credshelper accepts bazel credhelper compat GetCredentialsResponse json.

go/pkg/credshelper/credshelper.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -230,12 +231,64 @@ type JSONOut struct {
 	Expiry  string            `json:"expiry"`
 }
 
+// bazelCompatJSONOut is a record the json output from the credshelper
+// that also accepts bazel credhelper output
+// https://github.com/EngFlow/credential-helper-spec/blob/main/spec.md
+// https://github.com/EngFlow/credential-helper-spec/blob/main/schemas/get-credentials-response.schema.json
+type bazelCompatJSONOut struct {
+	// value is []any (slice of string) (bazel),
+	// or string (reclient legacy).
+	Headers map[string]any `json:"headers"`
+	Expires string         `json:"expires"` // RFC3339
+	// for reclient legacy
+	Token  string `json:"token"`
+	Expiry string `json:"expiry"` // unix date
+}
+
 func parseTokenExpiryFromOutput(out string) (*credshelperOutput, error) {
 	credsOut := &credshelperOutput{}
-	var jsonOut JSONOut
-	if err := json.Unmarshal([]byte(out), &jsonOut); err != nil {
+	var jout bazelCompatJSONOut
+	if err := json.Unmarshal([]byte(out), &jout); err != nil {
 		return nil, fmt.Errorf("error while decoding credshelper output:%v", err)
 	}
+	var jsonOut JSONOut
+	var bearerToken string
+	if len(jout.Headers) > 0 {
+		h := make(http.Header)
+		for k, v := range jout.Headers {
+			switch v := v.(type) {
+			case string: // reclient legacy
+				h.Set(k, v)
+			case []any: // bazel compat?
+				for _, x := range v {
+					if s, ok := x.(string); ok {
+						h.Add(k, s)
+					} else {
+						return nil, fmt.Errorf("wrong value type for headers for %q: %v (%T)", k, x, x)
+					}
+				}
+			default:
+				return nil, fmt.Errorf("wrong value type for headers for %q: %T", k, v)
+			}
+		}
+		jsonOut.Headers = make(map[string]string)
+		for k := range jout.Headers {
+			v := h.Get(k)
+			jsonOut.Headers[k] = v
+			if http.CanonicalHeaderKey(k) == http.CanonicalHeaderKey("Authorization") && strings.HasPrefix(v, "Bearer ") {
+				bearerToken = strings.TrimSpace(strings.TrimPrefix(v, "Bearer "))
+			}
+		}
+	}
+	if jout.Token != "" {
+		jsonOut.Token = jout.Token
+	} else if bearerToken != "" {
+		jsonOut.Token = bearerToken
+	}
+	if jout.Expiry != "" {
+		jsonOut.Expiry = jout.Expiry
+	}
+
 	if jsonOut.Token == "" && len(jsonOut.Headers) == 0 {
 		return nil, fmt.Errorf("both token and headers are empty, invalid credentials")
 	}
@@ -248,6 +301,13 @@ func parseTokenExpiryFromOutput(out string) (*credshelperOutput, error) {
 		}
 		credsOut.tk.Expiry = expiry
 	}
+	if jout.Expires != "" {
+		expiry, err := time.Parse(time.RFC3339, jout.Expires)
+		if err != nil {
+			return nil, fmt.Errorf("invalid expires format: %v (Expected time.RFC3339 format)", jout.Expires)
+		}
+		credsOut.tk.Expiry = expiry
+	}
 	return credsOut, nil
 }
 

go/pkg/credshelper/credshelper_test.go

@@ -116,6 +116,7 @@ func TestNewExternalCredentials(t *testing.T) {
 	exp := time.Now().Add(time.Hour).Truncate(time.Second)
 	expStr := exp.String()
 	unixExp := exp.Format(time.UnixDate)
+	rfc3339Exp := exp.Format(time.RFC3339)
 	tests := []struct {
 		name           string
 		wantErr        bool
@@ -138,6 +139,12 @@ func TestNewExternalCredentials(t *testing.T) {
 		name:           "Wrong Expiry Format",
 		wantErr:        true,
 		credshelperOut: fmt.Sprintf(`{"headers":{"hdr":"val"},"token":"%v","expiry":"%v"}`, testToken, expStr),
+	}, {
+		name:           "bazelCompatAndReclientLegacy",
+		credshelperOut: fmt.Sprintf(`{"headers":{"hdr":["val"]},"token":%q,"expiry":%q, "expires":%q}`, testToken, unixExp, rfc3339Exp),
+	}, {
+		name:           "bazelCompat",
+		credshelperOut: fmt.Sprintf(`{"headers":{"Authorization":["Bearer %s"]},"expires":%q}`, testToken, rfc3339Exp),
 	}}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {