This CL makes it possible for ensure_authenticated to check whether
the current credential would satisfy ReAuth requirement.
Right now, only GitCredsAuthenticator performs additional ReAuth
check. For other Authenticator, either ReAuth is not relevant
(e.g. SSO), or not supported or implied (e.g. .gitcookies).
This CL does nothing on its own, because ensure_autheticated with
ReAuth is opt-in. Subsequent CL will update callsites to pass in
ReAuthContext to make the check effective.
Bug: 451651615
Change-Id: Idb1e70c52aaa844e672331fad8d462a2a7577d45
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7104363
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Scott Lee <ddoman@chromium.org>
Reviewed-by: Allen Li <ayatane@chromium.org>
Implements ensure_authenticated in ChainedAuthenticator to call the
first applicable authenticator.
In addition, makes `GitCredsAuthenticator.is_applicable` work when `gerrit_host` isn't provided, and caches the result to avoid sending
redundant RPCs for the same host.
This change is slightly risky because we'll start exercising
ensure_authenticated code path on different Authenticators. Though
currently, only .gitcookies (CookiesAuthenticator) implements this
check. With newauthstack shipped, CookiesAuthenticator shouldn't be used for normal workflows.
If you suspect this change has caused a breakage, please file a bug and
revert this CL.
Bug: 348024314
Change-Id: I420929bd552d7804d53a5f118f8d8c2d10940480
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7065052
Reviewed-by: Scott Lee <ddoman@chromium.org>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Allen Li <ayatane@chromium.org>
ensure_authenticated was defined to take gerrit_host then git_host,
but the callsite got it flipped in https://crrev.com/c/5665455
This CL fixes the mistake, and also changed the method signature to
require kwargs argument (and hopefully make it easier to spot and avoid
such mistakes).
Note, this change shouldn't impact normal operation. Only the deprecated
CookiesAuthenticator relies on git_host and gerrit_host, which is not
used when New Auth Stack is enabled.
Bug: 451651615
Change-Id: I8157f3bd4cd51cc78dc4e1c2a917682ced91da86
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7077739
Auto-Submit: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Scott Lee <ddoman@chromium.org>
Commit-Queue: Scott Lee <ddoman@chromium.org>
This CL implements attempt_authenticate_with_reauth in LuciContextAuthenticator according to the base _Authenticator's
interface definition.
This allows LuciContextAuthenticator to be used where an action that needs to meet ReAuth requirement (instead of raising an exception
saying "ReAuth
is required").
Luci context access tokens should already satisfy ReAuth requirement.
Bug: 442666611
Change-Id: I2e4d43a75b230932fc779c805f75b5828c9d0980
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6967915
Reviewed-by: Allen Li <ayatane@chromium.org>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Scott Lee <ddoman@chromium.org>
This CL implements attempt_authenticate_with_reauth in GceAuthenticator
according to the base _Authenticator's interface definition.
This allows GceAuthenticator to be used where an action that needs to
meet ReAuth requirement (instead of raising an exception saying "ReAuth
is required").
GceAuthenticator's credential already satisfies ReAuth requirement.
ReAuth is satisfied if the GCE bot is trusted (controlled by Gerrit
server side config).
Bug:442666611
Change-Id: I9a801e3fd6ab9fb446e7842a93bcd9ee1ff953c7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6965527
Reviewed-by: Allen Li <ayatane@chromium.org>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Scott Lee <ddoman@chromium.org>
The `git cl cherry-pick` command previously created chained CLs by
first cherry-picking a change onto the destination branch tip and then
rebasing the result onto the parent CL created in the previous step.
This approach failed when a sequence of cherry-picks resulted in an
intermediate state having an identical tree compared to its intended
base (e.g., commit 1 changes X->Y, commit 2 changes Y->X). Gerrit
would reject the second cherry-pick with an "identical tree" error
because the rebase is done after the cherry pick.
This change modifies the process to use the `base` parameter of the
Gerrit `cherrypick` REST API endpoint.
Changes:
- Modify `gerrit_util.CherryPick` to accept and pass an optional `base`
commit hash in the API request body.
- Update `git_cl.CMDcherry_pick`:
- Before each cherry-pick operation in the loop, fetch the commit hash
of the latest patchset from the previously processed parent CL.
- Pass this commit hash as the `base` parameter to `gerrit_util.CherryPick`.
- Remove the subsequent, now redundant, call to `gerrit_util.RebaseChange`.
This ensures the correct parent commit is specified during the
cherry-pick operation itself, allowing Gerrit to handle the chaining
correctly and avoid failures caused by identical tree states in
intermediate steps.
