actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-10 00:26:55 +00:00
Code Activity Actions

feat: kv v1 and engine name

Browse source
This commit is contained in:
Giancarlo 2020-01-14 14:54:11 -03:00
parent 3b9239de79
commit fa325aa881
7 changed files with 385 additions and 127 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
.github/workflows/build.yml vendored
View file

@ -110,7 +110,7 @@ jobs:
env: env:
VAULT_HOST: localhost VAULT_HOST: localhost
VAULT_PORT: ${{ job.services.vault.ports[8200] }} VAULT_PORT: ${{ job.services.vault.ports[8200] }}
- name: use vault action - name: use vault action (default K/V version 2)
uses: ./ uses: ./
with: with:
url: http://localhost:${{ job.services.vault.ports[8200] }} url: http://localhost:${{ job.services.vault.ports[8200] }}
@ -119,6 +119,17 @@ jobs:
test secret ; test secret ;
test secret | NAMED_SECRET ; test secret | NAMED_SECRET ;
nested/test otherSecret ; nested/test otherSecret ;
- name: use vault action (custom K/V version 1)
uses: ./
with:
url: http://localhost:${{ job.services.vault.ports[8200] }}
token: testtoken
engine-name: my-secret
kv-version: 1
secrets: |
test altSecret ;
test altSecret | NAMED_ALTSECRET ;
nested/test otherAltSecret ;
- name: verify - name: verify
run: npm run test:e2e run: npm run test:e2e

52
action.js
View file

@ -7,6 +7,9 @@ async function exportSecrets() {
const vaultUrl = core.getInput('url', { required: true }); const vaultUrl = core.getInput('url', { required: true });
const vaultNamespace = core.getInput('namespace', { required: false }); const vaultNamespace = core.getInput('namespace', { required: false });
let engineName = core.getInput('engine-name', { required: false });
let kvVersion = core.getInput('kv-version', { required: false });
const secretsInput = core.getInput('secrets', { required: true }); const secretsInput = core.getInput('secrets', { required: true });
const secrets = parseSecretsInput(secretsInput); const secrets = parseSecretsInput(secretsInput);
@ -44,6 +47,20 @@ async function exportSecrets() {
break; break;
} }
if (!engineName){
engineName = 'secret';
}
if (!kvVersion){
kvVersion = '2';
}
if (kvVersion !== '1' && kvVersion !== '2') {
throw Error(`You must provide a valid K/V version. Input: "${kvVersion}"`);
}
kvVersion = parseInt(kvVersion);
for (const secret of secrets) { for (const secret of secrets) {
const { secretPath, outputName, secretKey } = secret; const { secretPath, outputName, secretKey } = secret;
const requestOptions = { const requestOptions = {
@ -56,12 +73,13 @@ async function exportSecrets() {
requestOptions.headers["X-Vault-Namespace"] = vaultNamespace; requestOptions.headers["X-Vault-Namespace"] = vaultNamespace;
} }
const result = await got(`${vaultUrl}/v1/secret/data/${secretPath}`, requestOptions); const requestPath = (kvVersion === 1)
? `${vaultUrl}/v1/${engineName}/${secretPath}`
: `${vaultUrl}/v1/${engineName}/data/${secretPath}`;
const result = await got(requestPath, requestOptions);
const parsedResponse = JSON.parse(result.body); const secretData = parseResponse(result.body, kvVersion);
const vaultKeyData = parsedResponse.data; const value = secretData[secretKey];
const versionData = vaultKeyData.data;
const value = versionData[secretKey];
command.issue('add-mask', value); command.issue('add-mask', value);
core.exportVariable(outputName, `${value}`); core.exportVariable(outputName, `${value}`);
core.debug(`${secretPath} => ${outputName}`); core.debug(`${secretPath} => ${outputName}`);
@ -120,6 +138,29 @@ function parseSecretsInput(secretsInput) {
return output; return output;
} }
/**
* Parses a JSON response and returns the secret data
* @param {string} responseBody
* @param {number} kvVersion
*/
function parseResponse(responseBody, kvVersion) {
const parsedResponse = JSON.parse(responseBody);
let secretData;
switch(kvVersion) {
case 1:
secretData = parsedResponse.data;
break;
case 2:
const vaultKeyData = parsedResponse.data;
secretData = vaultKeyData.data;
break;
}
return secretData;
}
/** /**
* Replaces any forward-slash characters to * Replaces any forward-slash characters to
* @param {string} dataKey * @param {string} dataKey
@ -131,5 +172,6 @@ function normalizeOutputKey(dataKey) {
module.exports = { module.exports = {
exportSecrets, exportSecrets,
parseSecretsInput, parseSecretsInput,
parseResponse,
normalizeOutputKey normalizeOutputKey
}; };

