googleapis · coryan · Dec 13, 2022 · Dec 13, 2022 · Dec 13, 2022
@@ -27,6 +27,7 @@ google_cloud_cpp_rest_internal_hdrs = [
     "internal/curl_rest_response.h",
     "internal/curl_wrappers.h",
     "internal/external_account_source_format.h",
+    "internal/external_account_token_source_aws.h",
     "internal/external_account_token_source_file.h",
     "internal/external_account_token_source_url.h",
     "internal/http_payload.h",
@@ -72,6 +73,7 @@ google_cloud_cpp_rest_internal_srcs = [
     "internal/curl_rest_response.cc",
     "internal/curl_wrappers.cc",
     "internal/external_account_source_format.cc",
+    "internal/external_account_token_source_aws.cc",
     "internal/external_account_token_source_file.cc",
     "internal/external_account_token_source_url.cc",
     "internal/json_parsing.cc",

@@ -40,6 +40,8 @@ add_library(
     internal/curl_wrappers.h
     internal/external_account_source_format.cc
     internal/external_account_source_format.h
+    internal/external_account_token_source_aws.cc
+    internal/external_account_token_source_aws.h
     internal/external_account_token_source_file.cc
     internal/external_account_token_source_file.h
     internal/external_account_token_source_url.cc
@@ -211,6 +213,7 @@ if (BUILD_TESTING)
         internal/curl_wrappers_locking_enabled_test.cc
         internal/curl_wrappers_test.cc
         internal/external_account_source_format_test.cc
+        internal/external_account_token_source_aws_test.cc
         internal/external_account_token_source_file_test.cc
         internal/external_account_token_source_url_test.cc
         internal/json_parsing_test.cc

@@ -30,6 +30,7 @@ google_cloud_cpp_rest_internal_unit_tests = [
     "internal/curl_wrappers_locking_enabled_test.cc",
     "internal/curl_wrappers_test.cc",
     "internal/external_account_source_format_test.cc",
+    "internal/external_account_token_source_aws_test.cc",
     "internal/external_account_token_source_file_test.cc",
     "internal/external_account_token_source_url_test.cc",
     "internal/json_parsing_test.cc",

@@ -0,0 +1,87 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/external_account_token_source_aws.h"
+#include "google/cloud/internal/absl_str_cat_quiet.h"
+#include "google/cloud/internal/external_account_source_format.h"
+#include "google/cloud/internal/json_parsing.h"
+#include "google/cloud/internal/make_status.h"
+#include "absl/strings/match.h"
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace {
+
+auto constexpr kDefaultUrl =
+    "http://169.254.169.254/latest/meta-data/iam/security-credentials";
+
+using ::google::cloud::internal::InvalidArgumentError;
+
+}  // namespace
+
+StatusOr<ExternalAccountTokenSource> MakeExternalAccountTokenSourceAws(
+    nlohmann::json const& /*credentials_source*/,
+    internal::ErrorContext const& ec) {
+  return internal::UnimplementedError("WIP", GCP_ERROR_INFO().WithContext(ec));
+}
+
+StatusOr<ExternalAccountTokenSourceAwsInfo> ParseExternalAccountTokenSourceAws(
+    nlohmann::json const& credentials_source,
+    internal::ErrorContext const& ec) {
+  auto environment_id = ValidateStringField(
+      credentials_source, "environment_id", "credentials-source", ec);
+  if (!environment_id) return std::move(environment_id).status();
+  if (!absl::StartsWith(*environment_id, "aws")) {
+    return InvalidArgumentError("`environment_id` does not start with `aws`",
+                                GCP_ERROR_INFO().WithContext(ec));
+  }
+  if (*environment_id != "aws1") {
+    return InvalidArgumentError(
+        absl::StrCat(
+            "only `environment_id=aws1` is supported, but got environment_id=",
+            *environment_id,
+            ". Consider updating `google-cloud-cpp`, as a new version may",
+            " support this environment. If you find this is not the case,",
+            " please file a feature at"
+            " https://github.com/googleapis/google-cloud-cpp/issues"),
+        GCP_ERROR_INFO().WithContext(ec));
+  }
+  auto region_url = ValidateStringField(credentials_source, "region_url",
+                                        "credentials-source", ec);
+  if (!region_url) return std::move(region_url).status();
+  auto url = ValidateStringField(credentials_source, "url",
+                                 "credentials-source", kDefaultUrl, ec);
+  if (!url) return std::move(url).status();
+  auto regional_url =
+      ValidateStringField(credentials_source, "regional_cred_verification_url",
+                          "credentials-source", ec);
+  if (!regional_url) return std::move(regional_url).status();
+  auto imdsv2 =
+      ValidateStringField(credentials_source, "imdsv2_session_token_url",
+                          "credentials-source", std::string{}, ec);
+  if (!imdsv2) return std::move(imdsv2).status();
+  return ExternalAccountTokenSourceAwsInfo{
+      /*environment_id=*/*std::move(environment_id),
+      /*region_url=*/*std::move(region_url),
+      /*url=*/*std::move(url),
+      /*regional_cred_verification_url=*/*std::move(regional_url),
+      /*imdsv2_session_token_url=*/*std::move(imdsv2)};
+}
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
@@ -0,0 +1,76 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_TOKEN_SOURCE_AWS_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_TOKEN_SOURCE_AWS_H
+
+#include "google/cloud/internal/error_context.h"
+#include "google/cloud/internal/oauth2_external_account_token_source.h"
+#include "google/cloud/version.h"
+#include <nlohmann/json.hpp>
+#include <functional>
+
+namespace google {
+namespace cloud {
+namespace oauth2_internal {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+/**
+ * Creates an `ExternalAccountTokenSource` for AWS credential sources.
+ *
+ * External accounts credentials use [OAuth 2.0 Token Exchange][RFC 8693] to
+ * convert a "subject token" into an "access token". The latter is used (as one
+ * would expect) to access GCP services.
+ *
+ * External accounts may obtain the subject tokens from several different
+ * sources. In particular, [AWS][aws-sourced] has a fairly unique protocol to
+ * acquire tokens. This function validates the configuration for AWS-sourced
+ * subject tokens, and returns (if the validation is successful) a functor to
+ * fetch the token.
+ *
+ * Note that fetching the token may fail after this function returns
+ * successfully. For example, some of the involved servers may be unreachable,
+ * or the returned payload may fail to parse.
+ *
+ * [RFC 8693]: https://www.rfc-editor.org/rfc/rfc8693.html
+ * [aws-sourced]:
+ * https://google.aip.dev/auth/4117#determining-the-subject-token-in-aws
+ */
+StatusOr<ExternalAccountTokenSource> MakeExternalAccountTokenSourceAws(
+    nlohmann::json const& credentials_source, internal::ErrorContext const& ec);
+
+/**
+ * Represents the AWS token source configuration.
+ *
+ * In other token sources we do not expose similar types because a simple
+ * functor is easy enough to test.  The AWS token source is sufficiently complex
+ * that it is better to test its implementation in smaller functions.
+ */
+struct ExternalAccountTokenSourceAwsInfo {
+  std::string environment_id;
+  std::string region_url;
+  std::string url;
+  std::string regional_cred_verification_url;
+  std::string imdsv2_session_token_url;
+};
+
+StatusOr<ExternalAccountTokenSourceAwsInfo> ParseExternalAccountTokenSourceAws(
+    nlohmann::json const& credentials_source, internal::ErrorContext const& ec);
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace oauth2_internal
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_EXTERNAL_ACCOUNT_TOKEN_SOURCE_AWS_H