From 2f64a9749832e676136ea587e5adbaae1d4344eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamil=20Doma=C5=84ski?= Date: Thu, 7 Apr 2022 16:34:46 +0200 Subject: [PATCH] make "role" input optional (#291) * make "role" input optional Per Vault documentation it doesn't have to be provided, and the auth provider's "default_role" parameter is required precisely for this case. https://www.vaultproject.io/api/auth/jwt --- integrationTests/basic/jwt_auth.test.js | 35 ++++++++++++++++++------- src/auth.js | 2 +- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/integrationTests/basic/jwt_auth.test.js b/integrationTests/basic/jwt_auth.test.js index c761bd4..6d283ed 100644 --- a/integrationTests/basic/jwt_auth.test.js +++ b/integrationTests/basic/jwt_auth.test.js @@ -51,6 +51,9 @@ function mockGithubOIDCResponse(aud= "https://github.com/hashicorp/vault-action" return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey); } +// The sign call inside this function takes a while to run, so cache the default JWT in a constant. +const defaultGithubJwt = mockGithubOIDCResponse(); + describe('jwt auth', () => { beforeAll(async () => { // Verify Connection @@ -99,7 +102,8 @@ describe('jwt auth', () => { 'X-Vault-Token': 'testtoken', }, json: { - jwt_validation_pubkeys: publicRsaKey + jwt_validation_pubkeys: publicRsaKey, + default_role: "default" } }); 
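Review bot: `defaultGithubJwt` is signed once when the test file is loaded, so every test that uses it shares one token whose time-based claims are fixed at import rather than at test time. The payload is built outside this hunk; if it sets `iat`, `nbf` or `exp` relative to the current time, the comment should record that, for example `// Signed once at load: time-based claims are relative to import time, not to the test that uses the token.` Tests that need a different audience still have to call `mockGithubOIDCResponse(aud)` themselves.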
@@ -198,20 +202,20 @@ describe('jwt auth', () => { .calledWith('jwtPrivateKey') .mockReturnValueOnce(''); - when(core.getInput) - .calledWith('role') - .mockReturnValueOnce('default'); - when(core.getInput) .calledWith('secrets') .mockReturnValueOnce('secret/data/test secret'); - - when(core.getIDToken) - .calledWith() - .mockReturnValueOnce(mockGithubOIDCResponse()); }); it('successfully authenticates', async () => { + when(core.getInput) + .calledWith('role') + .mockReturnValueOnce('default'); + + when(core.getIDToken) + .calledWith() + .mockReturnValueOnce(defaultGithubJwt); + await exportSecrets(); expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET'); }); @@ -233,6 +237,19 @@ describe('jwt auth', () => { expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET'); }) + it('successfully authenticates as default role without specifying it', async () => { + when(core.getInput) + .calledWith('role') + .mockReturnValueOnce(null); + + when(core.getIDToken) + .calledWith() + .mockReturnValueOnce(defaultGithubJwt); + + await exportSecrets(); + expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET'); + }) + }); }); diff --git a/src/auth.js b/src/auth.js index ba89eeb..5e9cb20 100644 --- a/src/auth.js +++ b/src/auth.js @@ -25,7 +25,7 @@ async function retrieveToken(method, client) { case 'jwt': { /** @type {string} */ let jwt; - const role = core.getInput('role', { required: true }); + const role = core.getInput('role', { required: false }); const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false }); const privateKey = Buffer.from(privateKeyRaw, 'base64').toString(); const keyPassword = core.getInput('jwtKeyPassword', { required: false });
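Review bot: Removing the `role` and `getIDToken` mocks from the shared setup block changes the inputs of every test in this `describe`, including the test that sits between this hunk and the next one, which the diff leaves untouched and does not show. If that test relied on the shared `role` mock, it now runs with `role` unset and would pass through the server's `default_role`, so it would no longer cover the explicit-role path. Confirm that it sets `role` itself, or keep `.calledWith('role')` in the shared setup and override it only in the new default-role test.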
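Review bot: The new test mocks `core.getInput('role')` as `null`, but `getInput` from `@actions/core` returns an empty string for an input that is not set, so the test does not exercise the value the action sees in a real workflow. Use `.mockReturnValueOnce('')` instead. The code that builds the login request from `role` is outside this diff; if it forwards the value as is, `null` and `''` may be serialised differently, and the empty-string case is the one this test should pin.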
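Review bot: With `required: false`, a missing or misspelled `role` input no longer fails the step; `role` is then an empty string, and the policies attached to the resulting token are whatever the auth mount's `default_role` grants, decided on the Vault side. That least-privilege consequence is worth stating at the call site, for example `// Empty when unset: Vault falls back to the auth mount's default_role, so the granted policies are chosen server-side.` The rest of the `jwt` case, including how `role` is sent to Vault, lies outside the hunk. The input's description in the action metadata should say the same, so that users set `role` explicitly when the default role is broader than the workflow needs.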