impl(oauth2): port service account credential prerequisites

.typos.toml

@@ -14,6 +14,7 @@ extend-exclude = [
     # Files with crypto-keys in them
     "google/cloud/internal/rest_client_integration_test.cc",
     "google/cloud/internal/grpc_service_account_authentication_test.cc",
+    "google/cloud/testing_util/credentials_constants.h",
     "google/cloud/storage/client_options_test.cc",
     "google/cloud/storage/client_sign_policy_document_test.cc",
     "google/cloud/storage/client_sign_url_test.cc",

google/cloud/CMakeLists.txt

@@ -622,6 +622,7 @@ endif ()
 if (GOOGLE_CLOUD_CPP_ENABLE_REST)
     include(IncludeNlohmannJson)
     include(FindCurlWithTargets)
+    find_package(OpenSSL REQUIRED)
 
     # the library
     add_library(
@@ -639,6 +640,8 @@ if (GOOGLE_CLOUD_CPP_ENABLE_REST)
         internal/curl_wrappers.h
         internal/http_payload.cc
         internal/http_payload.h
+        internal/make_jwt_assertion.cc
+        internal/make_jwt_assertion.h
         internal/oauth2_access_token_credentials.cc
         internal/oauth2_access_token_credentials.h
         internal/oauth2_anonymous_credentials.cc
@@ -654,6 +657,8 @@ if (GOOGLE_CLOUD_CPP_ENABLE_REST)
         internal/oauth2_error_credentials.h
         internal/oauth2_refreshing_credentials_wrapper.cc
         internal/oauth2_refreshing_credentials_wrapper.h
+        internal/openssl_util.cc
+        internal/openssl_util.h
         internal/rest_client.cc
         internal/rest_client.h
         internal/rest_options.h
@@ -664,7 +669,7 @@ if (GOOGLE_CLOUD_CPP_ENABLE_REST)
     target_link_libraries(
         google_cloud_cpp_rest_internal
         PUBLIC absl::span google-cloud-cpp::common CURL::libcurl
-               nlohmann_json::nlohmann_json)
+               nlohmann_json::nlohmann_json OpenSSL::SSL OpenSSL::Crypto)
     google_cloud_cpp_add_common_options(google_cloud_cpp_rest_internal)
     target_include_directories(
         google_cloud_cpp_rest_internal
@@ -716,11 +721,13 @@ if (GOOGLE_CLOUD_CPP_ENABLE_REST)
             internal/curl_impl_test.cc
             internal/curl_wrappers_test.cc
             internal/http_payload_test.cc
+            internal/make_jwt_assertion_test.cc
             internal/oauth2_access_token_credentials_test.cc
             internal/oauth2_anonymous_credentials_test.cc
             internal/oauth2_authorized_user_credentials_test.cc
             internal/oauth2_compute_engine_credentials_test.cc
             internal/oauth2_refreshing_credentials_wrapper_test.cc
+            internal/openssl_util_test.cc
             internal/rest_client_test.cc
             internal/rest_request_test.cc
             internal/rest_response_test.cc)

google/cloud/google_cloud_cpp_rest_internal.bzl

@@ -24,6 +24,7 @@ google_cloud_cpp_rest_internal_hdrs = [
     "internal/curl_options.h",
     "internal/curl_wrappers.h",
     "internal/http_payload.h",
+    "internal/make_jwt_assertion.h",
     "internal/oauth2_access_token_credentials.h",
     "internal/oauth2_anonymous_credentials.h",
     "internal/oauth2_authorized_user_credentials.h",
@@ -32,6 +33,7 @@ google_cloud_cpp_rest_internal_hdrs = [
     "internal/oauth2_credentials.h",
     "internal/oauth2_error_credentials.h",
     "internal/oauth2_refreshing_credentials_wrapper.h",
+    "internal/openssl_util.h",
     "internal/rest_client.h",
     "internal/rest_options.h",
     "internal/rest_request.h",
@@ -45,13 +47,15 @@ google_cloud_cpp_rest_internal_srcs = [
     "internal/curl_impl.cc",
     "internal/curl_wrappers.cc",
     "internal/http_payload.cc",
+    "internal/make_jwt_assertion.cc",
     "internal/oauth2_access_token_credentials.cc",
     "internal/oauth2_anonymous_credentials.cc",
     "internal/oauth2_authorized_user_credentials.cc",
     "internal/oauth2_compute_engine_credentials.cc",
     "internal/oauth2_credentials.cc",
     "internal/oauth2_error_credentials.cc",
     "internal/oauth2_refreshing_credentials_wrapper.cc",
+    "internal/openssl_util.cc",
     "internal/rest_client.cc",
     "internal/rest_request.cc",
     "internal/rest_response.cc",

