diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5aae23f..784ca86 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -141,21 +141,19 @@ jobs: url: http://localhost:8200 token: testtoken secrets: | - test secret ; - test secret | NAMED_SECRET ; - nested/test otherSecret ; + secret/data/test secret ; + secret/data/test secret | NAMED_SECRET ; + secret/data/nested/test otherSecret ; - name: Test Vault Action (default KV V1) uses: ./ with: url: http://localhost:8200 token: testtoken - path: my-secret - kv-version: 1 secrets: | - test altSecret ; - test altSecret | NAMED_ALTSECRET ; - nested/test otherAltSecret ; + secret/data/test altSecret ; + secret/data/test altSecret | NAMED_ALTSECRET ; + secret/data/nested/test otherAltSecret ; - name: Test Vault Action (cubbyhole) uses: ./ @@ -217,9 +215,9 @@ jobs: clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }} clientKey: ${{ secrets.VAULT_CLIENT_KEY }} secrets: | - test secret ; - test secret | NAMED_SECRET ; - nested/test otherSecret ; + secret/data/test secret ; + secret/data/test secret | NAMED_SECRET ; + secret/data/nested/test otherSecret ; - name: Test Vault Action (tlsSkipVerify) uses: ./ @@ -230,22 +228,20 @@ jobs: clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }} clientKey: ${{ secrets.VAULT_CLIENT_KEY }} secrets: | - tlsSkipVerify skip ; + secret/data/tlsSkipVerify skip ; - name: Test Vault Action (default KV V1) uses: ./ with: url: https://localhost:8200 token: ${{ env.VAULT_TOKEN }} - path: my-secret - kv-version: 1 caCertificate: ${{ secrets.VAULTCA }} clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }} clientKey: ${{ secrets.VAULT_CLIENT_KEY }} secrets: | - test altSecret ; - test altSecret | NAMED_ALTSECRET ; - nested/test otherAltSecret ; + my-secret/test altSecret ; + my-secret/test altSecret | NAMED_ALTSECRET ; + my-secret/nested/test otherAltSecret ; - name: Test Vault Action (cubbyhole) uses: ./ diff --git a/action.yml b/action.yml index 652c676..cc02c11 100644 --- a/action.yml +++ b/action.yml @@ -10,13 +10,6 @@ inputs: namespace: description: 'The Vault namespace from which to query secrets. Vault Enterprise only, unset by default' required: false - path: - description: 'The path of a non-default K/V engine' - required: false - kv-version: - description: 'The version of the K/V engine to use.' - default: '2' - required: false method: description: 'The method to use to authenticate with Vault.' default: 'token' diff --git a/dist/index.js b/dist/index.js index 5182c2c..d14bbd0 100644 --- a/dist/index.js +++ b/dist/index.js @@ -10552,9 +10552,9 @@ async function getSecrets(secretRequests, client) { const responseCache = new Map(); const results = []; for (const secretRequest of secretRequests) { - const { path, selector } = secretRequest; + let { path, selector } = secretRequest; - const requestPath = `v1${path}`; + const requestPath = `v1/${path}`; let body; let cachedResponse = false; if (responseCache.has(requestPath)) { @@ -10566,7 +10566,13 @@ async function getSecrets(secretRequests, client) { responseCache.set(requestPath, body); } - const value = selectData(JSON.parse(body), selector); + selector = "data." + selector + body = JSON.parse(body) + if (body.data["data"] != undefined) { + selector = "data." + selector + } + + const value = selectData(body, selector); results.push({ request: secretRequest, value, @@ -14099,7 +14105,6 @@ const jsonata = __webpack_require__(350); const { auth: { retrieveToken }, secrets: { getSecrets } } = __webpack_require__(676); const AUTH_METHODS = ['approle', 'token', 'github']; -const VALID_KV_VERSION = [-1, 1, 2]; async function exportSecrets() { const vaultUrl = core.getInput('url', { required: true }); @@ -14107,10 +14112,6 @@ async function exportSecrets() { const extraHeaders = parseHeadersInput('extraHeaders', { required: false }); const exportEnv = core.getInput('exportEnv', { required: false }) != 'false'; - let enginePath = core.getInput('path', { required: false }); - /** @type {number | string} */ - let kvVersion = core.getInput('kv-version', { required: false }); - const secretsInput = core.getInput('secrets', { required: true }); const secretRequests = parseSecretsInput(secretsInput); @@ -14158,32 +14159,9 @@ async function exportSecrets() { defaultOptions.headers['X-Vault-Token'] = vaultToken; const client = got.extend(defaultOptions); - if (!enginePath) { - enginePath = 'secret'; - } - - if (!kvVersion) { - kvVersion = 2; - } - kvVersion = +kvVersion; - - if (Number.isNaN(kvVersion) || !VALID_KV_VERSION.includes(kvVersion)) { - throw Error(`You must provide a valid K/V version (${VALID_KV_VERSION.slice(1).join(', ')}). Input: "${kvVersion}"`); - } - const requests = secretRequests.map(request => { const { path, selector } = request; - - if (path.startsWith('/')) { - return request; - } - const kvPath = (kvVersion === 2) - ? `/${enginePath}/data/${path}` - : `/${enginePath}/${path}`; - const kvSelector = (kvVersion === 2) - ? `data.data.${selector}` - : `data.${selector}`; - return { ...request, path: kvPath, selector: kvSelector }; + return request; }); const results = await getSecrets(requests, client); diff --git a/integrationTests/basic/integration.test.js b/integrationTests/basic/integration.test.js index a9a89e5..749ffcc 100644 --- a/integrationTests/basic/integration.test.js +++ b/integrationTests/basic/integration.test.js @@ -7,7 +7,7 @@ const { when } = require('jest-when'); const { exportSecrets } = require('../../src/action'); -const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`; +const vaultUrl = `http://${process.env.VAULT_HOST || '0.0.0.0'}:${process.env.VAULT_PORT || '8200'}`; describe('integration', () => { beforeAll(async () => { @@ -42,9 +42,21 @@ describe('integration', () => { } }); + await got(`${vaultUrl}/v1/secret/data/foobar`, { + method: 'POST', + headers: { + 'X-Vault-Token': 'testtoken', + }, + json: { + data: { + fookv2: 'bar', + }, + } + }); + // Enable custom secret engine try { - await got(`${vaultUrl}/v1/sys/mounts/my-secret`, { + await got(`${vaultUrl}/v1/sys/mounts/secret-kv1`, { method: 'POST', headers: { 'X-Vault-Token': 'testtoken', @@ -62,7 +74,7 @@ describe('integration', () => { } } - await got(`${vaultUrl}/v1/my-secret/test`, { + await got(`${vaultUrl}/v1/secret-kv1/test`, { method: 'POST', headers: { 'X-Vault-Token': 'testtoken', @@ -72,7 +84,17 @@ describe('integration', () => { } }); - await got(`${vaultUrl}/v1/my-secret/nested/test`, { + await got(`${vaultUrl}/v1/secret-kv1/foobar`, { + method: 'POST', + headers: { + 'X-Vault-Token': 'testtoken', + }, + json: { + fookv1: 'bar', + } + }); + + await got(`${vaultUrl}/v1/secret-kv1/nested/test`, { method: 'POST', headers: { 'X-Vault-Token': 'testtoken', @@ -101,20 +123,8 @@ describe('integration', () => { .mockReturnValueOnce(secrets); } - function mockEngineName(name) { - when(core.getInput) - .calledWith('path') - .mockReturnValueOnce(name); - } - - function mockVersion(version) { - when(core.getInput) - .calledWith('kv-version') - .mockReturnValueOnce(version); - } - it('get simple secret', async () => { - mockInput('test secret'); + mockInput('secret/data/test secret'); await exportSecrets(); @@ -122,7 +132,7 @@ describe('integration', () => { }); it('re-map secret', async () => { - mockInput('test secret | TEST_KEY'); + mockInput('secret/data/test secret | TEST_KEY'); await exportSecrets(); @@ -130,7 +140,7 @@ describe('integration', () => { }); it('get nested secret', async () => { - mockInput('nested/test otherSecret'); + mockInput('secret/data/nested/test otherSecret'); await exportSecrets(); @@ -139,9 +149,9 @@ describe('integration', () => { it('get multiple secrets', async () => { mockInput(` - test secret ; - test secret | NAMED_SECRET ; - nested/test otherSecret ;`); + secret/data/test secret ; + secret/data/test secret | NAMED_SECRET ; + secret/data/nested/test