googleauth 0.14.0 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8846e57d325ff993c15ca691e299b9c2c4b7472b1b0a9e905b36cdb99216e061
-  data.tar.gz: 2fcee29e36a6fd57420b9cd0106cf3ab73bf447e94e2f6bdce61a973d256cd5e
+  metadata.gz: b15478e865e5cfea5a21aaf18b55e6f7839c0c6a81fd127a249d414ce7f62589
+  data.tar.gz: 0a5ea3ff83f4706367b710ac200ef1936f042f8c124174c0ab5857aa435e940c
 SHA512:
-  metadata.gz: dd54bce055240fc1db34ccfe2850ab49f23b17f55f5336dfeccf380c2f93b8b9e29100a1c53f360564e8387805a9c4bf74d09eb2ca58b5bda666cdab3b061f45
-  data.tar.gz: 27dae4439e8163194604e912918709d2cd623c61856f70f7c350b08dfac010fdff50ad703934b88631c2759dcf7e5aab5b315a884cb160790c153115ee88bdfe
+  metadata.gz: a096b40f4f8559d1263e9f7fd8d28742ee63199dfc5ae77c486602f14bb9f03ed1331b86e64a0afe32bcafef38bb9e26140226615ac546817e1bc8d4c96812ba
+  data.tar.gz: fefa616d20dbfb6b11b71e7869d08e470b919cce6ea991d91930f5036f2945fb652cbb6dfe83f50e93c626c953ba4d9b82483b28891abc97bbb8f4fae863013c

data/.github/workflows/release.yml

@@ -0,0 +1,36 @@
+on:
+  schedule:
+    - cron: '29 9 * * 1'
+  workflow_dispatch:
+
+name: release
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - name: ReleasePlease
+        id: release-please
+        uses: GoogleCloudPlatform/release-please-action@v2
+        with:
+          command: release-pr
+          token: ${{ secrets.YOSHI_CODE_BOT_TOKEN }}
+          fork: true
+          release-type: ruby
+          package-name: google-auth-library-ruby
+          version-file: lib/googleauth/version.rb
+          monorepo-tags: true
+          bump-minor-pre-major: true
+      - name: ReleaseLabel
+        id: release-label
+        if: ${{ steps.release-please.outputs.pr }}
+        uses: actions/github-script@v2
+        with:
+          github-token: ${{secrets.YOSHI_APPROVER_TOKEN}}
+          script: |
+            core.info("Labeling release");
+            github.issues.addLabels({
+              owner: 'googleapis',
+              repo: 'google-auth-library-ruby',
+              issue_number: ${{ steps.release-please.outputs.pr }},
+              labels: ["autorelease: pending", "kokoro:force-run"]
+            });

data/CHANGELOG.md

@@ -1,30 +1,44 @@
 # Release History
 
-### 0.14.0 / 2020-10-09
+## [0.15.0](https://www.github.com/googleapis/google-auth-library-ruby/compare/v0.14.0...v0.15.0) (2021-01-26)
+
+
+### Features
+
+* Credential parameters inherit from superclasses ([4fa4720](https://www.github.com/googleapis/google-auth-library-ruby/commit/4fa47206dbd62f8bbdd1b9d3721f6baee9fd1d62))
+* Service accounts apply a self-signed JWT if scopes are marked as default ([d22acb8](https://www.github.com/googleapis/google-auth-library-ruby/commit/d22acb8a510e6711b5674545c31a4816e5a9168f))
+
+
+### Bug Fixes
+
+* Retry fetch_access_token when GCE metadata server returns unexpected errors ([cd9b012](https://www.github.com/googleapis/google-auth-library-ruby/commit/cd9b0126d3419b9953982f71edc9e6ba3f640e3c))
+* Support correct service account and user refresh behavior for custom credential env variables ([d2dffe5](https://www.github.com/googleapis/google-auth-library-ruby/commit/d2dffe592112b45006291ad9a57f56e00fb208c3))
+
+## 0.14.0 / 2020-10-09
 
 * Honor GCE_METADATA_HOST environment variable
 * Fix errors in some environments when requesting an access token for multiple scopes
 
-### 0.13.1 / 2020-07-30
+## 0.13.1 / 2020-07-30
 
 * Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
 
-### 0.13.0 / 2020-06-17
+## 0.13.0 / 2020-06-17
 
 * Support for validating ID tokens.
 * Fixed header application of ID tokens from service accounts.
 
-### 0.12.0 / 2020-04-08
+## 0.12.0 / 2020-04-08
 
 * Support for ID token credentials.
 * Support reading quota_id_project from service account credentials.
 
