googleapis
diff --git a/‎Credentials.md‎
Lines changed: 6 additions & 2 deletions b/‎Credentials.md‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎lib/googleauth/credentials.rb‎
Lines changed: 49 additions & 34 deletions b/‎lib/googleauth/credentials.rb‎
Lines changed: 49 additions & 34 deletions
diff --git a/‎lib/googleauth/credentials_loader.rb‎
Lines changed: 15 additions & 0 deletions b/‎lib/googleauth/credentials_loader.rb‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎lib/googleauth/default_credentials.rb‎
Lines changed: 59 additions & 39 deletions b/‎lib/googleauth/default_credentials.rb‎
Lines changed: 59 additions & 39 deletions
diff --git a/‎lib/googleauth/external_account.rb‎
Lines changed: 5 additions & 0 deletions b/‎lib/googleauth/external_account.rb‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎lib/googleauth/service_account.rb‎
Lines changed: 25 additions & 9 deletions b/‎lib/googleauth/service_account.rb‎
Lines changed: 25 additions & 9 deletions
@@ -38,17 +38,19 @@ that exposes common initialization functionality, such as creating credentials f
    - For obtaining authentication tokens from GCE metadata server
    - Used automatically when code is running on Google Compute Engine
    - Fetches tokens from the metadata server with no additional configuration needed
+   - This credential type does not have a supported JSON form
 
 4. **Google::Auth::IAMCredentials < Signet::OAuth2::Client** - `lib/googleauth/iam.rb`
    - For IAM-based authentication (e.g. service-to-service)
    - Implements authentication-as-a-service for systems already authenticated
    - Exchanges existing credentials for a short-lived access token
+   - This credential type does not have a supported JSON form
 
 ## Service Account Authentication
 
 5. **Google::Auth::ServiceAccountCredentials < Signet::OAuth2::Client** - `lib/googleauth/service_account.rb`
    - Authenticates requests using Service Account credentials via an OAuth access token
-   - Created from JSON key file downloaded from Google Cloud Console
+   - Created from JSON key file downloaded from Google Cloud Console. The JSON form of this credential type has a `"type"` field with the value `"service_account"`.
    - Supports both OAuth access tokens and self-signed JWT authentication
    - Can specify scopes for access token requests
 
@@ -64,14 +66,15 @@ that exposes common initialization functionality, such as creating credentials f
    - Allows a GCP principal identified by a set of source credentials to impersonate a service account
    - Useful for delegation of authority and managing permissions across service accounts
    - Source credentials must have the Service Account Token Creator role on the target
+   - This credential type does not have a supported JSON form
 
 ## User Authentication
 
 8. **Google::Auth::UserRefreshCredentials < Signet::OAuth2::Client** - `lib/googleauth/user_refresh.rb`
    - For user refresh token authentication (from 3-legged OAuth flow)
    - Authenticates on behalf of a user who has authorized the application
    - Handles token refresh when original access token expires
-   - Typically obtained through web or installed application flow
+   - Typically obtained through web or installed application flow. The JSON form of this credential type has a `"type"` field with the value `"authorized_user"`.
 
 `Google::Auth::UserAuthorizer` (`lib/googleauth/user_authorizer.rb`) and `Google::Auth::WebUserAuthorizer` (`lib/googleauth/web_user_authorizer.rb`)
  are used to facilitate user authentication. The `UserAuthorizer` handles interactive 3-Legged-OAuth2 (3LO) user consent authorization for command-line applications.
@@ -83,6 +86,7 @@ that exposes common initialization functionality, such as creating credentials f
   types based on credential source (similar to `Google::Auth::get_application_default`).
   It is included in all External Account credentials types, and it itself includes `Google::Auth::BaseClient` module so all External
   Account credentials types include `Google::Auth::BaseClient`.
+  The JSON form of this credential type has a `"type"` field with the value `"external_account"`.
 
