googleauth 0.5.3 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4a649619fb4bc6d65427dd24f868a1892ccdbd3b
-  data.tar.gz: a6d2a87215f39c86e3d526e6dabb84127cac5644
+  metadata.gz: cec38ca5e660e992fb100c34682b8c0091424cd0
+  data.tar.gz: 791afd4f7ed5f55b7a2e506f8fa7f9f9e4754135
 SHA512:
-  metadata.gz: 882116dc42c44734b9f1784dad7dabe7ab00819f335aca61396b4ed6740079aa1925290bf9ecf943abe1da507b6cd2876dc7415d87299a46f2554aaf992b41b3
-  data.tar.gz: 85a188f19aea2ce158143622658240d278ae644fe1a1e84cd35df34ab4b5b2a650912e32eb52cfdebe6875d96910d5d1aa00946da9fa05ca911aa1e799d4425c
+  metadata.gz: 0814d5fd8fc3a00d296dd9c9ad9b72dff84aec4e009d35930589435053307bf00b3296b1c30fab74a451cfdde3165df5b8b1d5c949d9476ed81d6e1ca838d02e
+  data.tar.gz: 9b83bbe09b924617fdad6f7d3853e17991c63db0ddf3c3be0283fce9e03cd16c881941cee7a09e549e38af1e0e604e7ac520cd13000d45d845e94446a1bb511b

data/.travis.yml

@@ -8,7 +8,7 @@ rvm:
   - 2.1
   - 1.9.3
   - rbx-2
-  - jruby
+  - jruby-9.1.9.0
 matrix:
   allow_failures:
     - rvm: rbx-2 # See rubinius/rubinius#3485 - rubocop segfaults

data/CONTRIBUTING.md

@@ -9,11 +9,12 @@ Please fill out either the individual or corporate Contributor License Agreement
 (CLA).
 
   * If you are an individual writing original source code and you're sure you
-    own the intellectual property, then you'll need to sign an [individual CLA]
-    (http://code.google.com/legal/individual-cla-v1.0.html).
+    own the intellectual property, then you'll need to sign an [individual CLA].
   * If you work for a company that wants to allow you to contribute your work,
-    then you'll need to sign a [corporate CLA]
-    (http://code.google.com/legal/corporate-cla-v1.0.html).
+    then you'll need to sign a [corporate CLA].
+
+[individual CLA]: http://code.google.com/legal/individual-cla-v1.0.html
+[corporate CLA]: http://code.google.com/legal/corporate-cla-v1.0.html
 
 Follow either of the two links above to access the appropriate CLA and
 instructions for how to sign and return it. Once we receive it, we'll be able to

data/Gemfile

@@ -12,7 +12,7 @@ group :development do
   gem 'rake', '~> 10.0'
   gem 'redis', '~> 3.2'
   gem 'rspec', '~> 3.0'
-  gem 'rubocop', '~> 0.30'
+  gem 'rubocop', '>= 0.41', '< 0.50'
   gem 'simplecov', '~> 0.9'
   gem 'sinatra'
   gem 'webmock', '~> 1.21'

data/README.md

@@ -8,9 +8,9 @@
 </dl>
 
 [![Gem Version](https://badge.fury.io/rb/googleauth.svg)](http://badge.fury.io/rb/googleauth)
-[![Build Status](https://secure.travis-ci.org/google/google-auth-library-ruby.png)](http://travis-ci.org/google/google-auth-library-ruby)
-[![Coverage Status](https://coveralls.io/repos/google/google-auth-library-ruby/badge.png)](https://coveralls.io/r/google/google-auth-library-ruby)
-[![Dependency Status](https://gemnasium.com/google/google-auth-library-ruby.png)](https://gemnasium.com/google/google-auth-library-ruby)
+[![Build Status](https://secure.travis-ci.org/google/google-auth-library-ruby.svg)](http://travis-ci.org/google/google-auth-library-ruby)
+[![Coverage Status](https://coveralls.io/repos/google/google-auth-library-ruby/badge.svg)](https://coveralls.io/r/google/google-auth-library-ruby)
+[![Dependency Status](https://gemnasium.com/google/google-auth-library-ruby.svg)](https://gemnasium.com/google/google-auth-library-ruby)
 
