fix: adjust multi_json usage with forward-compatible API shim

googleauth.gemspec

@@ -26,7 +26,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency "google-cloud-env", "~> 2.2"
   gem.add_dependency "google-logging-utils", "~> 0.1"
   gem.add_dependency "jwt", ">= 1.4", "< 4.0"
-  gem.add_dependency "multi_json", "~> 1.11"
+  gem.add_dependency "multi_json", "1.21.0"
   gem.add_dependency "os", ">= 0.9", "< 2.0"
   gem.add_dependency "signet", ">= 0.16", "< 2.a"
 

lib/googleauth/client_id.rb

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "multi_json"
+require "googleauth/json_compat"
 require "googleauth/credentials_loader"
 require "googleauth/errors"
 
@@ -85,7 +85,7 @@ def self.from_file file
         raise InitializationError, "File can not be nil." if file.nil?
         File.open file.to_s do |f|
           json = f.read
-          config = MultiJson.load json
+          config = MultiJSON.parse json
           from_hash config
         end
       end

lib/googleauth/credentials.rb

@@ -16,7 +16,7 @@
 require "json"
 require "pathname"
 require "signet/oauth_2/client"
-require "multi_json"
+require "googleauth/json_compat"
 
 require "googleauth/credentials_loader"
 require "googleauth/errors"
@@ -370,7 +370,7 @@ def disable_universe_domain_check
       #   * Any credentials object that supports the methods this wrapper delegates to an inner client.
       #
       #   If this parameter is an object (`Signet::OAuth2::Client` or other) it will be used as an inner client.
-      #   Otherwise the inner client will be constructed from the JSON keyfile or the contens of the hash.
+      #   Otherwise the inner client will be constructed from the JSON keyfile or the contents of the hash.
       #
       # @param [Hash] options
       #   The options for configuring this wrapper credentials object and the inner client.
@@ -514,7 +514,7 @@ def self.from_io io, options
         json_key, clz = Google::Auth::DefaultCredentials.determine_creds_class creds_input[:json_key_io]
 
         # Re-serialize the parsed JSON and replace the IO stream in creds_input
-        creds_input[:json_key_io] = StringIO.new MultiJson.dump(json_key)
+        creds_input[:json_key_io] = StringIO.new MultiJSON.generate(json_key)
 
         client = clz.make_creds creds_input
         options = options.select { |k, _v| k == :logger }
@@ -531,7 +531,7 @@ def self.init_client hash, options = {}
         json_key, clz = Google::Auth::DefaultCredentials.determine_creds_class io
 
         # Re-serialize the parsed JSON and create a new IO stream.
-        new_io = StringIO.new MultiJson.dump(json_key)
+        new_io = StringIO.new MultiJSON.generate(json_key)
 
         clz.make_creds options.merge!(json_key_io: new_io)
       end

lib/googleauth/credentials_loader.rb

@@ -16,6 +16,7 @@
 require "rbconfig"
 
 require "googleauth/errors"
+require "googleauth/json_compat"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -152,7 +153,7 @@ def load_gcloud_project_id
         gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
         gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
         gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", err: :close, &:read)
-        config = MultiJson.load gcloud_json
+        config = MultiJSON.parse gcloud_json
         config["configuration"]["properties"]["core"]["project"]
       rescue StandardError
         nil
@@ -165,7 +166,7 @@ def load_gcloud_project_id
       # @param expected_type [String] The expected credential type name.
       # @raise [Google::Auth::InitializationError] If the JSON key type does not match the expected type.
       def load_and_verify_json_key_type json_key_io, expected_type
-        json_key = MultiJson.load json_key_io.read
+        json_key = MultiJSON.parse json_key_io.read
         json_key_io.rewind # Rewind the stream so it can be read again.
         return if json_key["type"] == expected_type
         raise Google::Auth::InitializationError,

lib/googleauth/default_credentials.rb

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "multi_json"
+require "googleauth/json_compat"
 require "stringio"
 
 require "googleauth/credentials_loader"
@@ -81,7 +81,7 @@ def self.make_creds options = {}
         json_key_io = options[:json_key_io]
         json_key, clz = determine_creds_class json_key_io
         if json_key
-          io = StringIO.new MultiJson.dump(json_key)
+          io = StringIO.new MultiJSON.generate(json_key)
           clz.make_creds options.merge(json_key_io: io)
         else
           clz.make_creds options
@@ -97,7 +97,7 @@ def self.make_creds options = {}
       #   or if the environment variable is undefined or unsupported.
       def self.determine_creds_class json_key_io = nil
         if json_key_io
-          json_key = MultiJson.load json_key_io.read
+          json_key = MultiJSON.parse json_key_io.read
           key = "type"
           raise InitializationError, "the json is missing the '#{key}' field" unless json_key.key? key
           type = json_key[key]

lib/googleauth/external_account.rb

@@ -62,12 +62,12 @@ def self.make_creds options = {}
           json_key_io, scope = options.values_at :json_key_io, :scope
 
