reauth: implement GitCreds credential pre-flight checks

This CL implements ensure_authenticated() for GitCredsAuthenticator, and adds ReAuth support. This check performs best-effort credential checks before performing expensive operations such as presubmit hooks. This allows us to fail fast when an ReAuth token is missing for a contributor subject to ReAuth requirements. If you suspect this CL has caused a breakage on CL upload, please revert. Bug: 451651615 Change-Id: I42f3ffe3c830ed7bd2322f6cf2ad8adbba7e7251 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7036772 Reviewed-by: Allen Li <ayatane@chromium.org> Reviewed-by: Scott Lee <ddoman@chromium.org> Commit-Queue: Jiewei Qian <qjw@chromium.org>
2026-01-11 18:51:29 +00:00 · 2025-11-04 11:38:19 -08:00
parent 5567ad1ea0
commit 240cd02c29
2 changed files with 77 additions and 5 deletions
--- a/tests/git_cl_test.py
+++ b/tests/git_cl_test.py
@@ -29,6 +29,7 @@ import metrics_utils
 # We have to disable monitoring before importing git_cl.
 metrics_utils.COLLECT_METRICS = False

+import auth
 import clang_format
 import contextlib
 import gclient_utils
@@ -2552,6 +2553,60 @@ class TestGitCl(unittest.TestCase):
        cl.lookedup_issue = True
        self.assertIsNone(cl.EnsureAuthenticated(force=False))

+    @mock.patch('sys.stderr', io.StringIO())
+    def test_gerrit_ensure_authenticated_with_reauth(self):
+        scm.GIT.SetConfig('', 'remote.origin.url',
+                          'https://chromium.googlesource.com/my/repo')
+
+        self._add_patch_with_cleanup(
+            'gclient_utils.AskForData',
+            lambda prompt: self._mocked_call('ask_for_data', prompt))
+
+        mock_ensure_authenticated = mock.MagicMock(
+            spec=gerrit_util.ensure_authenticated,
+            return_value=(False, "You have not done ReAuth"))
+        self._add_patch_with_cleanup('git_cl.gerrit_util.ensure_authenticated',
+                                     mock_ensure_authenticated)
+
+        cl = git_cl.Changelist()
+        cl.branch = 'main'
+        cl.branchref = 'refs/heads/main'
+
+        with self.assertRaises(SystemExitMock):
+            cl.EnsureAuthenticated(force=False)
+
+        self.assertRegex(sys.stderr.getvalue(), "You have not done ReAuth")
+        mock_ensure_authenticated.assert_called_with(
+            gerrit_host="chromium-review.googlesource.com",
+            git_host="chromium.googlesource.com",
+            reauth_context=auth.ReAuthContext(
+                host='chromium-review.googlesource.com', project='my/repo'))
+
+    def test_gerrit_ensure_authenticated_reauth_not_needed(self):
+        scm.GIT.SetConfig('', 'remote.origin.url',
+                          'https://chromium.googlesource.com/my/repo')
+
+        self._add_patch_with_cleanup(
+            'gclient_utils.AskForData',
+            lambda prompt: self._mocked_call('ask_for_data', prompt))
+
+        mock_ensure_authenticated = mock.MagicMock(
+            spec=gerrit_util.ensure_authenticated, return_value=(True, ''))
+        self._add_patch_with_cleanup('git_cl.gerrit_util.ensure_authenticated',
+                                     mock_ensure_authenticated)
+
+        cl = git_cl.Changelist()
+        cl.branch = 'main'
+        cl.branchref = 'refs/heads/main'
+
+        self.assertIsNone(
+            cl.EnsureAuthenticated(force=False, skip_reauth_check=True))
+        mock_ensure_authenticated.assert_called_with(
+            gerrit_host='chromium-review.googlesource.com',
+            git_host="chromium.googlesource.com",
+            reauth_context=None)
+
+
    def _cmd_set_commit_gerrit_common(self, vote, notify=None):
        scm.GIT.SetConfig('', 'branch.main.gerritissue', '123')
        scm.GIT.SetConfig('', 'branch.main.gerritserver',