Add Decoding to Secrets (#408)

* Add decoding to secrets * remove index.js * Add test case, and other updates
2025-11-07 07:06:56 +00:00 · 2023-01-17 10:42:49 -06:00 · 2023-01-17 10:42:49 -06:00 · 0f409d4023
commit 0f409d4023
parent 8fa61e9099
3 changed files with 39 additions and 2 deletions
--- a/action.yml
+++ b/action.yml
@ -76,6 +76,9 @@ inputs:
    description: 'Time in seconds, after which token expires'
    required: false
    default: 3600
+  secretEncodingType:
+    description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
+    required: false
 runs:
  using: 'node16'
  main: 'dist/index.js'
--- a/src/action.js
+++ b/src/action.js
@ -6,6 +6,7 @@ const jsonata = require('jsonata');
 const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');

 const AUTH_METHODS = ['approle', 'token', 'github', 'jwt', 'kubernetes'];
+const ENCODING_TYPES = ['base64', 'hex', 'utf8'];

 async function exportSecrets() {
    const vaultUrl = core.getInput('url', { required: true });
@ -17,6 +18,8 @@ async function exportSecrets() {
    const secretsInput = core.getInput('secrets', { required: false });
    const secretRequests = parseSecretsInput(secretsInput);

+    const secretEncodingType = core.getInput('secretEncodingType', { required: false });
+
    const vaultMethod = (core.getInput('method', { required: false }) || 'token').toLowerCase();
    const authPayload = core.getInput('authPayload', { required: false });
    if (!AUTH_METHODS.includes(vaultMethod) && !authPayload) {
@ -81,11 +84,23 @@ async function exportSecrets() {

    const results = await getSecrets(requests, client);

+
    for (const result of results) {
-        const { value, request, cachedResponse } = result;
+        // Output the result
+
+        var value = result.value;
+        const request = result.request;
+        const cachedResponse = result.cachedResponse;
+
        if (cachedResponse) {
            core.debug('ℹ using cached response');
        }
+
+        // if a secret is encoded, decode it
+        if (ENCODING_TYPES.includes(secretEncodingType)) {
+            value = Buffer.from(value, secretEncodingType).toString();
+        }
+
        for (const line of value.replace(/\r/g, '').split('\n')) {
            if (line.length > 0) {
                command.issue('add-mask', line);
@ -99,7 +114,7 @@ async function exportSecrets() {
    }
 };

-/** @typedef {Object} SecretRequest 
+/** @typedef {Object} SecretRequest
 * @property {string} path
 * @property {string} envVarName
 * @property {string} outputVarName
--- a/src/action.test.js
+++ b/src/action.test.js
@ -184,6 +184,12 @@ describe('exportSecrets', () => {
            .mockReturnValueOnce(doExport);
    }

+    function mockEncodeType(doEncode) {
+        when(core.getInput)
+            .calledWith('secretEncodingType', expect.anything())
+            .mockReturnValueOnce(doEncode);
+    }
+
    it('simple secret retrieval', async () => {
        mockInput('test key');
        mockVaultData({
@ -196,6 +202,19 @@ describe('exportSecrets', () => {
        expect(core.setOutput).toBeCalledWith('key', '1');
    });

+    it('encoded secret retrieval', async () => {
+        mockInput('test key');
+        mockVaultData({
+            key: 'MQ=='
+        });
+        mockEncodeType('base64');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('KEY', '1');
+        expect(core.setOutput).toBeCalledWith('key', '1');
+    });
+
    it('intl secret retrieval', async () => {
        mockInput('测试 测试');
        mockVaultData({