googleauth 0.4.1 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e62231971bac1c91acd998f3c70095834c4f4b6c
-  data.tar.gz: dc687953a02e4c2eca85dbf044bcab4be46e69fd
+  metadata.gz: adef96ddcbbab3bf0cdf0bcb5e2772bbf3de2f04
+  data.tar.gz: ab58fe380898294110ec76ac571a22ef411efe6b
 SHA512:
-  metadata.gz: e18ff4154e5f66978e93156551804699cd3a62d4ae920893a94178ad276495130bbb0711b1e6284ab35eef04191f306c0c457aeedfad3b68e0612529daaf3b86
-  data.tar.gz: 4835734c63b673c62fcfbea1ee6407f2ffb1a7cc3c05d5bffecfbe8293e186b9f8a7d594d1722097d552b205e64fa3d4ff6e566ceadc8035c9e7a0c5c8c9bb59
+  metadata.gz: 5ad82896ca3cac5f605ece8cf51c512bc4625c782045452fee044064ae4d751e33e29101f6c9caef569f08816b1b1066626000a3b541c30dc02033a70cbebe7c
+  data.tar.gz: cd31e77291d39c9cf44c6ffa39a3e939274a5ca9834d6ee558f2e5ec4d5b575d6c8d29655cbaa4b25dc8e5ca89330a5f87d61dd1eea302398ac388c27f56aa46

data/.rubocop_todo.yml

@@ -1,5 +1,5 @@
 # This configuration was generated by `rubocop --auto-gen-config`
-# on 2015-04-23 11:18:24 -0700 using RuboCop version 0.30.0.
+# on 2015-05-18 09:38:28 -0700 using RuboCop version 0.31.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -9,7 +9,7 @@
 Metrics/AbcSize:
   Max: 24
 
-# Offense count: 6
+# Offense count: 10
 # Configuration parameters: CountComments.
 Metrics/MethodLength:
   Max: 13

data/.travis.yml

@@ -1,3 +1,4 @@
+sudo: false
 language: ruby
 rvm:
   - 2.2
@@ -7,9 +8,24 @@ rvm:
   - rbx-2
   - jruby
 script: "bundle exec rake"
+addons:
+  apt:
+    packages:
+    - idn
+    - build-essential  # this and below attempt allow rubinius to be setup ok
+    - bison
+    - ruby-dev
+    - rake zlib1g-dev
+    - libyaml-dev
+    - libssl-dev
+    - libreadline-dev
+    - libncurses5-dev
+    - llvm
+    - llvm-dev
+    - libeditline-dev
+    - libedit-dev
 before_install:
- - sudo apt-get update
- - sudo apt-get install idn
+ - gem update bundler
 notifications:
   email:
     recipients:

data/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 0.4.2 (05/08/2015)
+
+### Changes
+
+* Updated UserRefreshCredentials hash to use string keys ([@haabator][])
+[#36](https://github.com/google/google-auth-library-ruby/issues/36)
+
+* Add support for a system default credentials file. ([@mr-salty][])
+[#33](https://github.com/google/google-auth-library-ruby/issues/33)
+
+* Fix bug when loading credentials from ENV ([@dwilkie][])
+[#31](https://github.com/google/google-auth-library-ruby/issues/31)
+
+* Relax the constraint of dependent version of multi_json ([@igrep][])
+[#30](https://github.com/google/google-auth-library-ruby/issues/30)
+
+### Changes
+
+* Enables passing credentials via environment variables. ([@haabaato][])
+[#27](https://github.com/google/google-auth-library-ruby/issues/27)
+
 ## 0.4.1 (25/04/2015)
 
 ### Changes
@@ -18,5 +39,9 @@
 * makes the scope parameter's optional in all APIs. ([@tbetbetbe][])
 * changes the scope parameter's position in various constructors. ([@tbetbetbe][])
 
-[@tbetbetbe]: https://github.com/tbetbetbe
+[@dwilkie]: https://github.com/dwilkie
+[@haabaato]: https://github.com/haabaato
+[@igrep]: https://github.com/igrep
 [@joneslee85]: https://github.com/joneslee85
+[@mr-salty]: https://github.com/mr-salty
+[@tbetbetbe]: https://github.com/tbetbetbe

data/googleauth.gemspec

@@ -29,12 +29,13 @@ Gem::Specification.new do |s|
   s.add_dependency 'logging', '~> 2.0'
   s.add_dependency 'jwt', '~> 1.4'
   s.add_dependency 'memoist', '~> 0.12'
-  s.add_dependency 'multi_json', '1.11'
+  s.add_dependency 'multi_json', '~> 1.11'
   s.add_dependency 'signet', '~> 0.6'
 
   s.add_development_dependency 'bundler', '~> 1.9'
   s.add_development_dependency 'simplecov', '~> 0.9'
   s.add_development_dependency 'coveralls', '~> 0.7'
+  s.add_development_dependency 'fakefs', '~> 0.6'
   s.add_development_dependency 'rake', '~> 10.0'
   s.add_development_dependency 'rubocop', '~> 0.30'
   s.add_development_dependency 'rspec', '~> 3.0'

