Revert "Remove duplicate credshelper code in re-client"

This reverts commit 51f4875706f1b0ada37f96a4fb7e3ce6bbf38246.

Reason for revert: Causes auth failure on windows when using luci-auth

Bug: na
Test: failure on windows with luci-auth
Change-Id: I1b701eceaf0f2bd82744ee38539a7e3de726cd29
GitOrigin-RevId: 102018bc1e69e0ce3a2c3be5a688dbb8c62b43c5

MODULE.bazel

@@ -192,6 +192,7 @@ use_repo(
     "com_github_googlecloudplatform_protoc_gen_bq_schema",
     "com_github_gorilla_mux",
     "com_github_gosuri_uilive",
+    "com_github_hectane_go_acl",
     "com_github_karrick_godirwalk",
     "com_github_microsoft_go_winio",
     "com_github_pkg_xattr",

cmd/bootstrap/main.go

@@ -54,8 +54,10 @@ import (
 var bootstrapStart = time.Now()
 
 var (
-	homeDir, _ = os.UserHomeDir()
-	logDir     = os.TempDir()
+	homeDir, _   = os.UserHomeDir()
+	gcertErrMsg  = fmt.Sprintf("\nTry restarting the build after running %q\n", "gcert")
+	gcloudErrMsg = fmt.Sprintf("\nTry restarting the build after running %q\n", "gcloud auth login")
+	logDir       = os.TempDir()
 )
 
 var (
@@ -141,15 +143,9 @@ func main() {
 		log.Exitf("Failed to determine the token cache file name: %v", err)
 	}
 	var chCreds *credshelper.Credentials
+	var creds *auth.Credentials
 	var ts *grpcOauth.TokenSource
-	credsArgs := []string{}
 	if !*remoteDisabled {
-		if *experimentalCredentialsHelper != "" && *credentialsHelper == "" {
-			*credentialsHelper = *experimentalCredentialsHelper
-			*credentialsHelperArgs = *experimentalCredentialsHelperArgs
-			credsArgs = append(credsArgs, fmt.Sprintf("--%v=%v", credshelper.CredshelperPathFlag, *credentialsHelper))
-			credsArgs = append(credsArgs, fmt.Sprintf("--%v=%v", credshelper.CredshelperArgsFlag, *credentialsHelperArgs))
-		}
 		if *credentialsHelper != "" {
 			c, err := credshelper.NewExternalCredentials(*credentialsHelper, strings.Fields(*credentialsHelperArgs), cf)
 			if err != nil {
@@ -164,12 +160,15 @@ func main() {
 			chCreds = c
 			ts = c.TokenSource()
 		} else {
-			m := authMechanism()
-			status, err := auth.UpdateStatus(m)
+			c := newCreds(cf)
+			status, err := c.UpdateStatus()
 			if err != nil {
 				log.Errorf("Error obtaining credentials: %v", err)
 				os.Exit(status)
 			}
+			c.SaveToDisk()
+			creds = c
+			ts = c.TokenSource()
 		}
 	}
 
@@ -255,14 +254,14 @@ func main() {
 	currArgs := args[:]
 	if *experimentalCredentialsHelper != "" || *credentialsHelper != "" {
 		currArgs = append(currArgs, "--use_external_auth_token=true")
-		currArgs = append(currArgs, credsArgs...)
 	}
 	msg, exitCode := bootstrapReproxy(currArgs, bootstrapStart)
 	if exitCode == 0 {
 		fmt.Println(msg)
 	} else {
 		fmt.Fprintf(os.Stderr, "\nReproxy failed to start:%s\nCredentials cache file was deleted. Please try again. If this continues to fail, please file a bug.\n", msg)
 		chCreds.RemoveFromDisk()
+		creds.RemoveFromDisk()
 	}
 	log.Flush()
 	os.Exit(exitCode)
@@ -371,17 +370,25 @@ func credsFilePath() (string, error) {
 	return cf, nil
 }
 
-func authMechanism() auth.Mechanism {
+func newCreds(cf string) *auth.Credentials {
 	if *experimentalCredentialsHelper != "" {
-		fmt.Fprintf(os.Stderr, "--experimental_credentials_helper flags are deprecated, please use --credentials_helper flags")
-		os.Exit(auth.ExitCodeExternalTokenAuth)
+		creds, err := auth.NewExternalCredentials(*experimentalCredentialsHelper, strings.Fields(*experimentalCredentialsHelperArgs), cf)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Experimental credentials helper failed. Please try again or use application default credentials:%v", err)
+			os.Exit(auth.ExitCodeExternalTokenAuth)
+		}
+		return creds
 	}
 	m, err := auth.MechanismFromFlags()
 	if err != nil || m == auth.Unknown {
 		log.Errorf("Failed to determine auth mechanism: %v", err)
 		os.Exit(auth.ExitCodeNoAuth)
 	}
-	return m
+	c, err := auth.NewCredentials(m, cf)
+	if err != nil {
+		log.Exitf("Failed to initialize credentials: %v", err)
+	}
+	return c
 }
 
