googleauth 0.14.0 → 0.16.2

data/lib/googleauth/credentials_loader.rb

@@ -103,7 +103,7 @@ module Google
             return make_creds options.merge(json_key_io: f)
           end
         elsif service_account_env_vars? || authorized_user_env_vars?
-          return make_creds options
+          make_creds options
         end
       rescue StandardError => e
         raise "#{NOT_FOUND_ERROR}: #{e}"

data/lib/googleauth/iam.rb

@@ -68,7 +68,7 @@ module Google
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, _opts = {}| apply a_hash }
       end
     end
   end

data/lib/googleauth/id_tokens/key_sources.rb

@@ -171,7 +171,9 @@ module Google
             curve_name = CURVE_NAME_MAP[jwk[:crv]]
             raise KeySourceError, "Unsupported EC curve #{jwk[:crv]}" unless curve_name
             group = OpenSSL::PKey::EC::Group.new curve_name
-            bn = OpenSSL::BN.new ["04" + x_data.unpack1("H*") + y_data.unpack1("H*")].pack("H*"), 2
+            x_hex = x_data.unpack1 "H*"
+            y_hex = y_data.unpack1 "H*"
+            bn = OpenSSL::BN.new ["04#{x_hex}#{y_hex}"].pack("H*"), 2
             key = OpenSSL::PKey::EC.new curve_name
             key.public_key = OpenSSL::PKey::EC::Point.new group, bn
             key
@@ -284,10 +286,10 @@ module Google
             raise KeySourceError, "Unable to retrieve data from #{uri}" unless response.is_a? Net::HTTPSuccess
 
             data = begin
-                     JSON.parse response.body
-                   rescue JSON::ParserError
-                     raise KeySourceError, "Unable to parse JSON"
-                   end
+              JSON.parse response.body
+            rescue JSON::ParserError
+              raise KeySourceError, "Unable to parse JSON"
+            end
 
             @current_keys = Array(interpret_json(data))
           end

data/lib/googleauth/id_tokens/verifier.rb

@@ -105,15 +105,13 @@ module Google
         def decode_token token, keys, aud, azp, iss
           payload = nil
           keys.find do |key|
-            begin
-              options = { algorithms: key.algorithm }
-              decoded_token = JWT.decode token, key.key, true, options
-              payload = decoded_token.first
-            rescue JWT::ExpiredSignature
-              raise ExpiredTokenError, "Token signature is expired"
-            rescue JWT::DecodeError
-              nil # Try the next key
-            end
+            options = { algorithms: key.algorithm }
+            decoded_token = JWT.decode token, key.key, true, options
+            payload = decoded_token.first
+          rescue JWT::ExpiredSignature
+            raise ExpiredTokenError, "Token signature is expired"
+          rescue JWT::DecodeError
+            nil # Try the next key
           end
 
           normalize_and_verify_payload payload, aud, azp, iss

data/lib/googleauth/scope_util.rb

@@ -51,7 +51,7 @@ module Google
         when Array
           scope
         when String
-          scope.split " "
+          scope.split
         else
           raise "Invalid scope value. Must be string or array"
         end

data/lib/googleauth/service_account.rb

@@ -53,12 +53,18 @@ module Google
       attr_reader :project_id
       attr_reader :quota_project_id
 