data/lib/googleauth.rb

@@ -52,16 +52,38 @@ END
 
       # override CredentialsLoader#make_creds to use the class determined by
       # loading the json.
-      def self.make_creds(json_key_io, scope = nil)
-        json_key, clz = determine_creds_class(json_key_io)
-        clz.new(StringIO.new(MultiJson.dump(json_key)), scope)
+      def self.make_creds(options = {})
+        json_key_io, scope = options.values_at(:json_key_io, :scope)
+        if json_key_io
+          json_key, clz = determine_creds_class(json_key_io)
+          clz.new(json_key_io: StringIO.new(MultiJson.dump(json_key)),
+                  scope: scope)
+        else
+          clz = read_creds
+          clz.new(scope: scope)
+        end
+      end
+
+      def self.read_creds
+        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
+        type = ENV[env_var]
+        fail "#{ACCOUNT_TYPE_VAR} is undefined in env" unless type
+        case type
+        when 'service_account'
+          ServiceAccountCredentials
+        when 'authorized_user'
+          UserRefreshCredentials
+        else
+          fail "credentials type '#{type}' is not supported"
+        end
       end
 
       # Reads the input json and determines which creds class to use.
       def self.determine_creds_class(json_key_io)
         json_key = MultiJson.load(json_key_io.read)
-        fail "the json is missing the #{key} field" unless json_key.key?('type')
-        type = json_key['type']
+        key = 'type'
+        fail "the json is missing the '#{key}' field" unless json_key.key?(key)
+        type = json_key[key]
         case type
         when 'service_account'
           [json_key, ServiceAccountCredentials]
@@ -88,7 +110,8 @@ END
     # @param options [hash] allows override of the connection being used
     def get_application_default(scope = nil, options = {})
       creds = DefaultCredentials.from_env(scope) ||
-              DefaultCredentials.from_well_known_path(scope)
+              DefaultCredentials.from_well_known_path(scope) ||
+              DefaultCredentials.from_system_default_path(scope)
       return creds unless creds.nil?
       fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
       GCECredentials.new

data/lib/googleauth/credentials_loader.rb

@@ -39,11 +39,22 @@ module Google
     module CredentialsLoader
       extend Memoist
       ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
+
+      PRIVATE_KEY_VAR = 'GOOGLE_PRIVATE_KEY'
+      CLIENT_EMAIL_VAR = 'GOOGLE_CLIENT_EMAIL'
+      CLIENT_ID_VAR = 'GOOGLE_CLIENT_ID'
+      CLIENT_SECRET_VAR = 'GOOGLE_CLIENT_SECRET'
+      REFRESH_TOKEN_VAR = 'GOOGLE_REFRESH_TOKEN'
+      ACCOUNT_TYPE_VAR = 'GOOGLE_ACCOUNT_TYPE'
+
+      CREDENTIALS_FILE_NAME = 'application_default_credentials.json'
       NOT_FOUND_ERROR =
         "Unable to read the credential file specified by #{ENV_VAR}"
-      WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'
+      WELL_KNOWN_PATH = "gcloud/#{CREDENTIALS_FILE_NAME}"
       WELL_KNOWN_ERROR = 'Unable to read the default credential file'
 
+      SYSTEM_DEFAULT_ERROR = 'Unable to read the system default credential file'
+
       # determines if the current OS is windows
       def windows?
         RbConfig::CONFIG['host_os'] =~ /Windows|mswin/
@@ -63,11 +74,14 @@ module Google
       #
       # @param scope [string|array|nil] the scope(s) to access
       def from_env(scope = nil)
-        return nil unless ENV.key?(ENV_VAR)
-        path = ENV[ENV_VAR]
-        fail 'file #{path} does not exist' unless File.exist?(path)
-        File.open(path) do |f|
-          return make_creds(f, scope)
+        if ENV.key?(ENV_VAR)
+          path = ENV[ENV_VAR]
+          fail "file #{path} does not exist" unless File.exist?(path)
+          File.open(path) do |f|
+            return make_creds(json_key_io: f, scope: scope)
+          end
+        elsif service_account_env_vars? || authorized_user_env_vars?
+          return make_creds(scope: scope)
         end
       rescue StandardError => e
         raise "#{NOT_FOUND_ERROR}: #{e}"
@@ -77,17 +91,48 @@ module Google
       #
       # @param scope [string|array|nil] the scope(s) to access
       def from_well_known_path(scope = nil)
-        home_var, base = windows? ? 'APPDATA' : 'HOME', WELL_KNOWN_PATH
+        home_var = windows? ? 'APPDATA' : 'HOME'
+        base = WELL_KNOWN_PATH
         root = ENV[home_var].nil? ? '' : ENV[home_var]
         base = File.join('.config', base) unless windows?
         path = File.join(root, base)
         return nil unless File.exist?(path)
         File.open(path) do |f|
-          return make_creds(f, scope)
+          return make_creds(json_key_io: f, scope: scope)
         end
       rescue StandardError => e
         raise "#{WELL_KNOWN_ERROR}: #{e}"
       end
+
+      # Creates an instance from the system default path
+      #
+      # @param scope [string|array|nil] the scope(s) to access
+      def from_system_default_path(scope = nil)
+        if windows?
+          return nil unless ENV['ProgramData']
+          prefix = File.join(ENV['ProgramData'], 'Google/Auth')
+        else
+          prefix = '/etc/google/auth/'
+        end
+        path = File.join(prefix, CREDENTIALS_FILE_NAME)
+        return nil unless File.exist?(path)
+        File.open(path) do |f|
+          return make_creds(json_key_io: f, scope: scope)
+        end
+      rescue StandardError => e
+        raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
+      end
+
+      private
+
+      def service_account_env_vars?
+        ([PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR] - ENV.keys).empty?
+      end
+
+      def authorized_user_env_vars?
+        ([CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR] -
+          ENV.keys).empty?
+      end
     end
   end
 end

