impl: parse impersonated ADC json (#14809)

dbolduc · web-flow · commit a41a13674881 · 2024-10-31T12:23:51.000-04:00
diff --git a/google/cloud/internal/oauth2_impersonate_service_account_credentials.cc b/google/cloud/internal/oauth2_impersonate_service_account_credentials.cc
@@ -13,8 +13,11 @@
 // limitations under the License.
 
 #include "google/cloud/internal/oauth2_impersonate_service_account_credentials.h"
+#include "google/cloud/internal/make_status.h"
 #include "google/cloud/internal/oauth2_credential_constants.h"
 #include "google/cloud/internal/unified_rest_credentials.h"
+#include "absl/strings/strip.h"
+#include <nlohmann/json.hpp>
 
 namespace google {
 namespace cloud {
@@ -34,6 +37,103 @@ GenerateAccessTokenRequest MakeRequest(
 
 }  // namespace
 
+StatusOr<ImpersonatedServiceAccountCredentialsInfo>
+ParseImpersonatedServiceAccountCredentials(std::string const& content,
+                                           std::string const& source) {
+  auto credentials = nlohmann::json::parse(content, nullptr, false);
+  if (credentials.is_discarded()) {
+    return internal::InvalidArgumentError(
+        "Invalid ImpersonateServiceAccountCredentials, parsing failed on data "
+        "from " +
+            source,
+        GCP_ERROR_INFO());
+  }
+
+  ImpersonatedServiceAccountCredentialsInfo info;
+
+  auto it = credentials.find("service_account_impersonation_url");
+  if (it == credentials.end()) {
+    return internal::InvalidArgumentError(
+        "Missing `service_account_impersonation_url` field on data from " +
+            source,
+        GCP_ERROR_INFO());
+  }
+  if (!it->is_string()) {
+    return internal::InvalidArgumentError(
+        "Malformed `service_account_impersonation_url` field is not a string "
+        "on data from " +
+            source,
+        GCP_ERROR_INFO());
+  }
+  // We strip the service account from the path URL.
+  auto url = it->get<std::string>();
+  auto colon = url.rfind(':');
+  if (colon == std::string::npos) {
+    return internal::InvalidArgumentError(
+        "Malformed `service_account_impersonation_url` field contents on data "
+        "from " +
+            source,
+        GCP_ERROR_INFO());
+  }
+  if (url.substr(colon) != ":generateAccessToken") {
+    // While `generateIdToken` is a valid RPC, we do not currently support ID
+    // token flow. So we might as well error when parsing the credentials.
+    return internal::InvalidArgumentError(
+        "Only access token authentication is supported for impersonated "
+        "service accounts from " +
+            source,
+        GCP_ERROR_INFO());
+  }
+  auto slash = url.rfind('/', colon);
+  if (slash == std::string::npos) {
+    return internal::InvalidArgumentError(
+        "Malformed `service_account_impersonation_url` field contents on data "
+        "from " +
+            source,
+        GCP_ERROR_INFO());
+  }
+  info.service_account = std::string{url.substr(slash + 1, colon - slash - 1)};
+
+  it = credentials.find("delegates");
+  if (it != credentials.end()) {
+    if (!it->is_array()) {
+      return internal::InvalidArgumentError(
+          "Malformed `delegates` field is not an array on data from " + source,
+          GCP_ERROR_INFO());
+    }
+    for (auto const& delegate : it->items()) {
+      info.delegates.push_back(delegate.value().get<std::string>());
+    }
+  }
+
+  it = credentials.find("quota_project_id");
+  if (it != credentials.end()) {
+    if (!it->is_string()) {
+      return internal::InvalidArgumentError(
+          "Malformed `quota_project_id` field is not a string on data from " +
+              source,
+          GCP_ERROR_INFO());
+    }
+    info.quota_project_id = it->get<std::string>();
+  }
+
+  it = credentials.find("source_credentials");
+  if (it == credentials.end()) {
+    return internal::InvalidArgumentError(
+        "Missing `source_credentials` field on data from " + source,
+        GCP_ERROR_INFO());
+  }
+  if (!it->is_object()) {
+    return internal::InvalidArgumentError(
+        "Malformed `source_credentials` field is not an object on data from " +
+            source,
+        GCP_ERROR_INFO());
+  }
+  info.source_credentials = it->dump();
+
+  return info;
+}
+
 ImpersonateServiceAccountCredentials::ImpersonateServiceAccountCredentials(
     google::cloud::internal::ImpersonateServiceAccountConfig const& config,
     HttpClientFactory client_factory)
diff --git a/google/cloud/internal/oauth2_impersonate_service_account_credentials.h b/google/cloud/internal/oauth2_impersonate_service_account_credentials.h
@@ -26,6 +26,19 @@ namespace cloud {
 namespace oauth2_internal {
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
 
