googleauth 0.6.2 → 0.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: cb647efa48b73b48d9bf0aec7c572f944f31de67
-  data.tar.gz: 915dd9da0fc858a9f4b9dbdceaa64228218ff87c
+SHA256:
+  metadata.gz: 1528ae25e5c678b4b8be00b85095ee5f95ca83fdbcca2c7629cc429d80565e1c
+  data.tar.gz: cbc4aef5eea0fab23d0b529c8af5d9a2aa297c107e38e9fa1d220682d0f6fa61
 SHA512:
-  metadata.gz: b35a1ef32bc166af59bc0d0f491768957ff8f7d7a2d7cb303b375cd8f0fb90f6fda87d9fec4749850ce589393b94d69d181c8606d32c5b9cee04c8f8cae2744c
-  data.tar.gz: bc366d1b2a2dc4f49c4eced0ab9c2358070a47c88c3be922e36b68149f69f0b87ab215c8e6fa07c9677b3292664958f131a8efc3d3a36ce0a93c1c9a651bbdd1
+  metadata.gz: 13caa772bb5c2ebf1565f18160b59132839d5cd76560764cc235d2390df7b032196c6402fcd075e8356404a69d7970011bfde9904a86c20861a4a5031b221c81
+  data.tar.gz: e25c85dd789d8267e6c5aa4e7cd3041b5ce4185b97157cbee0b92e98a5a66c7cbd2dcdae459493d5b5f74d81e415958c764ab0ac4c998281bdc04b103363354a

data/.rubocop.yml

@@ -13,7 +13,7 @@ Metrics/MethodLength:
   Max: 20
 Metrics/ClassLength:
   Enabled: false
-Style/IndentHeredoc:
+Layout/IndentHeredoc:
   Enabled: false
 Style/FormatString:
   Enabled: false

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.6.3 (2018/08/02)
+
+* Resolve issue where token_store was being written to twice
+
+## 0.6.2 (2018/08/01)
+
+* Add warning when using cloud sdk credentials
+
 ## 0.6.1 (2017/10/18)
 
 * Fix file permissions

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,43 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project,
+and in the interest of fostering an open and welcoming community,
+we pledge to respect all people who contribute through reporting issues,
+posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project
+a harassment-free experience for everyone,
+regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information,
+such as physical or electronic
+addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct,
+project maintainers commit themselves to fairly and consistently
+applying these principles to every aspect of managing this project.
+Project maintainers who do not follow or enforce the Code of Conduct
+may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported by opening an issue
+or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0,
+available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

data/Gemfile

@@ -8,6 +8,7 @@ group :development do
   gem 'coveralls', '~> 0.7'
   gem 'fakefs', '~> 0.6'
   gem 'fakeredis', '~> 0.5'
+  gem 'logging', '~> 2.0'
   gem 'rack-test', '~> 0.6'
   gem 'rake', '~> 10.0'
   gem 'redis', '~> 3.2'

data/README.md

@@ -143,6 +143,15 @@ authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
 authorizer.fetch_access_token!
 ```
 
+### Example (Environment Variables)
+
+```bash
+export GOOGLE_ACCOUNT_TYPE=service_account
+export GOOGLE_CLIENT_ID=000000000000000000000
+export GOOGLE_CLIENT_EMAIL=xxxx@xxxx.iam.gserviceaccount.com
+export GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
+```
+
 ### Storage
 
 Authorizers require a storage instance to manage long term persistence of

data/googleauth.gemspec

@@ -27,10 +27,9 @@ Gem::Specification.new do |s|
   s.platform      = Gem::Platform::RUBY
 
   s.add_dependency 'faraday', '~> 0.12'
-  s.add_dependency 'logging', '~> 2.0'
   s.add_dependency 'jwt', '>= 1.4', '< 3.0'
   s.add_dependency 'memoist', '~> 0.12'
   s.add_dependency 'multi_json', '~> 1.11'
-  s.add_dependency 'os', '~> 0.9'
+  s.add_dependency 'os', '>= 0.9', '< 2.0'
   s.add_dependency 'signet', '~> 0.7'
 end

data/lib/googleauth/application_default.rb

@@ -58,7 +58,11 @@ ERROR_MESSAGE
               DefaultCredentials.from_well_known_path(scope) ||
               DefaultCredentials.from_system_default_path(scope)
       return creds unless creds.nil?
