actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 15:16:56 +00:00
Code Activity Actions

feat: add support for (nearly) any engine (#15)

Browse source 
* feat: add support for (nearly) any engine

* cache response and fixup data depth logic

* use starting slash as non-kv sentinel value

* add tests for custom engines

* improve docs and add descriptor of generic support

* update dist
This commit is contained in:
Richard Simpson 2020-02-05 16:33:12 -06:00 committed by GitHub
parent f229481670
commit 0188d9d223
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 238 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
.github/workflows/build.yml vendored
View file

@ -130,6 +130,14 @@ jobs:
test altSecret ; test altSecret ;
test altSecret | NAMED_ALTSECRET ; test altSecret | NAMED_ALTSECRET ;
nested/test otherAltSecret ; nested/test otherAltSecret ;
- name: use vault action (using cubbyhole engine)
uses: ./
with:
url: http://localhost:${{ job.services.vault.ports[8200] }}
token: testtoken
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
- name: verify - name: verify
run: npm run test:e2e run: npm run test:e2e

58
README.md
View file

@ -1,8 +1,8 @@
# vault-action # vault-action
A helper action for easily pulling secrets from the K/V backend of vault. A helper action for easily pulling secrets from HashiCorp Vault™.
Expects [Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2/) of the KV Secrets Engine by default. By default, this action pulls from [Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2/) of the K/V Engine. See examples below for how to [use v1](#using-kv-version-1) as well as non-K/V engines.
## Example Usage ## Example Usage
@ -26,7 +26,8 @@ jobs:
## Authentication method ## Authentication method
The `method` parameter can have these value : While most workflows will likely use a vault token, you can also use an `approle` to authenticate with vaule. You can configure which by using the `method` parameter:
- **token**: (by default) you must provide a token parameter - **token**: (by default) you must provide a token parameter
```yaml ```yaml
... ...
@ -106,7 +107,7 @@ with:
kv-version: 1 kv-version: 1
``` ```
### Custom Engine Path ### Custom K/V Engine Path
When you enable the K/V Engine, by default it's placed at the path `secret`, so a secret named `ci` will be accessed from `secret/ci`. However, [if you enabled the secrets engine using a custom `path`](https://www.vaultproject.io/docs/commands/secrets/enable/#inlinecode--path-4), you When you enable the K/V Engine, by default it's placed at the path `secret`, so a secret named `ci` will be accessed from `secret/ci`. However, [if you enabled the secrets engine using a custom `path`](https://www.vaultproject.io/docs/commands/secrets/enable/#inlinecode--path-4), you
can pass it as follows: can pass it as follows:
@ -119,9 +120,56 @@ with:
This way, the `ci` secret in the example above will be retrieved from `my-secrets/ci`. This way, the `ci` secret in the example above will be retrieved from `my-secrets/ci`.
### Other Secret Engines
While this action primarily supports the K/V engine, it is possible to request secrets from other engines in Vault.
To do so when specifying the `Secret Path`, just append a leading formard slash (`/`) and specify the path as described in the Vault API documentation.
For example, to retrieve a stored secret from the [`cubbyhole` engine](https://www.vaultproject.io/api-docs/secret/cubbyhole/), assuming you have a stored secret at the path `foo` with the contents:
```json
{
"foo": "bar",
"zip": "zap"
}
```
You could request the contents like so:
```yaml
with:
secrets: |
/cubbyhole/foo foo ;
/cubbyhole/foo zip | MY_KEY ;
```
Resulting in:
```bash
FOO=bar MY_KEY=zap
```
Secrets pulled from the same `Secret Path` are cached by default. So if you, for example, are using the `aws` engine and retrieve a key, only a single key for a given path is returned.
e.g.:
```yaml
with:
secrets: |
/aws/creds/ci access_key | AWS_ACCESS_KEY_ID ;
/aws/creds/ci secret_key | AWS_SECRET_ACCESS_KEY
```
would work fine.
NOTE: The `Secret Key` is pulled from the `data` property of the response.
## Vault Enterprise Features
### Namespace ### Namespace
This action could be use with namespace Vault Enterprise feature. You can specify namespace in request : If you need to retrieve secrets from a specific vault namespace, all that's required is an additional parameter specifying the namespace.
```yaml ```yaml
steps: steps:

95
action.js
View file

@ -3,6 +3,8 @@ const command = require('@actions/core/lib/command');