Bug: 408388488
Change-Id: I84066d65bd6bb127b253bee6564dd0622148a0e0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6433112
Commit-Queue: Gennady Tsitovich <gtsitovich@google.com>
Reviewed-by: Gavin Mak <gavinmak@google.com>
Sometimes I want to add a message without touching the attention set.
The default review call will automatically update it regardless. Add
a flag to explicitly control behavior.
Test:
# No attention set option.
$ ./gerrit_client.py ...
-> ignore_automatic_attention_set_rules not included in body of request
$ ./gerrit_client.py ... --automatic-attention
-> body has {'ignore_automatic_attention_set_rules': False}
$ ./gerrit_client.py ... --no-automatic-attention
-> body has {'ignore_automatic_attention_set_rules': True}
Change-Id: Idcf7975ba691942cfe385a2156ef3a3ec064a0b7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6172486
Commit-Queue: Yiwei Zhang <yiwzhang@google.com>
Reviewed-by: Yiwei Zhang <yiwzhang@google.com>
Auto-Submit: Mike Frysinger <vapier@chromium.org>
gerrit_utils retries failed HTTP requests 6 times by default. For SubmitChange the failure reason is often 409 on a merge conflict, which doesn't make sense to retry as the conflict remains.
This is being done as part of improving efficiency of submitting Chrome signing request changes. We currently spend a lot of time just retrying to submit a conflicting change. Reducing the number of retries in gerrit_util will free up the time for more retries that include fully recreating the change on top of the latest changes.
Bug: 365827690
Change-Id: Ifae83c14da7ca829a155c1cd6e79398e5ea0cf85
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6172303
Reviewed-by: Brian Ryner <bryner@google.com>
Commit-Queue: Alex Kravchuk <alexanderkr@google.com>
This fixes the case where a user tries to fetch new repos but isn't in
a Git directory (probably true for most people if they don't have,
e.g., their home directory as a Git repo).
There are a couple of ways to bikeshed a solution for this, but the
most straightforward/easiest is to skip since we're just caching the
account presence check.
Bug: b/328682976
Change-Id: I87a0b210451e6952839eef73616d012c41ad300f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6154836
Commit-Queue: Allen Li <ayatane@chromium.org>
Reviewed-by: Josip Sokcevic <sokcevic@chromium.org>
git-credential-luci is very similar to luci-auth, except that it is
expressly for git/Gerrit. Therefore, it hard codes the scopes needed
for git/Gerrit. It's also a separate binary, which makes it more
convenient for us to configure it for ReAuth later.
Bug: b/382341041
Change-Id: I7de56d3922adac7eb4671849eb6e30be310d4de7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6073043
Reviewed-by: Josip Sokcevic <sokcevic@chromium.org>
Commit-Queue: Allen Li <ayatane@chromium.org>
"Better" means:
1. Retrying a failed gerrit_util.CherryPick only once instead
of 5 times for faster feedback since more retries don't help.
2. Gracefully handling GerritErrors raised by gerrit_util.CherryPick
This CL also fixes a minor bug where the "Remaining commit(s) to
cherry pick" message would always print even if there were no more
commits left.
Bug: 341792235
Change-Id: I1712a6b080b14396463f3bceeeac84772f1253b1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5825626
Commit-Queue: Gavin Mak <gavinmak@google.com>
Reviewed-by: Joanna Wang <jojwang@chromium.org>
Users who want to upload multiple cherry picks usually run "git
cherry-pick" locally, multiple times. Gerrit does not recognize
these changes as cherry picks and neither do other services that
query cherry pick info from Gerrit, e.g. rubber stamper.
For Gerrit to identify a change as a true cherry pick, you need to
use their Cherry Pick Revision REST API endpoint. This new command
uses it to create a chain of cherry pick CLs recognized by Gerrit.
Bug: b/341792235
Change-Id: I4ba75da3901f6ea68c1debd65820e802da681798
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5756161
Reviewed-by: Josip Sokcevic <sokcevic@chromium.org>
Commit-Queue: Gavin Mak <gavinmak@google.com>
In nosquash mode, `git cl` is pretty challenging to use since we don't
have issue numbers. All three parts of the triplet id are readily
available though. This CL adds a fallback to `git cl` which looks up the
issue number by getting the change details by triplet_id.
Change-Id: I0839fe75bcb4bc8d60ff36b4da26dc0e419a1493
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5633186
Commit-Queue: Daniel Rubery <drubery@chromium.org>
Reviewed-by: Gavin Mak <gavinmak@google.com>
