fix(storage): cache legacy credentials (#11333)

I think we missed the caching feature during the multiple refactorings.
The test is (maybe) not ideal, but the API is not easy to test, and we
do not want to change it.

This is a backport from `main`, with changes to work without
`IsOkAndHolds()`.

Author: coryan

google/cloud/storage/oauth2/service_account_credentials.cc

@@ -16,6 +16,7 @@
 #include "google/cloud/storage/internal/make_jwt_assertion.h"
 #include "google/cloud/storage/internal/openssl_util.h"
 #include "google/cloud/internal/absl_str_join_quiet.h"
+#include "google/cloud/internal/oauth2_cached_credentials.h"
 #include "google/cloud/internal/oauth2_service_account_credentials.h"
 #include <nlohmann/json.hpp>
 #include <openssl/err.h>
@@ -122,12 +123,13 @@ ServiceAccountCredentials<storage::internal::CurlRequestBuilder,
                           std::chrono::system_clock>::
     ServiceAccountCredentials(ServiceAccountCredentialsInfo info,
                               ChannelOptions const& options)
-    : impl_(std::make_unique<oauth2_internal::ServiceAccountCredentials>(
-          internal::MapServiceAccountCredentialsInfo(std::move(info)),
-          Options{}.set<CARootsFilePathOption>(options.ssl_root_path()),
-          [](Options const& o) {
-            return rest_internal::MakeDefaultRestClient(std::string{}, o);
-          })) {}
+    : impl_(std::make_unique<oauth2_internal::CachedCredentials>(
+          std::make_unique<oauth2_internal::ServiceAccountCredentials>(
+              internal::MapServiceAccountCredentialsInfo(std::move(info)),
+              Options{}.set<CARootsFilePathOption>(options.ssl_root_path()),
+              [](Options const& o) {
+                return rest_internal::MakeDefaultRestClient(std::string{}, o);
+              }))) {}
 
 }  // namespace oauth2
 

google/cloud/storage/oauth2/service_account_credentials.h

@@ -243,7 +243,12 @@ class ServiceAccountCredentials<storage::internal::CurlRequestBuilder,
   std::string KeyId() const override { return impl_->KeyId(); }
 
  private:
-  std::unique_ptr<oauth2_internal::ServiceAccountCredentials> impl_;
+  friend struct ServiceAccountCredentialsTester;
+  StatusOr<std::string> AuthorizationHeaderForTesting(
+      std::chrono::system_clock::time_point tp) {
+    return oauth2_internal::AuthorizationHeaderJoined(*impl_, tp);
+  }
+  std::unique_ptr<oauth2_internal::Credentials> impl_;
 };
 
 /// @copydoc ServiceAccountCredentials

google/cloud/storage/oauth2/service_account_credentials_test.cc

@@ -36,6 +36,16 @@ namespace cloud {
 namespace storage {
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
 namespace oauth2 {
+
+// Define a helper to test the specialization.
+struct ServiceAccountCredentialsTester {
+  static StatusOr<std::string> Header(
+      ServiceAccountCredentials<>& tested,
+      std::chrono::system_clock::time_point tp) {
+    return tested.AuthorizationHeaderForTesting(tp);
+  }
+};
+
 namespace {
 
 using ::google::cloud::internal::SignUsingSha256;
@@ -821,6 +831,33 @@ TEST_F(ServiceAccountCredentialsTest, UseOauth) {
   }
 }
 
+TEST_F(ServiceAccountCredentialsTest, CachingWithSelfSignedJwt) {
+  auto clear = ScopedEnvironment(
+      "GOOGLE_CLOUD_CPP_EXPERIMENTAL_DISABLE_SELF_SIGNED_JWT", absl::nullopt);
+  auto info = ParseServiceAccountCredentials(MakeTestContents(), "test");
+  ASSERT_STATUS_OK(info);
+
+  ServiceAccountCredentials<> tested(*info);
+  auto tp = std::chrono::system_clock::now();
+  auto initial = ServiceAccountCredentialsTester::Header(tested, tp);
+  ASSERT_STATUS_OK(initial);
+
+  auto cached = ServiceAccountCredentialsTester::Header(
+      tested, tp + std::chrono::seconds(30));
+  ASSERT_STATUS_OK(cached);
+  EXPECT_THAT(*cached, *initial);
+
+  cached = ServiceAccountCredentialsTester::Header(
+      tested, tp + std::chrono::seconds(300));
+  ASSERT_STATUS_OK(cached);
+  EXPECT_THAT(*cached, *initial);
+
+  auto uncached = ServiceAccountCredentialsTester::Header(
+      tested, tp + std::chrono::hours(2));
+  ASSERT_STATUS_OK(uncached);
+  EXPECT_NE(*initial, *uncached);
+}
+
 }  // namespace
 }  // namespace oauth2
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END