"expires" field from credential helper causes re-invocation of helper too often

[nataliejameson]

Description of the bug:

It looks like in #21429 bazel started respecting the "expires" field from the json of credential_helper. We noticed after upgrading to bazel 7 that this caused our helper to be invoked hundreds to thousands of times in a build. Removing the "expires" field from the emitted json led to only being called a few times during a build. Looking at that PR, it looks like the ordering of Duration.between()'s parameters here are incorrect. Testing locally, if I reversed those parameters, there were not a ton of invocations as we were seeing before.

Which category does this issue belong to?

Remote Execution

What's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

Add the following to .bazelrc

# build --credential_helper="%workspace%/cred_helper_no_expires.sh"
# build --credential_helper="%workspace%/cred_helper_expires.sh"
build --credential_helper_timeout=30s
build --credential_helper_cache_duration=5m

Have cred_helper_no_expires.sh have something like:

#!/bin/bash
date >> /tmp/bazel_invocations
echo '{"headers": {"Authorization": ["<some token here>"]}}'

Have cred_helper_expires.sh have something like:

#!/bin/bash
date >> /tmp/bazel_invocations
echo '{"expires": "2024-08-26T21:44:34+00:00", "headers": {"Authorization": ["<some token here>"]}}'

Run a clean, then run a build with both the expires and the no_expires helper, removing /tmp/bazel_invocations before each call, and then after the build do wc -l on that file. The one with an expires field should have been invoked many more times.

This fix appears to fix the behavior:

diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialCacheExpiry.java b/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialCacheExpiry.java
index 2a8f385260..f09cdcb040 100644
--- a/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialCacheExpiry.java
+++ b/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialCacheExpiry.java
@@ -41,7 +41,7 @@ final class CredentialCacheExpiry implements Expiry<URI, GetCredentialsResponse>
     }

     var now = Instant.now();
-    return Duration.between(expires.get(), now);
+    return Duration.between(now, expires.get());
   }

   @Override

Which operating system are you running Bazel on?

macos, linux

What is the output of bazel info release?

release 7.2.1

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse HEAD ?

No response

If this is a regression, please try to identify the Bazel commit where the bug was introduced with bazelisk --bisect.

No response

Have you found anything relevant by searching the web?

No response

Any other information, logs, or outputs that you want to share?

No response

[tjgq]

Oof, that's embarrassing. Thanks for investigating! I'll submit the fix (and see if I can write a test for it).

[tjgq]

@bazel-io flag 7.4.0

[iancha1992]

@bazel-io fork 7.4.0

[iancha1992]

A fix for this issue has been included in Bazel 7.4.0 RC1. Please test out the release candidate and report any issues as soon as possible.
If you're using Bazelisk, you can point to the latest RC by setting USE_BAZEL_VERSION=7.4.0rc1. Thanks!