impl(v3): switch GCS to use GUAC (#15890)

Author: scotthart

ci/abi-dumps/google_cloud_cpp_storage.expected.abi.dump.gz

@@ -133,7 +133,6 @@ expected_dirs+=(
   ./include/google/cloud/storage/internal/grpc
   ./include/google/cloud/storage/internal/rest
   ./include/google/cloud/storage/mocks
-  ./include/google/cloud/storage/oauth2
   ./include/google/cloud/storage/testing
   # no gRPC services in google/cloud/workflows/type.
   ./include/google/cloud/workflows/type

ci/abi-dumps/google_cloud_cpp_storage_grpc.expected.abi.dump.gz

@@ -628,6 +628,95 @@ void UseRawClient(google::cloud::storage::Client client) {
 
 </details>
 
+<details>
+<summary>Removed deprecated <code>Oauth2CredentialsOption</code></summary>
+
+The `google::cloud::UnifiedCredentialsOption` and the unified credentials API
+documented at
+https://docs.cloud.google.com/cpp/docs/reference/common/latest/group__guac
+should be used instead.
+
+**Before:**
+
+```cpp
+#include "google/cloud/options.h"
+#include "google/cloud/storage/client.h"
+#include "google/cloud/storage/oauth2/google_credentials.h"
+
+namespace gc = ::google::cloud;
+namespace gcs = ::google::cloud::storage;
+namespace oauth2 = ::google::cloud::storage::oauth2;
+
+auto options = gc::Options{}
+    .set<gcs::Oauth2CredentialsOption>(oauth2::CreateAnonymousCredentials());
+auto client = gcs::Client(options);
+```
+
+**After:**
+
+```cpp
+#include "google/cloud/options.h"
+#include "google/cloud/storage/client.h"
+#include "google/cloud/credentials.h"
+
+namespace gc = ::google::cloud;
+namespace gcs = ::google::cloud::storage;
+
+auto options = gc::Options{}
+    .set<gc::UnifiedCredentialsOption>(gc::MakeInsecureCredentials());
+auto client = gcs::Client(options);
+```
+
+</details>
+
+<details>
+<summary>Removed deprecated <code>CreateServiceAccountCredentialsFromFilePath</code></summary>
+
+The `google::cloud::MakeServiceAccountCredentialsFromFile` factory function and
+associated override options `google::cloud::ScopesOption` and
+`google::cloud::subjectOption` should be used instead.
+
+**Before:**
+
+```cpp
+#include "google/cloud/options.h"
+#include "google/cloud/storage/client.h"
+#include "google/cloud/storage/oauth2/google_credentials.h"
+
+namespace gc = ::google::cloud;
+namespace gcs = ::google::cloud::storage;
+namespace oauth2 = ::google::cloud::storage::oauth2;
+
+std::set<std::string> scopes = {"scope1", "scope2"};
+auto credentials = CreateServiceAccountCredentialsFromFilePath(
+    "path-to-file", scopes, "my-subject");
+
+auto options = gc::Options{}
+    .set<gcs::Oauth2CredentialsOption>(credentials);
+auto client = gcs::Client(options);
+```
+
+**After:**
+
+```cpp
+#include "google/cloud/options.h"
+#include "google/cloud/storage/client.h"
+#include "google/cloud/credentials.h"
+
+namespace gc = ::google::cloud;
+namespace gcs = ::google::cloud::storage;
+
+auto options = gc::Options{}
+    .set<gc::ScopesOption>(std::vector<std::string>({"scope1", "scope2"}))
+    .set<gc::SubjectOption>("my-subject");
+
+options = options.set<gc::UnifiedCredentialsOption>(
+    gc::MakeServiceAccountCredentialsFromFile("path-to-file", options));
+auto client = gcs::Client(options);
+```
+
+</details>
+
 ### IAM
 
 <details>

ci/cloudbuild/builds/cmake-install.sh

@@ -346,9 +346,15 @@ std::shared_ptr<Credentials> MakeServiceAccountCredentials(
  * @param file_path path to file containing the service account key
  * Typically applications read this from a file, or download the contents from
  * something like Google's secret manager service.
- * @param opts optional configuration values.  Note that the effect of these
- *     parameters depends on the underlying transport. For example,
- *     `LoggingComponentsOption` is ignored by gRPC-based services.
+ * @param opts optional configuration values.
+ *
+ * `ScopesOption` the scopes to request during the authorization grant. If
+ *     omitted, the cloud-platform scope, defined by
+ *     `GoogleOAuthScopeCloudPlatform()`, is used as a default.
+ * `SubjectOption` for domain-wide delegation; the email address of the user for
+ *     which to request delegated access. If omitted AND no "subject" is defined
+ *     in the provided file, no "subject" attribute is included in the
+ *     authorization grant.
  */
 std::shared_ptr<Credentials> MakeServiceAccountCredentialsFromFile(
     std::string const& file_path, Options opts = {});

doc/v3-migration-guide.md

@@ -133,6 +133,19 @@ StatusOr<ServiceAccountCredentialsInfo> ParseServiceAccountCredentials(
   return info;
 }
 
