diff --git a/README.md b/README.md index 073dc15..9c2d87f 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,17 @@ with: githubToken: ${{ secrets.MY_GITHUB_TOKEN }} caCertificate: ${{ secrets.VAULTCA }} ``` +- **jwt**: you must provide a `role` & `jwtPrivateKey` parameters, additionally you can pass `jwtKeyPassword` & `jwtTtl` parameters +```yaml +... +with: + url: https://vault.mycompany.com:8200 + method: jwt + role: github-action + jwtPrivateKey: ${{ secrets.JWT_PRIVATE_KEY }} + jwtKeyPassword: ${{ secrets.JWT_KEY_PASS }} + jwtTtl: 3600 # 1 hour, default value +``` If any other method is specified and you provide an `authPayload`, the action will attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token. @@ -254,6 +265,10 @@ Here are all the inputs available through `with`: | `roleId` | The Role Id for App Role authentication | | | | `secretId` | The Secret Id for App Role authentication | | | | `githubToken` | The Github Token to be used to authenticate with Vault | | | +| `role` | Vault role for specified auth method | | | +| `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | | +| `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | | +| `jwtTtl` | Time in seconds, after which token expires | | 3600 | | `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | | | `extraHeaders` | A string of newline separated extra headers to include on every request. | | | | `exportEnv` | Whether or not export secrets as environment variables. | `true` | | diff --git a/action.yml b/action.yml index b6b4ae3..bda458b 100644 --- a/action.yml +++ b/action.yml @@ -53,6 +53,19 @@ inputs: description: 'When set to true, disables verification of the Vault server certificate. Setting this to true in production is not recommended.' required: false default: "false" + role: + description: 'Vault role for specified auth method' + required: false + jwtPrivateKey: + description: 'Base64 encoded Private key to sign JWT' + required: false + jwtKeyPassword: + description: 'Password for key stored in jwtPrivateKey (if needed)' + required: false + jwtTtl: + description: 'Time in seconds, after which token expires' + required: false + default: 3600 runs: using: 'node12' main: 'dist/index.js' diff --git a/integrationTests/basic/jwt_auth.test.js b/integrationTests/basic/jwt_auth.test.js new file mode 100644 index 0000000..fa6ea4d --- /dev/null +++ b/integrationTests/basic/jwt_auth.test.js @@ -0,0 +1,126 @@ +jest.mock('@actions/core'); +jest.mock('@actions/core/lib/command'); +const core = require('@actions/core'); +const { + privateRsaKeyBase64, + publicRsaKey +} = require('./rsa_keys'); + +const got = require('got'); +const { when } = require('jest-when'); + +const { exportSecrets } = require('../../src/action'); + +const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`; + +describe('jwt auth', () => { + beforeAll(async () => { + // Verify Connection + await got(`${vaultUrl}/v1/secret/config`, { + headers: { + 'X-Vault-Token': 'testtoken', + }, + }); + + try { + await got(`${vaultUrl}/v1/sys/auth/jwt`, { + method: 'POST', + headers: { + 'X-Vault-Token': 'testtoken', + }, + json: { + type: 'jwt' + } + }); + } catch (error) { + const {response} = error; + if (response.statusCode === 400 && response.body.includes("path is already in use")) { + // Auth method might already be enabled from previous test runs + } else { + throw error; + } + } + + await got(`${vaultUrl}/v1/sys/policy/reader`, { + method: 'PUT', + headers: { + 'X-Vault-Token': 'testtoken', + }, + json: { + policy: ` + path "*" { + capabilities = ["read"] + } + ` + } + }); + + await got(`${vaultUrl}/v1/auth/jwt/config`, { + method: 'POST', + headers: { + 'X-Vault-Token': 'testtoken', + }, + json: { + jwt_validation_pubkeys: publicRsaKey + } + }); + + await got(`${vaultUrl}/v1/auth/jwt/role/default`, { + method: 'POST', + headers: { + 'X-Vault-Token': 'testtoken', + }, + json: { + role_type: 'jwt', + bound_audiences: null, + bound_claims: { + iss: 'vault-action' + }, + user_claim: 'iss', + policies: ['reader'] + } + }); + + await got(`${vaultUrl}/v1/secret/data/test`, { + method: 'POST', + headers: { + 'X-Vault-Token': 'testtoken', + }, + json: { + data: { + secret: 'SUPERSECRET', + }, + }, + }); + }); + + beforeEach(() => { + jest.resetAllMocks(); + + when(core.getInput) + .calledWith('url') + .mockReturnValueOnce(`${vaultUrl}`); + + when(core.getInput) + .calledWith('method') + .mockReturnValueOnce('jwt'); + + when(core.getInput) + .calledWith('jwtPrivateKey') + .mockReturnValueOnce(privateRsaKeyBase64); + + when(core.getInput) + .calledWith('role') + .mockReturnValueOnce('default'); + + when(core.getInput) + .calledWith('secrets') + .mockReturnValueOnce('secret/data/test secret'); + }); + + it('successfully authenticates', async () => { + await exportSecrets(); + expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET'); + }); + +}); diff --git a/integrationTests/basic/rsa_keys.js b/integrationTests/basic/rsa_keys.js new file mode 100644 index 0000000..a4e5546 --- /dev/null +++ b/integrationTests/basic/rsa_keys.js @@ -0,0 +1,77 @@ +const privateRsaKey = ` +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAwavSHLLo7bUSuKX2EKu3YStrNTGdmhku7sAFaeDyi9His1oo +t+wzajWp1rqHaGVk4b5o5z6D7Xhm0zYPhpTTvEd3NyONc9sjVd7sf9rQaBY3QusP +YAdF6j0ydTJGnTeG9N2zhHjdMLR+3F39F9Ry6vddS9w3ibjVERucQtpqGhy5TIWh +ttk3gN3A7dk972+WCQeKUCC6wU6PvAEUPflThQc1hSHldpjVUHQlZkQXl/XHWBzZ +ESwMgiQcAmVL3lkvxmgIYscqWzf8cTHogNrPml9Il89N+2XYcEfXgWLOyzGhQggi +gN9DRHDDE1UWT1foHnmeXAIZPCveKZc/Jp5SASIxaZ+r73mWjVt19GSvEsqtejDR +mMC3jrYCdISrCVsHkbRQq7/yLCi5sJG9p2gD91jCgaBy2tw22nWN/KoHm9p/mhzW +mlWwVJrFTNiP0qccyoa5h1a6WBPt0oCKQk3IAMV5HhVw4DhPx8gvh7qwOZk9vXXA +FyA8bWhOVIFIJ8i8Gq25y7/bukyzqsEPkQ2mKgbQnh3VOUCSugJFodPC/Jf7VQK1 +yRpUZH2v7r9cBjHVnUnePGac3Zns7/iRYBvK5cIFUg+X48VXIMKIvs4EA8ee8Vac +Vh8tyR6EuP42BU5fGQlvLC+ZKT165maQv/Vlf52E9W2iFNt3sxB0KFtOkbkCAwEA +AQKCAgBwAwAyuQce9GsvgE0gtzAIcyQ+T8PnLEmIrGZ1JjUhyPJk6PBD78iM1Ry1 +pIxMRNhj98yUcgO7hLdz0QCJxenwKyU4LsfRCh0VvSjriZKfoLm1al4qHArDv0E/ +pyRQKZ1UYiVBqOXFFZ+JtJJ9BdKxMwAyr9svPEd+7Yki4VAcaiCBsYgmSNthHOBI +sCyyHseX0VSdo1BgHR/kjHs4nMtBVToPFduxDBPTxFkdHKTIrs3smEKzO9bALkJE +4HFQ2CRZjDHNb4N/3pGSplriq6sGjbVel/dyPyU/S03I92zC+KFbn3jVMEunedBZ +jgypNx55Ab4lWNFfi7+iLmfH3ilumsajGSRGVTo0evuBhK5obUudHeXxmvEBa81n +yo38swQFcSF9VOYwLDud6WgryTGLejRspWxbbV1pLp4uBvcDJktzh/fGyboZc2oG +kmrozTenuLEsf85T8o6W9kOe4vNBFngMPjDf9rOw6zMFxO0Iy3d7ag9z0ccGV3zh +66QijkWPXQfaLOaueGCQakS9BI4AJCIIjqv51jo8D86fHOdUwK2RlhVBHW6k+XJo +VGVbeOLNbcOHA0/BU10ZX16F8ZKKBWs0NfNg5O7Vvr6qyAp4zQyUSfXgJHS0De2E +5sLAr8+lemdd/pP/Oi8GHFmo+rwDheH1EYyziA2zm8Zmc7q+QQKCAQEA/LRs4LOJ +XlwDfQE9w5L6geJ/jAKClrGOtP5tzBDjWSZ3xPZeBChXc5U+n2IEyqFU9j2HQlMr +XQl74aEclG/y0371zWm83OEQCEBp2z/VsP7JZuEGNxla1EO6hSZXAZDQrTeOodhZ +6OL6wdIGCQvnFZuiJwCfGItmBBaUjxpRsmyrf9naOM1BwM4PpZUvv18iqoK7YhGz +t9Bs6W/LP2WK3Ze5WShZXXsFxGoWvYJvs8pQYua2TF+SGsnmc8FfmHSFZdu8qhXa +J5XIxjynFweWZqxxCnfS77ejhx1h5s8iwKT1la8VHUJ7Tgcdn98VTcJPRsyYg6TU +xvztwvEfUA7eewKCAQEAxDJUmi3ksP/nMy1Ox7BEnnWKFiVS46g58m9qhF5y8Oib +ypCPt3EvdrXvzjlYJojbXMr0yjvGqiBblDMjewdvxb4CTTAIy3iwOCfHBnzdyNYA +XZjtuD991klQP/BB62CMbCiwC1XBJzN57qxHEgPBwtkQYgSI/M/hQWZehi8JgjW7 +PNjDPqYdIck78G8zUQM96u6Y0F+BoQuo/YgKXyeeMhtMiTITN9NpCwa5KdlDunZ0 +qlZe1GKnOHmCW0NgeMxNZTRTJXvU7wUigs4isR19GuLuXnHRIwBoydu0UgczCvgh +cGv19uCU/DcoxFF0fGD1Uual1R8KH+0FpN3mnJW0WwKCAQEAxy1Sj70Srcvqd/Gt +g+PqDMvAalNkKHBkoaXUVr6M4yydxCHHMpG1dAWTKT6xtiB4/ei7Hny9NgSOnuVE +yH6AL1DnXnNUB+hgoZBbnxLuVCZOCgecxXr3i0yiy+XPOA2zXIPoqQoEu7mDmZb3 +aNP33KEhqooj282rp9dAWpaNBAwBFLFZ/eFSTSxdSs6OptDOWwTVutNnCp996HRU +B3D6hfPbhDl4TmTzw782k0Im1tfEil98GjBN0U2HlX854Mkeh40tZAX7P64gZJdT +v6QcWGrcYjrViFn+yzVOgASNSLf8VXF9O+W1mGelYugLO5HGuG/0WfZmOz0KDdfN +LWW61wKCAQB8qaZMGSEYvmF/iShnhb70GKdXDvwuH3RCcTzzQrgyDvr+qQBIhSit +e0kWdiVmxsrrmSIVZgoDi2/lKOFAiSciNGtt9DmCX/tIky3JF4os1J2C22shCWbB +w++z0Mtx7fULvIavjRuf9vthBiJadfyl/BqGzW7lhIkSbyNci4K1M8L3FJxqsE4O +a7kkOuQWc8LiBh0fObA6ThhgkBJXB+ti1ym4exLvA+vYz7rTtnNshVv35811kgHC +xqJnrtYbq2T6C1dRl+9iuJaHGse8VoppjQv9AsDqRpZOvMVE4cIzFBrbPh4ZcfX4 +lGvY4hDr/weiV1/DnWdnhclySnT/xbfFAoIBADjm+PaaMVps8tfgNcLUjOoAQzXo +/ReGOa/Zs7pu3nQp49b+9QBHRXXRrfeJ6NAVAJvgc8PIUsVKQ67yjf1sLHZUSGjc +3wyaAChmMLgl+00kQ7VL4Ls1bEb4Qxho6zoCjvaorN6gcNO8D32Oecux9F9nWinK +zJi1GLoJpVenFT+M4zTWOl3otcVzTDxknFYx9Vul84n2z28GYmw8I0RKcmBKCvHo +q/JyRYl9XunMp/7QDA9IYKTJXqIkiD+ksKtDfWRsy+iLvuVv0z9gA+MlaRTGANpt +ucZsYfhw34I5dpcqrYP4DErpKdYA3nsjx9rNQg0I4Zo7yVCRoiqRHa97GVQ= +-----END RSA PRIVATE KEY----- +`; + +const privateRsaKeyBase64 = Buffer.from(privateRsaKey).toString('base64'); + +const publicRsaKey = ` +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwavSHLLo7bUSuKX2EKu3 +YStrNTGdmhku7sAFaeDyi9His1oot+wzajWp1rqHaGVk4b5o5z6D7Xhm0zYPhpTT +vEd3NyONc9sjVd7sf9rQaBY3QusPYAdF6j0ydTJGnTeG9N2zhHjdMLR+3F39F9Ry +6vddS9w3ibjVERucQtpqGhy5TIWhttk3gN3A7dk972+WCQeKUCC6wU6PvAEUPflT +hQc1hSHldpjVUHQlZkQXl/XHWBzZESwMgiQcAmVL3lkvxmgIYscqWzf8cTHogNrP +ml9Il89N+2XYcEfXgWLOyzGhQggigN9DRHDDE1UWT1foHnmeXAIZPCveKZc/Jp5S +ASIxaZ+r73mWjVt19GSvEsqtejDRmMC3jrYCdISrCVsHkbRQq7/yLCi5sJG9p2gD +91jCgaBy2tw22nWN/KoHm9p/mhzWmlWwVJrFTNiP0qccyoa5h1a6WBPt0oCKQk3I +AMV5HhVw4DhPx8gvh7qwOZk9vXXAFyA8bWhOVIFIJ8i8Gq25y7/bukyzqsEPkQ2m +KgbQnh3VOUCSugJFodPC/Jf7VQK1yRpUZH2v7r9cBjHVnUnePGac3Zns7/iRYBvK +5cIFUg+X48VXIMKIvs4EA8ee8VacVh8tyR6EuP42BU5fGQlvLC+ZKT165maQv/Vl +f52E9W2iFNt3sxB0KFtOkbkCAwEAAQ== +-----END PUBLIC KEY----- +`; + +module.exports = { + privateRsaKeyBase64, + publicRsaKey +}; diff --git a/package-lock.json b/package-lock.json index 9b46159..ef4066a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8895,6 +8895,11 @@ "verror": "1.10.0" } }, + "jsrsasign": { + "version": "10.1.10", + "resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-10.1.10.tgz", + "integrity": "sha512-//Kkza0S/kFbK5fq6eVbwlM36tKes+ak6FfTn8+mFxKlYzN/3bVJDa0ZERGYu78QKWrXPpos+TIC1tTJDNFDRQ==" + }, "keyv": { "version": "4.0.3", "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.0.3.tgz", diff --git a/package.json b/package.json index 567da4d..eabef6a 100644 --- a/package.json +++ b/package.json @@ -45,7 +45,8 @@ "homepage": "https://github.com/hashicorp/vault-action#readme", "dependencies": { "got": "^11.5.1", - "jsonata": "^1.8.2" + "jsonata": "^1.8.2", + "jsrsasign": "^10.1.10" }, "peerDependencies": { "@actions/core": ">=1 <2" diff --git a/src/action.js b/src/action.js index 7a3c072..8b982e4 100644 --- a/src/action.js +++ b/src/action.js @@ -5,7 +5,7 @@ const got = require('got').default; const jsonata = require('jsonata'); const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index'); -const AUTH_METHODS = ['approle', 'token', 'github']; +const AUTH_METHODS = ['approle', 'token', 'github', 'jwt']; async function exportSecrets() { const vaultUrl = core.getInput('url', { required: true }); diff --git a/src/auth.js b/src/auth.js index 484fd48..bd3c535 100644 --- a/src/auth.js +++ b/src/auth.js @@ -1,5 +1,6 @@ // @ts-check const core = require('@actions/core'); +const rsasign = require('jsrsasign'); /*** * Authenticate with Vault and retrieve a Vault token that can be used for requests. @@ -17,6 +18,15 @@ async function retrieveToken(method, client) { const githubToken = core.getInput('githubToken', { required: true }); return await getClientToken(client, method, { token: githubToken }); } + case 'jwt': { + const role = core.getInput('role', { required: true }); + const privateKeyRaw = core.getInput('jwtPrivateKey', { required: true }); + const privateKey = Buffer.from(privateKeyRaw, 'base64').toString(); + const keyPassword = core.getInput('jwtKeyPassword', { required: false }); + const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour + const jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl)); + return await getClientToken(client, method, { jwt: jwt, role: role }); + } default: { if (!method || method === 'token') { return core.getInput('token', { required: true }); @@ -32,6 +42,32 @@ async function retrieveToken(method, client) { } } +/*** + * Generates signed Json Web Token with specified private key and ttl + * @param {string} privateKey + * @param {string} keyPassword + * @param {number} ttl + */ +function generateJwt(privateKey, keyPassword, ttl) { + const alg = 'RS256'; + const header = { alg: alg, typ: 'JWT' }; + const now = rsasign.KJUR.jws.IntDate.getNow(); + const payload = { + iss: 'vault-action', + iat: now, + nbf: now, + exp: now + ttl, + event: process.env.GITHUB_EVENT_NAME, + workflow: process.env.GITHUB_WORKFLOW, + sha: process.env.GITHUB_SHA, + actor: process.env.GITHUB_ACTOR, + repository: process.env.GITHUB_REPOSITORY, + ref: process.env.GITHUB_REF + }; + const decryptedKey = rsasign.KEYUTIL.getKey(privateKey, keyPassword); + return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey); +} + /*** * Call the appropriate login endpoint and parse out the token in the response. * @param {import('got').Got} client