-
Notifications
You must be signed in to change notification settings - Fork 1.7k
fix: disable RAB lookup for Domain-Wide Delegation #17763
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -585,7 +585,17 @@ def _perform_refresh_token(self, request): | |
| self.token, self.expiry = self._make_jwt() | ||
|
|
||
| def _build_regional_access_boundary_lookup_url(self, request=None): | ||
| """Builds the lookup URL using the service account's email address.""" | ||
| """Builds the lookup URL using the service account's email address. | ||
|
|
||
| Returns None if the subject is populated. | ||
| """ | ||
| # In jwt.Credentials, subject defaults to client_email (which is the issuer). | ||
| # We must check self._subject != self._issuer to correctly determine if | ||
| # Domain-Wide Delegation is active. | ||
| if self._subject and self._subject != self._issuer: | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just double checking since this is a bit different than the impersonated credentials case where we just look at _subject being set - is this the canonical way for detecting "DwD" here?
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, it is intentional. In google.auth.jwt.Credentials (unlike service_account.Credentials or ImpersonatedCredentials), subject defaults to client_email (which is the issuer) if not provided. Therefore, self._subject is always populated, and we have to check self._subject != self._issuer to determine if DwD is actually being used. I'll add an inline comment here for our future reference. |
||
| # RAB does not apply to Workspace User Accounts via Domain-wide Delegation. | ||
| return None | ||
|
|
||
| if not self.signer_email: | ||
| return None | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -759,6 +759,10 @@ def test_build_regional_access_boundary_lookup_url_success_mtls(self, monkeypatc | |
| ) | ||
| assert url == expected_url | ||
|
|
||
| def test_build_regional_access_boundary_lookup_url_with_subject(self): | ||
| credentials = self.make_credentials(subject="user@example.com") | ||
| assert credentials._build_regional_access_boundary_lookup_url() is None | ||
|
|
||
|
Comment on lines
+762
to
+765
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is based on the same incorrect assumption as the previous comment. _subject is supported and this test correctly verifies the expected behavior when Domain-Wide Delegation is used. Keeping this test as-is. |
||
| def test_with_scopes_provide_default_scopes(self): | ||
| credentials = self.make_credentials() | ||
| credentials._target_scopes = [] | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accessing
self._subjectonImpersonatedCredentialswill raise anAttributeErrorat runtime because_subjectis not an attribute of this class. Furthermore, Domain-Wide Delegation (DWD) is not supported or applicable for impersonated credentials, so this check is unnecessary and should be removed.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting that Gemini thinks this doesn't exist as an attribute of this class - I think it is just flat out wrong here, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup, it's hallucinating. Unfortunately it seems to be an existing issue with the gemini reviewer on this PR that it checks the code that was modified and if it doesn't see something being imported or initialized in the new block, it doesn't check if it already existed in the file.