+struct ImpersonatedServiceAccountCredentialsInfo {
+  std::string service_account;
+  std::vector<std::string> delegates;
+  absl::optional<std::string> quota_project_id;
+  std::string source_credentials;
+};
+
+/// Parses the contents of a JSON keyfile into an
+/// ImpersonatedServiceAccountCredentialsInfo.
+StatusOr<ImpersonatedServiceAccountCredentialsInfo>
+ParseImpersonatedServiceAccountCredentials(std::string const& content,
+                                           std::string const& source);
+
 /**
  * Provides Credentials when impersonating an existing service account.
  */
diff --git a/google/cloud/internal/oauth2_impersonate_service_account_credentials_test.cc b/google/cloud/internal/oauth2_impersonate_service_account_credentials_test.cc
@@ -15,6 +15,7 @@
 #include "google/cloud/internal/oauth2_impersonate_service_account_credentials.h"
 #include "google/cloud/testing_util/status_matchers.h"
 #include <gmock/gmock.h>
+#include <nlohmann/json.hpp>
 #include <memory>
 
 namespace google {
@@ -30,8 +31,83 @@ using ::google::cloud::testing_util::IsOkAndHolds;
 using ::google::cloud::testing_util::StatusIs;
 using ::std::chrono::minutes;
 using ::std::chrono::seconds;
+using ::testing::AllOf;
+using ::testing::ElementsAre;
+using ::testing::HasSubstr;
+using ::testing::Optional;
 using ::testing::Return;
 
+auto constexpr kFullValidConfig = R"""({
+  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa3@developer.gserviceaccount.com:generateAccessToken",
+  "delegates": [
+    "sa1@developer.gserviceaccount.com",
+    "sa2@developer.gserviceaccount.com"
+  ],
+  "quota_project_id": "my-project",
+  "source_credentials": {
+    "type": "authorized_user"
+  },
+  "type": "impersonated_service_account"
+})""";
+
+TEST(ParseImpersonatedServiceAccountCredentials, Success) {
+  auto actual =
+      ParseImpersonatedServiceAccountCredentials(kFullValidConfig, "test-data");
+  ASSERT_STATUS_OK(actual);
+  EXPECT_EQ(actual->service_account, "sa3@developer.gserviceaccount.com");
+  EXPECT_THAT(actual->delegates,
+              ElementsAre("sa1@developer.gserviceaccount.com",
+                          "sa2@developer.gserviceaccount.com"));
+  EXPECT_THAT(actual->quota_project_id, Optional<std::string>("my-project"));
+  EXPECT_THAT(actual->source_credentials,
+              AllOf(HasSubstr("type"), HasSubstr("authorized_user")));
+}
+
+TEST(ParseImpersonatedServiceAccountCredentials, MissingRequiredFieldsError) {
+  for (auto const& required_field :
+       {"service_account_impersonation_url", "source_credentials"}) {
+    auto json = nlohmann::json::parse(kFullValidConfig);
+    json.erase(required_field);
+    auto actual = ParseImpersonatedServiceAccountCredentials(json.dump(), "");
+    EXPECT_THAT(actual, StatusIs(StatusCode::kInvalidArgument,
+                                 AllOf(HasSubstr("Missing"),
+                                       HasSubstr(required_field))));
+  }
+}
+
+TEST(ParseImpersonatedServiceAccountCredentials, MissingOptionalFieldsIsOk) {
+  for (auto const& optional_field : {"delegates", "quota_project_id"}) {
+    auto json = nlohmann::json::parse(kFullValidConfig);
+    json.erase(optional_field);
+    auto actual = ParseImpersonatedServiceAccountCredentials(json.dump(), "");
+    EXPECT_STATUS_OK(actual);
+  }
+}
+
+TEST(ParseImpersonatedServiceAccountCredentials, MalformedServiceAccountPath) {
+  auto json = nlohmann::json::parse(kFullValidConfig);
+  json["service_account_impersonation_url"] = "not-a-valid-url-path";
+  auto actual = ParseImpersonatedServiceAccountCredentials(json.dump(), "");
+  EXPECT_THAT(actual,
+              StatusIs(StatusCode::kInvalidArgument,
+                       AllOf(HasSubstr("Malformed"),
+                             HasSubstr("service_account_impersonation_url"),
+                             HasSubstr("contents"))));
+}
+
+TEST(ParseImpersonatedServiceAccountCredentials, MalformedJsonFields) {
+  for (auto const& non_int_field :
+       {"service_account_impersonation_url", "delegates", "quota_project_id",
+        "source_credentials"}) {
+    auto json = nlohmann::json::parse(kFullValidConfig);
+    json[non_int_field] = 0;  // Provide an unexpected JSON type
+    auto actual = ParseImpersonatedServiceAccountCredentials(json.dump(), "");
+    EXPECT_THAT(actual, StatusIs(StatusCode::kInvalidArgument,
+                                 AllOf(HasSubstr("Malformed"),
+                                       HasSubstr(non_int_field))));
+  }
+}
+
 class MockMinimalIamCredentialsRest : public MinimalIamCredentialsRest {
  public:
   MOCK_METHOD(StatusOr<google::cloud::AccessToken>, GenerateAccessToken,
