[credentialhelper] Add command-line flag for configuring

Progress on bazelbuild#15856

RELNOTES: TODO(yannic): Add release notes for credential helper.

Author: Yannic

src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java

@@ -131,4 +131,24 @@ public class AuthAndTLSOptions extends OptionsBase {
               + "granularity; it is an error to set a value less than one second. If keep-alive "
               + "pings are disabled, then this setting is ignored.")
   public Duration grpcKeepaliveTimeout;
+
+  @Option(
+      name = "credential_helper",
+      defaultValue = "null",
+      allowMultiple = true,
+      documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
+      effectTags = {OptionEffectTag.UNKNOWN},
+      help = "TODO")
+  public List<String> credentialHelpers;
+
+  @Option(
+      name = "credential_helper_timeout",
+      defaultValue = "5s",
+      converter = DurationConverter.class,
+      documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
+      effectTags = {OptionEffectTag.UNKNOWN},
+      help =
+          "Configures the timeout for the Credential Helper.\n\n"
+              + "Credential Helpers failing to respond within this timeout will fail the invocation.")
+  public Duration credentialHelperTimeout;
 }

src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/BUILD

@@ -17,6 +17,7 @@ java_library(
         "//src/main/java/com/google/devtools/build/lib/events",
         "//src/main/java/com/google/devtools/build/lib/shell",
         "//src/main/java/com/google/devtools/build/lib/vfs",
+        "//third_party:auth",
         "//third_party:auto_value",
         "//third_party:error_prone_annotations",
         "//third_party:gson",

src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelper.java

@@ -49,7 +49,7 @@ public final class CredentialHelper {
   }
 
   @VisibleForTesting
-  Path getPath() {
+  public Path getPath() {
     return path;
   }
 

src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelperCredentials.java

@@ -0,0 +1,93 @@
+package com.google.devtools.build.lib.authandtls.credentialhelper;
+
+import com.google.auth.Credentials;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableMap;
+import java.io.IOException;
+import java.net.URI;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * Implementation of {@link Credentials} which fetches credentials by invoking a {@code credential
+ * helper} as subprocess.
+ */
+public class CredentialHelperCredentials extends Credentials {
+  private final CredentialHelperProvider credentialHelperProvider;
+  private final CredentialHelperEnvironment credentialHelperEnvironment;
+  private final Optional<Credentials> fallbackCredentials;
+
+  public CredentialHelperCredentials(
+      CredentialHelperProvider credentialHelperProvider,
+      CredentialHelperEnvironment credentialHelperEnvironment,
+      Optional<Credentials> fallbackCredentials) {
+    this.credentialHelperProvider = Preconditions.checkNotNull(credentialHelperProvider);
+    this.credentialHelperEnvironment = Preconditions.checkNotNull(credentialHelperEnvironment);
+    this.fallbackCredentials = Preconditions.checkNotNull(fallbackCredentials);
+  }
+
+  @Override
+  public String getAuthenticationType() {
+    if (fallbackCredentials.isPresent()) {
+      return "credential-helper-with-fallback-" + fallbackCredentials.get().getAuthenticationType();
+    }
+
+    return "credential-helper";
+  }
+
+  @Override
+  public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
+    Preconditions.checkNotNull(uri);
+
+    Optional<Map<String, List<String>>> credentials =
+        getRequestMetadataFromCredentialHelper(uri);
+    if (credentials.isPresent()) {
+      return credentials.get();
+    }
+
+    if (fallbackCredentials.isPresent()) {
+      return fallbackCredentials.get().getRequestMetadata(uri);
+    }
+
+    return ImmutableMap.of();
+  }
+
+  private Optional<Map<String, List<String>>> getRequestMetadataFromCredentialHelper(
+      URI uri) throws IOException {
+    Preconditions.checkNotNull(uri);
+
+    Optional<CredentialHelper> maybeCredentialHelper = credentialHelperProvider.findCredentialHelper(uri);
+    if (!maybeCredentialHelper.isPresent()) {
+      return Optional.empty();
+    }
+    CredentialHelper credentialHelper = maybeCredentialHelper.get();
+
+    GetCredentialsResponse response;
+    try {
+      response = credentialHelper.getCredentials(credentialHelperEnvironment, uri);
+    } catch (InterruptedException e) {
+      throw new RuntimeException(e);
+    }
+
+    // The cast is needed to convert value type of map from `ImmutableList` to `List`.
+    return Optional.of((Map)response.getHeaders());
+  }
+
+  @Override
+  public boolean hasRequestMetadata() {
+    return true;
+  }
+
+  @Override
+  public boolean hasRequestMetadataOnly() {
+    return false;
+  }
+
+  @Override
+  public void refresh() throws IOException {
+    if (fallbackCredentials.isPresent()) {
+      fallbackCredentials.get().refresh();
+    }
+  }
+}