data/lib/googleauth/iam.rb

@@ -0,0 +1,75 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'googleauth/signet'
+require 'googleauth/credentials_loader'
+require 'multi_json'
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # Authenticates requests using IAM credentials.
+    class IAMCredentials
+      SELECTOR_KEY = 'x-goog-iam-authority-selector'
+      TOKEN_KEY = 'x-goog-iam-authorization-token'
+
+      # Initializes an IAMCredentials.
+      #
+      # @param selector the IAM selector.
+      # @param token the IAM token.
+      def initialize(selector, token)
+        fail TypeError unless selector.is_a? String
+        fail TypeError unless token.is_a? String
+        @selector = selector
+        @token = token
+      end
+
+      # Adds the credential fields to the hash.
+      def apply!(a_hash)
+        a_hash[SELECTOR_KEY] = @selector
+        a_hash[TOKEN_KEY] = @token
+        a_hash
+      end
+
+      # Returns a clone of a_hash updated with the authoriation header
+      def apply(a_hash)
+        a_copy = a_hash.clone
+        apply!(a_copy)
+        a_copy
+      end
+
+      # Returns a reference to the #apply method, suitable for passing as
+      # a closure
+      def updater_proc
+        lambda(&method(:apply))
+      end
+    end
+  end
+end

data/lib/googleauth/service_account.rb

@@ -62,8 +62,15 @@ module Google
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
-      def initialize(json_key_io, scope = nil)
-        private_key, client_email = self.class.read_json_key(json_key_io)
+      def initialize(options = {})
+        json_key_io, scope = options.values_at(:json_key_io, :scope)
+        if json_key_io
+          private_key, client_email = self.class.read_json_key(json_key_io)
+        else
+          private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+        end
+
         super(token_credential_uri: TOKEN_CRED_URI,
               audience: TOKEN_CRED_URI,
               scope: scope,
@@ -90,7 +97,7 @@ module Google
           client_email: @issuer
         }
         alt_clz = ServiceAccountJwtHeaderCredentials
-        alt = alt_clz.new(StringIO.new(MultiJson.dump(cred_json)))
+        alt = alt_clz.new(json_key_io: StringIO.new(MultiJson.dump(cred_json)))
         alt.apply!(a_hash)
       end
     end
@@ -120,7 +127,7 @@ module Google
       # optional scope. Here's the constructor only has one param, so
       # we modify make_creds to reflect this.
       def self.make_creds(*args)
-        new(args[0])
+        new(json_key_io: args[0][:json_key_io])
       end
 
       # Reads the private key and client email fields from the service account
@@ -135,8 +142,14 @@ module Google
       # Initializes a ServiceAccountJwtHeaderCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
-      def initialize(json_key_io)
-        private_key, client_email = self.class.read_json_key(json_key_io)
+      def initialize(options = {})
+        json_key_io = options[:json_key_io]
+        if json_key_io
+          private_key, client_email = self.class.read_json_key(json_key_io)
+        else
+          private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+        end
         @private_key = private_key
         @issuer = client_email
         @signing_key = OpenSSL::PKey::RSA.new(private_key)

data/lib/googleauth/user_refresh.rb

@@ -63,8 +63,15 @@ module Google
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
-      def initialize(json_key_io, scope = nil)
-        user_creds = self.class.read_json_key(json_key_io)
+      def initialize(options = {})
+        json_key_io, scope = options.values_at(:json_key_io, :scope)
+        user_creds = self.class.read_json_key(json_key_io) if json_key_io
+        user_creds ||= {
+          'client_id'     => ENV[CredentialsLoader::CLIENT_ID_VAR],
+          'client_secret' => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
+          'refresh_token' => ENV[CredentialsLoader::REFRESH_TOKEN_VAR]
+        }
+
         super(token_credential_uri: TOKEN_CRED_URI,
               client_id: user_creds['client_id'],
               client_secret: user_creds['client_secret'],

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = '0.4.1'
+    VERSION = '0.4.2'
   end
 end

data/spec/googleauth/get_application_default_spec.rb

@@ -32,20 +32,25 @@ $LOAD_PATH.unshift(spec_dir)
 $LOAD_PATH.uniq!
 
