googleauth 0.5.1 → 0.11.0

data/lib/googleauth/credentials.rb

@@ -0,0 +1,375 @@
+# Copyright 2017, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "forwardable"
+require "json"
+require "signet/oauth_2/client"
+
+require "googleauth/credentials_loader"
+
+module Google
+  module Auth
+    ##
+    # Credentials is responsible for representing the authentication when connecting to an API. This
+    # class is also intended to be inherited by API-specific classes.
+    class Credentials
+      ##
+      # The default token credential URI to be used when none is provided during initialization.
+      TOKEN_CREDENTIAL_URI = "https://oauth2.googleapis.com/token".freeze
+
+      ##
+      # The default target audience ID to be used when none is provided during initialization.
+      AUDIENCE = "https://oauth2.googleapis.com/token".freeze
+
+      ##
+      # The default token credential URI to be used when none is provided during initialization.
+      # The URI is the authorization server's HTTP endpoint capable of issuing tokens and
+      # refreshing expired tokens.
+      #
+      # @return [String]
+      #
+      def self.token_credential_uri
+        return @token_credential_uri unless @token_credential_uri.nil?
+
+        const_get :TOKEN_CREDENTIAL_URI if const_defined? :TOKEN_CREDENTIAL_URI
+      end
+
+      ##
+      # Set the default token credential URI to be used when none is provided during initialization.
+      #
+      # @param [String] new_token_credential_uri
+      # @return [String]
+      #
+      def self.token_credential_uri= new_token_credential_uri
+        @token_credential_uri = new_token_credential_uri
+      end
+
+      ##
+      # The default target audience ID to be used when none is provided during initialization.
+      # Used only by the assertion grant type.
+      #
+      # @return [String]
+      #
+      def self.audience
+        return @audience unless @audience.nil?
+
+        const_get :AUDIENCE if const_defined? :AUDIENCE
+      end
+
+      ##
+      # Sets the default target audience ID to be used when none is provided during initialization.
+      #
+      # @param [String] new_audience
+      # @return [String]
+      #
+      def self.audience= new_audience
+        @audience = new_audience
+      end
+
+      ##
+      # The default scope to be used when none is provided during initialization.
+      # A scope is an access range defined by the authorization server.
+      # The scope can be a single value or a list of values.
+      #
+      # @return [String, Array<String>]
+      #
+      def self.scope
+        return @scope unless @scope.nil?
+
+        tmp_scope = []
+        # Pull in values is the SCOPE constant exists.
+        tmp_scope << const_get(:SCOPE) if const_defined? :SCOPE
+        tmp_scope.flatten.uniq
+      end
+
+      ##
+      # Sets the default scope to be used when none is provided during initialization.
+      #
+      # @param [String, Array<String>] new_scope
+      # @return [String, Array<String>]
+      #
+      def self.scope= new_scope
+        new_scope = Array new_scope unless new_scope.nil?
+        @scope = new_scope
+      end
+
+      ##
+      # The environment variables to search for credentials. Values can either be a file path to the
+      # credentials file, or the JSON contents of the credentials file.
+      #
+      # @return [Array<String>]
+      #
+      def self.env_vars
+        return @env_vars unless @env_vars.nil?
+
+        # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
+        tmp_env_vars = []
+        tmp_env_vars << const_get(:PATH_ENV_VARS) if const_defined? :PATH_ENV_VARS
+        tmp_env_vars << const_get(:JSON_ENV_VARS) if const_defined? :JSON_ENV_VARS
+        tmp_env_vars.flatten.uniq
+      end
+
+      ##
+      # Sets the environment variables to search for credentials.
+      #
+      # @param [Array<String>] new_env_vars
+      # @return [Array<String>]
+      #
+      def self.env_vars= new_env_vars
+        new_env_vars = Array new_env_vars unless new_env_vars.nil?
+        @env_vars = new_env_vars
+      end
+
+      ##
+      # The file paths to search for credentials files.
+      #
+      # @return [Array<String>]
+      #
+      def self.paths
+        return @paths unless @paths.nil?
+
+        tmp_paths = []
+        # Pull in values is the DEFAULT_PATHS constant exists.
+        tmp_paths << const_get(:DEFAULT_PATHS) if const_defined? :DEFAULT_PATHS
+        tmp_paths.flatten.uniq
+      end
+
+      ##
+      # Set the file paths to search for credentials files.
+      #
+      # @param [Array<String>] new_paths
+      # @return [Array<String>]
+      #
+      def self.paths= new_paths
+        new_paths = Array new_paths unless new_paths.nil?
+        @paths = new_paths
+      end
+
+      ##
+      # The Signet::OAuth2::Client object the Credentials instance is using.
+      #
+      # @return [Signet::OAuth2::Client]
+      #
+      attr_accessor :client
+
+      ##
+      # Identifier for the project the client is authenticating with.
+      #
+      # @return [String]
+      #
+      attr_reader :project_id
+
+      # @private Delegate client methods to the client object.
+      extend Forwardable
+
+      ##
+      # @!attribute [r] token_credential_uri
+      #   @return [String] The token credential URI. The URI is the authorization server's HTTP
+      #     endpoint capable of issuing tokens and refreshing expired tokens.
+      #
+      # @!attribute [r] audience
+      #   @return [String] The target audience ID when issuing assertions. Used only by the
+      #     assertion grant type.
+      #
+      # @!attribute [r] scope
+      #   @return [String, Array<String>] The scope for this client. A scope is an access range
+      #     defined by the authorization server. The scope can be a single value or a list of values.
+      #
+      # @!attribute [r] issuer
+      #   @return [String] The issuer ID associated with this client.
+      #
+      # @!attribute [r] signing_key
+      #   @return [String, OpenSSL::PKey] The signing key associated with this client.
+      #
+      # @!attribute [r] updater_proc
+      #   @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
+      #     suitable for passing as a closure.
+      #
+      def_delegators :@client,
