Generalize auth to be used in other contexts

This is largely a rename with a slightly widened interface.

BUG=275368350
PiperOrigin-RevId: 560174530
Change-Id: I680b462564f98a8bb03e97d89c330d6ce6870e8f

Author: hsudhof

java/com/google/copybara/BUILD

@@ -230,6 +230,7 @@ java_library(
         "//java/com/google/copybara/config:base",
         "//java/com/google/copybara/config:global_migrations",
         "//java/com/google/copybara/config:parser",
+        "//java/com/google/copybara/credentials",
         "//java/com/google/copybara/doc:annotations",
         "//java/com/google/copybara/effect",
         "//java/com/google/copybara/exception",

java/com/google/copybara/ConfigItemDescription.java

@@ -18,6 +18,7 @@
 
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.copybara.util.Glob;
+import javax.annotation.Nullable;
 
 /**
  * Interface for self-description. The information returned should be sufficient to create a new
@@ -31,7 +32,7 @@ default String getType() {
   }
 
   /** Returns a key-value ist of the options the endpoint was instantiated with. */
-  default ImmutableSetMultimap<String, String> describe(Glob originFiles) {
+  default ImmutableSetMultimap<String, String> describe(@Nullable Glob originFiles) {
     ImmutableSetMultimap.Builder<String, String> builder =
         new ImmutableSetMultimap.Builder<String, String>()
         .put("type", getType());

java/com/google/copybara/Endpoint.java

@@ -16,6 +16,7 @@
 
 package com.google.copybara;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.copybara.effect.DestinationEffect.DestinationRef;
 import com.google.copybara.revision.OriginRef;
@@ -63,9 +64,14 @@ default void repr(Printer printer) {
     printer.append(toString());
   }
 
-  /** Returns a key-value ist of the options the endpoint was instantiated with. */
+  /** Returns a key-value list of the options the endpoint was instantiated with. */
   ImmutableSetMultimap<String, String> describe();
 
+  /** Returns a key-value list describing the credentials the endpoint was instantiated with. */
+  default ImmutableList<ImmutableSetMultimap<String, String>> describeCredentials() {
+    return ImmutableList.of();
+  }
+
   @StarlarkMethod(
       name = "new_origin_ref",
       doc = "Creates a new origin reference out of this endpoint.",

java/com/google/copybara/ModuleSupplier.java

@@ -25,6 +25,8 @@
 import com.google.copybara.buildozer.BuildozerModule;
 import com.google.copybara.buildozer.BuildozerOptions;
 import com.google.copybara.compression.CompressionModule;
+import com.google.copybara.credentials.CredentialModule;
+import com.google.copybara.credentials.CredentialOptions;
 import com.google.copybara.folder.FolderDestinationOptions;
 import com.google.copybara.folder.FolderModule;
 import com.google.copybara.folder.FolderOriginOptions;
@@ -132,6 +134,7 @@ public ImmutableSet<Object> getModules(Options options) {
         new HttpModule(console, options.get(HttpOptions.class)),
         new PythonModule(),
         new CompressionModule(),
+        new CredentialModule(console, options.get(CredentialOptions.class)),
         Json.INSTANCE);
   }
 
@@ -166,7 +169,8 @@ protected Options newOptions() {
             new DebugOptions(generalOptions),
             new GeneratorOptions(),
             new HttpOptions(),
-            new RegenerateOptions()));
+            new RegenerateOptions(),
+            new CredentialOptions()));
   }
 
   /**

java/com/google/copybara/credentials/BUILD

@@ -0,0 +1,32 @@
+# Copyright 2023 Google LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+java_library(
+    name = "credentials",
+    srcs = glob(["*.java"]),
+    deps = [
+        "//java/com/google/copybara:options",
+        "//java/com/google/copybara/exception",
+        "//java/com/google/copybara/util/console",
+        "//third_party:autovalue",
+        "//third_party:guava",
+        "//third_party:jsr305",
+        "//third_party:starlark",
+        "//third_party:tomlj",
+    ],
+)

java/com/google/copybara/credentials/ConstantCredentialIssuer.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2023 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.copybara.credentials;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableSetMultimap;
+
+/**
+ * A static CredentialIssuer, e.g. a password, username, api key, etc
+ */
+public class ConstantCredentialIssuer implements CredentialIssuer {
+
+  private final String secret;
+  private final String name;
+
+  private final boolean open;
+
+  public static ConstantCredentialIssuer createConstantSecret(String name, String secret) {
+    return new ConstantCredentialIssuer(
+        Preconditions.checkNotNull(name), Preconditions.checkNotNull(secret), false);
+  }
+
+  public static ConstantCredentialIssuer createConstantOpenValue(String value) {
+    return new ConstantCredentialIssuer(Preconditions.checkNotNull(value), value, true);
+  }
+
+  private ConstantCredentialIssuer(String name, String secret, boolean open) {
+    this.secret = secret;
+    this.name = name;
+    this.open = open;
+  }
+
+  @Override
+  public Credential issue() throws CredentialIssuingException {
+    return open ? new OpenCredential(secret) : new StaticSecret(name, secret);
+  }
+
+  @Override
+  public ImmutableSetMultimap<String, String> describe() {
+    return ImmutableSetMultimap.of("type", "constant", "name", name, "open", "" + open);
+  }
+}

java/com/google/copybara/credentials/Credential.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2023 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.copybara.credentials;
+
+/** Holder for a credential. */
+public interface Credential {
+
+  /** A safe value that describes the credential */
+  String printableValue();
+
+  /** Whether the creential is still believed to be valid */
+  boolean valid();
+
+  /** The raw secret, this should not be used outside of framework code. */
+  String provideSecret() throws CredentialRetrievalException;
+}

java/com/google/copybara/http/auth/KeySource.java renamed to java/com/google/copybara/credentials/CredentialIssuer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2023 Google Inc.
+ * Copyright (C) 2023 Google LLC.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,24 +13,23 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+package com.google.copybara.credentials;
 
