goto · rahmatrhd · Aug 23, 2023 · Aug 22, 2023 · Aug 22, 2023 · Aug 23, 2023
diff --git a/plugins/identities/http.go b/plugins/identities/http.go
@@ -2,6 +2,7 @@ package identities
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -36,8 +37,11 @@ type HTTPAuthConfig struct {
 
 	// google_idtoken
 	Audience string `mapstructure:"audience,omitempty" json:"audience,omitempty" yaml:"audience,omitempty" validate:"required_if=Type google_idtoken"`
-	// TODO: allow base64 encoded credentials
-	CredentialsJSON string `mapstructure:"credentials_json,omitempty" json:"credentials_json,omitempty" yaml:"credentials_json,omitempty" validate:"required_if=Type google_idtoken"`
+	// CredentialsJSON accept a JSON stringified credentials
+	// Deprecated: CredentialsJSON is deprecated, use CredentialsJSONBase64 instead
+	CredentialsJSON string `mapstructure:"credentials_json,omitempty" json:"credentials_json,omitempty" yaml:"credentials_json,omitempty"`
+	// CredentialsJSONBase64 accept a base64 encoded JSON stringified credentials
+	CredentialsJSONBase64 string `mapstructure:"credentials_json_base64,omitempty" json:"credentials_json_base64,omitempty" yaml:"credentials_json_base64,omitempty"`
 }
 
 // HTTPClientConfig is the configuration required by iam.Client
@@ -88,6 +92,13 @@ func (c *HTTPClientConfig) Encrypt() error {
 			}
 			c.Auth.CredentialsJSON = encryptedValue
 		}
+		if c.Auth.CredentialsJSONBase64 != "" {
+			encryptedValue, err := c.crypto.Encrypt(c.Auth.CredentialsJSONBase64)
+			if err != nil {
+				return err
+			}
+			c.Auth.CredentialsJSONBase64 = encryptedValue
+		}
 	}
 
 	return nil
@@ -126,6 +137,13 @@ func (c *HTTPClientConfig) Decrypt() error {
 			}
 			c.Auth.CredentialsJSON = decryptedValue
 		}
+		if c.Auth.CredentialsJSONBase64 != "" {
+			decryptedValue, err := c.crypto.Decrypt(c.Auth.CredentialsJSONBase64)
+			if err != nil {
+				return err
+			}
+			c.Auth.CredentialsJSONBase64 = decryptedValue
+		}
 	}
 
 	return nil
@@ -151,8 +169,22 @@ func NewHTTPClient(config *HTTPClientConfig) (*HTTPClient, error) {
 	}
 
 	if config.Auth.Type == "google_idtoken" {
+		var creds []byte
+		switch {
+		case config.Auth.CredentialsJSONBase64 != "":
+			v, err := base64.StdEncoding.DecodeString(config.Auth.CredentialsJSONBase64)
+			if err != nil {
+				return nil, fmt.Errorf("decoding credentials_json_base64: %w", err)
+			}
+			creds = v
+		case config.Auth.CredentialsJSON != "":
+			creds = []byte(config.Auth.CredentialsJSON)
+		default:
+			return nil, fmt.Errorf("missing credentials for google_idtoken auth")
+		}
+
 		ctx := context.Background()
-		ts, err := idtoken.NewTokenSource(ctx, config.Auth.Audience, idtoken.WithCredentialsJSON([]byte(config.Auth.CredentialsJSON)))
+		ts, err := idtoken.NewTokenSource(ctx, config.Auth.Audience, idtoken.WithCredentialsJSON(creds))
 		if err != nil {
 			return nil, err
 		}
@@ -236,3 +268,8 @@ func (c *HTTPClient) setAuth(req *http.Request) {
 		}
 	}
 }
+
+func isValidJSON(s string) bool {
+	var v map[string]interface{}
+	return json.Unmarshal([]byte(s), &v) == nil
+}