src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelperProvider.java

@@ -170,6 +170,17 @@ public Builder add(String pattern, Path helper) throws IOException {
       return this;
     }
 
+    public Builder add(Optional<String> pattern, Path helper) throws IOException {
+      Preconditions.checkNotNull(pattern);
+      Preconditions.checkNotNull(helper);
+
+      if (pattern.isPresent()) {
+        return add(pattern.get(), helper);
+      } else {
+        return add(helper);
+      }
+    }
+
     /** Converts a pattern to Punycode (see https://en.wikipedia.org/wiki/Punycode). */
     private final String toPunycodePattern(String pattern) {
       Preconditions.checkNotNull(pattern);

src/main/java/com/google/devtools/build/lib/remote/BUILD

@@ -59,6 +59,7 @@ java_library(
         "//src/main/java/com/google/devtools/build/lib/analysis:top_level_artifact_context",
         "//src/main/java/com/google/devtools/build/lib/analysis/platform:platform_utils",
         "//src/main/java/com/google/devtools/build/lib/authandtls",
+        "//src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper",
         "//src/main/java/com/google/devtools/build/lib/bazel/repository/downloader",
         "//src/main/java/com/google/devtools/build/lib/buildeventstream",
         "//src/main/java/com/google/devtools/build/lib/clock",
@@ -90,6 +91,7 @@ java_library(
         "//src/main/java/com/google/devtools/build/lib/sandbox:sandbox_helpers",
         "//src/main/java/com/google/devtools/build/lib/skyframe:mutable_supplier",
         "//src/main/java/com/google/devtools/build/lib/skyframe:tree_artifact_value",
+        "//src/main/java/com/google/devtools/build/lib/util",
         "//src/main/java/com/google/devtools/build/lib/util:abrupt_exit_exception",
         "//src/main/java/com/google/devtools/build/lib/util:detailed_exit_code",
         "//src/main/java/com/google/devtools/build/lib/util:exit_code",
@@ -102,6 +104,7 @@ java_library(
         "//src/main/java/com/google/devtools/common/options",
         "//src/main/protobuf:failure_details_java_proto",
         "//third_party:auth",
+        "//third_party:auto_value",
         "//third_party:caffeine",
         "//third_party:flogger",
         "//third_party:guava",