-      raise NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
+      unless GCECredentials.on_gce?(options)
+        # Clear cache of the result of GCECredentials.on_gce?
+        GCECredentials.unmemoize_all
+        raise NOT_FOUND_ERROR
+      end
       GCECredentials.new
     end
 

data/lib/googleauth/client_id.rb

@@ -28,6 +28,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 require 'multi_json'
+require 'googleauth/credentials_loader'
 
 module Google
   module Auth
@@ -63,13 +64,14 @@ module Google
       #       & secrets in source. See {#from_file} to load from
       #       `client_secrets.json` files.
       def initialize(id, secret)
+        CredentialsLoader.warn_if_cloud_sdk_credentials id
         raise 'Client id can not be nil' if id.nil?
         raise 'Client secret can not be nil' if secret.nil?
         @id = id
         @secret = secret
       end
 
-      # Constructs a Client ID from a JSON file downloaed from the
+      # Constructs a Client ID from a JSON file downloaded from the
       # Google Developers Console.
       #
       # @param [String, File] file
@@ -79,7 +81,7 @@ module Google
         raise 'File can not be nil.' if file.nil?
         File.open(file.to_s) do |f|
           json = f.read
-          config = MultiJson.load(json)
+          config = MultiJson.load json
           from_hash(config)
         end
       end

data/lib/googleauth/credentials.rb

@@ -31,15 +31,15 @@ require 'forwardable'
 require 'json'
 require 'signet/oauth_2/client'
 
-require 'googleauth/default_credentials'
+require 'googleauth/credentials_loader'
 
 module Google
   module Auth
     # This class is intended to be inherited by API-specific classes
     # which overrides the SCOPE constant.
     class Credentials
-      TOKEN_CREDENTIAL_URI = 'https://accounts.google.com/o/oauth2/token'.freeze
-      AUDIENCE = 'https://accounts.google.com/o/oauth2/token'.freeze
+      TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'.freeze
+      AUDIENCE = 'https://oauth2.googleapis.com/token'.freeze
       SCOPE = [].freeze
       PATH_ENV_VARS = [].freeze
       JSON_ENV_VARS = [].freeze
@@ -68,6 +68,7 @@ module Google
           json['scope'] ||= scope
           @client = init_client json
         end
+        CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
         @client.fetch_access_token!
       end
 
@@ -78,16 +79,16 @@ module Google
       def self.default(options = {})
         scope = options[:scope]
         # First try to find keyfile file from environment variables.
-        client = from_path_vars(scope)
+        client = from_path_vars scope
 
         # Second try to find keyfile json from environment variables.
-        client ||= from_json_vars(scope)
+        client ||= from_json_vars scope
 
         # Third try to find keyfile file from known file paths.
-        client ||= from_default_paths(scope)
+        client ||= from_default_paths scope
 
         # Finally get instantiated client from Google::Auth
-        client ||= from_application_default(scope)
+        client ||= from_application_default scope
         client
       end
 

data/lib/googleauth/credentials_loader.rb

@@ -57,6 +57,17 @@ module Google
       SYSTEM_DEFAULT_ERROR =
         'Unable to read the system default credential file'.freeze
 
+      CLOUD_SDK_CLIENT_ID = '764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app'\
+        's.googleusercontent.com'.freeze
+
+      CLOUD_SDK_CREDENTIALS_WARNING = 'Your application has authenticated '\
+        'using end user credentials from Google Cloud SDK. We recommend that '\
+        'most server applications use service accounts instead. If your '\
+        'application continues to use end user credentials from Cloud SDK, '\
+        'you might receive a "quota exceeded" or "API not enabled" error. For'\
+        ' more information about service accounts, see '\
+        'https://cloud.google.com/docs/authentication/.'.freeze
+
       # make_creds proxies the construction of a credentials instance
       #
       # By default, it calls #new on the current class, but this behaviour can
@@ -119,6 +130,12 @@ module Google
         raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
       end
 
+      # Issues warning if cloud sdk client id is used
+      def warn_if_cloud_sdk_credentials(client_id)
+        warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
+      end
+      module_function :warn_if_cloud_sdk_credentials
+
       private
 
       def service_account_env_vars?