-### 0.11.0 / 2020-02-24
+## 0.11.0 / 2020-02-24
 
 * Support Faraday 1.x.
 * Allow special "postmessage" value for redirect_uri.
 
-### 0.10.0 / 2019-10-09
+## 0.10.0 / 2019-10-09
 
 Note: This release now requires Ruby 2.4 or later
 
@@ -34,7 +48,7 @@ Note: This release now requires Ruby 2.4 or later
 * Set instance variables at initialization to avoid spamming warnings
 * Pass "Metadata-Flavor" header to metadata server when checking for GCE
 
-### 0.9.0 / 2019-08-05
+## 0.9.0 / 2019-08-05
 
 * Restore compatibility with Ruby 2.0. This is the last release that will work on end-of-lifed versions of Ruby. The 0.10 release will require Ruby 2.4 or later.
 * Update Credentials to use methods for values that are intended to be changed by users, replacing constants.
@@ -43,79 +57,79 @@ Note: This release now requires Ruby 2.4 or later
 * Add verbosity none to gcloud command
 * Make arity of WebUserAuthorizer#get_credentials compatible with the base class
 
-### 0.8.1 / 2019-03-27
+## 0.8.1 / 2019-03-27
 
 * Silence unnecessary gcloud warning
 * Treat empty credentials environment variables as unset
 
-### 0.8.0 / 2019-01-02
+## 0.8.0 / 2019-01-02
 
 * Support connection options :default_connection and :connection_builder when creating credentials that need to refresh OAuth tokens. This lets clients provide connection objects with custom settings, such as proxies, needed for the client environment.
 * Removed an unnecessary warning about project IDs.
 
-### 0.7.1 / 2018-10-25
+## 0.7.1 / 2018-10-25
 
 * Make load_gcloud_project_id module function.
 
-### 0.7.0 / 2018-10-24
+## 0.7.0 / 2018-10-24
 
 * Add project_id instance variable to UserRefreshCredentials, ServiceAccountCredentials, and Credentials.
 
-### 0.6.7 / 2018-10-16
+## 0.6.7 / 2018-10-16
 
 * Update memoist dependency to ~> 0.16.
 
-### 0.6.6 / 2018-08-22
+## 0.6.6 / 2018-08-22
 
 * Remove ruby version warnings.
 
-### 0.6.5 / 2018-08-16
+## 0.6.5 / 2018-08-16
 
 * Fix incorrect http verb when revoking credentials.
 * Warn on EOL ruby versions.
 
-### 0.6.4 / 2018-08-03
+## 0.6.4 / 2018-08-03
 
 * Resolve issue where DefaultCredentials constant was undefined.
 
-### 0.6.3 / 2018-08-02
+## 0.6.3 / 2018-08-02
 
 * Resolve issue where token_store was being written to twice
 
-### 0.6.2 / 2018-08-01
+## 0.6.2 / 2018-08-01
 
 * Add warning when using cloud sdk credentials
 
-### 0.6.1 / 2017-10-18
+## 0.6.1 / 2017-10-18
 
 * Fix file permissions
 
-### 0.6.0 / 2017-10-17
+## 0.6.0 / 2017-10-17
 
 * Support ruby-jwt 2.0
 * Add simple credentials class
 
-### 0.5.3 / 2017-07-21
+## 0.5.3 / 2017-07-21
 
 * Fix file permissions on the gem's `.rb` files.
 
-### 0.5.2 / 2017-07-19
+## 0.5.2 / 2017-07-19
 
 * Add retry mechanism when fetching access tokens in `GCECredentials` and `UserRefreshCredentials` classes.
 * Update Google API OAuth2 token credential URI to v4.
 
-### 0.5.1 / 2016-01-06
+## 0.5.1 / 2016-01-06
 
 * Change header name emitted by `Client#apply` from "Authorization" to "authorization" ([@murgatroid99][])
 * Fix ADC not working on some windows machines ([@vsubramani][])
 [#55](https://github.com/google/google-auth-library-ruby/issues/55)
 
-### 0.5.0 / 2015-10-12
+## 0.5.0 / 2015-10-12
 
 * Initial support for user credentials ([@sqrrrl][])
 * Update Signet to 0.7
 
-### 0.4.2 / 2015-08-05
+## 0.4.2 / 2015-08-05
 
 * Updated UserRefreshCredentials hash to use string keys ([@haabaato][])
 [#36](https://github.com/google/google-auth-library-ruby/issues/36)
@@ -132,16 +146,16 @@ Note: This release now requires Ruby 2.4 or later
 * Enables passing credentials via environment variables. ([@haabaato][])
 [#27](https://github.com/google/google-auth-library-ruby/issues/27)
 