86
action.test.js
View file

@ -7,6 +7,7 @@ const got = require('got');
const { const {
exportSecrets, exportSecrets,
parseSecretsInput, parseSecretsInput,
parseResponse
} = require('./action'); } = require('./action');
const { when } = require('jest-when'); const { when } = require('jest-when');
@ -82,6 +83,38 @@ describe('parseSecretsInput', () => {
}) })
}); });
describe('parseResponse', () => {
// https://www.vaultproject.io/api/secret/kv/kv-v1.html#sample-response
it('parses K/V version 1 response', () => {
const response = JSON.stringify({
data: {
foo: 'bar'
}
})
const output = parseResponse(response, 1);
expect(output).toEqual({
foo: 'bar'
});
});
// https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
it('parses K/V version 2 response', () => {
const response = JSON.stringify({
data: {
data: {
foo: 'bar'
}
}
})
const output = parseResponse(response, 2);
expect(output).toEqual({
foo: 'bar'
});
});
});
describe('exportSecrets', () => { describe('exportSecrets', () => {
beforeEach(() => { beforeEach(() => {
@ -89,27 +122,44 @@ describe('exportSecrets', () => {
when(core.getInput) when(core.getInput)
.calledWith('url') .calledWith('url')
.mockReturnValue('http://vault:8200'); .mockReturnValueOnce('http://vault:8200');
when(core.getInput) when(core.getInput)
.calledWith('token') .calledWith('token')
.mockReturnValue('EXAMPLE'); .mockReturnValueOnce('EXAMPLE');
}); });
function mockInput(key) { function mockInput(key) {
when(core.getInput) when(core.getInput)
.calledWith('secrets') .calledWith('secrets')
.mockReturnValue(key); .mockReturnValueOnce(key);
} }
function mockVaultData(data) { function mockVersion(version) {
got.mockResolvedValue({ when(core.getInput)
body: JSON.stringify({ .calledWith('kv-version')
data: { .mockReturnValueOnce(version);
data }
}
}) function mockVaultData(data, version='2') {
}); switch(version) {
case '1':
got.mockResolvedValue({
body: JSON.stringify({
data
})
});
break;
case '2':
got.mockResolvedValue({
body: JSON.stringify({
data: {
data
}
})
});
break;
}
} }
it('simple secret retrieval', async () => { it('simple secret retrieval', async () => {
@ -133,4 +183,18 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1'); expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1');
}); });
it('simple secret retrieval from K/V v1', async () => {
const version = '1';
mockInput('test key');
mockVersion(version);
mockVaultData({
key: 1
}, version);
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('KEY', '1');
});
}); });