 9. **Google::Auth::ExternalAccount::AwsCredentials** - `lib/googleauth/external_account/aws_credentials.rb`
      - Includes `Google::Auth::BaseClient` module
 
@@ -16,6 +16,7 @@
 require "json"
 require "pathname"
 require "signet/oauth_2/client"
+require "multi_json"
 
 require "googleauth/credentials_loader"
 require "googleauth/errors"
@@ -508,17 +509,61 @@ def self.from_io io, options
           token_credential_uri:   options[:token_credential_uri] || token_credential_uri,
           audience:               options[:audience] || audience
         }
-        client = Google::Auth::DefaultCredentials.make_creds creds_input
+
+        # Determine the class, which consumes the IO stream
+        json_key, clz = Google::Auth::DefaultCredentials.determine_creds_class creds_input[:json_key_io]
+
+        # Re-serialize the parsed JSON and replace the IO stream in creds_input
+        creds_input[:json_key_io] = StringIO.new MultiJson.dump(json_key)
+
+        client = clz.make_creds creds_input
         options = options.select { |k, _v| k == :logger }
         new client, options
       end
 
+      # @private
+      # Initializes the Signet client.
+      def self.init_client hash, options = {}
+        options = update_client_options options
+        io = StringIO.new JSON.generate hash
+
+        # Determine the class, which consumes the IO stream
+        json_key, clz = Google::Auth::DefaultCredentials.determine_creds_class io
+
+        # Re-serialize the parsed JSON and create a new IO stream.
+        new_io = StringIO.new MultiJson.dump(json_key)
+
+        clz.make_creds options.merge!(json_key_io: new_io)
+      end
+
+      # @private
+      # Updates client options with defaults from the credential class
+      #
+      # @param [Hash] options Options to update
+      # @return [Hash] Updated options hash
+      # @raise [ArgumentError] If both scope and target_audience are specified
+      def self.update_client_options options
+        options = options.dup
+
+        # options have higher priority over constructor defaults
+        options[:token_credential_uri] ||= token_credential_uri
+        options[:audience] ||= audience
+        options[:scope] ||= scope
+        options[:target_audience] ||= target_audience
+
+        if !Array(options[:scope]).empty? && options[:target_audience]
+          raise ArgumentError, "Cannot specify both scope and target_audience"
+        end
+        options.delete :scope unless options[:target_audience].nil?
+
+        options
+      end
+
       private_class_method :from_env_vars,
                            :from_default_paths,
                            :from_application_default,
                            :from_io
 
-
       # Creates a duplicate of these credentials. This method tries to create the duplicate of the
       # wrapped credentials if they support duplication and use them as is if they don't.
       #
@@ -571,14 +616,6 @@ def verify_keyfile_exists! keyfile
         raise InitializationError, "The keyfile '#{keyfile}' is not a valid file." unless exists
       end
 
-      # Initializes the Signet client.
-      def init_client hash, options = {}
-        options = update_client_options options
-        io = StringIO.new JSON.generate hash
-        options.merge! json_key_io: io
-        Google::Auth::DefaultCredentials.make_creds options
-      end
-
       # returns a new Hash with string keys instead of symbol keys.
       def stringify_hash_keys hash
         hash.to_h.transform_keys(&:to_s)
@@ -589,28 +626,6 @@ def symbolize_hash_keys hash
         hash.to_h.transform_keys(&:to_sym)
       end
 
-      # Updates client options with defaults from the credential class
-      #
-      # @param [Hash] options Options to update
-      # @return [Hash] Updated options hash
-      # @raise [ArgumentError] If both scope and target_audience are specified
-      def update_client_options options
-        options = options.dup
-
-        # options have higher priority over constructor defaults
-        options[:token_credential_uri] ||= self.class.token_credential_uri
-        options[:audience] ||= self.class.audience
-        options[:scope] ||= self.class.scope
-        options[:target_audience] ||= self.class.target_audience
-
-        if !Array(options[:scope]).empty? && options[:target_audience]
-          raise ArgumentError, "Cannot specify both scope and target_audience"
-        end
-        options.delete :scope unless options[:target_audience].nil?
-
-        options
-      end
-
       def update_from_client client
         @project_id ||= client.project_id if client.respond_to? :project_id
         @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id
@@ -624,7 +639,7 @@ def update_from_hash hash, options
         hash["target_audience"] ||= options[:target_audience]
         @project_id ||= hash["project_id"] || hash["project"]
         @quota_project_id ||= hash["quota_project_id"]
-        @client = init_client hash, options
+        @client = self.class.init_client hash, options
       end
 
       def update_from_filepath path, options
@@ -634,7 +649,7 @@ def update_from_filepath path, options
         json["target_audience"] ||= options[:target_audience]
         @project_id ||= json["project_id"] || json["project"]
         @quota_project_id ||= json["quota_project_id"]
-        @client = init_client json, options
+        @client = self.class.init_client json, options
       end
 
