impl(common): helper functions to parse JSON configuration (#10274)

To support workload/workforce identity federation (aka BYOID,
aka external accounts) we will need to valid the JSON configuration.
This involves a lot of "is this field there and is it a string", or "if
the field is not there use this default, otherwise it must be a
string". These two functions save a lot of repetition in the validation
code.

Author: coryan

google/cloud/google_cloud_cpp_rest_internal.bzl

@@ -26,6 +26,7 @@ google_cloud_cpp_rest_internal_hdrs = [
     "internal/curl_rest_client.h",
     "internal/curl_rest_response.h",
     "internal/curl_wrappers.h",
+    "internal/external_account_parsing.h",
     "internal/http_payload.h",
     "internal/make_jwt_assertion.h",
     "internal/oauth2_access_token_credentials.h",
@@ -61,6 +62,7 @@ google_cloud_cpp_rest_internal_srcs = [
     "internal/curl_rest_client.cc",
     "internal/curl_rest_response.cc",
     "internal/curl_wrappers.cc",
+    "internal/external_account_parsing.cc",
     "internal/make_jwt_assertion.cc",
     "internal/oauth2_access_token_credentials.cc",
     "internal/oauth2_anonymous_credentials.cc",

google/cloud/google_cloud_cpp_rest_internal.cmake

@@ -38,6 +38,8 @@ add_library(
     internal/curl_rest_response.h
     internal/curl_wrappers.cc
     internal/curl_wrappers.h
+    internal/external_account_parsing.cc
+    internal/external_account_parsing.h
     internal/http_payload.h
     internal/make_jwt_assertion.cc
     internal/make_jwt_assertion.h
@@ -192,6 +194,7 @@ if (BUILD_TESTING)
         internal/curl_wrappers_locking_disabled_test.cc
         internal/curl_wrappers_locking_enabled_test.cc
         internal/curl_wrappers_test.cc
+        internal/external_account_parsing_test.cc
         internal/make_jwt_assertion_test.cc
         internal/oauth2_access_token_credentials_test.cc
         internal/oauth2_anonymous_credentials_test.cc

google/cloud/google_cloud_cpp_rest_internal_unit_tests.bzl

@@ -29,6 +29,7 @@ google_cloud_cpp_rest_internal_unit_tests = [
     "internal/curl_wrappers_locking_disabled_test.cc",
     "internal/curl_wrappers_locking_enabled_test.cc",
     "internal/curl_wrappers_test.cc",
+    "internal/external_account_parsing_test.cc",
     "internal/make_jwt_assertion_test.cc",
     "internal/oauth2_access_token_credentials_test.cc",
     "internal/oauth2_anonymous_credentials_test.cc",

google/cloud/internal/external_account_parsing.cc

@@ -0,0 +1,60 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/external_account_parsing.h"
+#include "google/cloud/internal/absl_str_cat_quiet.h"
+#include "google/cloud/internal/make_status.h"
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+StatusOr<std::string> ValidateStringField(nlohmann::json const& json,
+                                          absl::string_view name,
+                                          absl::string_view object_name,
+                                          internal::ErrorContext const& ec) {
+  auto it = json.find(std::string{name});
+  if (it == json.end()) {
+    return InvalidArgumentError(
+        absl::StrCat("cannot find `", name, "` field in `", object_name, "`"),
+        GCP_ERROR_INFO().WithContext(ec));
+  }
+  if (!it->is_string()) {
+    return InvalidArgumentError(absl::StrCat("invalid type for `", name,
+                                             "` field in `", object_name, "`"),
+                                GCP_ERROR_INFO().WithContext(ec));
+  }
+  return it->get<std::string>();
+}
+
+StatusOr<std::string> ValidateStringField(nlohmann::json const& json,
+                                          absl::string_view name,
+                                          absl::string_view object_name,
+                                          absl::string_view default_value,
+                                          internal::ErrorContext const& ec) {
+  auto it = json.find(std::string{name});
+  if (it == json.end()) return std::string{default_value};
+  if (!it->is_string()) {
+    return InvalidArgumentError(absl::StrCat("invalid type for `", name,
+                                             "` field in `", object_name, "`"),
+                                GCP_ERROR_INFO().WithContext(ec));
+  }
+  return it->get<std::string>();
+}
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google