+void ApplyServiceAccountCredentialsInfoOverrides(
+    Options const& options, ServiceAccountCredentialsInfo& info) {
+  if (options.has<ScopesOption>()) {
+    auto const& s = options.get<ScopesOption>();
+    std::set<std::string> scopes{s.begin(), s.end()};
+    info.scopes = std::move(scopes);
+  }
+
+  if (options.has<SubjectOption>()) {
+    info.subject = options.get<SubjectOption>();
+  }
+}
+
 std::pair<std::string, std::string> AssertionComponentsFromInfo(
     ServiceAccountCredentialsInfo const& info,
     std::chrono::system_clock::time_point now) {
@@ -249,17 +262,7 @@ CreateServiceAccountCredentialsFromJsonContents(
     HttpClientFactory client_factory) {
   auto info = ParseServiceAccountCredentials(contents, "memory");
   if (!info) return info.status();
-
-  if (options.has<ScopesOption>()) {
-    auto const& s = options.get<ScopesOption>();
-    std::set<std::string> scopes{s.begin(), s.end()};
-    info->scopes = std::move(scopes);
-  }
-
-  if (options.has<SubjectOption>()) {
-    info->subject = options.get<SubjectOption>();
-  }
-
+  ApplyServiceAccountCredentialsInfoOverrides(options, *info);
   // Verify this is usable before returning it.
   auto const tp = std::chrono::system_clock::time_point{};
   auto const components = AssertionComponentsFromInfo(*info, tp);
@@ -293,17 +296,7 @@ CreateServiceAccountCredentialsFromP12FilePath(
     HttpClientFactory client_factory) {
   auto info = ParseServiceAccountP12File(path);
   if (!info) return std::move(info).status();
-
-  if (options.has<ScopesOption>()) {
-    auto const& s = options.get<ScopesOption>();
-    std::set<std::string> scopes{s.begin(), s.end()};
-    info->scopes = std::move(scopes);
-  }
-
-  if (options.has<SubjectOption>()) {
-    info->subject = options.get<SubjectOption>();
-  }
-
+  ApplyServiceAccountCredentialsInfoOverrides(options, *info);
   return StatusOr<std::shared_ptr<Credentials>>(
       std::make_shared<ServiceAccountCredentials>(*info, options,
                                                   std::move(client_factory)));

google/cloud/credentials.h

@@ -66,6 +66,10 @@ StatusOr<ServiceAccountCredentialsInfo> ParseServiceAccountCredentials(
     std::string const& content, std::string const& source,
     std::string const& default_token_uri = GoogleOAuthRefreshEndpoint());
 
+/// Applies any overrides contained in `ScopesOption` or `SubjectOption`.
+void ApplyServiceAccountCredentialsInfoOverrides(
+    Options const& options, ServiceAccountCredentialsInfo& info);
+
 /// Parses a refresh response JSON string to create an access token.
 StatusOr<AccessToken> ParseServiceAccountRefreshResponse(
     rest_internal::RestResponse& response,

google/cloud/internal/oauth2_service_account_credentials.cc

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 #include "google/cloud/internal/oauth2_service_account_credentials.h"
+#include "google/cloud/credentials.h"
 #include "google/cloud/internal/base64_transforms.h"
 #include "google/cloud/internal/oauth2_credential_constants.h"
 #include "google/cloud/internal/oauth2_universe_domain.h"
@@ -896,6 +897,61 @@ TEST(ServiceAccountCredentialsTest, ParseServiceAccountRefreshResponse) {
   EXPECT_EQ(token.token, "access-token-r1");
 }
 
