impl(rest): add unified credential support (googleapis#8409)

* impl(rest): add unified credential support

Author: scotthart

ci/cloudbuild/builds/lib/integration.sh

@@ -74,6 +74,9 @@ function integration::bazel_args() {
     "--test_env=GOOGLE_CLOUD_CPP_BIGTABLE_TEST_SERVICE_ACCOUNT=${GOOGLE_CLOUD_CPP_BIGTABLE_TEST_SERVICE_ACCOUNT}"
     "--test_env=ENABLE_BIGTABLE_ADMIN_INTEGRATION_TESTS=${ENABLE_BIGTABLE_ADMIN_INTEGRATION_TESTS:-no}"
 
+    # Rest
+    "--test_env=GOOGLE_CLOUD_CPP_REST_TEST_SIGNING_SERVICE_ACCOUNT=${GOOGLE_CLOUD_CPP_REST_TEST_SIGNING_SERVICE_ACCOUNT}"
+
     # Storage
     "--test_env=GOOGLE_CLOUD_CPP_STORAGE_GRPC_CONFIG=${GOOGLE_CLOUD_CPP_STORAGE_GRPC_CONFIG:-}"
     "--test_env=GOOGLE_CLOUD_CPP_STORAGE_TEST_BUCKET_NAME=${GOOGLE_CLOUD_CPP_STORAGE_TEST_BUCKET_NAME}"
@@ -109,6 +112,7 @@ function integration::bazel_args() {
   gsutil cp "${SECRETS_BUCKET}/${key_base}.json" "${KEY_DIR}/${key_base}.json"
   gsutil cp "${SECRETS_BUCKET}/${key_base}.p12" "${KEY_DIR}/${key_base}.p12"
   args+=(
+    "--test_env=GOOGLE_CLOUD_CPP_REST_TEST_KEY_FILE_JSON=${KEY_DIR}/${key_base}.json"
     "--test_env=GOOGLE_CLOUD_CPP_BIGTABLE_TEST_KEY_FILE_JSON=${KEY_DIR}/${key_base}.json"
     "--test_env=GOOGLE_CLOUD_CPP_STORAGE_TEST_KEY_FILE_JSON=${KEY_DIR}/${key_base}.json"
     "--test_env=GOOGLE_CLOUD_CPP_STORAGE_TEST_KEY_FILE_P12=${KEY_DIR}/${key_base}.p12"
@@ -149,6 +153,8 @@ function integration::bazel_with_emulators() {
     "google/cloud/iam/..."
     # Logging integration tests
     "google/cloud/logging/..."
+    # Unified Rest Credentials test
+    "google/cloud:internal_unified_rest_credentials_integration_test"
   )
 
   tag_filters="integration-test"

ci/etc/integration-tests-config.ps1

@@ -70,6 +70,9 @@ $env:GOOGLE_CLOUD_CPP_IAM_CREDENTIALS_TEST_SERVICE_ACCOUNT="iam-credentials-test
 $env:GOOGLE_CLOUD_CPP_IAM_TEST_SERVICE_ACCOUNT="iam-test-sa@${env:GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
 $env:GOOGLE_CLOUD_CPP_IAM_INVALID_TEST_SERVICE_ACCOUNT="invalid-test-account@cloud-cpp-testing-resources.iam.gserviceaccount.com"
 
+# Rest configuration parameters
+$env:GOOGLE_CLOUD_CPP_REST_TEST_SIGNING_SERVICE_ACCOUNT="kokoro-run@${env:GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
+
 # To run google/cloud/gameservices' quickstart
 $env:GOOGLE_CLOUD_CPP_GAMESERVICES_TEST_LOCATION="global"
 $env:GOOGLE_CLOUD_CPP_GAMESERVICES_TEST_REALM="test-realm"

ci/etc/integration-tests-config.sh

@@ -92,6 +92,9 @@ export GOOGLE_CLOUD_CPP_TEST_HELLO_WORLD_SERVICE_ACCOUNT="hello-world-caller@${G
 # The URL for the HTTP Hello World service, typically set by the CI scripts
 export GOOGLE_CLOUD_CPP_TEST_HELLO_WORLD_HTTP_URL=""
 
+# Rest configuration parameters
+export GOOGLE_CLOUD_CPP_REST_TEST_SIGNING_SERVICE_ACCOUNT="kokoro-run@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
+
 # To run google/cloud/gameservices' quickstart
 export GOOGLE_CLOUD_CPP_GAMESERVICES_TEST_LOCATION="global"
 export GOOGLE_CLOUD_CPP_GAMESERVICES_TEST_REALM="test-realm"

google/cloud/BUILD.bazel

@@ -195,7 +195,7 @@ load(":google_cloud_cpp_rest_internal_unit_tests.bzl", "google_cloud_cpp_rest_in
     ],
 ) for test in google_cloud_cpp_rest_internal_unit_tests]
 
