
Make optional instead of always, in case of untrusted steps

This commit is contained in:
Thomas 2022-08-03 15:46:23 +01:00
parent e92c0909f9
commit f93ffc6726
4 changed files with 23 additions and 18 deletions


@ -406,17 +406,12 @@ Here are all the inputs available through `with`:
| `extraHeaders` | A string of newline separated extra headers to include on every request. | | | | `extraHeaders` | A string of newline separated extra headers to include on every request. | | |
| `exportEnv` | Whether or not export secrets as environment variables. | `true` | | | `exportEnv` | Whether or not export secrets as environment variables. | `true` | |
| `exportToken` | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). | `false` | | | `exportToken` | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). | `false` | |
| `outputToken` | Whether or not to set the `vault_token` output to contain the Vault token after authentication. | `false` | |
| `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | | | `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | |
| `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | | | `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | |
| `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | | | `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
| `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | | | `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | |
Here are outputs that are always available:
| Output | Description |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| `vault_token` | The Vault either used for authentication, or obtained via an auth method. |
## Masking - Hiding Secrets from Logs ## Masking - Hiding Secrets from Logs
This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs. This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.

dist/index.js vendored

@ -16448,6 +16448,7 @@ async function exportSecrets() {
const vaultNamespace = core.getInput('namespace', { required: false }); const vaultNamespace = core.getInput('namespace', { required: false });
const extraHeaders = parseHeadersInput('extraHeaders', { required: false }); const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
const exportEnv = core.getInput('exportEnv', { required: false }) != 'false'; const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() != 'false';
const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false'; const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';
const secretsInput = core.getInput('secrets', { required: false }); const secretsInput = core.getInput('secrets', { required: false });
@ -16506,7 +16507,9 @@ async function exportSecrets() {
const client = got.extend(defaultOptions); const client = got.extend(defaultOptions);
command.issue('add-mask', vaultToken); command.issue('add-mask', vaultToken);
if (outputToken === true) {
core.setOutput('vault_token', `${vaultToken}`); core.setOutput('vault_token', `${vaultToken}`);
}
if (exportToken === true) { if (exportToken === true) {
core.exportVariable('VAULT_TOKEN', `${vaultToken}`); core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
} }


@ -12,6 +12,7 @@ async function exportSecrets() {
const vaultNamespace = core.getInput('namespace', { required: false }); const vaultNamespace = core.getInput('namespace', { required: false });
const extraHeaders = parseHeadersInput('extraHeaders', { required: false }); const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
const exportEnv = core.getInput('exportEnv', { required: false }) != 'false'; const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() != 'false';
const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false'; const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';
const secretsInput = core.getInput('secrets', { required: false }); const secretsInput = core.getInput('secrets', { required: false });
@ -70,7 +71,9 @@ async function exportSecrets() {
const client = got.extend(defaultOptions); const client = got.extend(defaultOptions);
command.issue('add-mask', vaultToken); command.issue('add-mask', vaultToken);
if (outputToken === true) {
core.setOutput('vault_token', `${vaultToken}`); core.setOutput('vault_token', `${vaultToken}`);
}
if (exportToken === true) { if (exportToken === true) {
core.exportVariable('VAULT_TOKEN', `${vaultToken}`); core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
} }
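Review bot: The `outputToken` parse added in the first hunk treats every value except the literal string `false` as true, so a workflow that writes `outputToken: no` or `outputToken: 0` by mistake would silently expose the Vault token as a step output, which is the opposite of the fail-closed behaviour this commit is after. Because this flag gates handing a credential to every later step in the job (the `add-mask` on the line above only redacts it from logs), parse it strictly: `const outputToken = (core.getInput('outputToken', { required: false }) || '').trim().toLowerCase() === 'true';`. The existing `exportToken` line has the same lenient shape, so tightening both together keeps them consistent; if the vendored `@actions/core` exposes `getBooleanInput`, that is the conventional way to do it. The body of `exportSecrets` starts and ends outside these hunks.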


@ -184,6 +184,12 @@ describe('exportSecrets', () => {
.mockReturnValueOnce(doExport); .mockReturnValueOnce(doExport);
} }
function mockOutputToken(doOutput) {
when(core.getInput)
.calledWith('outputToken', expect.anything())
.mockReturnValueOnce(doOutput);
}
it('simple secret retrieval', async () => { it('simple secret retrieval', async () => {
mockInput('test key'); mockInput('test key');
mockVaultData({ mockVaultData({
@ -194,7 +200,6 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('intl secret retrieval', async () => { it('intl secret retrieval', async () => {
@ -207,7 +212,6 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('测试', '1'); expect(core.exportVariable).toBeCalledWith('测试', '1');
expect(core.setOutput).toBeCalledWith('测试', '1'); expect(core.setOutput).toBeCalledWith('测试', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('mapped secret retrieval', async () => { it('mapped secret retrieval', async () => {
@ -220,7 +224,6 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1'); expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1');
expect(core.setOutput).toBeCalledWith('TEST_NAME', '1'); expect(core.setOutput).toBeCalledWith('TEST_NAME', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('simple secret retrieval from K/V v1', async () => { it('simple secret retrieval from K/V v1', async () => {
@ -238,7 +241,6 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('simple secret retrieval with extra headers', async () => { it('simple secret retrieval with extra headers', async () => {
@ -254,7 +256,6 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('nested secret retrieval', async () => { it('nested secret retrieval', async () => {
@ -267,7 +268,6 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1'); expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1');
expect(core.setOutput).toBeCalledWith('key__value', '1'); expect(core.setOutput).toBeCalledWith('key__value', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('export Vault token', async () => { it('export Vault token', async () => {
@ -284,7 +284,6 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE'); expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('not export Vault token', async () => { it('not export Vault token', async () => {
@ -300,7 +299,6 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('single-line secret gets masked', async () => { it('single-line secret gets masked', async () => {
@ -316,7 +314,6 @@ describe('exportSecrets', () => {
expect(command.issue).toBeCalledWith('add-mask', 'secret'); expect(command.issue).toBeCalledWith('add-mask', 'secret');
expect(core.setOutput).toBeCalledWith('key', 'secret'); expect(core.setOutput).toBeCalledWith('key', 'secret');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}) })
it('multi-line secret gets masked for each line', async () => { it('multi-line secret gets masked for each line', async () => {
@ -338,7 +335,6 @@ with blank lines
expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string'); expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
expect(command.issue).toBeCalledWith('add-mask', 'with blank lines'); expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
expect(core.setOutput).toBeCalledWith('key', multiLineString); expect(core.setOutput).toBeCalledWith('key', multiLineString);
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}) })
it('export only Vault token, no secrets', async () => { it('export only Vault token, no secrets', async () => {
@ -348,6 +344,14 @@ with blank lines
expect(core.exportVariable).toBeCalledTimes(1); expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE'); expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
})
it('output only Vault token, no secrets', async () => {
mockOutputToken("true")
await exportSecrets();
expect(core.setOutput).toBeCalledTimes(1);
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}) })
}); });
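Review bot: The new `output only Vault token, no secrets` case pins only the opt-in path; nothing in the file now asserts the default, because the ten `expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE')` lines were dropped rather than inverted. The property this commit exists to establish — the token is not emitted as an output unless `outputToken` is set — should be checked explicitly, e.g. in `not export Vault token` add `expect(core.setOutput).not.toBeCalledWith('vault_token', expect.anything());`. A companion case using `mockOutputToken("false")`, and one with a value such as `"no"` (which the `!= 'false'` comparison in the source hunk currently treats as true), would document the accepted spellings and catch a regression in the parser. The enclosing `describe('exportSecrets')` block begins before this section.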