data/lib/googleauth/default_credentials.rb

@@ -49,9 +49,11 @@ module Google
         json_key_io, scope = options.values_at(:json_key_io, :scope)
         if json_key_io
           json_key, clz = determine_creds_class(json_key_io)
+          warn_if_cloud_sdk_credentials json_key['client_id']
           clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
                          scope: scope)
         else
+          warn_if_cloud_sdk_credentials ENV[CLIENT_ID_VAR]
           clz = read_creds
           clz.make_creds(scope: scope)
         end
@@ -73,7 +75,7 @@ module Google
 
       # Reads the input json and determines which creds class to use.
       def self.determine_creds_class(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
+        json_key = MultiJson.load json_key_io.read
         key = 'type'
         raise "the json is missing the '#{key}' field" unless json_key.key?(key)
         type = json_key[key]

data/lib/googleauth/json_key_reader.rb

@@ -0,0 +1,45 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # JsonKeyReader contains the behaviour used to read private key and
+    # client email fields from the service account
+    module JsonKeyReader
+      def read_json_key(json_key_io)
+        json_key = MultiJson.load(json_key_io.read)
+        raise 'missing client_email' unless json_key.key?('client_email')
+        raise 'missing private_key' unless json_key.key?('private_key')
+        [json_key['private_key'], json_key['client_email']]
+      end
+    end
+  end
+end

data/lib/googleauth/service_account.rb

@@ -29,6 +29,7 @@
 
 require 'googleauth/signet'
 require 'googleauth/credentials_loader'
+require 'googleauth/json_key_reader'
 require 'jwt'
 require 'multi_json'
 require 'stringio'
@@ -48,6 +49,7 @@ module Google
     class ServiceAccountCredentials < Signet::OAuth2::Client
       TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v4/token'.freeze
       extend CredentialsLoader
+      extend JsonKeyReader
 
       # Creates a ServiceAccountCredentials.
       #
@@ -58,7 +60,7 @@ module Google
         if json_key_io
           private_key, client_email = read_json_key(json_key_io)
         else
-          private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+          private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
         end
 
@@ -69,13 +71,13 @@ module Google
             signing_key: OpenSSL::PKey::RSA.new(private_key))
       end
 
-      # Reads the private key and client email fields from the service account
-      # JSON key.
-      def self.read_json_key(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        raise 'missing client_email' unless json_key.key?('client_email')
-        raise 'missing private_key' unless json_key.key?('private_key')
-        [json_key['private_key'], json_key['client_email']]
+      # Handles certain escape sequences that sometimes appear in input.
+      # Specifically, interprets the "\n" sequence for newline, and removes
+      # enclosing quotes.
+      def self.unescape(str)
+        str = str.gsub '\n', "\n"
+        str = str[1..-2] if str.start_with?('"') && str.end_with?('"')
+        str
       end
 
       def initialize(options = {})
@@ -123,6 +125,7 @@ module Google
       SIGNING_ALGORITHM = 'RS256'.freeze
       EXPIRY = 60
       extend CredentialsLoader
+      extend JsonKeyReader
 
       # make_creds proxies the construction of a credentials instance
       #
@@ -135,15 +138,6 @@ module Google
         new(json_key_io: args[0][:json_key_io])
       end
 
-      # Reads the private key and client email fields from the service account
-      # JSON key.