+                     :token_credential_uri, :audience,
+                     :scope, :issuer, :signing_key, :updater_proc
+
+      # rubocop:disable Metrics/AbcSize
+
+      ##
+      # Creates a new Credentials instance with the provided auth credentials, and with the default
+      # values configured on the class.
+      #
+      # @param [String, Hash, Signet::OAuth2::Client] keyfile
+      #   The keyfile can be provided as one of the following:
+      #
+      #   * The path to a JSON keyfile (as a +String+)
+      #   * The contents of a JSON keyfile (as a +Hash+)
+      #   * A +Signet::OAuth2::Client+ object
+      # @param [Hash] options
+      #   The options for configuring the credentials instance. The following is supported:
+      #
+      #   * +:scope+ - the scope for the client
+      #   * +"project_id"+ (and optionally +"project"+) - the project identifier for the client
+      #   * +:connection_builder+ - the connection builder to use for the client
+      #   * +:default_connection+ - the default connection to use for the client
+      #
+      def initialize keyfile, options = {}
+        scope = options[:scope]
+        verify_keyfile_provided! keyfile
+        @project_id = options["project_id"] || options["project"]
+        if keyfile.is_a? Signet::OAuth2::Client
+          @client = keyfile
+          @project_id ||= keyfile.project_id if keyfile.respond_to? :project_id
+        elsif keyfile.is_a? Hash
+          hash = stringify_hash_keys keyfile
+          hash["scope"] ||= scope
+          @client = init_client hash, options
+          @project_id ||= (hash["project_id"] || hash["project"])
+        else
+          verify_keyfile_exists! keyfile
+          json = JSON.parse ::File.read(keyfile)
+          json["scope"] ||= scope
+          @project_id ||= (json["project_id"] || json["project"])
+          @client = init_client json, options
+        end
+        CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
+        @project_id ||= CredentialsLoader.load_gcloud_project_id
+        @client.fetch_access_token!
+        @env_vars = nil
+        @paths = nil
+        @scope = nil
+      end
+      # rubocop:enable Metrics/AbcSize
+
+      ##
+      # Creates a new Credentials instance with auth credentials acquired by searching the
+      # environment variables and paths configured on the class, and with the default values
+      # configured on the class.
+      #
+      # The auth credentials are searched for in the following order:
+      #
+      # 1. configured environment variables (see {Credentials.env_vars})
+      # 2. configured default file paths (see {Credentials.paths})
+      # 3. application default (see {Google::Auth.get_application_default})
+      #
+      # @param [Hash] options
+      #   The options for configuring the credentials instance. The following is supported:
+      #
+      #   * +:scope+ - the scope for the client
+      #   * +"project_id"+ (and optionally +"project"+) - the project identifier for the client
+      #   * +:connection_builder+ - the connection builder to use for the client
+      #   * +:default_connection+ - the default connection to use for the client
+      #
+      # @return [Credentials]
+      #
+      def self.default options = {}
+        # First try to find keyfile file or json from environment variables.
+        client = from_env_vars options
+
+        # Second try to find keyfile file from known file paths.
+        client ||= from_default_paths options
+
+        # Finally get instantiated client from Google::Auth
+        client ||= from_application_default options
+        client
+      end
+
+      ##
+      # @private Lookup Credentials from environment variables.
+      def self.from_env_vars options
+        env_vars.each do |env_var|
+          str = ENV[env_var]
+          next if str.nil?
+          return new str, options if ::File.file? str
+          return new ::JSON.parse(str), options rescue nil
+        end
+        nil
+      end
+
+      ##
+      # @private Lookup Credentials from default file paths.
+      def self.from_default_paths options
+        paths
+          .select { |p| ::File.file? p }
+          .each do |file|
+            return new file, options
+          end
+        nil
+      end
+
+      ##
+      # @private Lookup Credentials using Google::Auth.get_application_default.
+      def self.from_application_default options
+        scope = options[:scope] || self.scope
+        client = Google::Auth.get_application_default scope
+        new client, options
+      end
+
+      private_class_method :from_env_vars,
+                           :from_default_paths,
+                           :from_application_default
+
+      protected
+
+      # Verify that the keyfile argument is provided.
+      def verify_keyfile_provided! keyfile
+        return unless keyfile.nil?
+        raise "The keyfile passed to Google::Auth::Credentials.new was nil."
+      end
+
+      # Verify that the keyfile argument is a file.
+      def verify_keyfile_exists! keyfile
+        exists = ::File.file? keyfile
+        raise "The keyfile '#{keyfile}' is not a valid file." unless exists
+      end
+
+      # Initializes the Signet client.
+      def init_client keyfile, connection_options = {}
+        client_opts = client_options keyfile
+        Signet::OAuth2::Client.new(client_opts)
+                              .configure_connection(connection_options)
+      end
+
+      # returns a new Hash with string keys instead of symbol keys.
+      def stringify_hash_keys hash
+        Hash[hash.map { |k, v| [k.to_s, v] }]
+      end
+
+      def client_options options
+        # Keyfile options have higher priority over constructor defaults
+        options["token_credential_uri"] ||= self.class.token_credential_uri
+        options["audience"] ||= self.class.audience
+        options["scope"] ||= self.class.scope
+
+        # client options for initializing signet client
+        { token_credential_uri: options["token_credential_uri"],
+          audience:             options["audience"],
+          scope:                Array(options["scope"]),
+          issuer:               options["client_email"],
+          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
+      end
+    end
+  end
+end

