feat: add sign method to JWT

src/auth/googleauth.ts

@@ -16,6 +16,7 @@
 
 import {AxiosError, AxiosRequestConfig, AxiosResponse} from 'axios';
 import {exec} from 'child_process';
+import crypto from 'crypto';
 import fs from 'fs';
 import * as gcpMetadata from 'gcp-metadata';
 import http from 'http';
@@ -723,4 +724,40 @@ export class GoogleAuth {
   getEnv(): Promise<GCPEnv> {
     return getEnv();
   }
+
+  /**
+   * Sign the given data with the current private key, or go out
+   * to the IAM API to sign it.
+   * @param data The data to be signed.
+   */
+  async sign(data: string): Promise<string> {
+    const client = await this.getClient();
+    if (client instanceof JWT && client.key) {
+      const sign = crypto.createSign('RSA-SHA256');
+      sign.update(data);
+      return sign.sign(client.key, 'base64');
+    }
+
+    const projectId = await this.getProjectId();
+    if (!projectId) {
+      throw new Error('Cannot sign data without a project ID.');
+    }
+
+    const creds = await this.getCredentials();
+    if (!creds.client_email) {
+      throw new Error('Cannot sign data without `client_email`.');
+    }
+
+    const id = `projects/${projectId}/serviceAccounts/${creds.client_email}`;
+    const res = await this.request<SignBlobResponse>({
+      method: 'POST',
+      url: `https://iam.googleapis.com/v1/${id}:signBlob`,
+      data: {bytesToSign: Buffer.from(data).toString('base64')}
+    });
+    return res.data.signature;
+  }
+}
+
+export interface SignBlobResponse {
+  signature: string;
 }

src/auth/jwtclient.ts

@@ -16,7 +16,6 @@
 
 import {GoogleToken} from 'gtoken';
 import stream from 'stream';
-
 import {CredentialBody, Credentials, JWTInput} from './credentials';
 import {JWTAccess} from './jwtaccess';
 import {GetTokenResponse, OAuth2Client, RefreshOptions, RequestMetadataResponse} from './oauth2client';

test/test.googleauth.ts

@@ -16,6 +16,7 @@
 
 import assert from 'assert';
 import child_process from 'child_process';
+import crypto from 'crypto';
 import fs from 'fs';
 import {BASE_PATH, HEADER_NAME, HOST_ADDRESS} from 'gcp-metadata';
 import nock from 'nock';
@@ -45,6 +46,7 @@ const privateJSON = require('../../test/fixtures/private.json');
 const private2JSON = require('../../test/fixtures/private2.json');
 const refreshJSON = require('../../test/fixtures/refresh.json');
 const fixedProjectId = 'my-awesome-project';
+const privateKey = fs.readFileSync('./test/fixtures/private.pem', 'utf-8');
 
 let auth: GoogleAuth;
 let sandbox: sinon.SinonSandbox|undefined;
@@ -1325,3 +1327,38 @@ it('should make the request', async () => {
   scopes.forEach(s => s.done());
   assert.deepEqual(res.data, data);
 });
+
+it('sign should use the private key for JWT clients', async () => {
+  const data = 'abc123';
+  const auth = new GoogleAuth({
+    credentials:
+        {client_email: '[email protected]', private_key: privateKey}
+  });
+  const value = await auth.sign(data);
+  const sign = crypto.createSign('RSA-SHA256');
+  sign.update(data);
+  const computed = sign.sign(privateKey, 'base64');
+  assert.equal(value, computed);
+});
+
+it('sign should hit the IAM endpoint if no private_key is available',
+   async () => {
+     mockEnvVar('GCLOUD_PROJECT', fixedProjectId);
+     const {auth, scopes} = mockGCE();
+     const email = '[email protected]';
+     const iamUri = `https://iam.googleapis.com`;
+     const iamPath =
+         `/v1/projects/${fixedProjectId}/serviceAccounts/${email}:signBlob`;
+     const signature = 'erutangis';
+     const data = 'abc123';
+     scopes.push(
+         nock(iamUri).post(iamPath).reply(200, {signature}),
+         nock(host)
+             .get(svcAccountPath)
+             .reply(
+                 200, {default: {email, private_key: privateKey}},
+                 {'Metadata-Flavor': 'Google'}));
+     const value = await auth.sign(data);
+     scopes.forEach(x => x.done());
+     assert.equal(value, signature);
+   });