-package com.google.copybara.http.auth;
+import com.google.common.collect.ImmutableSetMultimap;
+import net.starlark.java.eval.StarlarkValue;
 
-import java.io.IOException;
+/**
+ * An object able to mint credentials. The issuer should handle caching etc.
+ */
+public interface CredentialIssuer extends StarlarkValue {
 
-/** provider for auth credentials */
-public interface KeySource {
-  String get() throws IOException;
+  /**
+   * Issue a Credential to be used by an endpoint
+   */
+  Credential issue() throws CredentialIssuingException;
 
   /**
-   * Signifies the key source was unable to locate the key
-   * it is attempting to get.
-   * Extends IOException to work more easily with the
-   * http client interceptor type signature.
+   * Metadata describing this issuer.
    */
-  class KeyNotFoundException extends IOException {
-    public KeyNotFoundException(String message) {
-      super(message);
-    }
-  }
+  ImmutableSetMultimap<String, String> describe();
 }

java/com/google/copybara/credentials/CredentialIssuingException.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2023 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.copybara.credentials;
+
+import com.google.copybara.exception.ValidationException;
+
+/**
+ * An Exception thrown if minting a credential fails.
+ */
+public class CredentialIssuingException extends ValidationException  {
+
+  public CredentialIssuingException(String message) {
+    super(message);
+  }
+
+  public CredentialIssuingException(String message, Throwable cause) {
+    super(message, cause);
+  }
+}

java/com/google/copybara/credentials/CredentialModule.java

@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2023 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.copybara.credentials;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSetMultimap;
+import com.google.copybara.exception.ValidationException;
+import com.google.copybara.util.console.Console;
+import net.starlark.java.annot.Param;
+import net.starlark.java.annot.ParamType;
+import net.starlark.java.annot.StarlarkBuiltin;
+import net.starlark.java.annot.StarlarkMethod;
+import net.starlark.java.eval.EvalException;
+import net.starlark.java.eval.StarlarkValue;
+
+/** Starlark builtins to handle credentials. */
+@StarlarkBuiltin(name = "credentials", doc = "Module for working with credentials.")
+public class CredentialModule implements StarlarkValue {
+
+  protected CredentialOptions options;
+  protected Console console;
+
+  public CredentialModule(Console console, CredentialOptions options) {
+    this.console = console;
+    this.options = options;
+  }
+
+  @StarlarkMethod(
+      name = "static_secret",
+      doc = "Holder for secrets that can be in plaintext within the config.",
+      parameters = {
+        @Param(name = "name", doc = "A name for this secret."),
+        @Param(name = "secret", doc = "The secret value.")
+      })
+  public CredentialIssuer staticSecret(String name, String secret) throws EvalException {
+    return ConstantCredentialIssuer.createConstantSecret(name, secret);
+  }
+
+  @StarlarkMethod(
+      name = "static_value",
+      doc = "Holder for credentials that are safe to read/log (e.g. 'x-access-token') .",
+      parameters = {@Param(name = "value", doc = "The open value.")})
+  public CredentialIssuer staticValue(String value) throws EvalException {
+    return ConstantCredentialIssuer.createConstantOpenValue(value);
+  }
+
+  @StarlarkMethod(
+      name = "toml_key_source",
+      doc =
+          "Supply an authentication credential from the "
+              + "file pointed to by the --http-credential-file flag.",
+      parameters = {
+        @Param(
+            name = "dot_path",
+            doc = "Dot path to the data field containing the credential.",
+            allowedTypes = {@ParamType(type = String.class)})
+      })
+  public CredentialIssuer tomlKeySource(String dotPath) throws ValidationException {
+    if (options.credentialFile == null) {
+      throw new ValidationException("Credential file for toml key source has not been supplied");
+    }
+    return new TomlKeySource(options.credentialFile, dotPath);
+  }
+
+  @StarlarkMethod(
+      name = "username_password",
+      doc = "A pair of username and password credential issuers.",
+      parameters = {
+        @Param(
+            name = "username",
+            doc = "Username credential.",
+            allowedTypes = {@ParamType(type = CredentialIssuer.class)}),
+        @Param(
+            name = "password",
+            doc = "Password credential.",
+            allowedTypes = {@ParamType(type = CredentialIssuer.class)})
+      })
+  public UsernamePasswordIssuer usernamePassword(
+      CredentialIssuer username, CredentialIssuer password) {
+    return new AutoValue_CredentialModule_UsernamePasswordIssuer(username, password);
+  }
+
+  /** A username/password pair issuer */
+  @AutoValue
+  public abstract static class UsernamePasswordIssuer implements StarlarkValue {
+    public abstract CredentialIssuer username();
+
+    public abstract CredentialIssuer password();
+
+    public ImmutableList<ImmutableSetMultimap<String, String>> describeCredentials() {
+      return ImmutableList.of(username().describe(), password().describe());
+    }
+  }
+}