googleauth 0.1.0 → 0.16.2

data/lib/googleauth/application_default.rb

@@ -0,0 +1,81 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "googleauth/compute_engine"
+require "googleauth/default_credentials"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
+      Could not load the default credentials. Browse to
+      https://developers.google.com/accounts/docs/application-default-credentials
+      for more information
+    ERROR_MESSAGE
+
+    module_function
+
+    # Obtains the default credentials implementation to use in this
+    # environment.
+    #
+    # Use this to obtain the Application Default Credentials for accessing
+    # Google APIs.  Application Default Credentials are described in detail
+    # at https://cloud.google.com/docs/authentication/production.
+    #
+    # If supplied, scope is used to create the credentials instance, when it can
+    # be applied.  E.g, on google compute engine and for user credentials the
+    # scope is ignored.
+    #
+    # @param scope [string|array|nil] the scope(s) to access
+    # @param options [Hash] Connection options. These may be used to configure
+    #     the `Faraday::Connection` used for outgoing HTTP requests. For
+    #     example, if a connection proxy must be used in the current network,
+    #     you may provide a connection with with the needed proxy options.
+    #     The following keys are recognized:
+    #     * `:default_connection` The connection object to use for token
+    #       refresh requests.
+    #     * `:connection_builder` A `Proc` that creates and returns a
+    #       connection to use for token refresh requests.
+    #     * `:connection` The connection to use to determine whether GCE
+    #       metadata credentials are available.
+    def get_application_default scope = nil, options = {}
+      creds = DefaultCredentials.from_env(scope, options) ||
+              DefaultCredentials.from_well_known_path(scope, options) ||
+              DefaultCredentials.from_system_default_path(scope, options)
+      return creds unless creds.nil?
+      unless GCECredentials.on_gce? options
+        # Clear cache of the result of GCECredentials.on_gce?
+        GCECredentials.unmemoize_all
+        raise NOT_FOUND_ERROR
+      end
+      GCECredentials.new scope: scope
+    end
+  end
+end

data/lib/googleauth/client_id.rb

@@ -0,0 +1,104 @@
+# Copyright 2014, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "multi_json"
+require "googleauth/credentials_loader"
+
+module Google
+  module Auth
+    # Representation of an application's identity for user authorization
+    # flows.
+    class ClientId
+      INSTALLED_APP = "installed".freeze
+      WEB_APP = "web".freeze
+      CLIENT_ID = "client_id".freeze
+      CLIENT_SECRET = "client_secret".freeze
+      MISSING_TOP_LEVEL_ELEMENT_ERROR =
+        "Expected top level property 'installed' or 'web' to be present.".freeze
+
+      # Text identifier of the client ID
+      # @return [String]
+      attr_reader :id
+
+      # Secret associated with the client ID
+      # @return [String]
+      attr_reader :secret
+
+      class << self
+        attr_accessor :default
+      end
+
+      # Initialize the Client ID
+      #
+      # @param [String] id
+      #  Text identifier of the client ID
+      # @param [String] secret
+      #  Secret associated with the client ID
+      # @note Direction instantion is discouraged to avoid embedding IDs
+      #       & secrets in source. See {#from_file} to load from
+      #       `client_secrets.json` files.
+      def initialize id, secret
+        CredentialsLoader.warn_if_cloud_sdk_credentials id
+        raise "Client id can not be nil" if id.nil?
+        raise "Client secret can not be nil" if secret.nil?
+        @id = id
+        @secret = secret
+      end
+
+      # Constructs a Client ID from a JSON file downloaded from the
+      # Google Developers Console.
+      #
+      # @param [String, File] file
+      #  Path of file to read from
+      # @return [Google::Auth::ClientID]
+      def self.from_file file
+        raise "File can not be nil." if file.nil?
+        File.open file.to_s do |f|
+          json = f.read
+          config = MultiJson.load json
+          from_hash config
+        end
+      end
+
+      # Constructs a Client ID from a previously loaded JSON file. The hash
+      # structure should
+      # match the expected JSON format.
+      #
+      # @param [hash] config
+      #  Parsed contents of the JSON file
+      # @return [Google::Auth::ClientID]
+      def self.from_hash config
+        raise "Hash can not be nil." if config.nil?
+        raw_detail = config[INSTALLED_APP] || config[WEB_APP]
+        raise MISSING_TOP_LEVEL_ELEMENT_ERROR if raw_detail.nil?
+        ClientId.new raw_detail[CLIENT_ID], raw_detail[CLIENT_SECRET]
+      end
+    end
+  end
+end

