From f527577fcc27a06a3db5b9fdc426a71a1b96d5a4 Mon Sep 17 00:00:00 2001
From: Jakob Buchgraber
Date: Tue, 19 Dec 2017 06:51:56 -0800
Subject: [PATCH] remote: Allow auth scopes to be a comma-separated list.
--auth_scopes can be passed a comma-separated list of authentication scopes. Add "https://www.googleapis.com/auth/devstorage.read_write" to the list of defaults. This scope is used when using Google Cloud Storage (GCS) as a remote caching backend.
Change-Id: I62e6fed28b28737823ad6c70cbc5048b3a3190b5
PiperOrigin-RevId: 179548090
---
 .../lib/authandtls/AuthAndTLSOptions.java | 21 ++++++++++++++++---
 .../build/lib/authandtls/GoogleAuthUtils.java | 10 ++++-----
 .../build/lib/remote/GrpcRemoteCacheTest.java | 2 +-
 3 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java b/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java
index 88cae094db7462..2f573f964f55b1 100644
--- a/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java
+++ b/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java
@@ -14,11 +14,13 @@
 package com.google.devtools.build.lib.authandtls;
+import com.google.devtools.common.options.Converters.CommaSeparatedOptionListConverter;
 import com.google.devtools.common.options.Option;
 import com.google.devtools.common.options.OptionDocumentationCategory;
 import com.google.devtools.common.options.OptionEffectTag;
 import com.google.devtools.common.options.OptionMetadataTag;
 import com.google.devtools.common.options.OptionsBase;
+import java.util.List;
 /**
 * Common options for authentication and TLS.
@@ -37,15 +39,28 @@ public class AuthAndTLSOptions extends OptionsBase {
 )
 public boolean authEnabled;
+ /**
+ * Comma-separated list of auth scopes.
+ *
+ *
+ */
 @Option(
 name = "auth_scope",
- defaultValue = "https://www.googleapis.com/auth/cloud-source-tools",
+ defaultValue =
+ "https://www.googleapis.com/auth/cloud-source-tools,"
+ + "https://www.googleapis.com/auth/devstorage.read_write",
+ converter = CommaSeparatedOptionListConverter.class,
 category = "remote",
 documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
 effectTags = {OptionEffectTag.UNKNOWN},
- help = "If server authentication requires a scope, provide it here."
+ help = "A comma-separated list of authentication scopes."
 )
- public String authScope;
+ public List authScope;
 @Option(
 name = "auth_credentials",
diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java b/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java
index 63dda5014b55fd..53fbefd69926f5 100644
--- a/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java
+++ b/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java
@@ -18,7 +18,6 @@
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
-import com.google.common.collect.ImmutableList;
 import io.grpc.CallCredentials;
 import io.grpc.ManagedChannel;
 import io.grpc.auth.MoreCallCredentials;
@@ -32,6 +31,7 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.List;
 import javax.annotation.Nullable;
 /** Utility methods for using {@link AuthAndTLSOptions} with Google Cloud. */
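Review bot: In AuthAndTLSOptions.java the new `defaultValue` makes every authenticated connection request `https://www.googleapis.com/auth/devstorage.read_write` alongside `cloud-source-tools`, including setups that never use GCS, and the shortened `help` string no longer says what the flag controls or what its defaults are. A token that carries a storage read/write scope by default is broader than a gRPC-only backend needs, so the help text should name the defaults and point users at narrowing them, for example `help = "Comma-separated list of OAuth2 scopes requested for remote authentication. The default also includes GCS read/write; pass only the scopes your backend needs."`. The field keeps the singular name `authScope` although it now holds a list, while the private overload in GoogleAuthUtils calls its parameter `authScopes`; one spelling across both files would read better.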
@@ -104,7 +104,7 @@ public static CallCredentials newCallCredentials(AuthAndTLSOptions options) thro
 @VisibleForTesting
 public static CallCredentials newCallCredentials(
- @Nullable InputStream credentialsFile, @Nullable String authScope) throws IOException {
+ @Nullable InputStream credentialsFile, List authScope) throws IOException {
 Credentials creds = newCredentials(credentialsFile, authScope);
 if (creds != null) {
 return MoreCallCredentials.from(creds);
@@ -139,14 +139,14 @@ public static Credentials newCredentials(AuthAndTLSOptions options) throws IOExc
 }
 private static Credentials newCredentials(
- @Nullable InputStream credentialsFile, @Nullable String authScope) throws IOException {
+ @Nullable InputStream credentialsFile, List authScopes) throws IOException {
 try {
 GoogleCredentials creds = credentialsFile == null ? GoogleCredentials.getApplicationDefault() : GoogleCredentials.fromStream(credentialsFile);
- if (authScope != null) {
- creds = creds.createScoped(ImmutableList.of(authScope));
+ if (!authScopes.isEmpty()) {
+ creds = creds.createScoped(authScopes);
 }
 return creds;
 } catch (IOException e) {
diff --git a/src/test/java/com/google/devtools/build/lib/remote/GrpcRemoteCacheTest.java b/src/test/java/com/google/devtools/build/lib/remote/GrpcRemoteCacheTest.java
index 76a992ab163e68..76d35871e91588 100644
--- a/src/test/java/com/google/devtools/build/lib/remote/GrpcRemoteCacheTest.java
+++ b/src/test/java/com/google/devtools/build/lib/remote/GrpcRemoteCacheTest.java
@@ -138,7 +138,7 @@ private GrpcRemoteCache newClient() throws IOException {
 AuthAndTLSOptions authTlsOptions = Options.getDefaults(AuthAndTLSOptions.class);
 authTlsOptions.authEnabled = true;
 authTlsOptions.authCredentials = "/exec/root/creds.json";
- authTlsOptions.authScope = "dummy.scope";
+ authTlsOptions.authScope = ImmutableList.of("dummy.scope");
 GenericJson json = new GenericJson();
 json.put("type", "authorized_user");
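Review bot: The scope parameter loses `@Nullable` in this overload of `newCallCredentials` and in the private `newCredentials` of the @@ -139 hunk, where `authScopes.isEmpty()` is now called unguarded. A caller that still passes `null`, which the old signature allowed and which remains possible because this overload is public for tests, now gets a NullPointerException from inside credential setup rather than a clear argument error. Stating the contract at the entry point fixes that, for example `Preconditions.checkNotNull(authScope, "authScope");` as the first statement of `newCallCredentials`; `Preconditions` is already imported in this file. The body of `newCallCredentials` continues past the end of the hunk.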
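Review bot: An empty scope list silently skips `createScoped` in the private `newCredentials` (@@ -139 hunk), and nothing in the code says whether that is intended. A value such as `--auth_scope=` would presumably be converted to an empty list and so produce credentials with no explicit scopes. A comment above the check would record the decision, for example `// An empty list means: use the credentials as provided, without applying scopes.` If unscoped credentials are not wanted, rejecting an empty list when the option is parsed is the safer choice. The method's `catch` block continues outside the hunk.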