feat: AL-9

d-goog · d-goog · commit a4351cadc2b6 · 2024-01-05T18:32:20.000-08:00
diff --git a/src/auth/jwtclient.ts b/src/auth/jwtclient.ts
@@ -122,6 +122,13 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
       (!this.hasUserScopes() && url) ||
       (this.useJWTAccessWithScope && this.hasAnyScopes()) ||
       this.universeDomain !== DEFAULT_UNIVERSE;
+
+    if (this.subject && this.universeDomain !== DEFAULT_UNIVERSE) {
+      throw new RangeError(
+        `Service Account user is configured for the credential. Domain-wide delegation is not supported in universes other than ${DEFAULT_UNIVERSE}`
+      );
+    }
+
     if (!this.apiKey && useSelfSignedJWT) {
       if (
         this.additionalClaims &&
diff --git a/test/test.jwt.ts b/test/test.jwt.ts
@@ -1016,7 +1016,6 @@ describe('jwt', () => {
         email: 'foo@serviceaccount.com',
         key: fs.readFileSync(PEM_PATH, 'utf8'),
         scopes: ['scope1', 'scope2'],
-        subject: 'bar@subjectaccount.com',
         universeDomain: 'my-universe.com',
       });
       jwt.defaultScopes = ['scope1', 'scope2'];
@@ -1039,7 +1038,6 @@ describe('jwt', () => {
         email: 'foo@serviceaccount.com',
         key: fs.readFileSync(PEM_PATH, 'utf8'),
         scopes: ['scope1', 'scope2'],
-        subject: 'bar@subjectaccount.com',
         universeDomain: 'my-universe.com',
       });
       jwt.useJWTAccessWithScope = true;
@@ -1054,6 +1052,27 @@ describe('jwt', () => {
       );
     });
 
+    it('throws on domain-wide delegation on non-default universe', async () => {
+      const stubGetRequestHeaders = sandbox.stub().returns({});
+      const stubJWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
+        getRequestHeaders: stubGetRequestHeaders,
+      });
+      const jwt = new JWT({
+        email: 'foo@serviceaccount.com',
+        key: fs.readFileSync(PEM_PATH, 'utf8'),
+        scopes: ['scope1', 'scope2'],
+        subject: 'bar@subjectaccount.com',
+        universeDomain: 'my-universe.com',
+      });
+      jwt.useJWTAccessWithScope = true;
+      jwt.defaultScopes = ['scope1', 'scope2'];
+
+      await assert.rejects(
+        () => jwt.getRequestHeaders('https//beepboop.googleapis.com'),
+        /Domain-wide delegation is not supported in universes other than/
+      );
+    });
+
     it('does not use self signed JWT if target_audience provided', async () => {
       const JWTAccess = sandbox.stub(jwtaccess, 'JWTAccess').returns({
         getRequestHeaders: sinon.stub().returns({}),
