gerrit_util: Use git-credential-luci instead of luci-auth

git-credential-luci is very similar to luci-auth, except that it is expressly for git/Gerrit. Therefore, it hard codes the scopes needed for git/Gerrit. It's also a separate binary, which makes it more convenient for us to configure it for ReAuth later. Bug: b/382341041 Change-Id: I7de56d3922adac7eb4671849eb6e30be310d4de7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6073043 Reviewed-by: Josip Sokcevic <sokcevic@chromium.org> Commit-Queue: Allen Li <ayatane@chromium.org>
2026-01-11 18:51:29 +00:00 · 2024-12-06 01:39:13 +00:00
parent 58f5357e92
commit 522f5a4bd1
4 changed files with 82 additions and 10 deletions
--- a/gerrit_util.py
+++ b/gerrit_util.py
@@ -286,7 +286,7 @@ class _Authenticator(object):
                        SSOAuthenticator(),
                        # GCE detection can't distinguish cloud workstations.
                        GceAuthenticator(),
-                        LuciAuthAuthenticator(),
+                        GitCredsAuthenticator(),
                        NoAuthenticator(),
                    ]
                    if skip_sso:
@@ -850,13 +850,24 @@ class LuciContextAuthenticator(_Authenticator):
        return ''


-class LuciAuthAuthenticator(LuciContextAuthenticator):
-    """_Authenticator implementation that uses `luci-auth` credentials.
+class GitCredsAuthenticator(_Authenticator):
+    """_Authenticator implementation that uses `git-credential-luci` with OAuth.

-    This is the same as LuciContextAuthenticator, except that it is for local
-    non-google.com developer credentials.
+    This is similar to LuciContextAuthenticator, except that it is for
+    local non-google.com developer credentials.
    """

+    def __init__(self):
+        self._authenticator = auth.GerritAuthenticator()
+
+    def authenticate(self, conn: HttpConn):
+        conn.req_headers[
+            'Authorization'] = f'Bearer {self._authenticator.get_access_token()}'
+
+    def debug_summary_state(self) -> str:
+        # TODO(b/343230702) - report ambient account name.
+        return ''
+
    @classmethod
    def gerrit_account_exists(cls, host: str) -> bool:
        """Return True if the Gerrit account exists.