src/main/java/com/google/devtools/build/lib/remote/RemoteModule.java

@@ -19,6 +19,7 @@
 import build.bazel.remote.execution.v2.DigestFunction;
 import build.bazel.remote.execution.v2.ServerCapabilities;
 import com.google.auth.Credentials;
+import com.google.auto.value.AutoValue;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Ascii;
 import com.google.common.base.Preconditions;
@@ -50,6 +51,9 @@
 import com.google.devtools.build.lib.authandtls.Netrc;
 import com.google.devtools.build.lib.authandtls.NetrcCredentials;
 import com.google.devtools.build.lib.authandtls.NetrcParser;
+import com.google.devtools.build.lib.authandtls.credentialhelper.CredentialHelperCredentials;
+import com.google.devtools.build.lib.authandtls.credentialhelper.CredentialHelperEnvironment;
+import com.google.devtools.build.lib.authandtls.credentialhelper.CredentialHelperProvider;
 import com.google.devtools.build.lib.bazel.repository.downloader.Downloader;
 import com.google.devtools.build.lib.buildeventstream.BuildEventArtifactUploader;
 import com.google.devtools.build.lib.buildeventstream.LocalFilesArtifactUploader;
@@ -78,6 +82,7 @@
 import com.google.devtools.build.lib.runtime.BuildEventArtifactUploaderFactory;
 import com.google.devtools.build.lib.runtime.Command;
 import com.google.devtools.build.lib.runtime.CommandEnvironment;
+import com.google.devtools.build.lib.runtime.CommandLinePathFactory;
 import com.google.devtools.build.lib.runtime.RepositoryRemoteExecutor;
 import com.google.devtools.build.lib.runtime.RepositoryRemoteExecutorFactory;
 import com.google.devtools.build.lib.runtime.ServerBuilder;
@@ -103,7 +108,6 @@
 import io.reactivex.rxjava3.plugins.RxJavaPlugins;
 import java.io.IOException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -217,12 +221,12 @@ private void initHttpAndDiskCache(
     try {
       creds =
           newCredentials(
-              env.getClientEnv(),
+              env.getCommandLinePathFactory(),
+              newCredentialHelperEnvironment(env, authAndTlsOptions),
               env.getRuntime().getFileSystem(),
-              env.getReporter(),
               authAndTlsOptions,
               remoteOptions);
-    } catch (IOException e) {
+    } catch (IOException | IllegalArgumentException e) {
       handleInitFailure(env, e, Code.CREDENTIALS_INIT_FAILURE);
       return;
     }
@@ -432,12 +436,12 @@ public void beforeCommand(CommandEnvironment env) throws AbruptExitException {
       callCredentialsProvider =
           GoogleAuthUtils.newCallCredentialsProvider(
               newCredentials(
-                  env.getClientEnv(),
+                  env.getCommandLinePathFactory(),
+                  newCredentialHelperEnvironment(env, authAndTlsOptions),
                   env.getRuntime().getFileSystem(),
-                  env.getReporter(),
                   authAndTlsOptions,
                   remoteOptions));
-    } catch (IOException e) {
+    } catch (IOException | IllegalArgumentException e) {
       handleInitFailure(env, e, Code.CREDENTIALS_INIT_FAILURE);
       return;
     }
@@ -645,7 +649,7 @@ public void beforeCommand(CommandEnvironment env) throws AbruptExitException {
   }
 
   private static void handleInitFailure(
-      CommandEnvironment env, IOException e, Code remoteExecutionCode) {
+      CommandEnvironment env, Exception e, Code remoteExecutionCode) {
     env.getReporter().handle(Event.error(e.getMessage()));
     env.getBlazeModuleEnvironment()
         .exit(
@@ -1096,38 +1100,108 @@ static Credentials newCredentialsFromNetrc(Map<String, String> clientEnv, FileSy
    */
   @VisibleForTesting
   static Credentials newCredentials(
-      Map<String, String> clientEnv,
+      CommandLinePathFactory commandLinePathFactory,
+      CredentialHelperEnvironment credentialHelperEnvironment,
       FileSystem fileSystem,
-      Reporter reporter,
       AuthAndTLSOptions authAndTlsOptions,
       RemoteOptions remoteOptions)
       throws IOException {
-    Credentials creds = GoogleAuthUtils.newCredentials(authAndTlsOptions);
+    // TODO(yannic): Change `GoogleAuthUtils.newCredentials` to return `Optional`.
+    Optional<Credentials> creds = Optional.ofNullable(GoogleAuthUtils.newCredentials(authAndTlsOptions));
+    creds = creds.or(() -> {
+      // Fallback to .netrc if it exists.
 