-### 0.4.1 / 2015-04-25
+## 0.4.1 / 2015-04-25
 
 * Improves handling of --no-scopes GCE authorization ([@tbetbetbe][])
 * Refactoring and cleanup ([@joneslee85][])
 
-### 0.4.0 / 2015-03-25
+## 0.4.0 / 2015-03-25
 
 * Adds an implementation of JWT header auth ([@tbetbetbe][])
 
-### 0.3.0 / 2015-03-23
+## 0.3.0 / 2015-03-23
 
 * makes the scope parameter's optional in all APIs. ([@tbetbetbe][])
 * changes the scope parameter's position in various constructors. ([@tbetbetbe][])

data/lib/googleauth/compute_engine.rb

@@ -108,8 +108,7 @@ module Google
           uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
           query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
           query[:scopes] = Array(scope).join "," if scope
-          headers = { "Metadata-Flavor" => "Google" }
-          resp = c.get uri, query, headers
+          resp = c.get uri, query, "Metadata-Flavor" => "Google"
           case resp.status
           when 200
             content_type = resp.headers["content-type"]
@@ -118,11 +117,13 @@ module Google
             else
               Signet::OAuth2.parse_credentials resp.body, content_type
             end
+          when 403, 500
+            msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
+            raise Signet::UnexpectedStatusError, msg
           when 404
             raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
           else
-            msg = "Unexpected error code #{resp.status}" \
-              "#{UNEXPECTED_ERROR_SUFFIX}"
+            msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
             raise Signet::AuthorizationError, msg
           end
         end

data/lib/googleauth/credentials.rb

@@ -36,9 +36,46 @@ require "googleauth/credentials_loader"
 module Google
   module Auth
     ##
-    # Credentials is responsible for representing the authentication when connecting to an API. This
-    # class is also intended to be inherited by API-specific classes.
-    class Credentials
+    # Credentials is a high-level base class used by Google's API client
+    # libraries to represent the authentication when connecting to an API.
+    # In most cases, it is subclassed by API-specific credential classes that
+    # can be instantiated by clients.
+    #
+    # ## Options
+    #
+    # Credentials classes are configured with options that dictate default
+    # values for parameters such as scope and audience. These defaults are
+    # expressed as class attributes, and may differ from endpoint to endpoint.
+    # Normally, an API client will provide subclasses specific to each
+    # endpoint, configured with appropriate values.
+    #
+    # Note that these options inherit up the class hierarchy. If a particular
+    # options is not set for a subclass, its superclass is queried.
+    #
+    # Some older users of this class set options via constants. This usage is
+    # deprecated. For example, instead of setting the `AUDIENCE` constant on
+    # your subclass, call the `audience=` method.
+    #
+    # ## Example
+    #
+    #     class MyCredentials < Google::Auth::Credentials
+    #       # Set the default scope for these credentials
+    #       self.scope = "http://example.com/my_scope"
+    #     end
+    #
+    #     # creds is a credentials object suitable for Google API clients
+    #     creds = MyCredentials.default
+    #     creds.scope  # => ["http://example.com/my_scope"]
+    #
+    #     class SubCredentials < MyCredentials
+    #       # Override the default scope for this subclass
+    #       self.scope = "http://example.com/sub_scope"
+    #     end
+    #
+    #     creds2 = SubCredentials.default
+    #     creds2.scope  # => ["http://example.com/sub_scope"]
+    #
+    class Credentials # rubocop:disable Metrics/ClassLength
       ##
       # The default token credential URI to be used when none is provided during initialization.
       TOKEN_CREDENTIAL_URI = "https://oauth2.googleapis.com/token".freeze
@@ -47,7 +84,7 @@ module Google
       # The default target audience ID to be used when none is provided during initialization.
       AUDIENCE = "https://oauth2.googleapis.com/token".freeze
 
-      @audience = @scope = @target_audience = @env_vars = @paths = nil
+      @audience = @scope = @target_audience = @env_vars = @paths = @token_credential_uri = nil
 
       ##
       # The default token credential URI to be used when none is provided during initialization.
@@ -57,9 +94,9 @@ module Google
       # @return [String]
       #
       def self.token_credential_uri
-        return @token_credential_uri unless @token_credential_uri.nil?
-
-        const_get :TOKEN_CREDENTIAL_URI if const_defined? :TOKEN_CREDENTIAL_URI
+        lookup_auth_param :token_credential_uri do
+          lookup_local_constant :TOKEN_CREDENTIAL_URI
+        end
       end
 
