[Fuchsia] Use luci-auth in ffx product to download smart display images

ffx product can use luci-auth to authorize the request to download
smart display images.
After this change, update_images.py can be removed.

Bug: b/286849798
Change-Id: I06303a3c6dfe152b4c4f4f558b566fc7fef12a9a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4944678
Commit-Queue: Zijie He <zijiehe@google.com>
Reviewed-by: David Song <wintermelons@google.com>
Cr-Commit-Position: refs/heads/main@{#1212906}

diff --git a/build/fuchsia/get_auth_token.py b/build/fuchsia/get_auth_token.py
new file mode 100755
index 0000000..8c293fb4
--- /dev/null
+++ b/build/fuchsia/get_auth_token.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env vpython3
+# Copyright 2023 The Chromium Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"""Print the default service account's auth token to stdout."""
+
+from __future__ import absolute_import
+import os
+import subprocess
+import sys
+
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__),
+                                             'test')))
+from common import DIR_SRC_ROOT
+
+sys.path.append(os.path.join(DIR_SRC_ROOT, 'build'))
+import find_depot_tools
+
+
+def main():
+  luci_auth = os.path.join(find_depot_tools.DEPOT_TOOLS_PATH, 'luci-auth')
+  proc = subprocess.run([luci_auth, 'token'], encoding='utf-8')
+  return proc.returncode
+
+
+if __name__ == '__main__':
+  sys.exit(main())

diff --git a/build/fuchsia/update_product_bundles.py b/build/fuchsia/update_product_bundles.py
index db0282985..5a2bdb6 100755
--- a/build/fuchsia/update_product_bundles.py
+++ b/build/fuchsia/update_product_bundles.py

@@ -120,6 +120,9 @@
       type=str,
       help='List of product bundles to download, represented as a comma '
       'separated list.')
+  parser.add_argument('--auth',
+                      action='store_true',
+                      help='Enable additional authorization for ffx product')
   args = parser.parse_args()
 
   logging.basicConfig(level=logging.DEBUG if args.verbose else logging.INFO)
@@ -133,6 +136,11 @@
   logging.debug('Getting new SDK hash')
   new_sdk_hash = common.get_hash_from_sdk()
 
+  auth_args = [
+      '--auth',
+      os.path.join(os.path.dirname(__file__), 'get_auth_token.py')
+  ] if args.auth else []
+
   for product in new_products:
     prod, board = product.split('.', 1)
     image_dir = os.path.join(common.IMAGES_ROOT, prod, board)
@@ -148,15 +156,15 @@
         base_url = update_sdk.GetSDKOverrideGCSPath().replace('/sdk', '')
       else:
         base_url = f'gs://fuchsia/development/{new_sdk_hash}'
-      download_url = common.run_ffx_command(cmd=('product', 'lookup', product,
-                                                 new_sdk_hash, '--base-url',
-                                                 base_url),
+      download_url = common.run_ffx_command(cmd=[
+          'product', 'lookup', product, new_sdk_hash, '--base-url', base_url
+      ] + auth_args,
                                             check=True,
                                             capture_output=True).stdout.strip()
       logging.info(f'Downloading {product} from {base_url}.')
-      common.run_ffx_command(cmd=('product', 'download', download_url,
-                                  image_dir),
-                             check=True)
+      common.run_ffx_command(
+          cmd=['product', 'download', download_url, image_dir] + auth_args,
+          check=True)
 
   return 0
 

diff --git a/build/fuchsia/update_product_bundles_test.py b/build/fuchsia/update_product_bundles_test.py
index 75bde88..13f664dc 100755
--- a/build/fuchsia/update_product_bundles_test.py
+++ b/build/fuchsia/update_product_bundles_test.py

@@ -97,6 +97,35 @@
                     check=True)
       ])
 
+  @mock.patch('common.get_hash_from_sdk', return_value='abc')
+  def testLookupAndDownloadWithAuth(self, get_hash_mock):
+    try:
+      common.get_host_os()
+    except:
+      # Ignore unsupported platforms. common.get_host_os used in
+      # update_product_bundles.main throws an unsupported exception.
+      return
+    auth_file = os.path.abspath(
+        os.path.join(os.path.dirname(__file__), 'get_auth_token.py'))
+    self._ffx_mock.return_value.stdout = 'http://download-url'
+    with mock.patch('sys.argv',
+                    ['update_product_bundles.py', 'terminal.x64', '--auth']):
+      update_product_bundles.main()
+    self._ffx_mock.assert_has_calls([
+        mock.call(cmd=[
+            'product', 'lookup', 'terminal.x64', 'abc', '--base-url',
+            'gs://fuchsia/development/abc', '--auth', auth_file
+        ],
+                  capture_output=True,
+                  check=True),
+        mock.call(cmd=[
+            'product', 'download', 'http://download-url',
+            os.path.join(common.IMAGES_ROOT, 'terminal', 'x64'), '--auth',
+            auth_file
+        ],
+                  check=True)
+    ])
+
 
 if __name__ == '__main__':
   unittest.main()