googleauth 0.8.1 → 0.9.0

data/lib/googleauth/credentials_loader.rb

@@ -49,7 +49,8 @@ module Google
       PROJECT_ID_VAR            = "GOOGLE_PROJECT_ID".freeze
       GCLOUD_POSIX_COMMAND      = "gcloud".freeze
       GCLOUD_WINDOWS_COMMAND    = "gcloud.cmd".freeze
-      GCLOUD_CONFIG_COMMAND     = "config config-helper --format json".freeze
+      GCLOUD_CONFIG_COMMAND     =
+        "config config-helper --format json --verbosity none".freeze
 
       CREDENTIALS_FILE_NAME = "application_default_credentials.json".freeze
       NOT_FOUND_ERROR =
@@ -162,12 +163,11 @@ module Google
         raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
       end
 
-      module_function
-
       # Issues warning if cloud sdk client id is used
       def warn_if_cloud_sdk_credentials client_id
         warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
       end
+      module_function :warn_if_cloud_sdk_credentials
 
       # Finds project_id from gcloud CLI configuration
       def load_gcloud_project_id
@@ -179,6 +179,7 @@ module Google
       rescue StandardError
         nil
       end
+      module_function :load_gcloud_project_id
 
       private
 
@@ -192,13 +193,15 @@ module Google
       end
 
       def service_account_env_vars?
-        ([PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR] - ENV.keys).empty? &&
-          !ENV.to_h.fetch_values(PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR).join(" ").empty?
+        [PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR].all? do |key|
+          ENV[key] && !ENV[key].empty?
+        end
       end
 
       def authorized_user_env_vars?
-        ([CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR] - ENV.keys).empty? &&
-          !ENV.to_h.fetch_values(CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR).join(" ").empty?
+        [CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR].all? do |key|
+          ENV[key] && !ENV[key].empty?
+        end
       end
     end
   end

data/lib/googleauth/signet.rb

@@ -76,7 +76,9 @@ module Signet
           connection = build_default_connection
           options = options.merge connection: connection if connection
         end
-        info = orig_fetch_access_token! options
+        info = retry_with_error do
+          orig_fetch_access_token! options
+        end
         notify_refresh_listeners
         info
       end
@@ -89,9 +91,8 @@ module Signet
       end
 
       def build_default_connection
-        if !defined?(@connection_info)
-          nil
-        elsif @connection_info.respond_to? :call
+        return nil unless defined?(@connection_info)
+        if @connection_info.respond_to? :call
           @connection_info.call
         else
           @connection_info

data/lib/googleauth/user_authorizer.rb

@@ -129,8 +129,8 @@ module Google
         data = MultiJson.load saved_token
 
         if data.fetch("client_id", @client_id.id) != @client_id.id
-          raise format(MISMATCHED_CLIENT_ID_ERROR,
-                       data["client_id"], @client_id.id)
+          raise sprintf(MISMATCHED_CLIENT_ID_ERROR,
+                        data["client_id"], @client_id.id)
         end
 
         credentials = UserRefreshCredentials.new(

data/lib/googleauth/user_refresh.rb

@@ -79,7 +79,7 @@ module Google
       # JSON key.
       def self.read_json_key json_key_io
         json_key = MultiJson.load json_key_io.read
-        wanted = %w[client_id client_secret refresh_token]
+        wanted = ["client_id", "client_secret", "refresh_token"]
         wanted.each do |key|
           raise "the json is missing the #{key} field" unless json_key.key? key
         end

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "0.8.1".freeze
+    VERSION = "0.9.0".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -154,6 +154,8 @@ module Google
       # @param [String, Array<String>] scope
       #  Authorization scope to request. Overrides the instance scopes if
       #  not nil.
+      # @param [Hash] state
+      #  Optional key-values to be returned to the oauth callback.
       # @return [String]
       #  Authorization url
       def get_authorization_url options = {}
@@ -162,22 +164,25 @@ module Google
         raise NIL_REQUEST_ERROR if request.nil?
         raise NIL_SESSION_ERROR if request.session.nil?
 