78
integrationTests/basic/integration.test.js
View file

@ -39,6 +39,46 @@ describe('integration', () => {
data: { data: {
otherSecret: 'OTHERSUPERSECRET', otherSecret: 'OTHERSUPERSECRET',
}, },
}
});
// Enable custom secret engine
try {
await got(`${vaultUrl}/v1/sys/mounts/my-secret`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
type: 'kv'
}
});
} catch (error) {
const {response} = error;
if (response.statusCode === 400 && response.body.includes("path is already in use")) {
// Engine might already be enabled from previous test runs
} else {
throw error;
}
}
await got(`${vaultUrl}/v1/my-secret/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
secret: 'CUSTOMSECRET',
}
});
await got(`${vaultUrl}/v1/my-secret/nested/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
otherSecret: 'OTHERCUSTOMSECRET',
}, },
}); });
}); });
@ -48,17 +88,29 @@ describe('integration', () => {
when(core.getInput) when(core.getInput)
.calledWith('url') .calledWith('url')
.mockReturnValue(`${vaultUrl}`); .mockReturnValueOnce(`${vaultUrl}`);
when(core.getInput) when(core.getInput)
.calledWith('token') .calledWith('token')
.mockReturnValue('testtoken'); .mockReturnValueOnce('testtoken');
}); });
function mockInput(secrets) { function mockInput(secrets) {
when(core.getInput) when(core.getInput)
.calledWith('secrets') .calledWith('secrets')
.mockReturnValue(secrets); .mockReturnValueOnce(secrets);
}
function mockEngineName(name) {
when(core.getInput)
.calledWith('engine-name')
.mockReturnValueOnce(name);
}
function mockVersion(version) {
when(core.getInput)
.calledWith('kv-version')
.mockReturnValueOnce(version);
} }
it('get simple secret', async () => { it('get simple secret', async () => {
@ -99,4 +151,24 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET'); expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET'); expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET');
}); });
it('get secret from K/V v1', async () => {
mockInput('test secret');
mockEngineName('my-secret');
mockVersion('1');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET');
});
it('get nested secret from K/V v1', async () => {
mockInput('nested/test otherSecret');
mockEngineName('my-secret');
mockVersion('1');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERCUSTOMSECRET');
});
}); });

3
integrationTests/e2e/e2e.test.js
View file

@ -3,5 +3,8 @@ describe('e2e', () => {
expect(process.env.SECRET).toBe("SUPERSECRET"); expect(process.env.SECRET).toBe("SUPERSECRET");
expect(process.env.NAMED_SECRET).toBe("SUPERSECRET"); expect(process.env.NAMED_SECRET).toBe("SUPERSECRET");
expect(process.env.OTHERSECRET).toBe("OTHERSUPERSECRET"); expect(process.env.OTHERSECRET).toBe("OTHERSUPERSECRET");
expect(process.env.ALTSECRET).toBe("CUSTOMSECRET");
expect(process.env.NAMED_ALTSECRET).toBe("CUSTOMSECRET");
expect(process.env.OTHERALTSECRET).toBe("OTHERCUSTOMSECRET");
}); });
}); });

38
integrationTests/e2e/setup.js
View file

@ -1,15 +1,17 @@
const got = require('got'); const got = require('got');
const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
(async () => { (async () => {
try { try {
// Verify Connection // Verify Connection
await got(`http://${process.env.VAULT_HOST}:${process.env.VAULT_PORT}/v1/secret/config`, { await got(`http://${vaultUrl}/v1/secret/config`, {
headers: { headers: {
'X-Vault-Token': 'testtoken', 'X-Vault-Token': 'testtoken',
}, },
}); });
await got(`http://${process.env.VAULT_HOST}:${process.env.VAULT_PORT}/v1/secret/data/test`, { await got(`http://${vaultUrl}/v1/secret/data/test`, {
method: 'POST', method: 'POST',
headers: { headers: {
'X-Vault-Token': 'testtoken', 'X-Vault-Token': 'testtoken',
@ -21,7 +23,7 @@ const got = require('got');
}, },
}); });
await got(`http://${process.env.VAULT_HOST}:${process.env.VAULT_PORT}/v1/secret/data/nested/test`, { await got(`http://${vaultUrl}/v1/secret/data/nested/test`, {
method: 'POST', method: 'POST',
headers: { headers: {
'X-Vault-Token': 'testtoken', 'X-Vault-Token': 'testtoken',
@ -30,6 +32,36 @@ const got = require('got');
data: { data: {
otherSecret: 'OTHERSUPERSECRET', otherSecret: 'OTHERSUPERSECRET',
}, },
}
});
await got(`http://${vaultUrl}/v1/sys/mounts/my-secret`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
type: 'kv'
}
});
await got(`http://${vaultUrl}/v1/my-secret/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
altSecret: 'CUSTOMSECRET',
}
});
await got(`http://${vaultUrl}/v1/my-secret/nested/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
json: {
otherAltSecret: 'OTHERCUSTOMSECRET',
}, },
}); });
} catch (error) { } catch (error) {

