Encode b64_mac_key in base64url, not in base64 (#13033) (#9424)

modular-magician · web-flow · commit bbeb677e071b · 2025-02-25T15:17:03.000-08:00
[upstream:d7efb7266051a333f248d3bbc7f103dc582a45e7]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/13033.txt b/.changelog/13033.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+publicca: encode b64_mac_key in base64url, not in base64
+```
diff --git a/google-beta/services/publicca/resource_public_ca_external_account_key.go b/google-beta/services/publicca/resource_public_ca_external_account_key.go
@@ -20,6 +20,7 @@
 package publicca
 
 import (
+	"encoding/base64"
 	"fmt"
 	"log"
 	"net/http"
@@ -56,10 +57,18 @@ func ResourcePublicCAExternalAccountKey() *schema.Resource {
 				Default:     "global",
 			},
 			"b64_mac_key": {
+				Type:       schema.TypeString,
+				Computed:   true,
+				Deprecated: "`b64_mac_key` is deprecated and will be removed in a future major release. Use `b64url_mac_key` instead.",
+				Description: `Base64-URL-encoded HS256 key. It is generated by the PublicCertificateAuthorityService
+when the ExternalAccountKey is created.`,
+				Sensitive: true,
+			},
+			"b64url_mac_key": {
 				Type:     schema.TypeString,
 				Computed: true,
 				Description: `Base64-URL-encoded HS256 key. It is generated by the PublicCertificateAuthorityService
-when the ExternalAccountKey is created.`,
+when the ExternalAccountKey is created.'`,
 				Sensitive: true,
 			},
 			"key_id": {
@@ -135,6 +144,9 @@ func resourcePublicCAExternalAccountKeyCreate(d *schema.ResourceData, meta inter
 	if err := d.Set("b64_mac_key", flattenPublicCAExternalAccountKeyB64MacKey(res["b64MacKey"], d, config)); err != nil {
 		return fmt.Errorf(`Error setting computed identity field "b64_mac_key": %s`, err)
 	}
+	if err := d.Set("b64url_mac_key", flattenPublicCAExternalAccountKeyB64urlMacKey(res["b64MacKey"], d, config)); err != nil {
+		return fmt.Errorf(`Error setting computed identity field "b64url_mac_key": %s`, err)
+	}
 
 	// Store the ID now
 	id, err := tpgresource.ReplaceVars(d, config, "{{name}}")
@@ -173,3 +185,16 @@ func flattenPublicCAExternalAccountKeyKeyId(v interface{}, d *schema.ResourceDat
 func flattenPublicCAExternalAccountKeyB64MacKey(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
+
+func flattenPublicCAExternalAccountKeyB64urlMacKey(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return ""
+	}
+
+	dec, err := base64.StdEncoding.DecodeString(v.(string))
+	if err != nil {
+		return ""
+	}
+
+	return base64.URLEncoding.EncodeToString(dec)
+}
diff --git a/google-beta/services/publicca/resource_public_ca_external_account_key_generated_meta.yaml b/google-beta/services/publicca/resource_public_ca_external_account_key_generated_meta.yaml
@@ -6,6 +6,7 @@ api_version: 'v1beta1'
 api_resource_type_kind: 'ExternalAccountKey'
 fields:
   - field: 'b64_mac_key'
+  - field: 'b64url_mac_key'
   - field: 'key_id'
   - field: 'location'
     provider_only: true
diff --git a/google-beta/verify/validation.go b/google-beta/verify/validation.go
@@ -339,6 +339,14 @@ func ValidateBase64String(i interface{}, val string) ([]string, []error) {
 	return nil, nil
 }
 
+func ValidateBase64URLString(i interface{}, val string) ([]string, []error) {
+	_, err := base64.URLEncoding.DecodeString(i.(string))
+	if err != nil {
+		return nil, []error{fmt.Errorf("could not decode %q as a valid base64URL value.", val)}
+	}
+	return nil, nil
+}
+
 // StringNotInSlice returns a SchemaValidateFunc which tests if the provided value
 // is of type string and that it matches none of the element in the invalid slice.
 // if ignorecase is true, case is ignored.
diff --git a/website/docs/r/public_ca_external_account_key.html.markdown b/website/docs/r/public_ca_external_account_key.html.markdown
@@ -39,7 +39,7 @@ The EAB secret is invalidated if you don't use it within 7 days.
 The ACME account registered by using an EAB secret has no expiration.
 
 ~> **Warning:** All arguments including the following potentially sensitive
-values will be stored in the raw state as plain text: `key_id`, `b64_mac_key`.
+values will be stored in the raw state as plain text: `key_id`, `b64_mac_key`, `b64url_mac_key`.
 [Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).
 
 ## Example Usage - Public Ca External Account Key
@@ -82,10 +82,18 @@ In addition to the arguments listed above, the following computed attributes are
   **Note**: This property is sensitive and will not be displayed in the plan.
 
 * `b64_mac_key` -
+  (Deprecated)
   Base64-URL-encoded HS256 key. It is generated by the PublicCertificateAuthorityService
   when the ExternalAccountKey is created.
   **Note**: This property is sensitive and will not be displayed in the plan.
 
+  ~> **Warning:** `b64_mac_key` is deprecated and will be removed in a future major release. Use `b64url_mac_key` instead.
+
+* `b64url_mac_key` -
+  Base64-URL-encoded HS256 key. It is generated by the PublicCertificateAuthorityService
+  when the ExternalAccountKey is created.'
+  **Note**: This property is sensitive and will not be displayed in the plan.
+
 
 ## Timeouts
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+publicca: encode b64_mac_key in base64url, not in base64`
	`3`	+```