google/cloud/internal/external_account_parsing.h

@@ -0,0 +1,50 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_PARSING_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_PARSING_H
+
+#include "google/cloud/internal/error_metadata.h"
+#include "google/cloud/status_or.h"
+#include "google/cloud/version.h"
+#include "absl/strings/string_view.h"
+#include <nlohmann/json.hpp>
+#include <string>
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+/// Returns the string value for `json[name]` (which must exist) or a
+/// descriptive error.
+StatusOr<std::string> ValidateStringField(nlohmann::json const& json,
+                                          absl::string_view name,
+                                          absl::string_view object_name,
+                                          internal::ErrorContext const& ec);
+
+/// Returns the string value for `json[name]`, a default value if it does not
+/// exist, or a descriptive error if it exists but it is not a string.
+StatusOr<std::string> ValidateStringField(nlohmann::json const& json,
+                                          absl::string_view name,
+                                          absl::string_view object_name,
+                                          absl::string_view default_value,
+                                          internal::ErrorContext const& ec);
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_PARSING_H

google/cloud/internal/external_account_parsing_test.cc

@@ -0,0 +1,106 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/external_account_parsing.h"
+#include "google/cloud/testing_util/status_matchers.h"
+#include <gmock/gmock.h>
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace {
+
+using ::google::cloud::testing_util::StatusIs;
+using ::testing::AllOf;
+using ::testing::Contains;
+using ::testing::HasSubstr;
+using ::testing::Pair;
+
+TEST(ExternalAccountParsing, ValidateStringFieldSuccess) {
+  auto const json = nlohmann::json{{"someField", "value"}};
+  auto actual = ValidateStringField(
+      json, "someField", "test-object",
+      internal::ErrorContext({{"origin", "test"}, {"filename", "/dev/null"}}));
+  ASSERT_STATUS_OK(actual);
+  EXPECT_EQ(*actual, "value");
+}
+
+TEST(ExternalAccountParsing, ValidateStringFieldMissing) {
+  auto const json = nlohmann::json{{"some-field", "value"}};
+  auto actual = ValidateStringField(
+      json, "missingField", "test-object",
+      internal::ErrorContext({{"origin", "test"}, {"filename", "/dev/null"}}));
+  EXPECT_THAT(actual, StatusIs(StatusCode::kInvalidArgument,
+                               AllOf(HasSubstr("missingField"),
+                                     HasSubstr("test-object"))));
+  EXPECT_THAT(actual.status().error_info().metadata(),
+              Contains(Pair("filename", "/dev/null")));
+  EXPECT_THAT(actual.status().error_info().metadata(),
+              Contains(Pair("origin", "test")));
+}
+
+TEST(ExternalAccountParsing, ValidateStringFieldNotString) {
+  auto const json =
+      nlohmann::json{{"some-field", "value"}, {"wrongType", true}};
+  auto actual = ValidateStringField(
+      json, "wrongType", "test-object",
+      internal::ErrorContext({{"origin", "test"}, {"filename", "/dev/null"}}));
+  EXPECT_THAT(actual, StatusIs(StatusCode::kInvalidArgument,
+                               AllOf(HasSubstr("wrongType"),
+                                     HasSubstr("test-object"))));
+  EXPECT_THAT(actual.status().error_info().metadata(),
+              Contains(Pair("filename", "/dev/null")));
+  EXPECT_THAT(actual.status().error_info().metadata(),
+              Contains(Pair("origin", "test")));
+}
+
+TEST(ExternalAccountParsing, ValidateStringFieldDefaultSuccess) {
+  auto const json = nlohmann::json{{"someField", "value"}};
+  auto actual = ValidateStringField(
+      json, "someField", "test-object", "default-value",
+      internal::ErrorContext({{"origin", "test"}, {"filename", "/dev/null"}}));
+  ASSERT_STATUS_OK(actual);
+  EXPECT_EQ(*actual, "value");
+}
+
+TEST(ExternalAccountParsing, ValidateStringFieldDefaultMissing) {
+  auto const json = nlohmann::json{{"anotherField", "value"}};
+  auto actual = ValidateStringField(
+      json, "someField", "test-object", "default-value",
+      internal::ErrorContext({{"origin", "test"}, {"filename", "/dev/null"}}));
+  ASSERT_STATUS_OK(actual);
+  EXPECT_EQ(*actual, "default-value");
+}
+
+TEST(ExternalAccountParsing, ValidateStringFieldDefaultNotString) {
+  auto const json =
+      nlohmann::json{{"some-field", "value"}, {"wrongType", true}};
+  auto actual = ValidateStringField(
+      json, "wrongType", "test-object", "default-value",
+      internal::ErrorContext({{"origin", "test"}, {"filename", "/dev/null"}}));
+  EXPECT_THAT(actual, StatusIs(StatusCode::kInvalidArgument,
+                               AllOf(HasSubstr("wrongType"),
+                                     HasSubstr("test-object"))));
+  EXPECT_THAT(actual.status().error_info().metadata(),
+              Contains(Pair("filename", "/dev/null")));
+  EXPECT_THAT(actual.status().error_info().metadata(),
+              Contains(Pair("origin", "test")));
+}
+
+}  // namespace
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google