       ##
@@ -79,9 +116,9 @@ module Google
       # @return [String]
       #
       def self.audience
-        return @audience unless @audience.nil?
-
-        const_get :AUDIENCE if const_defined? :AUDIENCE
+        lookup_auth_param :audience do
+          lookup_local_constant :AUDIENCE
+        end
       end
 
       ##
@@ -106,9 +143,10 @@ module Google
       # @return [String, Array<String>]
       #
       def self.scope
-        return @scope unless @scope.nil?
-
-        Array(const_get(:SCOPE)).flatten.uniq if const_defined? :SCOPE
+        lookup_auth_param :scope do
+          vals = lookup_local_constant :SCOPE
+          vals ? Array(vals).flatten.uniq : nil
+        end
       end
 
       ##
@@ -137,7 +175,7 @@ module Google
       # @return [String]
       #
       def self.target_audience
-        @target_audience
+        lookup_auth_param :target_audience
       end
 
       ##
@@ -161,13 +199,12 @@ module Google
       # @return [Array<String>]
       #
       def self.env_vars
-        return @env_vars unless @env_vars.nil?
-
-        # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
-        tmp_env_vars = []
-        tmp_env_vars << const_get(:PATH_ENV_VARS) if const_defined? :PATH_ENV_VARS
-        tmp_env_vars << const_get(:JSON_ENV_VARS) if const_defined? :JSON_ENV_VARS
-        tmp_env_vars.flatten.uniq
+        lookup_auth_param :env_vars do
+          # Pull values when PATH_ENV_VARS or JSON_ENV_VARS constants exists.
+          path_env_vars = lookup_local_constant :PATH_ENV_VARS
+          json_env_vars = lookup_local_constant :JSON_ENV_VARS
+          (Array(path_env_vars) + Array(json_env_vars)).flatten.uniq if path_env_vars || json_env_vars
+        end
       end
 
       ##
@@ -187,12 +224,11 @@ module Google
       # @return [Array<String>]
       #
       def self.paths
-        return @paths unless @paths.nil?
-
-        tmp_paths = []
-        # Pull in values is the DEFAULT_PATHS constant exists.
-        tmp_paths << const_get(:DEFAULT_PATHS) if const_defined? :DEFAULT_PATHS
-        tmp_paths.flatten.uniq
+        lookup_auth_param :paths do
+          # Pull in values if the DEFAULT_PATHS constant exists.
+          vals = lookup_local_constant :DEFAULT_PATHS
+          vals ? Array(vals).flatten.uniq : nil
+        end
       end
 
       ##
@@ -206,6 +242,39 @@ module Google
         @paths = new_paths
       end
 
+      ##
+      # @private
+      # Return the given parameter value, defaulting up the class hierarchy.
+      #
+      # First returns the value of the instance variable, if set.
+      # Next, calls the given block if provided. (This is generally used to
+      # look up legacy constant-based values.)
+      # Otherwise, calls the superclass method if present.
+      # Returns nil if all steps fail.
+      #
+      # @param [Symbol] The parameter name
+      # @return [Object] The value
+      #
+      def self.lookup_auth_param name
+        val = instance_variable_get "@#{name}".to_sym
+        val = yield if val.nil? && block_given?
+        return val unless val.nil?
+        return superclass.send name if superclass.respond_to? name
+        nil
+      end
+
+      ##
+      # @private
+      # Return the value of the given constant if it is defined directly in
+      # this class, or nil if not.
+      #
+      # @param [Symbol] Name of the constant
+      # @return [Object] The value
+      #
+      def self.lookup_local_constant name
+        const_defined?(name, false) ? const_get(name) : nil
+      end
+
       ##
       # The Signet::OAuth2::Client object the Credentials instance is using.
       #
@@ -336,8 +405,15 @@ module Google
         env_vars.each do |env_var|
           str = ENV[env_var]
           next if str.nil?
-          return new str, options if ::File.file? str
-          return new ::JSON.parse(str), options rescue nil
+          io =
+            if ::File.file? str
+              ::StringIO.new ::File.read str
+            else
+              json = ::JSON.parse str rescue nil
+              json ? ::StringIO.new(str) : nil
+            end
+          next if io.nil?
+          return from_io io, options
         end
         nil
       end
@@ -345,11 +421,11 @@ module Google
       ##
       # @private Lookup Credentials from default file paths.
       def self.from_default_paths options
-        paths
-          .select { |p| ::File.file? p }
-          .each do |file|
-            return new file, options
-          end
+        paths.each do |path|
+          next unless path && ::File.file?(path)
+          io = ::StringIO.new ::File.read path
+          return from_io io, options
+        end
         nil
       end
 
