Revert "Remove caching from credshelper interface & SDK Import"

This reverts commit bb6db233c6d6e44c8298edb4c5a9ca296e4137fd.

Reason for revert: This failed the android CI build

Change-Id: I0fd5f2880754fd83a625511928853f363fd7b535
Bug: b/332568410
Test: Triggered an android CI build with this commit to verify
GitOrigin-RevId: 8dab0b3ef7f6aceef5a275342e9e920868ec08e6

cmd/bootstrap/BUILD.bazel

@@ -11,6 +11,7 @@ go_library(
         "//internal/pkg/auth",
         "//internal/pkg/bootstrap",
         "//internal/pkg/event",
+        "//internal/pkg/features",
         "//internal/pkg/logger",
         "//internal/pkg/loghttp",
         "//internal/pkg/pathtranslator",

cmd/bootstrap/main.go

@@ -31,6 +31,7 @@ import (
 	"github.com/bazelbuild/reclient/internal/pkg/auth"
 	"github.com/bazelbuild/reclient/internal/pkg/bootstrap"
 	"github.com/bazelbuild/reclient/internal/pkg/event"
+	"github.com/bazelbuild/reclient/internal/pkg/features"
 	"github.com/bazelbuild/reclient/internal/pkg/logger"
 	"github.com/bazelbuild/reclient/internal/pkg/loghttp"
 	"github.com/bazelbuild/reclient/internal/pkg/pathtranslator"
@@ -135,6 +136,11 @@ func main() {
 		}
 	}
 
+	cf, err := credsFilePath()
+	if err != nil {
+		log.Exitf("Failed to determine the token cache file name: %v", err)
+	}
+	var chCreds *credshelper.Credentials
 	var ts *grpcOauth.TokenSource
 	credsArgs := []string{}
 	if !*remoteDisabled {
@@ -145,7 +151,7 @@ func main() {
 			credsArgs = append(credsArgs, fmt.Sprintf("--%v=%v", credshelper.CredshelperArgsFlag, *credentialsHelperArgs))
 		}
 		if *credentialsHelper != "" {
-			c, err := credshelper.NewExternalCredentials(*credentialsHelper, strings.Fields(*credentialsHelperArgs))
+			c, err := credshelper.NewExternalCredentials(*credentialsHelper, strings.Fields(*credentialsHelperArgs), cf)
 			if err != nil {
 				fmt.Fprintf(os.Stderr, "Credentials helper failed. Please try again or use application default credentials:%v", err)
 				os.Exit(auth.ExitCodeExternalTokenAuth)
@@ -154,6 +160,8 @@ func main() {
 			if err != nil {
 				log.Exitf("Error obtaining credentials: %v", err)
 			}
+			c.SaveToDisk()
+			chCreds = c
 			ts = c.TokenSource()
 		} else {
 			m := authMechanism()
@@ -239,6 +247,7 @@ func main() {
 			args = append(args, "--cfg="+cfg.Value.String())
 		}
 	}
+	args = append(args, "--creds_file="+cf)
 
 	if *fastLogCollection {
 		args = append(args, "--wait_for_shutdown_rpc=true")
@@ -253,7 +262,8 @@ func main() {
 	if exitCode == 0 {
 		fmt.Fprintf(os.Stderr, msg)
 	} else {
-		fmt.Fprintf(os.Stderr, "\nReproxy failed to start:%s\n Please try again. If this continues to fail, please file a bug.\n", msg)
+		fmt.Fprintf(os.Stderr, "\nReproxy failed to start:%s\nCredentials cache file was deleted. Please try again. If this continues to fail, please file a bug.\n", msg)
+		chCreds.RemoveFromDisk()
 	}
 	log.Flush()
 	os.Exit(exitCode)
@@ -346,6 +356,22 @@ func bootstrapReproxy(args []string, startTime time.Time) (string, int) {
 	return "Proxy started successfully.", 0
 }
 
+func credsFilePath() (string, error) {
+	if !features.GetConfig().EnableCredentialCache {
+		return "", nil
+	}
+	dir := os.TempDir()
+	if *cacheDir != "" {
+		dir = *cacheDir
+	}
+	cf := filepath.Join(dir, "reproxy.creds")
+	err := os.MkdirAll(filepath.Dir(cf), 0755)
+	if err != nil {
+		return "", fmt.Errorf("failed to create dir for credentials file %q: %v", cf, err)
+	}
+	return cf, nil
+}
+
 func authMechanism() auth.Mechanism {
 	if *experimentalCredentialsHelper != "" {
 		fmt.Fprintf(os.Stderr, "--experimental_credentials_helper flags are deprecated, please use --credentials_helper flags")

cmd/reproxy/main.go

@@ -130,7 +130,7 @@ var (
 
 	depsScannerAddress = flag.String("depsscanner_address", "execrel://", "If set, connects to the given address for C++ dependency scanning; a path with the prefix 'exec://' will start the target executable and connect to it. Defaults to execrel:// which looks for the `scandeps_server` binary in the same folder as reproxy. When set to \"\", the internal dependency scanner will be used.")
 
