From c148fc12bb2fee7dc53e2dc2157f2aa6fa6378d8 Mon Sep 17 00:00:00 2001
From: Ernest Landrito <landrito@google.com>
Date: Thu, 12 Oct 2017 09:19:43 -0700
Subject: [PATCH] Add simple credentials class. (#122)

* Add simple credentials class

* 1.9.3 fix

* Review fixes

* Move  into it's own file. Cleanup require statements
---
 lib/googleauth.rb                     |  96 +-------------
 lib/googleauth/application_default.rb |  67 ++++++++++
 lib/googleauth/credentials.rb         | 177 ++++++++++++++++++++++++++
 lib/googleauth/default_credentials.rb |  91 +++++++++++++
 spec/googleauth/credentials_spec.rb   | 108 ++++++++++++++++
 5 files changed, 446 insertions(+), 93 deletions(-)
 create mode 100644 lib/googleauth/application_default.rb
 create mode 100644 lib/googleauth/credentials.rb
 create mode 100644 lib/googleauth/default_credentials.rb
 create mode 100644 spec/googleauth/credentials_spec.rb

diff --git a/lib/googleauth.rb b/lib/googleauth.rb
index fa4da01..7382b07 100644
--- a/lib/googleauth.rb
+++ b/lib/googleauth.rb
@@ -27,99 +27,9 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'multi_json'
-require 'stringio'
-
-require 'googleauth/credentials_loader'
-require 'googleauth/compute_engine'
-require 'googleauth/service_account'
-require 'googleauth/user_refresh'
+require 'googleauth/application_default'
 require 'googleauth/client_id'
+require 'googleauth/credentials'
+require 'googleauth/default_credentials'
 require 'googleauth/user_authorizer'
 require 'googleauth/web_user_authorizer'
-
-module Google
-  # Module Auth provides classes that provide Google-specific authorization
-  # used to access Google APIs.
-  module Auth
-    NOT_FOUND_ERROR = <<END.freeze
-Could not load the default credentials. Browse to
-https://developers.google.com/accounts/docs/application-default-credentials
-for more information
-END
-
-    # DefaultCredentials is used to preload the credentials file, to determine
-    # which type of credentials should be loaded.
-    class DefaultCredentials
-      extend CredentialsLoader
-
-      # override CredentialsLoader#make_creds to use the class determined by
-      # loading the json.
-      def self.make_creds(options = {})
-        json_key_io, scope = options.values_at(:json_key_io, :scope)
-        if json_key_io
-          json_key, clz = determine_creds_class(json_key_io)
-          clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
-                         scope: scope)
-        else
-          clz = read_creds
-          clz.make_creds(scope: scope)
-        end
-      end
-
-      def self.read_creds
-        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
-        type = ENV[env_var]
-        raise "#{env_var} is undefined in env" unless type
-        case type
-        when 'service_account'
-          ServiceAccountCredentials
-        when 'authorized_user'
-          UserRefreshCredentials
-        else
-          raise "credentials type '#{type}' is not supported"
-        end
-      end
-
-      # Reads the input json and determines which creds class to use.
-      def self.determine_creds_class(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        key = 'type'
-        raise "the json is missing the '#{key}' field" unless json_key.key?(key)
-        type = json_key[key]
-        case type
-        when 'service_account'
-          [json_key, ServiceAccountCredentials]
-        when 'authorized_user'
-          [json_key, UserRefreshCredentials]
-        else
-          raise "credentials type '#{type}' is not supported"
-        end
-      end
-    end
-
-    # Obtains the default credentials implementation to use in this
-    # environment.
-    #
-    # Use this to obtain the Application Default Credentials for accessing
-    # Google APIs.  Application Default Credentials are described in detail
-    # at http://goo.gl/IUuyuX.
-    #
-    # If supplied, scope is used to create the credentials instance, when it can
-    # be applied.  E.g, on google compute engine and for user credentials the
-    # scope is ignored.
-    #
-    # @param scope [string|array|nil] the scope(s) to access
-    # @param options [hash] allows override of the connection being used
-    def get_application_default(scope = nil, options = {})
-      creds = DefaultCredentials.from_env(scope) ||
-              DefaultCredentials.from_well_known_path(scope) ||
-              DefaultCredentials.from_system_default_path(scope)
-      return creds unless creds.nil?
