actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-16 02:43:45 +00:00
Code Activity Actions

chore: make vault action consumable

Browse source
This commit is contained in:
Richard Simpson 2020-04-10 19:42:50 -05:00
parent 9878eba70a
commit 7b3e2a5aac
7 changed files with 143 additions and 136 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
package-lock.json generated
View file

@ -7693,6 +7693,11 @@
"minimist": "^1.2.5" "minimist": "^1.2.5"
} }
}, },
"jsonata": {
"version": "1.8.2",
"resolved": "https://registry.npmjs.org/jsonata/-/jsonata-1.8.2.tgz",
"integrity": "sha512-ma5F/Bs47dZfJfDZ0Dt37eIbzVBVKZIDqsZSqdCCAPNHxKn+s3+CfMA6ahVVlf8Y1hyIjXkVLFU7yv4XxRfihA=="
},
"jsonfile": { "jsonfile": {
"version": "6.0.1", "version": "6.0.1",
"resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.0.1.tgz", "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.0.1.tgz",

10
package.json
View file

@ -10,12 +10,17 @@
"test:integration:enterprise": "jest -c integrationTests/enterprise/jest.config.js", "test:integration:enterprise": "jest -c integrationTests/enterprise/jest.config.js",
"test:e2e": "jest -c integrationTests/e2e/jest.config.js" "test:e2e": "jest -c integrationTests/e2e/jest.config.js"
}, },
"files": [
"src/**/*",
"dist/**/*"
],
"release": { "release": {
"branch": "master", "branch": "master",
"plugins": [ "plugins": [
"@semantic-release/commit-analyzer", "@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator", "@semantic-release/release-notes-generator",
"@semantic-release/github" "@semantic-release/github",
"@semantic-release/npm"
], ],
"ci": false "ci": false
}, },
@ -38,8 +43,9 @@
}, },
"homepage": "https://github.com/RichiCoder1/vault-action#readme", "homepage": "https://github.com/RichiCoder1/vault-action#readme",
"dependencies": { "dependencies": {
"@actions/core": "^1.2.3",
"got": "^10.2.2", "got": "^10.2.2",
"@actions/core": "^1.2.3" "jsonata": "^1.8.2"
}, },
"devDependencies": { "devDependencies": {
"@types/got": "^9.6.9", "@types/got": "^9.6.9",

