Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Enable service account keys to be provided in base64 #70

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Apr 5, 2021
Merged

Enable service account keys to be provided in base64 #70

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1d419cb
enable providing SA key base64 encoded
soeirosantos Apr 2, 2021
445f2d3
update DOC
soeirosantos Apr 2, 2021
0eac195
log skipping base64 decode
soeirosantos Apr 5, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions DOCS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ Refer to GAE [Access Control](https://cloud.google.com/appengine/docs/flexible/p
Use least permissible role for the tasks required.
Typically for `action: deploy` this is `App Engine Admin` and `Cloud Build Service Account`.

If the service account JSON key is provided in base64 format, the plugin will decode it internally.

For example:

```yml
Expand Down
8 changes: 8 additions & 0 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package main

import (
"bytes"
"encoding/base64"
"encoding/json"
"fmt"
"io"
Expand Down Expand Up @@ -244,6 +245,13 @@ func configFromEnv(vargs *GAE, workspace *string) error {
vargs.Token = os.Getenv("GAE_CREDENTIALS")
}

if decodedToken, err := base64.StdEncoding.DecodeString(vargs.Token); err == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this function able to figure out if the string that it's reading actually is encoded?

Copy link
Contributor Author

@soeirosantos soeirosantos Apr 5, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the usual way to verify if a string is encoded in Go is to call DecodeString and check if err == nil.

Copy link
Contributor

@msuterski msuterski Apr 5, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, I'm not sure if it is 100% reliable

	encoded := "ZW5jb2RlZCBzZXJ2aWNlIGFjY291bnQga2V5"

	if decodedToken, err := base64.StdEncoding.DecodeString(encoded); err == nil {
		fmt.Println(string(decodedToken))
	}

	notencoded := "encodedserviceaccountkey"

	if decodedToken, err := base64.StdEncoding.DecodeString(notencoded); err == nil {
		fmt.Println(string(decodedToken))
	}

Both of these print for me (no error) and the second one is not base64 encoded string.

The error is returned when there are spaces or other non alphanumerics in the string.

The second one (decoding of not-encoded string) is producing garbage string but it seems it is a "valid" string.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I got your point, that makes sense. I believe your test has this behavior because "encodedserviceaccountkey" is a "valid" base64 encoded string in terms of structure.

The main point is when an actual service account key json is provided the DecodeString function will fail and an error is going to be returned.

Another option (that I'd like to avoid if possible) would be to add a different field for the base64, like GAE_CREDENTIALS_B64. I'd like to avoid this approach because it unnecessarily changes the plugin interface. But I'm not totally against it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right that this should work in this type of field case.

I wonder if it would be helpful to indicate somehow to the users (log to the console) that decoding failed and it's going to be using the value as is. I'm thinking about cases where someone puts in invalid b64 string e.g. with extra whitespace at the end or similar (which was happening in the past).
The b64 values will come from an external source, not users in this use case, but who knows how people will use it in the future.

It may also be an overkill and what we have in the PR is good enough.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense. I'll add the log output. It will definitely make it easier to debug when someone puts in an invalid base64 string.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a thought: how about if you check the credential can be unmarshalled into it's JSON structure first? If it doesn't, then try decoding it and unmarshalling?

That way you are doing validation for both structure types.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @tonglil, I'm so sorry I haven't seen your comment before merging - just seeing it now. I think this is a good validation to have. In any case, the best validation is going to be provided by the gcloud command when it tries to activate the service account. I'm happy to add the JSON structure validation if that makes sense, tho.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nah you're right, let's let gcloud do the heavy lifting

// if no error then the token is base64 encoded (or empty)
vargs.Token = string(decodedToken)
} else {
fmt.Println("gae_credentials is not base64 encoded: skipping decode")
}

// Maps
dummyVargs := dummyGAE{}
addlArgs := os.Getenv("PLUGIN_ADDL_ARGS")
Expand Down
19 changes: 19 additions & 0 deletions main_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,3 +229,22 @@ func TestSetupFile(t *testing.T) {
}

}

func TestEncodedToken(t *testing.T) {

os.Setenv("PLUGIN_GAE_CREDENTIALS", "ZW5jb2RlZCBzZXJ2aWNlIGFjY291bnQga2V5")

vargs := GAE{}

workspace := ""
configFromEnv(&vargs, &workspace)

expectedDecodedToken := "encoded service account key"
assert.Equal(t, expectedDecodedToken, vargs.Token)

nonEncodedToken := "non-encoded service account key"
os.Setenv("PLUGIN_GAE_CREDENTIALS", nonEncodedToken)

configFromEnv(&vargs, &workspace)
assert.Equal(t, nonEncodedToken, vargs.Token)
}