directory: support non-base64 encoded service accounts (#3150)

Caleb Doxsey 2022-03-14 14:38:41 -06:00 committed by GitHub
parent 925fc29ab8
commit f894205d08
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 267 additions and 51 deletions


@ -4,7 +4,6 @@ package github
import (
"bytes"
"context"
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
@ -14,6 +13,7 @@ import (
"github.com/rs/zerolog"
"github.com/tomnomnom/linkheader"
"github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/pkg/grpc/directory"
@ -300,14 +300,8 @@ type ServiceAccount struct {
// ParseServiceAccount parses the service account in the config options.
func ParseServiceAccount(rawServiceAccount string) (*ServiceAccount, error) {
bs, err := base64.StdEncoding.DecodeString(rawServiceAccount)
if err != nil {
return nil, err
}
var serviceAccount ServiceAccount
err = json.Unmarshal(bs, &serviceAccount)
if err != nil {
if err := encoding.DecodeBase64OrJSON(rawServiceAccount, &serviceAccount); err != nil {
return nil, err
}
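Review bot: The error from `encoding.DecodeBase64OrJSON` is returned bare in `ParseServiceAccount`, so now that two input formats are accepted the message alone does not say which provider's setting failed; wrapping it as `return nil, fmt.Errorf("github: invalid service account: %w", err)` keeps the cause and names the setting. Because the raw value carries a personal access token, it is worth confirming in the helper (not visible in this hunk) that neither decode path copies the input itself into the error text. The doc comment should also state what is now accepted, e.g. `// ParseServiceAccount parses the service account in the config options; the value may be raw JSON or base64-encoded JSON.` The function body continues past the end of the hunk, so any later field validation is not visible here.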


@ -11,6 +11,7 @@ import (
"github.com/go-chi/chi/v5"
"github.com/go-chi/chi/v5/middleware"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/vektah/gqlparser/ast"
"github.com/vektah/gqlparser/parser"
@ -347,6 +348,49 @@ func TestProvider_UserGroups(t *testing.T) {
]`, groups)
}
func TestParseServiceAccount(t *testing.T) {
tests := []struct {
name string
rawServiceAccount string
serviceAccount *ServiceAccount
wantErr bool
}{
{
"json",
`{"username": "USERNAME", "personal_access_token": "PERSONAL_ACCESS_TOKEN"}`,
&ServiceAccount{Username: "USERNAME", PersonalAccessToken: "PERSONAL_ACCESS_TOKEN"},
false,
},
{
"base64 json",
`eyJ1c2VybmFtZSI6ICJVU0VSTkFNRSIsICJwZXJzb25hbF9hY2Nlc3NfdG9rZW4iOiAiUEVSU09OQUxfQUNDRVNTX1RPS0VOIn0=`,
&ServiceAccount{Username: "USERNAME", PersonalAccessToken: "PERSONAL_ACCESS_TOKEN"},
false,
},
{
"empty",
"",
nil,
true,
},
{
"invalid",
"Zm9v---",
nil,
true,
},
}
for _, tc := range tests {
tc := tc
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
got, err := ParseServiceAccount(tc.rawServiceAccount)
require.True(t, (err != nil) == tc.wantErr)
assert.Equal(t, tc.serviceAccount, got)
})
}
}
func mustParseURL(rawurl string) *url.URL {
u, err := url.Parse(rawurl)
if err != nil {