feat: add support for credentials JSON flag

Fixes #323.
GoogleCloudPlatform · Sep 19, 2022 · 7f2ba2d · 7f2ba2d
1 parent 47b39d3
commit 7f2ba2d
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 5 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -311,6 +311,15 @@ func parseConfig(cmd *Command, conf *proxy.Config, args []string) error {
 	if conf.CredentialsFile != "" && conf.GcloudAuth {
 		return newBadCommandError("cannot specify --credentials-file and --gcloud-auth flags at the same time")
 	}
+	if conf.CredentialsJSON != "" && conf.Token != "" {
+		return newBadCommandError("cannot specify --credentials-json and --token flags at the same time")
+	}
+	if conf.CredentialsJSON != "" && conf.CredentialsFile != "" {
+		return newBadCommandError("cannot specify --credentials-json and --credentials-file flags at the same time")
+	}
+	if conf.CredentialsJSON != "" && conf.GcloudAuth {
+		return newBadCommandError("cannot specify --credentials-json and --gcloud-auth flags at the same time")
+	}
 
 	if userHasSet("http-port") && !userHasSet("prometheus") && !userHasSet("health-check") {
 		cmd.logger.Infof("Ignoring --http-port because --prometheus or --health-check was not set")

diff --git a/cmd/root_test.go b/cmd/root_test.go
@@ -507,7 +507,25 @@ func TestNewCommandWithErrors(t *testing.T) {
 			desc: "when both gcloud auth and credentials file are set",
 			args: []string{
 				"--gcloud-auth",
-				"--credential-file", "/path/to/file", "proj:region:inst"},
+				"--credentials-file", "/path/to/file", "proj:region:inst"},
+		},
+		{
+			desc: "when both token and credentials JSON are set",
+			args: []string{
+				"--token", "a-token",
+				"--credentials-json", `{"json":"here"}`, "proj:region:inst"},
+		},
+		{
+			desc: "when both credentials file and credentials JSON are set",
+			args: []string{
+				"--credentials-file", "/a/file",
+				"--credentials-json", `{"json":"here"}`, "proj:region:inst"},
+		},
+		{
+			desc: "when both gcloud auth and credentials JSON are set",
+			args: []string{
+				"--gcloud-auth",
+				"--credentials-json", `{"json":"here"}`, "proj:region:inst"},
 		},
 		{
 			desc: "when the unix socket query param contains multiple values",

diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
@@ -205,7 +205,7 @@ func (c *Config) DialerOptions(l cloudsql.Logger) ([]cloudsqlconn.Option, error)
 			c.CredentialsFile,
 		))
 	case c.CredentialsJSON != "":
-		l.Infof("Authorizing with JSON credentials")
+		l.Infof("Authorizing with JSON credentials environment variable")
 		opts = append(opts, cloudsqlconn.WithCredentialsJSON(
 			[]byte(c.CredentialsJSON),
 		))

diff --git a/tests/connection_test.go b/tests/connection_test.go
@@ -17,6 +17,7 @@ package tests
 import (
 	"context"
 	"database/sql"
+	"io/ioutil"
 	"net/http"
 	"net/http/httputil"
 	"os"
@@ -54,6 +55,18 @@ func removeAuthEnvVar(t *testing.T) (*oauth2.Token, string, func()) {
 	}
 }
 
+func keyfile(t *testing.T) string {
+	path := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
+	if path == "" {
+		t.Fatal("GOOGLE_APPLICATION_CREDENTIALS not set")
+	}
+	creds, err := ioutil.ReadFile(path)
+	if err != nil {
+		t.Fatalf("io.ReadAll(): %v", err)
+	}
+	return string(creds)
+}
+
 // proxyConnTest is a test helper to verify the proxy works with a basic connectivity test.
 func proxyConnTest(t *testing.T, args []string, driver, dsn string) {
 	ctx, cancel := context.WithTimeout(context.Background(), connTestTimeout)

diff --git a/tests/mysql_test.go b/tests/mysql_test.go
@@ -124,6 +124,24 @@ func TestMySQLAuthWithCredentialsFile(t *testing.T) {
 		"mysql", cfg.FormatDSN())
 }
 
-func TestMySQLHealthCheck(t *testing.T) {
-	testHealthCheck(t, *mysqlConnName)
+func TestMySQLAuthWithCredentialsJSON(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping MySQL integration tests")
+	}
+	requireMySQLVars(t)
+	creds := keyfile(t)
+	_, _, cleanup := removeAuthEnvVar(t)
+	defer cleanup()
+
+	cfg := mysql.Config{
+		User:                 *mysqlUser,
+		Passwd:               *mysqlPass,
+		DBName:               *mysqlDB,
+		AllowNativePasswords: true,
+		Addr:                 "127.0.0.1:3306",
+		Net:                  "tcp",
+	}
+	proxyConnTest(t,
+		[]string{"--credentials-json", creds, *mysqlConnName},
+		"mysql", cfg.FormatDSN())
 }
diff --git a/tests/postgres_test.go b/tests/postgres_test.go
@@ -124,11 +124,14 @@ func TestPostgresAuthWithCredentialsJSON(t *testing.T) {
 		t.Skip("skipping Postgres integration tests")
 	}
 	requirePostgresVars(t)
+	creds := keyfile(t)
+	_, _, cleanup := removeAuthEnvVar(t)
+	defer cleanup()
 
 	dsn := fmt.Sprintf("host=localhost user=%s password=%s database=%s sslmode=disable",
 		*postgresUser, *postgresPass, *postgresDB)
 	proxyConnTest(t,
-		[]string{"--credentials-json", os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"), *postgresConnName},
+		[]string{"--credentials-json", string(creds), *postgresConnName},
 		"pgx", dsn)
 }
 

diff --git a/tests/sqlserver_test.go b/tests/sqlserver_test.go
@@ -85,6 +85,22 @@ func TestSQLServerAuthWithCredentialsFile(t *testing.T) {
 		"sqlserver", dsn)
 }
 
+func TestSQLServerAuthWithCredentialsJSON(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping SQL Server integration tests")
+	}
+	requireSQLServerVars(t)
+	creds := keyfile(t)
+	_, _, cleanup := removeAuthEnvVar(t)
+	defer cleanup()
+
+	dsn := fmt.Sprintf("sqlserver://%s:%s@127.0.0.1?database=%s",
+		*sqlserverUser, *sqlserverPass, *sqlserverDB)
+	proxyConnTest(t,
+		[]string{"--credentials-json", creds, *sqlserverConnName},
+		"sqlserver", dsn)
+}
+
 func TestSQLServerHealthCheck(t *testing.T) {
 	testHealthCheck(t, *sqlserverConnName)
 }