+      def enable_self_signed_jwt?
+        @enable_self_signed_jwt
+      end
+
       # Creates a ServiceAccountCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
       def self.make_creds options = {}
-        json_key_io, scope, target_audience = options.values_at :json_key_io, :scope, :target_audience
+        json_key_io, scope, enable_self_signed_jwt, target_audience, audience, token_credential_uri =
+          options.values_at :json_key_io, :scope, :enable_self_signed_jwt, :target_audience,
+                            :audience, :token_credential_uri
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
         if json_key_io
@@ -71,14 +77,15 @@ module Google
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
-        new(token_credential_uri: TOKEN_CRED_URI,
-            audience:             TOKEN_CRED_URI,
-            scope:                scope,
-            target_audience:      target_audience,
-            issuer:               client_email,
-            signing_key:          OpenSSL::PKey::RSA.new(private_key),
-            project_id:           project_id,
-            quota_project_id:     quota_project_id)
+        new(token_credential_uri:   token_credential_uri || TOKEN_CRED_URI,
+            audience:               audience || TOKEN_CRED_URI,
+            scope:                  scope,
+            enable_self_signed_jwt: enable_self_signed_jwt,
+            target_audience:        target_audience,
+            issuer:                 client_email,
+            signing_key:            OpenSSL::PKey::RSA.new(private_key),
+            project_id:             project_id,
+            quota_project_id:       quota_project_id)
           .configure_connection(options)
       end
 
@@ -94,30 +101,35 @@ module Google
       def initialize options = {}
         @project_id = options[:project_id]
         @quota_project_id = options[:quota_project_id]
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
         super options
       end
 
-      # Extends the base class.
-      #
-      # If scope(s) is not set, it creates a transient
-      # ServiceAccountJwtHeaderCredentials instance and uses that to
-      # authenticate instead.
+      # Extends the base class to use a transient
+      # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use the base implementation if scopes are set
-        unless scope.nil? && target_audience.nil?
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token.
+        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+          apply_self_signed_jwt! a_hash
+        else
           super
-          return
         end
+      end
+
+      private
 
+      def apply_self_signed_jwt! a_hash
         # Use the ServiceAccountJwtHeaderCredentials using the same cred values
-        # if no scopes are set.
         cred_json = {
-          private_key:  @signing_key.to_s,
-          client_email: @issuer
+          private_key: @signing_key.to_s,
+          client_email: @issuer,
+          project_id: @project_id,
+          quota_project_id: @quota_project_id
         }
-        alt_clz = ServiceAccountJwtHeaderCredentials
         key_io = StringIO.new MultiJson.dump(cred_json)
-        alt = alt_clz.make_creds json_key_io: key_io
+        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io
         alt.apply! a_hash
       end
     end
@@ -193,7 +205,7 @@ module Google
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
       protected

data/lib/googleauth/signet.rb

@@ -63,7 +63,7 @@ module Signet
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
       def on_refresh &block

data/lib/googleauth/stores/file_token_store.rb

@@ -40,6 +40,7 @@ module Google
         # @param [String, File] file
         #  Path to storage file
         def initialize options = {}
+          super()
           path = options[:file]
           @store = YAML::Store.new path
         end

data/lib/googleauth/stores/redis_token_store.rb

@@ -49,6 +49,7 @@ module Google
         #  the options passed through. You may include any other keys accepted
         #  by `Redis.new`
         def initialize options = {}
+          super()
           redis = options.delete :redis
           prefix = options.delete :prefix
           @redis = case redis

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "0.14.0".freeze
+    VERSION = "0.16.2".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -58,12 +58,9 @@ module Google
     #    end
     #
     # Instead of implementing the callback directly, applications are
-    # encouraged to use {Google::Auth::Web::AuthCallbackApp} instead.
+    # encouraged to use {Google::Auth::WebUserAuthorizer::CallbackApp} instead.
     #
-    # For rails apps, see {Google::Auth::ControllerHelpers}
-    #
-    # @see {Google::Auth::AuthCallbackApp}
-    # @see {Google::Auth::ControllerHelpers}
+    # @see CallbackApp
     # @note Requires sessions are enabled
     class WebUserAuthorizer < Google::Auth::UserAuthorizer
       STATE_PARAM = "state".freeze
@@ -192,7 +189,7 @@ module Google
       #  May raise an error if an authorization code is present in the session
       #  and exchange of the code fails
       def get_credentials user_id, request = nil, scope = nil
-        if request && request.session.key?(CALLBACK_STATE_KEY)
+        if request&.session&.key? CALLBACK_STATE_KEY
           # Note - in theory, no need to check required scope as this is
           # expected to be called immediately after a return from authorization
           state_json = request.session.delete CALLBACK_STATE_KEY
@@ -261,7 +258,7 @@ module Google
       #       Google::Auth::WebUserAuthorizer::CallbackApp.call(env)
       #     end
       #
-      # @see {Google::Auth::WebUserAuthorizer}
+      # @see Google::Auth::WebUserAuthorizer
       class CallbackApp
         LOCATION_HEADER = "Location".freeze
         REDIR_STATUS = 302

