Revert "autoninja.py: disallow external account from corp machine"

This reverts commit 0d0f28a4fc.

Reason for revert:
http://b/309720176#comment7

Original change's description:
> autoninja.py: disallow external account from corp machine
>
> This disallows Googler to use non-google account with reclient and
> siso from corp machine.
>
> Bug: b/309720176
> Change-Id: I8077eff8bbf47f579462e1fefa3609a5d492a013
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5035266
> Reviewed-by: Philipp Wollermann <philwo@chromium.org>
> Reviewed-by: Josip Sokcevic <sokcevic@chromium.org>
> Commit-Queue: Takuto Ikuta <tikuta@chromium.org>

Bug: b/309720176
Change-Id: I62b4891b1e2e2554d088d162057982b95c8adcd7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5065849
Reviewed-by: Philipp Wollermann <philwo@chromium.org>
Owners-Override: Takuto Ikuta <tikuta@chromium.org>
Commit-Queue: Takuto Ikuta <tikuta@chromium.org>
Auto-Submit: Takuto Ikuta <tikuta@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
changes/49/5065849/2
Takuto Ikuta 1 year ago committed by LUCI CQ
parent 0d0f28a4fc
commit ed596dadf9

@ -65,33 +65,3 @@ wheel: <
name: "infra/python/wheels/certifi-py2_py3"
version: "version:2021.5.30"
>
# Used by:
# autoninja.py
wheel: <
name: "infra/python/wheels/google-auth-py3"
version: "version:2.16.2"
>
wheel: <
name: "infra/python/wheels/cachetools-py3"
version: "version:4.2.2"
>
wheel: <
name: "infra/python/wheels/pyasn1_modules-py2_py3"
version: "version:0.2.8"
>
wheel: <
name: "infra/python/wheels/rsa-py3"
version: "version:4.7.2"
>
wheel: <
name: "infra/python/wheels/pyasn1-py2_py3"
version: "version:0.4.8"
>
# Used by:
# tests/autoninja_test.py
wheel: <
name: "infra/python/wheels/parameterized-py2_py3"
version: "version:0.8.1"
>

@ -20,7 +20,7 @@ fi
# Execute whatever is printed by autoninja.py.
# Also print it to reassure that the right settings are being used.
vpython3 "$(dirname -- "$0")/autoninja.py" "$@"
python3 "$(dirname -- "$0")/autoninja.py" "$@"
retval=$?
if [ "$retval" == "0" ] && [ "$NINJA_SUMMARIZE_BUILD" == "1" ]; then

@ -30,7 +30,7 @@ if "%NINJA_SUMMARIZE_BUILD%" == "1" set "NINJA_STATUS=[%%r processes, %%f/%%t @
:: should be consistent between autoninja.bat and the autoninja script used by
:: git bash.
@call %scriptdir%\vpython3.bat %scriptdir%autoninja.py "%%*"
@call %scriptdir%python-bin\python3.bat %scriptdir%autoninja.py "%%*"
@if errorlevel 1 goto buildfailure
:: Use call to invoke python script here, because we use python via python3.bat.

@ -1,4 +1,4 @@
#!/usr/bin/env vpython3
#!/usr/bin/env python3
# Copyright (c) 2017 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
@ -14,19 +14,13 @@ does handle import statements, but it can't handle conditional setting of build
settings.
"""
import json
import multiprocessing
import os
import platform
import re
import shlex
import shutil
import subprocess
import sys
import warnings
import google.auth
from google.auth.transport.requests import AuthorizedSession
import autosiso
import ninja
@ -49,62 +43,6 @@ _UNSAFE_FOR_CMD = set("^<>&|()%")
_ALL_META_CHARS = _UNSAFE_FOR_CMD.union(set('"'))
def _adc_account():
"""Returns account used to authenticate with GCP application default credentials."""
try:
# Suppress warnings from google.auth.default.
# https://github.com/googleapis/google-auth-library-python/issues/271
warnings.filterwarnings(
"ignore",
"Your application has authenticated using end user credentials from"
" Google Cloud SDK without a quota project.",
)
credentials, _ = google.auth.default(
scopes=["https://www.googleapis.com/auth/userinfo.email"])
except google.auth.exceptions.DefaultCredentialsError:
# Application Default Crendetials is not configured.
return None
finally:
warnings.resetwarnings()
with AuthorizedSession(credentials) as session:
response = session.get("https://www.googleapis.com/oauth2/v1/userinfo")
return response.json().get("email")
def _gcloud_auth_account():
"""Returns active account authenticated with `gcloud auth login`."""
if shutil.which("gcloud") is None:
return None
accounts = json.loads(
subprocess.check_output("gcloud auth list --format=json",
shell=True,
text=True))
for account in accounts:
if account["status"] == "ACTIVE":
return account["account"]
return None
def _is_google_corp_machine():
"""This assumes that corp machine has gcert binary in known location."""
return shutil.which("gcert") is not None
def _is_google_corp_machine_using_external_account():
if not _is_google_corp_machine():
return False
account = _adc_account()
if account and not account.endswith("@google.com"):
return True
account = _gcloud_auth_account()
return account and not account.endswith("@google.com")
def _quote_for_cmd(arg):
# First, escape the arg so that CommandLineToArgvW will parse it properly.
if arg == "" or " " in arg or '"' in arg:
@ -271,18 +209,6 @@ def main(args):
use_goma = True
break
if use_remoteexec or use_siso:
if _is_google_corp_machine_using_external_account():
print(
"You can't use a non-@google.com account (%s and/or %s) on a"
" corp machine.\n"
"Please login via `gcloud auth login --update-adc` with your"
" @google.com account instead.\n" %
(_adc_account(), _gcloud_auth_account()),
file=sys.stderr,
)
return 1
# Strip -o/--offline so ninja doesn't see them.
input_args = [arg for arg in input_args if arg not in ("-o", "--offline")]
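Review bot: With the `_is_google_corp_machine_using_external_account()` gate removed from `main()`, nothing on the new side checks which account reclient or siso will use on a corp machine, and the file no longer shows that a check ever existed. The only stated reason is a bug-comment link in the commit message, so a later reader of autoninja.py cannot tell that the policy was dropped on purpose. I would leave a short comment where the block was, just before `# Strip -o/--offline so ninja doesn't see them.`, for example `# NOTE(b/309720176): the corp-machine account check for remoteexec/siso was reverted; see the bug before re-adding it.` The reverted helper appears to have relied only on local signals (`gcert` on PATH and locally configured credentials), so it was advisory at best; if the restriction matters, it is probably better enforced by the remote-execution backend. `main()` starts and ends outside this hunk.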

@ -1,4 +1,4 @@
#!/usr/bin/env vpython3
#!/usr/bin/env python3
# Copyright (c) 2022 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
@ -12,8 +12,6 @@ import unittest
import contextlib
from unittest import mock
from parameterized import parameterized
ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
sys.path.insert(0, ROOT_DIR)
@ -154,29 +152,6 @@ class AutoninjaTest(trial_dir.TestCase):
self.assertIn('-C', args)
self.assertEqual(args[args.index('-C') + 1], out_dir)
@parameterized.expand([
("non corp machine", False, None, None, False),
("non corp adc account", True, "foo@chromium.org", None, True),
("corp adc account", True, "foo@google.com", None, False),
("non corp gcloud auth account", True, None, "foo@chromium.org", True),
("corp gcloud auth account", True, None, "foo@google.com", False),
])
def test_is_corp_machine_using_external_account(self, _, is_corp,
adc_account,
gcloud_auth_account,
expected):
with mock.patch('autoninja._is_google_corp_machine',
return_value=is_corp), mock.patch(
'autoninja._adc_account',
return_value=adc_account), mock.patch(
'autoninja._gcloud_auth_account',
return_value=gcloud_auth_account):
self.assertEqual(
bool(
# pylint: disable=line-too-long
autoninja._is_google_corp_machine_using_external_account()),
expected)
def test_gn_lines(self):
out_dir = os.path.join('out', 'dir')
# Make sure nested import directives work. This is based on the
