PSA: depot_tools is switching to OAuth2 to talk to Rietveld

[Vadim Shtayura]

tl;dr On Apr 19 "git cl ..." will ask you to run "depot-tools-auth login" once, to authenticate.

 

Currently depot_tools is using password based authentication method that will stop working on Apr 20. As a replacement, depot_tools now supports OAuth2 based authentication. It is currently hidden behind a flag, but will become the default method on Apr 19. See: crbug.com/356813.

To try it now:

(I encourage you to test it, to catch as many corner cases as possible before it is the default)

1) You can pass --oauth2 option to any depot_tools command that talks to Rietveld (e.g "git cl upload --oauth2") to use OAuth2 only for that command.

2) Alternatively you can drop empty USE_OAUTH2 file into depot_tools directory to enable OAuth2 by default (and then --no-oauth2 can be passed to individual commands to switch back to password auth). For Linux\Mac:

touch $(dirname `which gclient`)/USE_OAUTH2

What to expect:

When you run "git cl" for the first time there's no cached OAuth2 token and depot_tools will ask you to grab it by running "depot-tools-auth login <host>". "depot-tools-auth login <host>" will open a browser with the account chooser page and OAuth2 consent page where you can click "Accept". Once this flow is complete, depot_tools caches refresh token in ~/.depot_tools_oauth2_tokens and subsequent commands silently use it.

$ git cl upload

...

You are not logged in. Please login first by running:

  depot-tools-auth login https://codereview.chromium.org

$ depot-tools-auth login https://codereview.chromium.org

Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?...

If your browser is on a different machine then exit and re-run this application with the command-line parameter

  --auth-no-local-webserver

<Click "Accept" in the browser>

Logged in to https://codereview.chromium.org as vad...@chromium.org.

To login with a different email run:

  depot-tools-auth login https://codereview.chromium.org

To logout and purge the authentication token run:

  depot-tools-auth logout https://codereview.chromium.org

$ git cl upload

<works>

No more application-specific passwords :)

Known issues:

Rietveld has to be configured to accept depot_tools's OAuth client_id. So far only codereview.chromium.org and Google's internal instance have been configured. Let me know (in the bug) if you use depot_tools with some other instance of Rietveld. 

Thanks,

Vadim  // chrome-infrastructure-team

[Christian Biesinger]

Neat! Does this work on all of Linux/Win/Mac?

(I can't currently test on my Windows machine, but it does seem to
work on Linux. Yay!)

-christian

[Vadim Shtayura]

It should work everywhere where depot_tools works (though I tested on Windows only briefly).

[Vadim Shtayura]

Reminder: OAuth2 is now the default method.

Make sure to update your copy of depot_tools before running "git cl ...". Just running "gclient" without arguments should be enough to do this.

[Chris Hamilton]

Doh! This doesn't work with codereview.appspot.com and forces us to run things with command-line flags to disable oauth. Any plan of adding oauth support to codereview.appspot.com, or making the tool only default to oauth for codereview.chromium.org?

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

[Vadim Shtayura]

On Mon, Apr 20, 2015 at 2:21 PM, Chris Hamilton <chr...@chromium.org> wrote:

Doh! This doesn't work with codereview.appspot.com and forces us to run things with command-line flags to disable oauth.

I couldn't find an owner of this Rietveld instance... An owner should add depot_tools client_id to additional_client_ids here to make it work. +Jason Robbins who might know owners. There were also plans to migrate chromium-related projects off to codereview.chromium.org.

 

Any plan of adding oauth support to codereview.appspot.com, or making the tool only default to oauth for codereview.chromium.org?

Non OAuth2 login will stop working very soon per this scary red box. So making OAuth2 non-default isn't going to work for long...

 

--
You received this message because you are subscribed to the Google Groups "infra-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to infra-dev+...@chromium.org.
To post to this group, send email to infr...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/infra-dev/CAA2pCLectHkq55JkXSDHg-yfXq1YS2XQxaZNV%3DeG3hO6jyWTNw%40mail.gmail.com.

[Deepak]

I am getting the following error while running "depot-tools-auth login https://codereview.chromium.org" :

