impl(rest): update AuthenticationHeader method to return multiple headers

Author: scotthart

google/cloud/internal/curl_rest_client.cc

@@ -124,10 +124,12 @@ StatusOr<std::unique_ptr<CurlImpl>> CurlRestClient::CreateCurlImpl(
   auto impl =
       std::make_unique<CurlImpl>(std::move(handle), handle_factory_, options);
   if (credentials_) {
-    auto auth_header =
-        credentials_->AuthenticationHeader(std::chrono::system_clock::now());
-    if (!auth_header.ok()) return std::move(auth_header).status();
-    impl->SetHeader(HttpHeader(auth_header->first, auth_header->second));
+    auto auth_headers =
+        credentials_->AuthenticationHeaders(std::chrono::system_clock::now());
+    if (!auth_headers.ok()) return std::move(auth_headers).status();
+    for (auto& header : *auth_headers) {
+      impl->SetHeader(std::move(header));
+    }
   }
   impl->SetHeader(HostHeader(options, endpoint_address_));
   impl->SetHeaders(context.headers());

google/cloud/internal/oauth2_api_key_credentials.cc

@@ -27,9 +27,12 @@ StatusOr<AccessToken> ApiKeyCredentials::GetToken(
   return AccessToken{std::string{}, tp};
 }
 
-StatusOr<std::pair<std::string, std::string>>
-ApiKeyCredentials::AuthenticationHeader(std::chrono::system_clock::time_point) {
-  return std::make_pair(std::string{"x-goog-api-key"}, api_key_);
+StatusOr<std::vector<rest_internal::HttpHeader>>
+ApiKeyCredentials::AuthenticationHeaders(
+    std::chrono::system_clock::time_point) {
+  std::vector<rest_internal::HttpHeader> headers;
+  headers.emplace_back("x-goog-api-key", api_key_);
+  return headers;
 }
 
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END

google/cloud/internal/oauth2_api_key_credentials.h

@@ -37,7 +37,7 @@ class ApiKeyCredentials : public oauth2_internal::Credentials {
   StatusOr<AccessToken> GetToken(
       std::chrono::system_clock::time_point tp) override;
 
-  StatusOr<std::pair<std::string, std::string>> AuthenticationHeader(
+  StatusOr<std::vector<rest_internal::HttpHeader>> AuthenticationHeaders(
       std::chrono::system_clock::time_point) override;
 
  private:

google/cloud/internal/oauth2_api_key_credentials_test.cc

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 #include "google/cloud/internal/oauth2_api_key_credentials.h"
+#include "google/cloud/internal/http_header.h"
 #include "google/cloud/testing_util/status_matchers.h"
 #include <gmock/gmock.h>
 #include <chrono>
@@ -24,6 +25,7 @@ GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
 namespace {
 
 using ::google::cloud::testing_util::IsOkAndHolds;
+using ::testing::Contains;
 using ::testing::IsEmpty;
 using ::testing::Pair;
 
@@ -38,8 +40,9 @@ TEST(ApiKeyCredentials, EmptyToken) {
 TEST(ApiKeyCredentials, SetsXGoogApiKeyHeader) {
   ApiKeyCredentials creds("api-key");
   auto const now = std::chrono::system_clock::now();
-  EXPECT_THAT(creds.AuthenticationHeader(now),
-              IsOkAndHolds(Pair("x-goog-api-key", "api-key")));
+  EXPECT_THAT(creds.AuthenticationHeaders(now),
+              IsOkAndHolds(Contains(
+                  rest_internal::HttpHeader("x-goog-api-key", "api-key"))));
 }
 
 }  // namespace

google/cloud/internal/oauth2_credentials.cc

@@ -16,6 +16,7 @@
 #include "google/cloud/internal/make_status.h"
 #include "google/cloud/internal/oauth2_universe_domain.h"
 #include "absl/strings/str_cat.h"
+#include "absl/strings/str_join.h"
 
 namespace google {
 namespace cloud {
@@ -46,21 +47,26 @@ StatusOr<std::string> Credentials::project_id(
   return project_id();
 }
 
-StatusOr<std::pair<std::string, std::string>> Credentials::AuthenticationHeader(
-    std::chrono::system_clock::time_point tp) {
+StatusOr<std::vector<rest_internal::HttpHeader>>
+Credentials::AuthenticationHeaders(std::chrono::system_clock::time_point tp) {
+  std::vector<rest_internal::HttpHeader> headers;
   auto token = GetToken(tp);
   if (!token) return std::move(token).status();
-  if (token->token.empty()) return std::make_pair(std::string{}, std::string{});
-  return std::make_pair(std::string{"Authorization"},
-                        absl::StrCat("Bearer ", token->token));
+  if (!token->token.empty()) {
+    headers.emplace_back("Authorization",
+                         absl::StrCat("Bearer ", token->token));
+  }
+  return headers;
 }
 
-StatusOr<std::string> AuthenticationHeaderJoined(
+StatusOr<std::string> AuthenticationHeadersJoined(
     Credentials& credentials, std::chrono::system_clock::time_point tp) {
-  auto header = credentials.AuthenticationHeader(tp);
-  if (!header) return std::move(header).status();
-  if (header->first.empty()) return std::string{};
-  return absl::StrCat(header->first, ": ", header->second);
+  auto headers = credentials.AuthenticationHeaders(tp);
+  if (!headers) return std::move(headers).status();
+  return absl::StrJoin(*headers, ";",
+                       [](std::string* s, rest_internal::HttpHeader const& h) {
+                         *s += std::string{h};
+                       });
 }
 
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END

google/cloud/internal/oauth2_credentials.h

@@ -16,6 +16,7 @@
 #define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_OAUTH2_CREDENTIALS_H
 
 #include "google/cloud/access_token.h"
+#include "google/cloud/internal/http_header.h"
 #include "google/cloud/options.h"
 #include "google/cloud/status.h"
 #include "google/cloud/status_or.h"
@@ -109,33 +110,36 @@ class Credentials {
   virtual StatusOr<std::string> project_id(Options const&) const;
 
   /**
-   * Returns a header pair used for authentication.
+   * Returns header pairs used for authentication.
    *
    * In most cases, this is the "Authorization" HTTP header. For API key
-   * credentials, it is the "X-Goog-Api-Key" header.
+   * credentials, it is the "X-Goog-Api-Key" header. It may also include the
+   * "x-allowed-locations" header if applicable.
    *
    * If unable to obtain a value for the header, which could happen for
    * `Credentials` that need to be periodically refreshed, the underlying
    * `Status` will indicate failure details from the refresh HTTP request.
    * Otherwise, the returned value will contain the header pair to be used in
    * HTTP requests.
    */
-  virtual StatusOr<std::pair<std::string, std::string>> AuthenticationHeader(
-      std::chrono::system_clock::time_point tp);
+  virtual StatusOr<std::vector<rest_internal::HttpHeader>>
+  AuthenticationHeaders(std::chrono::system_clock::time_point tp);
 };
 
 /**
- * Returns a header pair as a single string to be used for authentication.
+ * Returns header pairs as a single string to be used for authentication.
  *
  * In most cases, this is the "Authorization" HTTP header. For API key
- * credentials, it is the "X-Goog-Api-Key" header.
+ * credentials, it is the "X-Goog-Api-Key" header. It may also include the
+ * "x-allowed-locations" header if applicable.
+ *
  *
  * If unable to obtain a value for the header, which could happen for
  * `Credentials` that need to be periodically refreshed, the underlying `Status`
  * will indicate failure details from the refresh HTTP request. Otherwise, the
  * returned value will contain the header pair to be used in HTTP requests.
  */
-StatusOr<std::string> AuthenticationHeaderJoined(
+StatusOr<std::string> AuthenticationHeadersJoined(
     Credentials& credentials, std::chrono::system_clock::time_point tp =
                                   std::chrono::system_clock::now());
 

google/cloud/internal/oauth2_credentials_test.cc

@@ -26,6 +26,7 @@ namespace {
 using ::google::cloud::internal::UnavailableError;
 using ::google::cloud::testing_util::IsOk;
 using ::google::cloud::testing_util::IsOkAndHolds;
+using ::testing::Contains;
 using ::testing::IsEmpty;
 using ::testing::Not;
 using ::testing::Pair;
@@ -43,8 +44,9 @@ TEST(Credentials, AuthorizationHeaderSuccess) {
   auto const expiration = now + std::chrono::seconds(3600);
   EXPECT_CALL(mock, GetToken(now))
       .WillOnce(Return(AccessToken{"test-token", expiration}));
-  auto actual = mock.AuthenticationHeader(now);
-  EXPECT_THAT(actual, IsOkAndHolds(Pair("Authorization", "Bearer test-token")));
+  auto actual = mock.AuthenticationHeaders(now);
+  EXPECT_THAT(actual, IsOkAndHolds(Contains(rest_internal::HttpHeader(
+                          "authorization", "Bearer test-token"))));
 }
 