 require 'faraday'
+require 'fakefs/safe'
 require 'googleauth'
 require 'spec_helper'
 
 describe '#get_application_default' do
   before(:example) do
     @key = OpenSSL::PKey::RSA.new(2048)
-    @var_name = CredentialsLoader::ENV_VAR
-    @orig = ENV[@var_name]
+    @var_name = ENV_VAR
+    @credential_vars = [
+      ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, CLIENT_ID_VAR,
+      CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR, ACCOUNT_TYPE_VAR]
+    @original_env_vals = {}
+    @credential_vars.each { |var| @original_env_vals[var] = ENV[var] }
     @home = ENV['HOME']
     @scope = 'https://www.googleapis.com/auth/userinfo.profile'
   end
 
   after(:example) do
-    ENV[@var_name] = @orig unless @orig.nil?
+    @credential_vars.each { |var| ENV[var] = @original_env_vals[var] }
     ENV['HOME'] = @home unless @home == ENV['HOME']
   end
 
@@ -54,7 +59,8 @@ describe '#get_application_default' do
       Dir.mktmpdir do |dir|
         key_path = File.join(dir, 'does-not-exist')
         ENV[@var_name] = key_path
-        expect { Google::Auth.get_application_default(@scope) }.to raise_error
+        expect { Google::Auth.get_application_default(@scope) }
+          .to raise_error RuntimeError
       end
     end
 
@@ -65,17 +71,17 @@ describe '#get_application_default' do
            { 'Metadata-Flavor' => 'Google' },
            '']
         end
-      end  # GCE not detected
+      end # GCE not detected
       Dir.mktmpdir do |dir|
         ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
-        ENV['HOME'] = dir  # no config present in this tmp dir
+        ENV['HOME'] = dir # no config present in this tmp dir
         c = Faraday.new do |b|
           b.adapter(:test, stubs)
         end
         blk = proc do
           Google::Auth.get_application_default(@scope, connection: c)
         end
-        expect(&blk).to raise_error
+        expect(&blk).to raise_error RuntimeError
       end
       stubs.verify_stubbed_calls
     end
@@ -95,8 +101,7 @@ describe '#get_application_default' do
     it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do
       ENV.delete(@var_name) unless ENV[@var_name].nil?
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, '.config',
-                             CredentialsLoader::WELL_KNOWN_PATH)
+        key_path = File.join(dir, '.config', WELL_KNOWN_PATH)
         FileUtils.mkdir_p(File.dirname(key_path))
         File.write(key_path, cred_json_text)
         ENV['HOME'] = dir
@@ -107,8 +112,7 @@ describe '#get_application_default' do
     it 'succeeds with default file without a scope' do
       ENV.delete(@var_name) unless ENV[@var_name].nil?
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, '.config',
-                             CredentialsLoader::WELL_KNOWN_PATH)
+        key_path = File.join(dir, '.config', WELL_KNOWN_PATH)
         FileUtils.mkdir_p(File.dirname(key_path))
         File.write(key_path, cred_json_text)
         ENV['HOME'] = dir
@@ -123,10 +127,10 @@ describe '#get_application_default' do
            { 'Metadata-Flavor' => 'Google' },
            '']
         end
-      end  # GCE detected
+      end # GCE detected
       Dir.mktmpdir do |dir|
         ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
-        ENV['HOME'] = dir  # no config present in this tmp dir
+        ENV['HOME'] = dir # no config present in this tmp dir
         c = Faraday.new do |b|
           b.adapter(:test, stubs)
         end
@@ -137,17 +141,42 @@ describe '#get_application_default' do
       end
       stubs.verify_stubbed_calls
     end
+
+    it 'succeeds with system default file' do
+      ENV.delete(@var_name) unless ENV[@var_name].nil?
+      FakeFS do
+        key_path = File.join('/etc/google/auth/', CREDENTIALS_FILE_NAME)
+        FileUtils.mkdir_p(File.dirname(key_path))
+        File.write(key_path, cred_json_text)
+        expect(Google::Auth.get_application_default(@scope)).to_not be_nil
+        File.delete(key_path)
+      end
+    end
+
+    it 'succeeds if environment vars are valid' do
+      ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      ENV[CLIENT_ID_VAR] = cred_json[:client_id]
+      ENV[CLIENT_SECRET_VAR] = cred_json[:client_secret]
+      ENV[REFRESH_TOKEN_VAR] = cred_json[:refresh_token]
+      ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
+      expect(Google::Auth.get_application_default(@scope)).to_not be_nil
+    end
   end
 
   describe 'when credential type is service account' do
-    def cred_json_text
-      cred_json = {
+    let(:cred_json) do
+      {
         private_key_id: 'a_private_key_id',
         private_key: @key.to_pem,
         client_email: 'app@developer.gserviceaccount.com',
         client_id: 'app.apps.googleusercontent.com',
         type: 'service_account'
       }
+    end
+
+    def cred_json_text
       MultiJson.dump(cred_json)
     end
 
