#gpowerd - Add build targets for auth

These are used for unit tests in g3 only.
Most of the same unit tests are run in the gBMC docker already.

PiperOrigin-RevId: 724471150
Change-Id: I94b016038635a4fdd701371b3c999d8f576a0fca
diff --git a/bmc/auth.cc b/bmc/auth.cc
index a87cebe..870822b 100644
--- a/bmc/auth.cc
+++ b/bmc/auth.cc
@@ -3,81 +3,75 @@
 // actuating power cycles on the machine.
 
 #include "bmc/auth.h"
-#include <gmi/machine_identity.pb.h>
 #include <gpowerd_build_config.h>
 
-#include <grpcpp/grpcpp.h>
+#include <filesystem>  // NOLINT(build/c++17)
+#include <memory>
 #include <string>
-#include <string_view>
-#include <filesystem>  // NOLINT
+#include <system_error>  // NOLINT(build/c++11)
+#include <utility>
+
+#include "bmc/auth_loas3.h"
 #include "bmc/gmi_reader.h"
+#include "absl/log/log.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/str_format.h"
+#include "grpc/grpc_security_constants.h"
+#include "grpcpp/security/authorization_policy_provider.h"
 #include "grpcpp/security/server_credentials.h"
 #include "grpcpp/security/tls_certificate_provider.h"
 #include "grpcpp/security/tls_certificate_verifier.h"
 #include "grpcpp/security/tls_credentials_options.h"
-#include "grpcpp/ext/proto_server_reflection_plugin.h"
-#include "grpcpp/health_check_service_interface.h"
-#include "absl/base/log_severity.h"
-#include "absl/log/log.h"
-#include "absl/strings/str_format.h"
-#include "absl/status/statusor.h"
+#include "grpcpp/server_builder.h"
+#include "grpcpp/support/status.h"
 #include "zatar/generate_self_signed_cert.h"
 
-#include "bmc/auth_loas3.h"
-
 namespace auth {
 
-using ::grpc::experimental::TlsCustomVerificationCheckRequest;
+using ::grpc::experimental::AuthorizationPolicyProviderInterface;
 using ::grpc::experimental::ExternalCertificateVerifier;
-using ::grpc::ServerBuilder;
+using ::grpc::experimental::FileWatcherAuthorizationPolicyProvider;
 using ::grpc::experimental::FileWatcherCertificateProvider;
 using ::grpc::experimental::TlsServerCredentials;
 using ::grpc::experimental::TlsServerCredentialsOptions;
-using ::grpc::experimental::AuthorizationPolicyProviderInterface;
 using ::milotic::authn::SelfSignedCertOptions;
-using ::grpc::experimental::FileWatcherAuthorizationPolicyProvider;
 
-
-absl::StatusOr<std::shared_ptr<grpc::ServerCredentials>> GetCredsInfo()
-{
-  #ifdef LOAS3_AUTH
+absl::StatusOr<std::shared_ptr<grpc::ServerCredentials>> GetCredsInfo() {
+#ifdef LOAS3_AUTH
   SetupLoas3();
-  #else
+#else
   LOG(WARNING) << "LOAS3 is not enabled";
-  #endif
+#endif
 
   std::error_code file_error;
   bool file_exist = std::filesystem::exists(kZatarCertFilePath, file_error);
-  if (file_error)
-  {
+  if (file_error) {
     return absl::NotFoundError("tls file path error: " + file_error.message() +
-                              "file path: "+ std::string(kZatarCertFilePath));
+                               "file path: " + std::string(kZatarCertFilePath));
   }
   std::string keypair_path;
-  if (file_exist)
-  {
+  if (file_exist) {
     keypair_path = std::string(kZatarCertFilePath);
   } else {
-  // cert is not present (self sign a cert)
+    // cert is not present (self sign a cert)
     keypair_path = absl::StrFormat("/tmp/gpowerd_self_signed_%d.pem", getpid());
-    absl::StatusOr<std::string> host_name = gmi_reader::ReadGmiHostName();;
-    {
-      absl::Status errStatus = host_name.status();
-      return absl::NotFoundError("unable to read gmi host name: " +
-                                  std::string(errStatus.message()));
+    absl::StatusOr<std::string> host_name = gmi_reader::ReadGmiHostName();
+    if (!host_name.ok()) {
+      LOG(ERROR) << "unable to read gmi host name: " << host_name.status();
+      return host_name.status();
     }
     SelfSignedCertOptions option;
     option.server_fqdn = *host_name;
     if (absl::Status status =
             GenerateSelfSignedCertAndDump(keypair_path, option);
-        !status.ok())
-    {
-       return absl::UnavailableError("unable to write self signed cert: " +
-                                  std::string(status.message()));
+        !status.ok()) {
+      LOG(ERROR) << "unable to write self signed cert: " << status;
+      return status;
     }
   }
   auto certificateProvider = std::make_shared<FileWatcherCertificateProvider>(
-        keypair_path, keypair_path, std::string(kTrustBundleFilePath),
+      keypair_path, keypair_path, std::string(kTrustBundleFilePath),
       /* refresh_interval_sec */ 30);
 