123
src/action.js
View file

@ -2,7 +2,8 @@
const core = require('@actions/core'); const core = require('@actions/core');
const command = require('@actions/core/lib/command'); const command = require('@actions/core/lib/command');
const got = require('got').default; const got = require('got').default;
const { retrieveToken } = require('./auth'); const jsonata = require('jsonata');
const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');
const AUTH_METHODS = ['approle', 'token', 'github']; const AUTH_METHODS = ['approle', 'token', 'github'];
const VALID_KV_VERSION = [-1, 1, 2]; const VALID_KV_VERSION = [-1, 1, 2];
@ -39,8 +40,9 @@ async function exportSecrets() {
defaultOptions.headers["X-Vault-Namespace"] = vaultNamespace; defaultOptions.headers["X-Vault-Namespace"] = vaultNamespace;
} }
const vaultToken = await retrieveToken(vaultMethod, got.extend(defaultOptions));
defaultOptions.headers['X-Vault-Token'] = vaultToken;
const client = got.extend(defaultOptions); const client = got.extend(defaultOptions);
const vaultToken = await retrieveToken(vaultMethod, client);
if (!enginePath) { if (!enginePath) {
enginePath = 'secret'; enginePath = 'secret';
@ -55,62 +57,39 @@ async function exportSecrets() {
throw Error(`You must provide a valid K/V version (${VALID_KV_VERSION.slice(1).join(', ')}). Input: "${kvVersion}"`); throw Error(`You must provide a valid K/V version (${VALID_KV_VERSION.slice(1).join(', ')}). Input: "${kvVersion}"`);
} }
const responseCache = new Map(); const requests = secretRequests.map(request => {
for (const secretRequest of secretRequests) { const { path, selector } = request;
const { secretPath, outputVarName, envVarName, secretSelector, isJSONPath } = secretRequest;
const requestOptions = {
headers: {
'X-Vault-Token': vaultToken
},
};
for (const [headerName, headerValue] of extraHeaders) { if (path.startsWith('/')) {
requestOptions.headers[headerName] = headerValue; return request;
} }
const kvPath = (kvVersion === 2)
? `/${enginePath}/data/${path}`
: `/${enginePath}/${path}`;
const kvSelector = (kvVersion === 2)
? `data.data.${selector}`
: `data.${selector}`;
return { ...request, path: kvPath, selector: kvSelector };
});
if (vaultNamespace != null) { const results = await getSecrets(requests, client);
requestOptions.headers["X-Vault-Namespace"] = vaultNamespace;
}
let requestPath = `v1`; for (const result of results) {
const kvRequest = !secretPath.startsWith('/') const { value, request } = result;
if (!kvRequest) {
requestPath += secretPath;
} else {
requestPath += (kvVersion === 2)
? `/${enginePath}/data/${secretPath}`
: `/${enginePath}/${secretPath}`;
}
let body;
if (responseCache.has(requestPath)) {
body = responseCache.get(requestPath);
core.debug(' using cached response');
} else {
const result = await client.get(requestPath, requestOptions);
body = result.body;
responseCache.set(requestPath, body);
}
let dataDepth = isJSONPath === true ? 0 : kvRequest === false ? 1 : kvVersion;
const secretData = getResponseData(body, dataDepth);
const value = selectData(secretData, secretSelector, isJSONPath);
command.issue('add-mask', value); command.issue('add-mask', value);
if (exportEnv) { if (exportEnv) {
core.exportVariable(envVarName, `${value}`); core.exportVariable(request.envVarName, `${value}`);
} }
core.setOutput(outputVarName, `${value}`); core.setOutput(request.outputVarName, `${value}`);
core.debug(`${secretPath} => outputs.${outputVarName}${exportEnv ? ` | env.${envVarName}` : ''}`); core.debug(`${request.path} => outputs.${request.outputVarName}${exportEnv ? ` | env.${request.envVarName}` : ''}`);
} }
}; };
/** @typedef {Object} SecretRequest /** @typedef {Object} SecretRequest
* @property {string} secretPath * @property {string} path
* @property {string} envVarName * @property {string} envVarName
* @property {string} outputVarName * @property {string} outputVarName
* @property {string} secretSelector * @property {string} selector
* @property {boolean} isJSONPath
*/ */
/** /**
@ -127,12 +106,12 @@ function parseSecretsInput(secretsInput) {
/** @type {SecretRequest[]} */ /** @type {SecretRequest[]} */
const output = []; const output = [];
for (const secret of secrets) { for (const secret of secrets) {
let path = secret; let pathSpec = secret;
let outputVarName = null; let outputVarName = null;
const renameSigilIndex = secret.lastIndexOf('|'); const renameSigilIndex = secret.lastIndexOf('|');
if (renameSigilIndex > -1) { if (renameSigilIndex > -1) {
path = secret.substring(0, renameSigilIndex).trim(); pathSpec = secret.substring(0, renameSigilIndex).trim();
outputVarName = secret.substring(renameSigilIndex + 1).trim(); outputVarName = secret.substring(renameSigilIndex + 1).trim();
if (outputVarName.length < 1) { if (outputVarName.length < 1) {
@ -140,7 +119,7 @@ function parseSecretsInput(secretsInput) {
} }
} }
const pathParts = path const pathParts = pathSpec
.split(/\s+/) .split(/\s+/)
.map(part => part.trim()) .map(part => part.trim())
.filter(part => part.length !== 0); .filter(part => part.length !== 0);
@ -149,64 +128,41 @@ function parseSecretsInput(secretsInput) {
throw Error(`You must provide a valid path and key. Input: "${secret}"`); throw Error(`You must provide a valid path and key. Input: "${secret}"`);
} }
const [secretPath, secretSelector] = pathParts; const [path, selector] = pathParts;
const isJSONPath = secretSelector.includes('.'); /** @type {any} */
const selectorAst = jsonata(selector).ast();
if (isJSONPath && !outputVarName) { if (selectorAst.type !== "path") {
throw Error(`Invalid path selector.`);
}
if ((selectorAst.steps > 1 || selectorAst.steps[0].stages) && !outputVarName) {
throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`); throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
} }
let envVarName = outputVarName; let envVarName = outputVarName;
if (!outputVarName) { if (!outputVarName) {
outputVarName = secretSelector; outputVarName = selector;
envVarName = normalizeOutputKey(outputVarName); envVarName = normalizeOutputKey(outputVarName);
} }
output.push({ output.push({
secretPath, path,
envVarName, envVarName,
outputVarName, outputVarName,
secretSelector, selector
isJSONPath
}); });
} }
return output; return output;
} }
/**
* Parses a JSON response and returns the secret data
* @param {string} responseBody
* @param {number} dataLevel
*/
function getResponseData(responseBody, dataLevel) {
let secretData = JSON.parse(responseBody);
for (let i = 0; i < dataLevel; i++) {
secretData = secretData['data'];
}
return secretData;
}
/**
* Parses a JSON response and returns the secret data
* @param {Object} data
* @param {string} selector
*/
function selectData(data, selector, isJSONPath) {
if (!isJSONPath) {
return data[selector];
}
// TODO: JSONPath
}
/** /**
* Replaces any forward-slash characters to * Replaces any forward-slash characters to
* @param {string} dataKey * @param {string} dataKey
*/ */
function normalizeOutputKey(dataKey) { function normalizeOutputKey(dataKey) {
return dataKey.replace('/', '__').replace(/[^\w-]/, '').toUpperCase(); return dataKey.replace('/', '__').replace('.', '__').replace(/[^\w-]/, '').toUpperCase();
} }
/** /**
@ -237,7 +193,6 @@ function parseHeadersInput(inputKey, inputOptions) {
module.exports = { module.exports = {
exportSecrets, exportSecrets,
parseSecretsInput, parseSecretsInput,
parseResponse: getResponseData,
normalizeOutputKey, normalizeOutputKey,
parseHeadersInput parseHeadersInput
}; };

