Remove ADC cache from disk

We no longer need to cache ADC mechanism on disk and would instead
directly call the google oauth library for ADC checks (avoiding calling
gcloud which is what's problematic in Windows).

Tested: had a cached creds on disk, verified it was deleted with this
change. Also confirmed new cached creds weren't written out for ADC
mechanism.
Bug: b/303046311

Change-Id: I678aae4f29608938b583d8966acdba32a40c22bd
GitOrigin-RevId: 005709868f355d77b5880298f3a42cc38f6d1d62

internal/pkg/auth/auth.go

@@ -170,6 +170,11 @@ func MechanismFromFlags() (Mechanism, error) {
 	return Unknown, &Error{fmt.Errorf("couldn't determine auth mechanism from flags %v", vals), ExitCodeNoAuth}
 }
 
+// Cacheable returns true if this mechanism should be cached to disk
+func (m Mechanism) Cacheable() bool {
+	return false
+}
+
 func boolFlagVal(flagName string) (bool, error) {
 	if f := flag.Lookup(flagName); f != nil && f.Value.String() != "" {
 		b, err := strconv.ParseBool(f.Value.String())
@@ -217,6 +222,9 @@ func (c *Credentials) SaveToDisk() {
 	if c == nil {
 		return
 	}
+	if !c.m.Cacheable() {
+		return
+	}
 	cc := cachedCredentials{m: c.m, refreshExp: c.refreshExp}
 	if c.tokenSource != nil && c.refreshExp.IsZero() {
 		// Since c.tokenSource is always wrapped in a oauth2.ReuseTokenSourceWithExpiry

internal/pkg/auth/cache.go

@@ -60,6 +60,14 @@ func loadFromDisk(tf string) (cachedCredentials, error) {
 		token:      token,
 		refreshExp: TimeFromProto(cPb.GetRefreshExpiry()),
 	}
+	if !c.m.Cacheable() {
+		// Purge non cacheable credentials from disk.
+		if err := os.Remove(tf); err != nil {
+			log.Warningf("Unable to remove cached credentials file %q, err=%v", tf, err)
+		}
+		// TODO(b/2028466): Do not use the non-cacheable mechanism even for the
+		// current run.
+	}
 	log.Infof("Loaded cached credentials of type %v, expires at %v", c.m, exp)
 	return c, nil
 }

internal/pkg/auth/fakes/BUILD.bazel

@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "fakes",
+    srcs = ["fakeadc.go"],
+    importpath = "github.com/bazelbuild/reclient/internal/pkg/auth/fakes",
+    visibility = ["//:__subpackages__"],
+)

internal/pkg/auth/fakes/fakeadc.go

@@ -0,0 +1,44 @@
+package fakes
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+	"time"
+)
+
+// StartTokenValidationServer sets up a fake tokeninfo endpoint that responds with the given expiry for the given token.
+func StartTokenValidationServer(t *testing.T, exp time.Time, validToken string) string {
+	t.Helper()
+	fakeTokenServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/tokeninfo":
+			token := r.URL.Query().Get("access_token")
+			if token != validToken {
+				t.Errorf("Expected query param access_token=%s, got access_token=%s", validToken, token)
+			}
+			resp := map[string]interface{}{
+				"exp": strconv.FormatInt(exp.Unix(), 10),
+			}
+			w.WriteHeader(http.StatusOK)
+			json.NewEncoder(w).Encode(resp)
+		case "/token":
+			resp := map[string]interface{}{
+				"access_token":  "adcToken",
+				"expires_in":    3600,
+				"refresh_token": "refresh",
+				"scope":         "https://www.googleapis.com/auth/pubsub",
+				"token_type":    "Bearer",
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusOK)
+			json.NewEncoder(w).Encode(resp)
+		default:
+			t.Errorf("Unexpected request path, got '%s'", r.URL.Path)
+		}
+	}))
+	t.Cleanup(fakeTokenServer.Close)
+	return fakeTokenServer.URL
+}