@@ -357,14 +433,34 @@ module Google
       # @private Lookup Credentials using Google::Auth.get_application_default.
       def self.from_application_default options
         scope = options[:scope] || self.scope
-        auth_opts = { target_audience: options[:target_audience] || target_audience }
+        auth_opts = {
+          token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
+          audience:               options[:audience] || audience,
+          target_audience:        options[:target_audience] || target_audience,
+          enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?
+        }
         client = Google::Auth.get_application_default scope, auth_opts
         new client, options
       end
 
+      # @private Read credentials from a JSON stream.
+      def self.from_io io, options
+        creds_input = {
+          json_key_io:            io,
+          scope:                  options[:scope] || scope,
+          target_audience:        options[:target_audience] || target_audience,
+          enable_self_signed_jwt: options[:enable_self_signed_jwt] && options[:scope].nil?,
+          token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
+          audience:               options[:audience] || audience
+        }
+        client = Google::Auth::DefaultCredentials.make_creds creds_input
+        new client
+      end
+
       private_class_method :from_env_vars,
                            :from_default_paths,
-                           :from_application_default
+                           :from_application_default,
+                           :from_io
 
       protected
 

data/lib/googleauth/service_account.rb

@@ -53,12 +53,18 @@ module Google
       attr_reader :project_id
       attr_reader :quota_project_id
 
+      def enable_self_signed_jwt?
+        @enable_self_signed_jwt
+      end
+
       # Creates a ServiceAccountCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
       def self.make_creds options = {}
-        json_key_io, scope, target_audience = options.values_at :json_key_io, :scope, :target_audience
+        json_key_io, scope, enable_self_signed_jwt, target_audience, audience, token_credential_uri =
+          options.values_at :json_key_io, :scope, :enable_self_signed_jwt, :target_audience,
+                            :audience, :token_credential_uri
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
         if json_key_io
@@ -71,14 +77,15 @@ module Google
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
-        new(token_credential_uri: TOKEN_CRED_URI,
-            audience:             TOKEN_CRED_URI,
-            scope:                scope,
-            target_audience:      target_audience,
-            issuer:               client_email,
-            signing_key:          OpenSSL::PKey::RSA.new(private_key),
-            project_id:           project_id,
-            quota_project_id:     quota_project_id)
+        new(token_credential_uri:   token_credential_uri || TOKEN_CRED_URI,
+            audience:               audience || TOKEN_CRED_URI,
+            scope:                  scope,
+            enable_self_signed_jwt: enable_self_signed_jwt,
+            target_audience:        target_audience,
+            issuer:                 client_email,
+            signing_key:            OpenSSL::PKey::RSA.new(private_key),
+            project_id:             project_id,
+            quota_project_id:       quota_project_id)
           .configure_connection(options)
       end
 
@@ -94,30 +101,33 @@ module Google
       def initialize options = {}
         @project_id = options[:project_id]
         @quota_project_id = options[:quota_project_id]
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
         super options
       end
 
-      # Extends the base class.
-      #
-      # If scope(s) is not set, it creates a transient
-      # ServiceAccountJwtHeaderCredentials instance and uses that to
-      # authenticate instead.
+      # Extends the base class to use a transient
+      # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use the base implementation if scopes are set
-        unless scope.nil? && target_audience.nil?
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token.
+        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+          apply_self_signed_jwt! a_hash
+        else
           super
-          return
         end
+      end
+
+      private
 
+      def apply_self_signed_jwt! a_hash
         # Use the ServiceAccountJwtHeaderCredentials using the same cred values
-        # if no scopes are set.
         cred_json = {
           private_key:  @signing_key.to_s,
           client_email: @issuer
         }
-        alt_clz = ServiceAccountJwtHeaderCredentials
         key_io = StringIO.new MultiJson.dump(cred_json)
-        alt = alt_clz.make_creds json_key_io: key_io
+        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io
         alt.apply! a_hash
       end
     end

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "0.14.0".freeze
+    VERSION = "0.15.0".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -58,12 +58,9 @@ module Google
     #    end
     #
     # Instead of implementing the callback directly, applications are
-    # encouraged to use {Google::Auth::Web::AuthCallbackApp} instead.
+    # encouraged to use {Google::Auth::WebUserAuthorizer::CallbackApp} instead.
     #
-    # For rails apps, see {Google::Auth::ControllerHelpers}
-    #
-    # @see {Google::Auth::AuthCallbackApp}
-    # @see {Google::Auth::ControllerHelpers}
+    # @see CallbackApp
     # @note Requires sessions are enabled
     class WebUserAuthorizer < Google::Auth::UserAuthorizer
       STATE_PARAM = "state".freeze
@@ -261,7 +258,7 @@ module Google
       #       Google::Auth::WebUserAuthorizer::CallbackApp.call(env)
       #     end
       #
-      # @see {Google::Auth::WebUserAuthorizer}
+      # @see Google::Auth::WebUserAuthorizer
       class CallbackApp
         LOCATION_HEADER = "Location".freeze
         REDIR_STATUS = 302

data/spec/googleauth/compute_engine_spec.rb

@@ -90,6 +90,24 @@ describe Google::Auth::GCECredentials do
         expect(stub).to have_been_requested
       end
 
