fix(oauth2): compute engine credential query (googleapis#8421)

scotthart · web-flow · commit 033fcd3890ff · 2022-02-19T21:44:44.000Z
* fix(oauth2): compute engine credential query
diff --git a/google/cloud/internal/curl_impl.cc b/google/cloud/internal/curl_impl.cc
@@ -654,6 +654,8 @@ Status CurlImpl::MakeRequest(CurlImpl::HttpMethod method,
   using HttpMethod = CurlImpl::HttpMethod;
   handle_.SetOption(CURLOPT_CUSTOMREQUEST, HttpMethodAsChar(method));
   handle_.SetOption(CURLOPT_UPLOAD, 0L);
+  handle_.SetOption(CURLOPT_FOLLOWLOCATION,
+                    options_.get<CurlFollowLocationOption>() ? 1L : 0L);
 
   if (method == HttpMethod::kGet) {
     handle_.SetOption(CURLOPT_NOPROGRESS, 1L);
diff --git a/google/cloud/internal/curl_options.h b/google/cloud/internal/curl_options.h
@@ -117,10 +117,18 @@ struct MaximumCurlSocketSendSizeOption {
   using Type = std::size_t;
 };
 
+/**
+ * Issue a new request to any Location header specified in a HTTP 3xx response.
+ */
+struct CurlFollowLocationOption {
+  using Type = bool;
+};
+
 using CurlOptionList = ::google::cloud::OptionList<
     ConnectionPoolSizeOption, EnableCurlSslLockingOption,
     EnableCurlSigpipeHandlerOption, MaximumCurlSocketRecvSizeOption,
-    MaximumCurlSocketSendSizeOption, CAPathOption, HttpVersionOption>;
+    MaximumCurlSocketSendSizeOption, CAPathOption, HttpVersionOption,
+    CurlFollowLocationOption>;
 
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
 }  // namespace rest_internal
diff --git a/google/cloud/internal/oauth2_compute_engine_credentials.cc b/google/cloud/internal/oauth2_compute_engine_credentials.cc
@@ -14,6 +14,7 @@
 
 #include "google/cloud/internal/oauth2_compute_engine_credentials.h"
 #include "google/cloud/internal/compute_engine_util.h"
+#include "google/cloud/internal/curl_options.h"
 #include "google/cloud/internal/getenv.h"
 #include "google/cloud/internal/oauth2_credential_constants.h"
 #include "google/cloud/internal/oauth2_credentials.h"
@@ -91,6 +92,7 @@ ComputeEngineCredentials::ComputeEngineCredentials(
       service_account_email_(std::move(service_account_email)),
       options_(std::move(options)) {
   if (!rest_client_) {
+    options_.set<rest_internal::CurlFollowLocationOption>(true);
     rest_client_ = rest_internal::GetDefaultRestClient(
         "http://" + google::cloud::internal::GceMetadataHostname(), options_);
   }
@@ -127,14 +129,13 @@ ComputeEngineCredentials::DoMetadataServerGetRequest(std::string const& path,
   request.SetPath(path);
   request.AddHeader("metadata-flavor", "Google");
   if (recursive) request.AddQueryParameter("recursive", "true");
-  return rest_client_->Post(request,
-                            std::vector<std::pair<std::string, std::string>>{});
+  return rest_client_->Get(request);
 }
 
 Status ComputeEngineCredentials::RetrieveServiceAccountInfo() const {
   auto response = DoMetadataServerGetRequest(
-      "/computeMetadata/v1/instance/service-accounts/" +
-          service_account_email_ + "/",
+      "computeMetadata/v1/instance/service-accounts/" + service_account_email_ +
+          "/",
       true);
   if (!response) {
     return std::move(response).status();
@@ -160,8 +161,8 @@ ComputeEngineCredentials::Refresh() const {
   }
 
   auto response = DoMetadataServerGetRequest(
-      "/computeMetadata/v1/instance/service-accounts/" +
-          service_account_email_ + "/token",
+      "computeMetadata/v1/instance/service-accounts/" + service_account_email_ +
+          "/token",
       false);
   if (!response) {
     return std::move(response).status();
diff --git a/google/cloud/internal/oauth2_compute_engine_credentials_test.cc b/google/cloud/internal/oauth2_compute_engine_credentials_test.cc
@@ -38,7 +38,6 @@ using ::google::cloud::testing_util::MockHttpPayload;
 using ::google::cloud::testing_util::MockRestClient;
 using ::google::cloud::testing_util::MockRestResponse;
 using ::google::cloud::testing_util::StatusIs;
-using ::testing::A;
 using ::testing::ByMove;
 using ::testing::Contains;
 using ::testing::Eq;
@@ -102,26 +101,21 @@ TEST_F(ComputeEngineCredentialsTest,
     return std::unique_ptr<HttpPayload>(std::move(mock_http_payload));
   });
 
