From 18f2aae9364638f33abdfddfa6aebe65a5c8b26f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Laszlo?=
Date: Fri, 6 Dec 2024 17:15:22 +0100
Subject: [PATCH] Simplify parsing by changing account separators
---
 .../secrets/adapters/gcp_secret_manager.rb | 22 +++++--------------
 .../gcp_secret_manager_adapter_test.rb | 6 ++---
 2 files changed, 8 insertions(+), 20 deletions(-)
diff --git a/lib/kamal/secrets/adapters/gcp_secret_manager.rb b/lib/kamal/secrets/adapters/gcp_secret_manager.rb
index 25c9fa00..82fbb0bf 100644
--- a/lib/kamal/secrets/adapters/gcp_secret_manager.rb
+++ b/lib/kamal/secrets/adapters/gcp_secret_manager.rb
@@ -5,7 +5,7 @@ class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Bas
 # impersonation.
 #
 # Syntax:
- # ACCOUNT: USER | USER "," DELEGATION_CHAIN
+ # ACCOUNT: USER | USER "|" DELEGATION_CHAIN
 # USER: DEFAULT_USER | EMAIL
 # DELEGATION_CHAIN: EMAIL | EMAIL "," DELEGATION_CHAIN
 # EMAIL:
@@ -13,10 +13,10 @@ class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Bas
 #
 # Some valid examples:
 # - "my-user@example.com" sets the user
- # - "my-user@example.com,my-service-user@example.com" will use my-user and enable service account impersonation as my-service-user
+ # - "my-user@example.com|my-service-user@example.com" will use my-user and enable service account impersonation as my-service-user
 # - "default" will use the default user and no impersonation
- # - "default,my-service-user@example.com" will use the default user, and enable service account impersonation as my-service-user
- # - "default,my-service-user@example.com,another-service-user@example.com" same as above, but with an impersonation delegation chain
+ # - "default|my-service-user@example.com" will use the default user, and enable service account impersonation as my-service-user
+ # - "default|my-service-user@example.com,another-service-user@example.com" same as above, but with an impersonation delegation chain
 if !logged_in?
 raise RuntimeError, "gcloud is not authenticated, please run `gcloud auth login`"
@@ -102,19 +102,7 @@ class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Bas
 end
 def parse_account(account)
- return "default", nil if account == "default"
-
- parts = account.split(",", 2)
-
- if parts.length == 2
- return parts.shift, parts.shift
- elsif parts.length != 1
- raise RuntimeError, "Invalid account, too many parts: #{account}"
- elsif is_user?(account)
- return account, nil
- end
-
- raise RuntimeError, "Invalid account, not a user: #{account}"
+ account.split("|", 2)
 end
 def is_user?(candidate)
diff --git a/test/secrets/gcp_secret_manager_adapter_test.rb b/test/secrets/gcp_secret_manager_adapter_test.rb
index 3369d08e..d9b30151 100644
--- a/test/secrets/gcp_secret_manager_adapter_test.rb
+++ b/test/secrets/gcp_secret_manager_adapter_test.rb
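Review bot: The new `parse_account` body, `account.split("|", 2)`, drops every check the removed lines made, so an account still written in the old comma form (for example `default,my-service-user@example.com`) comes back as the user with no delegation chain instead of being rejected. If the caller treats a missing second element as "no impersonation" (the caller is outside this hunk, so this is inferred), a stale config would attempt the secret fetch under the base identity rather than the intended service account. A trailing separator such as `user@example.com|` also yields an empty-string chain, and an empty account yields `[]`. Keeping the split but validating the first part would fail closed: `user, chain = account.to_s.split("|", 2)` followed by `raise RuntimeError, "Invalid account, not a user: #{account}" unless user == "default" || is_user?(user)`, then `[ user, chain.to_s.empty? ? nil : chain ]`. The body of `is_user?` starts below the hunk and is not visible here, so confirm it rejects a value containing a comma.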
@@ -91,7 +91,7 @@ class GcpSecretManagerAdapterTest < SecretAdapterTestCase
 stub_authenticated
 stub_items(0, project: "some-project", version: "123", impersonate_service_account: "service-user@example.com")
- json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "default,service-user@example.com")))
+ json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "default|service-user@example.com")))
 expected_json = {
 "some-project/item1"=>"secret1"
@@ -105,7 +105,7 @@ class GcpSecretManagerAdapterTest < SecretAdapterTestCase
 stub_authenticated
 stub_items(0, project: "some-project", version: "123", account: "user@example.com", impersonate_service_account: "service-user@example.com,service-user2@example.com")
- json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "user@example.com,service-user@example.com,service-user2@example.com")))
+ json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "user@example.com|service-user@example.com,service-user2@example.com")))
 expected_json = {
 "some-project/item1"=>"secret1"
@@ -119,7 +119,7 @@ class GcpSecretManagerAdapterTest < SecretAdapterTestCase
 stub_authenticated
 stub_items(0, project: "some-project", version: "123", account: "email@example.com", impersonate_service_account: "service-user@example.com")
- json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "email@example.com,service-user@example.com")))
+ json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "email@example.com|service-user@example.com")))
 expected_json = {
 "some-project/item1"=>"secret1"
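Review bot: No test here covers input that the simplified parser no longer rejects; the three updated cases (this hunk and the ones at -105 and -119) only swap the separator in otherwise valid accounts. A case that passes a legacy comma-separated account such as `account: "default,service-user@example.com"` and asserts the outcome (a raise, or at minimum that the command is not built without `impersonate_service_account`) would pin what happens to configs written for the old syntax. A second case for a trailing `|` would cover the empty delegation chain. The enclosing test methods start and end outside these hunks.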