Closed kaxil closed 4 years ago
cc @exelban @tibotiber
Hi. Thanks for this PR.
Maybe there is an option to do this without an additional key? Detect in some way check if passed credentials are base64 or not?
Hi. Thanks for this PR.
Maybe there is an option to do this without an additional key? Detect in some way check if passed credentials are base64 or not?
Sure I could do that
I trying to implement this a few times. But as I remember there is no good solution to determine if a string is base64 or not. The only one solution what I found is this regex: ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$
. There is a link with an explanation. I hope it will help.
Or maybe you will find a better solution.
How about:
❯ orig_str='bGludXhoaW50Y29'
❯ if [ "$orig_str" = "$(echo $orig_str | base64 --decode | base64)" ]; then
echo "Base64 Encoded"; else echo "Not Base64 Not Encoded"
fi
Not Base64 Not Encoded
i.e check base64.b64encode(base64.b64decode(s)) == s
(If by decoding and encoding it again we get the same result it is a Base64 string or else it is not)
It looks like it will no work. Because you just decode -> encode the string. The problem is that base64 is a string. So you will just decode a base64 again, and encode it to the original one.
At least, these cases show that this way, will not work:
echo dGVzdA== | base64 --decode | base64
echo test | base64 --decode | base64
Both will return the $orig_str
.
It looks like it will no work. Because you just decode -> encode the string. The problem is that base64 is a string. So you will just decode a base64 again, and encode it to the original one.
At least, these cases show that this way, will not work:
echo dGVzdA== | base64 --decode | base64 echo test | base64 --decode | base64
Both will return the
$orig_str
.
That is because both of them are valid base64 strings though (based on https://stackoverflow.com/a/45928164/5691525)
Hmm, so the trick there is credentials are JSON object, and base64 will throw an error. And valid base64 string will just decode->encode?
So the logic here is not to check if provided credentials are invalid base64, but to check if it's a valid base64?
yeah:
❯ export orig_str="sasdasdadada=fsfs"
❯ if [ "$orig_str" = "$(echo $orig_str | base64 --decode | base64)" ]; then
echo "Base64 Encoded"; else echo "Not Base64 Encoded"
fi
Invalid character in input stream.
Not Base64 Encoded
Thanks. I will make a few tests tonight, and merge this.
Just a small ask, could you add some log to if/else?
Even this one: echo "Base64 Encoded"; else echo "Not Base64 Encoded"
.
It will help if someone will have a problem with credentials.
Thanks. I will make a few tests tonight, and merge this. Just a small ask, could you add some log to if/else? Even this one:
echo "Base64 Encoded"; else echo "Not Base64 Encoded"
.It will help if someone will have a problem with credentials.
Done (in https://github.com/actions-hub/gcloud/pull/13/commits/d20e794f89d36458f759b981fdddad4e91f23328)
It does not work(
It does not work(
Does the test contain Base64 encoded secret or without encoding?
For now, it contains only base64 encoded
And it says that base64 encoded credentials are not encoded
How about we simplify it and go back to the first approach i.e. instead of guessing or validating let the user tell us whrther it is encoded or not via environment variable (defaulting it to base64 encoded) ?
I just cannot understand the reason to put a json file to secret but not a base64 encoded. For me it's some standard when I need to put some structure as a string, I just encode it with base64.
If there is a way to support both methods, base64 and json in the string. I will accept it, but without any additional flags. It will make usage more complicated. If you want to put a file to secret set this key, otherwise keep it false.
I just cannot understand the reason to put a json file to secret but not a base64 encoded. For me it's some standard when I need to put some structure as a string, I just encode it with base64.
If there is a way to support both methods, base64 and json in the string. I will accept it, but without any additional flags. It will make usage more complicated. If you want to put a file to secret set this key, otherwise keep it false.
Sure let me try something out and get back to this PR
This PR maintains backwards-compatibility and removes the need of having a base64 encoded Secret