Copied a way to auth to GAR/GCR from PAPI to SFS. Tests TODO.

supportedBackends/sfs/src/main/scala/cromwell/backend/impl/sfs/config/ConfigBackendLifecycleActorFactory.scala

@@ -1,13 +1,17 @@
 package cromwell.backend.impl.sfs.config
 
 import com.typesafe.config.Config
-import cromwell.backend.BackendConfigurationDescriptor
+import cromwell.backend.{BackendConfigurationDescriptor, BackendInitializationData, BackendWorkflowDescriptor}
 import cromwell.backend.impl.sfs.config.ConfigConstants._
 import cromwell.backend.sfs._
 import cromwell.backend.standard.callcaching.StandardFileHashingActor
+import cromwell.cloudsupport.gcp.auth.GoogleAuthMode
+import cromwell.core.{BackendDockerConfiguration, DockerCredentials}
 import net.ceedubs.ficus.Ficus._
 import org.slf4j.{Logger, LoggerFactory}
 
+import scala.util.{Success, Try}
+
 /**
   * Builds a backend by reading the job control from the config.
   *
@@ -36,4 +40,39 @@ class ConfigBackendLifecycleActorFactory(val name: String, val configurationDesc
   override lazy val fileHashingActorClassOption: Option[Class[_ <: StandardFileHashingActor]] = Option(
     classOf[ConfigBackendFileHashingActor]
   )
+
+  override def dockerHashCredentials(workflowDescriptor: BackendWorkflowDescriptor,
+                                     initializationData: Option[BackendInitializationData]
+  ): List[Any] =
+    /*
+    Heavily adapted from:
+    https://github.com/broadinstitute/cromwell/blob/78/supportedBackends/google/pipelines/common/src/main/scala/cromwell/backend/google/pipelines/common/PipelinesApiBackendLifecycleActorFactory.scala#L71-L85
+
+    Could also be moved into a "standard" location.
+     */
+    Try(BackendInitializationData.as[ConfigInitializationData](initializationData)) match {
+      case Success(configInitializationData) =>
+        val tokenFromWorkflowOptions =
+          workflowDescriptor.workflowOptions
+            .get(GoogleAuthMode.DockerCredentialsTokenKey)
+            .toOption
+        val effectiveToken =
+          tokenFromWorkflowOptions
+            .orElse(
+              BackendDockerConfiguration
+                .build(configurationDescriptor.backendConfig)
+                .dockerCredentials
+                .map(_.token)
+            )
+
+        val dockerCredentials: Option[DockerCredentials] = effectiveToken map { token =>
+          // These credentials are being returned for hashing and all that matters in this context is the token
+          // so just `None` the auth and key.
+          val baseDockerCredentials = new DockerCredentials(token = token, authName = None, keyName = None)
+          baseDockerCredentials
+        }
+        val googleCredentials = configInitializationData.googleRegistryCredentialsOption
+        List(dockerCredentials, googleCredentials).flatten
+      case _ => List.empty[Any]
+    }
 }

supportedBackends/sfs/src/main/scala/cromwell/backend/impl/sfs/config/ConfigInitializationActor.scala

@@ -1,12 +1,19 @@
 package cromwell.backend.impl.sfs.config
 
+import cats.instances.future._
+import cats.instances.option._
+import cats.syntax.traverse._
+import com.google.auth.oauth2.OAuth2Credentials
+import common.validation.Validation._
 import cromwell.backend.io.WorkflowPaths
 import cromwell.backend.sfs._
 import cromwell.backend.standard.{
   StandardInitializationActorParams,
   StandardInitializationData,
   StandardValidatedRuntimeAttributesBuilder
 }
+import cromwell.cloudsupport.gcp.GoogleConfiguration
+import net.ceedubs.ficus.Ficus._
 import wdl.draft2.model.WdlNamespace
 
 import scala.concurrent.Future
@@ -23,6 +30,7 @@ import scala.concurrent.Future
   */
 class ConfigInitializationData(workflowPaths: WorkflowPaths,
                                runtimeAttributesBuilder: StandardValidatedRuntimeAttributesBuilder,
+                               val googleRegistryCredentialsOption: Option[OAuth2Credentials],
                                val declarationValidations: Seq[DeclarationValidation],
                                val wdlNamespace: WdlNamespace
 ) extends StandardInitializationData(workflowPaths,
@@ -47,11 +55,42 @@ class ConfigInitializationActor(params: StandardInitializationActorParams)
                                            configWdlNamespace.callCachedRuntimeAttributes
     )
 
+  /**
+    * Return optional credentials for call caching GAR/GCR images.
+    */
+  private lazy val googleRegistryCredentialsOption: Future[Option[OAuth2Credentials]] = {
+    val dockerGoogleAuthOption =
+      standardParams.configurationDescriptor.backendConfig.getAs[String]("docker.google.auth")
+    dockerGoogleAuthOption traverse { dockerGoogleAuth =>
+      val googleConfiguration = GoogleConfiguration(standardParams.configurationDescriptor.globalConfig)
+      val googleAuthTry =
+        googleConfiguration
+          .auth(dockerGoogleAuth)
+          .toTry(s"Error retrieving google auth mode $dockerGoogleAuth")
+      for {
+        googleAuth <- Future.fromTry(googleAuthTry)
+        credentials <- Future(
+          googleAuth.credentials(
+            workflowDescriptor.workflowOptions.get(_).get,
+            List("https://www.googleapis.com/auth/cloud-platform")
+          )
+        )
+      } yield credentials
+    }
+  }
+
   override lazy val initializationData: Future[ConfigInitializationData] = {
     val wdlNamespace = configWdlNamespace.wdlNamespace
-    workflowPaths map {
-      new ConfigInitializationData(_, runtimeAttributesBuilder, declarationValidations, wdlNamespace)
-    }
+    for {
+      workflowPathsActual <- workflowPaths
+      googleRegistryCredentialsOptionActual <- googleRegistryCredentialsOption
+    } yield new ConfigInitializationData(
+      workflowPathsActual,
+      runtimeAttributesBuilder,
+      googleRegistryCredentialsOptionActual,
+      declarationValidations,
+      wdlNamespace
+    )
   }
 
   override lazy val runtimeAttributesBuilder: StandardValidatedRuntimeAttributesBuilder = {