Implement JWT auth (#188)

2025-11-07 07:06:56 +00:00 · 2021-05-04 15:49:35 +03:00 · 2021-05-04 15:49:35 +03:00 · 9e8f22534f
commit 9e8f22534f
parent 8417c61f8a
8 changed files with 275 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -86,6 +86,17 @@ with:
  githubToken: ${{ secrets.MY_GITHUB_TOKEN }}
  caCertificate: ${{ secrets.VAULTCA }}
 ```
 - **jwt**: you must provide a `role` & `jwtPrivateKey` parameters, additionally you can pass `jwtKeyPassword` & `jwtTtl` parameters
 ```yaml
 ...
 with:
  url: https://vault.mycompany.com:8200
  method: jwt
  role: github-action
  jwtPrivateKey: ${{ secrets.JWT_PRIVATE_KEY }}
  jwtKeyPassword: ${{ secrets.JWT_KEY_PASS }}
  jwtTtl: 3600 # 1 hour, default value
 ```
 If any other method is specified and you provide an `authPayload`, the action will attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token.
@ -254,6 +265,10 @@ Here are all the inputs available through `with`:
 | `roleId`            | The Role Id for App Role authentication                                                                                                              |         |          |
 | `secretId`          | The Secret Id for App Role authentication                                                                                                            |         |          |
 | `githubToken`       | The Github Token to be used to authenticate with Vault                                                                                               |         |          |
 | `role`              | Vault role for specified auth method                                                                                                                 |         |          |
 | `jwtPrivateKey`     | Base64 encoded Private key to sign JWT                                                                                                               |         |          |
 | `jwtKeyPassword`    | Password for key stored in jwtPrivateKey (if needed)                                                                                                 |         |          |
 | `jwtTtl`            | Time in seconds, after which token expires                                                                                                           |         | 3600     |
 | `authPayload`       | The JSON payload to be sent to Vault when using a custom authentication method.                                                                      |         |          |
 | `extraHeaders`      | A string of newline separated extra headers to include on every request.                                                                             |         |          |
 | `exportEnv`         | Whether or not export secrets as environment variables.                                                                                              | `true`  |          |
--- a/action.yml
+++ b/action.yml
@ -53,6 +53,19 @@ inputs:
    description: 'When set to true, disables verification of the Vault server certificate.  Setting this to true in production is not recommended.'
    required: false
    default: "false"
  role:
    description: 'Vault role for specified auth method'
    required: false
  jwtPrivateKey:
    description: 'Base64 encoded Private key to sign JWT'
    required: false
  jwtKeyPassword:
    description: 'Password for key stored in jwtPrivateKey (if needed)'
    required: false
  jwtTtl:
    description: 'Time in seconds, after which token expires'
    required: false
    default: 3600
 runs:
  using: 'node12'
  main: 'dist/index.js'
--- a/integrationTests/basic/jwt_auth.test.js
+++ b/integrationTests/basic/jwt_auth.test.js