46
src/action.test.js
View file

@ -17,11 +17,10 @@ describe('parseSecretsInput', () => {
it('parses simple secret', () => { it('parses simple secret', () => {
const output = parseSecretsInput('test key'); const output = parseSecretsInput('test key');
expect(output).toContainEqual({ expect(output).toContainEqual({
secretPath: 'test', path: 'test',
secretSelector: 'key', selector: 'key',
outputVarName: 'key', outputVarName: 'key',
envVarName: 'KEY', envVarName: 'KEY'
isJSONPath: false
}); });
}); });
@ -49,10 +48,10 @@ describe('parseSecretsInput', () => {
expect(output).toHaveLength(2); expect(output).toHaveLength(2);
expect(output[0]).toMatchObject({ expect(output[0]).toMatchObject({
secretPath: 'first', path: 'first',
}); });
expect(output[1]).toMatchObject({ expect(output[1]).toMatchObject({
secretPath: 'second', path: 'second',
}); });
}); });
@ -78,7 +77,7 @@ describe('parseSecretsInput', () => {
expect(output).toHaveLength(3); expect(output).toHaveLength(3);
expect(output[0]).toMatchObject({ expect(output[0]).toMatchObject({
secretPath: 'first', path: 'first',
}); });
expect(output[1]).toMatchObject({ expect(output[1]).toMatchObject({
outputVarName: 'b', outputVarName: 'b',
@ -129,40 +128,7 @@ describe('parseHeaders', () => {
const result = parseHeadersInput('extraHeaders'); const result = parseHeadersInput('extraHeaders');
expect(Array.from(result)).toHaveLength(0); expect(Array.from(result)).toHaveLength(0);
}); });
})
describe('parseResponse', () => {
// https://www.vaultproject.io/api/secret/kv/kv-v1.html#sample-response
it('parses K/V version 1 response', () => {
const response = JSON.stringify({
data: {
foo: 'bar'
}
})
const output = parseResponse(response, 1);
expect(output).toEqual({
foo: 'bar'
}); });
});
// https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
it('parses K/V version 2 response', () => {
const response = JSON.stringify({
data: {
data: {
foo: 'bar'
}
}
})
const output = parseResponse(response, 2);
expect(output).toEqual({
foo: 'bar'
});
});
});
describe('exportSecrets', () => { describe('exportSecrets', () => {
beforeEach(() => { beforeEach(() => {

10
src/entry.js Normal file
View file

@ -0,0 +1,10 @@
const core = require('@actions/core');
const { exportSecrets } = require('./action');
(async () => {
try {
await core.group('Get Vault Secrets', exportSecrets);
} catch (error) {
core.setFailed(error.message);
}
})();

15
src/index.js
View file

@ -1,10 +1,7 @@
const core = require('@actions/core'); const auth = require('./auth');
const { exportSecrets } = require('./action'); const secrets = require('./secrets');
(async () => { module.exports = {
try { auth,
await core.group('Get Vault Secrets', exportSecrets); secrets
} catch (error) { };
core.setFailed(error.message);
}
})();

68
src/secrets.js Normal file
View file

@ -0,0 +1,68 @@
const jsonata = require("jsonata");
/**
* @typedef {Object} SecretRequest
* @property {string} path
* @property {string} selector
*/
/**
* @template {SecretRequest} TRequest
* @typedef {Object} SecretResponse
* @property {TRequest} request
* @property {string} value
* @property {boolean} cachedResponse
*/
/**
* @template TRequest
* @param {Array<TRequest>} secretRequests
* @param {import('got').Got} client
* @return {Promise<SecretResponse<TRequest>[]>}
*/
async function getSecrets(secretRequests, client) {
const responseCache = new Map();
const results = [];
for (const secretRequest of secretRequests) {
const { path, selector } = secretRequest;
const requestPath = `v1${path}`;
let body;
let cachedResponse = false;
if (responseCache.has(requestPath)) {
body = responseCache.get(requestPath);
cachedResponse = true;
} else {
const result = await client.get(requestPath);
body = result.body;
responseCache.set(requestPath, body);
}
const value = selectData(JSON.parse(body), selector);
results.push({
request: secretRequest,
value,
cachedResponse
});
}
return results;
}
/**
* Uses a Jsonata selector retrieve a bit of data from the result
* @param {object} data
* @param {string} selector
*/
function selectData(data, selector) {
let result = JSON.stringify(jsonata(selector).evaluate(data));
if (result.startsWith(`"`)) {
result = result.substring(1, result.length - 1);
}
return result;
}
module.exports = {
getSecrets,
selectData
}