       def setup_logging logger: :default
 
@@ -158,6 +158,21 @@ def load_gcloud_project_id
         nil
       end
 
+      # @private
+      # Loads a JSON key from an IO object, verifies its type, and rewinds the IO.
+      #
+      # @param json_key_io [IO] An IO object containing the JSON key.
+      # @param expected_type [String] The expected credential type name.
+      # @raise [Google::Auth::InitializationError] If the JSON key type does not match the expected type.
+      def load_and_verify_json_key_type json_key_io, expected_type
+        json_key = MultiJson.load json_key_io.read
+        json_key_io.rewind # Rewind the stream so it can be read again.
+        return if json_key["type"] == expected_type
+        raise Google::Auth::InitializationError,
+              "The provided credentials were not of type '#{expected_type}'. " \
+              "Instead, the type was '#{json_key['type']}'."
+      end
+
       private
 
       def interpret_options scope, options
 
@@ -43,61 +43,81 @@ class DefaultCredentials
       # information, refer to [Validate credential configurations from external
       # sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
       #
+      # @deprecated This method is deprecated and will be removed in a future version.
+      #   Please use the `make_creds` method on the specific credential class you intend to load,
+      #   e.g., `Google::Auth::ServiceAccountCredentials.make_creds`.
+      #
+      #   This method does not validate the credential configuration. The security
+      #   risk occurs when a credential configuration is accepted from a source that
+      #   is not under your control and used without validation on your side.
+      #
+      #   If you know that you will be loading credential configurations of a
+      #   specific type, it is recommended to use a credential-type-specific
+      #   `make_creds` method.
+      #   This will ensure that an unexpected credential type with potential for
+      #   malicious intent is not loaded unintentionally. You might still have to do
+      #   validation for certain credential types. Please follow the recommendation
+      #   for that method. For example, if you want to load only service accounts,
+      #   you can use:
+      #   ```
+      #   creds = Google::Auth::ServiceAccountCredentials.make_creds
+      #   ```
+      #   @see Google::Auth::ServiceAccountCredentials.make_creds
+      #
+      #   If you are loading your credential configuration from an untrusted source and have
+      #   not mitigated the risks (e.g. by validating the configuration yourself), make
+      #   these changes as soon as possible to prevent security risks to your environment.
+      #
+      #   Regardless of the method used, it is always your responsibility to validate
+      #   configurations received from external sources.
+      #
+      #   See https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+      #
       # @param options [Hash] Options for creating the credentials
       # @return [Google::Auth::Credentials] The credentials instance
       # @raise [Google::Auth::InitializationError] If the credentials cannot be determined
       def self.make_creds options = {}
         json_key_io = options[:json_key_io]
-        if json_key_io
-          json_key, clz = determine_creds_class json_key_io
+        json_key, clz = determine_creds_class json_key_io
+        if json_key
           io = StringIO.new MultiJson.dump(json_key)
           clz.make_creds options.merge(json_key_io: io)
         else
-          clz = read_creds
           clz.make_creds options
         end
       end
 