data/lib/googleauth/compute_engine.rb

@@ -27,46 +27,74 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'faraday'
-require 'googleauth/signet'
-require 'memoist'
+require "faraday"
+require "googleauth/signet"
+require "memoist"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
+    NO_METADATA_SERVER_ERROR = <<~ERROR.freeze
+      Error code 404 trying to get security access token
+      from Compute Engine metadata for the default service account. This
+      may be because the virtual machine instance does not have permission
+      scopes specified.
+    ERROR
+    UNEXPECTED_ERROR_SUFFIX = <<~ERROR.freeze
+      trying to get security access token from Compute Engine metadata for
+      the default service account
+    ERROR
+
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.
     class GCECredentials < Signet::OAuth2::Client
       # The IP Address is used in the URIs to speed up failures on non-GCE
       # systems.
-      COMPUTE_AUTH_TOKEN_URI = 'http://169.254.169.254/computeMetadata/v1/'\
-                               'instance/service-accounts/default/token'
-      COMPUTE_CHECK_URI = 'http://169.254.169.254'
+      DEFAULT_METADATA_HOST = "169.254.169.254".freeze
+
+      # @private Unused and deprecated
+      COMPUTE_AUTH_TOKEN_URI =
+        "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
+      # @private Unused and deprecated
+      COMPUTE_ID_TOKEN_URI =
+        "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
+      # @private Unused and deprecated
+      COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
       class << self
         extend Memoist
 
+        def metadata_host
+          ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
+        end
+
+        def compute_check_uri
+          "http://#{metadata_host}".freeze
+        end
+
+        def compute_auth_token_uri
+          "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
+        end
+
+        def compute_id_token_uri
+          "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
+        end
+
         # Detect if this appear to be a GCE instance, by checking if metadata
-        # is available
-        def on_gce?(options = {})
+        # is available.
+        def on_gce? options = {}
+          # TODO: This should use google-cloud-env instead.
           c = options[:connection] || Faraday.default_connection
-          resp = c.get(COMPUTE_CHECK_URI) do |req|
-            # Comment from: oauth2client/client.py
-            #
-            # Note: the explicit `timeout` below is a workaround. The underlying
-            # issue is that resolving an unknown host on some networks will take
-            # 20-30 seconds; making this timeout short fixes the issue, but
-            # could lead to false negatives in the event that we are on GCE, but
-            # the metadata resolution was particularly slow. The latter case is
-            # "unlikely".
-            req.options.timeout = 0.1
+          headers = { "Metadata-Flavor" => "Google" }
+          resp = c.get compute_check_uri, nil, headers do |req|
+            req.options.timeout = 1.0
+            req.options.open_timeout = 0.1
           end
           return false unless resp.status == 200
-          return false unless resp.headers.key?('Metadata-Flavor')
-          return resp.headers['Metadata-Flavor'] == 'Google'
+          resp.headers["Metadata-Flavor"] == "Google"
         rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-          return false
+          false
         end
 
         memoize :on_gce?
@@ -74,12 +102,31 @@ module Google
 
       # Overrides the super class method to change how access tokens are
       # fetched.
-      def fetch_access_token(options = {})
+      def fetch_access_token options = {}
         c = options[:connection] || Faraday.default_connection
-        c.headers = { 'Metadata-Flavor' => 'Google' }
-        resp = c.get(COMPUTE_AUTH_TOKEN_URI)
-        Signet::OAuth2.parse_credentials(resp.body,
-                                         resp.headers['content-type'])
+        retry_with_error do
+          uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
+          query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
+          query[:scopes] = Array(scope).join "," if scope
+          resp = c.get uri, query, "Metadata-Flavor" => "Google"
+          case resp.status
+          when 200
+            content_type = resp.headers["content-type"]
+            if ["text/html", "application/text"].include? content_type
+              { (target_audience ? "id_token" : "access_token") => resp.body }
+            else
+              Signet::OAuth2.parse_credentials resp.body, content_type
+            end
+          when 403, 500
+            msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
+            raise Signet::UnexpectedStatusError, msg
+          when 404
+            raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
+          else
+            msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
+            raise Signet::AuthorizationError, msg
+          end
+        end
       end
     end
   end