   TlsServerCredentialsOptions options(certificateProvider);
@@ -86,37 +80,32 @@
   options.watch_identity_key_cert_pairs();
   options.set_cert_request_type(
       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
-  #ifdef LOAS3_AUTH
+#ifdef LOAS3_AUTH
   auto cert_verifier = ExternalCertificateVerifier::Create<PeerVerifier>();
   options.set_certificate_verifier(std::move(cert_verifier));
-  #endif
+#endif
   std::shared_ptr<grpc::ServerCredentials> tlsServerCredentials =
-    TlsServerCredentials(options);
-  if (tlsServerCredentials == nullptr)
-  {
-     LOG(ERROR) << "tls Server Credentials error:";
+      TlsServerCredentials(options);
+  if (tlsServerCredentials == nullptr) {
+    LOG(ERROR) << "tls Server Credentials error:";
     return absl::NotFoundError("tls Server Credentials error");
   }
   return tlsServerCredentials;
 }
 
 absl::StatusOr<std::shared_ptr<AuthorizationPolicyProviderInterface>>
-  GetAuthPolicy()
-{
-    grpc::Status policy_status;
-    std::shared_ptr<AuthorizationPolicyProviderInterface> policy =
-        FileWatcherAuthorizationPolicyProvider::Create(
-            std::string(kGpowerDCertAuthZPolicy),
-            /* policy refresh_interval_sec = 30 */ 30, &policy_status);
-    if (!policy_status.ok())
-    {
-      return absl::NotFoundError("failed to load policy file error: " +
-                                policy_status.error_message() +
-                                "file path:" +
-                                std::string(kGpowerDCertAuthZPolicy));
-    }
-    return policy;
+GetAuthPolicy() {
+  grpc::Status policy_status;
+  std::shared_ptr<AuthorizationPolicyProviderInterface> policy =
+      FileWatcherAuthorizationPolicyProvider::Create(
+          std::string(kGpowerDCertAuthZPolicy),
+          /* policy refresh_interval_sec = 30 */ 30, &policy_status);
+  if (!policy_status.ok()) {
+    return absl::NotFoundError(
+        "failed to load policy file error: " + policy_status.error_message() +
+        "file path:" + std::string(kGpowerDCertAuthZPolicy));
+  }
+  return policy;
 }
 
 }  // namespace auth
-
diff --git a/bmc/auth.h b/bmc/auth.h
index 2fed7bc..fcfa9c9 100644
--- a/bmc/auth.h
+++ b/bmc/auth.h
@@ -1,36 +1,28 @@
 #ifndef PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_H_
 #define PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_H_
 
-#include <grpcpp/grpcpp.h>
+#include <memory>
 
-#include <string>
-#include <string_view>
-
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "grpcpp/security/authorization_policy_provider.h"
 #include "grpcpp/security/server_credentials.h"
-#include "grpcpp/security/tls_certificate_provider.h"
-#include "grpcpp/security/tls_certificate_verifier.h"
-#include "grpcpp/security/tls_credentials_options.h"
-#include "grpcpp/ext/proto_server_reflection_plugin.h"
-#include "grpcpp/health_check_service_interface.h"
 
 namespace auth {
 
-using ::grpc::experimental::AuthorizationPolicyProviderInterface;
+constexpr absl::string_view kZatarCertFilePath =
+    "/var/volatile/prodid/server.pem";
+constexpr absl::string_view kGpowerDCertAuthZPolicy =
+    "/var/google/authz_policies/gpowerd_authz_policy.json";
+constexpr absl::string_view kTrustBundleFilePath =
+    "/var/google/trust_bundle/trust_bundle.pem";
 
-constexpr absl::string_view kZatarCertFilePath
-    = "/var/volatile/prodid/server.pem";
-constexpr absl::string_view kGpowerDCertAuthZPolicy
-    = "/var/google/authz_policies/gpowerd_authz_policy.json";
-constexpr absl::string_view kTrustBundleFilePath
-    = "/var/google/trust_bundle/trust_bundle.pem";
+absl::StatusOr<std::shared_ptr<grpc::ServerCredentials>> GetCredsInfo();
 
-absl::StatusOr<std::shared_ptr<grpc::ServerCredentials> > GetCredsInfo();
-
-absl::StatusOr<std::shared_ptr<AuthorizationPolicyProviderInterface> >
-  GetAuthPolicy();
+absl::StatusOr<
+    std::shared_ptr<::grpc::experimental::AuthorizationPolicyProviderInterface>>
+GetAuthPolicy();
 
 }  // namespace auth
 
-
-
 #endif  // PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_H_
diff --git a/bmc/auth_loas3.h b/bmc/auth_loas3.h
index 2efb89a..78b68a2 100644
--- a/bmc/auth_loas3.h
+++ b/bmc/auth_loas3.h
@@ -1,81 +1,73 @@
 #ifndef PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_
 #define PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_
 
