builder().add(path.getPathString()).add(args).build())
+ .setWorkingDirectory(environment.getWorkspacePath().getPathFile())
+ .setEnv(environment.getClientEnvironment())
+ .setTimeoutMillis(environment.getHelperExecutionTimeout().toMillis())
+ .start();
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (o instanceof CredentialHelper) {
+ CredentialHelper that = (CredentialHelper) o;
+ return Objects.equals(this.getPath(), that.getPath());
+ }
+
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hashCode(getPath());
+ }
}
diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelperEnvironment.java b/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelperEnvironment.java
new file mode 100644
index 00000000000000..e2ae01c190b3da
--- /dev/null
+++ b/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelperEnvironment.java
@@ -0,0 +1,75 @@
+// Copyright 2022 The Bazel Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.devtools.build.lib.authandtls.credentialhelper;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableMap;
+import com.google.devtools.build.lib.events.Reporter;
+import com.google.devtools.build.lib.vfs.Path;
+import java.time.Duration;
+
+/** Environment for running {@link CredentialHelper}s in. */
+@AutoValue
+public abstract class CredentialHelperEnvironment {
+ /** Returns the reporter for reporting events related to {@link CredentialHelper}s. */
+ public abstract Reporter getEventReporter();
+
+ /**
+ * Returns the (absolute) path to the workspace.
+ *
+ * Used as working directory when invoking the subprocess.
+ */
+ public abstract Path getWorkspacePath();
+
+ /**
+ * Returns the environment from the Bazel client.
+ *
+ *
Passed as environment variables to the subprocess.
+ */
+ public abstract ImmutableMap getClientEnvironment();
+
+ /** Returns the execution timeout for the helper subprocess. */
+ public abstract Duration getHelperExecutionTimeout();
+
+ /** Returns a new builder for {@link CredentialHelperEnvironment}. */
+ public static CredentialHelperEnvironment.Builder newBuilder() {
+ return new AutoValue_CredentialHelperEnvironment.Builder();
+ }
+
+ /** Builder for {@link CredentialHelperEnvironment}. */
+ @AutoValue.Builder
+ public abstract static class Builder {
+ /** Sets the reporter for reporting events related to {@link CredentialHelper}s. */
+ public abstract Builder setEventReporter(Reporter reporter);
+
+ /**
+ * Sets the (absolute) path to the workspace to use as working directory when invoking the
+ * subprocess.
+ */
+ public abstract Builder setWorkspacePath(Path path);
+
+ /**
+ * Sets the environment from the Bazel client to pass as environment variables to the
+ * subprocess.
+ */
+ public abstract Builder setClientEnvironment(ImmutableMap environment);
+
+ /** Sets the execution timeout for the helper subprocess. */
+ public abstract Builder setHelperExecutionTimeout(Duration timeout);
+
+ /** Returns the newly constructed {@link CredentialHelperEnvironment}. */
+ public abstract CredentialHelperEnvironment build();
+ }
+}
diff --git a/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/GetCredentialsResponse.java b/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/GetCredentialsResponse.java
index 72f25cf4ddf196..6d450e001fb682 100644
--- a/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/GetCredentialsResponse.java
+++ b/src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper/GetCredentialsResponse.java
@@ -50,7 +50,7 @@ public static Builder newBuilder() {
/** Builder for {@link GetCredentialsResponse}. */
@AutoValue.Builder
public abstract static class Builder {
- protected abstract ImmutableMap.Builder> headersBuilder();
+ public abstract ImmutableMap.Builder> headersBuilder();
/** Returns the newly constructed {@link GetCredentialsResponse}. */
public abstract GetCredentialsResponse build();
diff --git a/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/BUILD b/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/BUILD
index 95b3ee4483cdc9..024763f7c1dd63 100644
--- a/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/BUILD
+++ b/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/BUILD
@@ -17,12 +17,17 @@ filegroup(
java_test(
name = "credentialhelper",
srcs = glob(["*.java"]),
+ data = [
+ ":test_credential_helper",
+ ],
test_class = "com.google.devtools.build.lib.AllTests",
runtime_deps = [
"//src/test/java/com/google/devtools/build/lib:test_runner",
],
deps = [
"//src/main/java/com/google/devtools/build/lib/authandtls/credentialhelper",
+ "//src/main/java/com/google/devtools/build/lib/events",
+ "//src/main/java/com/google/devtools/build/lib/util:os",
"//src/main/java/com/google/devtools/build/lib/vfs",
"//src/main/java/com/google/devtools/build/lib/vfs:pathfragment",
"//src/main/java/com/google/devtools/build/lib/vfs/inmemoryfs",
@@ -30,5 +35,11 @@ java_test(
"//third_party:guava",
"//third_party:junit4",
"//third_party:truth",
+ "@bazel_tools//tools/java/runfiles",
],
)
+
+py_binary(
+ name = "test_credential_helper",
+ srcs = ["test_credential_helper.py"],
+)
diff --git a/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelperTest.java b/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelperTest.java
new file mode 100644
index 00000000000000..4aeb4595b084d0
--- /dev/null
+++ b/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/CredentialHelperTest.java
@@ -0,0 +1,143 @@
+// Copyright 2022 The Bazel Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.devtools.build.lib.authandtls.credentialhelper;
+
+import static com.google.common.truth.Truth.assertThat;
+import static org.junit.Assert.assertThrows;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.eventbus.EventBus;
+import com.google.devtools.build.lib.events.Reporter;
+import com.google.devtools.build.lib.util.OS;
+import com.google.devtools.build.lib.vfs.DigestHashFunction;
+import com.google.devtools.build.lib.vfs.FileSystem;
+import com.google.devtools.build.lib.vfs.PathFragment;
+import com.google.devtools.build.lib.vfs.inmemoryfs.InMemoryFileSystem;
+import com.google.devtools.build.runfiles.Runfiles;
+import java.io.IOException;
+import java.net.URI;
+import java.time.Duration;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+@RunWith(JUnit4.class)
+public class CredentialHelperTest {
+ private static final PathFragment TEST_WORKSPACE_PATH =
+ PathFragment.create(System.getenv("TEST_TMPDIR"));
+ private static final PathFragment TEST_CREDENTIAL_HELPER_PATH =
+ PathFragment.create(
+ "io_bazel/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/test_credential_helper"
+ + (OS.getCurrent() == OS.WINDOWS ? ".exe" : ""));
+
+ private static final Reporter reporter = new Reporter(new EventBus());
+
+ private GetCredentialsResponse getCredentialsFromHelper(
+ String uri, ImmutableMap env) throws Exception {
+ Preconditions.checkNotNull(uri);
+ Preconditions.checkNotNull(env);
+
+ FileSystem fs = new InMemoryFileSystem(DigestHashFunction.SHA256);
+
+ CredentialHelper credentialHelper =
+ new CredentialHelper(
+ fs.getPath(
+ Runfiles.create().rlocation(TEST_CREDENTIAL_HELPER_PATH.getSafePathString())));
+ return credentialHelper.getCredentials(
+ CredentialHelperEnvironment.newBuilder()
+ .setEventReporter(reporter)
+ .setWorkspacePath(fs.getPath(TEST_WORKSPACE_PATH))
+ .setClientEnvironment(env)
+ .setHelperExecutionTimeout(Duration.ofSeconds(5))
+ .build(),
+ URI.create(uri));
+ }
+
+ private GetCredentialsResponse getCredentialsFromHelper(String uri) throws Exception {
+ Preconditions.checkNotNull(uri);
+
+ return getCredentialsFromHelper(uri, ImmutableMap.of());
+ }
+
+ @Test
+ public void knownUriWithSingleHeader() throws Exception {
+ GetCredentialsResponse response = getCredentialsFromHelper("https://singleheader.example.com");
+ assertThat(response.getHeaders()).containsExactly("header1", ImmutableList.of("value1"));
+ }
+
+ @Test
+ public void knownUriWithMultipleHeaders() throws Exception {
+ GetCredentialsResponse response =
+ getCredentialsFromHelper("https://multipleheaders.example.com");
