[googleapis_auth] feat: Add smart signing extension method to AuthClient (#712)

Author: demolaf

googleapis_auth/CHANGELOG.md

@@ -4,6 +4,7 @@
 - Add `sign()` method to `ServiceAccountCredentials` for RSA-SHA256 signing
 - Add `IAMSigner` class for signing via IAM Credentials API
 - Add `clientViaServiceAccountImpersonation()` function and `ImpersonatedAuthClient` class for service account impersonation via IAM Credentials API
+- Add `AuthClientSigningExtension` extension on `AuthClient` providing a universal `sign()` method that works across all auth contexts (service accounts, ADC, impersonated credentials)
 - Require `meta: ^1.0.2`
 - Require `sdk: ^3.9.0`
 - Drop unneeded `args` dependency.

googleapis_auth/lib/googleapis_auth.dart

@@ -26,6 +26,7 @@
 library;
 
 export 'src/auth_client.dart';
+export 'src/auth_client_signing_extension.dart';
 export 'src/auth_endpoints.dart';
 export 'src/auth_functions.dart';
 export 'src/client_id.dart';

googleapis_auth/lib/src/auth_client_signing_extension.dart

@@ -0,0 +1,91 @@
+// Copyright (c) 2026, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'dart:convert';
+
+import 'auth_client.dart';
+import 'iam_signer.dart';
+import 'impersonated_auth_client.dart';
+import 'utils.dart';
+
+/// Extension providing smart signing capabilities for [AuthClient].
+///
+/// This extension adds a universal [sign] method that automatically selects
+/// the appropriate signing strategy based on the authentication context:
+///
+/// 1. **ImpersonatedAuthClient**: Uses IAM signBlob with the target principal
+/// 2. **Service account credentials**: Uses local RSA-SHA256 signing
+/// 3. **Other auth clients** (ADC on GCE/Cloud Run): Uses IAM signBlob with
+///    the default service account from metadata server
+///
+/// Example usage:
+/// ```dart
+/// // Works with service account credentials
+/// final client = await clientViaServiceAccount(credentials, scopes);
+/// final signature = await client.sign(utf8.encode('data to sign'));
+///
+/// // Works with ADC on GCE/Cloud Run
+/// final client = await clientViaApplicationDefaultCredentials(scopes: scopes);
+/// final signature = await client.sign(utf8.encode('data to sign'));
+///
+/// // Works with impersonated credentials
+/// final client = await clientViaServiceAccountImpersonation(
+///   sourceClient: sourceClient,
+///   targetServiceAccount: 'target@project.iam.gserviceaccount.com',
+///   targetScopes: scopes,
+/// );
+/// final signature = await client.sign(utf8.encode('data to sign'));
+/// ```
+extension AuthClientSigningExtension on AuthClient {
+  /// Signs some bytes using the credentials from this auth client.
+  ///
+  /// The signing behavior depends on the auth client type:
+  /// - [ImpersonatedAuthClient]: Uses IAM signBlob API to sign using the
+  ///   target principal.
+  /// - Auth clients with service account credentials: Signs locally using
+  ///   RSA-SHA256.
+  /// - Other auth clients: Uses IAM signBlob API with the default service
+  ///   account.
+  ///
+  /// [data] is the bytes to be signed.
+  ///
+  /// [endpoint] is an optional custom IAM Credentials API endpoint. This is
+  /// useful when working with different universe domains. If not provided,
+  /// the endpoint is automatically determined from the credential's universe
+  /// domain (e.g., `https://iamcredentials.googleapis.com` for the default
+  /// universe, or a custom universe domain from the service account JSON).
+  ///
+  /// Returns the signature as a String (base64-encoded).
+  ///
+  /// Example:
+  /// ```dart
+  /// import 'dart:convert';
+  ///
+  /// final client = await clientViaServiceAccount(credentials, scopes);
+  /// final data = utf8.encode('data to sign');
+  /// final signature = await client.sign(data);
+  /// print('Signature (base64): $signature');
+  /// ```
+  Future<String> sign(List<int> data, {String? endpoint}) async {
+    // Check if this is an impersonated client
+    if (this is ImpersonatedAuthClient) {
+      final impersonated = this as ImpersonatedAuthClient;
+      return impersonated.sign(data);
+    }
+
+    // Check if we have service account credentials for local signing
+    final serviceAccountCreds = serviceAccountCredentials;
+
+    if (serviceAccountCreds != null) {
+      // Use local signing with service account credentials
+      return base64Encode(serviceAccountCreds.sign(data));
+    }
+
+    // If we're NOT using local signing, use IAM API signing
+    final universeDomain =
+        serviceAccountCreds?.universeDomain ?? defaultUniverseDomain;
+    endpoint ??= 'https://iamcredentials.$universeDomain';
+    return IAMSigner(this, endpoint: endpoint).sign(data);
+  }
+}

