actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 07:06:56 +00:00
Code Activity Actions

make "role" input optional (#291)

Browse source 
* make "role" input optional

Per Vault documentation it doesn't have to be provided,
and the auth provider's "default_role" parameter is required
precisely for this case.
https://www.vaultproject.io/api/auth/jwt
This commit is contained in:
Kamil Domański 2022-04-07 16:34:46 +02:00 committed by GitHub
parent 25c4aec690
commit 2f64a97498
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
integrationTests/basic/jwt_auth.test.js
View file

@ -51,6 +51,9 @@ function mockGithubOIDCResponse(aud= "https://github.com/hashicorp/vault-action"
return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey); return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey);
} }
// The sign call inside this function takes a while to run, so cache the default JWT in a constant.
const defaultGithubJwt = mockGithubOIDCResponse();
describe('jwt auth', () => { describe('jwt auth', () => {
beforeAll(async () => { beforeAll(async () => {
// Verify Connection // Verify Connection
@ -99,7 +102,8 @@ describe('jwt auth', () => {
'X-Vault-Token': 'testtoken', 'X-Vault-Token': 'testtoken',
}, },
json: { json: {
jwt_validation_pubkeys: publicRsaKey jwt_validation_pubkeys: publicRsaKey,
default_role: "default"
} }
}); });
@ -198,20 +202,20 @@ describe('jwt auth', () => {
.calledWith('jwtPrivateKey') .calledWith('jwtPrivateKey')
.mockReturnValueOnce(''); .mockReturnValueOnce('');
when(core.getInput)
.calledWith('role')
.mockReturnValueOnce('default');
when(core.getInput) when(core.getInput)
.calledWith('secrets') .calledWith('secrets')
.mockReturnValueOnce('secret/data/test secret'); .mockReturnValueOnce('secret/data/test secret');
when(core.getIDToken)
.calledWith()
.mockReturnValueOnce(mockGithubOIDCResponse());
}); });
it('successfully authenticates', async () => { it('successfully authenticates', async () => {
when(core.getInput)
.calledWith('role')
.mockReturnValueOnce('default');
when(core.getIDToken)
.calledWith()
.mockReturnValueOnce(defaultGithubJwt);
await exportSecrets(); await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET'); expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
}); });
@ -233,6 +237,19 @@ describe('jwt auth', () => {
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET'); expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
}) })
it('successfully authenticates as default role without specifying it', async () => {
when(core.getInput)
.calledWith('role')
.mockReturnValueOnce(null);
when(core.getIDToken)
.calledWith()
.mockReturnValueOnce(defaultGithubJwt);
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
})
}); });
}); });

2
src/auth.js
View file

@ -25,7 +25,7 @@ async function retrieveToken(method, client) {
case 'jwt': { case 'jwt': {
/** @type {string} */ /** @type {string} */
let jwt; let jwt;
const role = core.getInput('role', { required: true }); const role = core.getInput('role', { required: false });
const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false }); const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false });
const privateKey = Buffer.from(privateKeyRaw, 'base64').toString(); const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
const keyPassword = core.getInput('jwtKeyPassword', { required: false }); const keyPassword = core.getInput('jwtKeyPassword', { required: false });