 ## Description
 

data/googleauth.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'faraday', '~> 0.12'
   s.add_dependency 'logging', '~> 2.0'
-  s.add_dependency 'jwt', '~> 1.4'
+  s.add_dependency 'jwt', '>= 1.4', '< 3.0'
   s.add_dependency 'memoist', '~> 0.12'
   s.add_dependency 'multi_json', '~> 1.11'
   s.add_dependency 'os', '~> 0.9'

data/lib/googleauth.rb

@@ -27,99 +27,9 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'multi_json'
-require 'stringio'
-
-require 'googleauth/credentials_loader'
-require 'googleauth/compute_engine'
-require 'googleauth/service_account'
-require 'googleauth/user_refresh'
+require 'googleauth/application_default'
 require 'googleauth/client_id'
+require 'googleauth/credentials'
+require 'googleauth/default_credentials'
 require 'googleauth/user_authorizer'
 require 'googleauth/web_user_authorizer'
-
-module Google
-  # Module Auth provides classes that provide Google-specific authorization
-  # used to access Google APIs.
-  module Auth
-    NOT_FOUND_ERROR = <<END.freeze
-Could not load the default credentials. Browse to
-https://developers.google.com/accounts/docs/application-default-credentials
-for more information
-END
-
-    # DefaultCredentials is used to preload the credentials file, to determine
-    # which type of credentials should be loaded.
-    class DefaultCredentials
-      extend CredentialsLoader
-
-      # override CredentialsLoader#make_creds to use the class determined by
-      # loading the json.
-      def self.make_creds(options = {})
-        json_key_io, scope = options.values_at(:json_key_io, :scope)
-        if json_key_io
-          json_key, clz = determine_creds_class(json_key_io)
-          clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
-                         scope: scope)
-        else
-          clz = read_creds
-          clz.make_creds(scope: scope)
-        end
-      end
-
-      def self.read_creds
-        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
-        type = ENV[env_var]
-        raise "#{env_var} is undefined in env" unless type
-        case type
-        when 'service_account'
-          ServiceAccountCredentials
-        when 'authorized_user'
-          UserRefreshCredentials
-        else
-          raise "credentials type '#{type}' is not supported"
-        end
-      end
-
-      # Reads the input json and determines which creds class to use.
-      def self.determine_creds_class(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        key = 'type'
-        raise "the json is missing the '#{key}' field" unless json_key.key?(key)
-        type = json_key[key]
-        case type
-        when 'service_account'
-          [json_key, ServiceAccountCredentials]
-        when 'authorized_user'
-          [json_key, UserRefreshCredentials]
-        else
-          raise "credentials type '#{type}' is not supported"
-        end
-      end
-    end
-
-    # Obtains the default credentials implementation to use in this
-    # environment.
-    #
-    # Use this to obtain the Application Default Credentials for accessing
-    # Google APIs.  Application Default Credentials are described in detail
-    # at http://goo.gl/IUuyuX.
-    #
-    # If supplied, scope is used to create the credentials instance, when it can
-    # be applied.  E.g, on google compute engine and for user credentials the
-    # scope is ignored.
-    #
-    # @param scope [string|array|nil] the scope(s) to access
-    # @param options [hash] allows override of the connection being used
-    def get_application_default(scope = nil, options = {})
-      creds = DefaultCredentials.from_env(scope) ||
-              DefaultCredentials.from_well_known_path(scope) ||
-              DefaultCredentials.from_system_default_path(scope)
-      return creds unless creds.nil?
-      raise NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
-      GCECredentials.new
-    end
-
-    module_function :get_application_default
-  end
-end