-      def self.read_json_key(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        raise 'missing client_email' unless json_key.key?('client_email')
-        raise 'missing private_key' unless json_key.key?('private_key')
-        [json_key['private_key'], json_key['client_email']]
-      end
-
       # Initializes a ServiceAccountJwtHeaderCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read

data/lib/googleauth/user_authorizer.rb

@@ -198,7 +198,6 @@ module Google
       #  Credentials if exchange is successful
       def get_and_store_credentials_from_code(options = {})
         credentials = get_credentials_from_code(options)
-        monitor_credentials(options[:user_id], credentials)
         store_credentials(options[:user_id], credentials)
       end
 

data/lib/googleauth/user_refresh.rb

@@ -46,9 +46,9 @@ module Google
     #
     # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
     class UserRefreshCredentials < Signet::OAuth2::Client
-      TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v4/token'.freeze
+      TOKEN_CRED_URI = 'https://oauth2.googleapis.com/token'.freeze
       AUTHORIZATION_URI = 'https://accounts.google.com/o/oauth2/auth'.freeze
-      REVOKE_TOKEN_URI = 'https://accounts.google.com/o/oauth2/revoke'.freeze
+      REVOKE_TOKEN_URI = 'https://oauth2.googleapis.com/revoke'.freeze
       extend CredentialsLoader
 
       # Create a UserRefreshCredentials.

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = '0.6.2'.freeze
+    VERSION = '0.6.3'.freeze
   end
 end

data/spec/googleauth/client_id_spec.rb

@@ -48,7 +48,7 @@ describe Google::Auth::ClientId do
 
   shared_examples 'it can successfully load client_id' do
     context 'loaded from hash' do
-      let(:client_id) { Google::Auth::ClientId.from_hash(config) }
+      let(:client_id) { Google::Auth::ClientId.from_hash config }
 
       it_behaves_like 'it has a valid config'
     end
@@ -103,7 +103,7 @@ describe Google::Auth::ClientId do
     end
 
     it 'should raise error' do
-      expect { Google::Auth::ClientId.from_hash(config) }.to raise_error(
+      expect { Google::Auth::ClientId.from_hash config }.to raise_error(
         /Expected top level property/
       )
     end
@@ -119,7 +119,7 @@ describe Google::Auth::ClientId do
     end
 
     it 'should raise error' do
-      expect { Google::Auth::ClientId.from_hash(config) }.to raise_error(
+      expect { Google::Auth::ClientId.from_hash config }.to raise_error(
         /Client id can not be nil/
       )
     end
@@ -135,9 +135,26 @@ describe Google::Auth::ClientId do
     end
 
     it 'should raise error' do
-      expect { Google::Auth::ClientId.from_hash(config) }.to raise_error(
+      expect { Google::Auth::ClientId.from_hash config }.to raise_error(
         /Client secret can not be nil/
       )
     end
   end
+
+  context 'with cloud sdk credentials' do
+    let(:config) do
+      {
+        'web' => {
+          'client_id' => Google::Auth::CredentialsLoader::CLOUD_SDK_CLIENT_ID,
+          'client_secret' => 'notasecret'
+        }
+      }
+    end
+
+    it 'should raise warning' do
+      expect { Google::Auth::ClientId.from_hash config }.to output(
+        Google::Auth::CredentialsLoader::CLOUD_SDK_CREDENTIALS_WARNING + "\n"
+      ).to_stderr
+    end
+  end
 end

data/spec/googleauth/credentials_spec.rb

@@ -29,6 +29,7 @@
 
 require 'googleauth'
 
