impl(common): file-sourced subject tokens (#10277)

coryan · web-flow · commit 2cef6b6bda3c · 2022-11-19T17:30:47.000Z
To support external accounts credentials (aka BYOID) we need to support
reading the subject token from a file. The file itself can be in either
text or JSON format.
diff --git a/google/cloud/google_cloud_cpp_rest_internal.bzl b/google/cloud/google_cloud_cpp_rest_internal.bzl
@@ -27,6 +27,7 @@ google_cloud_cpp_rest_internal_hdrs = [
     "internal/curl_rest_response.h",
     "internal/curl_wrappers.h",
     "internal/external_account_parsing.h",
+    "internal/external_account_token_source_file.h",
     "internal/http_payload.h",
     "internal/make_jwt_assertion.h",
     "internal/oauth2_access_token_credentials.h",
@@ -36,6 +37,7 @@ google_cloud_cpp_rest_internal_hdrs = [
     "internal/oauth2_credential_constants.h",
     "internal/oauth2_credentials.h",
     "internal/oauth2_error_credentials.h",
+    "internal/oauth2_external_account_token_source.h",
     "internal/oauth2_google_application_default_credentials_file.h",
     "internal/oauth2_google_credentials.h",
     "internal/oauth2_impersonate_service_account_credentials.h",
@@ -63,6 +65,7 @@ google_cloud_cpp_rest_internal_srcs = [
     "internal/curl_rest_response.cc",
     "internal/curl_wrappers.cc",
     "internal/external_account_parsing.cc",
+    "internal/external_account_token_source_file.cc",
     "internal/make_jwt_assertion.cc",
     "internal/oauth2_access_token_credentials.cc",
     "internal/oauth2_anonymous_credentials.cc",
diff --git a/google/cloud/google_cloud_cpp_rest_internal.cmake b/google/cloud/google_cloud_cpp_rest_internal.cmake
@@ -40,6 +40,8 @@ add_library(
     internal/curl_wrappers.h
     internal/external_account_parsing.cc
     internal/external_account_parsing.h
+    internal/external_account_token_source_file.cc
+    internal/external_account_token_source_file.h
     internal/http_payload.h
     internal/make_jwt_assertion.cc
     internal/make_jwt_assertion.h
@@ -56,6 +58,7 @@ add_library(
     internal/oauth2_credentials.h
     internal/oauth2_error_credentials.cc
     internal/oauth2_error_credentials.h
+    internal/oauth2_external_account_token_source.h
     internal/oauth2_google_application_default_credentials_file.cc
     internal/oauth2_google_application_default_credentials_file.h
     internal/oauth2_google_credentials.cc
@@ -195,6 +198,7 @@ if (BUILD_TESTING)
         internal/curl_wrappers_locking_enabled_test.cc
         internal/curl_wrappers_test.cc
         internal/external_account_parsing_test.cc
+        internal/external_account_token_source_file_test.cc
         internal/make_jwt_assertion_test.cc
         internal/oauth2_access_token_credentials_test.cc
         internal/oauth2_anonymous_credentials_test.cc
diff --git a/google/cloud/google_cloud_cpp_rest_internal_unit_tests.bzl b/google/cloud/google_cloud_cpp_rest_internal_unit_tests.bzl
@@ -30,6 +30,7 @@ google_cloud_cpp_rest_internal_unit_tests = [
     "internal/curl_wrappers_locking_enabled_test.cc",
     "internal/curl_wrappers_test.cc",
     "internal/external_account_parsing_test.cc",
+    "internal/external_account_token_source_file_test.cc",
     "internal/make_jwt_assertion_test.cc",
     "internal/oauth2_access_token_credentials_test.cc",
     "internal/oauth2_anonymous_credentials_test.cc",
diff --git a/google/cloud/internal/external_account_token_source_file.cc b/google/cloud/internal/external_account_token_source_file.cc
@@ -0,0 +1,133 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/external_account_token_source_file.h"
+#include "google/cloud/internal/absl_str_cat_quiet.h"
+#include "google/cloud/internal/external_account_parsing.h"
+#include "google/cloud/internal/make_status.h"
+#include <fstream>
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace {
+
+Status BadFile(internal::ErrorContext const& ec) {
+  return InvalidArgumentError("error reading subject token file",
+                              GCP_ERROR_INFO().WithContext(ec));
+}
+
+StatusOr<internal::SubjectToken> TextFileReader(
+    std::string const& filename, internal::ErrorContext const& ec) {
+  std::ifstream is(filename);
+  auto contents = std::string{std::istreambuf_iterator<char>(is.rdbuf()), {}};
+  if (!is.is_open() || is.bad()) return BadFile(ec);
+  return internal::SubjectToken{std::move(contents)};
+}
+
+StatusOr<internal::SubjectToken> JsonFileReader(
+    std::string const& filename, std::string const& field_name,
+    internal::ErrorContext const& ec) {
+  std::ifstream is(filename);
+  auto contents = std::string{std::istreambuf_iterator<char>(is.rdbuf()), {}};
+  if (!is.is_open() || is.bad()) return BadFile(ec);
+  auto json = nlohmann::json::parse(contents, nullptr, false);
+  auto error_details = [&](std::string const& msg) {
+    return msg + " in JSON object loaded from `" + filename +
+           "`, with subject_token_field `" + field_name + "`";
+  };
+  if (!json.is_object()) {
+    return InvalidArgumentError(error_details("parse error"),
+                                GCP_ERROR_INFO().WithContext(ec));
+  }
+  auto it = json.find(field_name);
+  if (it == json.end()) {