data/spec/googleauth/compute_engine_spec.rb

@@ -90,6 +90,24 @@ describe Google::Auth::GCECredentials do
         expect(stub).to have_been_requested
       end
 
+      it "should fail if the metadata request returns a 403" do
+        stub = stub_request(:get, MD_ACCESS_URI)
+                 .to_return(status:  403,
+                            headers: { "Metadata-Flavor" => "Google" })
+        expect { @client.fetch_access_token! }
+          .to raise_error Signet::AuthorizationError
+        expect(stub).to have_been_requested.times(6)
+      end
+
+      it "should fail if the metadata request returns a 500" do
+        stub = stub_request(:get, MD_ACCESS_URI)
+                 .to_return(status:  500,
+                            headers: { "Metadata-Flavor" => "Google" })
+        expect { @client.fetch_access_token! }
+          .to raise_error Signet::AuthorizationError
+        expect(stub).to have_been_requested.times(6)
+      end
+
       it "should fail if the metadata request returns an unexpected code" do
         stub = stub_request(:get, MD_ACCESS_URI)
                .to_return(status:  503,

data/spec/googleauth/credentials_spec.rb

@@ -46,42 +46,47 @@ describe Google::Auth::Credentials, :private do
     }
   end
 
-  it "uses a default scope" do
+  def mock_signet
     mocked_signet = double "Signet::OAuth2::Client"
     allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
     allow(mocked_signet).to receive(:client_id)
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      yield options if block_given?
+      mocked_signet
+    end
+    mocked_signet
+  end
+
+  it "uses a default scope" do
+    mock_signet do |options|
       expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
       expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
       expect(options[:scope]).to eq([])
       expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-      mocked_signet
     end
 
     Google::Auth::Credentials.new default_keyfile_hash
   end
 
   it "uses a custom scope" do
-    mocked_signet = double "Signet::OAuth2::Client"
-    allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-    allow(mocked_signet).to receive(:client_id)
-    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+    mock_signet do |options|
       expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
       expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
       expect(options[:scope]).to eq(["http://example.com/scope"])
       expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-      mocked_signet
     end
 
     Google::Auth::Credentials.new default_keyfile_hash, scope: "http://example.com/scope"
   end
 
+  it "uses empty paths and env_vars by default" do
+    expect(Google::Auth::Credentials.paths).to eq([])
+    expect(Google::Auth::Credentials.env_vars).to eq([])
+  end
+
   describe "using CONSTANTS" do
     it "can be subclassed to pass in other env paths" do
       test_path_env_val = "/unknown/path/to/file.txt".freeze
@@ -101,21 +106,22 @@ describe Google::Auth::Credentials, :private do
       allow(::File).to receive(:file?).with(test_path_env_val) { false }
       allow(::File).to receive(:file?).with(test_json_env_val) { false }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://example.com/token")
         expect(options[:audience]).to eq("https://example.com/audience")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to eq(true)
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(test_json_env_val)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
-      creds = TestCredentials1.default
+      creds = TestCredentials1.default enable_self_signed_jwt: true
       expect(creds).to be_a_kind_of(TestCredentials1)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
@@ -130,25 +136,28 @@ describe Google::Auth::Credentials, :private do
         DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
       end
 
