Use TLS 1.2 for SignJWT

2026-06-28 09:51:36 +00:00 · 2023-04-06 09:36:23 +00:00
parent 024177b0c7
commit 8bc6814b42
4 changed files with 17 additions and 6 deletions
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -7195,8 +7195,10 @@ def enable_apis():
            controlflow.invalid_argument_exit(sys.argv[i],
                                              'gam enable apis')
    GAMProjectAPIs = getGAMProjectFile('project-apis.txt').splitlines()
+    request = signjwt.get_request()
    try:
-        _, projectId = google.auth.default()
+        _, projectId = google.auth.default(scopes=signjwt._IAM_SCOPES,
+                request=request)
    except google.auth.exceptions.DefaultCredentialsError as e:
        projectId = input('Please enter your project ID: ')
    while a_or_m not in ['a', 'm']:
@@ -7962,9 +7964,9 @@ def create_signjwt_serviceaccount():
            'key_type': 'signjwt',
            'token_uri': 'https://oauth2.googleapis.com/token'
            }
-    request = transport.create_request()
+    request = signjwt.get_request()
    try:
-        creds, sa_info['project_id'] = google.auth.default(scopes=['https://www.googleapis.com/auth/iam'],
+        creds, sa_info['project_id'] = google.auth.default(scopes=signjwt._IAM_SCOPES,
                request=request)
    except google.auth.exceptions.DefaultCredentialsError as e:
        controlflow.system_error_exit(2, e)
--- a/src/gam/auth/signjwt.py
+++ b/src/gam/auth/signjwt.py
@@ -14,6 +14,13 @@ from gam.var import GM_Globals, GM_CACHE_DIR

 _DEFAULT_TOKEN_LIFETIME_SECS = 3600  # 1 hour in seconds
 _GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
+_IAM_SCOPES = ['https://www.googleapis.com/auth/iam']
+
+# Some Workforce Identity Federation endpoints such as GitHub Actions
+# only allow TLS 1.2 as of April 2023.
+def get_request():
+    httpc = transport.create_http(override_min_tls='TLSv1_2')
+    return transport.create_request(httpc)


 class JWTCredentials(google.auth.jwt.Credentials):
@@ -73,8 +80,10 @@ class SignJwt(google.auth.crypt.Signer):

    def sign(self, message):
        ''' Call IAM Credentials SignJWT API to get our signed JWT '''
+        request = get_request()
        try:
-            credentials, _ = google.auth.default(scopes=['https://www.googleapis.com/auth/iam'])
+            credentials, _ = google.auth.default(scopes=_IAM_SCOPES,
+                    request=request)
        except google.auth.exceptions.DefaultCredentialsError as e:
            controlflow.system_error_exit(2, e)
        httpObj = transport.AuthorizedHttp(
--- a/src/gam/var.py
+++ b/src/gam/var.py
@@ -1347,7 +1347,7 @@ GC_TLS_MAX_VERSION = 'tls_max_ver'
 # Path to certificate authority file for validating TLS hosts
 GC_CA_FILE = 'ca_file'

-TLS_MIN = 'TLSv1_3' if hasattr(ssl.SSLContext(), 'minimum_version') else None
+TLS_MIN = 'TLSv1_3'
 GC_Defaults = {
    GC_ADMIN_EMAIL: '',
    GC_AUTO_BATCH_MIN: 0,
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -4,7 +4,7 @@ filelock
 google-api-python-client>=2.1
 google-auth-httplib2
 google-auth-oauthlib>=0.4.1
-google-auth[reauth]>=2.3.2
+google-auth>=2.3.2
 httplib2>=0.17.0
 passlib>=1.7.2
 pathvalidate