throw exception for domain-wide delegation outside GDU

googleapis · Dec 13, 2023 · 5f8b409 · 5f8b409
1 parent 50d81c9
commit 5f8b409
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/src/Credentials/ServiceAccountCredentials.php b/src/Credentials/ServiceAccountCredentials.php
@@ -349,6 +349,20 @@ public function getUniverseDomain(): string
      */
     private function useSelfSignedJwt()
     {
+        // When a sub is supplied, the user is using domain-wide delegation, which not available
+        // with self-signed JWTs
+        if (null !== $this->auth->getSub()) {
+            // If we are outside the GDU, we can't use domain-wide delegation
+            if ($this->getUniverseDomain() !== self::DEFAULT_UNIVERSE_DOMAIN) {
+                throw new \LogicException(sprintf(
+                    'Service Account subject is configured for the credential. Domain-wide ' .
+                    'delegation is not supported in universes other than %s.',
+                    self::DEFAULT_UNIVERSE_DOMAIN
+                ));
+            }
+            return false;
+        }
+
         // If claims are set, this call is for "id_tokens"
         if ($this->auth->getAdditionalClaims()) {
             return false;

diff --git a/tests/Credentials/ServiceAccountCredentialsTest.php b/tests/Credentials/ServiceAccountCredentialsTest.php
@@ -321,6 +321,24 @@ public function testSettingBothScopeAndTargetAudienceThrowsException()
         );
     }
 
+    public function testDomainWideDelegationOutsideGduThrowsException()
+    {
+        $this->expectException(LogicException::class);
+        $this->expectExceptionMessage(
+            'Service Account subject is configured for the credential. Domain-wide ' .
+            'delegation is not supported in universes other than googleapis.com'
+        );
+        $testJson = $this->createTestJson() + ['universe_domain' => 'abc.xyz'];
+        $sub = 'sub123';
+        $sa = new ServiceAccountCredentials(
+            null,
+            $testJson,
+            $sub
+        );
+
+        $sa->fetchAuthToken();
+    }
+
     public function testReturnsClientEmail()
     {
         $testJson = $this->createTestJson();

diff --git a/tests/FetchAuthTokenTest.php b/tests/FetchAuthTokenTest.php
@@ -168,6 +168,8 @@ public function testServiceAccountCredentialsGetLastReceivedToken()
             ->willReturn($this->scopes);
         $oauth2Mock->getAdditionalClaims()
             ->willReturn([]);
+        $oauth2Mock->getSub()
+            ->willReturn(null);
 
         $credentials = new ServiceAccountCredentials($this->scopes, $jsonPath);
         $property->setValue($credentials, $oauth2Mock->reveal());