[Fuchsia] Use luci-auth in ffx product to download smart display images
ffx product can use luci-auth to authorize the request to download
smart display images.
After this change, update_images.py can be removed.
Bug: b/286849798
Change-Id: I06303a3c6dfe152b4c4f4f558b566fc7fef12a9a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4944678
Commit-Queue: Zijie He <zijiehe@google.com>
Reviewed-by: David Song <wintermelons@google.com>
Cr-Commit-Position: refs/heads/main@{#1212906}
diff --git a/build/fuchsia/get_auth_token.py b/build/fuchsia/get_auth_token.py
new file mode 100755
index 0000000..8c293fb4
--- /dev/null
+++ b/build/fuchsia/get_auth_token.py
@@ -0,0 +1,27 @@
+#!/usr/bin/env vpython3
+# Copyright 2023 The Chromium Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"""Print the default service account's auth token to stdout."""
+
+from __future__ import absolute_import
+import os
+import subprocess
+import sys
+
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__),
+ 'test')))
+from common import DIR_SRC_ROOT
+
+sys.path.append(os.path.join(DIR_SRC_ROOT, 'build'))
+import find_depot_tools
+
+
+def main():
+ luci_auth = os.path.join(find_depot_tools.DEPOT_TOOLS_PATH, 'luci-auth')
+ proc = subprocess.run([luci_auth, 'token'], encoding='utf-8')
+ return proc.returncode
+
+
+if __name__ == '__main__':
+ sys.exit(main())
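Review bot: The module docstring should say that what gets printed is a live bearer credential, and that `main()` leaves stdout inherited, so running the script directly in a CI step or a logged shell writes the token into that log. I would extend it along the lines of `"""Print the default service account's auth token to stdout. Meant to be invoked by ffx through --auth; do not run it where stdout is recorded."""`. `encoding='utf-8'` on `subprocess.run` has no effect here because no stream is captured, so it can be dropped. Separately, `sys.path.append` puts the `test` and `build` directories last, so a module named `common` or `find_depot_tools` earlier on the path would be imported instead; worth confirming this matches how the sibling scripts resolve them.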
diff --git a/build/fuchsia/update_product_bundles.py b/build/fuchsia/update_product_bundles.py
index db0282985..5a2bdb6 100755
--- a/build/fuchsia/update_product_bundles.py
+++ b/build/fuchsia/update_product_bundles.py
@@ -120,6 +120,9 @@
type=str,
help='List of product bundles to download, represented as a comma '
'separated list.')
+ parser.add_argument('--auth',
+ action='store_true',
+ help='Enable additional authorization for ffx product')
args = parser.parse_args()
logging.basicConfig(level=logging.DEBUG if args.verbose else logging.INFO)
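Review bot: The help text for `--auth` does not say which credential is used or where it comes from, which is what an operator deciding whether to set the flag on a bot needs to know. Something like `help='Authorize ffx product requests with a luci-auth token obtained via get_auth_token.py'` would make the dependency on depot_tools' luci-auth and a logged-in account visible. The argument parser setup starts outside this hunk.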
@@ -133,6 +136,11 @@
logging.debug('Getting new SDK hash')
new_sdk_hash = common.get_hash_from_sdk()
+ auth_args = [
+ '--auth',
+ os.path.join(os.path.dirname(__file__), 'get_auth_token.py')
+ ] if args.auth else []
+
for product in new_products:
prod, board = product.split('.', 1)
image_dir = os.path.join(common.IMAGES_ROOT, prod, board)
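Review bot: The helper path in `auth_args` is built from `os.path.dirname(__file__)` without `os.path.abspath`, while the new test expects the absolute form. When the script is run by a relative path on an interpreter that leaves `__file__` relative for `__main__`, ffx would receive a relative path to an executable credential helper and resolve it against whatever working directory it runs in. Normalising it removes that ambiguity: `os.path.abspath(os.path.join(os.path.dirname(__file__), 'get_auth_token.py'))`. It may also be worth failing early with a clear message if that file is missing, since the enclosing `main()` (which starts outside this hunk) otherwise only finds out when ffx tries to run it.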
@@ -148,15 +156,15 @@
base_url = update_sdk.GetSDKOverrideGCSPath().replace('/sdk', '')
else:
base_url = f'gs://fuchsia/development/{new_sdk_hash}'
- download_url = common.run_ffx_command(cmd=('product', 'lookup', product,
- new_sdk_hash, '--base-url',
- base_url),
+ download_url = common.run_ffx_command(cmd=[
+ 'product', 'lookup', product, new_sdk_hash, '--base-url', base_url
+ ] + auth_args,
check=True,
capture_output=True).stdout.strip()
logging.info(f'Downloading {product} from {base_url}.')
- common.run_ffx_command(cmd=('product', 'download', download_url,
- image_dir),
- check=True)
+ common.run_ffx_command(
+ cmd=['product', 'download', download_url, image_dir] + auth_args,
+ check=True)
return 0
diff --git a/build/fuchsia/update_product_bundles_test.py b/build/fuchsia/update_product_bundles_test.py
index 75bde88..13f664dc 100755
--- a/build/fuchsia/update_product_bundles_test.py
+++ b/build/fuchsia/update_product_bundles_test.py
@@ -97,6 +97,35 @@
check=True)
])
+ @mock.patch('common.get_hash_from_sdk', return_value='abc')
+ def testLookupAndDownloadWithAuth(self, get_hash_mock):
+ try:
+ common.get_host_os()
+ except:
+ # Ignore unsupported platforms. common.get_host_os used in
+ # update_product_bundles.main throws an unsupported exception.
+ return
+ auth_file = os.path.abspath(
+ os.path.join(os.path.dirname(__file__), 'get_auth_token.py'))
+ self._ffx_mock.return_value.stdout = 'http://download-url'
+ with mock.patch('sys.argv',
+ ['update_product_bundles.py', 'terminal.x64', '--auth']):
+ update_product_bundles.main()
+ self._ffx_mock.assert_has_calls([
+ mock.call(cmd=[
+ 'product', 'lookup', 'terminal.x64', 'abc', '--base-url',
+ 'gs://fuchsia/development/abc', '--auth', auth_file
+ ],
+ capture_output=True,
+ check=True),
+ mock.call(cmd=[
+ 'product', 'download', 'http://download-url',
+ os.path.join(common.IMAGES_ROOT, 'terminal', 'x64'), '--auth',
+ auth_file
+ ],
+ check=True)
+ ])
+
if __name__ == '__main__':
unittest.main()
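Review bot: The bare `except:` at the top of `testLookupAndDownloadWithAuth` turns any failure of `common.get_host_os()` into a silent pass, including `KeyboardInterrupt` and `SystemExit`, so the only coverage of the auth path can disappear without trace on a misconfigured bot. Narrowing it to `except Exception:` and replacing the bare `return` with `self.skipTest('unsupported host platform')` keeps the intent and makes the skip show up in the test report. If the neighbouring tests use the same pattern, it would be worth changing them together; the test class itself starts outside this hunk.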