-      raise NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
-      GCECredentials.new
-    end
-
-    module_function :get_application_default
-  end
-end
diff --git a/lib/googleauth/application_default.rb b/lib/googleauth/application_default.rb
new file mode 100644
index 0000000..ec8b909
--- /dev/null
+++ b/lib/googleauth/application_default.rb
@@ -0,0 +1,67 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'googleauth/compute_engine'
+require 'googleauth/default_credentials'
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    NOT_FOUND_ERROR = <<ERROR_MESSAGE.freeze
+Could not load the default credentials. Browse to
+https://developers.google.com/accounts/docs/application-default-credentials
+for more information
+ERROR_MESSAGE
+
+    # Obtains the default credentials implementation to use in this
+    # environment.
+    #
+    # Use this to obtain the Application Default Credentials for accessing
+    # Google APIs.  Application Default Credentials are described in detail
+    # at http://goo.gl/IUuyuX.
+    #
+    # If supplied, scope is used to create the credentials instance, when it can
+    # be applied.  E.g, on google compute engine and for user credentials the
+    # scope is ignored.
+    #
+    # @param scope [string|array|nil] the scope(s) to access
+    # @param options [hash] allows override of the connection being used
+    def get_application_default(scope = nil, options = {})
+      creds = DefaultCredentials.from_env(scope) ||
+              DefaultCredentials.from_well_known_path(scope) ||
+              DefaultCredentials.from_system_default_path(scope)
+      return creds unless creds.nil?
+      raise NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
+      GCECredentials.new
+    end
+
+    module_function :get_application_default
+  end
+end
diff --git a/lib/googleauth/credentials.rb b/lib/googleauth/credentials.rb
new file mode 100644
index 0000000..c5a6d06
--- /dev/null
+++ b/lib/googleauth/credentials.rb
@@ -0,0 +1,177 @@
+# Copyright 2017, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'forwardable'
+require 'json'
+require 'signet/oauth_2/client'
+
+require 'googleauth/default_credentials'
+
+module Google
+  module Auth
+    # This class is intended to be inherited by API-specific classes
+    # which overrides the SCOPE constant.
+    class Credentials
+      TOKEN_CREDENTIAL_URI = 'https://accounts.google.com/o/oauth2/token'.freeze
+      AUDIENCE = 'https://accounts.google.com/o/oauth2/token'.freeze
+      SCOPE = [].freeze
+      PATH_ENV_VARS = [].freeze
+      JSON_ENV_VARS = [].freeze
+      DEFAULT_PATHS = [].freeze
+
+      attr_accessor :client
+
+      # Delegate client methods to the client object.
+      extend Forwardable
+      def_delegators :@client,
+                     :token_credential_uri, :audience,
+                     :scope, :issuer, :signing_key, :updater_proc
+
+      def initialize(keyfile, options = {})
+        scope = options[:scope]
+        verify_keyfile_provided! keyfile
+        if keyfile.is_a? Signet::OAuth2::Client
+          @client = keyfile
+        elsif keyfile.is_a? Hash
+          hash = stringify_hash_keys keyfile
+          hash['scope'] ||= scope
+          @client = init_client hash
+        else
+          verify_keyfile_exists! keyfile
+          json = JSON.parse ::File.read(keyfile)
+          json['scope'] ||= scope
+          @client = init_client json
+        end
+        @client.fetch_access_token!
+      end
+
+      # Returns the default credentials checking, in this order, the path env
+      # evironment variables, json environment variables, default paths. If the
+      # previously stated locations do not contain keyfile information,
+      # this method defaults to use the application default.
+      def self.default(options = {})
+        scope = options[:scope]
+        # First try to find keyfile file from environment variables.
+        client = from_path_vars(scope)
+
+        # Second try to find keyfile json from environment variables.
+        client ||= from_json_vars(scope)
+
+        # Third try to find keyfile file from known file paths.
+        client ||= from_default_vars(scope)
+
+        # Finally get instantiated client from Google::Auth
+        client ||= from_application_default(scope)
+        client
+      end
+
+      def self.from_path_vars(scope)
+        self::PATH_ENV_VARS
+          .map { |v| ENV[v] }
+          .compact
+          .select { |p| ::File.file? p }
+          .each do |file|
+            return new file, scope: scope
+          end
+      end
+
+      def self.from_json_vars(scope)
+        json = lambda do |v|
+          unless ENV[v].nil?
