This CL adds ReAuth support to GerritAuthenticator. ReAuth token can be
obtained with a new get_authorization_header() call.
The task of obtaining such a token is delegated to different
authenticators to check if ReAuth is necessary, and if the existing
authentication token already satisfies ReAuth requirements.
Bug: 442666611
Change-Id: Ic661b868f1c61c653de0da43eb784ad5938342f2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6914237
Reviewed-by: Scott Lee <ddoman@chromium.org>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Allen Li <ayatane@chromium.org>
Per the Git credential helper protocol, the credential helpers should
read stdin for attributes. Previously, we didn't implement the
attributes for git-credential-luci, so this wasn't an issue, but
we're (going to) use the attributes now, and if we don't explicitly
send or close stdin, the helper will hang
Bug: 411487838
Change-Id: I80d47c31e597187c05d5fc23438ae8a52147cb9f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6868130
Commit-Queue: Gavin Mak <gavinmak@google.com>
Auto-Submit: Allen Li <ayatane@chromium.org>
Reviewed-by: Gavin Mak <gavinmak@google.com>
git-credential-luci is very similar to luci-auth, except that it is
expressly for git/Gerrit. Therefore, it hard codes the scopes needed
for git/Gerrit. It's also a separate binary, which makes it more
convenient for us to configure it for ReAuth later.
Bug: b/382341041
Change-Id: I7de56d3922adac7eb4671849eb6e30be310d4de7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6073043
Reviewed-by: Josip Sokcevic <sokcevic@chromium.org>
Commit-Queue: Allen Li <ayatane@chromium.org>
Inspired by https://chromium-review.googlesource.com/c/5577744.
This implementation allows toggling the entire new-auth-stack with
the git configuration:
[depot-tools]
useNewAuthStack = 1
Additionally, you can set:
[depot-tools]
newAuthSkipSSO = 1
To intentionally skip SSOAuthenticator for now while doing local
evaluation of these auth methods.
This CL was uploaded without gitcookies using the new luci-auth
Authenticator.
Subsequent CLs will adjust creds-check and EnsureAuthenticated to
work correctly with the new auth stack.
R=ayatane@google.com
Bug: 336351842, 336652327
Change-Id: I0eb6d82ca106ddd114b74f63d8cda4c5a7b70c86
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5590324
Reviewed-by: Yiwei Zhang <yiwzhang@google.com>
Reviewed-by: Scott Lee <ddoman@chromium.org>
Commit-Queue: Allen Li <ayatane@chromium.org>
Leave the recipes/ code at 2 space to match the rest of the recipes
project in other repos.
Reformatted using:
files=( $(
git ls-tree -r --name-only HEAD | \
grep -Ev -e '^(third_party|recipes)/' | \
grep '\.py$';
git grep -l '#!/usr/bin/env.*python' | grep -v '\.py$'
) )
parallel ./yapf -i -- "${files[@]}"
~/chromiumos/chromite/contrib/reflow_overlong_comments "${files[@]}"
The files that still had strings that were too long were manually
reformatted because they were easy and only a few issues.
autoninja.py
clang_format.py
download_from_google_storage.py
fix_encoding.py
gclient_utils.py
git_cache.py
git_common.py
git_map_branches.py
git_reparent_branch.py
gn.py
my_activity.py
owners_finder.py
presubmit_canned_checks.py
reclient_helper.py
reclientreport.py
roll_dep.py
rustfmt.py
siso.py
split_cl.py
subcommand.py
subprocess2.py
swift_format.py
upload_to_google_storage.py
These files still had lines (strings) that were too long, so the pylint
warnings were suppressed with a TODO.
auth.py
gclient.py
gclient_eval.py
gclient_paths.py
gclient_scm.py
gerrit_util.py
git_cl.py
presubmit_canned_checks.py
presubmit_support.py
scm.py
Change-Id: Ia6535c4f2c48d46b589ec1e791dde6c6b2ea858f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4836379
Commit-Queue: Josip Sokcevic <sokcevic@chromium.org>
Auto-Submit: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Josip Sokcevic <sokcevic@chromium.org>
Ran "2to3 -w -n -f print ./" and manually added imports.
Ran "^\s*print " and "\s+print " to find batch/shell scripts, comments and the like with embedded code, and updated them manually.
Also manually added imports to files, which used print as a function, but were missing the import.
The scripts still work with Python 2.
There are no intended behaviour changes.