@ -0,0 +1,126 @@
 jest.mock('@actions/core');
 jest.mock('@actions/core/lib/command');
 const core = require('@actions/core');
 const {
    privateRsaKeyBase64,
    publicRsaKey
 } = require('./rsa_keys');
 const got = require('got');
 const { when } = require('jest-when');
 const { exportSecrets } = require('../../src/action');
 const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
 describe('jwt auth', () => {
    beforeAll(async () => {
        // Verify Connection
        await got(`${vaultUrl}/v1/secret/config`, {
            headers: {
                'X-Vault-Token': 'testtoken',
            },
        });
        try {
            await got(`${vaultUrl}/v1/sys/auth/jwt`, {
                method: 'POST',
                headers: {
                    'X-Vault-Token': 'testtoken',
                },
                json: {
                    type: 'jwt'
                }
            });
        } catch (error) {
            const {response} = error;
            if (response.statusCode === 400 && response.body.includes("path is already in use")) {
                // Auth method might already be enabled from previous test runs
            } else {
                throw error;
            }
        }
        await got(`${vaultUrl}/v1/sys/policy/reader`, {
            method: 'PUT',
            headers: {
                'X-Vault-Token': 'testtoken',
            },
            json: {
                policy: `
                path "*" {
                    capabilities = ["read"]
                }
                `
            }
        });
        await got(`${vaultUrl}/v1/auth/jwt/config`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': 'testtoken',
            },
            json: {
                jwt_validation_pubkeys: publicRsaKey
            }
        });
        await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': 'testtoken',
            },
            json: {
                role_type: 'jwt',
                bound_audiences: null,
                bound_claims: {
                    iss: 'vault-action'
                },
                user_claim: 'iss',
                policies: ['reader']
            }
        });
        await got(`${vaultUrl}/v1/secret/data/test`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': 'testtoken',
            },
            json: {
                data: {
                    secret: 'SUPERSECRET',
                },
            },
        });
    });
    beforeEach(() => {
        jest.resetAllMocks();
        when(core.getInput)
            .calledWith('url')
            .mockReturnValueOnce(`${vaultUrl}`);
        when(core.getInput)
            .calledWith('method')
            .mockReturnValueOnce('jwt');
        when(core.getInput)
            .calledWith('jwtPrivateKey')
            .mockReturnValueOnce(privateRsaKeyBase64);
        when(core.getInput)
            .calledWith('role')
            .mockReturnValueOnce('default');
        when(core.getInput)
            .calledWith('secrets')
            .mockReturnValueOnce('secret/data/test secret');
    });
    it('successfully authenticates', async () => {
        await exportSecrets();
        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
    });
 });
--- a/integrationTests/basic/rsa_keys.js
+++ b/integrationTests/basic/rsa_keys.js
@ -0,0 +1,77 @@
 const privateRsaKey = `
 -----BEGIN RSA PRIVATE KEY-----
 MIIJKAIBAAKCAgEAwavSHLLo7bUSuKX2EKu3YStrNTGdmhku7sAFaeDyi9His1oo
 t+wzajWp1rqHaGVk4b5o5z6D7Xhm0zYPhpTTvEd3NyONc9sjVd7sf9rQaBY3QusP
 YAdF6j0ydTJGnTeG9N2zhHjdMLR+3F39F9Ry6vddS9w3ibjVERucQtpqGhy5TIWh
 ttk3gN3A7dk972+WCQeKUCC6wU6PvAEUPflThQc1hSHldpjVUHQlZkQXl/XHWBzZ