-      # Reads the credential type from environment and returns the appropriate class
-      #
-      # @return [Class] The credential class to use
-      # @raise [Google::Auth::InitializationError] If the credentials type is undefined or unsupported
-      def self.read_creds
-        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
-        type = ENV[env_var]
-        raise InitializationError, "#{env_var} is undefined in env" unless type
-        case type
-        when "service_account"
-          ServiceAccountCredentials
-        when "authorized_user"
-          UserRefreshCredentials
-        when "external_account"
-          ExternalAccount::Credentials
-        else
-          raise InitializationError, "credentials type '#{type}' is not supported"
-        end
-      end
-
       # Reads the input json and determines which creds class to use.
       #
-      # @param json_key_io [IO] An IO object containing the JSON key
-      # @return [Array(Hash, Class)] The JSON key and the credential class to use
-      # @raise [Google::Auth::InitializationError] If the JSON is missing the type field or has an unsupported type
-      def self.determine_creds_class json_key_io
-        json_key = MultiJson.load json_key_io.read
-        key = "type"
-        raise InitializationError, "the json is missing the '#{key}' field" unless json_key.key? key
-        type = json_key[key]
-        case type
-        when "service_account"
-          [json_key, ServiceAccountCredentials]
-        when "authorized_user"
-          [json_key, UserRefreshCredentials]
-        when "external_account"
-          [json_key, ExternalAccount::Credentials]
+      # @param json_key_io [IO, nil] An optional IO object containing the JSON key.
+      #   If nil, the credential type is determined from environment variables.
+      # @return [Array(Hash, Class)] The JSON key (or nil if from environment) and the credential class to use
+      # @raise [Google::Auth::InitializationError] If the JSON is missing the type field or has an unsupported type,
+      #   or if the environment variable is undefined or unsupported.
+      def self.determine_creds_class json_key_io = nil
+        if json_key_io
+          json_key = MultiJson.load json_key_io.read
+          key = "type"
+          raise InitializationError, "the json is missing the '#{key}' field" unless json_key.key? key
+          type = json_key[key]
         else
-          raise InitializationError, "credentials type '#{type}' is not supported"
+          env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
+          type = ENV[env_var]
+          raise InitializationError, "#{env_var} is undefined in env" unless type
+          json_key = nil
         end
+
+        clz = case type
+              when ServiceAccountCredentials::CREDENTIAL_TYPE_NAME
+                ServiceAccountCredentials
+              when UserRefreshCredentials::CREDENTIAL_TYPE_NAME
+                UserRefreshCredentials
+              when ExternalAccount::Credentials::CREDENTIAL_TYPE_NAME
+                ExternalAccount::Credentials
+              else
+                raise InitializationError, "credentials type '#{type}' is not supported"
+              end
+        [json_key, clz]
       end
     end
   end
 
@@ -34,6 +34,10 @@ class Credentials
         MISSING_CREDENTIAL_SOURCE = "missing credential source for external account".freeze
         INVALID_EXTERNAL_ACCOUNT_TYPE = "credential source is not supported external account type".freeze
 
+        # @private
+        # @type [::String] The type name for this credential.
+        CREDENTIAL_TYPE_NAME = "external_account".freeze
+
         # Create a ExternalAccount::Credentials
         #
         # @param options [Hash] Options for creating credentials
@@ -49,6 +53,7 @@ def self.make_creds options = {}
           json_key_io, scope = options.values_at :json_key_io, :scope
 
           raise InitializationError, "A json file is required for external account credentials." unless json_key_io
+          CredentialsLoader.load_and_verify_json_key_type json_key_io, CREDENTIAL_TYPE_NAME
           user_creds = read_json_key json_key_io
 
           # AWS credentials is determined by aws subject token type
 
@@ -41,6 +41,10 @@ class ServiceAccountCredentials < Signet::OAuth2::Client
       attr_reader :project_id
       attr_reader :quota_project_id
 
+      # @private
+      # @type [::String] The type name for this credential.
+      CREDENTIAL_TYPE_NAME = "service_account".freeze
+
       def enable_self_signed_jwt?
         # Use a self-singed JWT if there's no information that can be used to
         # obtain an OAuth token, OR if there are scopes but also an assertion
@@ -60,15 +64,13 @@ def self.make_creds options = {}
                             :audience, :token_credential_uri
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
-        if json_key_io
-          private_key, client_email, project_id, quota_project_id, universe_domain = read_json_key json_key_io
-        else
-          private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
-          client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
-          project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
-          quota_project_id = nil
-          universe_domain = nil
-        end
+        private_key, client_email, project_id, quota_project_id, universe_domain =
+          if json_key_io
+            CredentialsLoader.load_and_verify_json_key_type json_key_io, CREDENTIAL_TYPE_NAME
+            read_json_key json_key_io
+          else
+            creds_from_env
+          end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
         new(token_credential_uri:   token_credential_uri || TOKEN_CRED_URI,
@@ -190,6 +192,20 @@ def apply_self_signed_jwt! a_hash
         alt.logger = logger
         alt.apply! a_hash
       end
+
+      # @private
+      # Loads service account credential details from environment variables.
+      #
+      # @return [Array<String, String, String, nil, nil>] An array containing private_key,
+      #   client_email, project_id, quota_project_id, and universe_domain.
+      def self.creds_from_env
+        private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
+        client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
+        project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+        [private_key, client_email, project_id, nil, nil]
+      end
+
+      private_class_method :creds_from_env
     end
   end
 end