+      it "should fail if the metadata request returns a 403" do
+        stub = stub_request(:get, MD_ACCESS_URI)
+                 .to_return(status:  403,
+                            headers: { "Metadata-Flavor" => "Google" })
+        expect { @client.fetch_access_token! }
+          .to raise_error Signet::AuthorizationError
+        expect(stub).to have_been_requested.times(6)
+      end
+
+      it "should fail if the metadata request returns a 500" do
+        stub = stub_request(:get, MD_ACCESS_URI)
+                 .to_return(status:  500,
+                            headers: { "Metadata-Flavor" => "Google" })
+        expect { @client.fetch_access_token! }
+          .to raise_error Signet::AuthorizationError
+        expect(stub).to have_been_requested.times(6)
+      end
+
       it "should fail if the metadata request returns an unexpected code" do
         stub = stub_request(:get, MD_ACCESS_URI)
                .to_return(status:  503,

data/spec/googleauth/credentials_spec.rb

@@ -46,37 +46,37 @@ describe Google::Auth::Credentials, :private do
     }
   end
 
-  it "uses a default scope" do
+  def mock_signet
     mocked_signet = double "Signet::OAuth2::Client"
     allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
     allow(mocked_signet).to receive(:client_id)
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      yield options if block_given?
+      mocked_signet
+    end
+    mocked_signet
+  end
+
+  it "uses a default scope" do
+    mock_signet do |options|
       expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
       expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
       expect(options[:scope]).to eq([])
       expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-      mocked_signet
     end
 
     Google::Auth::Credentials.new default_keyfile_hash
   end
 
   it "uses a custom scope" do
-    mocked_signet = double "Signet::OAuth2::Client"
-    allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-    allow(mocked_signet).to receive(:client_id)
-    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+    mock_signet do |options|
       expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
       expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
       expect(options[:scope]).to eq(["http://example.com/scope"])
       expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-      mocked_signet
     end
 
     Google::Auth::Credentials.new default_keyfile_hash, scope: "http://example.com/scope"
@@ -101,21 +101,22 @@ describe Google::Auth::Credentials, :private do
       allow(::File).to receive(:file?).with(test_path_env_val) { false }
       allow(::File).to receive(:file?).with(test_json_env_val) { false }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://example.com/token")
         expect(options[:audience]).to eq("https://example.com/audience")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to eq(true)
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(test_json_env_val)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
-      creds = TestCredentials1.default
+      creds = TestCredentials1.default enable_self_signed_jwt: true
       expect(creds).to be_a_kind_of(TestCredentials1)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
@@ -130,25 +131,28 @@ describe Google::Auth::Credentials, :private do
         DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
       end
 
+      json_content = JSON.generate default_keyfile_hash
+
       allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/unknown/path/to/file.txt") { true }
-      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { JSON.generate default_keyfile_hash }
+      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { json_content }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(json_content)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials2.default
@@ -175,18 +179,19 @@ describe Google::Auth::Credentials, :private do
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::ENV).to receive(:[]).with("JSON_ENV_TEST") { test_json_env_val }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(test_json_env_val)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials3.default
@@ -204,25 +209,28 @@ describe Google::Auth::Credentials, :private do
         DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
       end
 
+      json_content = JSON.generate default_keyfile_hash
+
       allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { true }
-      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { JSON.generate default_keyfile_hash }
+      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { json_content }
+
+      mocked_signet = mock_signet
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(json_content)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials4.default
@@ -246,26 +254,18 @@ describe Google::Auth::Credentials, :private do
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Google::Auth).to receive(:get_application_default) do |scope|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth).to receive(:get_application_default) do |scope, options|
         expect(scope).to eq([TestCredentials5::SCOPE])
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
 