data/lib/googleauth/credentials_loader.rb

@@ -27,9 +27,9 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'memoist'
-require 'os'
-require 'rbconfig'
+require "memoist"
+require "os"
+require "rbconfig"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -39,44 +39,71 @@ module Google
     # credentials files on the file system.
     module CredentialsLoader
       extend Memoist
-      ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
+      ENV_VAR                   = "GOOGLE_APPLICATION_CREDENTIALS".freeze
+      PRIVATE_KEY_VAR           = "GOOGLE_PRIVATE_KEY".freeze
+      CLIENT_EMAIL_VAR          = "GOOGLE_CLIENT_EMAIL".freeze
+      CLIENT_ID_VAR             = "GOOGLE_CLIENT_ID".freeze
+      CLIENT_SECRET_VAR         = "GOOGLE_CLIENT_SECRET".freeze
+      REFRESH_TOKEN_VAR         = "GOOGLE_REFRESH_TOKEN".freeze
+      ACCOUNT_TYPE_VAR          = "GOOGLE_ACCOUNT_TYPE".freeze
+      PROJECT_ID_VAR            = "GOOGLE_PROJECT_ID".freeze
+      GCLOUD_POSIX_COMMAND      = "gcloud".freeze
+      GCLOUD_WINDOWS_COMMAND    = "gcloud.cmd".freeze
+      GCLOUD_CONFIG_COMMAND     =
+        "config config-helper --format json --verbosity none".freeze
 
-      PRIVATE_KEY_VAR = 'GOOGLE_PRIVATE_KEY'
-      CLIENT_EMAIL_VAR = 'GOOGLE_CLIENT_EMAIL'
-      CLIENT_ID_VAR = 'GOOGLE_CLIENT_ID'
-      CLIENT_SECRET_VAR = 'GOOGLE_CLIENT_SECRET'
-      REFRESH_TOKEN_VAR = 'GOOGLE_REFRESH_TOKEN'
-      ACCOUNT_TYPE_VAR = 'GOOGLE_ACCOUNT_TYPE'
-
-      CREDENTIALS_FILE_NAME = 'application_default_credentials.json'
+      CREDENTIALS_FILE_NAME = "application_default_credentials.json".freeze
       NOT_FOUND_ERROR =
-        "Unable to read the credential file specified by #{ENV_VAR}"
-      WELL_KNOWN_PATH = "gcloud/#{CREDENTIALS_FILE_NAME}"
-      WELL_KNOWN_ERROR = 'Unable to read the default credential file'
+        "Unable to read the credential file specified by #{ENV_VAR}".freeze
+      WELL_KNOWN_PATH = "gcloud/#{CREDENTIALS_FILE_NAME}".freeze
+      WELL_KNOWN_ERROR = "Unable to read the default credential file".freeze
+
+      SYSTEM_DEFAULT_ERROR =
+        "Unable to read the system default credential file".freeze
+
+      CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app"\
+        "s.googleusercontent.com".freeze
 
