Validate credential account (#345)

Added validation to check whether it's an `external_account` or `service_account` to fix error `missing client_email` caused by https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/json_key_reader.rb#L24 when using Workload Identity Federation.
  - `service_account` –> `Google::Auth::ServiceAccountCredentials`
  - `external_account` –> `Google::Auth::ExternalAccount::Credentials`

Author: adrianha

lib/fastlane/plugin/firebase_app_distribution/helper/firebase_app_distribution_auth_client.rb

@@ -99,7 +99,10 @@ def firebase_token(refresh_token, debug)
       end
 
       def service_account(google_service_path, debug)
-        service_account_credentials = Google::Auth::ServiceAccountCredentials.make_creds(
+        # check if it's an external account or service account
+        json_file = JSON.parse(File.read(google_service_path))
+        auth = json_file["type"] == "external_account" ? Google::Auth::ExternalAccount::Credentials : Google::Auth::ServiceAccountCredentials
+        service_account_credentials = auth.make_creds(
           json_key_io: File.open(google_service_path),
           scope: SCOPE
         )

spec/firebase_app_distribution_auth_client_spec.rb

@@ -3,7 +3,10 @@
   let(:fake_binary) { double("Binary") }
   let(:fake_binary_contents) { double("Contents") }
   let(:firebase_auth) { Signet::OAuth2::Client }
-  let(:service_auth) { Google::Auth::ServiceAccountCredentials }
+  let(:service_account_auth) { Google::Auth::ServiceAccountCredentials }
+  let(:fake_service_account_contents_json) { "{\"type\": \"service_account\"}" }
+  let(:external_account_auth) { Google::Auth::ExternalAccount::Credentials }
+  let(:fake_external_account_contents_json) { "{\"type\": \"external_account\"}" }
   let(:fake_firebase_tools_contents) { "{\"tokens\": {\"refresh_token\": \"refresh_token\"} }" }
   let(:fake_firebase_tools_contents_no_tokens_field) { "{}" }
   let(:fake_firebase_tools_contents_no_refresh_field) { "{\"tokens\": \"empty\"}" }
@@ -20,14 +23,18 @@
     allow(fake_oauth_client).to receive(:access_token)
       .and_return("fake_auth_token")
 
-    allow(service_auth).to receive(:make_creds)
+    allow(service_account_auth).to receive(:make_creds)
+      .and_return(fake_service_creds)
+    allow(external_account_auth).to receive(:make_creds)
       .and_return(fake_service_creds)
     allow(fake_service_creds).to receive(:fetch_access_token!)
       .and_return(payload)
 
     allow(File).to receive(:open).and_call_original
     allow(File).to receive(:open)
       .and_return(fake_binary)
+    allow(File).to receive(:read)
+      .and_return(fake_service_account_contents_json)
     allow(fake_binary).to receive(:read)
       .and_return(fake_binary_contents)
     allow(fake_binary_contents).to receive(:key)
@@ -56,10 +63,20 @@
             .to eq(fake_service_creds)
         end
 
-        it 'auths with service credentials environment variable' do
+        it 'auths with service account credentials environment variable' do
+          allow(ENV).to receive(:[])
+            .with("GOOGLE_APPLICATION_CREDENTIALS")
+            .and_return("google_service_path")
+          expect(auth_client.get_authorization(empty_val, empty_val))
+            .to eq(fake_service_creds)
+        end
+
+        it 'auths with external account credentials environment variable' do
           allow(ENV).to receive(:[])
             .with("GOOGLE_APPLICATION_CREDENTIALS")
             .and_return("google_service_path")
+          allow(File).to receive(:read)
+            .and_return(fake_external_account_contents_json)
           expect(auth_client.get_authorization(empty_val, empty_val))
             .to eq(fake_service_creds)
         end