Re-add support for getting credentials from gcloud for older versions of gcloud.

lukecwik · davorbonaci · commit 5a11734d638b · 2015-02-11T15:19:19.000-08:00
[] ------------- Created by MOE: http://code.google.com/p/moe-java MOE_MIGRATED_REVID=86122002
diff --git a/sdk/src/main/java/com/google/cloud/dataflow/sdk/options/GcpOptions.java b/sdk/src/main/java/com/google/cloud/dataflow/sdk/options/GcpOptions.java
@@ -96,6 +96,11 @@ public interface GcpOptions extends GoogleApiDebugOptions, PipelineOptions {
   String getServiceAccountName();
   void setServiceAccountName(String value);
 
+  @Description("The path to the gcloud binary. "
+      + " Default is to search the system path.")
+  String getGCloudPath();
+  void setGCloudPath(String value);
+
   /**
    * Directory for storing dataflow credentials.
    */
diff --git a/sdk/src/main/java/com/google/cloud/dataflow/sdk/util/Credentials.java b/sdk/src/main/java/com/google/cloud/dataflow/sdk/util/Credentials.java
@@ -28,6 +28,7 @@
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.jackson2.JacksonFactory;
 import com.google.api.client.util.Preconditions;
+import com.google.api.client.util.Strings;
 import com.google.api.client.util.store.FileDataStoreFactory;
 import com.google.cloud.dataflow.sdk.options.GcpOptions;
 
@@ -49,15 +50,14 @@ public class Credentials {
 
   private static final Logger LOG = LoggerFactory.getLogger(Credentials.class);
 
-  /**
-   * OAuth 2.0 scopes used by a local worker (not on GCE).
-   * The scope cloud-platform provides access to all Cloud Platform resources.
-   * cloud-platform isn't sufficient yet for talking to datastore so we request
-   * those resources separately.
-   * <p>
-   * Note that trusted scope relationships don't apply to OAuth tokens, so for
-   * services we access directly (GCS) as opposed to through the backend
-   * (BigQuery, GCE), we need to explicitly request that scope.
+  /** OAuth 2.0 scopes used by a local worker (not on GCE).
+   *  The scope cloud-platform provides access to all Cloud Platform resources.
+   *  cloud-platform isn't sufficient yet for talking to datastore so we request
+   *  those resources separately.
+   *
+   *  Note that trusted scope relationships don't apply to OAuth tokens, so for
+   *  services we access directly (GCS) as opposed to through the backend
+   *  (BigQuery, GCE), we need to explicitly request that scope.
    */
   private static final List<String> SCOPES = Arrays.asList(
       "https://www.googleapis.com/auth/cloud-platform",
@@ -74,15 +74,20 @@ public String getRedirectUri() {
 
   /**
    * Initializes OAuth2 credentials.
-   * <p>
-   * This can use 3 different mechanisms for obtaining a credential:
+   *
+   * This can use 4 different mechanisms for obtaining a credential:
    * <ol>
    *   <li>
    *     It can fetch the
    *     <a href="https://developers.google.com/accounts/docs/application-default-credentials">
    *     application default credentials</a>.
    *   </li>
    *   <li>
+   *     It can run the gcloud tool in a subprocess to obtain a credential.
+   *     This is the preferred mechanism.  The property "gcloud_path" can be
+   *     used to specify where we search for gcloud data.
+   *   </li>
+   *   <li>
    *     The user can specify a client secrets file and go through the OAuth2
    *     webflow. The credential will then be cached in the user's home
    *     directory for reuse. Provide the property "secrets_file" to use this
@@ -96,8 +101,8 @@ public String getRedirectUri() {
    * </ol>
    * The default mechanism is to use the
    * <a href="https://developers.google.com/accounts/docs/application-default-credentials">
-   * application default credentials</a>. The other options can be used by providing the
-   * corresponding properties.
+   * application default credentials</a> falling back to gcloud. The other options can be
+   * used by providing the corresponding properties.
    */
   public static Credential getCredential(GcpOptions options)
       throws IOException, GeneralSecurityException {
@@ -119,12 +124,11 @@ public static Credential getCredential(GcpOptions options)
     try {
       return GoogleCredential.getApplicationDefault().createScoped(SCOPES);
     } catch (IOException e) {
-      throw new RuntimeException("Unable to get application default credentials. Please see "
-          + "https://developers.google.com/accounts/docs/application-default-credentials "
-          + "for details on how to specify credentials. This version of the SDK is "
-          + "dependent on the gcloud core component version 2015.02.05 or newer to "
-          + "be able to get credentials from the currently authorized user via gcloud auth.", e);
+      LOG.debug("Failed to get application default credentials, falling back to gcloud.");
     }
+
+    String gcloudPath = options.getGCloudPath();
+    return getCredentialFromGCloud(gcloudPath);
   }
 
   /**
@@ -145,6 +149,29 @@ private static Credential getCredentialFromFile(
     return credential;
   }
 
+  /**
+   * Loads OAuth2 credential from GCloud utility.
+   */
+  private static Credential getCredentialFromGCloud(String gcloudPath)
+      throws IOException, GeneralSecurityException {
+    GCloudCredential credential;
+    HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
+    if (Strings.isNullOrEmpty(gcloudPath)) {
+      credential = new GCloudCredential(transport);
+    } else {
+      credential = new GCloudCredential(gcloudPath, transport);
+    }
+
+    try {
+      credential.refreshToken();
+    } catch (IOException e) {
+      throw new RuntimeException("Could not obtain credential using gcloud", e);
+    }
+
+    LOG.info("Got user credential from GCloud");
+    return credential;
+  }
+
   /**
    * Loads OAuth2 credential from client secrets, which may require an
    * interactive authorization prompt.
diff --git a/sdk/src/main/java/com/google/cloud/dataflow/sdk/util/GCloudCredential.java b/sdk/src/main/java/com/google/cloud/dataflow/sdk/util/GCloudCredential.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2014 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.cloud.dataflow.sdk.util;
+
+import com.google.api.client.auth.oauth2.BearerToken;
+import com.google.api.client.auth.oauth2.Credential;
+import com.google.api.client.auth.oauth2.TokenResponse;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.util.IOUtils;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Arrays;
+
+/**
+ * A credential object which uses the GCloud command line tool to get
+ * an access token.
+ */
+public class GCloudCredential extends Credential {
+  private static final String DEFAULT_GCLOUD_BINARY = "gcloud";
+  private final String binary;
+
+  public GCloudCredential(HttpTransport transport) {
+    this(DEFAULT_GCLOUD_BINARY, transport);
+  }
+
+  /**
+   * Path to the GCloud binary.
+   */
+  public GCloudCredential(String binary, HttpTransport transport) {
+    super(new Builder(BearerToken.authorizationHeaderAccessMethod())
+        .setTransport(transport));
+
+    this.binary = binary;
+  }
+
+  private String readStream(InputStream stream) throws IOException {
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    IOUtils.copy(stream, baos);
+    return baos.toString("UTF-8");
+  }
+
+  @Override
+  protected TokenResponse executeRefreshToken() throws IOException {
+    TokenResponse response = new TokenResponse();
+
+    ProcessBuilder builder = new ProcessBuilder();
+    // ProcessBuilder will search the path automatically for the binary
+    // GCLOUD_BINARY.
+    builder.command(Arrays.asList(binary, "auth", "print-access-token"));
+    Process process = builder.start();
+
+    try {
+      process.waitFor();
+    } catch (InterruptedException e) {
+      throw new RuntimeException(
+          "Could not obtain an access token using gcloud; timed out waiting " +
+          "for gcloud.");
+    }
+
+    if (process.exitValue() != 0) {
+      String output;
+      try {
+        output = readStream(process.getErrorStream());
+      } catch (IOException e) {
+        throw new RuntimeException(
+            "Could not obtain an access token using gcloud.");
+      }
+
+      throw new RuntimeException(
+          "Could not obtain an access token using gcloud. Result of " +
+          "invoking gcloud was:\n" + output);
+    }
+
+    String output;
+    try {
+      output = readStream(process.getInputStream());
+    } catch (IOException e) {
+      throw new RuntimeException(
+          "Could not obtain an access token using gcloud. We encountered an " +
+          "an error trying to read stdout.", e);
+    }
+    String[] lines = output.split("\n");
+
+    if (lines.length != 1) {
+      throw new RuntimeException(
+          "Could not obtain an access token using gcloud. Result of " +
+          "invoking gcloud was:\n" + output);
+    }
+
+    // Access token should be good for 5 minutes.
+    Long expiresInSeconds = 5L * 60;
+    response.setExpiresInSeconds(expiresInSeconds);
+    response.setAccessToken(output.trim());
+
+    return response;
+  }
+}