googleapis_auth/test/auth_client_signing_extension_test.dart

@@ -0,0 +1,273 @@
+// Copyright (c) 2026, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'dart:convert';
+
+import 'package:googleapis_auth/src/auth_client_signing_extension.dart';
+import 'package:googleapis_auth/src/auth_functions.dart';
+import 'package:googleapis_auth/src/impersonated_auth_client.dart';
+import 'package:googleapis_auth/src/service_account_client.dart';
+import 'package:googleapis_auth/src/service_account_credentials.dart';
+import 'package:http/http.dart' as http;
+import 'package:test/test.dart';
+
+import 'test_utils.dart';
+
+void main() {
+  group('auth-client-signing-extension', () {
+    final dataToSign = utf8.encode('data to sign');
+
+    test('sign with service account credentials uses local signing', () async {
+      // Create service account credentials with private key
+      final credentials = ServiceAccountCredentials.fromJson({
+        'private_key_id': '1',
+        'private_key': testPrivateKeyString,
+        'client_email': 'test@test.iam.gserviceaccount.com',
+        'client_id': 'test',
+        'type': 'service_account',
+      });
+
+      final client = await clientViaServiceAccount(
+        credentials,
+        ['https://www.googleapis.com/auth/cloud-platform'],
+        baseClient: mockClient(
+          (request) async => http.Response(
+            jsonEncode({
+              'access_token': 'test-token',
+              'token_type': 'Bearer',
+              'expires_in': 3600,
+            }),
+            200,
+            headers: jsonContentType,
+          ),
+          expectClose: false,
+        ),
+      );
+
+      // Should use local RSA signing, no HTTP requests to IAM API
+      final signature = await client.sign(dataToSign);
+
+      expect(signature, isNotEmpty);
+      expect(
+        signature.length,
+        equals(344),
+      ); // RSA-2048 signature base64-encoded length
+
+      client.close();
+    });
+
+    test('sign with impersonated client uses IAM API', () async {
+      var requestCount = 0;
+      final baseClient = mockClient(
+        expectAsync1((request) async {
+          requestCount++;
+
+          if (requestCount == 1) {
+            // Initial generateAccessToken for impersonated client
+            final expireTime = DateTime.now().toUtc().add(
+              const Duration(hours: 1),
+            );
+            return http.Response(
+              jsonEncode({
+                'accessToken': 'impersonated-token',
+                'expireTime': expireTime.toIso8601String(),
+              }),
+              200,
+              headers: jsonContentType,
+            );
+          } else {
+            // signBlob request via ImpersonatedAuthClient.sign()
+            expect(request.method, equals('POST'));
+            expect(request.url.toString(), contains(':signBlob'));
+
+            return http.Response(
+              jsonEncode({
+                'signedBlob': base64Encode([1, 2, 3, 4, 5]),
+              }),
+              200,
+              headers: jsonContentType,
+            );
+          }
+        }, count: 2),
+        expectClose: false,
+      );
+
+      final sourceCredentials = AccessCredentials(
+        AccessToken(
+          'Bearer',
+          'source-token',
+          DateTime.now().toUtc().add(const Duration(hours: 1)),
+        ),
+        null,
+        [],
+      );
+      final sourceClient = authenticatedClient(baseClient, sourceCredentials);
+
+      final impersonated = await clientViaServiceAccountImpersonation(
+        sourceClient: sourceClient,
+        targetServiceAccount: 'target@project.iam.gserviceaccount.com',
+        targetScopes: ['https://www.googleapis.com/auth/cloud-platform'],
+      );
+
+      final signature = await impersonated.sign(dataToSign);
+
+      expect(signature, equals(base64Encode([1, 2, 3, 4, 5])));
+
+      impersonated.close();
+    });
+
+    test('explicitly calling extension on impersonated client delegates to '
+        'instance method', () async {
+      var requestCount = 0;
+      final baseClient = mockClient(
+        expectAsync1((request) async {
+          requestCount++;
+
+          if (requestCount == 1) {
+            // Initial generateAccessToken for impersonated client
+            final expireTime = DateTime.now().toUtc().add(
+              const Duration(hours: 1),
+            );
+            return http.Response(
+              jsonEncode({
+                'accessToken': 'impersonated-token',