           raise InitializationError, "A json file is required for external account credentials." unless json_key_io
-          json_key = MultiJson.load json_key_io.read, symbolize_keys: true
+          json_key = MultiJSON.parse json_key_io.read, symbolize_names: true
           if json_key.key? :type
             json_key_io.rewind
           else # Defaults to class credential 'type' if missing.
             json_key[:type] = CREDENTIAL_TYPE_NAME
-            json_key_io = StringIO.new MultiJson.dump(json_key)
+            json_key_io = StringIO.new MultiJSON.generate(json_key)
           end
           CredentialsLoader.load_and_verify_json_key_type json_key_io, CREDENTIAL_TYPE_NAME
           user_creds = read_json_key json_key_io
@@ -86,7 +86,7 @@ def self.make_creds options = {}
         # @return [Hash] The parsed JSON key
         # @raise [Google::Auth::InitializationError] If the JSON is missing required fields
         def self.read_json_key json_key_io
-          json_key = MultiJson.load json_key_io.read, symbolize_keys: true
+          json_key = MultiJSON.parse json_key_io.read, symbolize_names: true
           wanted = [
             :audience, :subject_token_type, :token_url, :credential_source
           ]

lib/googleauth/external_account/aws_credentials.rb

@@ -226,7 +226,7 @@ def fetch_metadata_role_name
         # Retrieves the AWS security credentials required for signing AWS requests from the AWS metadata server.
         def fetch_metadata_security_credentials role_name
           response = get_aws_resource "#{@credential_verification_url}/#{role_name}", "credentials"
-          MultiJson.load response.body
+          MultiJSON.parse response.body
         end
 
         # Reads the name of the AWS region from the environment

lib/googleauth/external_account/base_credentials.rb

@@ -190,7 +190,7 @@ def get_impersonated_access_token token, _options = {}
           response = connection.post @service_account_impersonation_url do |req|
             req.headers["Authorization"] = "Bearer #{token}"
             req.headers["Content-Type"] = "application/json"
-            req.body = MultiJson.dump({ scope: @scope })
+            req.body = MultiJSON.generate({ scope: @scope })
           end
 
           if response.status != 200
@@ -201,7 +201,7 @@ def get_impersonated_access_token token, _options = {}
             )
           end
 
-          MultiJson.load response.body
+          MultiJSON.parse response.body
         end
 
         def log_impersonated_token_request original_token

lib/googleauth/external_account/external_account_utils.rb

@@ -54,7 +54,7 @@ def project_id
           end
 
           if response.status == 200
-            response_data = MultiJson.load response.body, symbolize_names: true
+            response_data = MultiJSON.parse response.body, symbolize_names: true
             @project_id = response_data[:projectId]
           end
 

lib/googleauth/external_account/identity_pool_credentials.rb

@@ -63,7 +63,7 @@ def retrieve_subject_token!
             token = content
           else
             begin
-              response_data = MultiJson.load content, symbolize_keys: true
+              response_data = MultiJSON.parse content, symbolize_names: true
               token = response_data[@credential_source_field_name.to_sym]
             rescue StandardError
               raise CredentialsError, "Unable to parse subject_token from JSON resource #{resource_name} " \

lib/googleauth/external_account/pluggable_credentials.rb

@@ -88,7 +88,7 @@ def retrieve_subject_token!
           env = inject_environment_variables
           output = subprocess_with_timeout env, @credential_source_executable_command,
                                            @credential_source_executable_timeout_millis
-          response = MultiJson.load output, symbolize_keys: true
+          response = MultiJSON.parse output, symbolize_names: true
           parse_subject_token response
         end
 
@@ -99,7 +99,7 @@ def load_subject_token_from_output_file
           return nil unless File.exist? @credential_source_executable_output_file
           begin
             content = File.read @credential_source_executable_output_file, encoding: "utf-8"
-            response = MultiJson.load content, symbolize_keys: true
+            response = MultiJSON.parse content, symbolize_names: true
           rescue StandardError
             return nil
           end

lib/googleauth/iam.rb

@@ -14,7 +14,7 @@
 
 require "googleauth/signet"
 require "googleauth/credentials_loader"
-require "multi_json"
+require "googleauth/json_compat"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization

lib/googleauth/impersonated_service_account.rb

@@ -15,6 +15,7 @@
 require "googleauth/base_client"
 require "googleauth/errors"
 require "googleauth/helpers/connection"
+require "googleauth/json_compat"
 
 module Google
   module Auth
@@ -117,7 +118,7 @@ def self.make_creds_from_json options
         end
 
         require "googleauth/default_credentials"
-        impersonated_json = MultiJson.load json_key_io.read
+        impersonated_json = MultiJSON.parse json_key_io.read
         source_credentials_info = impersonated_json["source_credentials"]
 
         if source_credentials_info["type"] == CREDENTIAL_TYPE_NAME
@@ -127,7 +128,7 @@ def self.make_creds_from_json options
         end
 
         source_credentials = DefaultCredentials.make_creds(
-          json_key_io: StringIO.new(MultiJson.dump(source_credentials_info))
+          json_key_io: StringIO.new(MultiJSON.generate(source_credentials_info))
         )
 
         impersonation_url = impersonated_json["service_account_impersonation_url"]
@@ -279,7 +280,7 @@ def fetch_access_token! _options = {}
 
