impl(common): a wrapper for subject tokens (#10267)

Author: coryan

google/cloud/google_cloud_cpp_common.bzl

@@ -68,6 +68,7 @@ google_cloud_cpp_common_hdrs = [
     "internal/sha256_hash.h",
     "internal/status_payload_keys.h",
     "internal/strerror.h",
+    "internal/subject_token.h",
     "internal/throw_delegate.h",
     "internal/tuple.h",
     "internal/type_list.h",
@@ -112,6 +113,7 @@ google_cloud_cpp_common_srcs = [
     "internal/sha256_hash.cc",
     "internal/status_payload_keys.cc",
     "internal/strerror.cc",
+    "internal/subject_token.cc",
     "internal/throw_delegate.cc",
     "internal/user_agent_prefix.cc",
     "kms_key_name.cc",

google/cloud/google_cloud_cpp_common.cmake

@@ -102,6 +102,8 @@ add_library(
     internal/status_payload_keys.h
     internal/strerror.cc
     internal/strerror.h
+    internal/subject_token.cc
+    internal/subject_token.h
     internal/throw_delegate.cc
     internal/throw_delegate.h
     internal/tuple.h
@@ -308,6 +310,7 @@ if (BUILD_TESTING)
         internal/sha256_hash_test.cc
         internal/status_payload_keys_test.cc
         internal/strerror_test.cc
+        internal/subject_token_test.cc
         internal/throw_delegate_test.cc
         internal/tuple_test.cc
         internal/type_list_test.cc

google/cloud/google_cloud_cpp_common_unit_tests.bzl

@@ -47,6 +47,7 @@ google_cloud_cpp_common_unit_tests = [
     "internal/sha256_hash_test.cc",
     "internal/status_payload_keys_test.cc",
     "internal/strerror_test.cc",
+    "internal/subject_token_test.cc",
     "internal/throw_delegate_test.cc",
     "internal/tuple_test.cc",
     "internal/type_list_test.cc",

google/cloud/internal/subject_token.cc

@@ -0,0 +1,35 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/subject_token.h"
+#include <ostream>
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+
+std::ostream& operator<<(std::ostream& os, SubjectToken const& rhs) {
+  // Tokens are truncated because they contain security secrets.
+  return os << "token=<" << rhs.token.substr(0, 32) << ">";
+}
+
+bool operator==(SubjectToken const& lhs, SubjectToken const& rhs) {
+  return lhs.token == rhs.token;
+}
+
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google

google/cloud/internal/subject_token.h

@@ -0,0 +1,56 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_SUBJECT_TOKEN_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_SUBJECT_TOKEN_H
+
+#include "google/cloud/version.h"
+#include <chrono>
+#include <iosfwd>
+#include <string>
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+
+/**
+ * A slightly more type-safe representation for subject tokens.
+ *
+ * External accounts credentials use [OAuth 2.0 Token Exchange][RFC 8693] to
+ * convert a "subject token" into an "access token". The latter is used (as one
+ * would expect) to access GCP services. Tokens are just strings. It is too easy
+ * to confuse their roles. A struct to wrap them provides enough type
+ * annotations to avoid most mistakes.
+ *
+ * [RFC 8693]: https://www.rfc-editor.org/rfc/rfc8693.html
+ */
+struct SubjectToken {
+  std::string token;
+};
+
+std::ostream& operator<<(std::ostream& os, SubjectToken const& rhs);
+
+bool operator==(SubjectToken const& lhs, SubjectToken const& rhs);
+
+inline bool operator!=(SubjectToken const& lhs, SubjectToken const& rhs) {
+  return !(lhs == rhs);
+}
+
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_SUBJECT_TOKEN_H

google/cloud/internal/subject_token_test.cc

@@ -0,0 +1,56 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/subject_token.h"
+#include <gmock/gmock.h>
+#include <sstream>
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+
+using ::testing::HasSubstr;
+
+TEST(SubjectToken, Compare) {
+  auto const a = SubjectToken{"a"};
+  auto const b = SubjectToken{"b"};
+  auto const c = SubjectToken{"b"};
+  EXPECT_EQ(a, a);
+  EXPECT_EQ(b, c);
+  EXPECT_NE(a, b);
+  EXPECT_NE(a, c);
+}
+
+TEST(SubjectToken, Stream) {
+  auto const token = std::string{
+      "123456789a"
+      "123456789b"
+      "123456789c"
+      "123456789d"};
+  auto const input = SubjectToken{token};
+  std::ostringstream os;
+  os << input;
+  auto const actual = std::move(os).str();
+  EXPECT_THAT(actual, HasSubstr("token=<"
+                                "123456789a"
+                                "123456789b"
+                                "123456789c"
+                                "12>"));
+}
+
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google