-load(":google_cloud_cpp_rest_internal_integration_tests.bzl", "google_cloud_cpp_rest_internal_integration_tests")
+load(":google_cloud_cpp_rest_internal_emulator_integration_tests.bzl", "google_cloud_cpp_rest_internal_emulator_integration_tests")
 
 [cc_test(
     name = test.replace("/", "_").replace(".cc", ""),
@@ -208,4 +208,19 @@ load(":google_cloud_cpp_rest_internal_integration_tests.bzl", "google_cloud_cpp_
         "//google/cloud/testing_util:google_cloud_cpp_testing",
         "@com_google_googletest//:gtest_main",
     ],
-) for test in google_cloud_cpp_rest_internal_integration_tests]
+) for test in google_cloud_cpp_rest_internal_emulator_integration_tests]
+
+load(":google_cloud_cpp_rest_internal_production_integration_tests.bzl", "google_cloud_cpp_rest_internal_production_integration_tests")
+
+[cc_test(
+    name = test.replace("/", "_").replace(".cc", ""),
+    srcs = [test],
+    tags = [
+        "integration-test",
+    ],
+    deps = [
+        ":google_cloud_cpp_rest_internal",
+        "//google/cloud/testing_util:google_cloud_cpp_testing",
+        "@com_google_googletest//:gtest_main",
+    ],
+) for test in google_cloud_cpp_rest_internal_production_integration_tests]

google/cloud/CMakeLists.txt

@@ -750,28 +750,47 @@ if (GOOGLE_CLOUD_CPP_ENABLE_REST)
             internal/rest_response_test.cc
             internal/unified_rest_credentials_test.cc)
 
-        # List the integration tests, then setup the targets and dependencies.
-        set(google_cloud_cpp_rest_internal_integration_tests
+        # List the emulator integration tests, then setup the targets and
+        # dependencies.
+        set(google_cloud_cpp_rest_internal_emulator_integration_tests
             # cmake-format: sort
             internal/rest_client_integration_test.cc)
 
+        # List the production integration tests, then setup the targets and
+        # dependencies.
+        set(google_cloud_cpp_rest_internal_production_integration_tests
+            # cmake-format: sort
+            internal/unified_rest_credentials_integration_test.cc)
+
         # Export the list of unit and integration tests so the Bazel BUILD file
         # can pick them up.
         export_list_to_bazel(
             "google_cloud_cpp_rest_internal_unit_tests.bzl"
             "google_cloud_cpp_rest_internal_unit_tests" YEAR 2021)
         export_list_to_bazel(
-            "google_cloud_cpp_rest_internal_integration_tests.bzl"
-            "google_cloud_cpp_rest_internal_integration_tests" YEAR 2022)
+            "google_cloud_cpp_rest_internal_emulator_integration_tests.bzl"
+            "google_cloud_cpp_rest_internal_emulator_integration_tests" YEAR
+            2022)
+        export_list_to_bazel(
+            "google_cloud_cpp_rest_internal_production_integration_tests.bzl"
+            "google_cloud_cpp_rest_internal_production_integration_tests" YEAR
+            2022)
 
         foreach (fname ${google_cloud_cpp_rest_internal_unit_tests})
             google_cloud_cpp_rest_internal_add_test("${fname}" "")
         endforeach ()
 
-        foreach (fname ${google_cloud_cpp_rest_internal_integration_tests})
+        foreach (fname
+                 ${google_cloud_cpp_rest_internal_emulator_integration_tests})
             google_cloud_cpp_rest_internal_add_test(
                 "${fname}" "integration-test;integration-test-emulator")
         endforeach ()
+
+        foreach (fname
+                 ${google_cloud_cpp_rest_internal_production_integration_tests})
+            google_cloud_cpp_rest_internal_add_test(
+                "${fname}" "integration-test;integration-test-production")
+        endforeach ()
     endif ()
 
