,18 @@ def initialize options = {}
   # Extends the base class to use a transient
   # ServiceAccountJwtHeaderCredentials for certain cases.
   def apply! a_hash, opts = {}
-    # Use a self-singed JWT if there's no information that can be used to
-    # obtain an OAuth token, OR if there are scopes but also an assertion
-    # that they are default scopes that shouldn't be used to fetch a token,
-    # OR we are not in the default universe and thus OAuth isn't supported.
-    if target_audience.nil? && (scope.nil? || enable_self_signed_jwt? || universe_domain != "googleapis.com")
+    if enable_self_signed_jwt?
       apply_self_signed_jwt! a_hash
     else
       super
     end
   end

+  # Modifies this logic so it also requires self-signed-jwt to be disabled
+  def needs_access_token?
+    super && !enable_self_signed_jwt?
+  end
+
   private

   def apply_self_signed_jwt! a_hash
diff --git a/spec/googleauth/service_account_spec.rb b/spec/googleauth/service_account_spec.rb
index 9fc375cd..4b3a6f23 100644
--- a/spec/googleauth/service_account_spec.rb
+++ b/spec/googleauth/service_account_spec.rb
@@ -92,6 +92,12 @@ def expect_is_encoded_jwt hdr
         expect_is_encoded_jwt auth_header
       end
     end
+
+    describe "#needs_access_token?" do
+      it "should always return false" do
+        expect(@client.needs_access_token?).to eq(false)
+      end
+    end
   end
 end

@@ -176,7 +182,7 @@ def cred_json_text_with_universe_domain
     end
   end

-  context "when scope is nil" do
+  context "when scope is nil", focus: true do
     before :example do
       @client.scope = nil
     end
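Review bot: The comment on the new `needs_access_token?` says what the override requires but not why, which is the point of this fix; suggest replacing it with `# A credential that authorizes with a self-signed JWT never exchanges for an OAuth access token, so report that none is needed — this keeps the base class from fetching one eagerly (e.g. at construction) for credentials that will only ever sign JWTs.` Because `enable_self_signed_jwt?` now reads `scope` and `universe_domain`, this predicate's answer can flip after construction when those attributes are assigned, which looks intended but is worth stating in the comment so nobody later caches the result.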
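Review bot: The new example pins only one side of `needs_access_token?` — `@client` is set up outside the hunk, so which configuration it covers is not visible here — and the `"should always return false"` title overstates what it checks, since the override is `super && !enable_self_signed_jwt?` and still returns the base result when self-signed JWT is off. Suggest `it "returns false when self-signed JWT is in use"` and a sibling example with a scope set in the default universe that expects the base class result, so a regression that makes the predicate false everywhere (and silently stops token fetching for OAuth clients) is caught.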
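Review bot: `focus: true` on the `"when scope is nil"` context looks like a leftover from local debugging; if `filter_run_when_matching :focus` is enabled in the spec configuration (not visible here), it restricts the run to this one context and silently skips the rest of the suite, including the `#needs_access_token?` example added above. The line should read `context "when scope is nil" do`. If the focus metadata is intentional, a comment saying why belongs next to it, since the commit message does not mention it.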