         # This should really be a Signet::OAuth2::Client object,
         # but mocking is making that difficult, so return a valid hash instead.
         default_keyfile_hash
       end
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
-        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
-        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-        expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
-
-        mocked_signet
-      end
 
       creds = TestCredentials5.default
       expect(creds).to be_a_kind_of(TestCredentials5)
@@ -273,6 +273,31 @@ describe Google::Auth::Credentials, :private do
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
       expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
+
+    it "can be subclassed to pass in other env paths" do
+      class TestCredentials6 < Google::Auth::Credentials
+        TOKEN_CREDENTIAL_URI = "https://example.com/token".freeze
+        AUDIENCE = "https://example.com/audience".freeze
+        SCOPE = "http://example.com/scope".freeze
+        PATH_ENV_VARS = ["TEST_PATH"].freeze
+        JSON_ENV_VARS = ["TEST_JSON_VARS"].freeze
+        DEFAULT_PATHS = ["~/default/path/to/file.txt"]
+      end
+
+      class TestCredentials7 < TestCredentials6
+      end
+
+      expect(TestCredentials7.token_credential_uri).to eq("https://example.com/token")
+      expect(TestCredentials7.audience).to eq("https://example.com/audience")
+      expect(TestCredentials7.scope).to eq(["http://example.com/scope"])
+      expect(TestCredentials7.env_vars).to eq(["TEST_PATH", "TEST_JSON_VARS"])
+      expect(TestCredentials7.paths).to eq(["~/default/path/to/file.txt"])
+
+      TestCredentials7::TOKEN_CREDENTIAL_URI = "https://example.com/token2"
+      expect(TestCredentials7.token_credential_uri).to eq("https://example.com/token2")
+      TestCredentials7::AUDIENCE = nil
+      expect(TestCredentials7.audience).to eq("https://example.com/audience")
+    end
   end
 
   describe "using class methods" do
@@ -293,18 +318,19 @@ describe Google::Auth::Credentials, :private do
       allow(::File).to receive(:file?).with(test_path_env_val) { false }
       allow(::File).to receive(:file?).with(test_json_env_val) { false }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://example.com/token")
         expect(options[:audience]).to eq("https://example.com/audience")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(test_json_env_val)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials11.default
@@ -321,25 +347,28 @@ describe Google::Auth::Credentials, :private do
         self.paths = ["~/default/path/to/file.txt"]
       end
 
+      json_content = JSON.generate default_keyfile_hash
+
       allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/unknown/path/to/file.txt") { true }
-      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { JSON.generate default_keyfile_hash }
+      allow(::File).to receive(:read).with("/unknown/path/to/file.txt") { json_content }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(json_content)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials12.default
@@ -365,18 +394,19 @@ describe Google::Auth::Credentials, :private do
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::ENV).to receive(:[]).with("JSON_ENV_TEST") { test_json_env_val }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(test_json_env_val)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials13.default
@@ -393,25 +423,28 @@ describe Google::Auth::Credentials, :private do
         self.paths = ["~/default/path/to/file.txt"]
       end
 
+      json_content = JSON.generate default_keyfile_hash
+
       allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { true }
-      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { JSON.generate default_keyfile_hash }
+      allow(::File).to receive(:read).with("~/default/path/to/file.txt") { json_content }
+
+      mocked_signet = mock_signet
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      allow(Google::Auth::ServiceAccountCredentials).to receive(:make_creds) do |options|
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+        expect(options[:enable_self_signed_jwt]).to be_nil
+        expect(options[:target_audience]).to be_nil
+        expect(options[:json_key_io].read).to eq(json_content)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
       creds = TestCredentials14.default
@@ -421,7 +454,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
-    it "subclasses that find no matches default to Google::Auth.get_application_default" do
+    it "subclasses that find no matches default to Google::Auth.get_application_default with self-signed jwt enabled" do
       class TestCredentials15 < Google::Auth::Credentials
         self.scope = "http://example.com/scope"
         self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY]
@@ -434,33 +467,117 @@ describe Google::Auth::Credentials, :private do
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
       allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
 
-      mocked_signet = double "Signet::OAuth2::Client"
-      allow(mocked_signet).to receive(:configure_connection).and_return(mocked_signet)
-      allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
-      allow(mocked_signet).to receive(:client_id)
-      allow(Google::Auth).to receive(:get_application_default) do |scope|
+      mocked_signet = mock_signet
+
+      allow(Google::Auth).to receive(:get_application_default) do |scope, options|
         expect(scope).to eq(TestCredentials15.scope)
+        expect(options[:enable_self_signed_jwt]).to eq(true)
+        expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
+        expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
 