+ assertThat(response.getHeaders())
+ .containsExactly(
+ "header1",
+ ImmutableList.of("value1"),
+ "header2",
+ ImmutableList.of("value1", "value2"),
+ "header3",
+ ImmutableList.of("value1", "value2", "value3"));
+ }
+
+ @Test
+ public void unknownUri() {
+ IOException ioException =
+ assertThrows(
+ IOException.class, () -> getCredentialsFromHelper("https://unknown.example.com"));
+ assertThat(ioException).hasMessageThat().contains("Unknown uri 'https://unknown.example.com'");
+ }
+
+ @Test
+ public void credentialHelperOutputsNothing() throws Exception {
+ IOException ioException =
+ assertThrows(
+ IOException.class, () -> getCredentialsFromHelper("https://printnothing.example.com"));
+ assertThat(ioException).hasMessageThat().contains("exited without output");
+ }
+
+ @Test
+ public void credentialHelperOutputsExtraFields() throws Exception {
+ GetCredentialsResponse response = getCredentialsFromHelper("https://extrafields.example.com");
+ assertThat(response.getHeaders()).containsExactly("header1", ImmutableList.of("value1"));
+ }
+
+ @Test
+ public void helperRunsInWorkspace() throws Exception {
+ GetCredentialsResponse response = getCredentialsFromHelper("https://cwd.example.com");
+ ImmutableMap> headers = response.getHeaders();
+ assertThat(PathFragment.create(headers.get("cwd").get(0))).isEqualTo(TEST_WORKSPACE_PATH);
+ }
+
+ @Test
+ public void helperGetEnvironment() throws Exception {
+ GetCredentialsResponse response =
+ getCredentialsFromHelper(
+ "https://env.example.com", ImmutableMap.of("FOO", "BAR!", "BAR", "123"));
+ assertThat(response.getHeaders())
+ .containsExactly(
+ "foo", ImmutableList.of("BAR!"),
+ "bar", ImmutableList.of("123"));
+ }
+
+ @Test
+ public void helperTimeout() throws Exception {
+ IOException ioException =
+ assertThrows(
+ IOException.class, () -> getCredentialsFromHelper("https://timeout.example.com"));
+ assertThat(ioException).hasMessageThat().contains("process timed out");
+ }
+}
diff --git a/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/test_credential_helper.py b/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/test_credential_helper.py
new file mode 100644
index 00000000000000..c21fd7b22524e6
--- /dev/null
+++ b/src/test/java/com/google/devtools/build/lib/authandtls/credentialhelper/test_credential_helper.py
@@ -0,0 +1,92 @@
+# Copyright 2022 The Bazel Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Credential helper for testing."""
+
+import json
+import os
+import sys
+import time
+
+
+def eprint(*args, **kargs):
+ print(*args, file=sys.stderr, **kargs)
+
+
+def main(argv):
+ if len(argv) != 2:
+ eprint("Usage: test_credential_helper ")
+ return 1
+
+ if argv[1] != "get":
+ eprint("Unknown command '{}'".format(argv[1]))
+ return 1
+
+ request = json.load(sys.stdin)
+ if request["uri"] == "https://singleheader.example.com":
+ response = {
+ "headers": {
+ "header1": ["value1"],
+ },
+ }
+ elif request["uri"] == "https://multipleheaders.example.com":
+ response = {
+ "headers": {
+ "header1": ["value1"],
+ "header2": ["value1", "value2"],
+ "header3": ["value1", "value2", "value3"],
+ },
+ }
+ elif request["uri"] == "https://extrafields.example.com":
+ response = {
+ "foo": "YES",
+ "headers": {
+ "header1": ["value1"],
+ },
+ "umlaut": [
+ "ß",
+ "å",
+ ],
+ }
+ elif request["uri"] == "https://printnothing.example.com":
+ return 0
+ elif request["uri"] == "https://cwd.example.com":
+ response = {
+ "headers": {
+ "cwd": [os.getcwd()],
+ },
+ }
+ elif request["uri"] == "https://env.example.com":
+ response = {
+ "headers": {
+ "foo": [os.getenv("FOO")],
+ "bar": [os.getenv("BAR")],
+ },
+ }
+ elif request["uri"] == "https://timeout.example.com":
+ # We expect the subprocess to be killed after 5s.
+ time.sleep(10)
+ response = {
+ "headers": {
+ "header1": ["value1"],
+ },
+ }
+ else:
+ eprint("Unknown uri '{}'".format(request["uri"]))
+ return 1
+ json.dump(response, sys.stdout)
+ return 0
+
+
+if __name__ == "__main__":
+ sys.exit(main(sys.argv))