Traceback (most recent call last):
  File "/home/deepak/blink/depot_tools/depot-tools-auth.py", line 99, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/home/deepak/blink/depot_tools/depot-tools-auth.py", line 90, in main
    return dispatcher.execute(OptionParser(), argv)
  File "/home/deepak/blink/depot_tools/subcommand.py", line 252, in execute
    return command(parser, args[1:])
  File "/home/deepak/blink/depot_tools/depot-tools-auth.py", line 32, in CMDlogin
    authenticator.login()
  File "/home/deepak/blink/depot_tools/auth.py", line 260, in login
    force_refresh=True, allow_user_interaction=True)
  File "/home/deepak/blink/depot_tools/auth.py", line 311, in get_access_token
    self._access_token = self._create_access_token(allow_user_interaction)
  File "/home/deepak/blink/depot_tools/auth.py", line 490, in _create_access_token
    credentials = _run_oauth_dance(self._config)
  File "/home/deepak/blink/depot_tools/auth.py", line 636, in _run_oauth_dance
    return flow.step2_exchange(code)
  File "/home/deepak/blink/depot_tools/third_party/oauth2client/util.py", line 132, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/home/deepak/blink/depot_tools/third_party/oauth2client/client.py", line 1282, in step2_exchange
    headers=headers)
  File "/home/deepak/blink/depot_tools/third_party/httplib2/__init__.py", line 1593, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/home/deepak/blink/depot_tools/third_party/httplib2/__init__.py", line 1335, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/home/deepak/blink/depot_tools/third_party/httplib2/__init__.py", line 1257, in _conn_request
    conn.connect()
  File "/home/deepak/blink/depot_tools/third_party/httplib2/__init__.py", line 1044, in connect
    raise SSLHandshakeError(e)
third_party.httplib2.SSLHandshakeError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Thanks in advance!

[Chris Hamilton]

Simply switching to codereview.chromium.org seems reasonable to me. Thanks.

[James Robinson]

I'm not 100% sure this is related but I've noticed emails generated by 'git cl ...' such as 'git cl upload -s' or 'git cl land' now appear have a From: header of "re...@chromiumcodereview-hr.appspotmail.com" instead of (for me) "jam...@chromium.org".  Emails generated from rietveld have the expected From header.

- James

On Wed, Apr 15, 2015 at 2:53 PM, Vadim Shtayura <vad...@chromium.org> wrote:

[Vadim Shtayura]

Thanks for reporting. It is related. Filed http://crbug.com/479365. It's not clear now how to fix it, looks like a limitation (or rather lack of feature) of Appengine.

--
You received this message because you are subscribed to the Google Groups "infra-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to infra-dev+...@chromium.org.
To post to this group, send email to infr...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/infra-dev/CAD73mdLd43SaZLLJERK1v21h39f%2BqY38U3Ghe3n0UEbB8n-4Tw%40mail.gmail.com.

[Shreeram Kushwaha]

On executing this command 

depot-tools-auth login https://codereview.chromium.org

Browser is opened, I choose the account and clicked on accept. and got following message in that tab "The authentication flow has completed."

But on terminal I got this error

Traceback (most recent call last):

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/depot-tools-auth.py", line 99, in <module>

    sys.exit(main(sys.argv[1:]))

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/depot-tools-auth.py", line 90, in main

    return dispatcher.execute(OptionParser(), argv)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/subcommand.py", line 252, in execute

    return command(parser, args[1:])

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/depot-tools-auth.py", line 32, in CMDlogin

    authenticator.login()

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/auth.py", line 260, in login

    force_refresh=True, allow_user_interaction=True)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/auth.py", line 311, in get_access_token

    self._access_token = self._create_access_token(allow_user_interaction)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/auth.py", line 490, in _create_access_token

    credentials = _run_oauth_dance(self._config)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/auth.py", line 636, in _run_oauth_dance

    return flow.step2_exchange(code)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/third_party/oauth2client/util.py", line 132, in positional_wrapper

    return wrapped(*args, **kwargs)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/third_party/oauth2client/client.py", line 1282, in step2_exchange

    headers=headers)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/third_party/httplib2/__init__.py", line 1593, in request

    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/third_party/httplib2/__init__.py", line 1335, in _request

    (response, content) = self._conn_request(conn, request_uri, method, body, headers)

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/third_party/httplib2/__init__.py", line 1257, in _conn_request

    conn.connect()

  File "/home/shreeram.k/tizwork/codeSpace/openSource/depot_tools/third_party/httplib2/__init__.py", line 1060, in connect

    raise socket.error, msg

socket.error: [Errno 111] Connection refused

Please someone help.

-Shreeram

[Shreeram Kushwaha]

Due to some proxy issue on my system, it was not working for me. Now its working fine :) :) 

[Jorge Lucangeli Obes]

This seems to have broken the "my_activity.py" script, which is super convenient for snippets:

$ my_activity.py

Searching for activity by jorgelo

Using range 2015-05-11 00:00:00 to 2015-05-18 00:00:00

Found cookie file: /usr/local/google/home/jorgelo/.codereview_upload_cookies

No cookie found for the following Rietveld instances:

codereview.chromium.org

chromereviews.googleplex.com

codereview.appspot.com

breakpad.appspot.com

webrtc-codereview.appspot.com

Use --auth if you would like to authenticate to them.

Using password from system keyring.

HTTP Error 404: Not Found

Password for jor...@chromium.org:

Any idea if it's related, and if so, whether it can be fixed?

On Wed, Apr 15, 2015 at 2:53 PM, Vadim Shtayura <vad...@chromium.org> wrote:

--