+// THIS FILE IS NOT SUPPORTED BY THE gbmc-docker UT ENVIRONMENT
+#ifdef LOAS3_AUTH
 
-// THIS FILE IS NOT SUPPORTED BY THE UT ENVIRONMENT
-#if LOAS3_AUTH
+#include <cstddef>
+#include <functional>
+#include <ostream>
+#include <vector>
+
+#include "absl/strings/str_cat.h"
+#include "absl/strings/string_view.h"
+#include "grpcpp/support/status.h"
+#include "grpcpp/support/string_ref.h"
 
 // this file is not supported by the gBMC unit test framework,
-// but it is supported by the bitbake firmaware builds
+// but it is supported by the bitbake firmware builds
 #include <gpowerd_build_config.h>
 
-#include <grpcpp/grpcpp.h>
-#include <string>
-#include <string_view>
-#include "bmc/gmi_reader.h"
-#include "grpcpp/security/server_credentials.h"
-#include "grpcpp/security/tls_certificate_provider.h"
 #include "grpcpp/security/tls_certificate_verifier.h"
-#include "grpcpp/security/tls_credentials_options.h"
-#include "grpcpp/ext/proto_server_reflection_plugin.h"
-#include "absl/base/log_severity.h"
 #include "absl/log/log.h"
 
-// This header does not exist in the ut environment
+// This header does not exist in the gBMC unit test framework ut environment
 #include "security/zatar/loas3_validation/validation/validation.h"
 
-
 namespace auth {
 
-using ::grpc::experimental::TlsCustomVerificationCheckRequest;
 using ::grpc::experimental::ExternalCertificateVerifier;
+using ::grpc::experimental::TlsCustomVerificationCheckRequest;
 
-void SetupLoas3(){
+static inline void SetupLoas3() {
   LOG(INFO) << "Setting up LOAS3";
   security::SetCertificateAuthorityPolicyFilePath(
-        "/var/google/loas3/policy.pb");
+      "/var/google/loas3/policy.pb");
 }
 
-std::vector<std::string_view>
-    ToStringViewVector(const std::vector<grpc::string_ref>& string_refs)
-{
-    std::vector<std::string_view> strs(string_refs.size());
-    for (size_t i = 0; i < string_refs.size(); ++i)
-    {
-        strs[i] =
-            std::string_view(string_refs[i].data(), string_refs[i].size());
-    }
-    return strs;
+static std::vector<absl::string_view> ToStringViewVector(
+    const std::vector<grpc::string_ref>& string_refs) {
+  std::vector<absl::string_view> strs(string_refs.size());
+  for (size_t i = 0; i < string_refs.size(); ++i) {
+    strs[i] = absl::string_view(string_refs[i].data(), string_refs[i].size());
+  }
+  return strs;
 }
 
-class PeerVerifier : public ExternalCertificateVerifier
-{
+class PeerVerifier : public ExternalCertificateVerifier {
  public:
-    PeerVerifier() = default;
-    ~PeerVerifier() override = default;
-    bool Verify([[maybe_unused]] TlsCustomVerificationCheckRequest* request,
-                std::function<void(grpc::Status)>,
-                grpc::Status* sync_status) override
-    {
-        std::vector<std::string_view> peer_uri_names =
-            ToStringViewVector(request->uri_names());
-        std::vector<std::string_view> peer_dns_names =
-            ToStringViewVector(request->dns_names());
-        absl::Status status = security::ValidatePeer(
-            peer_uri_names, peer_dns_names,
-            request->verified_root_cert_subject().data());
-        if (!status.ok())
-        {
-            *sync_status =
-                grpc::Status(grpc::StatusCode::PERMISSION_DENIED,
-                             // This is from Federation policy check
-                             absl::StrCat("From Federation policy check: ",
-                                          status.message()));
-            LOG(ERROR) << status.message() << std::endl;
-        }
-        return true;
+  PeerVerifier() = default;
+  ~PeerVerifier() override = default;
+  bool Verify([[maybe_unused]] TlsCustomVerificationCheckRequest* request,
+              std::function<void(grpc::Status)>,
+              grpc::Status* sync_status) override {
+    std::vector<absl::string_view> peer_uri_names =
+        ToStringViewVector(request->uri_names());
+    std::vector<absl::string_view> peer_dns_names =
+        ToStringViewVector(request->dns_names());
+    absl::Status status =
+        security::ValidatePeer(peer_uri_names, peer_dns_names,
+                               request->verified_root_cert_subject().data());
+    if (!status.ok()) {
+      *sync_status = grpc::Status(
+          grpc::StatusCode::PERMISSION_DENIED,
+          // This is from Federation policy check
+          absl::StrCat("From Federation policy check: ", status.message()));
+      LOG(ERROR) << status.message() << std::endl;
     }
-    void Cancel(TlsCustomVerificationCheckRequest*) override {}
+    return true;
+  }
+  void Cancel(TlsCustomVerificationCheckRequest*) override {}
 };
 
 }  // namespace auth