+                'expireTime': expireTime.toIso8601String(),
+              }),
+              200,
+              headers: jsonContentType,
+            );
+          } else {
+            // signBlob request via ImpersonatedAuthClient.sign()
+            expect(request.method, equals('POST'));
+            expect(request.url.toString(), contains(':signBlob'));
+
+            return http.Response(
+              jsonEncode({
+                'signedBlob': base64Encode([5, 6, 7, 8]),
+              }),
+              200,
+              headers: jsonContentType,
+            );
+          }
+        }, count: 2),
+        expectClose: false,
+      );
+
+      final sourceCredentials = AccessCredentials(
+        AccessToken(
+          'Bearer',
+          'source-token',
+          DateTime.now().toUtc().add(const Duration(hours: 1)),
+        ),
+        null,
+        [],
+      );
+      final sourceClient = authenticatedClient(baseClient, sourceCredentials);
+
+      final impersonated = await clientViaServiceAccountImpersonation(
+        sourceClient: sourceClient,
+        targetServiceAccount: 'target@project.iam.gserviceaccount.com',
+        targetScopes: ['https://www.googleapis.com/auth/cloud-platform'],
+      );
+
+      // Explicitly call the extension method with endpoint parameter
+      // The endpoint is ignored since ImpersonatedAuthClient uses its
+      // configured universe domain
+      final signature = await AuthClientSigningExtension(
+        impersonated,
+      ).sign(dataToSign, endpoint: 'https://iamcredentials.example.com');
+
+      expect(signature, equals(base64Encode([5, 6, 7, 8])));
+
+      impersonated.close();
+    });
+
+    test('sign without service account credentials uses IAM API', () async {
+      final baseClient = mockClient(
+        expectAsync1((request) async {
+          if (request.url.path.contains('/email')) {
+            // Metadata server request for service account email
+            return http.Response('test@test.iam.gserviceaccount.com', 200);
+          } else {
+            // IAM signBlob request
+            expect(request.method, equals('POST'));
+            expect(request.url.toString(), contains(':signBlob'));
+
+            final body = jsonDecode(request.body) as Map<String, dynamic>;
+            expect(body['payload'], equals(base64Encode(dataToSign)));
+
+            return http.Response(
+              jsonEncode({
+                'signedBlob': base64Encode([10, 20, 30]),
+              }),
+              200,
+              headers: jsonContentType,
+            );
+          }
+        }, count: 2),
+        expectClose: false,
+      );
+
+      final credentials = AccessCredentials(
+        AccessToken(
+          'Bearer',
+          'token',
+          DateTime.now().toUtc().add(const Duration(hours: 1)),
+        ),
+        null,
+        [],
+      );
+      final client = authenticatedClient(baseClient, credentials);
+
+      final signature = await client.sign(dataToSign);
+
+      expect(signature, equals(base64Encode([10, 20, 30])));
+
+      client.close();
+    }, testOn: 'vm');
+
+    test('sign with custom endpoint extracts universe domain', () async {
+      final baseClient = mockClient(
+        expectAsync1((request) async {
+          if (request.url.path.contains('/email')) {
+            // Metadata server request for service account email
+            return http.Response('test@test.iam.gserviceaccount.com', 200);
+          } else {
+            // IAM signBlob request - verify custom universe domain is used
+            expect(request.url.host, equals('iamcredentials.example.com'));
+
+            return http.Response(
+              jsonEncode({
+                'signedBlob': base64Encode([5, 6, 7]),
+              }),
+              200,
+              headers: jsonContentType,
+            );
+          }
+        }, count: 2),
+        expectClose: false,
+      );
+
+      final credentials = AccessCredentials(
+        AccessToken(
+          'Bearer',
+          'token',
+          DateTime.now().toUtc().add(const Duration(hours: 1)),
+        ),
+        null,
+        [],
+      );
+      final client = authenticatedClient(baseClient, credentials);
+
+      final signature = await client.sign(
+        dataToSign,
+        endpoint: 'https://iamcredentials.example.com',
+      );
+
+      expect(signature, equals(base64Encode([5, 6, 7])));
+
+      client.close();
+    }, testOn: 'vm');
+  });
+}