Extend LUCI_CONTEXT["local_auth"] protocol to understand accounts.

common/auth/auth.go

 // Copyright 2015 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 // Package auth implements a wrapper around golang.org/x/oauth2.
 //
 // Its main improvement is the on-disk cache for OAuth tokens, which is
 // especially important for 3-legged interactive OAuth flows: its usage
 // eliminates annoying login prompts each time a program is used (because the
 // refresh token can now be reused). The cache also allows to reduce unnecessary
@@ skipping 327 matching lines @@
 // Invoked by Authenticator if AutoSelectMethod is passed as Method in Options.
 // It picks the first applicable method in this order:
 //   * ServiceAccountMethod (if the service account private key is configured).
 //   * LUCIContextMethod (if running inside LUCI_CONTEXT with an auth server).
 //   * GCEMetadataMethod (if running on GCE and GCEAllowAsDefault is true).
 //   * UserCredentialsMethod (if no other method applies).
 //
 // Beware: it may do relatively heavy calls on first usage (to detect GCE
 // environment). Fast after that.
 func SelectBestMethod(ctx context.Context, opts Options) Method {
-        switch {
-        case opts.ServiceAccountJSONPath != "" || len(opts.ServiceAccountJSON) != 0:
+        // Asked to use JSON private key.
+        if opts.ServiceAccountJSONPath != "" || len(opts.ServiceAccountJSON) != 0 {
                 if opts.ServiceAccountJSONPath == GCEServiceAccount {
                         return GCEMetadataMethod
                 }
                 return ServiceAccountMethod
-        case lucictx.GetLocalAuth(ctx) != nil:
+        }
+
+        // Have a local auth server and an account we are allowed to pick by default.
+        // If no default account is given, don't automatically pick up this method.
+        if la := lucictx.GetLocalAuth(ctx); la != nil && la.CanUseByDefault() {
                 return LUCIContextMethod
-        case opts.GCEAllowAsDefault && metadata.OnGCE():
+        }
+
+        // Running on GCE and callers are fine with automagically picking up GCE
+        // metadata server.
+        if opts.GCEAllowAsDefault && metadata.OnGCE() {
                 return GCEMetadataMethod
-        default:
-                return UserCredentialsMethod
         }
+
+        return UserCredentialsMethod
 }
 
 // AllowsArbitraryScopes returns true if given authenticator options allow
 // generating tokens for arbitrary set of scopes.
 //
 // For example, using a private key to sign assertions allows to mint tokens
 // for any set of scopes (since there's no restriction on what scopes we can
 // put into JWT to be signed).
 //
 // On other hand, using e.g GCE metadata server restricts us to use only scopes
@@ skipping 894 matching lines @@
 func makeIAMTokenProvider(ctx context.Context, opts *Options) (internal.TokenProvider, error) {
         if opts.testingIAMTokenProvider != nil {
                 return opts.testingIAMTokenProvider, nil
         }
         return internal.NewIAMTokenProvider(
                 ctx,
                 opts.ActAsServiceAccount,
                 opts.Scopes,
                 opts.Transport)
 }