data/lib/googleauth/credentials.rb

@@ -0,0 +1,561 @@
+# Copyright 2017, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "forwardable"
+require "json"
+require "signet/oauth_2/client"
+
+require "googleauth/credentials_loader"
+
+module Google
+  module Auth
+    ##
+    # Credentials is a high-level base class used by Google's API client
+    # libraries to represent the authentication when connecting to an API.
+    # In most cases, it is subclassed by API-specific credential classes that
+    # can be instantiated by clients.
+    #
+    # ## Options
+    #
+    # Credentials classes are configured with options that dictate default
+    # values for parameters such as scope and audience. These defaults are
+    # expressed as class attributes, and may differ from endpoint to endpoint.
+    # Normally, an API client will provide subclasses specific to each
+    # endpoint, configured with appropriate values.
+    #
+    # Note that these options inherit up the class hierarchy. If a particular
+    # options is not set for a subclass, its superclass is queried.
+    #
+    # Some older users of this class set options via constants. This usage is
+    # deprecated. For example, instead of setting the `AUDIENCE` constant on
+    # your subclass, call the `audience=` method.
+    #
+    # ## Example
+    #
+    #     class MyCredentials < Google::Auth::Credentials
+    #       # Set the default scope for these credentials
+    #       self.scope = "http://example.com/my_scope"
+    #     end
+    #
+    #     # creds is a credentials object suitable for Google API clients
+    #     creds = MyCredentials.default
+    #     creds.scope  # => ["http://example.com/my_scope"]
+    #
+    #     class SubCredentials < MyCredentials
+    #       # Override the default scope for this subclass
+    #       self.scope = "http://example.com/sub_scope"
+    #     end
+    #
+    #     creds2 = SubCredentials.default
+    #     creds2.scope  # => ["http://example.com/sub_scope"]
+    #
+    class Credentials # rubocop:disable Metrics/ClassLength
+      ##
+      # The default token credential URI to be used when none is provided during initialization.
+      TOKEN_CREDENTIAL_URI = "https://oauth2.googleapis.com/token".freeze
+
+      ##
+      # The default target audience ID to be used when none is provided during initialization.
+      AUDIENCE = "https://oauth2.googleapis.com/token".freeze
+
+      @audience = @scope = @target_audience = @env_vars = @paths = @token_credential_uri = nil
+
+      ##
+      # The default token credential URI to be used when none is provided during initialization.
+      # The URI is the authorization server's HTTP endpoint capable of issuing tokens and
+      # refreshing expired tokens.
+      #
+      # @return [String]
+      #
+      def self.token_credential_uri
+        lookup_auth_param :token_credential_uri do
+          lookup_local_constant :TOKEN_CREDENTIAL_URI
+        end
+      end
+
+      ##
+      # Set the default token credential URI to be used when none is provided during initialization.
+      #
+      # @param [String] new_token_credential_uri
+      #
+      def self.token_credential_uri= new_token_credential_uri
+        @token_credential_uri = new_token_credential_uri
+      end
+
+      ##
+      # The default target audience ID to be used when none is provided during initialization.
+      # Used only by the assertion grant type.
+      #
+      # @return [String]
+      #
+      def self.audience
+        lookup_auth_param :audience do
+          lookup_local_constant :AUDIENCE
+        end
+      end
+
+      ##
+      # Sets the default target audience ID to be used when none is provided during initialization.
+      #
+      # @param [String] new_audience
+      #
+      def self.audience= new_audience
+        @audience = new_audience
+      end
+
+      ##
+      # The default scope to be used when none is provided during initialization.
+      # A scope is an access range defined by the authorization server.
+      # The scope can be a single value or a list of values.
+      #
+      # Either {#scope} or {#target_audience}, but not both, should be non-nil.
+      # If {#scope} is set, this credential will produce access tokens.
+      # If {#target_audience} is set, this credential will produce ID tokens.
+      #
+      # @return [String, Array<String>, nil]
+      #
+      def self.scope
+        lookup_auth_param :scope do
+          vals = lookup_local_constant :SCOPE
+          vals ? Array(vals).flatten.uniq : nil
+        end
+      end
+
+      ##
+      # Sets the default scope to be used when none is provided during initialization.
+      #
+      # Either {#scope} or {#target_audience}, but not both, should be non-nil.
+      # If {#scope} is set, this credential will produce access tokens.
+      # If {#target_audience} is set, this credential will produce ID tokens.
+      #
+      # @param [String, Array<String>, nil] new_scope
+      #
+      def self.scope= new_scope
