impl(oauth2): add method populate AllowedLocationsRequest type to Credentials (#16080)

Author: scotthart

google/cloud/BUILD.bazel

@@ -237,6 +237,8 @@ cc_library(
     name = "google_cloud_cpp_rest_internal",
     srcs = google_cloud_cpp_rest_internal_srcs,
     hdrs = google_cloud_cpp_rest_internal_hdrs,
+    # TODO(#16079): Remove macro definition when GA.
+    cxxopts = ["-DGOOGLE_CLOUD_CPP_TESTING_ENABLE_RAB"],
     linkopts = select({
         "@platforms//os:windows": [
             "-DEFAULTLIB:bcrypt.lib",
@@ -273,6 +275,8 @@ cc_library(
 [cc_test(
     name = test.replace("/", "_").replace(".cc", ""),
     srcs = [test],
+    # TODO(#16079): Remove macro definition when GA.
+    cxxopts = ["-DGOOGLE_CLOUD_CPP_TESTING_ENABLE_RAB"],
     deps = [
         ":google_cloud_cpp_rest_internal",
         "//google/cloud/testing_util:google_cloud_cpp_testing_private",

google/cloud/internal/oauth2_api_key_credentials.cc

@@ -27,12 +27,9 @@ StatusOr<AccessToken> ApiKeyCredentials::GetToken(
   return AccessToken{std::string{}, tp};
 }
 
-StatusOr<std::vector<rest_internal::HttpHeader>>
-ApiKeyCredentials::AuthenticationHeaders(std::chrono::system_clock::time_point,
-                                         std::string_view) {
-  std::vector<rest_internal::HttpHeader> headers;
-  headers.emplace_back("x-goog-api-key", api_key_);
-  return headers;
+StatusOr<rest_internal::HttpHeader> ApiKeyCredentials::Authorization(
+    std::chrono::system_clock::time_point) {
+  return rest_internal::HttpHeader{"x-goog-api-key", api_key_};
 }
 
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END

google/cloud/internal/oauth2_api_key_credentials.h

@@ -37,9 +37,8 @@ class ApiKeyCredentials : public oauth2_internal::Credentials {
   StatusOr<AccessToken> GetToken(
       std::chrono::system_clock::time_point tp) override;
 
-  StatusOr<std::vector<rest_internal::HttpHeader>> AuthenticationHeaders(
-      std::chrono::system_clock::time_point,
-      std::string_view endpoint) override;
+  StatusOr<rest_internal::HttpHeader> Authorization(
+      std::chrono::system_clock::time_point tp) override;
 
  private:
   std::string api_key_;

google/cloud/internal/oauth2_cached_credentials.cc

@@ -83,6 +83,11 @@ StatusOr<std::string> CachedCredentials::project_id(
   return impl_->project_id(options);
 }
 
+Credentials::AllowedLocationsRequestType
+CachedCredentials::AllowedLocationsRequest() const {
+  return impl_->AllowedLocationsRequest();
+}
+
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
 }  // namespace oauth2_internal
 }  // namespace cloud

google/cloud/internal/oauth2_cached_credentials.h

@@ -54,6 +54,8 @@ class CachedCredentials : public Credentials {
   StatusOr<std::string> universe_domain(Options const& options) const override;
   StatusOr<std::string> project_id() const override;
   StatusOr<std::string> project_id(Options const& options) const override;
+  Credentials::AllowedLocationsRequestType AllowedLocationsRequest()
+      const override;
 
  private:
   std::shared_ptr<Credentials> impl_;

google/cloud/internal/oauth2_compute_engine_credentials.cc

@@ -239,6 +239,16 @@ StatusOr<std::string> ComputeEngineCredentials::project_id(
   return RetrieveProjectId(lk, options);
 }
 
+Credentials::AllowedLocationsRequestType
+ComputeEngineCredentials::AllowedLocationsRequest() const {
+  // TODO(#16079): Remove conditional and else clause when GA.
+#ifdef GOOGLE_CLOUD_CPP_TESTING_ENABLE_RAB
+  return ServiceAccountAllowedLocationsRequest{AccountEmail()};
+#else
+  return std::monostate{};
+#endif
+}
+
 StatusOr<std::string> ComputeEngineCredentials::RetrieveUniverseDomain(
     std::lock_guard<std::mutex> const&, Options const& options) const {
   // Fetch the universe domain only once.

google/cloud/internal/oauth2_compute_engine_credentials.h

@@ -118,6 +118,8 @@ class ComputeEngineCredentials : public Credentials {
   StatusOr<std::string> project_id(
       google::cloud::Options const& options) const override;
 
+  AllowedLocationsRequestType AllowedLocationsRequest() const override;
+
   /**
    * Returns the email or alias of this credential's service account.
    *

google/cloud/internal/oauth2_compute_engine_credentials_test.cc

@@ -53,6 +53,7 @@ using ::testing::Property;
 using ::testing::Return;
 using ::testing::UnorderedElementsAre;
 using ::testing::UnorderedElementsAreArray;
+using ::testing::VariantWith;
 
 using MockHttpClientFactory =
     ::testing::MockFunction<std::unique_ptr<rest_internal::RestClient>(
@@ -387,6 +388,10 @@ TEST(ComputeEngineCredentialsTest, FailedRefresh) {
                        HasSubstr("Could not find all required fields")));
 }
 
+MATCHER_P(RequestServiceAccountEmailIs, email, "has service account email") {
+  return email == arg.service_account_email;
+}
+
 /// @test Verify that we can force a refresh of the service account email.
 TEST(ComputeEngineCredentialsTest, AccountEmail) {
   auto const alias = std::string{"default"};
@@ -416,6 +421,15 @@ TEST(ComputeEngineCredentialsTest, AccountEmail) {
   auto refreshed_email = credentials.AccountEmail();
   EXPECT_EQ(email, refreshed_email);
   EXPECT_EQ(credentials.service_account_email(), refreshed_email);
+  // TODO(#16079): Remove conditional and else clause when GA.
+#ifdef GOOGLE_CLOUD_CPP_TESTING_ENABLE_RAB
+  EXPECT_THAT(credentials.AllowedLocationsRequest(),
+              VariantWith<ServiceAccountAllowedLocationsRequest>(
+                  RequestServiceAccountEmailIs(email)));
+#else
+  EXPECT_THAT(credentials.AllowedLocationsRequest(),
+              VariantWith<std::monostate>(std::monostate()));
+#endif
 }
 
 auto expected_universe_domain_request = []() {

google/cloud/internal/oauth2_credentials.cc

@@ -31,8 +31,9 @@ Credentials::AuthenticationHeaders(std::chrono::system_clock::time_point tp,
   if (!authorization->empty()) headers.push_back(*std::move(authorization));
 
   auto allowed_locations = AllowedLocations(tp, endpoint);
-  // Not all credential types support the x-allowed-locations header. For those
-  // that do, if there is a problem retrieving the header, omit the header.
+  // Not all credential types support the x-allowed-locations header. For
+  // those that do, if there is a problem retrieving the header, omit the
+  // header.
   if (allowed_locations.ok() && !allowed_locations->empty()) {
     headers.push_back(*std::move(allowed_locations));
   }

google/cloud/internal/oauth2_credentials.h

@@ -22,13 +22,27 @@
 #include "google/cloud/version.h"
 #include <chrono>
 #include <string>
+#include <variant>
 #include <vector>
 
 namespace google {
 namespace cloud {
 namespace oauth2_internal {
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
 
+struct ServiceAccountAllowedLocationsRequest {
+  std::string service_account_email;
+};
+
+struct WorkloadIdentityAllowedLocationsRequest {
+  std::string project_id;
+  std::string pool_id;
+};
+
+struct WorkforceIdentityAllowedLocationsRequest {
+  std::string pool_id;
+};
+
 /**
  * Interface for OAuth 2.0 credentials for use with Google's Unified Auth Client
  * (GUAC) library. Internally, GUAC credentials are mapped to the appropriate
@@ -69,9 +83,8 @@ class Credentials {
    * @param endpoint the endpoint of the GCP service the RPC request will be
    *     sent to.
    */
-  virtual StatusOr<std::vector<rest_internal::HttpHeader>>
-  AuthenticationHeaders(std::chrono::system_clock::time_point tp,
-                        std::string_view endpoint);
+  StatusOr<std::vector<rest_internal::HttpHeader>> AuthenticationHeaders(
+      std::chrono::system_clock::time_point tp, std::string_view endpoint);
 
   /**
    * Try to sign @p string_to_sign using @p service_account.
@@ -160,6 +173,20 @@ class Credentials {
    */
   virtual StatusOr<AccessToken> GetToken(
       std::chrono::system_clock::time_point tp) = 0;
+
+  using AllowedLocationsRequestType =
+      std::variant<std::monostate, ServiceAccountAllowedLocationsRequest,
+                   WorkforceIdentityAllowedLocationsRequest,
+                   WorkloadIdentityAllowedLocationsRequest>;
+  /**
+   * Obtains the request type from the underlying credential, if supported.
+   *
+   * Not all credential types support the `x-allowed-locations` header, but
+   * those that do vary in the data needed to format the request to IAM.
+   */
+  virtual AllowedLocationsRequestType AllowedLocationsRequest() const {
+    return std::monostate{};
+  }
 };
 
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END