228
integrationTests/enterprise/enterprise.test.js
View file

@ -20,48 +20,19 @@ describe('integration', () => {
}); });
// Create namespace // Create namespace
await got(`${vaultUrl}/v1/sys/namespaces/ns1`, { await enableNamespace('ns1');
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
}
});
// Enable secret engine // Enable K/V v2 secret engine at 'secret/'
await got(`${vaultUrl}/v1/sys/mounts/secret`, { await enableEngine('secret', 'ns1', 2);
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Namespace': 'ns1',
},
json: { path: 'secret', type: 'kv', config: {}, options: { version: 2 }, generate_signing_key: true },
});
await got(`${vaultUrl}/v1/secret/data/test`, { await writeSecret('secret', 'test', 'ns1', 2, {secret: 'SUPERSECRET_IN_NAMESPACE'})
method: 'POST', await writeSecret('secret', 'nested/test', 'ns1', 2, {otherSecret: 'OTHERSUPERSECRET_IN_NAMESPACE'})
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Namespace': 'ns1',
},
json: {
data: {
secret: 'SUPERSECRET_IN_NAMESPACE',
},
},
});
await got(`${vaultUrl}/v1/secret/data/nested/test`, { // Enable K/V v1 secret engine at 'my-secret/'
method: 'POST', await enableEngine('my-secret', 'ns1', 1);
headers: {
'X-Vault-Token': 'testtoken', await writeSecret('my-secret', 'test', 'ns1', 1, {secret: 'CUSTOMSECRET_IN_NAMESPACE'})
'X-Vault-Namespace': 'ns1', await writeSecret('my-secret', 'nested/test', 'ns1', 1, {otherSecret: 'OTHERCUSTOMSECRET_IN_NAMESPACE'})
},
json: {
data: {
otherSecret: 'OTHERSUPERSECRET_IN_NAMESPACE',
},
},
});
} catch (e) { } catch (e) {
console.error('Failed to setup test', e); console.error('Failed to setup test', e);
throw e; throw e;
@ -73,23 +44,17 @@ describe('integration', () => {
when(core.getInput) when(core.getInput)
.calledWith('url') .calledWith('url')
.mockReturnValue(`${vaultUrl}`); .mockReturnValueOnce(`${vaultUrl}`);
when(core.getInput) when(core.getInput)
.calledWith('token') .calledWith('token')
.mockReturnValue('testtoken'); .mockReturnValueOnce('testtoken');
when(core.getInput) when(core.getInput)
.calledWith('namespace') .calledWith('namespace')
.mockReturnValue('ns1'); .mockReturnValueOnce('ns1');
}); });
function mockInput(secrets) {
when(core.getInput)
.calledWith('secrets')
.mockReturnValue(secrets);
}
it('get simple secret', async () => { it('get simple secret', async () => {
mockInput('test secret'); mockInput('test secret');
@ -128,6 +93,26 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET_IN_NAMESPACE'); expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET_IN_NAMESPACE');
expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET_IN_NAMESPACE'); expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET_IN_NAMESPACE');
}); });
it('get secret from K/V v1', async () => {
mockInput('test secret');
mockEngineName('my-secret');
mockVersion('1');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET_IN_NAMESPACE');
});
it('get nested secret from K/V v1', async () => {
mockInput('nested/test otherSecret');
mockEngineName('my-secret');
mockVersion('1');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERCUSTOMSECRET_IN_NAMESPACE');
});
}); });
describe('authenticate with approle', () => { describe('authenticate with approle', () => {
@ -143,48 +128,34 @@ describe('authenticate with approle', () => {
}); });
// Create namespace // Create namespace
await got(`${vaultUrl}/v1/sys/namespaces/ns2`, { await enableNamespace("ns2");
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
},
});
// Enable secret engine // Enable K/V v2 secret engine at 'secret/'
await got(`${vaultUrl}/v1/sys/mounts/secret`, { await enableEngine("secret", "ns2", 2);
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Namespace': 'ns2',
},
json: { path: 'secret', type: 'kv', config: {}, options: { version: 2 }, generate_signing_key: true },
});
// Add secret // Add secret
await got(`${vaultUrl}/v1/secret/data/test`, { await writeSecret('secret', 'test', 'ns2', 2, {secret: 'SUPERSECRET_WITH_APPROLE'})