google/cloud/google_cloud_cpp_rest_internal_unit_tests.bzl

@@ -23,11 +23,13 @@ google_cloud_cpp_rest_internal_unit_tests = [
     "internal/curl_impl_test.cc",
     "internal/curl_wrappers_test.cc",
     "internal/http_payload_test.cc",
+    "internal/make_jwt_assertion_test.cc",
     "internal/oauth2_access_token_credentials_test.cc",
     "internal/oauth2_anonymous_credentials_test.cc",
     "internal/oauth2_authorized_user_credentials_test.cc",
     "internal/oauth2_compute_engine_credentials_test.cc",
     "internal/oauth2_refreshing_credentials_wrapper_test.cc",
+    "internal/openssl_util_test.cc",
     "internal/rest_client_test.cc",
     "internal/rest_request_test.cc",
     "internal/rest_response_test.cc",

google/cloud/internal/make_jwt_assertion.cc

@@ -0,0 +1,36 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/make_jwt_assertion.h"
+#include "google/cloud/internal/openssl_util.h"
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+
+StatusOr<std::string> MakeJWTAssertionNoThrow(std::string const& header,
+                                              std::string const& payload,
+                                              std::string const& pem_contents) {
+  auto const body =
+      UrlsafeBase64Encode(header) + '.' + UrlsafeBase64Encode(payload);
+  auto pem_signature = internal::SignUsingSha256(body, pem_contents);
+  if (!pem_signature) return std::move(pem_signature).status();
+  return body + '.' + UrlsafeBase64Encode(*pem_signature);
+}
+
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google

google/cloud/internal/make_jwt_assertion.h

@@ -0,0 +1,35 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_MAKE_JWT_ASSERTION_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_MAKE_JWT_ASSERTION_H
+
+#include "google/cloud/status_or.h"
+#include "google/cloud/version.h"
+#include <string>
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+StatusOr<std::string> MakeJWTAssertionNoThrow(std::string const& header,
+                                              std::string const& payload,
+                                              std::string const& pem_contents);
+
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_MAKE_JWT_ASSERTION_H

google/cloud/internal/make_jwt_assertion_test.cc

@@ -0,0 +1,67 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/make_jwt_assertion.h"
+#include "google/cloud/testing_util/credentials_constants.h"
+#include "google/cloud/testing_util/status_matchers.h"
+#include "absl/strings/str_split.h"
+#include <gmock/gmock.h>
+#include <nlohmann/json.hpp>
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+namespace {
+
+using ::google::cloud::testing_util::IsOk;
+
+TEST(MakeJWTAssertionNoThrow, Basic) {
+  auto header = nlohmann::json{
+      {"alg", "HS256"}, {"typ", "JWT"}, {"kid", "test-key-name"}};
+  auto payload = nlohmann::json{
+      {"iss", "[email protected]"},
+      {"sub", "[email protected]"},
+      {"aud", "https//not-a-service.googleapis.com"},
+      {"iat", "1511900000"},
+      {"exp", "1511903600"},
+  };
+  auto const assertion = MakeJWTAssertionNoThrow(
+      header.dump(), payload.dump(), testing_util::kWellFormattedKey);
+  ASSERT_THAT(assertion, IsOk());
+
+  std::vector<std::string> components = absl::StrSplit(*assertion, '.');
+  EXPECT_EQ(components.size(), 3);
+}
+
+TEST(MakeJWTAssertionNoThrow, InvalidKey) {
+  auto header = nlohmann::json{
+      {"alg", "HS256"}, {"typ", "JWT"}, {"kid", "test-key-name"}};
+  auto payload = nlohmann::json{
+      {"iss", "[email protected]"},
+      {"sub", "[email protected]"},
+      {"aud", "https//not-a-service.googleapis.com"},
+      {"iat", "1511900000"},
+      {"exp", "1511903600"},
+  };
+  auto const assertion =
+      MakeJWTAssertionNoThrow(header.dump(), payload.dump(), "invalid-key");
+  ASSERT_THAT(assertion, Not(IsOk()));
+}
+
+}  // namespace
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google