const got = require('got'); const got = require('got');
const AUTH_METHODS = ['approle', 'token']; const AUTH_METHODS = ['approle', 'token'];
const VALID_KV_VERSION = [-1, 1, 2];
async function exportSecrets() { async function exportSecrets() {
const vaultUrl = core.getInput('url', { required: true }); const vaultUrl = core.getInput('url', { required: true });
const vaultNamespace = core.getInput('namespace', { required: false }); const vaultNamespace = core.getInput('namespace', { required: false });
@ -11,7 +13,7 @@ async function exportSecrets() {
let kvVersion = core.getInput('kv-version', { required: false }); let kvVersion = core.getInput('kv-version', { required: false });
const secretsInput = core.getInput('secrets', { required: true }); const secretsInput = core.getInput('secrets', { required: true });
const secrets = parseSecretsInput(secretsInput); const secretRequests = parseSecretsInput(secretsInput);
const vaultMethod = core.getInput('method', { required: false }) || 'token'; const vaultMethod = core.getInput('method', { required: false }) || 'token';
if (!AUTH_METHODS.includes(vaultMethod)) { if (!AUTH_METHODS.includes(vaultMethod)) {
@ -52,17 +54,17 @@ async function exportSecrets() {
} }
if (!kvVersion) { if (!kvVersion) {
kvVersion = '2'; kvVersion = 2;
}
kvVersion = +kvVersion;
if (Number.isNaN(kvVersion) || !VALID_KV_VERSION.includes(kvVersion)) {
throw Error(`You must provide a valid K/V version (${VALID_KV_VERSION.slice(1).join(', ')}). Input: "${kvVersion}"`);
} }
if (kvVersion !== '1' && kvVersion !== '2') { const responseCache = new Map();
throw Error(`You must provide a valid K/V version (1 or 2). Input: "${kvVersion}"`); for (const secretRequest of secretRequests) {
} const { secretPath, outputName, secretSelector, isJSONPath } = secretRequest;
kvVersion = parseInt(kvVersion);
for (const secret of secrets) {
const { secretPath, outputName, secretKey } = secret;
const requestOptions = { const requestOptions = {
headers: { headers: {
'X-Vault-Token': vaultToken 'X-Vault-Token': vaultToken
@ -73,13 +75,30 @@ async function exportSecrets() {
requestOptions.headers["X-Vault-Namespace"] = vaultNamespace; requestOptions.headers["X-Vault-Namespace"] = vaultNamespace;
} }
const requestPath = (kvVersion === 1) let requestPath = `${vaultUrl}/v1`;
? `${vaultUrl}/v1/${enginePath}/${secretPath}` const kvRequest = !secretPath.startsWith('/')
: `${vaultUrl}/v1/${enginePath}/data/${secretPath}`; if (!kvRequest) {
const result = await got(requestPath, requestOptions); requestPath += secretPath;
} else {
requestPath += (kvVersion === 2)
? `/${enginePath}/data/${secretPath}`
: `/${enginePath}/${secretPath}`;
}
const secretData = parseResponse(result.body, kvVersion); let body;
const value = secretData[secretKey]; if (responseCache.has(requestPath)) {
body = responseCache.get(requestPath);
core.debug(' using cached response');
} else {
const result = await got(requestPath, requestOptions);
body = result.body;
responseCache.set(requestPath, body);
}
let dataDepth = isJSONPath === true ? 0 : kvRequest === false ? 1 : kvVersion;
const secretData = getResponseData(body, dataDepth);
const value = selectData(secretData, secretSelector);
command.issue('add-mask', value); command.issue('add-mask', value);
core.exportVariable(outputName, `${value}`); core.exportVariable(outputName, `${value}`);
core.debug(`${secretPath} => ${outputName}`); core.debug(`${secretPath} => ${outputName}`);
@ -122,17 +141,18 @@ function parseSecretsInput(secretsInput) {
throw Error(`You must provide a valid path and key. Input: "${secret}"`) throw Error(`You must provide a valid path and key. Input: "${secret}"`)
} }
const [secretPath, secretKey] = pathParts; const [secretPath, secretSelector] = pathParts;
// If we're not using a mapped name, normalize the key path into a variable name. // If we're not using a mapped name, normalize the key path into a variable name.
if (!outputName) { if (!outputName) {
outputName = normalizeOutputKey(secretKey); outputName = normalizeOutputKey(secretSelector);
} }
output.push({ output.push({
secretPath, secretPath,
outputName, outputName,
secretKey secretSelector,
isJSONPath: secretSelector.startsWith('$')
}); });
} }
return output; return output;
@ -143,22 +163,26 @@ function parseSecretsInput(secretsInput) {
* @param {string} responseBody * @param {string} responseBody
* @param {number} kvVersion * @param {number} kvVersion
*/ */
function parseResponse(responseBody, kvVersion) { function getResponseData(responseBody, dataLevel) {