 TEST(Credentials, AuthenticationHeaderJoinedSuccess) {
@@ -53,8 +55,8 @@ TEST(Credentials, AuthenticationHeaderJoinedSuccess) {
   auto const expiration = now + std::chrono::seconds(3600);
   EXPECT_CALL(mock, GetToken(now))
       .WillOnce(Return(AccessToken{"test-token", expiration}));
-  auto actual = AuthenticationHeaderJoined(mock, now);
-  EXPECT_THAT(actual, IsOkAndHolds("Authorization: Bearer test-token"));
+  auto actual = AuthenticationHeadersJoined(mock, now);
+  EXPECT_THAT(actual, IsOkAndHolds("authorization: Bearer test-token"));
 }
 
 TEST(Credentials, AuthenticationHeaderJoinedEmpty) {
@@ -63,21 +65,21 @@ TEST(Credentials, AuthenticationHeaderJoinedEmpty) {
   auto const expiration = now + std::chrono::seconds(3600);
   EXPECT_CALL(mock, GetToken(now))
       .WillOnce(Return(AccessToken{"", expiration}));
-  auto actual = AuthenticationHeaderJoined(mock, now);
+  auto actual = AuthenticationHeadersJoined(mock, now);
   EXPECT_THAT(actual, IsOkAndHolds(IsEmpty()));
 }
 
 TEST(Credentials, AuthenticationHeaderError) {
   MockCredentials mock;
   EXPECT_CALL(mock, GetToken).WillOnce(Return(UnavailableError("try-again")));
-  auto actual = mock.AuthenticationHeader(std::chrono::system_clock::now());
+  auto actual = mock.AuthenticationHeaders(std::chrono::system_clock::now());
   EXPECT_EQ(actual.status(), UnavailableError("try-again"));
 }
 
 TEST(Credentials, AuthenticationHeaderJoinedError) {
   MockCredentials mock;
   EXPECT_CALL(mock, GetToken).WillOnce(Return(UnavailableError("try-again")));
-  auto actual = AuthenticationHeaderJoined(mock);
+  auto actual = AuthenticationHeadersJoined(mock);
   EXPECT_EQ(actual.status(), UnavailableError("try-again"));
 }
 

google/cloud/internal/oauth2_minimal_iam_credentials_rest.cc

@@ -46,12 +46,13 @@ MinimalIamCredentialsRestStub::MinimalIamCredentialsRestStub(
 StatusOr<google::cloud::AccessToken>
 MinimalIamCredentialsRestStub::GenerateAccessToken(
     GenerateAccessTokenRequest const& request) {
-  auto auth_header =
-      credentials_->AuthenticationHeader(std::chrono::system_clock::now());
-  if (!auth_header) return std::move(auth_header).status();
-
+  auto auth_headers =
+      credentials_->AuthenticationHeaders(std::chrono::system_clock::now());
+  if (!auth_headers) return std::move(auth_headers).status();
   rest_internal::RestRequest rest_request;
-  rest_request.AddHeader(rest_internal::HttpHeader(auth_header.value()));
+  for (auto const& auth_header : *auth_headers) {
+    rest_request.AddHeader(auth_header);
+  }
   rest_request.AddHeader("Content-Type", "application/json");
   rest_request.SetPath(MakeRequestPath(request));
   nlohmann::json payload{

google/cloud/internal/unified_rest_credentials_test.cc

@@ -470,8 +470,9 @@ TEST(UnifiedRestCredentialsTest, ApiKey) {
   ASSERT_THAT(oauth2_creds, NotNull());
 
   auto header =
-      oauth2_creds->AuthenticationHeader(std::chrono::system_clock::now());
-  EXPECT_THAT(header, IsOkAndHolds(Pair("x-goog-api-key", "api-key")));
+      oauth2_creds->AuthenticationHeaders(std::chrono::system_clock::now());
+  EXPECT_THAT(header,
+              IsOkAndHolds(Contains(HttpHeader("x-goog-api-key", "api-key"))));
 }
 
 TEST(UnifiedRestCredentialsTest, LoadError) {

google/cloud/storage/client.cc

@@ -59,7 +59,7 @@ class WrapRestCredentials {
       : impl_(std::move(impl)) {}
 
   StatusOr<std::string> AuthorizationHeader() {
-    return oauth2_internal::AuthenticationHeaderJoined(*impl_);
+    return oauth2_internal::AuthenticationHeadersJoined(*impl_);
   }
 
   StatusOr<std::vector<std::uint8_t>> SignBlob(