+            begin
+              JSON.parse ENV[v]
+            rescue
+              nil
+            end
+          end
+        end
+        self::JSON_ENV_VARS.map(&json).compact.each do |hash|
+          return new hash, scope: scope
+        end
+      end
+
+      def self.from_default_paths(scope)
+        self::DEFAULT_PATHS
+          .select { |p| ::File.file? p }
+          .each do |file|
+            return new file, scope: scope
+          end
+      end
+
+      def self.from_application_default(scope)
+        scope ||= self::SCOPE
+        client = Google::Auth.get_application_default scope
+        new client
+      end
+      private_class_method :from_path_vars,
+                           :from_json_vars,
+                           :from_default_paths,
+                           :from_application_default
+
+      protected
+
+      # Verify that the keyfile argument is provided.
+      def verify_keyfile_provided!(keyfile)
+        return unless keyfile.nil?
+        raise 'The keyfile passed to Google::Auth::Credentials.new was nil.'
+      end
+
+      # Verify that the keyfile argument is a file.
+      def verify_keyfile_exists!(keyfile)
+        exists = ::File.file? keyfile
+        raise "The keyfile '#{keyfile}' is not a valid file." unless exists
+      end
+
+      # Initializes the Signet client.
+      def init_client(keyfile)
+        client_opts = client_options keyfile
+        Signet::OAuth2::Client.new client_opts
+      end
+
+      # returns a new Hash with string keys instead of symbol keys.
+      def stringify_hash_keys(hash)
+        Hash[hash.map { |k, v| [k.to_s, v] }]
+      end
+
+      def client_options(options)
+        # Keyfile options have higher priority over constructor defaults
+        options['token_credential_uri'] ||= self.class::TOKEN_CREDENTIAL_URI
+        options['audience'] ||= self.class::AUDIENCE
+        options['scope'] ||= self.class::SCOPE
+
+        # client options for initializing signet client
+        { token_credential_uri: options['token_credential_uri'],
+          audience: options['audience'],
+          scope: Array(options['scope']),
+          issuer: options['client_email'],
+          signing_key: OpenSSL::PKey::RSA.new(options['private_key']) }
+      end
+    end
+  end
+end
diff --git a/lib/googleauth/default_credentials.rb b/lib/googleauth/default_credentials.rb
new file mode 100644
index 0000000..cebb015
--- /dev/null
+++ b/lib/googleauth/default_credentials.rb
@@ -0,0 +1,91 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'multi_json'
+require 'stringio'
+
+require 'googleauth/credentials_loader'
+require 'googleauth/service_account'
+require 'googleauth/user_refresh'
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # DefaultCredentials is used to preload the credentials file, to determine
+    # which type of credentials should be loaded.
+    class DefaultCredentials
+      extend CredentialsLoader
+
+      # override CredentialsLoader#make_creds to use the class determined by
+      # loading the json.
+      def self.make_creds(options = {})
+        json_key_io, scope = options.values_at(:json_key_io, :scope)
+        if json_key_io
+          json_key, clz = determine_creds_class(json_key_io)
+          clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
+                         scope: scope)
+        else
+          clz = read_creds
+          clz.make_creds(scope: scope)
+        end
+      end
+
+      def self.read_creds
+        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
+        type = ENV[env_var]
+        raise "#{env_var} is undefined in env" unless type
+        case type
+        when 'service_account'
+          ServiceAccountCredentials
+        when 'authorized_user'
+          UserRefreshCredentials
+        else
+          raise "credentials type '#{type}' is not supported"
+        end
+      end
+
+      # Reads the input json and determines which creds class to use.
+      def self.determine_creds_class(json_key_io)
+        json_key = MultiJson.load(json_key_io.read)
+        key = 'type'
+        raise "the json is missing the '#{key}' field" unless json_key.key?(key)
+        type = json_key[key]
+        case type
+        when 'service_account'
+          [json_key, ServiceAccountCredentials]
+        when 'authorized_user'
+          [json_key, UserRefreshCredentials]
+        else
+          raise "credentials type '#{type}' is not supported"
+        end
+      end
+    end
+  end
+end
diff --git a/spec/googleauth/credentials_spec.rb b/spec/googleauth/credentials_spec.rb
new file mode 100644
index 0000000..aa10a51
--- /dev/null
+++ b/spec/googleauth/credentials_spec.rb
@@ -0,0 +1,108 @@
+# Copyright 2017, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require 'googleauth'
+
+# This test is testing the private class Google::Auth::Credentials. We want to
+# make sure that the passed in scope propogates to the Signet object. This means
+# testing the private API, which is generally frowned on.