const parsedResponse = JSON.parse(responseBody); let secretData = JSON.parse(responseBody);
let secretData;
switch(kvVersion) { for (let i = 0; i < dataLevel; i++) {
case 1: { secretData = secretData['data'];
secretData = parsedResponse.data; }
} break; return secretData;
}
case 2: { /**
const vaultKeyData = parsedResponse.data; * Parses a JSON response and returns the secret data
secretData = vaultKeyData.data; * @param {Object} data
} break; * @param {string} selector
*/
function selectData(data, selector, isJSONPath) {
if (!isJSONPath) {
return data[selector];
} }
return secretData; // TODO: JSONPath
} }
/** /**
@ -169,9 +193,16 @@ function normalizeOutputKey(dataKey) {
return dataKey.replace('/', '__').replace(/[^\w-]/, '').toUpperCase(); return dataKey.replace('/', '__').replace(/[^\w-]/, '').toUpperCase();
} }
function parseBoolInput(input) {
if (input === null || input === undefined || input.trim() === '') {
return null;
}
return Boolean(input);
}
module.exports = { module.exports = {
exportSecrets, exportSecrets,
parseSecretsInput, parseSecretsInput,
parseResponse, parseResponse: getResponseData,
normalizeOutputKey normalizeOutputKey
}; };

3
action.test.js
View file

@ -17,8 +17,9 @@ describe('parseSecretsInput', () => {
const output = parseSecretsInput('test key'); const output = parseSecretsInput('test key');
expect(output).toContainEqual({ expect(output).toContainEqual({
secretPath: 'test', secretPath: 'test',
secretKey: 'key', secretSelector: 'key',
outputName: 'KEY', outputName: 'KEY',
isJSONPath: false
}); });
}); });

95
dist/index.js vendored
View file

@ -4066,6 +4066,8 @@ const command = __webpack_require__(431);
const got = __webpack_require__(77); const got = __webpack_require__(77);
const AUTH_METHODS = ['approle', 'token']; const AUTH_METHODS = ['approle', 'token'];
const VALID_KV_VERSION = [-1, 1, 2];
async function exportSecrets() { async function exportSecrets() {
const vaultUrl = core.getInput('url', { required: true }); const vaultUrl = core.getInput('url', { required: true });
const vaultNamespace = core.getInput('namespace', { required: false }); const vaultNamespace = core.getInput('namespace', { required: false });
@ -4074,7 +4076,7 @@ async function exportSecrets() {
let kvVersion = core.getInput('kv-version', { required: false }); let kvVersion = core.getInput('kv-version', { required: false });
const secretsInput = core.getInput('secrets', { required: true }); const secretsInput = core.getInput('secrets', { required: true });
const secrets = parseSecretsInput(secretsInput); const secretRequests = parseSecretsInput(secretsInput);
const vaultMethod = core.getInput('method', { required: false }) || 'token'; const vaultMethod = core.getInput('method', { required: false }) || 'token';
if (!AUTH_METHODS.includes(vaultMethod)) { if (!AUTH_METHODS.includes(vaultMethod)) {
@ -4115,17 +4117,17 @@ async function exportSecrets() {
} }
if (!kvVersion) { if (!kvVersion) {
kvVersion = '2'; kvVersion = 2;
}
kvVersion = +kvVersion;
if (Number.isNaN(kvVersion) || !VALID_KV_VERSION.includes(kvVersion)) {
throw Error(`You must provide a valid K/V version (${VALID_KV_VERSION.slice(1).join(', ')}). Input: "${kvVersion}"`);
} }
if (kvVersion !== '1' && kvVersion !== '2') { const responseCache = new Map();
throw Error(`You must provide a valid K/V version (1 or 2). Input: "${kvVersion}"`); for (const secretRequest of secretRequests) {
} const { secretPath, outputName, secretSelector, isJSONPath } = secretRequest;
kvVersion = parseInt(kvVersion);
for (const secret of secrets) {
const { secretPath, outputName, secretKey } = secret;
const requestOptions = { const requestOptions = {
headers: { headers: {
'X-Vault-Token': vaultToken 'X-Vault-Token': vaultToken
@ -4136,13 +4138,30 @@ async function exportSecrets() {
requestOptions.headers["X-Vault-Namespace"] = vaultNamespace; requestOptions.headers["X-Vault-Namespace"] = vaultNamespace;
} }
const requestPath = (kvVersion === 1) let requestPath = `${vaultUrl}/v1`;
? `${vaultUrl}/v1/${enginePath}/${secretPath}` const kvRequest = !secretPath.startsWith('/')
: `${vaultUrl}/v1/${enginePath}/data/${secretPath}`; if (!kvRequest) {
const result = await got(requestPath, requestOptions); requestPath += secretPath;
} else {
requestPath += (kvVersion === 2)
? `/${enginePath}/data/${secretPath}`
: `/${enginePath}/${secretPath}`;
}
const secretData = parseResponse(result.body, kvVersion); let body;
const value = secretData[secretKey]; if (responseCache.has(requestPath)) {
body = responseCache.get(requestPath);
core.debug(' using cached response');
} else {