data/lib/googleauth/application_default.rb

@@ -0,0 +1,67 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'googleauth/compute_engine'
+require 'googleauth/default_credentials'
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    NOT_FOUND_ERROR = <<ERROR_MESSAGE.freeze
+Could not load the default credentials. Browse to
+https://developers.google.com/accounts/docs/application-default-credentials
+for more information
+ERROR_MESSAGE
+
+    # Obtains the default credentials implementation to use in this
+    # environment.
+    #
+    # Use this to obtain the Application Default Credentials for accessing
+    # Google APIs.  Application Default Credentials are described in detail
+    # at http://goo.gl/IUuyuX.
+    #
+    # If supplied, scope is used to create the credentials instance, when it can
+    # be applied.  E.g, on google compute engine and for user credentials the
+    # scope is ignored.
+    #
+    # @param scope [string|array|nil] the scope(s) to access
+    # @param options [hash] allows override of the connection being used
+    def get_application_default(scope = nil, options = {})
+      creds = DefaultCredentials.from_env(scope) ||
+              DefaultCredentials.from_well_known_path(scope) ||
+              DefaultCredentials.from_system_default_path(scope)
+      return creds unless creds.nil?
+      raise NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
+      GCECredentials.new
+    end
+
+    module_function :get_application_default
+  end
+end

data/lib/googleauth/credentials.rb

@@ -0,0 +1,177 @@
+# Copyright 2017, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'forwardable'
+require 'json'
+require 'signet/oauth_2/client'
+
+require 'googleauth/default_credentials'
+
+module Google
+  module Auth
+    # This class is intended to be inherited by API-specific classes
+    # which overrides the SCOPE constant.
+    class Credentials
+      TOKEN_CREDENTIAL_URI = 'https://accounts.google.com/o/oauth2/token'.freeze
+      AUDIENCE = 'https://accounts.google.com/o/oauth2/token'.freeze
+      SCOPE = [].freeze
+      PATH_ENV_VARS = [].freeze
+      JSON_ENV_VARS = [].freeze
+      DEFAULT_PATHS = [].freeze
+
+      attr_accessor :client
+
+      # Delegate client methods to the client object.
+      extend Forwardable
+      def_delegators :@client,
+                     :token_credential_uri, :audience,
+                     :scope, :issuer, :signing_key, :updater_proc
+
+      def initialize(keyfile, options = {})
+        scope = options[:scope]
+        verify_keyfile_provided! keyfile
+        if keyfile.is_a? Signet::OAuth2::Client
+          @client = keyfile
+        elsif keyfile.is_a? Hash
+          hash = stringify_hash_keys keyfile
+          hash['scope'] ||= scope
+          @client = init_client hash
+        else
+          verify_keyfile_exists! keyfile
+          json = JSON.parse ::File.read(keyfile)
+          json['scope'] ||= scope
+          @client = init_client json
+        end
+        @client.fetch_access_token!
+      end
+
+      # Returns the default credentials checking, in this order, the path env
+      # evironment variables, json environment variables, default paths. If the
+      # previously stated locations do not contain keyfile information,
+      # this method defaults to use the application default.
+      def self.default(options = {})
+        scope = options[:scope]
+        # First try to find keyfile file from environment variables.
+        client = from_path_vars(scope)
+
+        # Second try to find keyfile json from environment variables.
+        client ||= from_json_vars(scope)
+
+        # Third try to find keyfile file from known file paths.
+        client ||= from_default_vars(scope)
+
+        # Finally get instantiated client from Google::Auth
+        client ||= from_application_default(scope)
+        client
+      end
+
+      def self.from_path_vars(scope)
+        self::PATH_ENV_VARS
+          .map { |v| ENV[v] }
+          .compact
+          .select { |p| ::File.file? p }
+          .each do |file|
+            return new file, scope: scope
+          end
+      end
+
+      def self.from_json_vars(scope)
+        json = lambda do |v|
+          unless ENV[v].nil?
+            begin
+              JSON.parse ENV[v]
+            rescue
+              nil
+            end
+          end
+        end
+        self::JSON_ENV_VARS.map(&json).compact.each do |hash|
+          return new hash, scope: scope
+        end
+      end
+
+      def self.from_default_paths(scope)
+        self::DEFAULT_PATHS
+          .select { |p| ::File.file? p }
+          .each do |file|
+            return new file, scope: scope
+          end
+      end
+
+      def self.from_application_default(scope)
+        scope ||= self::SCOPE
+        client = Google::Auth.get_application_default scope
+        new client
+      end
+      private_class_method :from_path_vars,
+                           :from_json_vars,
+                           :from_default_paths,
+                           :from_application_default
+
+      protected
+
+      # Verify that the keyfile argument is provided.
+      def verify_keyfile_provided!(keyfile)
+        return unless keyfile.nil?
+        raise 'The keyfile passed to Google::Auth::Credentials.new was nil.'
+      end
+
+      # Verify that the keyfile argument is a file.
+      def verify_keyfile_exists!(keyfile)
+        exists = ::File.file? keyfile
+        raise "The keyfile '#{keyfile}' is not a valid file." unless exists
+      end
+
+      # Initializes the Signet client.
+      def init_client(keyfile)
+        client_opts = client_options keyfile
+        Signet::OAuth2::Client.new client_opts
+      end
+
+      # returns a new Hash with string keys instead of symbol keys.
+      def stringify_hash_keys(hash)
+        Hash[hash.map { |k, v| [k.to_s, v] }]
+      end
+
+      def client_options(options)
+        # Keyfile options have higher priority over constructor defaults
+        options['token_credential_uri'] ||= self.class::TOKEN_CREDENTIAL_URI
+        options['audience'] ||= self.class::AUDIENCE
+        options['scope'] ||= self.class::SCOPE
+
+        # client options for initializing signet client
+        { token_credential_uri: options['token_credential_uri'],
+          audience: options['audience'],
+          scope: Array(options['scope']),
+          issuer: options['client_email'],
+          signing_key: OpenSSL::PKey::RSA.new(options['private_key']) }
+      end
+    end
+  end
+end

