Configure oauth for uploader client and make it required (#2836)

* Remove --auth_type argument and make use of OAuth creds unconditional

* Add OAuth client configuration

Author: nfelt

tensorboard/uploader/auth.py

@@ -46,27 +46,32 @@
 )
 
 
+# The client "secret" is public by design for installed apps. See
+# https://developers.google.com/identity/protocols/OAuth2?csw=1#installed
+OAUTH_CLIENT_CONFIG = b"""
+{
+  "installed": {
+    "client_id": "373649185512-8v619h5kft38l4456nm2dj4ubeqsrvh6.apps.googleusercontent.com",
+    "project_id": "hosted-tensorboard-prod",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://oauth2.googleapis.com/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_secret": "pOyAuU2yq2arsM98Bw5hwYtr",
+    "redirect_uris": [
+      "urn:ietf:wg:oauth:2.0:oob",
+      "http://localhost"
+    ]
+  }
+}
+"""
+
+
 # Components of the relative path (within the user settings directory) at which
 # to store TensorBoard uploader credentials.
 TENSORBOARD_CREDENTIALS_FILEPATH_PARTS = [
     "tensorboard", "credentials", "uploader-creds.json"]
 
 
-def application_default_credentials():
-  """Returns the active Application Default Credentials.
-
-  Returns:
-    google.auth.credentials.Credentials: the current credentials.
-
-  Raises:
-    google.auth.exceptions.DefaultCredentialsError:
-        If no credentials were found, or if the credentials found were invalid.
-  """
-  credentials, project_id = google.auth.default(scopes=OPENID_CONNECT_SCOPES)
-  del project_id  # unused
-  return credentials
-
-
 class CredentialsStore(object):
   """Private file store for a `google.oauth2.credentials.Credentials`."""
 

tensorboard/uploader/uploader_main.py

@@ -101,13 +101,6 @@ def _define_flags(parser):
       choices=('local', 'ssl', 'ssl_dev'),
       help='The type of credentials to use for the gRPC client')
 
-  parser.add_argument(
-      '--auth_type',
-      type=str,
-      default='user',
-      choices=('adc', 'user', 'none'),
-      help='The type of auth credentials to obtain and add to requests.')
-
   parser.add_argument(
       '--auth_force_console',
       action='store_true',
@@ -201,6 +194,15 @@ def _run(flags):
     sys.stderr.write('Logged out of uploader.\n')
     sys.stderr.flush()
     return
+  # TODO(b/141723268): maybe reconfirm Google Account prior to reuse.
+  credentials = store.read_credentials()
+  if not credentials:
+    _prompt_for_user_ack(intent)
+    client_config = json.loads(auth.OAUTH_CLIENT_CONFIG)
+    flow = auth.build_installed_app_flow(client_config)
+    credentials = flow.run(force_console=flags.auth_force_console)
+    sys.stderr.write('\n')  # Extra newline after auth flow messages.
+    store.write_credentials(credentials)
 
   channel_options = None
   if flags.grpc_creds_type == 'local':
@@ -214,27 +216,13 @@ def _run(flags):
     msg = 'Invalid --grpc_creds_type %s' % flags.grpc_creds_type
     raise base_plugin.FlagsError(msg)
 
-  if flags.auth_type != 'none':
-    if flags.auth_type == 'user':
-      # TODO(b/141723268): determine if we should reconfirm the intended Google
-      #   Account used for uploading prior to reusing the stored credentials.
-      credentials = store.read_credentials()
-      if not credentials:
-        _prompt_for_user_ack(intent)
-        client_config = json.loads(dev_creds.DEV_OAUTH_CLIENT_CONFIG)
-        flow = auth.build_installed_app_flow(client_config)
-        credentials = flow.run(force_console=flags.auth_force_console)
-        sys.stderr.write('\n')  # Extra newline after auth flow messages.
-        store.write_credentials(credentials)
-    elif flags.auth_type == 'adc':
-      credentials = auth.application_default_credentials()
-    channel_creds = grpc.composite_channel_credentials(
-        channel_creds, auth.id_token_call_credentials(credentials))
+  composite_channel_creds = grpc.composite_channel_credentials(
+      channel_creds, auth.id_token_call_credentials(credentials))
 
   # TODO(@nfelt): In the `_UploadIntent` case, consider waiting until
   # logdir exists to open channel.
   channel = grpc.secure_channel(
-      flags.endpoint, channel_creds, options=channel_options)
+      flags.endpoint, composite_channel_creds, options=channel_options)
   with channel:
     intent.execute(channel)