remoteapis: special-case buildbuddy cloud to work without config file

tweag · Feb 24, 2025 · 8729082 · 8729082
1 parent e7fde45
commit 8729082
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 12 deletions.
diff --git a/authenticate/remoteapis/remoteapis.go b/authenticate/remoteapis/remoteapis.go
@@ -35,8 +35,13 @@ func (g *RemoteAPIs) CacheKey(req api.GetCredentialsRequest) string {
 }
 
 func (g *RemoteAPIs) SetupInstructionsForURI(ctx context.Context, uri string) string {
+	parsedURL, error := url.Parse(uri)
+	if error != nil {
+		parsedURL = &url.URL{}
+	}
+
 	var lookupChainInstructions string
-	cfg, err := configFromContext(ctx)
+	cfg, err := configFromContext(ctx, parsedURL)
 	if err == nil {
 		chain := lookupchain.New(cfg.LookupChain)
 		lookupChainInstructions = chain.SetupInstructions("default", "secret sent to remote APIs as an authentication token or basic auth credentials")
@@ -63,16 +68,6 @@ func (RemoteAPIs) Resolver(ctx context.Context) (api.Resolver, error) {
 //
 // https://github.com/EngFlow/credential-helper-spec/blob/main/spec.md#get
 func (g *RemoteAPIs) Get(ctx context.Context, req api.GetCredentialsRequest) (api.GetCredentialsResponse, error) {
-	cfg, err := configFromContext(ctx)
-	if err != nil {
-		return api.GetCredentialsResponse{}, fmt.Errorf("getting configuration fragment for remotapis helper and url %s: %w", req.URI, err)
-	}
-	chain := lookupchain.New(cfg.LookupChain)
-	secret, err := chain.Lookup("default")
-	if err != nil {
-		return api.GetCredentialsResponse{}, err
-	}
-
 	parsedURL, error := url.Parse(req.URI)
 	if error != nil {
 		return api.GetCredentialsResponse{}, error
@@ -111,6 +106,17 @@ func (g *RemoteAPIs) Get(ctx context.Context, req api.GetCredentialsRequest) (ap
 	case REMOTE_EXECUTION_V2_EXECUTION:
 	}
 
+	cfg, err := configFromContext(ctx, parsedURL)
+	if err != nil {
+		return api.GetCredentialsResponse{}, fmt.Errorf("getting configuration fragment for remotapis helper and url %s: %w", req.URI, err)
+	}
+
+	chain := lookupchain.New(cfg.LookupChain)
+	secret, err := chain.Lookup("default")
+	if err != nil {
+		return api.GetCredentialsResponse{}, err
+	}
+
 	headerName := cfg.HeaderName
 	secretEncoding := func(secret string) string {
 		// by default, the secret is directly used as a header value
@@ -160,7 +166,11 @@ type configFragment struct {
 	LookupChain lookupchain.Config `json:"lookup_chain"`
 }
 
-func configFromContext(ctx context.Context) (configFragment, error) {
+func configFromContext(ctx context.Context, uri *url.URL) (configFragment, error) {
+	if cfg, ok := wellKnownServices[uri.Host]; ok {
+		return cfg, nil
+	}
+
 	return helperconfig.FromContext(ctx, configFragment{
 		AuthMethod: "header",
 		LookupChain: lookupchain.Default([]lookupchain.Source{
@@ -177,3 +187,22 @@ func configFromContext(ctx context.Context) (configFragment, error) {
 		}),
 	})
 }
+
+var wellKnownServices = map[string]configFragment{
+	"remote.buildbuddy.io": {
+		AuthMethod: "header",
+		HeaderName: "x-buildbuddy-api-key",
+		LookupChain: lookupchain.Default([]lookupchain.Source{
+			&lookupchain.Env{
+				Source:  "env",
+				Name:    "BUILDBUDDY_API_KEY",
+				Binding: "default",
+			},
+			&lookupchain.Keyring{
+				Source:  "keyring",
+				Service: "tweag-credential-helper:buildbuddy_api_key",
+				Binding: "default",
+			},
+		}),
+	},
+}
diff --git a/helperfactory/fallback/BUILD.bazel b/helperfactory/fallback/BUILD.bazel
@@ -11,6 +11,7 @@ go_library(
         "//authenticate/github",
         "//authenticate/null",
         "//authenticate/oci",
+        "//authenticate/remoteapis",
         "//authenticate/s3",
         "//logging",
     ],

diff --git a/helperfactory/fallback/fallback_factory.go b/helperfactory/fallback/fallback_factory.go
@@ -9,6 +9,7 @@ import (
 	authenticateGitHub "github.com/tweag/credential-helper/authenticate/github"
 	authenticateNull "github.com/tweag/credential-helper/authenticate/null"
 	authenticateOCI "github.com/tweag/credential-helper/authenticate/oci"
+	authenticateRemoteAPIs "github.com/tweag/credential-helper/authenticate/remoteapis"
 	authenticateS3 "github.com/tweag/credential-helper/authenticate/s3"
 	"github.com/tweag/credential-helper/logging"
 )
@@ -33,6 +34,8 @@ func FallbackHelperFactory(rawURL string) (api.Helper, error) {
 		return authenticateGitHub.GitHubContainerRegistry(), nil
 	case strings.HasSuffix(strings.ToLower(u.Host), ".r2.cloudflarestorage.com") && !u.Query().Has("X-Amz-Expires"):
 		return &authenticateS3.R2{}, nil
+	case strings.EqualFold(u.Host, "remote.buildbuddy.io"):
+		return &authenticateRemoteAPIs.RemoteAPIs{}, nil
 	// container registries using the default OCI resolver
 	case strings.EqualFold(u.Host, "index.docker.io"):
 		fallthrough