+    return InvalidArgumentError(error_details("subject token field not found"),
+                                GCP_ERROR_INFO().WithContext(ec));
+  }
+  if (!it->is_string()) {
+    return InvalidArgumentError(error_details("invalid type for token field"),
+                                GCP_ERROR_INFO().WithContext(ec));
+  }
+  return internal::SubjectToken{it->get<std::string>()};
+}
+
+struct Format {
+  std::string type;
+  std::string subject_token_field_name;
+};
+
+StatusOr<Format> ParseFormat(nlohmann::json const& credentials_source,
+                             internal::ErrorContext const& ec) {
+  auto it = credentials_source.find("format");
+  if (it == credentials_source.end()) return Format{"text", {}};
+  if (!it->is_object()) {
+    return InvalidArgumentError(
+        "invalid type for `format` field in `credentials_source`",
+        GCP_ERROR_INFO().WithContext(ec));
+  }
+  auto const& format = *it;
+  auto type = ValidateStringField(format, "type", "credentials_source.format",
+                                  "text", ec);
+  if (!type) return std::move(type).status();
+  if (*type == "text") return Format{"text", {}};
+  if (*type != "json") {
+    return InvalidArgumentError(
+        absl::StrCat("invalid file type <", *type, "> in `credentials_source`"),
+        GCP_ERROR_INFO().WithContext(ec));
+  }
+  auto field = ValidateStringField(format, "subject_token_field_name",
+                                   "credentials_source.format", ec);
+  if (!field) return std::move(field).status();
+  return Format{*std::move(type), *std::move(field)};
+}
+
+}  // namespace
+
+StatusOr<ExternalAccountTokenSource> MakeExternalAccountTokenSourceFile(
+    nlohmann::json const& credentials_source,
+    internal::ErrorContext const& ec) {
+  auto file =
+      ValidateStringField(credentials_source, "file", "credentials_source", ec);
+  if (!file) return std::move(file).status();
+
+  // Make a copy. Most of the time this function should succeed, and we need the
+  // copy for the lambda captures.
+  auto context = ec;
+  context.emplace_back("credentials_source.type", "file");
+  context.emplace_back("credentials_source.file.filename", *file);
+  auto format = ParseFormat(credentials_source, context);
+  if (!format) return std::move(format).status();
+  if (format->type == "text") {
+    context.emplace_back("credentials_source.file.type", "text");
+    return ExternalAccountTokenSource{
+        [f = *std::move(file), ec = std::move(context)](Options const&) {
+          return TextFileReader(f, ec);
+        }};
+  }
+  context.emplace_back("credentials_source.file.type", "json");
+  context.emplace_back("credentials_source.file.source_token_field_name",
+                       format->subject_token_field_name);
+  return ExternalAccountTokenSource{[f = *std::move(file),
+                                     field = format->subject_token_field_name,
+                                     ec = std::move(context)](Options const&) {
+    return JsonFileReader(f, field, ec);
+  }};
+}
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
diff --git a/google/cloud/internal/external_account_token_source_file.h b/google/cloud/internal/external_account_token_source_file.h
@@ -0,0 +1,58 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_TOKEN_SOURCE_FILE_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_TOKEN_SOURCE_FILE_H
+
+#include "google/cloud/internal/error_metadata.h"
+#include "google/cloud/internal/oauth2_external_account_token_source.h"
+#include "google/cloud/version.h"
+#include <nlohmann/json.hpp>
+#include <functional>
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+/**
+ * Creates an `ExternalAccountTokenSource` for URL-based credential sources.
+ *
+ * External accounts credentials use [OAuth 2.0 Token Exchange][RFC 8693] to
+ * convert a "subject token" into an "access token". The latter is used (as one
+ * would expect) to access GCP services.
+ *
+ * External accounts may obtain the subject tokens from several different
+ * sources. Tokens may be [file-sourced], meaning the client library needs to
+ * fetch the subject token from a local file. This function validates the
+ * configuration for file-sourced subject tokens, and returns (if the validation
+ * is successful) a functor to fetch the token from the URL.
+ *
+ * Note that reading the file may fail after this function returns successfully.
+ * For example, the file may be deleted, or its contents fail to parse after
+ * the initial read.
+ *
+ * [RFC 8693]: https://www.rfc-editor.org/rfc/rfc8693.html
+ * [file-sourced]:
+ * https://google.aip.dev/auth/4117#determining-the-subject-token-in-file-sourced-credentials
+ */
+StatusOr<ExternalAccountTokenSource> MakeExternalAccountTokenSourceFile(
+    nlohmann::json const& credentials_source, internal::ErrorContext const& ec);
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_TOKEN_SOURCE_FILE_H
diff --git a/google/cloud/internal/external_account_token_source_file_test.cc b/google/cloud/internal/external_account_token_source_file_test.cc
diff --git a/google/cloud/internal/oauth2_external_account_token_source.h b/google/cloud/internal/oauth2_external_account_token_source.h