+        new_scope = Array new_scope unless new_scope.nil?
+        @scope = new_scope
+      end
+
+      ##
+      # The default final target audience for ID tokens, to be used when none
+      # is provided during initialization.
+      #
+      # Either {#scope} or {#target_audience}, but not both, should be non-nil.
+      # If {#scope} is set, this credential will produce access tokens.
+      # If {#target_audience} is set, this credential will produce ID tokens.
+      #
+      # @return [String, nil]
+      #
+      def self.target_audience
+        lookup_auth_param :target_audience
+      end
+
+      ##
+      # Sets the default final target audience for ID tokens, to be used when none
+      # is provided during initialization.
+      #
+      # Either {#scope} or {#target_audience}, but not both, should be non-nil.
+      # If {#scope} is set, this credential will produce access tokens.
+      # If {#target_audience} is set, this credential will produce ID tokens.
+      #
+      # @param [String, nil] new_target_audience
+      #
+      def self.target_audience= new_target_audience
+        @target_audience = new_target_audience
+      end
+
+      ##
+      # The environment variables to search for credentials. Values can either be a file path to the
+      # credentials file, or the JSON contents of the credentials file.
+      # The env_vars will never be nil. If there are no vars, the empty array is returned.
+      #
+      # @return [Array<String>]
+      #
+      def self.env_vars
+        env_vars_internal || []
+      end
+
+      ##
+      # @private
+      # Internal recursive lookup for env_vars.
+      #
+      def self.env_vars_internal
+        lookup_auth_param :env_vars, :env_vars_internal do
+          # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
+          path_env_vars = lookup_local_constant :PATH_ENV_VARS
+          json_env_vars = lookup_local_constant :JSON_ENV_VARS
+          (Array(path_env_vars) + Array(json_env_vars)).flatten.uniq if path_env_vars || json_env_vars
+        end
+      end
+
+      ##
+      # Sets the environment variables to search for credentials.
+      # Setting to `nil` "unsets" the value, and defaults to the superclass
+      # (or to the empty array if there is no superclass).
+      #
+      # @param [String, Array<String>, nil] new_env_vars
+      #
+      def self.env_vars= new_env_vars
+        new_env_vars = Array new_env_vars unless new_env_vars.nil?
+        @env_vars = new_env_vars
+      end
+
+      ##
+      # The file paths to search for credentials files.
+      # The paths will never be nil. If there are no paths, the empty array is returned.
+      #
+      # @return [Array<String>]
+      #
+      def self.paths
+        paths_internal || []
+      end
+
+      ##
+      # @private
+      # Internal recursive lookup for paths.
+      #
+      def self.paths_internal
+        lookup_auth_param :paths, :paths_internal do
+          # Pull in values if the DEFAULT_PATHS constant exists.
+          vals = lookup_local_constant :DEFAULT_PATHS
+          vals ? Array(vals).flatten.uniq : nil
+        end
+      end
+
+      ##
+      # Set the file paths to search for credentials files.
+      # Setting to `nil` "unsets" the value, and defaults to the superclass
+      # (or to the empty array if there is no superclass).
+      #
+      # @param [String, Array<String>, nil] new_paths
+      #
+      def self.paths= new_paths
+        new_paths = Array new_paths unless new_paths.nil?
+        @paths = new_paths
+      end
+
+      ##
+      # @private
+      # Return the given parameter value, defaulting up the class hierarchy.
+      #
+      # First returns the value of the instance variable, if set.
+      # Next, calls the given block if provided. (This is generally used to
+      # look up legacy constant-based values.)
+      # Otherwise, calls the superclass method if present.
+      # Returns nil if all steps fail.
+      #
+      # @param name [Symbol] The parameter name
+      # @param method_name [Symbol] The lookup method name, if different
+      # @return [Object] The value
+      #
+      def self.lookup_auth_param name, method_name = name
+        val = instance_variable_get "@#{name}".to_sym
+        val = yield if val.nil? && block_given?
+        return val unless val.nil?
+        return superclass.send method_name if superclass.respond_to? method_name
+        nil
+      end
+
+      ##
+      # @private
+      # Return the value of the given constant if it is defined directly in
+      # this class, or nil if not.
+      #
+      # @param [Symbol] Name of the constant
+      # @return [Object] The value
+      #
+      def self.lookup_local_constant name
+        const_defined?(name, false) ? const_get(name) : nil
+      end
+
+      ##
+      # The Signet::OAuth2::Client object the Credentials instance is using.
+      #
+      # @return [Signet::OAuth2::Client]
+      #
+      attr_accessor :client
+
+      ##
+      # Identifier for the project the client is authenticating with.