+      json_content = JSON.generate default_keyfile_hash
+
       allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/unknown/path/to/file.txt") { true }
-      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { JSON.generate default_keyfile_hash }
+      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { json_content }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(json_content)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials2.default
@@ -175,18 +184,19 @@ describe Google::Auth::Credentials, :private do
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::ENV).to receive(:[]).with("JSON_ENV_TEST") { test_json_env_val }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(test_json_env_val)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials3.default
@@ -204,25 +214,28 @@ describe Google::Auth::Credentials, :private do
         DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
       end
 
+      json_content = JSON.generate default_keyfile_hash
+
       allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { true }
-      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { JSON.generate default_keyfile_hash }
+      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { json_content }
+
+      mocked_signet = mock_signet
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(json_content)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials4.default
@@ -246,26 +259,18 @@ describe Google::Auth::Credentials, :private do
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Google::Auth).to receive(:get_application_default) do |scope|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth).to receive(:get_application_default) do |scope, options|
         expect(scope).to eq([TestCredentials5::SCOPE])
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
 
         # This should really be a Signet::OAuth2::Client object,
         # but mocking is making that difficult, so return a valid hash instead.
         default_keyfile_hash
       end
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
-        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
-        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-        expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-        mocked_signet
-      end
 
       creds = TestCredentials5.default
       expect(creds).to be_a_kind_of(TestCredentials5)
@@ -273,6 +278,31 @@ describe Google::Auth::Credentials, :private do
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
       expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
+
+    it "can be subclassed to pass in other env paths" do
+      class TestCredentials6 < Google::Auth::Credentials
+        TOKEN_CREDENTIAL_URI = "https://example.com/token".freeze
+        AUDIENCE = "https://example.com/audience".freeze
+        SCOPE = "http://example.com/scope".freeze
+        PATH_ENV_VARS = ["TEST_PATH"].freeze
+        JSON_ENV_VARS = ["TEST_JSON_VARS"].freeze
+        DEFAULT_PATHS = ["~/default/path/to/file.txt"]
+      end
+
+      class TestCredentials7 < TestCredentials6
+      end
+
+      expect(TestCredentials7.token_credential_uri).to eq("https://example.com/token")
+      expect(TestCredentials7.audience).to eq("https://example.com/audience")
+      expect(TestCredentials7.scope).to eq(["http://example.com/scope"])
+      expect(TestCredentials7.env_vars).to eq(["TEST_PATH", "TEST_JSON_VARS"])
+      expect(TestCredentials7.paths).to eq(["~/default/path/to/file.txt"])
+
+      TestCredentials7::TOKEN_CREDENTIAL_URI = "https://example.com/token2"
+      expect(TestCredentials7.token_credential_uri).to eq("https://example.com/token2")
+      TestCredentials7::AUDIENCE = nil
+      expect(TestCredentials7.audience).to eq("https://example.com/audience")
+    end
   end
 
   describe "using class methods" do
@@ -293,18 +323,19 @@ describe Google::Auth::Credentials, :private do
       allow(::File).to receive(:file?).with(test_path_env_val) { false }
       allow(::File).to receive(:file?).with(test_json_env_val) { false }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://example.com/token")
         expect(options[:audience]).to eq("https://example.com/audience")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(test_json_env_val)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials11.default
@@ -321,25 +352,28 @@ describe Google::Auth::Credentials, :private do
         self.paths = ["~/default/path/to/file.txt"]
       end
 
+      json_content = JSON.generate default_keyfile_hash
+
       allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/unknown/path/to/file.txt") { true }
-      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { JSON.generate default_keyfile_hash }
+      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { json_content }
+
+      mocked_signet = mock_signet
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(json_content)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials12.default
@@ -365,18 +399,19 @@ describe Google::Auth::Credentials, :private do
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::ENV).to receive(:[]).with("JSON_ENV_TEST") { test_json_env_val }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(test_json_env_val)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials13.default
@@ -393,25 +428,28 @@ describe Google::Auth::Credentials, :private do
         self.paths = ["~/default/path/to/file.txt"]
       end
 