data/lib/googleauth/default_credentials.rb

@@ -0,0 +1,91 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'multi_json'
+require 'stringio'
+
+require 'googleauth/credentials_loader'
+require 'googleauth/service_account'
+require 'googleauth/user_refresh'
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # DefaultCredentials is used to preload the credentials file, to determine
+    # which type of credentials should be loaded.
+    class DefaultCredentials
+      extend CredentialsLoader
+
+      # override CredentialsLoader#make_creds to use the class determined by
+      # loading the json.
+      def self.make_creds(options = {})
+        json_key_io, scope = options.values_at(:json_key_io, :scope)
+        if json_key_io
+          json_key, clz = determine_creds_class(json_key_io)
+          clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
+                         scope: scope)
+        else
+          clz = read_creds
+          clz.make_creds(scope: scope)
+        end
+      end
+
+      def self.read_creds
+        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
+        type = ENV[env_var]
+        raise "#{env_var} is undefined in env" unless type
+        case type
+        when 'service_account'
+          ServiceAccountCredentials
+        when 'authorized_user'
+          UserRefreshCredentials
+        else
+          raise "credentials type '#{type}' is not supported"
+        end
+      end
+
+      # Reads the input json and determines which creds class to use.
+      def self.determine_creds_class(json_key_io)
+        json_key = MultiJson.load(json_key_io.read)
+        key = 'type'
+        raise "the json is missing the '#{key}' field" unless json_key.key?(key)
+        type = json_key[key]
+        case type
+        when 'service_account'
+          [json_key, ServiceAccountCredentials]
+        when 'authorized_user'
+          [json_key, UserRefreshCredentials]
+        else
+          raise "credentials type '#{type}' is not supported"
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/user_authorizer.rb

