Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -362,8 +362,12 @@ def _build_regional_access_boundary_lookup_url(
Returns:
Optional[str]: The URL for the Regional Access Boundary lookup endpoint, or None
if the service account email is missing.
if the service account email is missing. Returns None if the subject is populated.
"""
if self._subject:
# RAB does not apply to Workspace User Accounts via Domain-wide Delegation.
return None

Comment on lines +367 to +370

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Accessing self._subject on ImpersonatedCredentials will raise an AttributeError at runtime because _subject is not an attribute of this class. Furthermore, Domain-Wide Delegation (DWD) is not supported or applicable for impersonated credentials, so this check is unnecessary and should be removed.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting that Gemini thinks this doesn't exist as an attribute of this class - I think it is just flat out wrong here, right?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, it's hallucinating. Unfortunately it seems to be an existing issue with the gemini reviewer on this PR that it checks the code that was modified and if it doesn't see something being imported or initialized in the new block, it doesn't check if it already existed in the file.

if not self.service_account_email:
_LOGGER.error(
"Service account email is required to build the Regional Access Boundary lookup URL for impersonated credentials."
Expand Down
12 changes: 11 additions & 1 deletion packages/google-auth/google/auth/jwt.py
Original file line number Diff line number Diff line change
Expand Up @@ -585,7 +585,17 @@ def _perform_refresh_token(self, request):
self.token, self.expiry = self._make_jwt()

def _build_regional_access_boundary_lookup_url(self, request=None):
"""Builds the lookup URL using the service account's email address."""
"""Builds the lookup URL using the service account's email address.

Returns None if the subject is populated.
"""
# In jwt.Credentials, subject defaults to client_email (which is the issuer).
# We must check self._subject != self._issuer to correctly determine if
# Domain-Wide Delegation is active.
if self._subject and self._subject != self._issuer:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just double checking since this is a bit different than the impersonated credentials case where we just look at _subject being set - is this the canonical way for detecting "DwD" here?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it is intentional. In google.auth.jwt.Credentials (unlike service_account.Credentials or ImpersonatedCredentials), subject defaults to client_email (which is the issuer) if not provided. Therefore, self._subject is always populated, and we have to check self._subject != self._issuer to determine if DwD is actually being used. I'll add an inline comment here for our future reference.

# RAB does not apply to Workspace User Accounts via Domain-wide Delegation.
return None

if not self.signer_email:
return None

Expand Down
6 changes: 5 additions & 1 deletion packages/google-auth/google/oauth2/service_account.py
Original file line number Diff line number Diff line change
Expand Up @@ -514,8 +514,12 @@ def _build_regional_access_boundary_lookup_url(

Returns:
Optional[str]: The URL for the Regional Access Boundary lookup endpoint, or None
if the service account email is missing.
if the service account email is missing. Returns None if the subject is populated.
"""
if self._subject:
# RAB does not apply to Workspace User Accounts via Domain-wide Delegation.
return None

if not self.service_account_email:
_LOGGER.error(
"Service account email is required to build the Regional Access Boundary lookup URL for service account credentials."
Expand Down
4 changes: 4 additions & 0 deletions packages/google-auth/tests/oauth2/test_service_account.py
Original file line number Diff line number Diff line change
Expand Up @@ -290,6 +290,10 @@ def test_build_regional_access_boundary_lookup_url_mtls(self, monkeypatch):
)
assert url == expected_url

def test_build_regional_access_boundary_lookup_url_with_subject(self):
credentials = self.make_credentials().with_subject("user@example.com")
assert credentials._build_regional_access_boundary_lookup_url() is None

def test_with_token_uri(self):
credentials = self.make_credentials()
new_token_uri = "https://example2.com/oauth2/token"
Expand Down
4 changes: 4 additions & 0 deletions packages/google-auth/tests/test_impersonated_credentials.py
Original file line number Diff line number Diff line change
Expand Up @@ -759,6 +759,10 @@ def test_build_regional_access_boundary_lookup_url_success_mtls(self, monkeypatc
)
assert url == expected_url

def test_build_regional_access_boundary_lookup_url_with_subject(self):
credentials = self.make_credentials(subject="user@example.com")
assert credentials._build_regional_access_boundary_lookup_url() is None

Comment on lines +762 to +765

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Since ImpersonatedCredentials does not support Domain-Wide Delegation or have a _subject attribute, this test is testing an invalid scenario and should be removed.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is based on the same incorrect assumption as the previous comment. _subject is supported and this test correctly verifies the expected behavior when Domain-Wide Delegation is used. Keeping this test as-is.

def test_with_scopes_provide_default_scopes(self):
credentials = self.make_credentials()
credentials._target_scopes = []
Expand Down
27 changes: 25 additions & 2 deletions packages/google-auth/tests/test_jwt.py
Original file line number Diff line number Diff line change
Expand Up @@ -559,7 +559,14 @@ def test_build_regional_access_boundary_lookup_url_standard(self, monkeypatch):
# Mock check_use_client_cert to return False to simulate standard TLS
monkeypatch.setattr(_mtls_helper, "check_use_client_cert", lambda: False)

url = self.credentials._build_regional_access_boundary_lookup_url()
credentials = jwt.Credentials(
self.credentials._signer,
self.credentials.signer_email,
self.credentials.signer_email,
self.credentials._audience,
)

url = credentials._build_regional_access_boundary_lookup_url()
expected_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}/allowedLocations".format(
self.SERVICE_ACCOUNT_EMAIL
)
Expand All @@ -571,12 +578,28 @@ def test_build_regional_access_boundary_lookup_url_mtls(self, monkeypatch):
# Mock check_use_client_cert to return True to simulate mTLS
monkeypatch.setattr(_mtls_helper, "check_use_client_cert", lambda: True)

url = self.credentials._build_regional_access_boundary_lookup_url()
credentials = jwt.Credentials(
self.credentials._signer,
self.credentials.signer_email,
self.credentials.signer_email,
self.credentials._audience,
)

url = credentials._build_regional_access_boundary_lookup_url()
expected_url = "https://iamcredentials.mtls.googleapis.com/v1/projects/-/serviceAccounts/{}/allowedLocations".format(
self.SERVICE_ACCOUNT_EMAIL
)
assert url == expected_url

def test_build_regional_access_boundary_lookup_url_with_subject(self):
credentials = jwt.Credentials(
self.credentials._signer,
self.credentials._issuer,
"user@example.com",
self.credentials._audience,
)
assert credentials._build_regional_access_boundary_lookup_url() is None

def test_cloning_retains_rab_manager_data(self):
self.credentials._rab_manager._data = mock.sentinel.rab_data

Expand Down
Loading