Bug: 942522
Change-Id: Id777e4d4df4adcdfdab1b18bde89f235ef491b9f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1595684
Reviewed-by: Dirk Pranke <dpranke@chromium.org>
Commit-Queue: Dirk Pranke <dpranke@chromium.org>
Auto-Submit: Raul Tambre <raul@tambre.ee>
Unfortunately, w/o rewrite of gerrit_util, one can't take advantage
of existing auth.Authenticator (which also doesn't know about ~/.netrc
or .gitcookies, but that's fixable). This rewrite, however, will likely
cause issues for nasty scripts outside of depot_tools which use
gerrit_util as a Python library. So, I followed outdated way of
gerrit_util :(
Also contains refactoring of auth library, which was kept backwards
compatible for the same reasons as above.
R=vadimsh@chromium.org
Test-with: led tool
Test-artifact: https://ci.chromium.org/swarming/task/3cf4687dfd26ca10?server=chromium-swarm.appspot.com
Bug: 834536
Change-Id: I6b84b8b5732aee5d345e2b2ba44f47aaecc0f6c5
Reviewed-on: https://chromium-review.googlesource.com/1018488
Reviewed-by: Vadim Shtayura <vadimsh@chromium.org>
Commit-Queue: Andrii Shyshkalov <tandrii@chromium.org>
depot_tools' git wrapper for some reason overrides %HOME% to point to
depot_tools directory, and thus scripts running as git subprocesses (git_cl.py)
use not the same HOME as scripts that run outside of git process tree
(depot-tools-auth.py). Instead always use USERPROFILE in auth.py to consistently
pick same directory.
This issue happens only when HOME is not set globally. It can explain why it
wasn't seen earlier.
R=iannucci@chromium.org
BUG=356813
Review URL: https://codereview.chromium.org/1082833004
git-svn-id: svn://svn.chromium.org/chrome/trunk/tools/depot_tools@294911 0039d316-1c4b-4281-b951-d872f2087c98
There are some mysterious issues happening to some Windows users. Verbose log
can be helpful.
R=maruel@chromium.org
BUG=356813
Review URL: https://codereview.chromium.org/1051143004
git-svn-id: svn://svn.chromium.org/chrome/trunk/tools/depot_tools@294910 0039d316-1c4b-4281-b951-d872f2087c98
OAuth token cache file (as implemented by oauth2client library) stores refresh
token and can in theory be deployed via Puppet as the credential. But it is
mutated by the library (to store access tokens, rotated each hour), and so it is
not static and managing it via Puppet (or however else) is a big pain.
Instead, now depot_tools accepts --auth-refresh-token-json parameter with a path
to a static JSON file (with minimal body being {"refresh_token": "....."}). It
can be used to pass previously prepared refresh tokens of role accounts. It
will be used for blink DEPS roller account and similar @chromium.org accounts.
R=maruel@chromium.org
BUG=356813
Review URL: https://codereview.chromium.org/1060193005
git-svn-id: svn://svn.chromium.org/chrome/trunk/tools/depot_tools@294870 0039d316-1c4b-4281-b951-d872f2087c98
This code path is not actually used yet, so the typo wasn't caught earlier.
Also make sure access tokens have 'str' type, not 'unicode'.
R=nodir@chromium.org
BUG=356813
Review URL: https://codereview.chromium.org/1082133002
git-svn-id: svn://svn.chromium.org/chrome/trunk/tools/depot_tools@294789 0039d316-1c4b-4281-b951-d872f2087c98
This CL introduces new top level command for managing cached auth tokens:
$ depot-tools-auth login codereview.chromium.org
$ depot-tools-auth info codereview.chromium.org
$ depot-tools-auth logout codereview.chromium.org
All scripts that use rietveld.Rietveld internally should be able to use cached
credentials created by 'depot-tools-auth' subcommand. Also 'depot-tools-auth'
is the only way to run login flow. If some scripts stumbles over expired or
revoked token, it dies with the error, asking user to run
'depot-tools-auth login <hostname>'.
Password login is still default. OAuth2 can be enabled by passing --oauth2 to
all scripts.
R=maruel@chromium.org
BUG=356813
Review URL: https://codereview.chromium.org/1074673002
git-svn-id: svn://svn.chromium.org/chrome/trunk/tools/depot_tools@294764 0039d316-1c4b-4281-b951-d872f2087c98
It is done in preparation for switching to OAuth2 as default (and only)
authentication method. Having all auth options handled by the same code makes it
easier to gradually add OAuth2 support.
As part of this, some options that would no longer work with OAuth2 (and that
are not being used from anywhere now, as far as I can tell) are removed:
* Passing account password for authentication via command line.
* Overriding 'Host' header when making requests to Rietveld (won't work with
SSL anyway).
* --account_type option (seems to be ClientLogin specific).
R=maruel@chromium.org
BUG=356813
Review URL: https://codereview.chromium.org/1075723002
git-svn-id: svn://svn.chromium.org/chrome/trunk/tools/depot_tools@294746 0039d316-1c4b-4281-b951-d872f2087c98
