Google Git
Sign in
gerrit / gcompute-tools / 6c05256b54c45b529c4863c70452b7c072a9eeab
commit6c05256b54c45b529c4863c70452b7c072a9eeab[log] [tgz]
authorJoe Bandenburg <joeban@google.com>Thu Jun 30 11:21:53 2022 -0400
committerJoe Bandenburg <joeban@google.com>Thu Jun 30 11:27:41 2022 -0400
treedabae6300c02b0dfc3fd8f3eef541ccd36ba7bc4
parent147e9b8acf2d449dc55894362db0192d00a68cb7 [diff]
Fix scripts for Python 3.10

There was a change in Python 3.10 that causes these scripts to
crash with the following error:

File "gcompute-tools/./git-cookie-authdaemon", line 148, in update_cookie
    cj.save()
  File "/usr/lib/python3.10/http/cookiejar.py", line 2120, in save
    if cookie.has_nonstandard_attr(HTTPONLY_ATTR):
  File "/usr/lib/python3.10/http/cookiejar.py", line 805, in has_nonstandard_attr
    return name in self._rest
TypeError: argument of type 'NoneType' is not iterable

Looking at the source for Cookie in both Python 2.7[1] and
Python 3.10[2], it looks like it expects the rest parameter to be
a dictionary. I've tested this change in Python 3.10 and it fixes the
issue.

[1] https://github.com/python/cpython/blob/v2.7.18/Lib/cookielib.py#L794
[2] https://github.com/python/cpython/blob/v3.10.5/Lib/http/cookiejar.py#L809

Change-Id: I2a917022d5a096696b48231dd95d4b9131734b54
2 files changed
tree: dabae6300c02b0dfc3fd8f3eef541ccd36ba7bc4
  1. git-cookie-authdaemon
  2. git-googlesource-login
  3. LICENSE
  4. README.md
README.md

Git authentication tools for Google Compute Engine

The git-cookie-authdaemon uses the GCE metadata server to acquire an OAuth2 access token and configures git to always present this OAuth2 token when connecting to googlesource.com or Google Cloud Source Repositories.

Setup

Launch the GCE VMs with the gerritcodereview scope requested, for example:

gcloud compute instances create \
  --scopes https://www.googleapis.com/auth/gerritcodereview \
  ...

To add a scope to an existing GCE instance see this gcloud beta feature.

Installation on Linux

Install the daemon within the VM image and start it running:

sudo apt-get install git
git clone https://gerrit.googlesource.com/gcompute-tools/
./gcompute-tools/git-cookie-authdaemon

The daemon launches itself into the background and continues to keep the OAuth2 access token fresh.

Launch at Linux boot

git-cookie-authdaemon can be started as a systemd service at boot.

# Write the service config
$ sudo cat > /etc/systemd/system/git-cookie-authdaemon.service << EOF
[Unit]
Description=git-cookie-authdaemon required to access git-on-borg from GCE

Wants=network.target
After=syslog.target network-online.target

[Service]
User=builder  # update to your user
Group=builder  # update to your group
Type=simple
ExecStart=/path/to/git-cookie-authdaemon  # update the path
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

# Reload the service configs
$ sudo systemctl daemon-reload

# Enable the service
$ sudo systemctl enable git-cookie-authdaemon

# Start the service
sudo systemctl start git-cookie-authdaemon

# Check the status of the service
systemctl status git-cookie-authdaemon
ps -ef | grep git-cookie-authdaemon

# Reboot and check status again.

Installation on Windows

Prerequisite

Install Python 3.9 and Git for Windows. Older Python3 versions will probably work but are not tested in the setup below.

Run interactively or in a build script

Run git-cookie-authdaemon in the same environment under the same user git commands will be run, for example in either Command Prompt or Cygwin bash shell under user builder. In Windows Command Prompt start can be used to put the process into background.

python git-cookie-authdaemon --nofork

Launch at Windows boot

It may be desired in automation to launch git-cookie-authdaemon at Windows boot. It can be done as a scheduled task. The following is an example on a Jenkins node:

  1. The VM is created from GCE Windows Server 2019 or 2012R2 image.
  2. It runs under builder account.
  3. It is launched from a Bash shell. Cygwin is used here. Msys2 or Git Bash may work too but not tested.
  4. C:\build exists (log file destination in wrapper script used below
    • adjust as needed)

How to create a scheduled task.

  1. Launch Task Scheduler from an Administrator account.
  2. Click Create Task in the right pane.
  3. In General tab:
    1. Change user to the one running Jenkins node if it is different. You may want to run Jenkins node as a non-privileged user, builder in this example.
    2. Select Run whether user is logged on or not
  4. In Trigger tab. Add a trigger
    1. Set Begin the task as At startup.
    2. Uncheck Stop task if it runs longer than.
    3. Check Enabled.
  5. In Actions tab. Add Start a program.
    1. Set Program/script as C:\cygwin64\bin\bash.ext,
    2. Set Add arguments as --login -c /home/builder/git-cookie-authdaemon_wrapper.sh (see note below)
  6. Click Ok to save it.
  7. Optional: click Enable All Tasks History in Task Scheduler's right pane.
  8. Add builder account to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log On As Batch Job

Note: /home/builder/git-cookie-authdaemon_wrapper.sh is as below:

#!/bin/bash
exe=gcompute-tools/git-cookie-authdaemon
log=/cygdrive/c/build/git-cookie-autodaemon.log

# HOMEPATH and HOMEDRIVE are not set in a task scheduled at machine boot.
export HOMEPATH=${HOMEPATH:-'\Users\builder'}
export HOMEDRIVE=${HOMEDRIVE:-'C:'}

/cygdrive/c/Users/builder/AppData/Local/Programs/Python/Python39/python $exe --nofork >> $log 2>&1 # option --debug is also available.

This will write a log file to “C:\build\git-cookie-autodaemon.log” and a cookie to “C:\Users\builder.git-credential-cache\cookie”. The cookie is used for authentication by the user's gitconfig as shown below. The wrapper script assumes Python 3.9 is installed to the default location of “%LOCALAPPDATA%\Programs\Python\Python39”

C:\Users\builder.gitconfig contains the following section

[http]
        cookiefile = C:\\Users\\builder\\.git-credential-cache\\cookie