google/cloud/internal/openssl_util.cc

@@ -0,0 +1,152 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/openssl_util.h"
+#include "google/cloud/internal/base64_transforms.h"
+#include <openssl/bio.h>
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+#include <openssl/opensslv.h>
+#include <openssl/pem.h>
+#include <memory>
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+
+namespace {
+// The name of the function to free an EVP_MD_CTX changed in OpenSSL 1.1.0.
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)  // Older than version 1.1.0.
+inline std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_destroy)>
+GetDigestCtx() {
+  return std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_destroy)>(
+      EVP_MD_CTX_create(), &EVP_MD_CTX_destroy);
+};
+#else
+inline std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)> GetDigestCtx() {
+  return std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>(
+      EVP_MD_CTX_new(), &EVP_MD_CTX_free);
+};
+#endif
+}  // namespace
+
+StatusOr<std::vector<std::uint8_t>> SignUsingSha256(
+    std::string const& str, std::string const& pem_contents) {
+  auto digest_ctx = GetDigestCtx();
+  if (!digest_ctx) {
+    return Status(StatusCode::kInvalidArgument,
+                  "Invalid ServiceAccountCredentials: "
+                  "could not create context for OpenSSL digest. ");
+  }
+
+  EVP_MD const* digest_type = EVP_sha256();
+  if (digest_type == nullptr) {
+    return Status(StatusCode::kInvalidArgument,
+                  "Invalid ServiceAccountCredentials: "
+                  "could not find specified digest in OpenSSL. ");
+  }
+
+  auto pem_buffer = std::unique_ptr<BIO, decltype(&BIO_free)>(
+      BIO_new_mem_buf(pem_contents.data(),
+                      static_cast<int>(pem_contents.length())),
+      &BIO_free);
+  if (!pem_buffer) {
+    return Status(StatusCode::kInvalidArgument,
+                  "Invalid ServiceAccountCredentials: "
+                  "could not create PEM buffer. ");
+  }
+
+  auto private_key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(
+      PEM_read_bio_PrivateKey(
+          pem_buffer.get(),
+          nullptr,  // EVP_PKEY **x
+          nullptr,  // pem_password_cb *cb -- a custom callback.
+          // void *u -- this represents the password for the PEM (only
+          // applicable for formats such as PKCS12 (.p12 files) that use
+          // a password, which we don't currently support.
+          nullptr),
+      &EVP_PKEY_free);
+  if (!private_key) {
+    return Status(StatusCode::kInvalidArgument,
+                  "Invalid ServiceAccountCredentials: "
+                  "could not parse PEM to get private key ");
+  }
+
+  int const digest_sign_success_code = 1;
+  if (digest_sign_success_code !=
+      EVP_DigestSignInit(digest_ctx.get(),
+                         nullptr,  // `EVP_PKEY_CTX **pctx`
+                         digest_type,
+                         nullptr,  // `ENGINE *e`
+                         private_key.get())) {
+    return Status(StatusCode::kInvalidArgument,
+                  "Invalid ServiceAccountCredentials: "
+                  "could not initialize PEM digest. ");
+  }
+
+  if (digest_sign_success_code !=
+      EVP_DigestSignUpdate(digest_ctx.get(), str.data(), str.length())) {
+    return Status(StatusCode::kInvalidArgument,
+                  "Invalid ServiceAccountCredentials: "
+                  "could not update PEM digest. ");
+  }
+
+  std::size_t signed_str_size = 0;
+  // Calling this method with a nullptr buffer will populate our size var
+  // with the resulting buffer's size. This allows us to then call it again,
+  // with the correct buffer and size, which actually populates the buffer.
+  if (digest_sign_success_code !=
+      EVP_DigestSignFinal(digest_ctx.get(),
+                          nullptr,  // unsigned char *sig
+                          &signed_str_size)) {
+    return Status(StatusCode::kInvalidArgument,
+                  "Invalid ServiceAccountCredentials: "
+                  "could not finalize PEM digest (1/2). ");
+  }
+
+  std::vector<unsigned char> signed_str(signed_str_size);
+  if (digest_sign_success_code != EVP_DigestSignFinal(digest_ctx.get(),
+                                                      signed_str.data(),
+                                                      &signed_str_size)) {
+    return Status(StatusCode::kInvalidArgument,
+                  "Invalid ServiceAccountCredentials: "
+                  "could not finalize PEM digest (2/2). ");
+  }
+
+  return StatusOr<std::vector<unsigned char>>(
+      {signed_str.begin(), signed_str.end()});
+}
+
+StatusOr<std::vector<std::uint8_t>> UrlsafeBase64Decode(
+    std::string const& str) {
+  if (str.empty()) return std::vector<std::uint8_t>{};
+  std::string b64str = str;
+  std::replace(b64str.begin(), b64str.end(), '-', '+');
+  std::replace(b64str.begin(), b64str.end(), '_', '/');
+  // To restore the padding there are only two cases:
+  //    https://en.wikipedia.org/wiki/Base64#Decoding_Base64_without_padding
+  if (b64str.length() % 4 == 2) {
+    b64str.append("==");
+  } else if (b64str.length() % 4 == 3) {
+    b64str.append("=");
+  }
+  return Base64DecodeToBytes(b64str);
+}
+
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google