-	credsFile             = flag.String("creds_file", "", "DEPRECATED. Path to file where short-lived credentials are stored. If the file includes a token, reproxy will update the token if it refreshes it. Token refresh is only applicable if use_external_auth_token is used.")
+	credsFile             = flag.String("creds_file", "", "Path to file where short-lived credentials are stored. If the file includes a token, reproxy will update the token if it refreshes it. Token refresh is only applicable if use_external_auth_token is used.")
 	waitForShutdownRPC    = flag.Bool("wait_for_shutdown_rpc", false, "If set, will only shutdown after 3 SIGINT signals")
 	logHTTPCalls          = flag.Bool("log_http_calls", false, "Log all http requests made with the default http client.")
 	auxiliaryMetadataPath = flag.String("auxiliary_metadata_path", "", "Path to file where auxiliary_metadata.pb file is stored. Should be a absolute path or a relative path to reproxy.")
@@ -275,20 +275,16 @@ func main() {
 	ctx := context.Background()
 	var ts *grpcOauth.TokenSource
 	if !*remoteDisabled {
-		if *credsFile != "" {
-			// --creds_file flag shouldn't be set anywhere, so this shouldn't come up - since bootstrap was responsible for setting this flag based on the given cache_dir
-			fmt.Fprintf(os.Stderr, "--creds_file flag is invalid now. No credentials are cached. Please unset this flag and try again")
-			os.Exit(1)
-		}
 		chFlag := flag.Lookup(credshelper.CredshelperPathFlag)
 		credentialsHelperPath := chFlag.Value.String()
 		if credentialsHelperPath != "" {
 			credentialsHelperArgs := flag.Lookup(credshelper.CredshelperArgsFlag).Value.String()
-			c, err := credshelper.NewExternalCredentials(credentialsHelperPath, strings.Fields(credentialsHelperArgs))
+			c, err := credshelper.NewExternalCredentials(credentialsHelperPath, strings.Fields(credentialsHelperArgs), *credsFile)
 			if err != nil {
 				fmt.Fprintf(os.Stderr, "Credentials helper failed. Please try again or use application default credentials:%v", err)
 				os.Exit(auth.ExitCodeExternalTokenAuth)
 			}
+			defer c.SaveToDisk()
 			ts = c.TokenSource()
 		}
 	}

go.mod

@@ -11,7 +11,7 @@ require (
 	contrib.go.opencensus.io/exporter/stackdriver v0.13.14
 	github.com/GoogleCloudPlatform/protoc-gen-bq-schema v1.1.0
 	github.com/Microsoft/go-winio v0.6.2
-	github.com/bazelbuild/remote-apis-sdks v0.0.0-20240815141737-7a76f178e91c
+	github.com/bazelbuild/remote-apis-sdks v0.0.0-20240725185642-719a5dd43ab6
 	github.com/bazelbuild/rules_go v0.48.0
 	github.com/eapache/go-resiliency v1.6.0
 	github.com/fatih/color v1.17.0

go.sum

@@ -165,8 +165,8 @@ github.com/aws/aws-sdk-go v1.43.31 h1:yJZIr8nMV1hXjAvvOLUFqZRJcHV7udPQBfhJqawDzI
 github.com/aws/aws-sdk-go v1.43.31/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/bazelbuild/remote-apis v0.0.0-20230411132548-35aee1c4a425 h1:Lj8uXWW95oXyYguUSdQDvzywQb4f0jbJWsoLPQWAKTY=
 github.com/bazelbuild/remote-apis v0.0.0-20230411132548-35aee1c4a425/go.mod h1:ry8Y6CkQqCVcYsjPOlLXDX2iRVjOnjogdNwhvHmRcz8=
-github.com/bazelbuild/remote-apis-sdks v0.0.0-20240815141737-7a76f178e91c h1:4Yj2ooLL63JlIYMnf36686JXy4l77WEaRL69mSC2gMU=
-github.com/bazelbuild/remote-apis-sdks v0.0.0-20240815141737-7a76f178e91c/go.mod h1:SkKj81cDNRVeJ9Ba34FGlnlz9QmpLJ1d2AOushpY5L4=
+github.com/bazelbuild/remote-apis-sdks v0.0.0-20240725185642-719a5dd43ab6 h1:plDS7TlvX4jDuyXyGjJI7pJdvjff4QrBSJxyrK1r5sI=
+github.com/bazelbuild/remote-apis-sdks v0.0.0-20240725185642-719a5dd43ab6/go.mod h1:xTnFpTrMb0eMa4bsueAUc3/K2MSLiTwhrTjpuDJVSSQ=
 github.com/bazelbuild/rules_go v0.48.0 h1:fZgo6mCUKeL/+GQiMWy5/QU1FjNXGPnTd5bAeao1pbg=
 github.com/bazelbuild/rules_go v0.48.0/go.mod h1:Dhcz716Kqg1RHNWos+N6MlXNkjNP2EwZQ0LukRKJfMs=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=