 func parseLogs() ([]*lpb.LogRecord, []*lpb.ProxyInfo) {

cmd/reproxy/main.go

@@ -107,17 +107,19 @@ var (
 	idleTimeout           = flag.Duration("proxy_idle_timeout", 6*time.Hour, "Inactivity period after which the running reproxy process will be killed. Default is 6 hours. When set to 0, idle timeout is disabled.")
 	depsCacheMaxMb        = flag.Int("deps_cache_max_mb", 128, "Maximum size of the deps cache file (for goma input processor only).")
 	// TODO(b/233275188): remove this flag.
-	_                         = flag.Duration("ip_reset_min_delay", 3*time.Minute, "Deprecated. The minimum time after the input processor has been reset before it can be reset again. Negative values disable resetting.")
-	ipTimeout                 = flag.Duration("ip_timeout", 10*time.Minute, "The maximum time to wait for an input processor action. Zero and negative values disable timeout.")
-	metricsProject            = flag.String("metrics_project", "", "If set, action and build metrics are exported to Cloud Monitoring in the specified GCP project")
-	metricsPrefix             = flag.String("metrics_prefix", "", "Prefix of metrics exported to Cloud Monitoring")
-	metricsNamespace          = flag.String("metrics_namespace", "", "Namespace of metrics exported to Cloud Monitoring (e.g. RBE project)")
-	failEarlyMinActionCount   = flag.Int64("fail_early_min_action_count", 0, "Minimum number of actions received by reproxy before the fail early mechanism can take effect. 0 indicates fail early is disabled.")
-	failEarlyMinFallbackRatio = flag.Float64("fail_early_min_fallback_ratio", 0, "Minimum ratio of fallbacks to total actions above which the build terminates early. Ratio is a number in the range [0,1]. 0 indicates fail early is disabled.")
-	failEarlyWindow           = flag.Duration("fail_early_window", 0, "Window of time to consider for fail_early_min_action_count and fail_early_min_fallback_ratio. 0 indicates all datapoints should be used.")
-	racingBias                = flag.Float64("racing_bias", 0.75, "Value between [0,1] to indicate how racing manages the tradeoff of saving bandwidth (0) versus speed (1). The default is to prefer speed over bandwidth.")
-	racingTmp                 = flag.String("racing_tmp_dir", "", "DEPRECATED. Use download_tmp_dir instead.")
-	downloadTmp               = flag.String("download_tmp_dir", "", "Directory where reproxy should store outputs temporarily before moving them to the desired location. This should be on the same device as the output directory for the build. The default is outputs will be written to a subdirectory inside the action's working directory. Note that the download_tmp_dir will only be used if the action has racing as its exec strategy or it explicitly sets EnableAtomicDownloads=true. See proxy.proto for details.")
+	_                                 = flag.Duration("ip_reset_min_delay", 3*time.Minute, "Deprecated. The minimum time after the input processor has been reset before it can be reset again. Negative values disable resetting.")
+	ipTimeout                         = flag.Duration("ip_timeout", 10*time.Minute, "The maximum time to wait for an input processor action. Zero and negative values disable timeout.")
+	metricsProject                    = flag.String("metrics_project", "", "If set, action and build metrics are exported to Cloud Monitoring in the specified GCP project")
+	metricsPrefix                     = flag.String("metrics_prefix", "", "Prefix of metrics exported to Cloud Monitoring")
+	metricsNamespace                  = flag.String("metrics_namespace", "", "Namespace of metrics exported to Cloud Monitoring (e.g. RBE project)")
+	experimentalCredentialsHelper     = flag.String(auth.CredshelperPathFlag, "", "Path to the credentials helper binary. If given execrel://, looks for the `credshelper` binary in the same folder as reproxy")
+	experimentalCredentialsHelperArgs = flag.String(auth.CredshelperArgsFlag, "", "Arguments for the experimental credentials helper, separated by space.")
+	failEarlyMinActionCount           = flag.Int64("fail_early_min_action_count", 0, "Minimum number of actions received by reproxy before the fail early mechanism can take effect. 0 indicates fail early is disabled.")
+	failEarlyMinFallbackRatio         = flag.Float64("fail_early_min_fallback_ratio", 0, "Minimum ratio of fallbacks to total actions above which the build terminates early. Ratio is a number in the range [0,1]. 0 indicates fail early is disabled.")
+	failEarlyWindow                   = flag.Duration("fail_early_window", 0, "Window of time to consider for fail_early_min_action_count and fail_early_min_fallback_ratio. 0 indicates all datapoints should be used.")
+	racingBias                        = flag.Float64("racing_bias", 0.75, "Value between [0,1] to indicate how racing manages the tradeoff of saving bandwidth (0) versus speed (1). The default is to prefer speed over bandwidth.")
+	racingTmp                         = flag.String("racing_tmp_dir", "", "DEPRECATED. Use download_tmp_dir instead.")
+	downloadTmp                       = flag.String("download_tmp_dir", "", "Directory where reproxy should store outputs temporarily before moving them to the desired location. This should be on the same device as the output directory for the build. The default is outputs will be written to a subdirectory inside the action's working directory. Note that the download_tmp_dir will only be used if the action has racing as its exec strategy or it explicitly sets EnableAtomicDownloads=true. See proxy.proto for details.")
 