const result = await got(requestPath, requestOptions);
body = result.body;
responseCache.set(requestPath, body);
}
let dataDepth = isJSONPath === true ? 0 : kvRequest === false ? 1 : kvVersion;
const secretData = getResponseData(body, dataDepth);
const value = selectData(secretData, secretSelector);
command.issue('add-mask', value); command.issue('add-mask', value);
core.exportVariable(outputName, `${value}`); core.exportVariable(outputName, `${value}`);
core.debug(`${secretPath} => ${outputName}`); core.debug(`${secretPath} => ${outputName}`);
@ -4185,17 +4204,18 @@ function parseSecretsInput(secretsInput) {
throw Error(`You must provide a valid path and key. Input: "${secret}"`) throw Error(`You must provide a valid path and key. Input: "${secret}"`)
} }
const [secretPath, secretKey] = pathParts; const [secretPath, secretSelector] = pathParts;
// If we're not using a mapped name, normalize the key path into a variable name. // If we're not using a mapped name, normalize the key path into a variable name.
if (!outputName) { if (!outputName) {
outputName = normalizeOutputKey(secretKey); outputName = normalizeOutputKey(secretSelector);
} }
output.push({ output.push({
secretPath, secretPath,
outputName, outputName,
secretKey secretSelector,
isJSONPath: secretSelector.startsWith('$')
}); });
} }
return output; return output;
@ -4206,22 +4226,26 @@ function parseSecretsInput(secretsInput) {
* @param {string} responseBody * @param {string} responseBody
* @param {number} kvVersion * @param {number} kvVersion
*/ */
function parseResponse(responseBody, kvVersion) { function getResponseData(responseBody, dataLevel) {
const parsedResponse = JSON.parse(responseBody); let secretData = JSON.parse(responseBody);
let secretData;
switch(kvVersion) { for (let i = 0; i < dataLevel; i++) {
case 1: { secretData = secretData['data'];
secretData = parsedResponse.data; }
} break; return secretData;
}
case 2: { /**
const vaultKeyData = parsedResponse.data; * Parses a JSON response and returns the secret data
secretData = vaultKeyData.data; * @param {Object} data
} break; * @param {string} selector
*/
function selectData(data, selector, isJSONPath) {
if (!isJSONPath) {
return data[selector];
} }
return secretData; // TODO: JSONPath
} }
/** /**
@ -4232,10 +4256,17 @@ function normalizeOutputKey(dataKey) {
return dataKey.replace('/', '__').replace(/[^\w-]/, '').toUpperCase(); return dataKey.replace('/', '__').replace(/[^\w-]/, '').toUpperCase();
} }
function parseBoolInput(input) {
if (input === null || input === undefined || input.trim() === '') {
return null;
}
return Boolean(input);
}
module.exports = { module.exports = {
exportSecrets, exportSecrets,
parseSecretsInput, parseSecretsInput,
parseResponse, parseResponse: getResponseData,
normalizeOutputKey normalizeOutputKey
}; };

36
integrationTests/basic/integration.test.js
View file

@ -171,4 +171,40 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERCUSTOMSECRET'); expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERCUSTOMSECRET');
}); });
describe('generic engines', () => {
beforeAll(async () => {
await got(`${vaultUrl}/v1/cubbyhole/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
foo: "bar",
zip: "zap"
},
});
});
it('supports cubbyhole', async () => {
mockInput('/cubbyhole/test foo');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
});
it('caches responses', async () => {
mockInput(`
/cubbyhole/test foo ;
/cubbyhole/test zip`);
await exportSecrets();
expect(core.debug).toBeCalledWith(' using cached response');
expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
});
})
}); });

2
integrationTests/e2e/e2e.test.js
View file

@ -6,5 +6,7 @@ describe('e2e', () => {
expect(process.env.ALTSECRET).toBe("CUSTOMSECRET"); expect(process.env.ALTSECRET).toBe("CUSTOMSECRET");
expect(process.env.NAMED_ALTSECRET).toBe("CUSTOMSECRET"); expect(process.env.NAMED_ALTSECRET).toBe("CUSTOMSECRET");
expect(process.env.OTHERALTSECRET).toBe("OTHERCUSTOMSECRET"); expect(process.env.OTHERALTSECRET).toBe("OTHERCUSTOMSECRET");
expect(process.env.FOO).toBe("bar");
expect(process.env.NAMED_CUBBYSECRET).toBe("zap");
}); });
}); });

11
integrationTests/e2e/setup.js
View file

@ -64,6 +64,17 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
otherAltSecret: 'OTHERCUSTOMSECRET', otherAltSecret: 'OTHERCUSTOMSECRET',
}, },
}); });
await got(`http://${vaultUrl}/v1/cubbyhole/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
foo: 'bar',
zip: 'zap',
},
});
} catch (error) { } catch (error) {
console.log(error); console.log(error);
process.exit(1); process.exit(1);