cmd/gomote, internal/iapclient: add a gomote login command

This change adds a gomote login subcommand. There is currently an
issue where gomote users have their authentication token invalidated.
They are unable to log into the gomote service. The only way to
create a new authentication token is to manually delete the
authentication token from the file system and attempt another command.
This change adds a login subcommand which removes any existing
authentication token and initiates the authentication workflow.
Investigation into why we can't detect invalid tokens will continue
after this CL has been submitted. The login command also authenticates
with the LUCI service.

For golang/go#68612

Change-Id: Ib0c14546e919648ffd76a1021154134184bc18e3
Reviewed-on: https://go-review.googlesource.com/c/build/+/601796
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Carlos Amedee <[email protected]>

Author: cagedmantis

cmd/gomote/gomote.go

@@ -27,6 +27,7 @@ To list the subcommands, run "gomote" without arguments:
 	  destroy    destroy a buildlet
 	  gettar     extract a tar.gz from a buildlet
 	  list       list active buildlets
+	  login      create authentication credentials for the gomote services
 	  ls         list the contents of a directory on a buildlet
 	  ping       test whether a buildlet is alive and reachable
 	  push       sync your GOROOT directory to the buildlet
@@ -215,8 +216,9 @@ func registerCommands() {
 	registerCommand("destroy", "destroy a buildlet", destroy)
 	registerCommand("gettar", "extract a tar.gz from a buildlet", getTar)
 	registerCommand("group", "manage groups of instances", group)
-	registerCommand("ls", "list the contents of a directory on a buildlet", ls)
 	registerCommand("list", "list active buildlets", list)
+	registerCommand("login", "authenticate with the gomote service", login)
+	registerCommand("ls", "list the contents of a directory on a buildlet", ls)
 	registerCommand("ping", "test whether a buildlet is alive and reachable ", ping)
 	registerCommand("push", "sync your GOROOT directory to the buildlet", push)
 	registerCommand("put", "put files on a buildlet", put)

cmd/gomote/login.go

@@ -0,0 +1,41 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"time"
+
+	"golang.org/x/build/internal/iapclient"
+)
+
+// login triggers the authentication workflow for the gomote service and
+// LUCI.
+func login(args []string) error {
+	fs := flag.NewFlagSet("login", flag.ContinueOnError)
+	fs.Usage = func() {
+		fmt.Fprintln(os.Stderr, "login usage: gomote login")
+		fmt.Fprintln(os.Stderr)
+		fs.PrintDefaults()
+		os.Exit(1)
+	}
+	fs.Parse(args)
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+	log.Print("Authenticating with the gomote service.")
+	if _, err := iapclient.TokenSourceForceLogin(ctx); err != nil {
+		fmt.Fprintf(os.Stderr, "unable to authenticate into gomoteserver: %s\n", err)
+	}
+	auth := createLUCIAuthenticator(ctx)
+	log.Print("Authenticating with the LUCI service.")
+	if err := auth.Login(); err != nil {
+		fmt.Fprintf(os.Stderr, "unable to authenticate into LUCI: %s\n", err)
+	}
+	return nil
+}

internal/iapclient/iapclient.go

@@ -103,6 +103,11 @@ type codeResponse struct {
 	VerificationURL string `json:"verification_url"`
 }
 
+const (
+	configSubDir = "gomote"
+	tokenFile    = "iap-refresh-tv-token"
+)
+
 func writeToken(refresh *oauth2.Token) error {
 	configDir, err := os.UserConfigDir()
 	if err != nil {
@@ -112,19 +117,30 @@ func writeToken(refresh *oauth2.Token) error {
 	if err != nil {
 		return err
 	}
-	err = os.MkdirAll(filepath.Join(configDir, "gomote"), 0755)
+	err = os.MkdirAll(filepath.Join(configDir, configSubDir), 0755)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(filepath.Join(configDir, configSubDir, tokenFile), refreshBytes, 0600)
+}
+
+func removeToken() error {
+	configDir, err := os.UserConfigDir()
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(configDir, "gomote/iap-refresh-tv-token"), refreshBytes, 0600)
+	if err := os.Remove(filepath.Join(configDir, configSubDir, tokenFile)); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+	return nil
 }
 
 func cachedToken() (*oauth2.Token, error) {
 	configDir, err := os.UserConfigDir()
 	if err != nil {
 		return nil, err
 	}
-	refreshBytes, err := os.ReadFile(filepath.Join(configDir, "gomote/iap-refresh-tv-token"))
+	refreshBytes, err := os.ReadFile(filepath.Join(configDir, configSubDir, tokenFile))
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil, nil
@@ -141,6 +157,16 @@ func cachedToken() (*oauth2.Token, error) {
 	return &refreshToken, nil
 }
 
+// TokenSource returns a TokenSource that can be used to access Go's
+// IAP-protected sites. It will delete any existing authentication token
+// credentials and prompt for login.
+func TokenSourceForceLogin(ctx context.Context) (oauth2.TokenSource, error) {
+	if err := removeToken(); err != nil {
+		return nil, fmt.Errorf("failed to delete existing token file: %s", err)
+	}
+	return TokenSource(ctx)
+}
+
 // TokenSource returns a TokenSource that can be used to access Go's
 // IAP-protected sites. It will prompt for login if necessary.
 func TokenSource(ctx context.Context) (oauth2.TokenSource, error) {