-      SYSTEM_DEFAULT_ERROR = 'Unable to read the system default credential file'
+      CLOUD_SDK_CREDENTIALS_WARNING = "Your application has authenticated using end user "\
+        "credentials from Google Cloud SDK. We recommend that most server applications use "\
+        "service accounts instead. If your application continues to use end user credentials "\
+        'from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For '\
+        "more information about service accounts, see "\
+        "https://cloud.google.com/docs/authentication/. To suppress this message, set the "\
+        "GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
 
       # make_creds proxies the construction of a credentials instance
       #
       # By default, it calls #new on the current class, but this behaviour can
       # be modified, allowing different instances to be created.
-      def make_creds(*args)
-        new(*args)
+      def make_creds *args
+        creds = new(*args)
+        creds = creds.configure_connection args[0] if creds.respond_to?(:configure_connection) && args.size == 1
+        creds
       end
 
       # Creates an instance from the path specified in an environment
       # variable.
       #
       # @param scope [string|array|nil] the scope(s) to access
-      def from_env(scope = nil)
-        if ENV.key?(ENV_VAR)
+      # @param options [Hash] Connection options. These may be used to configure
+      #     how OAuth tokens are retrieved, by providing a suitable
+      #     `Faraday::Connection`. For example, if a connection proxy must be
+      #     used in the current network, you may provide a connection with
+      #     with the needed proxy options.
+      #     The following keys are recognized:
+      #     * `:default_connection` The connection object to use.
+      #     * `:connection_builder` A `Proc` that returns a connection.
+      def from_env scope = nil, options = {}
+        options = interpret_options scope, options
+        if ENV.key?(ENV_VAR) && !ENV[ENV_VAR].empty?
           path = ENV[ENV_VAR]
-          fail "file #{path} does not exist" unless File.exist?(path)
-          File.open(path) do |f|
-            return make_creds(json_key_io: f, scope: scope)
+          raise "file #{path} does not exist" unless File.exist? path
+          File.open path do |f|
+            return make_creds options.merge(json_key_io: f)
           end
         elsif service_account_env_vars? || authorized_user_env_vars?
-          return make_creds(scope: scope)
+          return make_creds options
         end
       rescue StandardError => e
         raise "#{NOT_FOUND_ERROR}: #{e}"
@@ -85,15 +112,24 @@ module Google
       # Creates an instance from a well known path.
       #
       # @param scope [string|array|nil] the scope(s) to access
-      def from_well_known_path(scope = nil)
-        home_var = OS.windows? ? 'APPDATA' : 'HOME'
+      # @param options [Hash] Connection options. These may be used to configure
+      #     how OAuth tokens are retrieved, by providing a suitable
+      #     `Faraday::Connection`. For example, if a connection proxy must be
+      #     used in the current network, you may provide a connection with
+      #     with the needed proxy options.
+      #     The following keys are recognized:
+      #     * `:default_connection` The connection object to use.
+      #     * `:connection_builder` A `Proc` that returns a connection.
+      def from_well_known_path scope = nil, options = {}
+        options = interpret_options scope, options
+        home_var = OS.windows? ? "APPDATA" : "HOME"
         base = WELL_KNOWN_PATH
-        root = ENV[home_var].nil? ? '' : ENV[home_var]
-        base = File.join('.config', base) unless OS.windows?
-        path = File.join(root, base)
-        return nil unless File.exist?(path)
-        File.open(path) do |f|
-          return make_creds(json_key_io: f, scope: scope)
+        root = ENV[home_var].nil? ? "" : ENV[home_var]
+        base = File.join ".config", base unless OS.windows?
+        path = File.join root, base
+        return nil unless File.exist? path
+        File.open path do |f|
+          return make_creds options.merge(json_key_io: f)
         end
       rescue StandardError => e
         raise "#{WELL_KNOWN_ERROR}: #{e}"
@@ -102,31 +138,69 @@ module Google
       # Creates an instance from the system default path
       #
       # @param scope [string|array|nil] the scope(s) to access
-      def from_system_default_path(scope = nil)
+      # @param options [Hash] Connection options. These may be used to configure
+      #     how OAuth tokens are retrieved, by providing a suitable
+      #     `Faraday::Connection`. For example, if a connection proxy must be
+      #     used in the current network, you may provide a connection with
+      #     with the needed proxy options.
+      #     The following keys are recognized:
+      #     * `:default_connection` The connection object to use.
+      #     * `:connection_builder` A `Proc` that returns a connection.
+      def from_system_default_path scope = nil, options = {}
+        options = interpret_options scope, options
         if OS.windows?
-          return nil unless ENV['ProgramData']
-          prefix = File.join(ENV['ProgramData'], 'Google/Auth')
+          return nil unless ENV["ProgramData"]
+          prefix = File.join ENV["ProgramData"], "Google/Auth"
         else
-          prefix = '/etc/google/auth/'
+          prefix = "/etc/google/auth/"
         end
-        path = File.join(prefix, CREDENTIALS_FILE_NAME)
-        return nil unless File.exist?(path)
-        File.open(path) do |f|
-          return make_creds(json_key_io: f, scope: scope)
+        path = File.join prefix, CREDENTIALS_FILE_NAME
+        return nil unless File.exist? path
+        File.open path do |f|
+          return make_creds options.merge(json_key_io: f)
         end
       rescue StandardError => e
         raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
       end
 
