make "role" input optional (#291)

* make "role" input optional Per Vault documentation it doesn't have to be provided, and the auth provider's "default_role" parameter is required precisely for this case. https://www.vaultproject.io/api/auth/jwt
2025-11-07 07:06:56 +00:00 · 2022-04-07 16:34:46 +02:00 · 2022-04-07 16:34:46 +02:00 · 2f64a97498
commit 2f64a97498
parent 25c4aec690
2 changed files with 27 additions and 10 deletions
--- a/integrationTests/basic/jwt_auth.test.js
+++ b/integrationTests/basic/jwt_auth.test.js
@ -51,6 +51,9 @@ function mockGithubOIDCResponse(aud= "https://github.com/hashicorp/vault-action"
    return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey);
 }

+// The sign call inside this function takes a while to run, so cache the default JWT in a constant.
+const defaultGithubJwt = mockGithubOIDCResponse();
+
 describe('jwt auth', () => {
    beforeAll(async () => {
        // Verify Connection
@ -99,7 +102,8 @@ describe('jwt auth', () => {
                'X-Vault-Token': 'testtoken',
            },
            json: {
-                jwt_validation_pubkeys: publicRsaKey
+                jwt_validation_pubkeys: publicRsaKey,
+                default_role: "default"
            }
        });

@ -198,20 +202,20 @@ describe('jwt auth', () => {
                .calledWith('jwtPrivateKey')
                .mockReturnValueOnce('');

-            when(core.getInput)
-                .calledWith('role')
-                .mockReturnValueOnce('default');
-
            when(core.getInput)
                .calledWith('secrets')
                .mockReturnValueOnce('secret/data/test secret');
-
-            when(core.getIDToken)
-                .calledWith()
-                .mockReturnValueOnce(mockGithubOIDCResponse());
        });

        it('successfully authenticates', async () => {
+            when(core.getInput)
+                .calledWith('role')
+                .mockReturnValueOnce('default');
+
+            when(core.getIDToken)
+                .calledWith()
+                .mockReturnValueOnce(defaultGithubJwt);
+
            await exportSecrets();
            expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
        });
@ -233,6 +237,19 @@ describe('jwt auth', () => {
            expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
        })

+        it('successfully authenticates as default role without specifying it', async () => {
+            when(core.getInput)
+                .calledWith('role')
+                .mockReturnValueOnce(null);
+
+            when(core.getIDToken)
+                .calledWith()
+                .mockReturnValueOnce(defaultGithubJwt);
+
+            await exportSecrets();
+            expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
+        })
+
    });

 });
--- a/src/auth.js
+++ b/src/auth.js
@ -25,7 +25,7 @@ async function retrieveToken(method, client) {
        case 'jwt': {
            /** @type {string} */
            let jwt;
-            const role = core.getInput('role', { required: true });
+            const role = core.getInput('role', { required: false });
            const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false });
            const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
            const keyPassword = core.getInput('jwtKeyPassword', { required: false });