         # This should really be a Signet::OAuth2::Client object,
         # but mocking is making that difficult, so return a valid hash instead.
         default_keyfile_hash
       end
-      allow(Signet::OAuth2::Client).to receive(:new) do |options|
+
+      creds = TestCredentials15.default enable_self_signed_jwt: true
+      expect(creds).to be_a_kind_of(TestCredentials15)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
+    end
+
+    it "subclasses that find no matches default to Google::Auth.get_application_default with self-signed jwt disabled" do
+      class TestCredentials16 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY]
+        self.paths = ["~/default/path/to/file.txt"]
+      end
+
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
+
+      mocked_signet = mock_signet
+
+      allow(Google::Auth).to receive(:get_application_default) do |scope, options|
+        expect(scope).to eq(TestCredentials16.scope)
+        expect(options[:enable_self_signed_jwt]).to be_nil
         expect(options[:token_credential_uri]).to eq("https://oauth2.googleapis.com/token")
         expect(options[:audience]).to eq("https://oauth2.googleapis.com/token")
-        expect(options[:scope]).to eq(["http://example.com/scope"])
-        expect(options[:issuer]).to eq(default_keyfile_hash["client_email"])
-        expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
 
-        mocked_signet
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
       end
 
-      creds = TestCredentials15.default
-      expect(creds).to be_a_kind_of(TestCredentials15)
+      creds = TestCredentials16.default
+      expect(creds).to be_a_kind_of(TestCredentials16)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
       expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
+
+    it "subclasses that find no matches default to Google::Auth.get_application_default with custom values" do
+      scope2 = "http://example.com/scope2"
+
+      class TestCredentials17 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.env_vars = %w[PATH_ENV_DUMMY JSON_ENV_DUMMY]
+        self.paths = ["~/default/path/to/file.txt"]
+        self.token_credential_uri = "https://example.com/token2"
+        self.audience = "https://example.com/token3"
+      end
+
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
+      allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
+      allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
+      allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
+      allow(::File).to receive(:file?).with("~/default/path/to/file.txt") { false }
+
+      mocked_signet = mock_signet
+
+      allow(Google::Auth).to receive(:get_application_default) do |scope, options|
+        expect(scope).to eq(scope2)
+        expect(options[:enable_self_signed_jwt]).to eq(false)
+        expect(options[:token_credential_uri]).to eq("https://example.com/token2")
+        expect(options[:audience]).to eq("https://example.com/token3")
+
+        # This should really be a Signet::OAuth2::Client object,
+        # but mocking is making that difficult, so return a valid hash instead.
+        default_keyfile_hash
+      end
+
+      creds = TestCredentials17.default scope: scope2, enable_self_signed_jwt: true
+      expect(creds).to be_a_kind_of(TestCredentials17)
+      expect(creds.client).to eq(mocked_signet)
+      expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
+    end
+
+    it "subclasses delegate up the class hierarchy" do
+      class TestCredentials18 < Google::Auth::Credentials
+        self.scope = "http://example.com/scope"
+        self.target_audience = "https://example.com/target_audience"
+        self.env_vars = ["TEST_PATH", "TEST_JSON_VARS"]
+        self.paths = ["~/default/path/to/file.txt"]
+      end
+
+      class TestCredentials19 < TestCredentials18
+      end
+
+      expect(TestCredentials19.scope).to eq(["http://example.com/scope"])
+      expect(TestCredentials19.target_audience).to eq("https://example.com/target_audience")
+      expect(TestCredentials19.env_vars).to eq(["TEST_PATH", "TEST_JSON_VARS"])
+      expect(TestCredentials19.paths).to eq(["~/default/path/to/file.txt"])
+
+      TestCredentials19.token_credential_uri = "https://example.com/token2"
+      expect(TestCredentials19.token_credential_uri).to eq("https://example.com/token2")
+      TestCredentials19.token_credential_uri = nil
+      expect(TestCredentials19.token_credential_uri).to eq("https://oauth2.googleapis.com/token")
+    end
   end
 
   it "warns when cloud sdk credentials are used" do

data/spec/googleauth/service_account_spec.rb

@@ -169,6 +169,14 @@ describe Google::Auth::ServiceAccountCredentials do
     it_behaves_like "jwt header auth"
   end
 
+  context "when enable_self_signed_jwt is set" do
+    before :example do
+      @client.instance_variable_set(:@enable_self_signed_jwt, true)
+    end
+
+    it_behaves_like "jwt header auth"
+  end
+
   describe "#from_env" do
     before :example do
       @var_name = ENV_VAR

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 0.14.0
+  version: 0.15.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-09 00:00:00.000000000 Z
+date: 2021-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -140,6 +140,7 @@ files:
 - ".github/ISSUE_TEMPLATE/bug_report.md"
 - ".github/ISSUE_TEMPLATE/feature_request.md"
 - ".github/ISSUE_TEMPLATE/support_request.md"
+- ".github/workflows/release.yml"
 - ".gitignore"
 - ".kokoro/build.bat"
 - ".kokoro/build.sh"
@@ -232,7 +233,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.6
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby