Skip to content

Commit

Permalink
Retry reading default GCP credentials in the expired case
Browse files Browse the repository at this point in the history 
Currently, Google Auth library caches default credentials indefinitely
in a static field. This means if user's credentials expire, they run
gcloud auth command, then try runnning Gradle again the old credentials
are used. This change adds a reflection based mechanism to clear default
credentials cache and retrying one additional time to get new
credentials.

Additionally, allow specifying the message on authentication failure.
  • Loading branch information
@liutikas
liutikas committed Jul 26, 2023
1 parent 8f20c58 commit 884bfcb
Show file tree
Hide file tree
Showing 5 changed files with 76 additions and 23 deletions.
4 changes: 4 additions & 0 deletions gcpbuildcache/src/main/kotlin/androidx/build/gradle/gcpbuildcache/GcpBuildCache.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,4 +34,8 @@ abstract class GcpBuildCache : RemoteGradleBuildCache() {
* The type of credentials to use to connect to the Google Cloud Platform project instance.
*/
override var credentials: GcpCredentials = ApplicationDefaultGcpCredentials

var messageOnAuthenticationFailure: String = """Your GCP Credentials have expired.
Please regenerate credentials following the steps below and try again:
gcloud auth application-default login""".trimIndent()
}
3 changes: 2 additions & 1 deletion gcpbuildcache/src/main/kotlin/androidx/build/gradle/gcpbuildcache/GcpBuildCacheService.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ internal class GcpBuildCacheService(
private val projectId: String,
private val bucketName: String,
gcpCredentials: GcpCredentials,
messageOnAuthenticationFailure: String,
isPush: Boolean,
isEnabled: Boolean,
inTestMode: Boolean = false
Expand All @@ -47,7 +48,7 @@ internal class GcpBuildCacheService(
// Use an implementation backed by the File System when in test mode.
FileSystemStorageService(bucketName, isPush, isEnabled)
} else {
GcpStorageService(projectId, bucketName, gcpCredentials, isPush, isEnabled)
GcpStorageService(projectId, bucketName, gcpCredentials, messageOnAuthenticationFailure, isPush, isEnabled)
}

override fun close() {
Expand Down
1 change: 1 addition & 0 deletions ...dcache/src/main/kotlin/androidx/build/gradle/gcpbuildcache/GcpBuildCacheServiceFactory.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ class GcpBuildCacheServiceFactory : BuildCacheServiceFactory<GcpBuildCache> {
buildCache.projectId,
buildCache.bucketName,
buildCache.credentials,
buildCache.messageOnAuthenticationFailure,
buildCache.isPush,
buildCache.isEnabled
)
Expand Down
85 changes: 63 additions & 22 deletions gcpbuildcache/src/main/kotlin/androidx/build/gradle/gcpbuildcache/GcpStorageService.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,12 +36,15 @@ internal class GcpStorageService(
private val projectId: String,
override val bucketName: String,
gcpCredentials: GcpCredentials,
messageOnAuthenticationFailure: String,
override val isPush: Boolean,
override val isEnabled: Boolean,
private val sizeThreshold: Long = BLOB_SIZE_THRESHOLD
) : StorageService {

private val storageOptions by lazy { storageOptions(projectId, gcpCredentials, isPush) }
private val storageOptions by lazy {
storageOptions(projectId, gcpCredentials, messageOnAuthenticationFailure, isPush)
}

override fun load(cacheKey: String): InputStream? {
if (!isEnabled) {
Expand Down Expand Up @@ -153,9 +156,14 @@ internal class GcpStorageService(
private fun storageOptions(
projectId: String,
gcpCredentials: GcpCredentials,
messageOnAuthenticationFailure: String,
isPushSupported: Boolean
): StorageOptions? {
val credentials = credentials(gcpCredentials, isPushSupported) ?: return null
val credentials = credentials(
gcpCredentials,
messageOnAuthenticationFailure,
isPushSupported
) ?: return null
val retrySettings = RetrySettings.newBuilder()
retrySettings.maxAttempts = 3
return StorageOptions.newBuilder().setCredentials(credentials)
Expand All @@ -165,8 +173,60 @@ internal class GcpStorageService(
.build()
}

private fun clearCachedDefaultCredentials() {
val field = GoogleCredentials::class.java.getDeclaredField("defaultCredentialsProvider")
field.isAccessible = true
val defaultCredentialsProvider = field.get(null)
println(defaultCredentialsProvider.toString() + " " + field.type.name)
val cachedCreds = field.type.getDeclaredField("cachedCredentials")
cachedCreds.isAccessible = true
cachedCreds.set(defaultCredentialsProvider, null)
}

private fun defaultApplicationGcpCredentials(
scopes: List<String>,
messageOnAuthenticationFailure: String,
forceClearCache: Boolean
): GoogleCredentials {
if (forceClearCache) clearCachedDefaultCredentials()
val credentials = GoogleCredentials.getApplicationDefault().createScoped(scopes)

try {
// If the credentials have expired,
// reauth is required by the user to be able to generate or refresh access token;
// Refreshing the access token here helps us to provide a useful error message to the user
// in case the credentials have expired
credentials.refreshIfExpired()
} catch (e: Exception) {
if (!forceClearCache) {
throw Exception(messageOnAuthenticationFailure)
} else {
return defaultApplicationGcpCredentials(
scopes,
messageOnAuthenticationFailure,
forceClearCache = true
)
}
}
val tokenService = TokenInfoService.tokenService()
val tokenInfoResponse = tokenService.tokenInfo(credentials.accessToken.tokenValue).execute()
if (!tokenInfoResponse.isSuccessful) {
if (!forceClearCache) {
throw Exception(messageOnAuthenticationFailure)
} else {
return defaultApplicationGcpCredentials(
scopes,
messageOnAuthenticationFailure,
forceClearCache = true
)
}
}
return credentials
}

private fun credentials(
gcpCredentials: GcpCredentials,
messageOnAuthenticationFailure: String,
isPushSupported: Boolean
): GoogleCredentials? {
val scopes = mutableListOf(
Expand All @@ -177,26 +237,7 @@ internal class GcpStorageService(
}
return when (gcpCredentials) {
is ApplicationDefaultGcpCredentials -> {
val credentials = GoogleCredentials.getApplicationDefault().createScoped(scopes)
try {
// If the credentials have expired,
// reauth is required by the user to be able to generate or refresh access token;
// Refreshing the access token here helps us to provide a useful error message to the user
// in case the credentials have expired
credentials.refreshIfExpired()
} catch (e: Exception) {
throw Exception("""
"Your GCP Credentials have expired.
Please regenerate credentials and try again.
""".trimIndent()
)
}
val tokenService = TokenInfoService.tokenService()
val tokenInfoResponse = tokenService.tokenInfo(credentials.accessToken.tokenValue).execute()
if(!tokenInfoResponse.isSuccessful) {
throw GradleException(tokenInfoResponse.errorBody().toString())
}
credentials
defaultApplicationGcpCredentials(scopes, messageOnAuthenticationFailure, forceClearCache = false)
}
is ExportedKeyGcpCredentials -> {
val contents = gcpCredentials.credentials.invoke()
Expand Down
6 changes: 6 additions & 0 deletions gcpbuildcache/src/test/kotlin/androidx/build/gradle/gcpbuildcache/GcpStorageServiceTest.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ class GcpStorageServiceTest {
projectId = PROJECT_ID,
bucketName = BUCKET_NAME,
gcpCredentials = ExportedKeyGcpCredentials(File(serviceAccountPath!!)),
messageOnAuthenticationFailure = "Please re-authenticate",
isPush = true,
isEnabled = true,
sizeThreshold = 0L
Expand All @@ -54,6 +55,7 @@ class GcpStorageServiceTest {
projectId = PROJECT_ID,
bucketName = BUCKET_NAME,
gcpCredentials = ExportedKeyGcpCredentials(File(serviceAccountPath!!)),
messageOnAuthenticationFailure = "Please re-authenticate",
isPush = true,
isEnabled = true,
sizeThreshold = 0L
Expand All @@ -77,6 +79,7 @@ class GcpStorageServiceTest {
projectId = PROJECT_ID,
bucketName = BUCKET_NAME,
gcpCredentials = ExportedKeyGcpCredentials(File(serviceAccountPath!!)),
messageOnAuthenticationFailure = "Please re-authenticate",
isPush = false,
isEnabled = true,
sizeThreshold = 0L
Expand All @@ -96,6 +99,7 @@ class GcpStorageServiceTest {
projectId = PROJECT_ID,
bucketName = BUCKET_NAME,
gcpCredentials = ExportedKeyGcpCredentials(File(serviceAccountPath!!)),
messageOnAuthenticationFailure = "Please re-authenticate",
isPush = true,
isEnabled = true,
sizeThreshold = 0L
Expand All @@ -104,6 +108,7 @@ class GcpStorageServiceTest {
projectId = PROJECT_ID,
bucketName = BUCKET_NAME,
gcpCredentials = ExportedKeyGcpCredentials(File(serviceAccountPath)),
messageOnAuthenticationFailure = "Please re-authenticate",
isPush = false,
isEnabled = true,
sizeThreshold = 0L
Expand All @@ -129,6 +134,7 @@ class GcpStorageServiceTest {
projectId = PROJECT_ID,
bucketName = BUCKET_NAME,
gcpCredentials = ExportedKeyGcpCredentials(File(serviceAccountPath!!)),
messageOnAuthenticationFailure = "Please re-authenticate",
isPush = true,
isEnabled = false,
sizeThreshold = 0L
Expand Down

0 comments on commit 884bfcb

Please sign in to comment.