-    // Fallback to .netrc if it exists
-    if (creds == null) {
       try {
-        creds = newCredentialsFromNetrc(clientEnv, fileSystem);
+        // TODO(yannic): Change `newCredentialsFromNetrc` to return `Optional`.
+        return Optional.ofNullable(
+            newCredentialsFromNetrc(
+                credentialHelperEnvironment.getClientEnvironment(), fileSystem));
       } catch (IOException e) {
-        reporter.handle(Event.warn(e.getMessage()));
+        credentialHelperEnvironment.getEventReporter().handle(Event.warn(e.getMessage()));
+        return Optional.empty();
       }
-
-      try {
-        if (creds != null
-            && remoteOptions.remoteCache != null
-            && Ascii.toLowerCase(remoteOptions.remoteCache).startsWith("http://")
-            && !creds.getRequestMetadata(new URI(remoteOptions.remoteCache)).isEmpty()) {
-          reporter.handle(
-              Event.warn(
-                  "Username and password from .netrc is transmitted in plaintext to "
-                      + remoteOptions.remoteCache
-                      + ". Please consider using an HTTPS endpoint."));
-        }
-      } catch (URISyntaxException e) {
-        throw new IOException(e.getMessage(), e);
+    });
+
+    if (creds.isPresent()) {
+      if (remoteOptions.remoteCache != null
+          && Ascii.toLowerCase(remoteOptions.remoteCache).startsWith("http://")
+          && !creds.get().getRequestMetadata(URI.create(remoteOptions.remoteCache)).isEmpty()) {
+        credentialHelperEnvironment.getEventReporter().handle(
+            Event.warn(
+                "Username and password from .netrc is transmitted in plaintext to "
+                    + remoteOptions.remoteCache
+                    + ". Please consider using an HTTPS endpoint."));
       }
     }
 
-    return creds;
+    CredentialHelperProvider credentialHelperProvider =
+        newCredentialHelperProvider(
+            credentialHelperEnvironment,
+            commandLinePathFactory,
+            authAndTlsOptions.credentialHelpers);
+    return new CredentialHelperCredentials(
+        credentialHelperProvider, credentialHelperEnvironment, creds);
+  }
+
+  private CredentialHelperEnvironment newCredentialHelperEnvironment(
+      CommandEnvironment env, AuthAndTLSOptions authAndTlsOptions) {
+    Preconditions.checkNotNull(env);
+    Preconditions.checkNotNull(authAndTlsOptions);
+
+    return CredentialHelperEnvironment.newBuilder()
+        .setEventReporter(env.getReporter())
+        .setWorkspacePath(env.getWorkspace())
+        .setClientEnvironment(env.getClientEnv())
+        .setHelperExecutionTimeout(authAndTlsOptions.credentialHelperTimeout)
+        .build();
+  }
+
+  @VisibleForTesting
+  static CredentialHelperProvider newCredentialHelperProvider(
+      CredentialHelperEnvironment environment,
+      CommandLinePathFactory pathFactory,
+      List<String> inputs)
+      throws IOException {
+    Preconditions.checkNotNull(environment);
+    Preconditions.checkNotNull(pathFactory);
+    Preconditions.checkNotNull(inputs);
+
+    CredentialHelperProvider.Builder builder = CredentialHelperProvider.builder();
+    for (String input : inputs) {
+      ScopedCredentialHelper helper = parseCredentialHelperFlag(environment, pathFactory, input);
+      builder.add(helper.getScope(), helper.getPath());
+    }
+    return builder.build();
+  }
+
+  @VisibleForTesting
+  static ScopedCredentialHelper parseCredentialHelperFlag(
+      CredentialHelperEnvironment environment, CommandLinePathFactory pathFactory, String input)
+      throws IOException {
+    Preconditions.checkNotNull(environment);
+    Preconditions.checkNotNull(pathFactory);
+    Preconditions.checkNotNull(input);
+
+    int pos = input.indexOf('=');
+    if (pos > 0) {
+      String scope = input.substring(0, pos);
+      String path = input.substring(pos + 1);
+      return new AutoValue_RemoteModule_ScopedCredentialHelper(
+          Optional.of(scope), pathFactory.create(environment.getClientEnvironment(), path));
+    }
+
+    // `input` does not specify a scope.
+    return new AutoValue_RemoteModule_ScopedCredentialHelper(
+        Optional.empty(), pathFactory.create(environment.getClientEnvironment(), input));
+  }
+
+  @VisibleForTesting
+  @AutoValue
+  static abstract class ScopedCredentialHelper {
+    /** Returns the scope of the credential helper (if any). */
+    public abstract Optional<String> getScope();
+
+    /** Returns the path of the credential helper. */
+    public abstract Path getPath();
   }
 }