commit cccca95d8fca2274aee9c6550e63d6787d648694
author Takuto Ikuta <tikuta@chromium.org> Fri Dec 01 02:47:55 2023 +0000
committer LUCI CQ <infra-scoped@luci-project-accounts.iam.gserviceaccount.com> Fri Dec 01 02:47:55 2023 +0000
tree 288c2c6d83973c5b9378a8d2881f90110499a023
parent 8197d724a6eac77766f6505683bd9cad2e82a039

Revert^2 "autoninja.py: disallow external account from corp machine"

This reverts commit ed596dadf949912c91d2632ef422426d7db85ac6.

Reason for revert:
Ignore exception when getting account for application default
credentials.

Original change's description:
> Revert "autoninja.py: disallow external account from corp machine"
>
> This reverts commit 0d0f28a4fc7b8493532e731d873475ad927043d8.
>
> Reason for revert:
> http://b/309720176#comment7
>
> Original change's description:
> > autoninja.py: disallow external account from corp machine
> >
> > This disallows Googler to use non-google account with reclient and
> > siso from corp machine.
> >
> > Bug: b/309720176
> > Change-Id: I8077eff8bbf47f579462e1fefa3609a5d492a013
> > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5035266
> > Reviewed-by: Philipp Wollermann <philwo@chromium.org>
> > Reviewed-by: Josip Sokcevic <sokcevic@chromium.org>
> > Commit-Queue: Takuto Ikuta <tikuta@chromium.org>
>
> Bug: b/309720176
> Change-Id: I62b4891b1e2e2554d088d162057982b95c8adcd7
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5065849
> Reviewed-by: Philipp Wollermann <philwo@chromium.org>
> Owners-Override: Takuto Ikuta <tikuta@chromium.org>
> Commit-Queue: Takuto Ikuta <tikuta@chromium.org>
> Auto-Submit: Takuto Ikuta <tikuta@chromium.org>
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>

Bug: b/309720176
Change-Id: Ib9aef1b7fa8e3c9bb20ac8d6b461c6bcff72dc83
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5065052
Reviewed-by: Gavin Mak <gavinmak@google.com>
Commit-Queue: Takuto Ikuta <tikuta@chromium.org>

autoninja.py

diff --git a/autoninja.py b/autoninja.py
index 417fa97..9bf0d1b 100755
--- a/autoninja.py
+++ b/autoninja.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env vpython3
 # Copyright (c) 2017 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
@@ -14,13 +14,19 @@
 settings.
 """
 
+import json
 import multiprocessing
 import os
 import platform
 import re
 import shlex
+import shutil
 import subprocess
 import sys
+import warnings
+
+import google.auth
+from google.auth.transport.requests import AuthorizedSession
 
 import autosiso
 import ninja
@@ -43,6 +49,72 @@
 _ALL_META_CHARS = _UNSAFE_FOR_CMD.union(set('"'))
 
 
+def _adc_account():
+    """Returns account used to authenticate with GCP application default credentials."""
+
+    try:
+        # Suppress warnings from google.auth.default.
+        # https://github.com/googleapis/google-auth-library-python/issues/271
+        warnings.filterwarnings(
+            "ignore",
+            "Your application has authenticated using end user credentials from"
+            " Google Cloud SDK without a quota project.",
+        )
+        credentials, _ = google.auth.default(
+            scopes=["https://www.googleapis.com/auth/userinfo.email"])
+    except google.auth.exceptions.DefaultCredentialsError:
+        # Application Default Crendetials is not configured.
+        return None
+    finally:
+        warnings.resetwarnings()
+
+    with AuthorizedSession(credentials) as session:
+        try:
+            response = session.get(
+                "https://www.googleapis.com/oauth2/v1/userinfo")
+        except Exception:
+            # Ignore exception.
+            return None
+
+    return response.json().get("email")
+
+
+def _gcloud_auth_account():
+    """Returns active account authenticated with `gcloud auth login`."""
+    if shutil.which("gcloud") is None:
+        return None
+
+    accounts = json.loads(
+        subprocess.check_output("gcloud auth list --format=json",
+                                shell=True,
+                                text=True))
+    for account in accounts:
+        if account["status"] == "ACTIVE":
+            return account["account"]
+    return None
+
+
+def _is_google_corp_machine():
+    """This assumes that corp machine has gcert binary in known location."""
+    return shutil.which("gcert") is not None
+
+
+def _is_google_corp_machine_using_external_account():
+    if not _is_google_corp_machine():
+        return False
+
+    account = _adc_account()
+    if account and not account.endswith("@google.com"):
+        return True
+
+    account = _gcloud_auth_account()
+    if not account:
+        return False
+    # Handle service account and google account as internal account.
+    return not (account.endswith("@google.com")
+                or account.endswith("gserviceaccount.com"))
+
+
 def _quote_for_cmd(arg):
     # First, escape the arg so that CommandLineToArgvW will parse it properly.
     if arg == "" or " " in arg or '"' in arg:
@@ -163,6 +235,18 @@
                 use_siso = True
                 continue
 
+        if use_remoteexec:
+            if _is_google_corp_machine_using_external_account():
+                print(
+                    "You can't use a non-@google.com account (%s and/or %s) on"
+                    " a corp machine.\n"
+                    "Please login via `gcloud auth login --update-adc` with"
+                    " your @google.com account instead.\n" %
+                    (_adc_account(), _gcloud_auth_account()),
+                    file=sys.stderr,
+                )
+                return 1
+
         siso_marker = os.path.join(output_dir, ".siso_deps")
         if use_siso:
             # autosiso generates a .ninja_log file so the mere existence of a