actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-10 08:36:55 +00:00
Code Activity Actions

feat: add support for (nearly) any engine

Browse source
This commit is contained in:
Richard Simpson 2020-02-05 14:17:02 -06:00
parent f229481670
commit 913f76cc85
No known key found for this signature in database
GPG key ID: 0CECAF50D013D1E2
2 changed files with 47 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
action.js
View file

@ -3,12 +3,15 @@ const command = require('@actions/core/lib/command');
const got = require('got'); const got = require('got');
const AUTH_METHODS = ['approle', 'token']; const AUTH_METHODS = ['approle', 'token'];
const VALID_KV_VERSION = [-1, 1, 2];
async function exportSecrets() { async function exportSecrets() {
const vaultUrl = core.getInput('url', { required: true }); const vaultUrl = core.getInput('url', { required: true });
const vaultNamespace = core.getInput('namespace', { required: false }); const vaultNamespace = core.getInput('namespace', { required: false });
let enginePath = core.getInput('path', { required: false }); let enginePath = core.getInput('path', { required: false });
let kvVersion = core.getInput('kv-version', { required: false }); let kvVersion = core.getInput('kv-version', { required: false });
const useKv = core.getInput('useKv', { required: false });
const secretsInput = core.getInput('secrets', { required: true }); const secretsInput = core.getInput('secrets', { required: true });
const secrets = parseSecretsInput(secretsInput); const secrets = parseSecretsInput(secretsInput);
@ -52,17 +55,23 @@ async function exportSecrets() {
} }
if (!kvVersion) { if (!kvVersion) {
kvVersion = '2'; if (useKv !== false) {
kvVersion = 2;
} else {
kvVersion = -1;
}
} }
kvVersion = +kvVersion;
if (kvVersion !== '1' && kvVersion !== '2') { if (Number.isNaN(kvVersion) || !VALID_KV_VERSION.includes(kvVersion)) {
throw Error(`You must provide a valid K/V version (1 or 2). Input: "${kvVersion}"`); throw Error(`You must provide a valid K/V version (${VALID_KV_VERSION.slice(1).join(', ')}). Input: "${kvVersion}"`);
} }
kvVersion = parseInt(kvVersion); kvVersion = parseInt(kvVersion);
const responseCache = new Map();
for (const secret of secrets) { for (const secret of secrets) {
const { secretPath, outputName, secretKey } = secret; const { secretPath, outputName, secretSelector } = secret;
const requestOptions = { const requestOptions = {
headers: { headers: {
'X-Vault-Token': vaultToken 'X-Vault-Token': vaultToken
@ -73,13 +82,18 @@ async function exportSecrets() {
requestOptions.headers["X-Vault-Namespace"] = vaultNamespace; requestOptions.headers["X-Vault-Namespace"] = vaultNamespace;
} }
const requestPath = (kvVersion === 1) const requestPath = (kvVersion === 2)
? `${vaultUrl}/v1/${enginePath}/${secretPath}` ? `${vaultUrl}/v1/${enginePath}/data/${secretPath}`
: `${vaultUrl}/v1/${enginePath}/data/${secretPath}`; : `${vaultUrl}/v1/${enginePath}/${secretPath}`;
const result = await got(requestPath, requestOptions); let result;
if (responseCache.has(requestPath)) {
result = responseCache.get(requestPath);
} else {
result = await got(requestPath, requestOptions);
}
const secretData = parseResponse(result.body, kvVersion); const secretData = getResponseData(result.body, kvVersion);
const value = secretData[secretKey]; const value = selectData(secretData, secretSelector);
command.issue('add-mask', value); command.issue('add-mask', value);
core.exportVariable(outputName, `${value}`); core.exportVariable(outputName, `${value}`);
core.debug(`${secretPath} => ${outputName}`); core.debug(`${secretPath} => ${outputName}`);
@ -122,17 +136,17 @@ function parseSecretsInput(secretsInput) {
throw Error(`You must provide a valid path and key. Input: "${secret}"`) throw Error(`You must provide a valid path and key. Input: "${secret}"`)
} }
const [secretPath, secretKey] = pathParts; const [secretPath, secretSelector] = pathParts;
// If we're not using a mapped name, normalize the key path into a variable name. // If we're not using a mapped name, normalize the key path into a variable name.
if (!outputName) { if (!outputName) {
outputName = normalizeOutputKey(secretKey); outputName = normalizeOutputKey(secretSelector);
} }
output.push({ output.push({
secretPath, secretPath,
outputName, outputName,
secretKey secretSelector
}); });
} }
return output; return output;
@ -143,7 +157,7 @@ function parseSecretsInput(secretsInput) {
* @param {string} responseBody * @param {string} responseBody
* @param {number} kvVersion * @param {number} kvVersion
*/ */
function parseResponse(responseBody, kvVersion) { function getResponseData(responseBody, kvVersion) {
const parsedResponse = JSON.parse(responseBody); const parsedResponse = JSON.parse(responseBody);
let secretData; let secretData;
@ -156,11 +170,28 @@ function parseResponse(responseBody, kvVersion) {
const vaultKeyData = parsedResponse.data; const vaultKeyData = parsedResponse.data;
secretData = vaultKeyData.data; secretData = vaultKeyData.data;
} break; } break;
default: {
secretData = parsedResponse;
} break;
} }
return secretData; return secretData;
} }
/**
* Parses a JSON response and returns the secret data
* @param {Object} data
* @param {string} selector
*/
function selectData(data, selector) {
if (!selector.startsWith('$')) {
return data[selector];
}
// TODO: JSONPath
}
/** /**
* Replaces any forward-slash characters to * Replaces any forward-slash characters to
* @param {string} dataKey * @param {string} dataKey
@ -172,6 +203,6 @@ function normalizeOutputKey(dataKey) {
module.exports = { module.exports = {
exportSecrets, exportSecrets,
parseSecretsInput, parseSecretsInput,
parseResponse, parseResponse: getResponseData,
normalizeOutputKey normalizeOutputKey
}; };

2
action.test.js
View file

@ -17,7 +17,7 @@ describe('parseSecretsInput', () => {
const output = parseSecretsInput('test key'); const output = parseSecretsInput('test key');
expect(output).toContainEqual({ expect(output).toContainEqual({
secretPath: 'test', secretPath: 'test',
secretKey: 'key', secretSelector: 'key',
outputName: 'KEY', outputName: 'KEY',
}); });
}); });