 ESwMgiQcAmVL3lkvxmgIYscqWzf8cTHogNrPml9Il89N+2XYcEfXgWLOyzGhQggi
 gN9DRHDDE1UWT1foHnmeXAIZPCveKZc/Jp5SASIxaZ+r73mWjVt19GSvEsqtejDR
 mMC3jrYCdISrCVsHkbRQq7/yLCi5sJG9p2gD91jCgaBy2tw22nWN/KoHm9p/mhzW
 mlWwVJrFTNiP0qccyoa5h1a6WBPt0oCKQk3IAMV5HhVw4DhPx8gvh7qwOZk9vXXA
 FyA8bWhOVIFIJ8i8Gq25y7/bukyzqsEPkQ2mKgbQnh3VOUCSugJFodPC/Jf7VQK1
 yRpUZH2v7r9cBjHVnUnePGac3Zns7/iRYBvK5cIFUg+X48VXIMKIvs4EA8ee8Vac
 Vh8tyR6EuP42BU5fGQlvLC+ZKT165maQv/Vlf52E9W2iFNt3sxB0KFtOkbkCAwEA
 AQKCAgBwAwAyuQce9GsvgE0gtzAIcyQ+T8PnLEmIrGZ1JjUhyPJk6PBD78iM1Ry1
 pIxMRNhj98yUcgO7hLdz0QCJxenwKyU4LsfRCh0VvSjriZKfoLm1al4qHArDv0E/
 pyRQKZ1UYiVBqOXFFZ+JtJJ9BdKxMwAyr9svPEd+7Yki4VAcaiCBsYgmSNthHOBI
 sCyyHseX0VSdo1BgHR/kjHs4nMtBVToPFduxDBPTxFkdHKTIrs3smEKzO9bALkJE
 4HFQ2CRZjDHNb4N/3pGSplriq6sGjbVel/dyPyU/S03I92zC+KFbn3jVMEunedBZ
 jgypNx55Ab4lWNFfi7+iLmfH3ilumsajGSRGVTo0evuBhK5obUudHeXxmvEBa81n
 yo38swQFcSF9VOYwLDud6WgryTGLejRspWxbbV1pLp4uBvcDJktzh/fGyboZc2oG
 kmrozTenuLEsf85T8o6W9kOe4vNBFngMPjDf9rOw6zMFxO0Iy3d7ag9z0ccGV3zh
 66QijkWPXQfaLOaueGCQakS9BI4AJCIIjqv51jo8D86fHOdUwK2RlhVBHW6k+XJo
 VGVbeOLNbcOHA0/BU10ZX16F8ZKKBWs0NfNg5O7Vvr6qyAp4zQyUSfXgJHS0De2E
 5sLAr8+lemdd/pP/Oi8GHFmo+rwDheH1EYyziA2zm8Zmc7q+QQKCAQEA/LRs4LOJ
 XlwDfQE9w5L6geJ/jAKClrGOtP5tzBDjWSZ3xPZeBChXc5U+n2IEyqFU9j2HQlMr
 XQl74aEclG/y0371zWm83OEQCEBp2z/VsP7JZuEGNxla1EO6hSZXAZDQrTeOodhZ
 6OL6wdIGCQvnFZuiJwCfGItmBBaUjxpRsmyrf9naOM1BwM4PpZUvv18iqoK7YhGz
 t9Bs6W/LP2WK3Ze5WShZXXsFxGoWvYJvs8pQYua2TF+SGsnmc8FfmHSFZdu8qhXa
 J5XIxjynFweWZqxxCnfS77ejhx1h5s8iwKT1la8VHUJ7Tgcdn98VTcJPRsyYg6TU
 xvztwvEfUA7eewKCAQEAxDJUmi3ksP/nMy1Ox7BEnnWKFiVS46g58m9qhF5y8Oib
 ypCPt3EvdrXvzjlYJojbXMr0yjvGqiBblDMjewdvxb4CTTAIy3iwOCfHBnzdyNYA
 XZjtuD991klQP/BB62CMbCiwC1XBJzN57qxHEgPBwtkQYgSI/M/hQWZehi8JgjW7
 PNjDPqYdIck78G8zUQM96u6Y0F+BoQuo/YgKXyeeMhtMiTITN9NpCwa5KdlDunZ0
 qlZe1GKnOHmCW0NgeMxNZTRTJXvU7wUigs4isR19GuLuXnHRIwBoydu0UgczCvgh
 cGv19uCU/DcoxFF0fGD1Uual1R8KH+0FpN3mnJW0WwKCAQEAxy1Sj70Srcvqd/Gt
 g+PqDMvAalNkKHBkoaXUVr6M4yydxCHHMpG1dAWTKT6xtiB4/ei7Hny9NgSOnuVE
 yH6AL1DnXnNUB+hgoZBbnxLuVCZOCgecxXr3i0yiy+XPOA2zXIPoqQoEu7mDmZb3
 aNP33KEhqooj282rp9dAWpaNBAwBFLFZ/eFSTSxdSs6OptDOWwTVutNnCp996HRU
 B3D6hfPbhDl4TmTzw782k0Im1tfEil98GjBN0U2HlX854Mkeh40tZAX7P64gZJdT
 v6QcWGrcYjrViFn+yzVOgASNSLf8VXF9O+W1mGelYugLO5HGuG/0WfZmOz0KDdfN
 LWW61wKCAQB8qaZMGSEYvmF/iShnhb70GKdXDvwuH3RCcTzzQrgyDvr+qQBIhSit
 e0kWdiVmxsrrmSIVZgoDi2/lKOFAiSciNGtt9DmCX/tIky3JF4os1J2C22shCWbB
 w++z0Mtx7fULvIavjRuf9vthBiJadfyl/BqGzW7lhIkSbyNci4K1M8L3FJxqsE4O
 a7kkOuQWc8LiBh0fObA6ThhgkBJXB+ti1ym4exLvA+vYz7rTtnNshVv35811kgHC
 xqJnrtYbq2T6C1dRl+9iuJaHGse8VoppjQv9AsDqRpZOvMVE4cIzFBrbPh4ZcfX4
 lGvY4hDr/weiV1/DnWdnhclySnT/xbfFAoIBADjm+PaaMVps8tfgNcLUjOoAQzXo
 /ReGOa/Zs7pu3nQp49b+9QBHRXXRrfeJ6NAVAJvgc8PIUsVKQ67yjf1sLHZUSGjc
 3wyaAChmMLgl+00kQ7VL4Ls1bEb4Qxho6zoCjvaorN6gcNO8D32Oecux9F9nWinK
 zJi1GLoJpVenFT+M4zTWOl3otcVzTDxknFYx9Vul84n2z28GYmw8I0RKcmBKCvHo
 q/JyRYl9XunMp/7QDA9IYKTJXqIkiD+ksKtDfWRsy+iLvuVv0z9gA+MlaRTGANpt
 ucZsYfhw34I5dpcqrYP4DErpKdYA3nsjx9rNQg0I4Zo7yVCRoiqRHa97GVQ=
 -----END RSA PRIVATE KEY-----
 `;
 const privateRsaKeyBase64 = Buffer.from(privateRsaKey).toString('base64');
 const publicRsaKey = `
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwavSHLLo7bUSuKX2EKu3
 YStrNTGdmhku7sAFaeDyi9His1oot+wzajWp1rqHaGVk4b5o5z6D7Xhm0zYPhpTT
 vEd3NyONc9sjVd7sf9rQaBY3QusPYAdF6j0ydTJGnTeG9N2zhHjdMLR+3F39F9Ry
 6vddS9w3ibjVERucQtpqGhy5TIWhttk3gN3A7dk972+WCQeKUCC6wU6PvAEUPflT
 hQc1hSHldpjVUHQlZkQXl/XHWBzZESwMgiQcAmVL3lkvxmgIYscqWzf8cTHogNrP
 ml9Il89N+2XYcEfXgWLOyzGhQggigN9DRHDDE1UWT1foHnmeXAIZPCveKZc/Jp5S
 ASIxaZ+r73mWjVt19GSvEsqtejDRmMC3jrYCdISrCVsHkbRQq7/yLCi5sJG9p2gD
 91jCgaBy2tw22nWN/KoHm9p/mhzWmlWwVJrFTNiP0qccyoa5h1a6WBPt0oCKQk3I
 AMV5HhVw4DhPx8gvh7qwOZk9vXXAFyA8bWhOVIFIJ8i8Gq25y7/bukyzqsEPkQ2m
