Generic credential helper API call

[agomezl]

Currently, only Bazel-native methods (rctx.download() and similar) have access to the credential helper interface. As such, authentication for any external tool called within a repository rule must come up with it's own (user facing) authentication mechanism. We would like to propose an extension to the repository rule's API that would allow arbitrary starlark code to access the credential helper. To illustrate this idea, consider a repository rule attempting to authenticate against tool foo.exe using flag --auth=<user>:<password>

def _foo_repo_imp(rctx):
  ...
  credentials = rctx.get_credentials(rctx.attr.url)
  user = credentials["FOO_USER"]
  pwd = credentials["FOO_PASSWORD"]
  rctx.execute("foo.exe --auth={}:{} ... --url={}".format(user,pwd,rctx.attr.url))
  ...

foo_repo = repository_rule(
    implementation=_foo_repo_impl,
    attrs={
        "url": attr.string(mandatory=True), 
    }
)

In this example rctx.get_credential(url) request the credentials to any matching credential helper and returns a dictionary with the headers it provides.

We argue that while this can be accomplished using other methods (i.e. env variables or .netrc), for any non-trivial credential usage, it would not be as seamless and consistent as using the mechanism provided by the credential helper.

[agomezl]

@tjgq 😉

[fmeum]

I'm very much in favor of exposing this functionality to Starlark for use by tools that don't go through rctx.download.

Since by now there are multiple ways in which users can configure the behavior of Bazel downloads (at least .netrc, downloader config and credential helpers come to mind), I would like us to put some thought into whether we could expose a single API surface for all of those. This could be a skylib/bazel-lib wrapper around more low-level individual functions if needed, but having something like this avoids the maintenance burden of "your ruleset doesn't take X into account when downloading files" issues, of which there are quite a few.