From 5f8b409c2839b0a64e760af4faa8a050e783b47b Mon Sep 17 00:00:00 2001
From: Brent Shaffer
Date: Wed, 13 Dec 2023 11:45:03 -0800
Subject: [PATCH] throw exception for domain-wide delegation outside GDU

---
 src/Credentials/ServiceAccountCredentials.php | 14 ++++++++++++++
 .../ServiceAccountCredentialsTest.php | 18 ++++++++++++++++++
 tests/FetchAuthTokenTest.php | 2 ++
 3 files changed, 34 insertions(+)

diff --git a/src/Credentials/ServiceAccountCredentials.php b/src/Credentials/ServiceAccountCredentials.php
index 6eceec5a6..eba43cf9f 100644
--- a/src/Credentials/ServiceAccountCredentials.php
+++ b/src/Credentials/ServiceAccountCredentials.php
@@ -349,6 +349,20 @@ public function getUniverseDomain(): string
      */
     private function useSelfSignedJwt()
     {
+        // When a sub is supplied, the user is using domain-wide delegation, which not available
+        // with self-signed JWTs
+        if (null !== $this->auth->getSub()) {
+            // If we are outside the GDU, we can't use domain-wide delegation
+            if ($this->getUniverseDomain() !== self::DEFAULT_UNIVERSE_DOMAIN) {
+                throw new \LogicException(sprintf(
+                    'Service Account subject is configured for the credential. Domain-wide ' .
+                    'delegation is not supported in universes other than %s.',
+                    self::DEFAULT_UNIVERSE_DOMAIN
+                ));
+            }
+            return false;
+        }
+
         // If claims are set, this call is for "id_tokens"
         if ($this->auth->getAdditionalClaims()) {
             return false;
diff --git a/tests/Credentials/ServiceAccountCredentialsTest.php b/tests/Credentials/ServiceAccountCredentialsTest.php
index c6ff2520d..4a1e276e8 100644
--- a/tests/Credentials/ServiceAccountCredentialsTest.php
+++ b/tests/Credentials/ServiceAccountCredentialsTest.php
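Review bot: The new guard in useSelfSignedJwt() is evaluated only when a token is fetched, so a credential constructed with a subject outside the default universe is accepted silently and fails on the first fetchAuthToken() call; if the universe domain and the subject are both available in the constructor, validating there would surface the misconfiguration at the point it is introduced and keep the JWT-vs-OAuth decision free of validation. The check itself fails closed, which is the right outcome for a delegation request that would otherwise be sent to a non-default token endpoint. The first added comment has a grammar slip; `// When a sub is supplied, the user is using domain-wide delegation, which is not available` followed by `// with self-signed JWTs.` reads correctly. A configuration error of this kind is conventionally an \InvalidArgumentException rather than \LogicException, though the test added in this commit pins \LogicException, so both would need to change together. useSelfSignedJwt()'s body continues outside the hunk.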
@@ -321,6 +321,24 @@ public function testSettingBothScopeAndTargetAudienceThrowsException()
         );
     }
 
+    public function testDomainWideDelegationOutsideGduThrowsException()
+    {
+        $this->expectException(LogicException::class);
+        $this->expectExceptionMessage(
+            'Service Account subject is configured for the credential. Domain-wide ' .
+            'delegation is not supported in universes other than googleapis.com'
+        );
+        $testJson = $this->createTestJson() + ['universe_domain' => 'abc.xyz'];
+        $sub = 'sub123';
+        $sa = new ServiceAccountCredentials(
+            null,
+            $testJson,
+            $sub
+        );
+
+        $sa->fetchAuthToken();
+    }
+
     public function testReturnsClientEmail()
     {
         $testJson = $this->createTestJson();
diff --git a/tests/FetchAuthTokenTest.php b/tests/FetchAuthTokenTest.php
index 6fe7df242..433dbe851 100644
--- a/tests/FetchAuthTokenTest.php
+++ b/tests/FetchAuthTokenTest.php
@@ -168,6 +168,8 @@ public function testServiceAccountCredentialsGetLastReceivedToken()
             ->willReturn($this->scopes);
         $oauth2Mock->getAdditionalClaims()
             ->willReturn([]);
+        $oauth2Mock->getSub()
+            ->willReturn(null);
         $credentials = new ServiceAccountCredentials($this->scopes, $jsonPath);
         $property->setValue($credentials, $oauth2Mock->reveal());
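Review bot: `LogicException::class` at the top of testDomainWideDelegationOutsideGduThrowsException() is unqualified; if this test file declares a namespace and has no `use LogicException;`, the constant resolves at compile time to a class name inside that namespace and the expectation will not match the `\LogicException` the credential throws, so the test would fail for the wrong reason. The file's imports are outside this hunk, so either confirm the import exists or write `$this->expectException(\LogicException::class);`. The test exercises only the rejecting universe; a companion case with the same subject and the default universe_domain that asserts no exception is raised from the guard would keep the new check from being tightened to reject all subjects later. createTestJson() and the class header are outside the hunk.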