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Namespace': 'ns2',
},
json: {
data: {
secret: 'SUPERSECRET_WITH_APPROLE',
},
},
});
// Enable approle // Enable approle
await got(`${vaultUrl}/v1/sys/auth/approle`, { try {
method: 'POST', await got(`${vaultUrl}/v1/sys/auth/approle`, {
headers: { method: 'POST',
'X-Vault-Token': 'testtoken', headers: {
'X-Vault-Namespace': 'ns2', 'X-Vault-Token': 'testtoken',
}, 'X-Vault-Namespace': 'ns2',
json: { },
type: 'approle' json: {
}, type: 'approle'
}); },
});
} catch (error) {
const {response} = error;
if (response.statusCode === 400 && response.body.includes("path is already in use")) {
// Approle might already be enabled from previous test runs
} else {
throw error;
}
}
// Create policies // Create policies
await got(`${vaultUrl}/v1/sys/policies/acl/test`, { await got(`${vaultUrl}/v1/sys/policies/acl/test`, {
@ -232,7 +203,7 @@ describe('authenticate with approle', () => {
}); });
secretId = secretIdResponse.body.data.secret_id; secretId = secretIdResponse.body.data.secret_id;
} catch(err) { } catch(err) {
console.warn('Create approle', err); console.warn('Create approle', err.response.body);
throw err; throw err;
} }
}); });
@ -242,27 +213,21 @@ describe('authenticate with approle', () => {
when(core.getInput) when(core.getInput)
.calledWith('method') .calledWith('method')
.mockReturnValue('approle'); .mockReturnValueOnce('approle');
when(core.getInput) when(core.getInput)
.calledWith('roleId') .calledWith('roleId')
.mockReturnValue(roleId); .mockReturnValueOnce(roleId);
when(core.getInput) when(core.getInput)
.calledWith('secretId') .calledWith('secretId')
.mockReturnValue(secretId); .mockReturnValueOnce(secretId);
when(core.getInput) when(core.getInput)
.calledWith('url') .calledWith('url')
.mockReturnValue(`${vaultUrl}`); .mockReturnValueOnce(`${vaultUrl}`);
when(core.getInput) when(core.getInput)
.calledWith('namespace') .calledWith('namespace')
.mockReturnValue('ns2'); .mockReturnValueOnce('ns2');
}); });
function mockInput(secrets) {
when(core.getInput)
.calledWith('secrets')
.mockReturnValue(secrets);
}
it('authenticate with approle', async()=> { it('authenticate with approle', async()=> {
mockInput('test secret'); mockInput('test secret');
@ -271,3 +236,72 @@ describe('authenticate with approle', () => {
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET_WITH_APPROLE'); expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET_WITH_APPROLE');
}) })
}); });
async function enableNamespace(name) {
try {
await got(`${vaultUrl}/v1/sys/namespaces/${name}`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
}
});
} catch (error) {
const {response} = error;
if (response.statusCode === 400 && response.body.includes("already exists")) {
// Namespace might already be enabled from previous test runs
} else {
throw error;
}
}
}
async function enableEngine(path, namespace, version) {
try {
await got(`${vaultUrl}/v1/sys/mounts/${path}`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Namespace': namespace,
},
json: { type: 'kv', config: {}, options: { version }, generate_signing_key: true },
});
} catch (error) {
const {response} = error;
if (response.statusCode === 400 && response.body.includes("path is already in use")) {
// Engine might already be enabled from previous test runs
} else {
throw error;
}
}
}
async function writeSecret(engine, path, namespace, version, data) {
const secretPath = (version == 1) ? (`${engine}/${path}`) : (`${engine}/data/${path}`);
const secretPayload = (version == 1) ? (data) : ({data});
await got(`${vaultUrl}/v1/${secretPath}`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Namespace': namespace,
},
json: secretPayload
});
}
function mockInput(secrets) {
when(core.getInput)
.calledWith('secrets')
.mockReturnValueOnce(secrets);
}
function mockEngineName(name) {
when(core.getInput)
.calledWith('engine-name')
.mockReturnValueOnce(name);
}
function mockVersion(version) {
when(core.getInput)
.calledWith('kv-version')
.mockReturnValueOnce(version);
}