remote: Allow auth scopes to be a comma-separated list.

--auth_scopes can be passed a comma-separated list of authentication scopes. Add "https://www.googleapis.com/auth/devstorage.read_write" to the list of defaults. This scope is used when using Google Cloud Storage (GCS) as a remote caching backend. Change-Id: I62e6fed28b28737823ad6c70cbc5048b3a3190b5 PiperOrigin-RevId: 179548090
agoulti · Dec 19, 2017 · f527577 · f527577
1 parent 905e307
commit f527577
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 9 deletions.
diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java b/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java
@@ -14,11 +14,13 @@
 
 package com.google.devtools.build.lib.authandtls;
 
+import com.google.devtools.common.options.Converters.CommaSeparatedOptionListConverter;
 import com.google.devtools.common.options.Option;
 import com.google.devtools.common.options.OptionDocumentationCategory;
 import com.google.devtools.common.options.OptionEffectTag;
 import com.google.devtools.common.options.OptionMetadataTag;
 import com.google.devtools.common.options.OptionsBase;
+import java.util.List;
 
 /**
  * Common options for authentication and TLS.
@@ -37,15 +39,28 @@ public class AuthAndTLSOptions extends OptionsBase {
   )
   public boolean authEnabled;
 
+  /**
+   * Comma-separated list of auth scopes.
+   *
+   * <ul>
+   *   <li><b>https://www.googleapis.com/auth/cloud-source-tools</b> is the auth scope for Build
+   *       Event Service (BES) and Remote Build Execution (RBE).
+   *   <li><b>https://www.googleapis.com/auth/devstorage.read_write</b> is the auth scope for Google
+   *       Cloud Storage (GCS).
+   * </ul>
+   */
   @Option(
     name = "auth_scope",
-    defaultValue = "https://www.googleapis.com/auth/cloud-source-tools",
+    defaultValue =
+        "https://www.googleapis.com/auth/cloud-source-tools,"
+            + "https://www.googleapis.com/auth/devstorage.read_write",
+    converter = CommaSeparatedOptionListConverter.class,
     category = "remote",
     documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
     effectTags = {OptionEffectTag.UNKNOWN},
-    help = "If server authentication requires a scope, provide it here."
+    help = "A comma-separated list of authentication scopes."
   )
-  public String authScope;
+  public List<String> authScope;
 
   @Option(
     name = "auth_credentials",

diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java b/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java
@@ -18,7 +18,6 @@
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
-import com.google.common.collect.ImmutableList;
 import io.grpc.CallCredentials;
 import io.grpc.ManagedChannel;
 import io.grpc.auth.MoreCallCredentials;
@@ -32,6 +31,7 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.List;
 import javax.annotation.Nullable;
 
 /** Utility methods for using {@link AuthAndTLSOptions} with Google Cloud. */
@@ -104,7 +104,7 @@ public static CallCredentials newCallCredentials(AuthAndTLSOptions options) thro
 
   @VisibleForTesting
   public static CallCredentials newCallCredentials(
-      @Nullable InputStream credentialsFile, @Nullable String authScope) throws IOException {
+      @Nullable InputStream credentialsFile, List<String> authScope) throws IOException {
     Credentials creds = newCredentials(credentialsFile, authScope);
     if (creds != null) {
       return MoreCallCredentials.from(creds);
@@ -139,14 +139,14 @@ public static Credentials newCredentials(AuthAndTLSOptions options) throws IOExc
   }
 
   private static Credentials newCredentials(
-      @Nullable InputStream credentialsFile, @Nullable String authScope) throws IOException {
+      @Nullable InputStream credentialsFile, List<String> authScopes) throws IOException {
     try {
       GoogleCredentials creds =
           credentialsFile == null
               ? GoogleCredentials.getApplicationDefault()
               : GoogleCredentials.fromStream(credentialsFile);
-      if (authScope != null) {
-        creds = creds.createScoped(ImmutableList.of(authScope));
+      if (!authScopes.isEmpty()) {
+        creds = creds.createScoped(authScopes);
       }
       return creds;
     } catch (IOException e) {

diff --git a/src/test/java/com/google/devtools/build/lib/remote/GrpcRemoteCacheTest.java b/src/test/java/com/google/devtools/build/lib/remote/GrpcRemoteCacheTest.java
@@ -138,7 +138,7 @@ private GrpcRemoteCache newClient() throws IOException {
     AuthAndTLSOptions authTlsOptions = Options.getDefaults(AuthAndTLSOptions.class);
     authTlsOptions.authEnabled = true;
     authTlsOptions.authCredentials = "/exec/root/creds.json";
-    authTlsOptions.authScope = "dummy.scope";
+    authTlsOptions.authScope = ImmutableList.of("dummy.scope");
 
     GenericJson json = new GenericJson();
     json.put("type", "authorized_user");