actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-14 18:13:45 +00:00
Code Activity Actions

fix: get token via @actions/core

Browse source 
- Update README
- Switch to use `getIDToken` method for Github token retrieval
- Bump `@actions/core` to 1.6.0
- Add `jwtGithubAudience` input
- Remove unnecessary code
This commit is contained in:
Alex Kulikovskikh 2021-10-02 11:20:21 -04:00
parent 2bffb94655
commit e093c295f7
6 changed files with 35811 additions and 15150 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
README.md
View file

@ -86,8 +86,28 @@ with:
githubToken: ${{ secrets.MY_GITHUB_TOKEN }} githubToken: ${{ secrets.MY_GITHUB_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }} caCertificate: ${{ secrets.VAULTCA }}
``` ```
- **jwt**: you must provide a `role` parameter, additionally you can pass `jwtPrivateKey`, `jwtKeyPassword` & `jwtTtl` parameters. - **jwt**: (Github OIDC) you must provide a `role` parameter, additionally you can pass `jwtGithubAudience` parameter.
Github provided JWT will be used if `jwtPrivateKey` was not specified
```yaml
...
with:
url: https://vault.mycompany.com:8200
method: jwt
role: github-action
```
**Notice:** For Github provided OIDC token to work workflow should have `id-token: write` & `contents: read` specified in the `permissions` section of a workflow
```yaml
...
permissions:
id-token: write
contents: read
...
```
- **jwt**: you must provide a `role` parameter, additionally you can pass `jwtPrivateKey`, `jwtKeyPassword`, & `jwtTtl` parameters.
```yaml ```yaml
... ...
with: with:
@ -99,16 +119,6 @@ with:
jwtTtl: 3600 # 1 hour, default value jwtTtl: 3600 # 1 hour, default value
``` ```
**Notice:** In order for Github provided JWT to work workflow should have `id-token: write` & `contents: read` specified in the `permissions` section of a workflow
```yaml
...
permissions:
id-token: write
contents: read
...
```
- **kubernetes**: you must provide the `role` paramaters. You can optionally override the `kubernetesTokenPath` paramater for custom mounted serviceAccounts. Consider [kubernetes auth](https://www.vaultproject.io/docs/auth/kubernetes) when using self-hosted runners on Kubernetes: - **kubernetes**: you must provide the `role` paramaters. You can optionally override the `kubernetesTokenPath` paramater for custom mounted serviceAccounts. Consider [kubernetes auth](https://www.vaultproject.io/docs/auth/kubernetes) when using self-hosted runners on Kubernetes:
```yaml ```yaml
... ...
@ -289,6 +299,7 @@ Here are all the inputs available through `with`:
| `githubToken` | The Github Token to be used to authenticate with Vault | | | | `githubToken` | The Github Token to be used to authenticate with Vault | | |
| `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | | | `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | |
| `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | | | `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | |
| `jwtGithubAudience` | Audience (`aud`) for Github OIDC token | sigstore| |
| `jwtTtl` | Time in seconds, after which token expires | | 3600 | | `jwtTtl` | Time in seconds, after which token expires | | 3600 |
| `kubernetesTokenPath` | The path to the service-account secret with the jwt token for kubernetes based authentication |`/var/run/secrets/kubernetes.io/serviceaccount/token` | | | `kubernetesTokenPath` | The path to the service-account secret with the jwt token for kubernetes based authentication |`/var/run/secrets/kubernetes.io/serviceaccount/token` | |
| `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | | | `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | |

3
action.yml
View file

@ -69,6 +69,9 @@ inputs:
jwtKeyPassword: jwtKeyPassword:
description: 'Password for key stored in jwtPrivateKey (if needed)' description: 'Password for key stored in jwtPrivateKey (if needed)'
required: false required: false
jwtGithubAudience:
description: ''
required: false
jwtTtl: jwtTtl:
description: 'Time in seconds, after which token expires' description: 'Time in seconds, after which token expires'
required: false required: false

