actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-14 18:13:45 +00:00
Code Activity Actions

test: add tests

Browse source
This commit is contained in:
Alex Kulikovskikh 2021-10-06 23:05:14 -04:00
parent 90a42565f2
commit 5ea664fe4a
2 changed files with 133 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

152
integrationTests/basic/jwt_auth.test.js
View file

@ -1,7 +1,9 @@
jest.mock('@actions/core'); jest.mock('@actions/core');
jest.mock('@actions/core/lib/command'); jest.mock('@actions/core/lib/command');
const core = require('@actions/core'); const core = require('@actions/core');
const rsasign = require('jsrsasign');
const { const {
privateRsaKey,
privateRsaKeyBase64, privateRsaKeyBase64,
publicRsaKey publicRsaKey
} = require('./rsa_keys'); } = require('./rsa_keys');
@ -13,6 +15,42 @@ const { exportSecrets } = require('../../src/action');
const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`; const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
/**
* Returns Github OIDC response mock
* @param {string} aud Audience claim
* @returns {string}
*/
function mockGithubOIDCResponse(aud= "https://github.com/hashicorp/vault-action") {
const alg = 'RS256';
const header = { alg: alg, typ: 'JWT' };
const now = rsasign.KJUR.jws.IntDate.getNow();
const payload = {
jti: "unique-id",
sub: "repo:hashicorp/vault-action:ref:refs/heads/master",
aud,
ref: "refs/heads/master",
sha: "commit-sha",
repository: "hashicorp/vault-action",
repository_owner: "hashicorp",
run_id: "1",
run_number: "1",
run_attempt: "1",
actor: "github-username",
workflow: "Workflow Name",
head_ref: "",
base_ref: "",
event_name: "push",
ref_type: "branch",
job_workflow_ref: "hashicorp/vault-action/.github/workflows/workflow.yml@refs/heads/master",
iss: 'vault-action',
iat: now,
nbf: now,
exp: now + 3600,
};
const decryptedKey = rsasign.KEYUTIL.getKey(privateRsaKey);
return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey);
}
describe('jwt auth', () => { describe('jwt auth', () => {
beforeAll(async () => { beforeAll(async () => {
// Verify Connection // Verify Connection
@ -94,33 +132,107 @@ describe('jwt auth', () => {
}); });
}); });
beforeEach(() => { describe('authenticate with private key', () => {
jest.resetAllMocks(); beforeEach(() => {
jest.resetAllMocks();
when(core.getInput) when(core.getInput)
.calledWith('url') .calledWith('url')
.mockReturnValueOnce(`${vaultUrl}`); .mockReturnValueOnce(`${vaultUrl}`);
when(core.getInput) when(core.getInput)
.calledWith('method') .calledWith('method')
.mockReturnValueOnce('jwt'); .mockReturnValueOnce('jwt');
when(core.getInput) when(core.getInput)
.calledWith('jwtPrivateKey') .calledWith('jwtPrivateKey')
.mockReturnValueOnce(privateRsaKeyBase64); .mockReturnValueOnce(privateRsaKeyBase64);
when(core.getInput) when(core.getInput)
.calledWith('role') .calledWith('role')
.mockReturnValueOnce('default'); .mockReturnValueOnce('default');
when(core.getInput) when(core.getInput)
.calledWith('secrets') .calledWith('secrets')
.mockReturnValueOnce('secret/data/test secret'); .mockReturnValueOnce('secret/data/test secret');
});
it('successfully authenticates', async () => {
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
});
}); });
it('successfully authenticates', async () => { describe('authenticate with Github OIDC', () => {
await exportSecrets(); beforeAll(async () => {
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET'); await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
role_type: 'jwt',
bound_audiences: null,
bound_claims: {
iss: 'vault-action',
aud: 'sigstore',
},
user_claim: 'iss',
policies: ['reader']
}
});
})
beforeEach(() => {
jest.resetAllMocks();
when(core.getInput)
.calledWith('url')
.mockReturnValueOnce(`${vaultUrl}`);
when(core.getInput)
.calledWith('method')
.mockReturnValueOnce('jwt');
when(core.getInput)
.calledWith('jwtPrivateKey')
.mockReturnValueOnce('');
when(core.getInput)
.calledWith('role')
.mockReturnValueOnce('default');
when(core.getInput)
.calledWith('secrets')
.mockReturnValueOnce('secret/data/test secret');
when(core.getIDToken)
.calledWith()
.mockReturnValueOnce(mockGithubOIDCResponse());
});
it('successfully authenticates', async () => {
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
});
it('successfully authenticates with `jwtGithubAudience` set to `sigstore`', async () => {
when(core.getInput)
.calledWith('role')
.mockReturnValueOnce('default-sigstore');
when(core.getInput)
.calledWith('jwtGithubAudience')
.mockReturnValueOnce('sigstore');
when(core.getIDToken)
.calledWith()
.mockReturnValueOnce(mockGithubOIDCResponse('sigstore'));
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
})
}); });
}); });

1
integrationTests/basic/rsa_keys.js
View file

@ -72,6 +72,7 @@ f52E9W2iFNt3sxB0KFtOkbkCAwEAAQ==
`; `;
module.exports = { module.exports = {
privateRsaKey,
privateRsaKeyBase64, privateRsaKeyBase64,
publicRsaKey publicRsaKey
}; };