-  EXPECT_CALL(
-      *mock_rest_client_,
-      Post(A<RestRequest>(),
-           A<std::vector<std::pair<std::string, std::string>> const&>()))
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+  EXPECT_CALL(*mock_rest_client_, Get)
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                alias + "/"));
         return std::unique_ptr<RestResponse>(std::move(mock_response1));
       })
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                email + "/token"));
         return std::unique_ptr<RestResponse>(std::move(mock_response2));
       });
@@ -348,37 +342,31 @@ TEST_F(ComputeEngineCredentialsTest, FailedRetrieveServiceAccountInfo) {
     return std::unique_ptr<HttpPayload>(std::move(mock_http_payload));
   });
 
-  EXPECT_CALL(
-      *mock_rest_client_,
-      Post(A<RestRequest>(),
-           A<std::vector<std::pair<std::string, std::string>> const&>()))
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+  EXPECT_CALL(*mock_rest_client_, Get)
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                alias + "/"));
         return Status{StatusCode::kAborted, "Fake Curl error", {}};
       })
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                alias + "/"));
         return std::unique_ptr<RestResponse>(std::move(mock_response2));
       })
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                alias + "/"));
         return std::unique_ptr<RestResponse>(std::move(mock_response3));
       });
@@ -485,88 +473,78 @@ TEST_F(ComputeEngineCredentialsTest, FailedRefresh) {
   });
 
   // Fail the first call to RetrieveServiceAccountInfo immediately.
-  EXPECT_CALL(
-      *mock_rest_client_,
-      Post(A<RestRequest>(),
-           A<std::vector<std::pair<std::string, std::string>> const&>()))
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+  EXPECT_CALL(*mock_rest_client_, Get)
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         // For the first expected failures, the alias is used until the metadata
         // request succeeds.
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                alias + "/"));
         return Status{StatusCode::kAborted, "Fake Curl error", {}};
       })
       // Make the call to RetrieveServiceAccountInfo return a good response,
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         // For the first expected failures, the alias is used until the metadata
         // request succeeds.
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                alias + "/"));
         return std::unique_ptr<RestResponse>(std::move(mock_response2));
       })
       // but fail the token request immediately.
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                email + "/token"));
         return Status{StatusCode::kAborted, "Fake Curl error", {}};
       })
       // Make the call to RetrieveServiceAccountInfo return a good response,
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         // Now that the first request has succeeded and the metadata has been
         // retrieved, the the email is used for refresh.
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                email + "/"));
         return std::unique_ptr<RestResponse>(std::move(mock_response4));
       })
       // but fail the token request with a bad HTTP error code.
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                email + "/token"));
         return std::unique_ptr<RestResponse>(std::move(mock_response5));
       })
       // Make the call to RetrieveServiceAccountInfo return a good response,
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         // Now that the first request has succeeded and the metadata has been
         // retrieved, the the email is used for refresh.
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                email + "/"));
         return std::unique_ptr<RestResponse>(std::move(mock_response6));
       })
       // but, parse with an invalid token response.
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                email + "/token"));
         return std::unique_ptr<RestResponse>(std::move(mock_response7));
       });
@@ -614,17 +592,13 @@ TEST_F(ComputeEngineCredentialsTest, AccountEmail) {
     return std::unique_ptr<HttpPayload>(std::move(mock_http_payload));
   });
 
-  EXPECT_CALL(
-      *mock_rest_client_,
-      Post(A<RestRequest>(),
-           A<std::vector<std::pair<std::string, std::string>> const&>()))
-      .WillOnce([&](RestRequest const& request,
-                    std::vector<std::pair<std::string, std::string>> const&) {
+  EXPECT_CALL(*mock_rest_client_, Get)
+      .WillOnce([&](RestRequest const& request) {
         EXPECT_THAT(request.GetHeader("metadata-flavor"), Contains("Google"));
         EXPECT_THAT(request.GetQueryParameter("recursive"), Contains("true"));
         EXPECT_THAT(
             request.path(),
-            Eq(std::string("/computeMetadata/v1/instance/service-accounts/") +
+            Eq(std::string("computeMetadata/v1/instance/service-accounts/") +
                alias + "/"));
         return std::unique_ptr<RestResponse>(std::move(mock_response1));
       });
diff --git a/google/cloud/internal/oauth2_google_credentials_test.cc b/google/cloud/internal/oauth2_google_credentials_test.cc
@@ -13,6 +13,7 @@
 // limitations under the License.
 
 #include "google/cloud/internal/oauth2_google_credentials.h"
+#include "google/cloud/internal/compute_engine_util.h"
 #include "google/cloud/internal/filesystem.h"
 #include "google/cloud/internal/oauth2_anonymous_credentials.h"
 #include "google/cloud/internal/oauth2_authorized_user_credentials.h"
@@ -281,6 +282,8 @@ TEST_F(GoogleCredentialsTest, MissingCredentialsViaGcloudFilePath) {
   // eventually finding no valid credentials and hitting a runtime error.
   ScopedEnvironment gcloud_path_override_env_var(GoogleGcloudAdcFileEnvVar(),
                                                  filename);
+  ScopedEnvironment gcloud_metadata_host_override_env_var(
+      internal::GceMetadataHostnameEnvVar(), "nowhere.com");
 
   auto creds = GoogleDefaultCredentials();
   EXPECT_THAT(creds, StatusIs(Not(StatusCode::kOk),