+      module_function
+
+      # Issues warning if cloud sdk client id is used
+      def warn_if_cloud_sdk_credentials client_id
+        return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
+        warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
+      end
+
+      # Finds project_id from gcloud CLI configuration
+      def load_gcloud_project_id
+        gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
+        gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
+        gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", &:read)
+        config = MultiJson.load gcloud_json
+        config["configuration"]["properties"]["core"]["project"]
+      rescue StandardError
+        nil
+      end
+
       private
 
+      def interpret_options scope, options
+        if scope.is_a? Hash
+          options = scope
+          scope = nil
+        end
+        return options.merge scope: scope if scope && !options[:scope]
+        options
+      end
+
       def service_account_env_vars?
-        ([PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR] - ENV.keys).empty?
+        ([PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR] - ENV.keys).empty? &&
+          !ENV.to_h.fetch_values(PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR).join(" ").empty?
       end
 
       def authorized_user_env_vars?
-        ([CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR] -
-          ENV.keys).empty?
+        ([CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR] - ENV.keys).empty? &&
+          !ENV.to_h.fetch_values(CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR).join(" ").empty?
       end
     end
   end

data/lib/googleauth/default_credentials.rb

@@ -0,0 +1,93 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "multi_json"
+require "stringio"
+
+require "googleauth/credentials_loader"
+require "googleauth/service_account"
+require "googleauth/user_refresh"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # DefaultCredentials is used to preload the credentials file, to determine
+    # which type of credentials should be loaded.
+    class DefaultCredentials
+      extend CredentialsLoader
+
+      # override CredentialsLoader#make_creds to use the class determined by
+      # loading the json.
+      def self.make_creds options = {}
+        json_key_io = options[:json_key_io]
+        if json_key_io
+          json_key, clz = determine_creds_class json_key_io
+          warn_if_cloud_sdk_credentials json_key["client_id"]
+          io = StringIO.new MultiJson.dump(json_key)
+          clz.make_creds options.merge(json_key_io: io)
+        else
+          warn_if_cloud_sdk_credentials ENV[CredentialsLoader::CLIENT_ID_VAR]
+          clz = read_creds
+          clz.make_creds options
+        end
+      end
+
+      def self.read_creds
+        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
+        type = ENV[env_var]
+        raise "#{env_var} is undefined in env" unless type
+        case type
+        when "service_account"
+          ServiceAccountCredentials
+        when "authorized_user"
+          UserRefreshCredentials
+        else
+          raise "credentials type '#{type}' is not supported"
+        end
+      end
+
+      # Reads the input json and determines which creds class to use.
+      def self.determine_creds_class json_key_io
+        json_key = MultiJson.load json_key_io.read
+        key = "type"
+        raise "the json is missing the '#{key}' field" unless json_key.key? key
+        type = json_key[key]
+        case type
+        when "service_account"
+          [json_key, ServiceAccountCredentials]
+        when "authorized_user"
+          [json_key, UserRefreshCredentials]
+        else
+          raise "credentials type '#{type}' is not supported"
+        end
+      end
+    end
+  end
+end