+        state = options[:state] || {}
+
         redirect_to = options[:redirect_to] || request.url
         request.session[XSRF_KEY] = SecureRandom.base64
-        options[:state] = MultiJson.dump(
-          SESSION_ID_KEY  => request.session[XSRF_KEY],
-          CURRENT_URI_KEY => redirect_to
-        )
+        options[:state] = MultiJson.dump(state.merge(
+                                           SESSION_ID_KEY  => request.session[XSRF_KEY],
+                                           CURRENT_URI_KEY => redirect_to
+        ))
         options[:base_url] = request.url
         super options
       end
 
-      # Fetch stored credentials for the user.
+      # Fetch stored credentials for the user from the given request session.
       #
       # @param [String] user_id
       #  Unique ID of the user for loading/storing credentials.
       # @param [Rack::Request] request
-      #  Current request
+      #  Current request. Optional. If omitted, this will attempt to fall back
+      #  on the base class behavior of reading from the token store.
       # @param [Array<String>, String] scope
       #  If specified, only returns credentials that have all the \
       #  requested scopes
@@ -186,8 +191,8 @@ module Google
       # @raise [Signet::AuthorizationError]
       #  May raise an error if an authorization code is present in the session
       #  and exchange of the code fails
-      def get_credentials user_id, request, scope = nil
-        if request.session.key? CALLBACK_STATE_KEY
+      def get_credentials user_id, request = nil, scope = nil
+        if request && request.session.key?(CALLBACK_STATE_KEY)
           # Note - in theory, no need to check required scope as this is
           # expected to be called immediately after a return from authorization
           state_json = request.session.delete CALLBACK_STATE_KEY

data/spec/googleauth/credentials_spec.rb

@@ -81,181 +81,367 @@ describe Google::Auth::Credentials, :private do
     Google::Auth::Credentials.new default_keyfile_hash, scope: "http://example.com/scope"
   end
 
-  it "can be subclassed to pass in other env paths" do
-    TEST_PATH_ENV_VAR = "TEST_PATH".freeze
-    TEST_PATH_ENV_VAL = "/unknown/path/to/file.txt".freeze
-    TEST_JSON_ENV_VAR = "TEST_JSON_VARS".freeze
-
-    ENV[TEST_PATH_ENV_VAR] = TEST_PATH_ENV_VAL
-    ENV[TEST_JSON_ENV_VAR] = JSON.generate default_keyfile_hash
-
-    class TestCredentials < Google::Auth::Credentials
-      SCOPE = "http://example.com/scope".freeze
-      PATH_ENV_VARS = [TEST_PATH_ENV_VAR].freeze
-      JSON_ENV_VARS = [TEST_JSON_ENV_VAR].freeze
+  describe "using CONSTANTS" do
+    it "can be subclassed to pass in other env paths" do
+      test_path_env_val = "/unknown/path/to/file.txt".freeze
+      test_json_env_val = JSON.generate default_keyfile_hash
+
+      ENV["TEST_PATH"] = test_path_env_val
+      ENV["TEST_JSON_VARS"] = test_json_env_val
+
+      class TestCredentials1 < Google::Auth::Credentials
+        TOKEN_CREDENTIAL_URI = "https://example.com/token".freeze
+        AUDIENCE = "https://example.com/audience".freeze
+        SCOPE = "http://example.com/scope".freeze
+        PATH_ENV_VARS = ["TEST_PATH"].freeze
+        JSON_ENV_VARS = ["TEST_JSON_VARS"].freeze
+      end
+
+      allow(::File).to receive(:file?).with(test_path_env_val) { false }
+      allow(::File).to receive(:file?).with(test_json_env_val) { false }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://example.com/token")
+        expect(options[:audience]).to eq("https://example.com/audience")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials1.default
+      expect(creds).to be_a_kind_of(TestCredentials1)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
 
-    allow(::File).to receive(:file?).with(TEST_PATH_ENV_VAL) { false }
-
-    mocked_signet = double "Signet::OAuth2::Client"
-    allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-    allow(mocked_signet).to receive(:client_id)
-    allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:scope]).to eq(["http://example.com/scope"])
-      expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-      mocked_signet
+    it "subclasses can use PATH_ENV_VARS to get keyfile path" do
+      class TestCredentials2 < Google::Auth::Credentials
+        SCOPE = "http://example.com/scope".freeze
+        PATH_ENV_VARS = %w[PATH_ENV_DUMMY PATH_ENV_TEST].freeze
+        JSON_ENV_VARS = ["JSON_ENV_DUMMY"].freeze
+        DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
+      end
+
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/unknown/path/to/file.txt") { true }
+      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { JSON.generate default_keyfile_hash }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials2.default
+      expect(creds).to be_a_kind_of(TestCredentials2)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
 