         case resp.status
         when 200
-          response = MultiJson.load resp.body
+          response = MultiJSON.parse resp.body
           self.expires_at = response["expireTime"]
           @access_token = response["accessToken"]
           access_token
@@ -310,7 +311,7 @@ def make_impersonation_request auth_header
         connection.post @impersonation_url do |req|
           req.headers.merge! auth_header
           req.headers["Content-Type"] = "application/json"
-          req.body = MultiJson.dump({ scope: @scope })
+          req.body = MultiJSON.generate({ scope: @scope })
         end
       end
 

lib/googleauth/json_compat.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "multi_json"
+
+# MultiJSON was introduced as the canonical all-caps constant in multi_json 1.21.0,
+# along with parse/generate (replacing load/dump) and symbolize_names: (replacing
+# symbolize_keys:). For older versions we define a shim so all call sites can use
+# the 1.21+ API uniformly.
+# To be removed when we drop support for multi_json < 1.21.0
+unless defined?(::MultiJSON)
+  module ::MultiJSON # rubocop:disable Style/Documentation
+    def self.parse str, opts = {}
+      opts[:symbolize_keys] = opts.delete(:symbolize_names) if opts.key? :symbolize_names
+      MultiJson.load str, opts
+    end
+
+    def self.generate obj, opts = {}
+      MultiJson.dump obj, opts
+    end
+
+    ParseError = MultiJson::ParseError
+  end
+end

lib/googleauth/json_key_reader.rb

@@ -13,6 +13,7 @@
 # limitations under the License.
 
 require "googleauth/errors"
+require "googleauth/json_compat"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -29,7 +30,7 @@ module JsonKeyReader
       # @raise [Google::Auth::InitializationError] If client_email or private_key
       #   fields are missing from the JSON
       def read_json_key json_key_io
-        json_key = MultiJson.load json_key_io.read
+        json_key = MultiJSON.parse json_key_io.read
         raise InitializationError, "missing client_email" unless json_key.key? "client_email"
         raise InitializationError, "missing private_key" unless json_key.key? "private_key"
         [

lib/googleauth/oauth2/sts_client.rb

@@ -14,6 +14,7 @@
 
 require "googleauth/errors"
 require "googleauth/helpers/connection"
+require "googleauth/json_compat"
 
 module Google
   module Auth
@@ -89,7 +90,7 @@ def exchange_token options = {}
             raise AuthorizationError, "Token exchange failed with status #{response.status}"
           end
 
-          MultiJson.load response.body
+          MultiJSON.parse response.body
         end
 
         private
@@ -104,7 +105,7 @@ def make_request options = {}
             subject_token_type: options[:subject_token_type]
           }
           unless options[:additional_options].nil?
-            request_body[:options] = CGI.escape MultiJson.dump(options[:additional_options], symbolize_name: true)
+            request_body[:options] = CGI.escape MultiJSON.generate(options[:additional_options])
           end
           request_body
         end

lib/googleauth/scope_util.rb

@@ -14,7 +14,7 @@
 
 require "googleauth/signet"
 require "googleauth/credentials_loader"
-require "multi_json"
+require "googleauth/json_compat"
 
 module Google
   module Auth

lib/googleauth/service_account.rb

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 require "jwt"
-require "multi_json"
+require "googleauth/json_compat"
 require "stringio"
 
 require "google/logging/message"
@@ -66,12 +66,12 @@ def self.make_creds options = {} # rubocop:disable Metrics/MethodLength
 
         private_key, client_email, project_id, quota_project_id, universe_domain =
           if json_key_io
-            json_key = MultiJson.load json_key_io.read
+            json_key = MultiJSON.parse json_key_io.read
             if json_key.key? "type"
               json_key_io.rewind
             else # Defaults to class credential 'type' if missing.
               json_key["type"] = CREDENTIAL_TYPE_NAME
-              json_key_io = StringIO.new MultiJson.dump(json_key)
+              json_key_io = StringIO.new MultiJSON.generate(json_key)
             end
             CredentialsLoader.load_and_verify_json_key_type json_key_io, CREDENTIAL_TYPE_NAME
             read_json_key json_key_io

lib/googleauth/user_authorizer.rb

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 require "uri"
-require "multi_json"
+require "googleauth/json_compat"
 require "googleauth/signet"
 require "googleauth/user_refresh"
 require "securerandom"
@@ -140,7 +140,7 @@ def get_authorization_url options = {}
       def get_credentials user_id, scope = nil
         saved_token = stored_token user_id
         return nil if saved_token.nil?
-        data = MultiJson.load saved_token
+        data = MultiJSON.parse saved_token
 
         if data.fetch("client_id", @client_id.id) != @client_id.id
           raise CredentialsError.with_details(
@@ -250,7 +250,7 @@ def revoke_authorization user_id
       # @return [Google::Auth::UserRefreshCredentials]
       #  The stored credentials
       def store_credentials user_id, credentials
-        json = MultiJson.dump(
+        json = MultiJSON.generate(
           client_id:              credentials.client_id,
           access_token:           credentials.access_token,
           refresh_token:          credentials.refresh_token,