@@ -156,13 +185,16 @@ describe '#get_application_default' do
   end
 
   describe 'when credential type is authorized_user' do
-    def cred_json_text
-      cred_json = {
+    let(:cred_json) do
+      {
         client_secret: 'privatekey',
         refresh_token: 'refreshtoken',
         client_id: 'app.apps.googleusercontent.com',
         type: 'authorized_user'
       }
+    end
+
+    def cred_json_text
       MultiJson.dump(cred_json)
     end
 
@@ -171,13 +203,18 @@ describe '#get_application_default' do
   end
 
   describe 'when credential type is unknown' do
-    def cred_json_text
-      cred_json = {
+    let(:cred_json) do
+      {
         client_secret: 'privatekey',
         refresh_token: 'refreshtoken',
         client_id: 'app.apps.googleusercontent.com',
+        private_key: @key.to_pem,
+        client_email: 'app@developer.gserviceaccount.com',
         type: 'not_known_type'
       }
+    end
+
+    def cred_json_text
       MultiJson.dump(cred_json)
     end
 
@@ -197,8 +234,7 @@ describe '#get_application_default' do
     it 'fails if the well known file contains the creds' do
       ENV.delete(@var_name) unless ENV[@var_name].nil?
       Dir.mktmpdir do |dir|
-        key_path = File.join(dir, '.config',
-                             CredentialsLoader::WELL_KNOWN_PATH)
+        key_path = File.join(dir, '.config', WELL_KNOWN_PATH)
         FileUtils.mkdir_p(File.dirname(key_path))
         File.write(key_path, cred_json_text)
         ENV['HOME'] = dir
@@ -208,5 +244,14 @@ describe '#get_application_default' do
         expect(&blk).to raise_error RuntimeError
       end
     end
+
+    it 'fails if env vars are set' do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      blk = proc do
+        Google::Auth.get_application_default(@scope)
+      end
+      expect(&blk).to raise_error RuntimeError
+    end
   end
 end

data/spec/googleauth/iam_spec.rb

@@ -0,0 +1,80 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+spec_dir = File.expand_path(File.join(File.dirname(__FILE__)))
+$LOAD_PATH.unshift(spec_dir)
+$LOAD_PATH.uniq!
+
+require 'googleauth/iam'
+
+describe Google::Auth::IAMCredentials do
+  IAMCredentials = Google::Auth::IAMCredentials
+  let(:test_selector) { 'the-test-selector' }
+  let(:test_token) { 'the-test-token' }
+  let(:test_creds) { IAMCredentials.new(test_selector, test_token) }
+
+  describe '#apply!' do
+    it 'should update the target hash with the iam values' do
+      md = { foo: 'bar' }
+      test_creds.apply!(md)
+      expect(md[IAMCredentials::SELECTOR_KEY]).to eq test_selector
+      expect(md[IAMCredentials::TOKEN_KEY]).to eq test_token
+      expect(md[:foo]).to eq 'bar'
+    end
+  end
+
+  describe 'updater_proc' do
+    it 'should provide a proc that updates a hash with the iam values' do
+      md = { foo: 'bar' }
+      the_proc = test_creds.updater_proc
+      got = the_proc.call(md)
+      expect(got[IAMCredentials::SELECTOR_KEY]).to eq test_selector
+      expect(got[IAMCredentials::TOKEN_KEY]).to eq test_token
+      expect(got[:foo]).to eq 'bar'
+    end
+  end
+
+  describe '#apply' do
+    it 'should not update the original hash with the iam values' do
+      md = { foo: 'bar' }
+      test_creds.apply(md)
+      expect(md[IAMCredentials::SELECTOR_KEY]).to be_nil
+      expect(md[IAMCredentials::TOKEN_KEY]).to be_nil
+      expect(md[:foo]).to eq 'bar'
+    end
+
+    it 'should return a with the iam values' do
+      md = { foo: 'bar' }
+      got = test_creds.apply(md)
+      expect(got[IAMCredentials::SELECTOR_KEY]).to eq test_selector
+      expect(got[IAMCredentials::TOKEN_KEY]).to eq test_token
+      expect(got[:foo]).to eq 'bar'
+    end
+  end
+end

data/spec/googleauth/service_account_spec.rb

@@ -32,6 +32,7 @@ $LOAD_PATH.unshift(spec_dir)
 $LOAD_PATH.uniq!
 
 require 'apply_auth_examples'
+require 'fakefs/safe'
 require 'fileutils'
 require 'googleauth/service_account'
 require 'jwt'
@@ -53,7 +54,7 @@ shared_examples 'jwt header auth' do
       expect(hdr).to_not be_nil
       expect(hdr.start_with?(auth_prefix)).to be true
       authorization = hdr[auth_prefix.length..-1]
-      payload, _ = JWT.decode(authorization, @key.public_key)
+      payload, = JWT.decode(authorization, @key.public_key)
       expect(payload['aud']).to eq(test_uri)
       expect(payload['iss']).to eq(client_email)
     end
@@ -108,12 +109,22 @@ end
 describe Google::Auth::ServiceAccountCredentials do
   ServiceAccountCredentials = Google::Auth::ServiceAccountCredentials
   let(:client_email) { 'app@developer.gserviceaccount.com' }
+  let(:cred_json) do
+    {
+      private_key_id: 'a_private_key_id',
+      private_key: @key.to_pem,
+      client_email: client_email,
+      client_id: 'app.apps.googleusercontent.com',
+      type: 'service_account'
+    }
+  end
 
