directory: support non-base64 encoded service accounts (#3150)

2025-08-01 16:01:26 +02:00 · 2022-03-14 14:38:41 -06:00 · 2022-03-14 14:38:41 -06:00 · f894205d08
commit f894205d08
parent 925fc29ab8
14 changed files with 267 additions and 51 deletions
--- a/internal/directory/github/github.go
+++ b/internal/directory/github/github.go
@ -4,7 +4,6 @@ package github
 import (
 	"bytes"
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/http"
@ -14,6 +13,7 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/tomnomnom/linkheader"

+	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/pkg/grpc/directory"
@ -300,14 +300,8 @@ type ServiceAccount struct {

 // ParseServiceAccount parses the service account in the config options.
 func ParseServiceAccount(rawServiceAccount string) (*ServiceAccount, error) {
-	bs, err := base64.StdEncoding.DecodeString(rawServiceAccount)
-	if err != nil {
-		return nil, err
-	}
-
 	var serviceAccount ServiceAccount
-	err = json.Unmarshal(bs, &serviceAccount)
-	if err != nil {
+	if err := encoding.DecodeBase64OrJSON(rawServiceAccount, &serviceAccount); err != nil {
 		return nil, err
 	}

--- a/internal/directory/github/github_test.go
+++ b/internal/directory/github/github_test.go
@ -11,6 +11,7 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/vektah/gqlparser/ast"
 	"github.com/vektah/gqlparser/parser"

@ -347,6 +348,49 @@ func TestProvider_UserGroups(t *testing.T) {
 	]`, groups)
 }

+func TestParseServiceAccount(t *testing.T) {
+	tests := []struct {
+		name              string
+		rawServiceAccount string
+		serviceAccount    *ServiceAccount
+		wantErr           bool
+	}{
+		{
+			"json",
+			`{"username": "USERNAME", "personal_access_token": "PERSONAL_ACCESS_TOKEN"}`,
+			&ServiceAccount{Username: "USERNAME", PersonalAccessToken: "PERSONAL_ACCESS_TOKEN"},
+			false,
+		},
+		{
+			"base64 json",
+			`eyJ1c2VybmFtZSI6ICJVU0VSTkFNRSIsICJwZXJzb25hbF9hY2Nlc3NfdG9rZW4iOiAiUEVSU09OQUxfQUNDRVNTX1RPS0VOIn0=`,
+			&ServiceAccount{Username: "USERNAME", PersonalAccessToken: "PERSONAL_ACCESS_TOKEN"},
+			false,
+		},
+		{
+			"empty",
+			"",
+			nil,
+			true,
+		},
+		{
+			"invalid",
+			"Zm9v---",
+			nil,
+			true,
+		},
+	}
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := ParseServiceAccount(tc.rawServiceAccount)
+			require.True(t, (err != nil) == tc.wantErr)
+			assert.Equal(t, tc.serviceAccount, got)
+		})
+	}
+}
+
 func mustParseURL(rawurl string) *url.URL {
 	u, err := url.Parse(rawurl)
 	if err != nil {