1410
dist/index.js vendored
View file

File diff suppressed because it is too large Load diff

49466
package-lock.json generated
View file

File diff suppressed because it is too large Load diff

2
package.json
View file

@ -52,7 +52,7 @@
"@actions/core": ">=1 <2" "@actions/core": ">=1 <2"
}, },
"devDependencies": { "devDependencies": {
"@actions/core": "^1.2.3", "@actions/core": "^1.6.0",
"@types/got": "^9.6.11", "@types/got": "^9.6.11",
"@types/jest": "^26.0.13", "@types/jest": "^26.0.13",
"@zeit/ncc": "^0.22.3", "@zeit/ncc": "^0.22.3",

45
src/auth.js
View file

@ -2,7 +2,6 @@
const core = require('@actions/core'); const core = require('@actions/core');
const rsasign = require('jsrsasign'); const rsasign = require('jsrsasign');
const fs = require('fs'); const fs = require('fs');
const got = require('got').default;
const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token' const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
/*** /***
@ -26,17 +25,15 @@ async function retrieveToken(method, client) {
case 'jwt': { case 'jwt': {
/** @type {string} */ /** @type {string} */
let jwt; let jwt;
const actionsIDTokenRequestToken = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'];
const actionsIDTokenRequestURL = process.env['ACTIONS_ID_TOKEN_REQUEST_URL'];
const role = core.getInput('role', { required: true }); const role = core.getInput('role', { required: true });
const privateKeyRaw = core.getInput('jwtPrivateKey', { required: (!(actionsIDTokenRequestToken && actionsIDTokenRequestURL)) }); const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false });
const privateKey = Buffer.from(privateKeyRaw, 'base64').toString(); const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
const keyPassword = core.getInput('jwtKeyPassword', { required: false }); const keyPassword = core.getInput('jwtKeyPassword', { required: false });
const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
const githubAudience = core.getInput('jwtGithubAudience', { required: false });
if (!privateKeyRaw && actionsIDTokenRequestToken && actionsIDTokenRequestURL) { if (!privateKey) {
jwt = await getJwt(actionsIDTokenRequestToken, `${actionsIDTokenRequestURL}&audience=sigstore`); jwt = await core.getIDToken(githubAudience || 'sigstore')
} else { } else {
jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl)); jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
} }
@ -94,34 +91,6 @@ function generateJwt(privateKey, keyPassword, ttl) {
return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey); return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey);
} }
/***
* Call the appropriate endpoint and retrieves job's JWT
* @param {string} actionsIDTokenRequestToken
* @param {string} actionsIDTokenRequestURL
*/
async function getJwt(actionsIDTokenRequestToken, actionsIDTokenRequestURL) {
/** @type {'json'} */
const responseType = 'json';
const options = {
headers: {
Authorization: `Bearer ${actionsIDTokenRequestToken}`,
},
responseType,
};
const client = got.extend(options)
core.debug(`Retrieving Vault JWT from ${actionsIDTokenRequestURL} endpoint`);
/** @type {import('got').Response<GithubActionsIdTokenResponse>} */
const response = await client.get(actionsIDTokenRequestURL, options);
if (response && response.body && response.body.value) {
core.debug('✔ Github Actions ID Token successfully retrieved');
return response.body.value;
} else {
throw Error(`Unable to retrieve token from ${actionsIDTokenRequestURL}'s endpoint.`);
}
}
/*** /***
* Call the appropriate login endpoint and parse out the token in the response. * Call the appropriate login endpoint and parse out the token in the response.
* @param {import('got').Got} client * @param {import('got').Got} client
@ -167,12 +136,6 @@ async function getClientToken(client, method, path, payload) {
* }} auth * }} auth
*/ */
/***
* @typedef {Object} GithubActionsIdTokenResponse
* @property {string} value
* @property {string} count
*/
module.exports = { module.exports = {
retrieveToken, retrieveToken,
}; };