+describe Google::Auth::Credentials, :private do
+  let(:default_keyfile_hash) do
+    {
+      'private_key_id' => 'testabc1234567890xyz',
+      'private_key' => "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAOyi0Hy1l4Ym2m2o71Q0TF4O9E81isZEsX0bb+Bqz1SXEaSxLiXM\nUZE8wu0eEXivXuZg6QVCW/5l+f2+9UPrdNUCAwEAAQJAJkqubA/Chj3RSL92guy3\nktzeodarLyw8gF8pOmpuRGSiEo/OLTeRUMKKD1/kX4f9sxf3qDhB4e7dulXR1co/\nIQIhAPx8kMW4XTTL6lJYd2K5GrH8uBMp8qL5ya3/XHrBgw3dAiEA7+3Iw3ULTn2I\n1J34WlJ2D5fbzMzB4FAHUNEV7Ys3f1kCIQDtUahCMChrl7+H5t9QS+xrn77lRGhs\nB50pjvy95WXpgQIhAI2joW6JzTfz8fAapb+kiJ/h9Vcs1ZN3iyoRlNFb61JZAiA8\nNy5NyNrMVwtB/lfJf1dAK/p/Bwd8LZLtgM6PapRfgw==\n-----END RSA PRIVATE KEY-----\n",
+      'client_email' => 'credz-testabc1234567890xyz@developer.gserviceaccount.com',
+      'client_id' => 'credz-testabc1234567890xyz.apps.googleusercontent.com',
+      'type' => 'service_account'
+    }
+  end
+
+  it 'uses a default scope' do
+    mocked_signet = double('Signet::OAuth2::Client')
+    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:scope]).to eq([])
+      expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
+      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+      mocked_signet
+    end
+
+    Google::Auth::Credentials.new default_keyfile_hash
+  end
+
+  it 'uses a custom scope' do
+    mocked_signet = double('Signet::OAuth2::Client')
+    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:scope]).to eq(['http://example.com/scope'])
+      expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
+      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+      mocked_signet
+    end
+
+    Google::Auth::Credentials.new default_keyfile_hash, scope: 'http://example.com/scope'
+  end
+
+  it 'can be subclassed to pass in other env paths' do
+    TEST_PATH_ENV_VAR = 'TEST_PATH'.freeze
+    TEST_PATH_ENV_VAL = '/unknown/path/to/file.txt'.freeze
+    TEST_JSON_ENV_VAR = 'TEST_JSON_VARS'.freeze
+
+    ENV[TEST_PATH_ENV_VAR] = TEST_PATH_ENV_VAL
+    ENV[TEST_JSON_ENV_VAR] = JSON.generate(default_keyfile_hash)
+
+    class TestCredentials < Google::Auth::Credentials
+      SCOPE = 'http://example.com/scope'.freeze
+      PATH_ENV_VARS = [TEST_PATH_ENV_VAR].freeze
+      JSON_ENV_VARS = [TEST_JSON_ENV_VAR].freeze
+    end
+
+    allow(::File).to receive(:file?).with(TEST_PATH_ENV_VAL) { false }
+
+    mocked_signet = double('Signet::OAuth2::Client')
+    allow(mocked_signet).to receive(:fetch_access_token!).and_return(true)
+    allow(Signet::OAuth2::Client).to receive(:new) do |options|
+      expect(options[:token_credential_uri]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:audience]).to eq('https://accounts.google.com/o/oauth2/token')
+      expect(options[:scope]).to eq(['http://example.com/scope'])
+      expect(options[:issuer]).to eq(default_keyfile_hash['client_email'])
+      expect(options[:signing_key]).to be_a_kind_of(OpenSSL::PKey::RSA)
+
+      mocked_signet
+    end
+
+    TestCredentials.default
+  end
+end