+      #
+      # @return [String]
+      #
+      attr_reader :project_id
+
+      ##
+      # Identifier for a separate project used for billing/quota, if any.
+      #
+      # @return [String,nil]
+      #
+      attr_reader :quota_project_id
+
+      # @private Delegate client methods to the client object.
+      extend Forwardable
+
+      ##
+      # @!attribute [r] token_credential_uri
+      #   @return [String] The token credential URI. The URI is the authorization server's HTTP
+      #     endpoint capable of issuing tokens and refreshing expired tokens.
+      #
+      # @!attribute [r] audience
+      #   @return [String] The target audience ID when issuing assertions. Used only by the
+      #     assertion grant type.
+      #
+      # @!attribute [r] scope
+      #   @return [String, Array<String>] The scope for this client. A scope is an access range
+      #     defined by the authorization server. The scope can be a single value or a list of values.
+      #
+      # @!attribute [r] target_audience
+      #   @return [String] The final target audience for ID tokens returned by this credential.
+      #
+      # @!attribute [r] issuer
+      #   @return [String] The issuer ID associated with this client.
+      #
+      # @!attribute [r] signing_key
+      #   @return [String, OpenSSL::PKey] The signing key associated with this client.
+      #
+      # @!attribute [r] updater_proc
+      #   @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
+      #     suitable for passing as a closure.
+      #
+      def_delegators :@client,
+                     :token_credential_uri, :audience,
+                     :scope, :issuer, :signing_key, :updater_proc, :target_audience
+
+      ##
+      # Creates a new Credentials instance with the provided auth credentials, and with the default
+      # values configured on the class.
+      #
+      # @param [String, Hash, Signet::OAuth2::Client] keyfile
+      #   The keyfile can be provided as one of the following:
+      #
+      #   * The path to a JSON keyfile (as a +String+)
+      #   * The contents of a JSON keyfile (as a +Hash+)
+      #   * A +Signet::OAuth2::Client+ object
+      # @param [Hash] options
+      #   The options for configuring the credentials instance. The following is supported:
+      #
+      #   * +:scope+ - the scope for the client
+      #   * +"project_id"+ (and optionally +"project"+) - the project identifier for the client
+      #   * +:connection_builder+ - the connection builder to use for the client
+      #   * +:default_connection+ - the default connection to use for the client
+      #
+      def initialize keyfile, options = {}
+        verify_keyfile_provided! keyfile
+        @project_id = options["project_id"] || options["project"]
+        @quota_project_id = options["quota_project_id"]
+        case keyfile
+        when Signet::OAuth2::Client
+          update_from_signet keyfile
+        when Hash
+          update_from_hash keyfile, options
+        else
+          update_from_filepath keyfile, options
+        end
+        CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
+        @project_id ||= CredentialsLoader.load_gcloud_project_id
+        @client.fetch_access_token!
+        @env_vars = nil
+        @paths = nil
+        @scope = nil
+      end
+
+      ##
+      # Creates a new Credentials instance with auth credentials acquired by searching the
+      # environment variables and paths configured on the class, and with the default values
+      # configured on the class.
+      #
+      # The auth credentials are searched for in the following order:
+      #
+      # 1. configured environment variables (see {Credentials.env_vars})
+      # 2. configured default file paths (see {Credentials.paths})
+      # 3. application default (see {Google::Auth.get_application_default})
+      #
+      # @param [Hash] options
+      #   The options for configuring the credentials instance. The following is supported:
+      #
+      #   * +:scope+ - the scope for the client
+      #   * +"project_id"+ (and optionally +"project"+) - the project identifier for the client
+      #   * +:connection_builder+ - the connection builder to use for the client
+      #   * +:default_connection+ - the default connection to use for the client
+      #
+      # @return [Credentials]
+      #
+      def self.default options = {}
+        # First try to find keyfile file or json from environment variables.
+        client = from_env_vars options
+
+        # Second try to find keyfile file from known file paths.
+        client ||= from_default_paths options
+
+        # Finally get instantiated client from Google::Auth
+        client ||= from_application_default options
+        client
+      end
+
+      ##
+      # @private Lookup Credentials from environment variables.
+      def self.from_env_vars options
+        env_vars.each do |env_var|
+          str = ENV[env_var]
+          next if str.nil?
+          io =
+            if ::File.file? str