     # Install the libraries and headers in the locations determined by

google/cloud/google_cloud_cpp_rest_internal_emulator_integration_tests.bzl

@@ -0,0 +1,21 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# DO NOT EDIT -- GENERATED BY CMake -- Change the CMakeLists.txt file if needed
+
+"""Automatically generated unit tests list - DO NOT EDIT."""
+
+google_cloud_cpp_rest_internal_emulator_integration_tests = [
+    "internal/rest_client_integration_test.cc",
+]

google/cloud/google_cloud_cpp_rest_internal_production_integration_tests.bzl

@@ -0,0 +1,21 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# DO NOT EDIT -- GENERATED BY CMake -- Change the CMakeLists.txt file if needed
+
+"""Automatically generated unit tests list - DO NOT EDIT."""
+
+google_cloud_cpp_rest_internal_production_integration_tests = [
+    "internal/unified_rest_credentials_integration_test.cc",
+]

google/cloud/internal/rest_client.cc

@@ -20,7 +20,9 @@
 #include "google/cloud/internal/curl_handle_factory.h"
 #include "google/cloud/internal/curl_impl.h"
 #include "google/cloud/internal/curl_options.h"
+#include "google/cloud/internal/oauth2_google_credentials.h"
 #include "google/cloud/internal/rest_options.h"
+#include "google/cloud/internal/unified_rest_credentials.h"
 #include "google/cloud/log.h"
 #include "absl/strings/match.h"
 #include "absl/strings/strip.h"
@@ -99,7 +101,12 @@ StatusOr<std::unique_ptr<CurlImpl>> CurlRestClient::CreateCurlImpl(
   auto handle = GetCurlHandle(handle_factory_);
   auto impl =
       absl::make_unique<CurlImpl>(std::move(handle), handle_factory_, options_);
-  // TODO(#8130): Add Authorization header from UnifiedCredentialsOption
+  if (options_.has<UnifiedCredentialsOption>()) {
+    auto credentials = MapCredentials(options_.get<UnifiedCredentialsOption>());
+    auto auth_header = credentials->AuthorizationHeader();
+    if (!auth_header.ok()) return std::move(auth_header).status();
+    impl->SetHeader(auth_header.value());
+  }
   impl->SetHeader(HostHeader(options_, endpoint_address_));
   impl->SetHeader(x_goog_api_client_header_);
   impl->SetHeaders(request);

google/cloud/internal/unified_rest_credentials_integration_test.cc

@@ -0,0 +1,150 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/credentials.h"
+#include "google/cloud/internal/curl_options.h"
+#include "google/cloud/internal/getenv.h"
+#include "google/cloud/internal/oauth2_google_credentials.h"
+#include "google/cloud/internal/oauth2_minimal_iam_credentials_rest.h"
+#include "google/cloud/internal/rest_client.h"
+#include "google/cloud/internal/setenv.h"
+#include "google/cloud/log.h"
+#include "google/cloud/testing_util/scoped_environment.h"
+#include "google/cloud/testing_util/status_matchers.h"
+#include "absl/strings/str_split.h"
+#include <gmock/gmock.h>
+#include <nlohmann/json.hpp>
+#include <fstream>
+
+namespace google {
+namespace cloud {
+namespace rest_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace {
+
+using ::google::cloud::testing_util::IsOk;
+using ::google::cloud::testing_util::ScopedEnvironment;
+using ::google::cloud::testing_util::StatusIs;
+
+StatusOr<std::unique_ptr<RestResponse>> RetryRestRequest(
+    std::function<StatusOr<std::unique_ptr<RestResponse>>()> const& request,
+    StatusCode expected_status = StatusCode::kOk) {
+  auto delay = std::chrono::seconds(1);
+  StatusOr<std::unique_ptr<RestResponse>> response;
+  for (auto i = 0; i != 3; ++i) {
+    response = request();
+    if (response.status().code() == expected_status) return response;
+    std::this_thread::sleep_for(delay);
+    delay *= 2;
+  }
+  return response;
+}
+
+void MakeRestRpcCall(StatusCode expected_status, Options options = {}) {
+  std::string bigquery_endpoint = "https://bigquery.googleapis.com";
+  auto client = GetPooledRestClient(bigquery_endpoint, std::move(options));
+  RestRequest request;
+  request.SetPath("bigquery/v2/projects/bigquery-public-data/datasets");
+  request.AddQueryParameter({"maxResults", "10"});
+  auto response = RetryRestRequest([&] { return client->Get(request); });
+  ASSERT_THAT(response, IsOk());
+  auto response_payload = std::move(**response).ExtractPayload();
+  auto response_json = ReadAll(std::move(response_payload));
+  ASSERT_THAT(response_json, StatusIs(expected_status));
+  if (response_json.ok()) {
+    auto parsed_response =
+        nlohmann::json::parse(*response_json, nullptr, false);
+    ASSERT_TRUE(parsed_response.is_object());
+    auto kind = parsed_response.find("kind");
+    ASSERT_NE(kind, parsed_response.end());
+    EXPECT_EQ(std::string(kind.value()), "bigquery#datasetList");
+  }
+}
+
+TEST(UnifiedRestCredentialsIntegrationTest, InsecureCredentials) {
+  std::string bigquery_endpoint = "https://bigquery.googleapis.com";
+  auto client = GetPooledRestClient(
+      bigquery_endpoint,
+      Options{}.set<UnifiedCredentialsOption>(MakeInsecureCredentials()));
+  RestRequest request;
+  request.SetPath("bigquery/v2/projects/bigquery-public-data/datasets");
+  request.AddQueryParameter({"maxResults", "10"});
+  auto response = RetryRestRequest([&] { return client->Get(request); });
+  EXPECT_THAT(response, StatusIs(StatusCode::kOk));
+  auto response_payload = std::move(**response).ExtractPayload();
+  auto response_json = ReadAll(std::move(response_payload));
+  ASSERT_THAT(response_json, StatusIs(StatusCode::kUnauthenticated));
+}
+
+TEST(UnifiedRestCredentialsIntegrationTest, GoogleDefaultCredentials) {
+  MakeRestRpcCall(StatusCode::kOk, Options{}.set<UnifiedCredentialsOption>(
+                                       MakeGoogleDefaultCredentials()));
+}
+
+TEST(UnifiedRestCredentialsIntegrationTest, AccessTokenCredentials) {
+  auto env = internal::GetEnv("GOOGLE_CLOUD_CPP_REST_TEST_KEY_FILE_JSON");
+  ASSERT_TRUE(env.has_value());
+  std::string key_file = std::move(*env);
+  ScopedEnvironment google_app_creds_override_env_var(
+      "GOOGLE_APPLICATION_CREDENTIALS", key_file);
+  auto default_creds = oauth2_internal::GoogleDefaultCredentials();
+  ASSERT_THAT(default_creds, IsOk());
+  auto iam_creds =
+      oauth2_internal::MakeMinimalIamCredentialsRestStub(*default_creds);
+  oauth2_internal::GenerateAccessTokenRequest request;
+  request.lifetime = std::chrono::hours(1);
+  auto service_account =
+      internal::GetEnv("GOOGLE_CLOUD_CPP_REST_TEST_SIGNING_SERVICE_ACCOUNT");
+  ASSERT_TRUE(service_account.has_value());
+  request.service_account = std::move(*service_account);
+  request.scopes.emplace_back("https://www.googleapis.com/auth/cloud-platform");
+  auto token = iam_creds->GenerateAccessToken(request);
+  auto expiration = std::chrono::system_clock::now() + std::chrono::hours(1);
+  MakeRestRpcCall(StatusCode::kOk,
+                  Options{}.set<UnifiedCredentialsOption>(
+                      MakeAccessTokenCredentials(token->token, expiration)));
+}
+
+TEST(UnifiedRestCredentialsIntegrationTest,
+     ImpersonateServiceAccountCredentials) {
+  auto env = internal::GetEnv("GOOGLE_CLOUD_CPP_REST_TEST_KEY_FILE_JSON");
+  ASSERT_TRUE(env.has_value());
+  std::string key_file = std::move(*env);
+  ScopedEnvironment google_app_creds_override_env_var(
+      "GOOGLE_APPLICATION_CREDENTIALS", key_file);
+  auto service_account =
+      internal::GetEnv("GOOGLE_CLOUD_CPP_REST_TEST_SIGNING_SERVICE_ACCOUNT");
+  ASSERT_TRUE(service_account.has_value());
+  MakeRestRpcCall(StatusCode::kOk,
+                  Options{}.set<UnifiedCredentialsOption>(
+                      MakeImpersonateServiceAccountCredentials(
+                          MakeGoogleDefaultCredentials(), *service_account)));
+}
+
+TEST(UnifiedRestCredentialsIntegrationTest, ServiceAccountCredentials) {
+  auto env = internal::GetEnv("GOOGLE_CLOUD_CPP_REST_TEST_KEY_FILE_JSON");
+  ASSERT_TRUE(env.has_value());
+  std::string key_file = std::move(*env);
+  std::ifstream is(key_file);
+  auto contents = std::string{std::istreambuf_iterator<char>{is}, {}};
+  MakeRestRpcCall(StatusCode::kOk,
+                  Options{}.set<UnifiedCredentialsOption>(
+                      MakeServiceAccountCredentials(contents)));
+}
+
+}  // namespace
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace rest_internal
+}  // namespace cloud
+}  // namespace google