chore: Migrate make_bugs_public to use Google issue tracker. (#2676)

OSS-Fuzz migrated to Google Issue Tracker from Monorail as part of
Monorail being turned down.

Client based on a very stripped down implementation of
https://github.com/google/clusterfuzz/tree/e2c3d679fa6e4eac32718afa362c83cfb14fe06c/src/clusterfuzz/_internal/issue_management/google_issue_tracker,

with some changes to make auth work (via impersonation).

Author: oliverchang

docker/cron/make_bugs_public/google_issue_tracker/__init__.py

@@ -0,0 +1,14 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Google issue tracker."""

docker/cron/make_bugs_public/google_issue_tracker/client.py

@@ -0,0 +1,64 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Gets a Google Issue Tracker HTTP client."""
+
+import google.auth
+from google.auth import impersonated_credentials
+import google_auth_httplib2
+from googleapiclient import discovery
+from googleapiclient import errors
+import httplib2
+
+_DISCOVERY_URL = ('https://issuetracker.googleapis.com/$discovery/rest?'
+                  'version=v1&labels=GOOGLE_PUBLIC')
+_SCOPE = 'https://www.googleapis.com/auth/buganizer'
+# OSS-Fuzz service account.
+_IMPERSONATED_SERVICE_ACCOUNT = (
+    '[email protected]')
+_REQUEST_TIMEOUT = 60
+
+HttpError = errors.HttpError
+UnknownApiNameOrVersion = errors.UnknownApiNameOrVersion
+
+
+def build_http():
+  """Builds a httplib2.Http."""
+  source_credentials, _ = google.auth.default()
+  credentials = impersonated_credentials.Credentials(
+      source_credentials=source_credentials,
+      target_principal=_IMPERSONATED_SERVICE_ACCOUNT,
+      target_scopes=[_SCOPE])
+
+  return google_auth_httplib2.AuthorizedHttp(
+      credentials, http=httplib2.Http(timeout=_REQUEST_TIMEOUT))
+
+
+def _call_discovery(api, http):
+  """Calls the discovery service.
+
+  Retries upto twice if there are any UnknownApiNameOrVersion errors.
+  """
+  return discovery.build(
+      api,
+      'v1',
+      discoveryServiceUrl=_DISCOVERY_URL,
+      http=http,
+      static_discovery=False)
+
+
+def build(api='issuetracker', http=None):
+  """Builds a google api client for buganizer."""
+  if not http:
+    http = build_http()
+  return _call_discovery(api, http)

docker/cron/make_bugs_public/google_issue_tracker/issue_tracker.py

@@ -0,0 +1,79 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# pylint: disable=protected-access
+"""Google issue tracker implementation."""
+
+import enum
+
+from google.auth import exceptions
+
+from . import client
+
+_NUM_RETRIES = 3
+
+
+class IssueAccessLevel(str, enum.Enum):
+  LIMIT_NONE = 'LIMIT_NONE'
+  LIMIT_VIEW = 'LIMIT_VIEW'
+  LIMIT_APPEND = 'LIMIT_APPEND'
+  LIMIT_VIEW_TRUSTED = 'LIMIT_VIEW_TRUSTED'
+
+
+class IssueTrackerError(Exception):
+  """Base issue tracker error."""
+
+
+class IssueTrackerNotFoundError(IssueTrackerError):
+  """Not found error."""
+
+
+class IssueTrackerPermissionError(IssueTrackerError):
+  """Permission error."""
+
+
+class IssueTracker:
+  """Google issue tracker implementation."""
+
+  def __init__(self, http_client):
+    self._client = http_client
+
+  @property
+  def client(self):
+    """HTTP Client."""
+    if self._client is None:
+      self._client = client.build()
+    return self._client
+
+  def _execute(self, request):
+    """Executes a request."""
+    http = None
+    for _ in range(2):
+      try:
+        return request.execute(num_retries=_NUM_RETRIES, http=http)
+      except exceptions.RefreshError:
+        # Rebuild client and retry request.
+        http = client.build_http()
+        self._client = client.build('issuetracker', http=http)
+        return request.execute(num_retries=_NUM_RETRIES, http=http)
+      except client.HttpError as e:
+        if e.resp.status == 404:
+          raise IssueTrackerNotFoundError(str(e)) from e
+        if e.resp.status == 403:
+          raise IssueTrackerPermissionError(str(e)) from e
+        raise IssueTrackerError(str(e)) from e
+
+  def get_issue(self, issue_id):
+    """Gets the issue with the given ID."""
+    return self._execute(self.client.issues().get(issueId=str(issue_id)))

docker/cron/make_bugs_public/make_bugs_public.py

@@ -17,14 +17,12 @@
 import logging
 import sys
 from google.cloud import ndb
-import requests
 
-import monorail
+from google_issue_tracker import client
+from google_issue_tracker import issue_tracker
 import osv
 import osv.logs
 
-_MONORAIL_ACCOUNT = '[email protected]'
-
 
 def make_affected_commits_public(bug):
   """Make related AffectedCommits entities public."""
@@ -37,7 +35,7 @@ def make_affected_commits_public(bug):
 
 def main():
   """Mark bugs public."""
-  monorail_client = monorail.Client('oss-fuzz', _MONORAIL_ACCOUNT)
+  tracker = issue_tracker.IssueTracker(client.build())
   query = osv.Bug.query(osv.Bug.public == False)  # pylint: disable=singleton-comparison
 
   to_mark_public = []
@@ -48,13 +46,14 @@ def main():
       continue
 
     try:
-      issue = monorail_client.get_issue(issue_id)
-    except requests.exceptions.HTTPError:
+      issue = tracker.get_issue(issue_id)
+    except issue_tracker.IssueTrackerError:
       logging.error('Failed to get issue %s.', issue_id)
       continue
 
-    labels = [label['label'].lower() for label in issue['labels']]
-    if 'restrict-view-commit' not in labels:
+    if (issue['issueState'].get(
+        'accessLimit',
+        {}).get('accessLevel') == issue_tracker.IssueAccessLevel.LIMIT_NONE):
       bug.public = True
       logging.info('Marking %s as public.', bug.key.id())
       to_mark_public.append(bug)

docker/cron/make_bugs_public/monorail.py

@@ -5,6 +5,8 @@ package-mode = false
 [tool.poetry.dependencies]
 python = "^3.11"
 
+google-auth-httplib2 = "^0.2.0"
+google-api-python-client = "^2.147"
 google-cloud-pubsub = "==2.23.1"
 google-cloud-ndb = "==2.3.2"
 google-cloud-storage = "==2.18.2"