   before(:example) do
     @key = OpenSSL::PKey::RSA.new(2048)
     @client = ServiceAccountCredentials.new(
-      StringIO.new(cred_json_text),
-      'https://www.googleapis.com/auth/userinfo.profile')
+      json_key_io: StringIO.new(cred_json_text),
+      scope: 'https://www.googleapis.com/auth/userinfo.profile'
+    )
   end
 
   def make_auth_stubs(opts = {})
@@ -131,13 +142,6 @@ describe Google::Auth::ServiceAccountCredentials do
   end
 
   def cred_json_text
-    cred_json = {
-      private_key_id: 'a_private_key_id',
-      private_key: @key.to_pem,
-      client_email: client_email,
-      client_id: 'app.apps.googleusercontent.com',
-      type: 'service_account'
-    }
     MultiJson.dump(cred_json)
   end
 
@@ -154,13 +158,18 @@ describe Google::Auth::ServiceAccountCredentials do
   describe '#from_env' do
     before(:example) do
       @var_name = ENV_VAR
-      @orig = ENV[@var_name]
+      @credential_vars = [
+        ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, ACCOUNT_TYPE_VAR]
+      @original_env_vals = {}
+      @credential_vars.each { |var| @original_env_vals[var] = ENV[var] }
+      ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
+
       @scope = 'https://www.googleapis.com/auth/userinfo.profile'
       @clz = ServiceAccountCredentials
     end
 
     after(:example) do
-      ENV[@var_name] = @orig unless @orig.nil?
+      @credential_vars.each { |var| ENV[var] = @original_env_vals[var] }
     end
 
     it 'returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset' do
@@ -174,7 +183,7 @@ describe Google::Auth::ServiceAccountCredentials do
       Dir.mktmpdir do |dir|
         key_path = File.join(dir, 'does-not-exist')
         ENV[@var_name] = key_path
-        expect { @clz.from_env(@scope) }.to raise_error
+        expect { @clz.from_env(@scope) }.to raise_error RuntimeError
       end
     end
 
@@ -187,6 +196,13 @@ describe Google::Auth::ServiceAccountCredentials do
         expect(@clz.from_env(@scope)).to_not be_nil
       end
     end
+
+    it 'succeeds when GOOGLE_PRIVATE_KEY and GOOGLE_CLIENT_EMAIL env vars are'\
+      ' valid' do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      expect(@clz.from_env(@scope)).to_not be_nil
+    end
   end
 
   describe '#from_well_known_path' do
@@ -216,6 +232,30 @@ describe Google::Auth::ServiceAccountCredentials do
       end
     end
   end
+
+  describe '#from_system_default_path' do
+    before(:example) do
+      @scope = 'https://www.googleapis.com/auth/userinfo.profile'
+      @path = File.join('/etc/google/auth/', CREDENTIALS_FILE_NAME)
+      @clz = ServiceAccountCredentials
+    end
+
+    it 'is nil if no file exists' do
+      FakeFS do
+        expect(ServiceAccountCredentials.from_system_default_path(@scope))
+          .to be_nil
+      end
+    end
+
+    it 'successfully loads the file when it is present' do
+      FakeFS do
+        FileUtils.mkdir_p(File.dirname(@path))
+        File.write(@path, cred_json_text)
+        expect(@clz.from_system_default_path(@scope)).to_not be_nil
+        File.delete(@path)
+      end
+    end
+  end
 end
 
 describe Google::Auth::ServiceAccountJwtHeaderCredentials do
@@ -224,20 +264,22 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
 
   let(:client_email) { 'app@developer.gserviceaccount.com' }
   let(:clz) { Google::Auth::ServiceAccountJwtHeaderCredentials }
-
-  before(:example) do
-    @key = OpenSSL::PKey::RSA.new(2048)
-    @client = clz.new(StringIO.new(cred_json_text))
-  end
-
-  def cred_json_text
-    cred_json = {
+  let(:cred_json) do
+    {
       private_key_id: 'a_private_key_id',
       private_key: @key.to_pem,
       client_email: client_email,
       client_id: 'app.apps.googleusercontent.com',
       type: 'service_account'
     }
+  end
+
+  before(:example) do
+    @key = OpenSSL::PKey::RSA.new(2048)
+    @client = clz.new(json_key_io: StringIO.new(cred_json_text))
+  end
+
+  def cred_json_text
     MultiJson.dump(cred_json)
   end
 
@@ -246,11 +288,15 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
   describe '#from_env' do
     before(:example) do
       @var_name = ENV_VAR
-      @orig = ENV[@var_name]
+      @credential_vars = [
+        ENV_VAR, PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR, ACCOUNT_TYPE_VAR]
+      @original_env_vals = {}
+      @credential_vars.each { |var| @original_env_vals[var] = ENV[var] }
+      ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
     end
 
     after(:example) do
-      ENV[@var_name] = @orig unless @orig.nil?
+      @credential_vars.each { |var| ENV[var] = @original_env_vals[var] }
     end
 
     it 'returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset' do
@@ -264,7 +310,7 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
       Dir.mktmpdir do |dir|
         key_path = File.join(dir, 'does-not-exist')
         ENV[@var_name] = key_path
-        expect { clz.from_env }.to raise_error
+        expect { clz.from_env }.to raise_error RuntimeError
       end
     end
 
@@ -277,6 +323,13 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
         expect(clz.from_env).to_not be_nil
       end
     end
+
+    it 'succeeds when GOOGLE_PRIVATE_KEY and GOOGLE_CLIENT_EMAIL env vars are'\
+      ' valid' do
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      expect(clz.from_env(@scope)).to_not be_nil
+    end
   end
 
   describe '#from_well_known_path' do

data/spec/googleauth/user_refresh_spec.rb

@@ -32,6 +32,7 @@ $LOAD_PATH.unshift(spec_dir)
 $LOAD_PATH.uniq!
 
 require 'apply_auth_examples'
+require 'fakefs/safe'
 require 'fileutils'
 require 'googleauth/user_refresh'
 require 'jwt'
@@ -40,15 +41,26 @@ require 'openssl'
 require 'spec_helper'
 require 'tmpdir'
 
+include Google::Auth::CredentialsLoader
+
 describe Google::Auth::UserRefreshCredentials do
   UserRefreshCredentials = Google::Auth::UserRefreshCredentials
-  CredentialsLoader = Google::Auth::CredentialsLoader
+
+  let(:cred_json) do
+    {
+      client_secret: 'privatekey',
+      client_id: 'client123',
+      refresh_token: 'refreshtoken',
+      type: 'authorized_user'
+    }
+  end
 
   before(:example) do
     @key = OpenSSL::PKey::RSA.new(2048)
     @client = UserRefreshCredentials.new(
-      StringIO.new(cred_json_text),
-      'https://www.googleapis.com/auth/userinfo.profile')
+      json_key_io: StringIO.new(cred_json_text),
+      scope: 'https://www.googleapis.com/auth/userinfo.profile'
+    )
   end
 
   def make_auth_stubs(opts = {})
@@ -64,12 +76,6 @@ describe Google::Auth::UserRefreshCredentials do
   end
 
   def cred_json_text(missing = nil)
-    cred_json = {
-      client_secret: 'privatekey',
-      client_id: 'client123',
-      refresh_token: 'refreshtoken',
-      type: 'authorized_user'
-    }
     cred_json.delete(missing.to_sym) unless missing.nil?
     MultiJson.dump(cred_json)
   end
@@ -78,14 +84,18 @@ describe Google::Auth::UserRefreshCredentials do
 
   describe '#from_env' do
     before(:example) do
-      @var_name = CredentialsLoader::ENV_VAR
-      @orig = ENV[@var_name]
+      @var_name = ENV_VAR
+      @credential_vars = [
+        ENV_VAR, CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR,
+        ACCOUNT_TYPE_VAR]
+      @original_env_vals = {}
+      @credential_vars.each { |var| @original_env_vals[var] = ENV[var] }
       @scope = 'https://www.googleapis.com/auth/userinfo.profile'
       @clz = UserRefreshCredentials
     end
 
     after(:example) do
-      ENV[@var_name] = @orig unless @orig.nil?
+      @credential_vars.each { |var| ENV[var] = @original_env_vals[var] }
     end
 
     it 'returns nil if the GOOGLE_APPLICATION_CREDENTIALS is unset' do
@@ -99,7 +109,7 @@ describe Google::Auth::UserRefreshCredentials do
       Dir.mktmpdir do |dir|
         key_path = File.join(dir, 'does-not-exist')
         ENV[@var_name] = key_path
-        expect { @clz.from_env(@scope) }.to raise_error
+        expect { @clz.from_env(@scope) }.to raise_error RuntimeError
       end
     end
 
@@ -111,7 +121,7 @@ describe Google::Auth::UserRefreshCredentials do
           FileUtils.mkdir_p(File.dirname(key_path))
           File.write(key_path, cred_json_text(missing))
           ENV[@var_name] = key_path
-          expect { @clz.from_env(@scope) }.to raise_error
+          expect { @clz.from_env(@scope) }.to raise_error RuntimeError
         end
       end
     end
@@ -125,13 +135,25 @@ describe Google::Auth::UserRefreshCredentials do
         expect(@clz.from_env(@scope)).to_not be_nil
       end
     end
+
+    it 'succeeds when GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and '\
+      'GOOGLE_REFRESH_TOKEN env vars are valid' do
+      ENV[CLIENT_ID_VAR] = cred_json[:client_id]
+      ENV[CLIENT_SECRET_VAR] = cred_json[:client_secret]
+      ENV[REFRESH_TOKEN_VAR] = cred_json[:refresh_token]
+      ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
+      expect(@clz.from_env(@scope)).to_not be_nil
+      expect(subject.client_id).to eq(cred_json[:client_id])
+      expect(subject.client_secret).to eq(cred_json[:client_secret])
+      expect(subject.refresh_token).to eq(cred_json[:refresh_token])
+    end
   end
 
   describe '#from_well_known_path' do
     before(:example) do
       @home = ENV['HOME']
       @scope = 'https://www.googleapis.com/auth/userinfo.profile'
-      @known_path = CredentialsLoader::WELL_KNOWN_PATH
+      @known_path = WELL_KNOWN_PATH
       @clz = UserRefreshCredentials
     end
 