 	debugPort   = flag.Int("pprof_port", 0, "Enable pprof http server if not zero")
 	cpuProfFile = flag.String("pprof_file", "", "Enable cpu pprof if not empty. Will not work on windows as reproxy shutdowns through an uncatchable sigkill.")
@@ -286,6 +288,10 @@ func main() {
 			}
 			defer c.SaveToDisk()
 			ts = c.TokenSource()
+		} else {
+			c := mustBuildCredentials()
+			defer c.SaveToDisk()
+			ts = c.TokenSource()
 		}
 	}
 	var e *monitoring.Exporter
@@ -471,6 +477,32 @@ func formatAuthError(ce *client.InitError) error {
 	return status.Errorf(codes.Unauthenticated, errMsg+"\n%s", ce.Error())
 }
 
+// mustBuildCredentials either returns a valid auth.Credentials struct or exits
+func mustBuildCredentials() *auth.Credentials {
+	if *experimentalCredentialsHelper != "" {
+		creds, err := auth.NewExternalCredentials(*experimentalCredentialsHelper, strings.Fields(*experimentalCredentialsHelperArgs), *credsFile)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Experimental credentials helper failed. Please try again or use application default credentials:%v", err)
+			os.Exit(auth.ExitCodeExternalTokenAuth)
+		}
+		return creds
+	}
+	m, err := auth.MechanismFromFlags()
+	if err != nil || m == auth.Unknown {
+		log.Errorf("Failed to determine auth mechanism: %v", err)
+		os.Exit(auth.ExitCodeNoAuth)
+	}
+	c, err := auth.NewCredentials(m, *credsFile)
+	if err != nil {
+		log.Errorf("Failed to initialize credentials: %v", err)
+		if aerr, ok := err.(*auth.Error); ok {
+			os.Exit(aerr.ExitCode)
+		}
+		os.Exit(auth.ExitCodeUnknown)
+	}
+	return c
+}
+
 func initializeLogger(mi *ignoremismatch.MismatchIgnorer, e *monitoring.Exporter) (*logger.Logger, error) {
 	u := usage.New()
 	if *auxiliaryMetadataPath != "" {

go.mod

@@ -19,6 +19,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.1
 	github.com/gosuri/uilive v0.0.4
+	github.com/hectane/go-acl v0.0.0-20230122075934-ca0b05cb1adb
 	github.com/karrick/godirwalk v1.17.0
 	github.com/pkg/xattr v0.4.4
 	github.com/shirou/gopsutil/v3 v3.24.4
@@ -56,7 +57,6 @@ require (
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
-	github.com/hectane/go-acl v0.0.0-20230122075934-ca0b05cb1adb // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/asmfmt v1.3.2 // indirect
 	github.com/klauspost/compress v1.17.8 // indirect

internal/pkg/auth/BUILD.bazel

@@ -2,11 +2,22 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 
 go_library(
     name = "auth",
-    srcs = ["auth.go"],
+    srcs = [
+        "auth.go",
+        "cache.go",
+    ],
     importpath = "github.com/bazelbuild/reclient/internal/pkg/auth",
     visibility = ["//:__subpackages__"],
     deps = [
+        "//api/auth",
+        "//internal/pkg/features",
+        "//internal/pkg/pathtranslator",
+        "@com_github_bazelbuild_remote_apis_sdks//go/pkg/digest",
         "@com_github_golang_glog//:glog",
+        "@com_github_hectane_go_acl//:go-acl",
+        "@org_golang_google_grpc//credentials/oauth",
+        "@org_golang_google_protobuf//encoding/prototext",
+        "@org_golang_google_protobuf//types/known/timestamppb",
         "@org_golang_x_oauth2//:oauth2",
         "@org_golang_x_oauth2//google",
     ],
@@ -16,4 +27,8 @@ go_test(
     name = "auth_test",
     srcs = ["auth_test.go"],
     embed = [":auth"],
+    deps = [
+        "@org_golang_google_grpc//credentials/oauth",
+        "@org_golang_x_oauth2//:oauth2",
+    ],
 )