Extend LUCI_CONTEXT["local_auth"] protocol to understand accounts.

common/auth/internal/luci_ctx.go

 // Copyright 2017 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 package internal
 
 import (
         "bytes"
         "crypto/sha1"
         "encoding/hex"
@@ skipping 21 matching lines @@
         cacheKey  CacheKey // used only for in-memory cache
 }
 
 // NewLUCIContextTokenProvider returns TokenProvider that knows how to use a
 // local auth server to mint tokens.
 //
 // It requires LUCI_CONTEXT["local_auth"] to be present in the 'ctx'. It's a
 // description of how to locate and contact the local auth server.
 //
 // See common/auth/localauth package for the implementation of the server.
+//
+// TODO(vadimsh): This method currently supports both "old" auth server that
+// don't understand "account_id", and new servers that do. Remove support for
+// old servers once Swarming is updated to understand new protocol.
 func NewLUCIContextTokenProvider(ctx context.Context, scopes []string, transport http.RoundTripper) (TokenProvider, error) {
         localAuth := lucictx.GetLocalAuth(ctx)
         if localAuth == nil {
                 return nil, fmt.Errorf(`no "local_auth" in LUCI_CONTEXT`)
         }
+        if !localAuth.CanUseByDefault() {
+                return nil, fmt.Errorf(`no "default_account_id" in LUCI_CONTEXT["local_auth"]`)
+        }
 
         // All authenticators share singleton in-process token cache, see
         // ProcTokenCache variable in proc_cache.go.
         //
         // It is possible (though very unusual), for a single process to use multiple
         // local auth servers (e.g if it enters a subcontext with another "local_auth"
         // value).
         //
         // For these reasons we use a digest of localAuth parameters as a cache key.
         // It is used only in the process-local cache, the token never ends up in
@@ skipping 26 matching lines @@
 
 func (p *luciContextTokenProvider) CacheKey(ctx context.Context) (*CacheKey, error) {
         return &p.cacheKey, nil
 }
 
 func (p *luciContextTokenProvider) MintToken(ctx context.Context, base *oauth2.Token) (*oauth2.Token, error) {
         // Note: deadlines and retries are implemented by Authenticator. MintToken
         // should just make a single attempt, and mark an error as transient to
         // trigger a retry, if necessary.
         request := rpcs.GetOAuthTokenRequest{
-                Scopes: p.scopes,
-                Secret: p.localAuth.Secret,
+                Scopes:    p.scopes,
+                Secret:    p.localAuth.Secret,
+                AccountID: p.localAuth.DefaultAccountID, // note: this is "" for old servers
         }
         if err := request.Validate(); err != nil {
                 return nil, err // should not really happen
         }
         body, err := json.Marshal(&request)
         if err != nil {
                 return nil, err
         }
 
         url := fmt.Sprintf("http://127.0.0.1:%d/rpc/LuciLocalAuthService.GetOAuthToken", p.localAuth.RPCPort)
@@ skipping 38 matching lines @@
                 AccessToken: response.AccessToken,
                 Expiry:      time.Unix(response.Expiry, 0).UTC(),
                 TokenType:   "Bearer",
         }, nil
 }
 
 func (p *luciContextTokenProvider) RefreshToken(ctx context.Context, prev, base *oauth2.Token) (*oauth2.Token, error) {
         // Minting and refreshing is the same thing: a call to local auth server.
         return p.MintToken(ctx, base)
 }