@@ -152,7 +174,8 @@ describe Google::Auth::UserRefreshCredentials do
           FileUtils.mkdir_p(File.dirname(key_path))
           File.write(key_path, cred_json_text(missing))
           ENV['HOME'] = dir
-          expect { @clz.from_env(@scope) }.to raise_error
+          expect { @clz.from_well_known_path(@scope) }
+            .to raise_error RuntimeError
         end
       end
     end
@@ -167,4 +190,41 @@ describe Google::Auth::UserRefreshCredentials do
       end
     end
   end
+
+  describe '#from_system_default_path' do
+    before(:example) do
+      @scope = 'https://www.googleapis.com/auth/userinfo.profile'
+      @path = File.join('/etc/google/auth/', CREDENTIALS_FILE_NAME)
+      @clz = UserRefreshCredentials
+    end
+
+    it 'is nil if no file exists' do
+      FakeFS do
+        expect(UserRefreshCredentials.from_system_default_path(@scope))
+          .to be_nil
+      end
+    end
+
+    it 'fails if the file is invalid' do
+      needed = %w(client_id client_secret refresh_token)
+      needed.each do |missing|
+        FakeFS do
+          FileUtils.mkdir_p(File.dirname(@path))
+          File.write(@path, cred_json_text(missing))
+          expect { @clz.from_system_default_path(@scope) }
+            .to raise_error RuntimeError
+          File.delete(@path)
+        end
+      end
+    end
+
+    it 'successfully loads the file when it is present' do
+      FakeFS do
+        FileUtils.mkdir_p(File.dirname(@path))
+        File.write(@path, cred_json_text)
+        expect(@clz.from_system_default_path(@scope)).to_not be_nil
+        File.delete(@path)
+      end
+    end
+  end
 end

metadata

@@ -1,178 +1,192 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.4.2
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-23 00:00:00.000000000 Z
+date: 2015-08-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  type: :runtime
   name: faraday
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
-  type: :runtime
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
 - !ruby/object:Gem::Dependency
+  type: :runtime
   name: logging
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-  type: :runtime
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
+  type: :runtime
   name: jwt
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
-  type: :runtime
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
 - !ruby/object:Gem::Dependency
+  type: :runtime
   name: memoist
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.12'
-  type: :runtime
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.12'
 - !ruby/object:Gem::Dependency
+  type: :runtime
   name: multi_json
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.11'
-  type: :runtime
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.11'
 - !ruby/object:Gem::Dependency
+  type: :runtime
   name: signet
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.6'
-  type: :runtime
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.6'
 - !ruby/object:Gem::Dependency
+  type: :development
   name: bundler
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.9'
-  type: :development
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.9'
 - !ruby/object:Gem::Dependency
+  type: :development
   name: simplecov
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
-  type: :development
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
 - !ruby/object:Gem::Dependency
+  type: :development
   name: coveralls
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.7'
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
   type: :development
+  name: fakefs
   prerelease: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.7'
+        version: '0.6'
 - !ruby/object:Gem::Dependency
+  type: :development
   name: rake
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
-  type: :development
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
 - !ruby/object:Gem::Dependency
+  type: :development
   name: rubocop
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.30'
-  type: :development
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.30'
 - !ruby/object:Gem::Dependency
+  type: :development
   name: rspec
+  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-  type: :development
-  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -202,6 +216,7 @@ files:
 - lib/googleauth.rb
 - lib/googleauth/compute_engine.rb
 - lib/googleauth/credentials_loader.rb
+- lib/googleauth/iam.rb
 - lib/googleauth/service_account.rb
 - lib/googleauth/signet.rb
 - lib/googleauth/user_refresh.rb
@@ -209,6 +224,7 @@ files:
 - spec/googleauth/apply_auth_examples.rb
 - spec/googleauth/compute_engine_spec.rb
 - spec/googleauth/get_application_default_spec.rb
+- spec/googleauth/iam_spec.rb
 - spec/googleauth/service_account_spec.rb
 - spec/googleauth/signet_spec.rb
 - spec/googleauth/user_refresh_spec.rb
@@ -233,7 +249,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.3
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby
@@ -241,6 +257,7 @@ test_files:
 - spec/googleauth/apply_auth_examples.rb
 - spec/googleauth/compute_engine_spec.rb
 - spec/googleauth/get_application_default_spec.rb
+- spec/googleauth/iam_spec.rb
 - spec/googleauth/service_account_spec.rb
 - spec/googleauth/signet_spec.rb
 - spec/googleauth/user_refresh_spec.rb