-    creds = TestCredentials.default
-    expect(creds).to be_a_kind_of(TestCredentials)
-    expect(creds.client).to eq(mocked_signet)
-    expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
-  end
-
-  it "subclasses can use PATH_ENV_VARS to get keyfile path" do
-    class TestCredentials < Google::Auth::Credentials
-      SCOPE = "http://example.com/scope".freeze
-      PATH_ENV_VARS = %w[PATH_ENV_DUMMY PATH_ENV_TEST].freeze
-      JSON_ENV_VARS = ["JSON_ENV_DUMMY"].freeze
-      DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
+    it "subclasses can use JSON_ENV_VARS to get keyfile contents" do
+      test_json_env_val = JSON.generate default_keyfile_hash
+
+      class TestCredentials3 < Google::Auth::Credentials
+        SCOPE = "http://example.com/scope".freeze
+        PATH_ENV_VARS = ["PATH_ENV_DUMMY"].freeze
+        JSON_ENV_VARS = %w[JSON_ENV_DUMMY JSON_ENV_TEST].freeze
+        DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
+      end
+
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::File).to receive(:file?).with(test_json_env_val) { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_TEST") { test_json_env_val }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials3.default
+      expect(creds).to be_a_kind_of(TestCredentials3)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
 
-    allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
-    allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
-    allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
-    allow(::File).to receive(:file?).with("/unknown/path/to/file.txt") { true }
-    allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { JSON.generate default_keyfile_hash }
-
-    mocked_signet = double "Signet::OAuth2::Client"
-    allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-    allow(mocked_signet).to receive(:client_id)
-    allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:scope]).to eq(["http://example.com/scope"])
-      expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-      mocked_signet
+    it "subclasses can use DEFAULT_PATHS to get keyfile path" do
+      class TestCredentials4 < Google::Auth::Credentials
+        SCOPE = "http://example.com/scope".freeze
+        PATH_ENV_VARS = ["PATH_ENV_DUMMY"].freeze
+        JSON_ENV_VARS = ["JSON_ENV_DUMMY"].freeze
+        DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
+      end
+
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { true }
+      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { JSON.generate default_keyfile_hash }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials4.default
+      expect(creds).to be_a_kind_of(TestCredentials4)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
 
-    creds = TestCredentials.default
-    expect(creds).to be_a_kind_of(TestCredentials)
-    expect(creds.client).to eq(mocked_signet)
-    expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
-  end
-
-  it "subclasses can use JSON_ENV_VARS to get keyfile contents" do
-    class TestCredentials < Google::Auth::Credentials
-      SCOPE = "http://example.com/scope".freeze
-      PATH_ENV_VARS = ["PATH_ENV_DUMMY"].freeze
-      JSON_ENV_VARS = %w[JSON_ENV_DUMMY JSON_ENV_TEST].freeze
-      DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
+    it "subclasses that find no matches default to Google::Auth.get_application_default" do
+      class TestCredentials5 < Google::Auth::Credentials
+        SCOPE = "http://example.com/scope".freeze
+        PATH_ENV_VARS = ["PATH_ENV_DUMMY"].freeze
+        JSON_ENV_VARS = ["JSON_ENV_DUMMY"].freeze
+        DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
+      end
+
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Google::Auth).to receive(:get_application_default) do |scope|
+        expect(scope).to eq([TestCredentials5::SCOPE])
+
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
+      end
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials5.default
+      expect(creds).to be_a_kind_of(TestCredentials5)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
-
-    allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
-    allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
-    allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
-    allow(::ENV).to receive(:[]).with("JSON_ENV_TEST") { JSON.generate default_keyfile_hash }
-
-    mocked_signet = double "Signet::OAuth2::Client"
-    allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-    allow(mocked_signet).to receive(:client_id)
-    allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:scope]).to eq(["http://example.com/scope"])
-      expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-      mocked_signet
-    end
-
-    creds = TestCredentials.default
-    expect(creds).to be_a_kind_of(TestCredentials)
-    expect(creds.client).to eq(mocked_signet)
-    expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
   end
 
-  it "subclasses can use DEFAULT_PATHS to get keyfile path" do
-    class TestCredentials < Google::Auth::Credentials
-      SCOPE = "http://example.com/scope".freeze
-      PATH_ENV_VARS = ["PATH_ENV_DUMMY"].freeze
-      JSON_ENV_VARS = ["JSON_ENV_DUMMY"].freeze
-      DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
+  describe "using class methods" do
+    it "can be subclassed to pass in other env paths" do
+      test_path_env_val = "/unknown/path/to/file.txt".freeze
+      test_json_env_val = JSON.generate default_keyfile_hash
+
+      ENV["TEST_PATH"] = test_path_env_val
+      ENV["TEST_JSON_VARS"] = test_json_env_val
+
+      class TestCredentials11 < Google::Auth::Credentials
+        self.token_credential_uri = "https://example.com/token"
+        self.audience = "https://example.com/audience"
+        self.scope = "http://example.com/scope"
+        self.env_vars = ["TEST_PATH", "TEST_JSON_VARS"]
+      end
+
+      allow(::File).to receive(:file?).with(test_path_env_val) { false }
+      allow(::File).to receive(:file?).with(test_json_env_val) { false }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://example.com/token")
+        expect(options[:audience]).to eq("https://example.com/audience")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials11.default
+      expect(creds).to be_a_kind_of(TestCredentials11)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
 
