actions-hub / gcloud

GitHub Action for interacting with Google Cloud Platform (GCP)
https://github.com/marketplace/actions/google-cloud-platform-gcp-cli-gcloud
MIT License
232 stars 27 forks

Work without encoding the secret with base64 #14

Closed kaxil closed 4 years ago

kaxil commented 4 years ago

This PR maintains backwards compatibility and removes the need for a base64-encoded secret.

kaxil commented 4 years ago

cc @exelban

I used act and figured out that there were issues.

The following answer helped:

https://superuser.com/questions/1225134/why-does-the-base64-of-a-string-contain-n

Also, I found out that base64 --decode was only available on OSX and not in the base64 that was included in the Docker image, so I updated it to use -d.

MacOS:

    ❯ base64 --help
    Usage:  base64 [-hvDd] [-b num] [-i in_file] [-o out_file]
      -h, --help     display this message
      -Dd, --decode   decodes input
      -b, --break    break encoded string into num character lines
      -i, --input    input file (default: "-" for stdin)
      -o, --output   output file (default: "-" for stdout)

From the Docker image:

    root@docker-desktop:/github/workspace# base64 --help
    Usage: base64 [OPTION]... [FILE]
    Base64 encode or decode FILE, or standard input, to standard output.

    With no FILE, or when FILE is -, read standard input.

    Mandatory arguments to long options are mandatory for short options too.
      -d, --decode          decode data
      -i, --ignore-garbage  when decoding, ignore non-alphabet characters
      -w, --wrap=COLS       wrap encoded lines after COLS character (default 76).
                              Use 0 to disable line wrapping

          --help     display this help and exit
          --version  output version information and exit

    The data are encoded as described for the base64 alphabet in RFC 4648.
    When decoding, the input may contain newlines in addition to the bytes of
    the formal base64 alphabet.  Use --ignore-garbage to attempt to recover
    from any other non-alphabet bytes in the encoded stream.

    GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
    Report base64 translation bugs to <https://translationproject.org/team/>
    Full documentation at: <https://www.gnu.org/software/coreutils/base64>
    or available locally via: info '(coreutils) base64 invocation'

exelban commented 4 years ago

I tried with -d, it does not change anything.

kaxil commented 4 years ago

> I tried with -d, it does not change anything.

Did you try with the following though:

    # Check if $APPLICATION_CREDENTIALS is a valid base64 encoded string or not
    if [ "$APPLICATION_CREDENTIALS" = "$(echo "$APPLICATION_CREDENTIALS" | base64 -d | base64  | tr -d \\n)" ]; then
      echo "APPLICATION_CREDENTIALS is Base64 Encoded"
      echo "$APPLICATION_CREDENTIALS" | base64 -d > /tmp/account.json
    else
      echo "APPLICATION_CREDENTIALS is not Base64 Encoded"
      echo "$APPLICATION_CREDENTIALS" > /tmp/account.json
    fi

kaxil commented 4 years ago

Especially the tr -d \\n one. Check https://superuser.com/questions/1225134/why-does-the-base64-of-a-string-contain-n for details.
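
The round-trip check from the snippet above as a stand-alone function, added here as an example (it is not the code merged in this PR). The name `write_credentials` and its output-path argument are assumptions; it goes beyond the posted snippet by accepting line-wrapped base64 (GNU base64 wraps at 76 columns by default, as the help output shows), by using printf instead of echo, and by creating the key file with owner-only permissions.

```shell
#!/bin/sh
# Added example, not the action's entrypoint. write_credentials is a
# hypothetical name: write_credentials VALUE OUTFILE
# Writes the service-account JSON to OUTFILE and prints "base64" or "raw".
write_credentials() (
  value=$1
  out=$2
  # Runs in a subshell, so the umask change does not leak to the caller.
  # A newly created OUTFILE gets mode 600; an existing file keeps its mode.
  umask 077

  # An encoded secret may carry newlines from base64's default wrapping.
  # Strip all whitespace first so wrapped input still round-trips.
  compact=$(printf '%s' "$value" | tr -d ' \t\r\n')

  # printf rather than echo: some /bin/sh echo builtins expand the literal
  # \n sequences inside the JSON private_key field and corrupt the file.
  # Decode straight into the file (no variable in between) so trailing
  # newlines of the original JSON survive the re-encode comparison.
  if [ -n "$compact" ] &&
     printf '%s' "$compact" | base64 -d > "$out" 2>/dev/null &&
     [ "$compact" = "$(base64 < "$out" | tr -d '\n')" ]; then
    echo base64
  else
    # Not valid base64: treat the value as the JSON itself and overwrite
    # whatever partial output the failed decode left behind.
    printf '%s\n' "$value" > "$out"
    echo raw
  fi
)
```

The function never prints the credential itself, only the detected format, so the secret does not end up in the workflow log.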

kaxil commented 4 years ago

    ❯ act -s GCP_CREDENTIALS="$(base64   ~/Desktop/kvn-XXXX-cd7f245e888d.json)"  -s GCP_PROJECT_ID=dsssd
    [test/multistep-test       ] 🚀  Start image=node:12.6-buster-slim
    [Deploy to docker hub/build] 🚀  Start image=node:12.6-buster-slim
    [test/info-test            ] 🚀  Start image=node:12.6-buster-slim
    [test/multistep-test       ]   🐳  docker run image=node:12.6-buster-slim entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
    [Deploy to docker hub/build]   🐳  docker run image=node:12.6-buster-slim entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
    [test/info-test            ]   🐳  docker run image=node:12.6-buster-slim entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
    [test/info-test            ]   🐳  docker cp src=/Users/kaxilnaik/Documents/Github/actions-hub/gcloud/. dst=/github/workspace
    [Deploy to docker hub/build]   🐳  docker cp src=/Users/kaxilnaik/Documents/Github/actions-hub/gcloud/. dst=/github/workspace
    [test/multistep-test       ]   🐳  docker cp src=/Users/kaxilnaik/Documents/Github/actions-hub/gcloud/. dst=/github/workspace
    [test/multistep-test       ] ⭐  Run actions/checkout@master
    [test/multistep-test       ]   ✅  Success - actions/checkout@master
    [test/multistep-test       ] ⭐  Run ./
    [test/multistep-test       ]   🐳  docker build -t act-gcloud:latest /Users/kaxilnaik/Documents/Github/actions-hub/gcloud
    [test/info-test            ] ⭐  Run actions/checkout@master
    [test/info-test            ]   ✅  Success - actions/checkout@master
    [test/info-test            ] ⭐  Run ./
    [test/info-test            ]   🐳  docker build -t act-gcloud:latest /Users/kaxilnaik/Documents/Github/actions-hub/gcloud
    [Deploy to docker hub/build] ⭐  Run actions/checkout@master
    [Deploy to docker hub/build]   ✅  Success - actions/checkout@master
    [test/info-test            ]   🐳  docker run image=act-gcloud:latest entrypoint=[] cmd=["info"]
    [test/multistep-test       ]   🐳  docker run image=act-gcloud:latest entrypoint=[] cmd=[]
    | APPLICATION_CREDENTIALS is Base64 Encoded
    | APPLICATION_CREDENTIALS is Base64 Encoded
    | Activated service account credentials for: [tmp-442@XXXX.iam.gserviceaccount.com]
    | Activated service account credentials for: [tmp-442@XXXX.iam.gserviceaccount.com]

kaxil commented 4 years ago

@exelban thoughts?

exelban commented 4 years ago

Oh, I’m so sorry. I didn’t have time today to take a look. I will take a look tomorrow. But if this test passed, it means that it works.

exelban commented 4 years ago

OK, it passed my local tests with JSON credentials and with base64-encoded ones. I'll merge this PR and add tests to master after this.

Thanks for your contribution.