+
 # This test is testing the private class Google::Auth::Credentials. We want to
 # make sure that the passed in scope propogates to the Signet object. This means
 # testing the private API, which is generally frowned on.
@@ -46,9 +47,10 @@ describe Google::Auth::Credentials, :private do
   it 'uses a default scope' do
     mocked_signet = double('Signet::OAuth2::Client')
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(mocked_signet).to receive(:client_id)
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
-      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:token_credential_uri]).to eq('https://oauth2.googleapis.com/token')
+      expect(options[:audience]).to eq('https://oauth2.googleapis.com/token')
       expect(options[:scope]).to eq([])
       expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
@@ -62,9 +64,10 @@ describe Google::Auth::Credentials, :private do
   it 'uses a custom scope' do
     mocked_signet = double('Signet::OAuth2::Client')
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(mocked_signet).to receive(:client_id)
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
-      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:token_credential_uri]).to eq('https://oauth2.googleapis.com/token')
+      expect(options[:audience]).to eq('https://oauth2.googleapis.com/token')
       expect(options[:scope]).to eq(['http://example.com/scope'])
       expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
@@ -93,9 +96,10 @@ describe Google::Auth::Credentials, :private do
 
     mocked_signet = double('Signet::OAuth2::Client')
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(mocked_signet).to receive(:client_id)
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
-      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:token_credential_uri]).to eq('https://oauth2.googleapis.com/token')
+      expect(options[:audience]).to eq('https://oauth2.googleapis.com/token')
       expect(options[:scope]).to eq(['http://example.com/scope'])
       expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
@@ -124,9 +128,10 @@ describe Google::Auth::Credentials, :private do
 
     mocked_signet = double('Signet::OAuth2::Client')
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(mocked_signet).to receive(:client_id)
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
-      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:token_credential_uri]).to eq('https://oauth2.googleapis.com/token')
+      expect(options[:audience]).to eq('https://oauth2.googleapis.com/token')
       expect(options[:scope]).to eq(['http://example.com/scope'])
       expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
@@ -154,9 +159,10 @@ describe Google::Auth::Credentials, :private do
 
     mocked_signet = double('Signet::OAuth2::Client')
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(mocked_signet).to receive(:client_id)
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
-      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:token_credential_uri]).to eq('https://oauth2.googleapis.com/token')
+      expect(options[:audience]).to eq('https://oauth2.googleapis.com/token')
       expect(options[:scope]).to eq(['http://example.com/scope'])
       expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
@@ -185,9 +191,10 @@ describe Google::Auth::Credentials, :private do
 
     mocked_signet = double('Signet::OAuth2::Client')
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(mocked_signet).to receive(:client_id)
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
-      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:token_credential_uri]).to eq('https://oauth2.googleapis.com/token')
+      expect(options[:audience]).to eq('https://oauth2.googleapis.com/token')
       expect(options[:scope]).to eq(['http://example.com/scope'])
       expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
@@ -215,6 +222,7 @@ describe Google::Auth::Credentials, :private do
 
     mocked_signet = double('Signet::OAuth2::Client')
     allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(mocked_signet).to receive(:client_id)
     allow(Google::Auth).to receive(:get_application_default) do |scope|
       expect(scope).to eq(TestCredentials::SCOPE)
 
@@ -223,8 +231,8 @@ describe Google::Auth::Credentials, :private do
