impl(oauth2): relocate base oauth credentials (#8220)

scotthart · web-flow · commit d5d0977b2088 · 2022-02-04T16:47:50.000-05:00
diff --git a/google/cloud/CMakeLists.txt b/google/cloud/CMakeLists.txt
@@ -634,6 +634,10 @@ if (GOOGLE_CLOUD_CPP_ENABLE_REST)
         internal/curl_wrappers.h
         internal/http_payload.cc
         internal/http_payload.h
+        internal/oauth2_credentials.cc
+        internal/oauth2_credentials.h
+        internal/oauth2_error_credentials.cc
+        internal/oauth2_error_credentials.h
         internal/rest_client.cc
         internal/rest_client.h
         internal/rest_options.h
diff --git a/google/cloud/google_cloud_cpp_rest_internal.bzl b/google/cloud/google_cloud_cpp_rest_internal.bzl
@@ -24,6 +24,8 @@ google_cloud_cpp_rest_internal_hdrs = [
     "internal/curl_options.h",
     "internal/curl_wrappers.h",
     "internal/http_payload.h",
+    "internal/oauth2_credentials.h",
+    "internal/oauth2_error_credentials.h",
     "internal/rest_client.h",
     "internal/rest_options.h",
     "internal/rest_request.h",
@@ -37,6 +39,8 @@ google_cloud_cpp_rest_internal_srcs = [
     "internal/curl_impl.cc",
     "internal/curl_wrappers.cc",
     "internal/http_payload.cc",
+    "internal/oauth2_credentials.cc",
+    "internal/oauth2_error_credentials.cc",
     "internal/rest_client.cc",
     "internal/rest_request.cc",
     "internal/rest_response.cc",
diff --git a/google/cloud/internal/oauth2_credentials.cc b/google/cloud/internal/oauth2_credentials.cc
@@ -0,0 +1,31 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/oauth2_credentials.h"
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+StatusOr<std::vector<std::uint8_t>> Credentials::SignBlob(
+    std::string const&, std::string const&) const {
+  return Status(StatusCode::kUnimplemented,
+                "The current credentials cannot sign blobs locally");
+}
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
diff --git a/google/cloud/internal/oauth2_credentials.h b/google/cloud/internal/oauth2_credentials.h
@@ -0,0 +1,79 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_OAUTH2_CREDENTIALS_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_OAUTH2_CREDENTIALS_H
+
+#include "google/cloud/status.h"
+#include "google/cloud/status_or.h"
+#include "google/cloud/version.h"
+#include <string>
+#include <vector>
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+/**
+ * Interface for OAuth 2.0 credentials for use with Google's Unified Auth Client
+ * (GUAC) library. Internally, GUAC credentials are mapped to the appropriate
+ * OAuth 2.0 credential for use with GCP services with a REST API.
+ *
+ * Instantiating a specific kind of `Credentials` should usually be done via the
+ * GUAC convenience methods declared in google/cloud/credentials.h.
+ *
+ * @see https://cloud.google.com/docs/authentication/ for an overview of
+ * authenticating to Google Cloud Platform APIs.
+ */
+class Credentials {
+ public:
+  virtual ~Credentials() = default;
+
+  /**
+   * Attempts to obtain a value for the Authorization HTTP header.
+   *
+   * If unable to obtain a value for the Authorization header, which could
+   * happen for `Credentials` that need to be periodically refreshed, the
+   * underlying `Status` will indicate failure details from the refresh HTTP
+   * request. Otherwise, the returned value will contain the Authorization
+   * header to be used in HTTP requests.
+   */
+  virtual StatusOr<std::pair<std::string, std::string>>
+  AuthorizationHeader() = 0;
+
+  /**
+   * Try to sign @p string_to_sign using @p service_account.
+   *
+   * Some %Credentials types can locally sign a blob, most often just on behalf
+   * of an specific service account. This function returns an error if the
+   * credentials cannot sign the blob at all, or if the service account is a
+   * mismatch.
+   */
+  virtual StatusOr<std::vector<std::uint8_t>> SignBlob(
+      std::string const& signing_service_account,
+      std::string const& string_to_sign) const;
+
+  /// Return the account's email associated with these credentials, if any.
+  virtual std::string AccountEmail() const { return std::string{}; }
+
+  /// Return the account's key_id associated with these credentials, if any.
+  virtual std::string KeyId() const { return std::string{}; }
+};
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_OAUTH2_CREDENTIALS_H
diff --git a/google/cloud/internal/oauth2_error_credentials.cc b/google/cloud/internal/oauth2_error_credentials.cc
@@ -0,0 +1,30 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/oauth2_error_credentials.h"
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+StatusOr<std::pair<std::string, std::string>>
+ErrorCredentials::AuthorizationHeader() {
+  return status_;
+}
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
diff --git a/google/cloud/internal/oauth2_error_credentials.h b/google/cloud/internal/oauth2_error_credentials.h
@@ -0,0 +1,62 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_OAUTH2_ERROR_CREDENTIALS_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_OAUTH2_ERROR_CREDENTIALS_H
+
+#include "google/cloud/internal/oauth2_credentials.h"
+#include "google/cloud/version.h"
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+/**
+ * Report errors loading credentials when the RPC is called.
+ *
+ * With the "unified authentication client" approach the application just
+ * declares its *intent*, e.g., "load the default credentials", the actual work
+ * is delayed and depends on how the client library is implemented. We also want
+ * the behavior with gRPC and REST to be as similar as possible.
+ *
+ * For some credential types (e.g. service account impersonation) there may be
+ * problems with the credentials that are not manifest until after several RPCs
+ * succeed.
+ *
+ * For gRPC, creating the credentials always succeeds, but using them may fail.
+ *
+ * With REST we typically validate the credentials when loaded, and then again
+ * when we try to use them.
+ *
+ * This last approach was problematic, because it made some credentials fail
+ * early. This class allows us to treat all credentials, including REST
+ * credentials that failed to load as "evaluated at RPC time".
+ */
+class ErrorCredentials : public oauth2_internal::Credentials {
+ public:
+  explicit ErrorCredentials(Status status) : status_(std::move(status)) {}
+
+  StatusOr<std::pair<std::string, std::string>> AuthorizationHeader() override;
+
+ private:
+  Status status_;
+};
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_OAUTH2_ERROR_CREDENTIALS_H
