From 587292fbaedf0a51694770bc167f9f1e7a1e3e82 Mon Sep 17 00:00:00 2001
From: Chen Sun
Date: Mon, 10 Feb 2020 14:43:54 -0800
Subject: [PATCH] Deduce proxy type from the presence of client_id (#3003)
* Deduce proxy type from presence of client_id
* handle error in get_gcp_access_token()
* restore the logic to detect inverse proxy host
---
 sdk/python/kfp/_auth.py | 9 +++++++--
 sdk/python/kfp/_client.py | 16 +++++-----------
 2 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/sdk/python/kfp/_auth.py b/sdk/python/kfp/_auth.py
index ce3f0d750aa..f9846eeb1ba 100644
--- a/sdk/python/kfp/_auth.py
+++ b/sdk/python/kfp/_auth.py
@@ -36,9 +36,14 @@ def get_gcp_access_token():
 Credentials. If not set, returns None. For more information, see https://cloud.google.com/sdk/gcloud/reference/auth/application-default/print-access-token """
+ token = None
 args = ['gcloud', 'auth', 'print-access-token']
- # Casting to string to accommodate API server request schema.
- return subprocess.check_output(args).rstrip().decode("utf-8")
+ try:
+ # Casting to string to accommodate API server request schema.
+ token = subprocess.check_output(args).rstrip().decode("utf-8")
+ except subprocess.CalledProcessError as e:
+ logging.warning('Failed to get GCP access token: %s', e)
+ return token
 def get_auth_token(client_id, other_client_id, other_client_secret):
 """Gets auth token from default service account or user account."""
diff --git a/sdk/python/kfp/_client.py b/sdk/python/kfp/_client.py
index 89e2e0e8291..671a97ccbd4 100644
--- a/sdk/python/kfp/_client.py
+++ b/sdk/python/kfp/_client.py
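Review bot: The new handler in get_gcp_access_token() catches only `subprocess.CalledProcessError`, so a machine without `gcloud` on PATH still gets an uncaught `FileNotFoundError` (an `OSError`) from `subprocess.check_output` instead of the logged warning and `None`. If the intent is to return `None` on any failure to obtain a token, the clause should read `except (subprocess.CalledProcessError, OSError) as e:`. Returning `None` also means the caller in `_client.py` skips the `authorization` header (`if token:`), so the request goes out unauthenticated with only a warning; the docstring should say so, e.g. `Returns None (and logs a warning) if gcloud fails; callers then send no authorization header.` The patch adds no import to this file, so the `logging.warning` call relies on `logging` already being imported outside the hunk. The function's signature and the start of its docstring are outside the hunk.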
@@ -116,11 +116,12 @@ def _load_config(self, host, client_id, namespace, other_client_id, other_client
 token = None
- # Obtain the tokens if it is inverse proxy or IAP.
- if self._is_inverse_proxy_host(host):
- token = get_gcp_access_token()
- if self._is_iap_host(host,client_id):
+ # Obtain the tokens if it is IAP or inverse proxy.
+ # client_id is only used for IAP, so when the value is provided, we assume it's IAP.
+ if client_id:
 token = get_auth_token(client_id, other_client_id, other_client_secret)
+ elif self._is_inverse_proxy_host(host):
+ token = get_gcp_access_token()
 if token:
 config.api_key['authorization'] = token
@@ -153,13 +154,6 @@ def _load_config(self, host, client_id, namespace, other_client_id, other_client
 config.host = config.host + '/' + Client.KUBE_PROXY_PATH.format(namespace)
 return config
- def _is_iap_host(self, host, client_id):
- if host and client_id:
- if re.match(r'\S+.endpoints.\S+.cloud.goog/{0,1}$', host):
- warnings.warn('Suffix /pipeline is not ignorable for IAP host.')
- return re.match(r'\S+.endpoints.\S+.cloud.goog/pipeline', host)
- return False
-
 def _is_inverse_proxy_host(self, host):
 if host:
 return re.match(r'\S+.googleusercontent.com/{0,1}$', host)
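Review bot: With `if client_id:` as the only condition, the IAP branch of _load_config now puts the result of `get_auth_token(...)` into `config.api_key['authorization']` for any `host` value, whereas the removed `_is_iap_host` check at least required the `...cloud.goog/pipeline` shape. The remaining gate, `elif self._is_inverse_proxy_host(host)`, rests on `re.match(r'\S+.googleusercontent.com/{0,1}$', host)` (visible as context in the next hunk), whose unescaped dots and leading `\S+` accept any string that merely ends in that text, so it does not establish that the hostname is under googleusercontent.com before a gcloud access token is attached. I would add a comment above the branch such as `# NOTE: the token is sent to whatever host is configured; host is not validated here.` and tighten the pattern to `r'\S+\.googleusercontent\.com/?$'`, or preferably compare the parsed hostname rather than the whole string. _load_config starts and ends outside both hunks, so whether the scheme is checked elsewhere cannot be seen from here.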