otherSecret ;`); await exportSecrets(); @@ -152,10 +162,16 @@ describe('integration', () => { expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET'); }); + it('leading slash kvv2', async () => { + mockInput('/secret/data/foobar fookv2'); + + await exportSecrets(); + + expect(core.exportVariable).toBeCalledWith('FOOKV2', 'bar'); + }); + it('get secret from K/V v1', async () => { - mockInput('test secret'); - mockEngineName('my-secret'); - mockVersion('1'); + mockInput('secret-kv1/test secret'); await exportSecrets(); @@ -163,15 +179,21 @@ describe('integration', () => { }); it('get nested secret from K/V v1', async () => { - mockInput('nested/test otherSecret'); - mockEngineName('my-secret'); - mockVersion('1'); + mockInput('secret-kv1/nested/test otherSecret'); await exportSecrets(); expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERCUSTOMSECRET'); }); + it('leading slash kvv1', async () => { + mockInput('/secret-kv1/foobar fookv1'); + + await exportSecrets(); + + expect(core.exportVariable).toBeCalledWith('FOOKV1', 'bar'); + }); + describe('generic engines', () => { beforeAll(async () => { await got(`${vaultUrl}/v1/cubbyhole/test`, { diff --git a/src/action.js b/src/action.js index 9404a42..e6875ee 100644 --- a/src/action.js +++ b/src/action.js @@ -6,7 +6,6 @@ const jsonata = require('jsonata'); const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index'); const AUTH_METHODS = ['approle', 'token', 'github']; -const VALID_KV_VERSION = [-1, 1, 2]; async function exportSecrets() { const vaultUrl = core.getInput('url', { required: true }); @@ -14,10 +13,6 @@ async function exportSecrets() { const extraHeaders = parseHeadersInput('extraHeaders', { required: false }); const exportEnv = core.getInput('exportEnv', { required: false }) != 'false'; - let enginePath = core.getInput('path', { required: false }); - /** @type {number | string} */ - let kvVersion = core.getInput('kv-version', { required: false }); - const secretsInput = core.getInput('secrets', { required: true }); const secretRequests = parseSecretsInput(secretsInput); @@ -65,32 +60,9 @@ async function exportSecrets() { defaultOptions.headers['X-Vault-Token'] = vaultToken; const client = got.extend(defaultOptions); - if (!enginePath) { - enginePath = 'secret'; - } - - if (!kvVersion) { - kvVersion = 2; - } - kvVersion = +kvVersion; - - if (Number.isNaN(kvVersion) || !VALID_KV_VERSION.includes(kvVersion)) { - throw Error(`You must provide a valid K/V version (${VALID_KV_VERSION.slice(1).join(', ')}). Input: "${kvVersion}"`); - } - const requests = secretRequests.map(request => { const { path, selector } = request; - - if (path.startsWith('/')) { - return request; - } - const kvPath = (kvVersion === 2) - ? `/${enginePath}/data/${path}` - : `/${enginePath}/${path}`; - const kvSelector = (kvVersion === 2) - ? `data.data.${selector}` - : `data.${selector}`; - return { ...request, path: kvPath, selector: kvSelector }; + return request; }); const results = await getSecrets(requests, client); diff --git a/src/secrets.js b/src/secrets.js index a259293..a364925 100644 --- a/src/secrets.js +++ b/src/secrets.js @@ -25,9 +25,9 @@ async function getSecrets(secretRequests, client) { const responseCache = new Map(); const results = []; for (const secretRequest of secretRequests) { - const { path, selector } = secretRequest; + let { path, selector } = secretRequest; - const requestPath = `v1${path}`; + const requestPath = `v1/${path}`; let body; let cachedResponse = false; if (responseCache.has(requestPath)) { @@ -39,7 +39,13 @@ async function getSecrets(secretRequests, client) { responseCache.set(requestPath, body); } - const value = selectData(JSON.parse(body), selector); + selector = "data." + selector + body = JSON.parse(body) + if (body.data["data"] != undefined) { + selector = "data." + selector + } + + const value = selectData(body, selector); results.push({ request: secretRequest, value,