       default_keyfile_hash
     end
     allow(Signet::OAuth2::Client).to receive(:new) do |options|
-      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
-      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:token_credential_uri]).to eq('https://oauth2.googleapis.com/token')
+      expect(options[:audience]).to eq('https://oauth2.googleapis.com/token')
       expect(options[:scope]).to eq(['http://example.com/scope'])
       expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
       expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
@@ -236,4 +244,16 @@ describe Google::Auth::Credentials, :private do
     expect(creds).to be_a_kind_of(TestCredentials)
     expect(creds.client).to eq(mocked_signet)
   end
+
+  it 'warns when cloud sdk credentials are used' do
+    mocked_signet = double('Signet::OAuth2::Client')
+    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      mocked_signet
+    end
+    allow(mocked_signet).to receive(:client_id).and_return(Google::Auth::CredentialsLoader::CLOUD_SDK_CLIENT_ID)
+    expect { Google::Auth::Credentials.new default_keyfile_hash }.to output(
+      Google::Auth::CredentialsLoader::CLOUD_SDK_CREDENTIALS_WARNING + "\n"
+    ).to_stderr
+  end
 end

data/spec/googleauth/get_application_default_spec.rb

@@ -63,7 +63,7 @@ describe '#get_application_default' do
       Dir.mktmpdir do |dir|
         key_path = File.join(dir, 'does-not-exist')
         ENV[@var_name] = key_path
-        expect { Google::Auth.get_application_default(@scope, options) }
+        expect { Google::Auth.get_application_default @scope, options }
           .to raise_error RuntimeError
       end
     end
@@ -76,7 +76,7 @@ describe '#get_application_default' do
         ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
         ENV['HOME'] = dir # no config present in this tmp dir
         expect do
-          Google::Auth.get_application_default(@scope, options)
+          Google::Auth.get_application_default @scope, options
         end.to raise_error RuntimeError
       end
       expect(stub).to have_been_requested
@@ -90,7 +90,7 @@ describe '#get_application_default' do
         FileUtils.mkdir_p(File.dirname(key_path))
         File.write(key_path, cred_json_text)
         ENV[@var_name] = key_path
-        expect(Google::Auth.get_application_default(@scope, options))
+        expect(Google::Auth.get_application_default @scope, options)
           .to_not be_nil
       end
     end
@@ -102,7 +102,7 @@ describe '#get_application_default' do
         FileUtils.mkdir_p(File.dirname(key_path))
         File.write(key_path, cred_json_text)
         ENV['HOME'] = dir
-        expect(Google::Auth.get_application_default(@scope, options))
+        expect(Google::Auth.get_application_default @scope, options)
           .to_not be_nil
       end
     end
@@ -114,7 +114,7 @@ describe '#get_application_default' do
         FileUtils.mkdir_p(File.dirname(key_path))
         File.write(key_path, cred_json_text)
         ENV['HOME'] = dir
-        expect(Google::Auth.get_application_default(nil, options)).to_not be_nil
+        expect(Google::Auth.get_application_default nil, options).to_not be_nil
       end
     end
 
@@ -125,7 +125,7 @@ describe '#get_application_default' do
       Dir.mktmpdir do |dir|
         ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
         ENV['HOME'] = dir # no config present in this tmp dir
-        creds = Google::Auth.get_application_default(@scope, options)
+        creds = Google::Auth.get_application_default @scope, options
         expect(creds).to_not be_nil
       end
       expect(stub).to have_been_requested
@@ -137,7 +137,7 @@ describe '#get_application_default' do
         key_path = File.join('/etc/google/auth/', CREDENTIALS_FILE_NAME)
         FileUtils.mkdir_p(File.dirname(key_path))
         File.write(key_path, cred_json_text)
-        expect(Google::Auth.get_application_default(@scope, options))
+        expect(Google::Auth.get_application_default @scope, options)
           .to_not be_nil
         File.delete(key_path)
       end
@@ -151,9 +151,22 @@ describe '#get_application_default' do
       ENV[CLIENT_SECRET_VAR] = cred_json[:client_secret]
       ENV[REFRESH_TOKEN_VAR] = cred_json[:refresh_token]
       ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
