tls: Allow TLS flags to be reset to default values

Author: alloveras

src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java

@@ -20,6 +20,7 @@
 import com.google.devtools.common.options.Converter;
 import com.google.devtools.common.options.Converters.CommaSeparatedOptionListConverter;
 import com.google.devtools.common.options.Converters.DurationConverter;
+import com.google.devtools.common.options.Converters.NullableStringConverter;
 import com.google.devtools.common.options.Option;
 import com.google.devtools.common.options.OptionDocumentationCategory;
 import com.google.devtools.common.options.OptionEffectTag;
@@ -81,29 +82,34 @@ public abstract class AuthAndTLSOptions extends OptionsBase {
   @Option(
       name = "tls_certificate",
       defaultValue = "null",
+      converter = NullableStringConverter.class,
       documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
       effectTags = {OptionEffectTag.UNKNOWN},
-      help = "Specify a path to a TLS certificate that is trusted to sign server certificates.")
+      help =
+          "Specify a path to a TLS certificate that is trusted to sign server certificates."
+              + " An empty value resets the flag to its default.")
   public abstract String getTlsCertificate();
 
   @Option(
       name = "tls_client_certificate",
       defaultValue = "null",
+      converter = NullableStringConverter.class,
       documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
       effectTags = {OptionEffectTag.UNKNOWN},
       help =
           "Specify the TLS client certificate to use; you also need to provide a client key to "
-              + "enable client authentication.")
+              + "enable client authentication. An empty value resets the flag to its default.")
   public abstract String getTlsClientCertificate();
 
   @Option(
       name = "tls_client_key",
       defaultValue = "null",
+      converter = NullableStringConverter.class,
       documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
       effectTags = {OptionEffectTag.UNKNOWN},
       help =
           "Specify the TLS client key to use; you also need to provide a client certificate to "
-              + "enable client authentication.")
+              + "enable client authentication. An empty value resets the flag to its default.")
   public abstract String getTlsClientKey();
 
   @Option(

src/main/java/com/google/devtools/common/options/Converters.java

@@ -78,6 +78,28 @@ public String getTypeDescription() {
     }
   }
 
+  /**
+   * Converter for nullable strings: treats an empty string as {@code null}, and passes any other
+   * value through unchanged. Use this for optional file-path flags that have {@code defaultValue =
+   * "null"} so that {@code --flag=} on the command line resets the flag to its unset state instead
+   * of being interpreted as a filename.
+   */
+  public static class NullableStringConverter extends Converter.Contextless<String> {
+    @Override
+    @Nullable
+    public String convert(String input) {
+      if (input.isEmpty()) {
+        return null;
+      }
+      return input;
+    }
+
+    @Override
+    public String getTypeDescription() {
+      return "a nullable string";
+    }
+  }
+
   /** Standard converter for integers. */
   public static class IntegerConverter extends Converter.Contextless<Integer> {
     @Override

src/test/java/com/google/devtools/common/options/NullableStringConverterTest.java

@@ -0,0 +1,50 @@
+// Copyright 2026 The Bazel Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package com.google.devtools.common.options;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import com.google.devtools.common.options.Converters.NullableStringConverter;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Tests for {@link NullableStringConverter}. */
+@RunWith(JUnit4.class)
+public class NullableStringConverterTest {
+
+  private final NullableStringConverter converter = new NullableStringConverter();
+
+  @Test
+  public void emptyStringReturnsNull() throws OptionsParsingException {
+    assertThat(converter.convert("")).isNull();
+  }
+
+  @Test
+  public void literalNullStringPassesThrough() throws OptionsParsingException {
+    // The framework handles defaultValue = "null" specially without invoking the converter.
+    // This test checks that if "null" makes it to the converter, then it is treated literally.
+    assertThat(converter.convert("null")).isEqualTo("null");
+  }
+
+  @Test
+  public void regularPathPassesThrough() throws OptionsParsingException {
+    assertThat(converter.convert("/path/to/cert.pem")).isEqualTo("/path/to/cert.pem");
+  }
+
+  @Test
+  public void arbitraryStringPassesThrough() throws OptionsParsingException {
+    assertThat(converter.convert("some-value")).isEqualTo("some-value");
+  }
+}