+              ::StringIO.new ::File.read str
+            else
+              json = ::JSON.parse str rescue nil
+              json ? ::StringIO.new(str) : nil
+            end
+          next if io.nil?
+          return from_io io, options
+        end
+        nil
+      end
+
+      ##
+      # @private Lookup Credentials from default file paths.
+      def self.from_default_paths options
+        paths.each do |path|
+          next unless path && ::File.file?(path)
+          io = ::StringIO.new ::File.read path
+          return from_io io, options
+        end
+        nil
+      end
+
+      ##
+      # @private Lookup Credentials using Google::Auth.get_application_default.
+      def self.from_application_default options
+        scope = options[:scope] || self.scope
+        auth_opts = {
+          token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
+          audience:               options[:audience] || audience,
+          target_audience:        options[:target_audience] || target_audience,
+          enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?
+        }
+        client = Google::Auth.get_application_default scope, auth_opts
+        new client, options
+      end
+
+      # @private Read credentials from a JSON stream.
+      def self.from_io io, options
+        creds_input = {
+          json_key_io:            io,
+          scope:                  options[:scope] || scope,
+          target_audience:        options[:target_audience] || target_audience,
+          enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?,
+          token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
+          audience:               options[:audience] || audience
+        }
+        client = Google::Auth::DefaultCredentials.make_creds creds_input
+        new client
+      end
+
+      private_class_method :from_env_vars,
+                           :from_default_paths,
+                           :from_application_default,
+                           :from_io
+
+      protected
+
+      # Verify that the keyfile argument is provided.
+      def verify_keyfile_provided! keyfile
+        return unless keyfile.nil?
+        raise "The keyfile passed to Google::Auth::Credentials.new was nil."
+      end
+
+      # Verify that the keyfile argument is a file.
+      def verify_keyfile_exists! keyfile
+        exists = ::File.file? keyfile
+        raise "The keyfile '#{keyfile}' is not a valid file." unless exists
+      end
+
+      # Initializes the Signet client.
+      def init_client keyfile, connection_options = {}
+        client_opts = client_options keyfile
+        Signet::OAuth2::Client.new(client_opts)
+                              .configure_connection(connection_options)
+      end
+
+      # returns a new Hash with string keys instead of symbol keys.
+      def stringify_hash_keys hash
+        hash.to_h.transform_keys(&:to_s)
+      end
+
+      # rubocop:disable Metrics/AbcSize
+
+      def client_options options
+        # Keyfile options have higher priority over constructor defaults
+        options["token_credential_uri"] ||= self.class.token_credential_uri
+        options["audience"] ||= self.class.audience
+        options["scope"] ||= self.class.scope
+        options["target_audience"] ||= self.class.target_audience
+
+        if !Array(options["scope"]).empty? && options["target_audience"]
+          raise ArgumentError, "Cannot specify both scope and target_audience"
+        end
+
+        needs_scope = options["target_audience"].nil?
+        # client options for initializing signet client
+        { token_credential_uri: options["token_credential_uri"],
+          audience:             options["audience"],
+          scope:                (needs_scope ? Array(options["scope"]) : nil),
+          target_audience:      options["target_audience"],
+          issuer:               options["client_email"],
+          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
+      end
+
+      # rubocop:enable Metrics/AbcSize
+
+      def update_from_signet client
+        @project_id ||= client.project_id if client.respond_to? :project_id
+        @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id
+        @client = client
+      end
+
+      def update_from_hash hash, options
+        hash = stringify_hash_keys hash
+        hash["scope"] ||= options[:scope]
+        hash["target_audience"] ||= options[:target_audience]
+        @project_id ||= (hash["project_id"] || hash["project"])
+        @quota_project_id ||= hash["quota_project_id"]
+        @client = init_client hash, options
+      end
+
+      def update_from_filepath path, options
+        verify_keyfile_exists! path
+        json = JSON.parse ::File.read(path)
+        json["scope"] ||= options[:scope]
+        json["target_audience"] ||= options[:target_audience]
+        @project_id ||= (json["project_id"] || json["project"])
+        @quota_project_id ||= json["quota_project_id"]
+        @client = init_client json, options
+      end
+    end
+  end
+end