 KgbQnh3VOUCSugJFodPC/Jf7VQK1yRpUZH2v7r9cBjHVnUnePGac3Zns7/iRYBvK
 5cIFUg+X48VXIMKIvs4EA8ee8VacVh8tyR6EuP42BU5fGQlvLC+ZKT165maQv/Vl
 f52E9W2iFNt3sxB0KFtOkbkCAwEAAQ==
 -----END PUBLIC KEY-----
 `;
 module.exports = {
    privateRsaKeyBase64,
    publicRsaKey
 };
--- a/package-lock.json
+++ b/package-lock.json
@ -8895,6 +8895,11 @@
        "verror": "1.10.0"
      }
    },
    "jsrsasign": {
      "version": "10.1.10",
      "resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-10.1.10.tgz",
      "integrity": "sha512-//Kkza0S/kFbK5fq6eVbwlM36tKes+ak6FfTn8+mFxKlYzN/3bVJDa0ZERGYu78QKWrXPpos+TIC1tTJDNFDRQ=="
    },
    "keyv": {
      "version": "4.0.3",
      "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.0.3.tgz",
--- a/package.json
+++ b/package.json
@ -45,7 +45,8 @@
    "homepage": "https://github.com/hashicorp/vault-action#readme",
    "dependencies": {
        "got": "^11.5.1",
-        "jsonata": "^1.8.2"
+        "jsonata": "^1.8.2",
        "jsrsasign": "^10.1.10"
    },
    "peerDependencies": {
        "@actions/core": ">=1 <2"
--- a/src/action.js
+++ b/src/action.js
@ -5,7 +5,7 @@ const got = require('got').default;
 const jsonata = require('jsonata');
 const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');
-const AUTH_METHODS = ['approle', 'token', 'github'];
+const AUTH_METHODS = ['approle', 'token', 'github', 'jwt'];
 async function exportSecrets() {
    const vaultUrl = core.getInput('url', { required: true });
--- a/src/auth.js
+++ b/src/auth.js
@ -1,5 +1,6 @@
 // @ts-check
 const core = require('@actions/core');
 const rsasign = require('jsrsasign');
 /***
 * Authenticate with Vault and retrieve a Vault token that can be used for requests.
@ -17,6 +18,15 @@ async function retrieveToken(method, client) {
            const githubToken = core.getInput('githubToken', { required: true });
            return await getClientToken(client, method, { token: githubToken });
        }
        case 'jwt': {
            const role = core.getInput('role', { required: true });
            const privateKeyRaw = core.getInput('jwtPrivateKey', { required: true });
            const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
            const keyPassword = core.getInput('jwtKeyPassword', { required: false });
            const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
            const jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
            return await getClientToken(client, method, { jwt: jwt, role: role });
        }
        default: {
            if (!method || method === 'token') {
                return core.getInput('token', { required: true });
@ -32,6 +42,32 @@ async function retrieveToken(method, client) {
    }
 }
 /***
 * Generates signed Json Web Token with specified private key and ttl
 * @param {string} privateKey
 * @param {string} keyPassword
 * @param {number} ttl
 */
 function generateJwt(privateKey, keyPassword, ttl) {
    const alg = 'RS256';
    const header = { alg: alg, typ: 'JWT' };
    const now = rsasign.KJUR.jws.IntDate.getNow();
    const payload = {
        iss: 'vault-action',
        iat: now,
        nbf: now,
        exp: now + ttl,
        event: process.env.GITHUB_EVENT_NAME,
        workflow: process.env.GITHUB_WORKFLOW,
        sha: process.env.GITHUB_SHA,
        actor: process.env.GITHUB_ACTOR,
        repository: process.env.GITHUB_REPOSITORY,
        ref: process.env.GITHUB_REF
    };
    const decryptedKey = rsasign.KEYUTIL.getKey(privateKey, keyPassword);
    return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey);
 }
 /***
 * Call the appropriate login endpoint and parse out the token in the response.
 * @param {import('got').Got} client