-      expect(Google::Auth.get_application_default(@scope, options))
+      expect(Google::Auth.get_application_default @scope, options)
         .to_not be_nil
     end
+
+    it 'warns when using cloud sdk credentials' do
+      ENV.delete(@var_name) unless ENV[@var_name].nil? # no env var
+      ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      ENV[CLIENT_ID_VAR] = Google::Auth::CredentialsLoader::CLOUD_SDK_CLIENT_ID
+      ENV[CLIENT_SECRET_VAR] = cred_json[:client_secret]
+      ENV[REFRESH_TOKEN_VAR] = cred_json[:refresh_token]
+      ENV[ACCOUNT_TYPE_VAR] = cred_json[:type]
+      expect { Google::Auth.get_application_default @scope, options }.to output(
+          Google::Auth::CredentialsLoader::CLOUD_SDK_CREDENTIALS_WARNING + "\n"
+      ).to_stderr
+    end
   end
 
   describe 'when credential type is service account' do
@@ -216,7 +229,7 @@ describe '#get_application_default' do
         File.write(key_path, cred_json_text)
         ENV[@var_name] = key_path
         expect do
-          Google::Auth.get_application_default(@scope, options)
+          Google::Auth.get_application_default @scope, options
         end.to raise_error RuntimeError
       end
     end
@@ -229,7 +242,7 @@ describe '#get_application_default' do
         File.write(key_path, cred_json_text)
         ENV['HOME'] = dir
         expect do
-          Google::Auth.get_application_default(@scope, options)
+          Google::Auth.get_application_default @scope, options
         end.to raise_error RuntimeError
       end
     end
@@ -238,7 +251,7 @@ describe '#get_application_default' do
       ENV[PRIVATE_KEY_VAR] = cred_json[:private_key]
       ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
       expect do
-        Google::Auth.get_application_default(@scope, options)
+        Google::Auth.get_application_default @scope, options
       end.to raise_error RuntimeError
     end
   end

data/spec/googleauth/service_account_spec.rb

@@ -211,6 +211,13 @@ describe Google::Auth::ServiceAccountCredentials do
       ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
       expect(@clz.from_env(@scope)).to_not be_nil
     end
+
+    it 'succeeds when GOOGLE_PRIVATE_KEY is escaped' do
+      escaped_key = cred_json[:private_key].gsub "\n", '\n'
+      ENV[PRIVATE_KEY_VAR] = "\"#{escaped_key}\""
+      ENV[CLIENT_EMAIL_VAR] = cred_json[:client_email]
+      expect(@clz.from_env(@scope)).to_not be_nil
+    end
   end
 
   describe '#from_well_known_path' do

data/spec/googleauth/signet_spec.rb

@@ -41,10 +41,10 @@ describe Signet::OAuth2::Client do
   before(:example) do
     @key = OpenSSL::PKey::RSA.new(2048)
     @client = Signet::OAuth2::Client.new(
-      token_credential_uri: 'https://accounts.google.com/o/oauth2/token',
+      token_credential_uri: 'https://oauth2.googleapis.com/token',
       scope: 'https://www.googleapis.com/auth/userinfo.profile',
       issuer: 'app@example.com',
-      audience: 'https://accounts.google.com/o/oauth2/token',
+      audience: 'https://oauth2.googleapis.com/token',
       signing_key: @key
     )
   end
@@ -60,7 +60,7 @@ describe Signet::OAuth2::Client do
                                    @key.public_key, true,
                                    algorithm: 'RS256')
     end
-    stub_request(:post, 'https://accounts.google.com/o/oauth2/token')
+    stub_request(:post, 'https://oauth2.googleapis.com/token')
       .with(body: hash_including(
         'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer'
       ), &blk)

data/spec/googleauth/user_authorizer_spec.rb

@@ -242,7 +242,7 @@ describe Google::Auth::UserAuthorizer do
     end
 
     before(:example) do
-      stub_request(:post, 'https://www.googleapis.com/oauth2/v4/token')
+      stub_request(:post, 'https://oauth2.googleapis.com/token')
         .to_return(body: token_json, status: 200, headers: {
                      'Content-Type' => 'application/json'
                    })
@@ -270,7 +270,7 @@ describe Google::Auth::UserAuthorizer do
 
   context 'with invalid authorization code' do
     before(:example) do
-      stub_request(:post, 'https://www.googleapis.com/oauth2/v4/token')
+      stub_request(:post, 'https://oauth2.googleapis.com/token')
         .to_return(status: 400)
     end
 
@@ -300,7 +300,7 @@ describe Google::Auth::UserAuthorizer do