+TEST(ServiceAccountCredentialsTest,
+     ApplyServiceAccountCredentialsInfoOverrides) {
+  auto info = ParseServiceAccountCredentials(MakeTestContents(), "test");
+  ASSERT_STATUS_OK(info);
+
+  auto options = Options{}
+                     .set<google::cloud::ScopesOption>(std::vector<std::string>(
+                         {"https://www.googleapis.com/auth/userinfo.email",
+                          "https://www.googleapis.com/auth/cloud-platform"}))
+                     .set<google::cloud::SubjectOption>("my-subject");
+
+  ApplyServiceAccountCredentialsInfoOverrides(options, *info);
+
+  auto const tp = std::chrono::system_clock::from_time_t(kFixedJwtTimestamp);
+  auto components = AssertionComponentsFromInfo(*info, tp);
+  auto assertion =
+      MakeJWTAssertion(components.first, components.second, info->private_key);
+
+  std::vector<std::string> actual_tokens = absl::StrSplit(assertion, '.');
+  ASSERT_EQ(actual_tokens.size(), 3);
+  std::vector<std::vector<std::uint8_t>> decoded(actual_tokens.size());
+  std::transform(
+      actual_tokens.begin(), actual_tokens.end(), decoded.begin(),
+      [](std::string const& e) { return UrlsafeBase64Decode(e).value(); });
+
+  // Verify this is a valid key.
+  auto const signature =
+      SignUsingSha256(actual_tokens[0] + '.' + actual_tokens[1], kPrivateKey);
+  ASSERT_STATUS_OK(signature);
+  EXPECT_EQ(*signature, decoded[2]);
+
+  // Verify the header and payloads are valid.
+  auto const header =
+      nlohmann::json::parse(decoded[0].begin(), decoded[0].end());
+  auto const expected_header =
+      nlohmann::json{{"alg", "RS256"}, {"typ", "JWT"}, {"kid", kPrivateKeyId}};
+  EXPECT_EQ(header, expected_header);
+
+  auto const payload = nlohmann::json::parse(decoded[1]);
+  auto const iat = static_cast<std::intmax_t>(kFixedJwtTimestamp);
+  auto const exp = iat + 3600;
+  auto const expected_payload = nlohmann::json{
+      {"iss", kClientEmail},
+      {"scope",
+       "https://www.googleapis.com/auth/cloud-platform "
+       "https://www.googleapis.com/auth/userinfo.email"},
+      {"aud", kTokenUri},
+      {"iat", iat},
+      {"exp", exp},
+      {"sub", "my-subject"},
+  };
+
+  EXPECT_EQ(payload, expected_payload);
+}
+
 }  // namespace
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
 }  // namespace oauth2_internal

google/cloud/internal/oauth2_service_account_credentials.h

@@ -16,6 +16,7 @@
 #include "google/cloud/storage/benchmarks/benchmark_utils.h"
 #include "google/cloud/storage/client.h"
 #include "google/cloud/internal/make_status.h"
+#include "google/cloud/internal/unified_rest_credentials.h"
 #if GOOGLE_CLOUD_CPP_STORAGE_HAVE_GRPC
 #include "google/cloud/storage/internal/grpc/ctype_cord_workaround.h"
 #include "google/cloud/grpc_error_delegate.h"
@@ -260,8 +261,7 @@ class DownloadObjectLibcurl : public ThroughputExperiment {
       : endpoint_(options.rest_options.get<gcs::RestEndpointOption>()),
         target_api_version_path_(
             options.rest_options.get<gcs::internal::TargetApiVersionOption>()),
-        creds_(google::cloud::storage::oauth2::GoogleDefaultCredentials()
-                   .value()) {
+        creds_(rest_internal::MapCredentials(*MakeGoogleDefaultCredentials())) {
     if (target_api_version_path_.empty()) {
       target_api_version_path_ = "v1";
     }
@@ -271,13 +271,14 @@ class DownloadObjectLibcurl : public ThroughputExperiment {
   ThroughputResult Run(std::string const& bucket_name,
                        std::string const& object_name,
                        ThroughputExperimentConfig const& config) override {
-    auto header = creds_->AuthorizationHeader();
-    if (!header) return {};
+    auto token = creds_->GetToken(std::chrono::system_clock::now());
+    if (!token) return {};
+    auto header = std::string{"Authorization: "} + token->token;
 
     auto const start = std::chrono::system_clock::now();
     auto timer = Timer::PerThread();
     struct curl_slist* slist1 = nullptr;
-    slist1 = curl_slist_append(slist1, header->c_str());
+    slist1 = curl_slist_append(slist1, header.c_str());
 
     auto* hnd = curl_easy_init();
     curl_easy_setopt(hnd, CURLOPT_BUFFERSIZE, 102400L);
@@ -339,7 +340,7 @@ class DownloadObjectLibcurl : public ThroughputExperiment {
  private:
   std::string endpoint_;
   std::string target_api_version_path_;
-  std::shared_ptr<google::cloud::storage::oauth2::Credentials> creds_;
+  std::shared_ptr<oauth2_internal::Credentials> creds_;
 };
 
 #if GOOGLE_CLOUD_CPP_STORAGE_HAVE_GRPC