authorGravatar Jakob Buchgraber <buchgr@google.com>2017-12-19 06:51:56 -0800
committerGravatar Copybara-Service <copybara-piper@google.com>2017-12-19 06:53:56 -0800
commitf527577fcc27a06a3db5b9fdc426a71a1b96d5a4 (patch)
treeec57dedbcf15da43205fb17c52f7e5fe5fa40dd4 /src/main/java/com/google/devtools/build/lib/authandtls
parent905e30721ad566c3a940afbec06d73b134d5f064 (diff)
remote: Allow auth scopes to be a comma-separated list.
--auth_scopes can be passed a comma-separated list of authentication scopes. Add "https://www.googleapis.com/auth/devstorage.read_write" to the list of defaults. This scope is used when using Google Cloud Storage (GCS) as a remote caching backend. Change-Id: I62e6fed28b28737823ad6c70cbc5048b3a3190b5 PiperOrigin-RevId: 179548090
Diffstat (limited to 'src/main/java/com/google/devtools/build/lib/authandtls')
-rw-r--r--src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java21
-rw-r--r--src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java10
2 files changed, 23 insertions, 8 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java b/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java
index 88cae094db..2f573f964f 100644
--- a/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java
+++ b/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java
@@ -14,11 +14,13 @@
package com.google.devtools.build.lib.authandtls;
+import com.google.devtools.common.options.Converters.CommaSeparatedOptionListConverter;
import com.google.devtools.common.options.Option;
import com.google.devtools.common.options.OptionDocumentationCategory;
import com.google.devtools.common.options.OptionEffectTag;
import com.google.devtools.common.options.OptionMetadataTag;
import com.google.devtools.common.options.OptionsBase;
+import java.util.List;
/**
* Common options for authentication and TLS.
@@ -37,15 +39,28 @@ public class AuthAndTLSOptions extends OptionsBase {
)
public boolean authEnabled;
+ /**
+ * Comma-separated list of auth scopes.
+ *
+ * <ul>
+ * <li><b>https://www.googleapis.com/auth/cloud-source-tools</b> is the auth scope for Build
+ * Event Service (BES) and Remote Build Execution (RBE).
+ * <li><b>https://www.googleapis.com/auth/devstorage.read_write</b> is the auth scope for Google
+ * Cloud Storage (GCS).
+ * </ul>
+ */
@Option(
name = "auth_scope",
- defaultValue = "https://www.googleapis.com/auth/cloud-source-tools",
+ defaultValue =
+ "https://www.googleapis.com/auth/cloud-source-tools,"
+ + "https://www.googleapis.com/auth/devstorage.read_write",
+ converter = CommaSeparatedOptionListConverter.class,
category = "remote",
documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
effectTags = {OptionEffectTag.UNKNOWN},
- help = "If server authentication requires a scope, provide it here."
+ help = "A comma-separated list of authentication scopes."
)
- public String authScope;
+ public List<String> authScope;
@Option(
name = "auth_credentials",
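Review bot: The new `defaultValue` of the `auth_scope` option adds `https://www.googleapis.com/auth/devstorage.read_write` for every invocation, so credentials are scoped for GCS read/write even when only BES or RBE is in use. Least privilege argues for keeping the default narrow, or at least for telling users what the default grants. The new help string does not say, so consider `help = "A comma-separated list of authentication scopes. The default includes GCS read/write; pass only the scopes your backend needs."`. The commit description also calls the flag `--auth_scopes` while the option name stays `auth_scope`, and the two should be aligned.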
diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java b/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java
index 63dda5014b..53fbefd699 100644
--- a/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java
+++ b/src/main/java/com/google/devtools/build/lib/authandtls/GoogleAuthUtils.java
@@ -18,7 +18,6 @@ import com.google.auth.Credentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
-import com.google.common.collect.ImmutableList;
import io.grpc.CallCredentials;
import io.grpc.ManagedChannel;
import io.grpc.auth.MoreCallCredentials;
@@ -32,6 +31,7 @@ import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
+import java.util.List;
import javax.annotation.Nullable;
/** Utility methods for using {@link AuthAndTLSOptions} with Google Cloud. */
@@ -104,7 +104,7 @@ public final class GoogleAuthUtils {
@VisibleForTesting
public static CallCredentials newCallCredentials(
- @Nullable InputStream credentialsFile, @Nullable String authScope) throws IOException {
+ @Nullable InputStream credentialsFile, List<String> authScope) throws IOException {
Credentials creds = newCredentials(credentialsFile, authScope);
if (creds != null) {
return MoreCallCredentials.from(creds);
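Review bot: `authScope` loses `@Nullable` in `newCallCredentials` here and in `newCredentials` in the last hunk, but nothing enforces non-null. A caller that still passes null to this public method will hit a NullPointerException at `authScopes.isEmpty()` in `newCredentials`. `Preconditions` is already imported, so add `Preconditions.checkNotNull(authScope, "authScope");` as the first statement, or keep tolerating null as before. The parameter is named `authScope` here and `authScopes` in `newCredentials`; the plural matches the new `List<String>` type. The method body continues outside this hunk.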
@@ -139,14 +139,14 @@ public final class GoogleAuthUtils {
}
private static Credentials newCredentials(
- @Nullable InputStream credentialsFile, @Nullable String authScope) throws IOException {
+ @Nullable InputStream credentialsFile, List<String> authScopes) throws IOException {
try {
GoogleCredentials creds =
credentialsFile == null
? GoogleCredentials.getApplicationDefault()
: GoogleCredentials.fromStream(credentialsFile);
- if (authScope != null) {
- creds = creds.createScoped(ImmutableList.of(authScope));
+ if (!authScopes.isEmpty()) {
+ creds = creds.createScoped(authScopes);
}
return creds;
} catch (IOException e) {
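Review bot: `creds.createScoped(authScopes)` receives the list entries exactly as parsed. If the converter does not trim or drop empty entries (not visible here), a value such as `a, b` or one with a trailing comma could produce a scope with leading whitespace or an empty string. A short comment stating what is guaranteed would help, for example `// authScopes comes from CommaSeparatedOptionListConverter; entries are not validated here`. Alternatively, skipping blank entries before `createScoped` would make a rejected token request easier to diagnose. The `try` block continues past the end of the hunk.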