     before(:example) do
       token_store.store('user1', token_json)
       stub_request(
-        :get, 'https://accounts.google.com/o/oauth2/revoke?token=refreshtoken'
+        :get, 'https://oauth2.googleapis.com/revoke?token=refreshtoken'
       )
         .to_return(status: 200)
     end
@@ -308,7 +308,7 @@ describe Google::Auth::UserAuthorizer do
     it 'should revoke the grant' do
       authorizer.revoke_authorization('user1')
       expect(a_request(
-               :get, 'https://accounts.google.com/o/oauth2/revoke?token=refreshtoken'
+               :get, 'https://oauth2.googleapis.com/revoke?token=refreshtoken'
       ))
         .to have_been_made
     end

data/spec/googleauth/user_refresh_spec.rb

@@ -68,7 +68,7 @@ describe Google::Auth::UserRefreshCredentials do
     body = MultiJson.dump('access_token' => access_token,
                           'token_type' => 'Bearer',
                           'expires_in' => 3600)
-    stub_request(:post, 'https://www.googleapis.com/oauth2/v4/token')
+    stub_request(:post, 'https://oauth2.googleapis.com/token')
       .with(body: hash_including('grant_type' => 'refresh_token'))
       .to_return(body: body,
                  status: 200,
@@ -246,7 +246,7 @@ describe Google::Auth::UserRefreshCredentials do
 
   describe 'when revoking a refresh token' do
     let(:stub) do
-      stub_request(:get, 'https://accounts.google.com/o/oauth2/revoke' \
+      stub_request(:get, 'https://oauth2.googleapis.com/revoke' \
                          '?token=refreshtoken')
         .to_return(status: 200,
                    headers: { 'Content-Type' => 'application/json' })
@@ -262,7 +262,7 @@ describe Google::Auth::UserRefreshCredentials do
 
   describe 'when revoking an access token' do
     let(:stub) do
-      stub_request(:get, 'https://accounts.google.com/o/oauth2/revoke' \
+      stub_request(:get, 'https://oauth2.googleapis.com/revoke' \
                          '?token=accesstoken')
         .to_return(status: 200,
                    headers: { 'Content-Type' => 'application/json' })
@@ -280,7 +280,7 @@ describe Google::Auth::UserRefreshCredentials do
 
   describe 'when revoking an invalid token' do
     let(:stub) do
-      stub_request(:get, 'https://accounts.google.com/o/oauth2/revoke' \
+      stub_request(:get, 'https://oauth2.googleapis.com/revoke' \
                          '?token=refreshtoken')
         .to_return(status: 400,
                    headers: { 'Content-Type' => 'application/json' })
@@ -294,7 +294,7 @@ describe Google::Auth::UserRefreshCredentials do
     end
   end
 
-  describe 'when erros occurred with request' do
+  describe 'when errors occurred with request' do
     it 'should fail with Signet::AuthorizationError if request times out' do
       allow_any_instance_of(Faraday::Connection).to receive(:get)
         .and_raise(Faraday::TimeoutError)

data/spec/googleauth/web_user_authorizer_spec.rb

@@ -107,7 +107,7 @@ describe Google::Auth::WebUserAuthorizer do
     end
 
     before(:example) do
-      stub_request(:post, 'https://www.googleapis.com/oauth2/v4/token')
+      stub_request(:post, 'https://oauth2.googleapis.com/token')
         .to_return(body: token_json,
                    status: 200,
                    headers: { 'Content-Type' => 'application/json' })

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.6.3
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-10 00:00:00.000000000 Z
+date: 2018-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -24,20 +24,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.12'
-- !ruby/object:Gem::Dependency
-  name: logging
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -90,16 +76,22 @@ dependencies:
   name: os
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: signet
   requirement: !ruby/object:Gem::Requirement
@@ -128,6 +120,7 @@ files:
 - ".rubocop.yml"
 - ".travis.yml"
 - CHANGELOG.md
+- CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - COPYING
 - Gemfile
@@ -142,6 +135,7 @@ files:
 - lib/googleauth/credentials_loader.rb
 - lib/googleauth/default_credentials.rb
 - lib/googleauth/iam.rb
+- lib/googleauth/json_key_reader.rb
 - lib/googleauth/scope_util.rb
 - lib/googleauth/service_account.rb
 - lib/googleauth/signet.rb
@@ -188,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby