Extend LUCI_CONTEXT["local_auth"] protocol to understand accounts.

lucictx/local_auth.go

Index: lucictx/local_auth.go
diff --git a/lucictx/local_auth.go b/lucictx/local_auth.go
index 2d5b72060d93184e3f429eba07bf873ad975e853..dfd926b409390cb5bc1b9059f70173f1d3f0dbbc 100644
--- a/lucictx/local_auth.go
+++ b/lucictx/local_auth.go
@@ -13,8 +13,35 @@ import (
 // LocalAuth is a struct that may be used with the "local_auth" section of
 // LUCI_CONTEXT.
 type LocalAuth struct {
+	// RPCPort and Secret define how to connect to the local auth server.
 	RPCPort uint32 `json:"rpc_port"`
 	Secret  []byte `json:"secret"`
+
+	// Accounts and DefaultAccountID defines what access tokens are available.
+	Accounts         []LocalAuthAccount `json:"accounts"`
+	DefaultAccountID string             `json:"default_account_id"`
+}
+
+// LocalAuthAccount contains information about a service account available
+// through a local auth server.
+type LocalAuthAccount struct {
+	// ID is logical identifier of the account, e.g. "system" or "task".
+	ID string `json:"id"`
+}
+
+// CanUseByDefault returns true if the authentication context can be picked up
+// by default.
+//
+// TODO(vadimsh): Remove this method once all servers provide 'accounts'.
+func (la *LocalAuth) CanUseByDefault() bool {
+	// Old API servers don't provide list of accounts. Instead there's single
+	// account that is always used by default.
+	if len(la.Accounts) == 0 {
+		return true
+	}
+	// New API servers give a list of available account and an optional default
+	// account. Auth should be used only if default account is given.
+	return la.DefaultAccountID != ""
 }
 
 // GetLocalAuth calls Lookup and returns the current LocalAuth from LUCI_CONTEXT