Add support for loading either credentials type as determined by the loaded content

lib/googleauth.rb

@@ -27,8 +27,13 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'googleauth/service_account'
+require 'multi_json'
+require 'stringio'
+
+require 'googleauth/credentials_loader'
 require 'googleauth/compute_engine'
+require 'googleauth/service_account'
+require 'googleauth/user_refresh'
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -40,6 +45,28 @@ https://developers.google.com/accounts/docs/application-default-credentials
 for more information
 END
 
+    # DefaultCredentials is used to preload the credentials file, to determine
+    # which type of credentials should be loaded.
+    class DefaultCredentials
+      extend CredentialsLoader
+
+      # override CredentialsLoader#make_creds to use the class determined by
+      # loading the json.
+      def self.make_creds(scope, json_key_io)
+        json_key, clz = determine_creds_class(json_key_io)
+        clz.new(scope, StringIO.new(MultiJson.dump(json_key)))
+      end
+
+      # Reads the input json and determines which creds class to use.
+      def self.determine_creds_class(json_key_io)
+        json_key = MultiJson.load(json_key_io.read)
+        fail "the json is missing the #{key} field" unless json_key.key?('type')
+        svc_account = json_key['type'] == 'service_account'
+        return json_key, ServiceAccountCredentials if svc_account
+        [json_key, UserRefreshCredentials]
+      end
+    end
+
     # Obtains the default credentials implementation to use in this
     # environment.
     #
@@ -53,9 +80,9 @@ END
     # @param scope [string|array] the scope(s) to access
     # @param options [hash] allows override of the connection being used
     def get_application_default(scope, options = {})
-      creds = ServiceAccountCredentials.from_env(scope)
+      creds = DefaultCredentials.from_env(scope)
       return creds unless creds.nil?
-      creds = ServiceAccountCredentials.from_well_known_path(scope)
+      creds = DefaultCredentials.from_well_known_path(scope)
       return creds unless creds.nil?
       fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
       GCECredentials.new

lib/googleauth/credentials_loader.rb

@@ -50,6 +50,14 @@ module Google
       end
       memoize :windows?
 
+      # make_creds proxies the construction of a credentials instance
+      #
+      # By default, it calls #new on the current class, but this behaviour can
+      # be modified, allowing different instances to be created.
+      def make_creds(*args)
+        new(*args)
+      end
+
       # Creates an instance from the path specified in an environment
       # variable.
       #
@@ -59,7 +67,7 @@ module Google
         path = ENV[ENV_VAR]
         fail 'file #{path} does not exist' unless File.exist?(path)
         File.open(path) do |f|
-          return new(scope, f)
+          return make_creds(scope, f)
         end
       rescue StandardError => e
         raise "#{NOT_FOUND_ERROR}: #{e}"
@@ -75,7 +83,7 @@ module Google
         path = File.join(root, base)
         return nil unless File.exist?(path)
         File.open(path) do |f|
-          return new(scope, f)
+          return make_creds(scope, f)
         end
       rescue StandardError => e
         raise "#{WELL_KNOWN_ERROR}: #{e}"

spec/googleauth/get_application_default_spec.rb

@@ -49,17 +49,7 @@ describe '#get_application_default' do
     ENV['HOME'] = @home unless @home == ENV['HOME']
   end
 
-  def cred_json_text
+  shared_examples 'it loads them correctly' do
-    cred_json = {
-      private_key_id: 'a_private_key_id',
-      private_key: @key.to_pem,
-      client_email: 'app@developer.gserviceaccount.com',
-      client_id: 'app.apps.googleusercontent.com',
-      type: 'service_account'
-    }
-    MultiJson.dump(cred_json)
-  end
-
     it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
       Dir.mktmpdir do |dir|
         key_path = File.join(dir, 'does-not-exist')
@@ -78,7 +68,7 @@ describe '#get_application_default' do
       end
     end
 
-  it 'succeeds with default file if GOOGLE_APPLICATION_CREDENTIALS is unset' do
+    it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do
       ENV.delete(@var_name) unless ENV[@var_name].nil?
       Dir.mktmpdir do |dir|
         key_path = File.join(dir, '.config',
@@ -126,9 +116,41 @@ describe '#get_application_default' do
         c = Faraday.new do |b|
           b.adapter(:test, stubs)
         end
-      expect(Google::Auth.get_application_default(@scope,
+        creds = Google::Auth.get_application_default(
-                                                  connection: c)).to_not be_nil
+          @scope,
+          connection: c)
+        expect(creds).to_not be_nil
       end
       stubs.verify_stubbed_calls
     end
   end
+
+  describe 'when credential type is service account' do
+    def cred_json_text
+      cred_json = {
+        private_key_id: 'a_private_key_id',
+        private_key: @key.to_pem,
+        client_email: 'app@developer.gserviceaccount.com',
+        client_id: 'app.apps.googleusercontent.com',
+        type: 'service_account'
+      }
+      MultiJson.dump(cred_json)
+    end
+
+    it_behaves_like 'it loads them correctly'
+  end
+
+  describe 'when credential type is authorized_user' do
+    def cred_json_text
+      cred_json = {
+        client_secret: 'privatekey',
+        refresh_token: 'refreshtoken',
+        client_id: 'app.apps.googleusercontent.com',
+        type: 'authorized_user'
+      }
+      MultiJson.dump(cred_json)
+    end
+
+    it_behaves_like 'it loads them correctly'
+  end
+end