googleauth 0.5.1 → 0.14.0

data/spec/googleauth/service_account_spec.rb

@@ -27,80 +27,81 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-spec_dir = File.expand_path(File.join(File.dirname(__FILE__)))
-$LOAD_PATH.unshift(spec_dir)
+spec_dir = File.expand_path File.join(File.dirname(__FILE__))
+$LOAD_PATH.unshift spec_dir
 $LOAD_PATH.uniq!
 
-require 'apply_auth_examples'
-require 'fakefs/safe'
-require 'fileutils'
-require 'googleauth/service_account'
-require 'jwt'
-require 'multi_json'
-require 'openssl'
-require 'spec_helper'
-require 'tmpdir'
+require "apply_auth_examples"
+require "fakefs/safe"
+require "fileutils"
+require "googleauth/service_account"
+require "jwt"
+require "multi_json"
+require "openssl"
+require "spec_helper"
+require "tmpdir"
+require "os"
 
 include Google::Auth::CredentialsLoader
 
-shared_examples 'jwt header auth' do
-  context 'when jwt_aud_uri is present' do
-    let(:test_uri) { 'https://www.googleapis.com/myservice' }
-    let(:auth_prefix) { 'Bearer ' }
+shared_examples "jwt header auth" do
+  context "when jwt_aud_uri is present" do
+    let(:test_uri) { "https://www.googleapis.com/myservice" }
+    let(:auth_prefix) { "Bearer " }
     let(:auth_key) { ServiceAccountJwtHeaderCredentials::AUTH_METADATA_KEY }
     let(:jwt_uri_key) { ServiceAccountJwtHeaderCredentials::JWT_AUD_URI_KEY }
 
-    def expect_is_encoded_jwt(hdr)
+    def expect_is_encoded_jwt hdr
       expect(hdr).to_not be_nil
       expect(hdr.start_with?(auth_prefix)).to be true
       authorization = hdr[auth_prefix.length..-1]
-      payload, = JWT.decode(authorization, @key.public_key)
-      expect(payload['aud']).to eq(test_uri)
-      expect(payload['iss']).to eq(client_email)
+      payload, = JWT.decode authorization, @key.public_key, true, algorithm: "RS256"
+      expect(payload["aud"]).to eq(test_uri)
+      expect(payload["iss"]).to eq(client_email)
     end
 
-    describe '#apply!' do
-      it 'should update the target hash with a jwt token' do
-        md = { foo: 'bar' }
+    describe "#apply!" do
+      it "should update the target hash with a jwt token" do
+        md = { foo: "bar" }
         md[jwt_uri_key] = test_uri
-        @client.apply!(md)
+        @client.apply! md
         auth_header = md[auth_key]
-        expect_is_encoded_jwt(auth_header)
+        expect_is_encoded_jwt auth_header
         expect(md[jwt_uri_key]).to be_nil
       end
     end
 
-    describe 'updater_proc' do
-      it 'should provide a proc that updates a hash with a jwt token' do
-        md = { foo: 'bar' }
+    describe "updater_proc" do
+      it "should provide a proc that updates a hash with a jwt token" do
+        md = { foo: "bar" }
         md[jwt_uri_key] = test_uri
         the_proc = @client.updater_proc
-        got = the_proc.call(md)
+        got = the_proc.call md
         auth_header = got[auth_key]
-        expect_is_encoded_jwt(auth_header)
+        expect_is_encoded_jwt auth_header
         expect(got[jwt_uri_key]).to be_nil
         expect(md[jwt_uri_key]).to_not be_nil
       end
     end
 
-    describe '#apply' do
-      it 'should not update the original hash with a jwt token' do
-        md = { foo: 'bar' }
+    describe "#apply" do
+      it "should not update the original hash with a jwt token" do
+        md = { foo: "bar" }
         md[jwt_uri_key] = test_uri
         the_proc = @client.updater_proc
-        got = the_proc.call(md)
+        got = the_proc.call md
         auth_header = md[auth_key]
         expect(auth_header).to be_nil
         expect(got[jwt_uri_key]).to be_nil
         expect(md[jwt_uri_key]).to_not be_nil
       end
 
-      it 'should add a jwt token to the returned hash' do
-        md = { foo: 'bar' }
+      it "should add a jwt token to the returned hash" do
+        md = { foo: "bar" }
         md[jwt_uri_key] = test_uri
-        got = @client.apply(md)
+        got = @client.apply md
         auth_header = got[auth_key]
-        expect_is_encoded_jwt(auth_header)
+        expect_is_encoded_jwt auth_header
       end
     end
   end
@@ -108,156 +109,245 @@ end
 
 describe Google::Auth::ServiceAccountCredentials do
   ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
-  let(:client_email) { 'app@developer.gserviceaccount.com' }
-  let(:cred_json) do
+  let(:client_email) { "app@developer.gserviceaccount.com" }
+  let :cred_json do
     {
-      private_key_id: 'a_private_key_id',
-      private_key: @key.to_pem,
-      client_email: client_email,
-      client_id: 'app.apps.googleusercontent.com',
-      type: 'service_account'
+      private_key_id:   "a_private_key_id",
+      private_key:      @key.to_pem,
+      client_email:     client_email,
+      client_id:        "app.apps.googleusercontent.com",
+      type:             "service_account",
+      project_id:       "a_project_id",
+      quota_project_id: "b_project_id"
     }
   end
 
-  before(:example) do
-    @key = OpenSSL::PKey::RSA.new(2048)
+  before :example do
+    @key = OpenSSL::PKey::RSA.new 2048
     @client = ServiceAccountCredentials.make_creds(
       json_key_io: StringIO.new(cred_json_text),
-      scope: 'https://www.googleapis.com/auth/userinfo.profile'
+      scope:       "https://www.googleapis.com/auth/userinfo.profile"
+    )
+    @id_client = ServiceAccountCredentials.make_creds(
+      json_key_io:     StringIO.new(cred_json_text),
+      target_audience: "https://pubsub.googleapis.com/"
     )
   end
 
-  def make_auth_stubs(opts = {})
-    access_token = opts[:access_token] || ''
-    body = MultiJson.dump('access_token' => access_token,
-                          'token_type' => 'Bearer',
-                          'expires_in' => 3600)
+  def make_auth_stubs opts
+    body_fields = { "token_type" => "Bearer", "expires_in" => 3600 }
+    body_fields["access_token"] = opts[:access_token] if opts[:access_token]
+    body_fields["id_token"] = opts[:id_token] if opts[:id_token]
+    body = MultiJson.dump body_fields
     blk = proc do |request|
-      params = Addressable::URI.form_unencode(request.body)
-      _claim, _header = JWT.decode(params.assoc('assertion').last,
-                                   @key.public_key)
+      params = Addressable::URI.form_unencode request.body
+      claim, _header = JWT.decode(params.assoc("assertion").last,
+                                  @key.public_key, true,
+                                  algorithm: "RS256")
+      !opts[:id_token] || claim["target_audience"] == "https://pubsub.googleapis.com/"
     end
-    stub_request(:post, 'https://www.googleapis.com/oauth2/v3/token')
+    stub_request(:post, "https://www.googleapis.com/oauth2/v4/token")
       .with(body: hash_including(
-        'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer'),
-            &blk)
-      .to_return(body: body,
-                 status: 200,
-                 headers: { 'Content-Type' => 'application/json' })
+        "grant_type" => "urn:ietf:params:oauth:grant-type:jwt-bearer"
+      ), &blk)
+      .to_return(body:    body,
+                 status:  200,
+                 headers: { "Content-Type" => "application/json" })
   end
 
   def cred_json_text
-    MultiJson.dump(cred_json)
+    MultiJson.dump cred_json
   end
 
-  it_behaves_like 'apply/apply! are OK'
+  it_behaves_like "apply/apply! are OK"
 
-  context 'when scope is nil' do
-    before(:example) do
+  context "when scope is nil" do
+    before :example do
       @client.scope = nil
     end
 
-    it_behaves_like 'jwt header auth'
+    it_behaves_like "jwt header auth"
   end
 
-  describe '#from_env' do
-    before(:example) do
+  describe "#from_env" do
+    before :example do
       @var_name = ENV_VAR
       @credential_vars = [
-        ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, ACCOUNT_TYPE_VAR]
+        ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, ACCOUNT_TYPE_VAR
+      ]
       @original_env_vals = {}
       @credential_vars.each { |var| @original_env_vals[var] = ENV[var] }
       ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
 
-      @scope = 'https://www.googleapis.com/auth/userinfo.profile'
+      @scope = "https://www.googleapis.com/auth/userinfo.profile"
       @clz = ServiceAccountCredentials
     end
 
-    after(:example) do
+    after :example do
       @credential_vars.each { |var| ENV[var] = @original_env_vals[var] }
     end
 
-    it 'returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset' do
-      ENV.delete(@var_name) unless ENV[@var_name].nil?
+    it "returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset" do
+      ENV.delete @var_name unless ENV[@var_name].nil?
+      expect(ServiceAccountCredentials.from_env(@scope)).to be_nil
+    end
+
+    it "returns nil if the GOOGLE_APPLICATION_CREDENTIALS is empty" do
+      ENV[@var_name] = ""
       expect(ServiceAccountCredentials.from_env(@scope)).to be_nil
     end
 
-    it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
-      ENV.delete(@var_name) unless ENV[@var_name].nil?
+    it "fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist" do
+      ENV.delete @var_name unless ENV[@var_name].nil?
       expect(ServiceAccountCredentials.from_env(@scope)).to be_nil
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, 'does-not-exist')
+        key_path = File.join dir, "does-not-exist"
         ENV[@var_name] = key_path
-        expect { @clz.from_env(@scope) }.to raise_error RuntimeError
+        expect { @clz.from_env @scope }.to raise_error RuntimeError
       end
     end
 
-    it 'succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid' do
+    it "succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid" do
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, 'my_cert_file')
-        FileUtils.mkdir_p(File.dirname(key_path))
-        File.write(key_path, cred_json_text)
+        key_path = File.join dir, "my_cert_file"
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
         ENV[@var_name] = key_path
         expect(@clz.from_env(@scope)).to_not be_nil
       end
     end
 
-    it 'succeeds when GOOGLE_PRIVATE_KEY and GOOGLE_CLIENT_EMAIL env vars are'\
-      ' valid' do
+    it "succeeds when GOOGLE_PRIVATE_KEY and GOOGLE_CLIENT_EMAIL env vars are"\
+      " valid" do
       ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
       ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
       expect(@clz.from_env(@scope)).to_not be_nil
     end
+
+    it "sets project_id when the PROJECT_ID_VAR env var is set" do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      ENV[PROJECT_ID_VAR] = cred_json[:project_id]
+      ENV[ENV_VAR] = nil
+      credentials = @clz.from_env @scope
+      expect(credentials.project_id).to eq(cred_json[:project_id])
+    end
+
+    it "succeeds when GOOGLE_PRIVATE_KEY is escaped" do
+      escaped_key = cred_json[:private_key].gsub "\n", '\n'
+      ENV[PRIVATE_KEY_VAR] = "\"#{escaped_key}\""
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      expect(@clz.from_env(@scope)).to_not be_nil
+    end
+
+    it "propagates default_connection option" do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      connection = Faraday.new headers: { "User-Agent" => "hello" }
+      creds = @clz.from_env @scope, default_connection: connection
+      expect(creds.build_default_connection).to be connection
+    end
   end
 
-  describe '#from_well_known_path' do
-    before(:example) do
-      @home = ENV['HOME']
-      @scope = 'https://www.googleapis.com/auth/userinfo.profile'
+  describe "#from_well_known_path" do
+    before :example do
+      @home = ENV["HOME"]
+      @app_data = ENV["APPDATA"]
+      @scope = "https://www.googleapis.com/auth/userinfo.profile"
       @known_path = WELL_KNOWN_PATH
       @clz = ServiceAccountCredentials
     end
 
-    after(:example) do
-      ENV['HOME'] = @home unless @home == ENV['HOME']
+    after :example do
+      ENV["HOME"] = @home unless @home == ENV["HOME"]
+      ENV["APPDATA"] = @app_data unless @app_data == ENV["APPDATA"]
     end
 
-    it 'is nil if no file exists' do
-      ENV['HOME'] = File.dirname(__FILE__)
+    it "is nil if no file exists" do
+      ENV["HOME"] = File.dirname __FILE__
       expect(ServiceAccountCredentials.from_well_known_path(@scope)).to be_nil
     end
 
-    it 'successfully loads the file when it is present' do
+    it "successfully loads the file when it is present" do
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, '.config', @known_path)
-        FileUtils.mkdir_p(File.dirname(key_path))
-        File.write(key_path, cred_json_text)
-        ENV['HOME'] = dir
+        key_path = File.join dir, ".config", @known_path
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
         expect(@clz.from_well_known_path(@scope)).to_not be_nil
       end
     end
+
+    it "successfully sets project_id when file is present" do
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, ".config", @known_path
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
+        credentials = @clz.from_well_known_path @scope
+        expect(credentials.project_id).to eq(cred_json[:project_id])
+        expect(credentials.quota_project_id).to eq(cred_json[:quota_project_id])
+      end
+    end
+
+    it "propagates default_connection option" do
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, ".config", @known_path
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
+        connection = Faraday.new headers: { "User-Agent" => "hello" }
+        creds = @clz.from_well_known_path @scope, default_connection: connection
+        expect(creds.build_default_connection).to be connection
+      end
+    end
   end
 
-  describe '#from_system_default_path' do
-    before(:example) do
-      @scope = 'https://www.googleapis.com/auth/userinfo.profile'
-      @path = File.join('/etc/google/auth/', CREDENTIALS_FILE_NAME)
+  describe "#from_system_default_path" do
+    before :example do
+      @scope = "https://www.googleapis.com/auth/userinfo.profile"
+      @program_data = ENV["ProgramData"]
+      @prefix = OS.windows? ? "/etc/Google/Auth/" : "/etc/google/auth/"
+      @path = File.join @prefix, CREDENTIALS_FILE_NAME
       @clz = ServiceAccountCredentials
     end
 
-    it 'is nil if no file exists' do
+    after :example do
+      ENV["ProgramData"] = @program_data
+    end
+
+    it "is nil if no file exists" do
       FakeFS do
         expect(ServiceAccountCredentials.from_system_default_path(@scope))
           .to be_nil
       end
     end
 
-    it 'successfully loads the file when it is present' do
+    it "successfully loads the file when it is present" do
       FakeFS do
-        FileUtils.mkdir_p(File.dirname(@path))
-        File.write(@path, cred_json_text)
+        ENV["ProgramData"] = "/etc"
+        FileUtils.mkdir_p File.dirname(@path)
+        File.write @path, cred_json_text
         expect(@clz.from_system_default_path(@scope)).to_not be_nil
-        File.delete(@path)
+        File.delete @path
+      end
+    end
+
+    it "propagates default_connection option" do
+      FakeFS do
+        ENV["ProgramData"] = "/etc"
+        FileUtils.mkdir_p File.dirname(@path)
+        File.write @path, cred_json_text
+        connection = Faraday.new headers: { "User-Agent" => "hello" }
+        creds = @clz.from_system_default_path @scope, default_connection: connection
+        expect(creds.build_default_connection).to be connection
+        File.delete @path
       end
     end
   end
@@ -267,98 +357,133 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
   ServiceAccountJwtHeaderCredentials =
     Google::Auth::ServiceAccountJwtHeaderCredentials
 
-  let(:client_email) { 'app@developer.gserviceaccount.com' }
+  let(:client_email) { "app@developer.gserviceaccount.com" }
   let(:clz) { Google::Auth::ServiceAccountJwtHeaderCredentials }
-  let(:cred_json) do
+  let :cred_json do
     {
-      private_key_id: 'a_private_key_id',
-      private_key: @key.to_pem,
-      client_email: client_email,
-      client_id: 'app.apps.googleusercontent.com',
-      type: 'service_account'
+      private_key_id: "a_private_key_id",
+      private_key:    @key.to_pem,
+      client_email:   client_email,
+      client_id:      "app.apps.googleusercontent.com",
+      type:           "service_account",
+      project_id:     "a_project_id"
     }
   end
 
-  before(:example) do
-    @key = OpenSSL::PKey::RSA.new(2048)
-    @client = clz.make_creds(json_key_io: StringIO.new(cred_json_text))
+  before :example do
+    @key = OpenSSL::PKey::RSA.new 2048
+    @client = clz.make_creds json_key_io: StringIO.new(cred_json_text)
   end
 
   def cred_json_text
-    MultiJson.dump(cred_json)
+    MultiJson.dump cred_json
   end
 
-  it_behaves_like 'jwt header auth'
+  it_behaves_like "jwt header auth"
 
-  describe '#from_env' do
-    before(:example) do
+  describe "#from_env" do
+    before :example do
       @var_name = ENV_VAR
       @credential_vars = [
-        ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, ACCOUNT_TYPE_VAR]
+        ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, ACCOUNT_TYPE_VAR
+      ]
       @original_env_vals = {}
       @credential_vars.each { |var| @original_env_vals[var] = ENV[var] }
       ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
     end
 
-    after(:example) do
+    after :example do
       @credential_vars.each { |var| ENV[var] = @original_env_vals[var] }
     end
 
-    it 'returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset' do
-      ENV.delete(@var_name) unless ENV[@var_name].nil?
+    it "returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset" do
+      ENV.delete @var_name unless ENV[@var_name].nil?
+      expect(clz.from_env).to be_nil
+    end
+
+    it "returns nil if the GOOGLE_APPLICATION_CREDENTIALS is empty" do
+      ENV[@var_name] = ""
       expect(clz.from_env).to be_nil
     end
 
-    it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
-      ENV.delete(@var_name) unless ENV[@var_name].nil?
+    it "fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist" do
+      ENV.delete @var_name unless ENV[@var_name].nil?
       expect(clz.from_env).to be_nil
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, 'does-not-exist')
+        key_path = File.join dir, "does-not-exist"
         ENV[@var_name] = key_path
         expect { clz.from_env }.to raise_error RuntimeError
       end
     end
 
-    it 'succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid' do
+    it "succeeds when the GOOGLE_APPLICATION_CREDENTIALS file is valid" do
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, 'my_cert_file')
-        FileUtils.mkdir_p(File.dirname(key_path))
-        File.write(key_path, cred_json_text)
+        key_path = File.join dir, "my_cert_file"
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
         ENV[@var_name] = key_path
         expect(clz.from_env).to_not be_nil
       end
     end
 
-    it 'succeeds when GOOGLE_PRIVATE_KEY and GOOGLE_CLIENT_EMAIL env vars are'\
-      ' valid' do
+    it "succeeds when GOOGLE_PRIVATE_KEY and GOOGLE_CLIENT_EMAIL env vars are"\
+      " valid" do
       ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
       ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
       expect(clz.from_env(@scope)).to_not be_nil
     end
+
+    it "sets project_id when the PROJECT_ID_VAR env var is set" do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      ENV[PROJECT_ID_VAR] = cred_json[:project_id]
+      ENV[ENV_VAR] = nil
+      credentials = clz.from_env @scope
+      expect(credentials).to_not be_nil
+      expect(credentials.project_id).to eq(cred_json[:project_id])
+    end
   end
 
-  describe '#from_well_known_path' do
-    before(:example) do
-      @home = ENV['HOME']
+  describe "#from_well_known_path" do
+    before :example do
+      @home = ENV["HOME"]
+      @app_data = ENV["APPDATA"]
     end
 
-    after(:example) do
-      ENV['HOME'] = @home unless @home == ENV['HOME']
+    after :example do
+      ENV["HOME"] = @home unless @home == ENV["HOME"]
+      ENV["APPDATA"] = @app_data unless @app_data == ENV["APPDATA"]
     end
 
-    it 'is nil if no file exists' do
-      ENV['HOME'] = File.dirname(__FILE__)
+    it "is nil if no file exists" do
+      ENV["HOME"] = File.dirname __FILE__
       expect(clz.from_well_known_path).to be_nil
     end
 
-    it 'successfully loads the file when it is present' do
+    it "successfully loads the file when it is present" do
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, '.config', WELL_KNOWN_PATH)
-        FileUtils.mkdir_p(File.dirname(key_path))
-        File.write(key_path, cred_json_text)
-        ENV['HOME'] = dir
+        key_path = File.join dir, ".config", WELL_KNOWN_PATH
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
         expect(clz.from_well_known_path).to_not be_nil
       end
     end
+
+    it "successfully sets project_id when file is present" do
+      Dir.mktmpdir do |dir|
+        key_path = File.join dir, ".config", WELL_KNOWN_PATH
+        key_path = File.join dir, WELL_KNOWN_PATH if OS.windows?
+        FileUtils.mkdir_p File.dirname(key_path)
+        File.write key_path, cred_json_text
+        ENV["HOME"] = dir
+        ENV["APPDATA"] = dir
+        credentials = clz.from_well_known_path @scope
+        expect(credentials.project_id).to eq(cred_json[:project_id])
+        expect(credentials.quota_project_id).to be_nil
+      end
+    end
   end
 end