@@ -276,7 +276,7 @@ module Google
       def redirect_uri_for(base_url)
         return @callback_uri unless URI(@callback_uri).scheme.nil?
         if base_url.nil? || URI(base_url).scheme.nil?
-          raise sprintf(ISSING_ABSOLUTE_URL_ERROR, @callback_uri)
+          raise sprintf(MISSING_ABSOLUTE_URL_ERROR, @callback_uri)
         end
         URI.join(base_url, @callback_uri).to_s
       end

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = '0.5.3'.freeze
+    VERSION = '0.6.0'.freeze
   end
 end

data/spec/googleauth/credentials_spec.rb

@@ -0,0 +1,108 @@
+# Copyright 2017, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'googleauth'
+
+# This test is testing the private class Google::Auth::Credentials. We want to
+# make sure that the passed in scope propogates to the Signet object. This means
+# testing the private API, which is generally frowned on.
+describe Google::Auth::Credentials, :private do
+  let(:default_keyfile_hash) do
+    {
+      'private_key_id' => 'testabc1234567890xyz',
+      'private_key' => "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAOyi0Hy1l4Ym2m2o71Q0TF4O9E81isZEsX0bb+Bqz1SXEaSxLiXM\nUZE8wu0eEXivXuZg6QVCW/5l+f2+9UPrdNUCAwEAAQJAJkqubA/Chj3RSL92guy3\nktzeodarLyw8gF8pOmpuRGSiEo/OLTeRUMKKD1/kX4f9sxf3qDhB4e7dulXR1co/\nIQIhAPx8kMW4XTTL6lJYd2K5GrH8uBMp8qL5ya3/XHrBgw3dAiEA7+3Iw3ULTn2I\n1J34WlJ2D5fbzMzB4FAHUNEV7Ys3f1kCIQDtUahCMChrl7+H5t9QS+xrn77lRGhs\nB50pjvy95WXpgQIhAI2joW6JzTfz8fAapb+kiJ/h9Vcs1ZN3iyoRlNFb61JZAiA8\nNy5NyNrMVwtB/lfJf1dAK/p/Bwd8LZLtgM6PapRfgw==\n-----END RSA PRIVATE KEY-----\n",
+      'client_email' => 'credz-testabc1234567890xyz@developer.gserviceaccount.com',
+      'client_id' => 'credz-testabc1234567890xyz.apps.googleusercontent.com',
+      'type' => 'service_account'
+    }
+  end
+
+  it 'uses a default scope' do
+    mocked_signet = double('Signet::OAuth2::Client')
+    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:scope]).to eq([])
+      expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
+      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+      mocked_signet
+    end
+
+    Google::Auth::Credentials.new default_keyfile_hash
+  end
+
+  it 'uses a custom scope' do
+    mocked_signet = double('Signet::OAuth2::Client')
+    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:scope]).to eq(['http://example.com/scope'])
+      expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
+      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+      mocked_signet
+    end
+
+    Google::Auth::Credentials.new default_keyfile_hash, scope: 'http://example.com/scope'
+  end
+
+  it 'can be subclassed to pass in other env paths' do
+    TEST_PATH_ENV_VAR = 'TEST_PATH'.freeze
+    TEST_PATH_ENV_VAL = '/unknown/path/to/file.txt'.freeze
+    TEST_JSON_ENV_VAR = 'TEST_JSON_VARS'.freeze
+
+    ENV[TEST_PATH_ENV_VAR] = TEST_PATH_ENV_VAL
+    ENV[TEST_JSON_ENV_VAR] = JSON.generate(default_keyfile_hash)
+
+    class TestCredentials < Google::Auth::Credentials
+      SCOPE = 'http://example.com/scope'.freeze
+      PATH_ENV_VARS = [TEST_PATH_ENV_VAR].freeze
+      JSON_ENV_VARS = [TEST_JSON_ENV_VAR].freeze
+    end
+
+    allow(::File).to receive(:file?).with(TEST_PATH_ENV_VAL) { false }
+
+    mocked_signet = double('Signet::OAuth2::Client')
+    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:scope]).to eq(['http://example.com/scope'])
+      expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
+      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+      mocked_signet
+    end
+
+    TestCredentials.default
+  end
+end

data/spec/googleauth/service_account_spec.rb

@@ -54,7 +54,7 @@ shared_examples 'jwt header auth' do
       expect(hdr).to_not be_nil
       expect(hdr.start_with?(auth_prefix)).to be true
       authorization = hdr[auth_prefix.length..-1]
-      payload, = JWT.decode(authorization, @key.public_key)
+      payload, = JWT.decode(authorization, @key.public_key, true, algorithm: 'RS256')
       expect(payload['aud']).to eq(test_uri)
       expect(payload['iss']).to eq(client_email)
     end
@@ -135,7 +135,8 @@ describe Google::Auth::ServiceAccountCredentials do
     blk = proc do |request|
       params = Addressable::URI.form_unencode(request.body)
       _claim, _header = JWT.decode(params.assoc('assertion').last,
-                                   @key.public_key)
+                                   @key.public_key, true,
+                                   algorithm: 'RS256')
     end
     stub_request(:post, 'https://www.googleapis.com/oauth2/v4/token')
       .with(body: hash_including(

data/spec/googleauth/signet_spec.rb

@@ -57,7 +57,8 @@ describe Signet::OAuth2::Client do
     blk = proc do |request|
       params = Addressable::URI.form_unencode(request.body)
       _claim, _header = JWT.decode(params.assoc('assertion').last,
-                                   @key.public_key)
+                                   @key.public_key, true,
+                                   algorithm: 'RS256')
     end
     stub_request(:post, 'https://accounts.google.com/o/oauth2/token')
       .with(body: hash_including(

data/spec/googleauth/user_refresh_spec.rb

@@ -294,7 +294,7 @@ describe Google::Auth::UserRefreshCredentials do
     end
   end
 
-  describe 'when erros occured with request' do
+  describe 'when erros occurred with request' do
     it 'should fail with Signet::AuthorizationError if request times out' do
       allow_any_instance_of(Faraday::Connection).to receive(:get)
         .and_raise(Faraday::TimeoutError)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.6.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-21 00:00:00.000000000 Z
+date: 2017-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -42,16 +42,22 @@ dependencies:
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.4'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.4'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: memoist
   requirement: !ruby/object:Gem::Requirement
@@ -129,9 +135,12 @@ files:
 - Rakefile
 - googleauth.gemspec
 - lib/googleauth.rb
+- lib/googleauth/application_default.rb
 - lib/googleauth/client_id.rb
 - lib/googleauth/compute_engine.rb
+- lib/googleauth/credentials.rb
 - lib/googleauth/credentials_loader.rb
+- lib/googleauth/default_credentials.rb
 - lib/googleauth/iam.rb
 - lib/googleauth/scope_util.rb
 - lib/googleauth/service_account.rb
@@ -146,6 +155,7 @@ files:
 - spec/googleauth/apply_auth_examples.rb
 - spec/googleauth/client_id_spec.rb
 - spec/googleauth/compute_engine_spec.rb
+- spec/googleauth/credentials_spec.rb
 - spec/googleauth/get_application_default_spec.rb
 - spec/googleauth/iam_spec.rb
 - spec/googleauth/scope_util_spec.rb
@@ -178,7 +188,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby
@@ -186,6 +196,7 @@ test_files:
 - spec/googleauth/apply_auth_examples.rb
 - spec/googleauth/client_id_spec.rb
 - spec/googleauth/compute_engine_spec.rb
+- spec/googleauth/credentials_spec.rb
 - spec/googleauth/get_application_default_spec.rb
 - spec/googleauth/iam_spec.rb
 - spec/googleauth/scope_util_spec.rb