-    allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
-    allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
-    allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
-    allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { true }
-    allow(::File).to receive(:read).with("~/default/path/to/file.txt") { JSON.generate default_keyfile_hash }
-
-    mocked_signet = double "Signet::OAuth2::Client"
-    allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-    allow(mocked_signet).to receive(:client_id)
-    allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:scope]).to eq(["http://example.com/scope"])
-      expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-      mocked_signet
+    it "subclasses can use PATH_ENV_VARS to get keyfile path" do
+      class TestCredentials12 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.env_vars = %w[PATH_ENV_DUMMY PATH_ENV_TEST JSON_ENV_DUMMY]
+        self.paths = ["~/default/path/to/file.txt"]
+      end
+
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/unknown/path/to/file.txt") { true }
+      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { JSON.generate default_keyfile_hash }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials12.default
+      expect(creds).to be_a_kind_of(TestCredentials12)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
 
-    creds = TestCredentials.default
-    expect(creds).to be_a_kind_of(TestCredentials)
-    expect(creds.client).to eq(mocked_signet)
-    expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
-  end
-
-  it "subclasses that find no matches default to Google::Auth.get_application_default" do
-    class TestCredentials < Google::Auth::Credentials
-      SCOPE = "http://example.com/scope".freeze
-      PATH_ENV_VARS = ["PATH_ENV_DUMMY"].freeze
-      JSON_ENV_VARS = ["JSON_ENV_DUMMY"].freeze
-      DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
+    it "subclasses can use JSON_ENV_VARS to get keyfile contents" do
+      test_json_env_val = JSON.generate default_keyfile_hash
+
+      class TestCredentials13 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY JSON_ENV_TEST]
+        self.paths = ["~/default/path/to/file.txt"]
+      end
+
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::File).to receive(:file?).with(test_json_env_val) { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_TEST") { test_json_env_val }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials13.default
+      expect(creds).to be_a_kind_of(TestCredentials13)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
 
-    allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
-    allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
-    allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
-    allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
-
-    mocked_signet = double "Signet::OAuth2::Client"
-    allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-    allow(mocked_signet).to receive(:client_id)
-    allow(Google::Auth).to receive(:get_application_default) do |scope|
-      expect(scope).to eq(TestCredentials::SCOPE)
-
-      # This should really be a Signet::OAuth2::Client object,
-      # but mocking is making that difficult, so return a valid hash instead.
-      default_keyfile_hash
+    it "subclasses can use DEFAULT_PATHS to get keyfile path" do
+      class TestCredentials14 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY]
+        self.paths = ["~/default/path/to/file.txt"]
+      end
+
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { true }
+      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { JSON.generate default_keyfile_hash }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials14.default
+      expect(creds).to be_a_kind_of(TestCredentials14)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
-    allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-      expect(options[:scope]).to eq(["http://example.com/scope"])
-      expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
 
-      mocked_signet
+    it "subclasses that find no matches default to Google::Auth.get_application_default" do
+      class TestCredentials15 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY]
+        self.paths = ["~/default/path/to/file.txt"]
+      end
+
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
+
+      mocked_signet = double "Signet::OAuth2::Client"
+      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
+      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+      allow(mocked_signet).to receive(:client_id)
+      allow(Google::Auth).to receive(:get_application_default) do |scope|
+        expect(scope).to eq(TestCredentials15.scope)
+
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
+      end
+      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:scope]).to eq(["http://example.com/scope"])
+        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
+        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+        mocked_signet
+      end
+
+      creds = TestCredentials15.default
+      expect(creds).to be_a_kind_of(TestCredentials15)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
     end
-
-    creds = TestCredentials.default
-    expect(creds).to be_a_kind_of(TestCredentials)
-    expect(creds.client).to eq(mocked_signet)
-    expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
   end
 
   it "warns when cloud sdk credentials are used" do