+      json_content = JSON.generate default_keyfile_hash
+
       allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { true }
-      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { JSON.generate default_keyfile_hash }
+      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { json_content }
+
+      mocked_signet = mock_signet
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(json_content)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials14.default
@@ -421,7 +459,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
-    it "subclasses that find no matches default to Google::Auth.get_application_default" do
+    it "subclasses that find no matches default to Google::Auth.get_application_default with self-signed jwt enabled" do
       class TestCredentials15 < Google::Auth::Credentials
         self.scope = "http://example.com/scope"
         self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY]
@@ -434,33 +472,117 @@ describe Google::Auth::Credentials, :private do
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Google::Auth).to receive(:get_application_default) do |scope|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth).to receive(:get_application_default) do |scope, options|
         expect(scope).to eq(TestCredentials15.scope)
+        expect(options[:enable_self_signed_jwt]).to eq(true)
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
 
         # This should really be a Signet::OAuth2::Client object,
         # but mocking is making that difficult, so return a valid hash instead.
         default_keyfile_hash
       end
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+
+      creds = TestCredentials15.default enable_self_signed_jwt: true
+      expect(creds).to be_a_kind_of(TestCredentials15)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
+    end
+
+    it "subclasses that find no matches default to Google::Auth.get_application_default with self-signed jwt disabled" do
+      class TestCredentials16 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY]
+        self.paths = ["~/default/path/to/file.txt"]
+      end
+
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
+
+      mocked_signet = mock_signet
+
+      allow(Google::Auth).to receive(:get_application_default) do |scope, options|
+        expect(scope).to eq(TestCredentials16.scope)
+        expect(options[:enable_self_signed_jwt]).to be_nil
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-        expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
-      creds = TestCredentials15.default
-      expect(creds).to be_a_kind_of(TestCredentials15)
+      creds = TestCredentials16.default
+      expect(creds).to be_a_kind_of(TestCredentials16)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
       expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
+
+    it "subclasses that find no matches default to Google::Auth.get_application_default with custom values" do
+      scope2 = "http://example.com/scope2"
+
+      class TestCredentials17 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY]
+        self.paths = ["~/default/path/to/file.txt"]
+        self.token_credential_uri = "https://example.com/token2"
+        self.audience = "https://example.com/token3"
+      end
+
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
+
+      mocked_signet = mock_signet
+
+      allow(Google::Auth).to receive(:get_application_default) do |scope, options|
+        expect(scope).to eq(scope2)
+        expect(options[:enable_self_signed_jwt]).to eq(false)
+        expect(options[:token_credential_uri]).to eq("https://example.com/token2")
+        expect(options[:audience]).to eq("https://example.com/token3")
+
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
+      end
+
+      creds = TestCredentials17.default scope: scope2, enable_self_signed_jwt: true
+      expect(creds).to be_a_kind_of(TestCredentials17)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
+    end
+
+    it "subclasses delegate up the class hierarchy" do
+      class TestCredentials18 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.target_audience = "https://example.com/target_audience"
+        self.env_vars = ["TEST_PATH", "TEST_JSON_VARS"]
+        self.paths = ["~/default/path/to/file.txt"]
+      end
+
+      class TestCredentials19 < TestCredentials18
+      end
+
+      expect(TestCredentials19.scope).to eq(["http://example.com/scope"])
+      expect(TestCredentials19.target_audience).to eq("https://example.com/target_audience")
+      expect(TestCredentials19.env_vars).to eq(["TEST_PATH", "TEST_JSON_VARS"])
+      expect(TestCredentials19.paths).to eq(["~/default/path/to/file.txt"])
+
+      TestCredentials19.token_credential_uri = "https://example.com/token2"
+      expect(TestCredentials19.token_credential_uri).to eq("https://example.com/token2")
+      TestCredentials19.token_credential_uri = nil
+      expect(TestCredentials19.token_credential_uri).to eq("https://oauth2.googleapis.com/token")
+    end
   end
 
   it "warns when cloud sdk credentials are used" do