actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-14 18:13:45 +00:00
Code Activity Actions

make output more forgiving and shore up selectors

Browse source
This commit is contained in:
Richard Simpson 2020-04-11 23:49:29 -05:00
parent 5099ea65b2
commit fc73c8c906
5 changed files with 88 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
README.md
View file

@ -12,6 +12,7 @@ By default, this action pulls from [Version 2](https://www.vaultproject.io/docs
- [Simple Key](#simple-key) - [Simple Key](#simple-key)
- [Set Output Variable Name](#set-output-variable-name) - [Set Output Variable Name](#set-output-variable-name)
- [Multiple Secrets](#multiple-secrets) - [Multiple Secrets](#multiple-secrets)
- [Nested Secrets](#nested-secrets)
- [Using K/V version 1](#using-kv-version-1) - [Using K/V version 1](#using-kv-version-1)
- [Custom K/V Engine Path](#custom-kv-engine-path) - [Custom K/V Engine Path](#custom-kv-engine-path)
- [Other Secret Engines](#other-secret-engines) - [Other Secret Engines](#other-secret-engines)
@ -20,6 +21,7 @@ By default, this action pulls from [Version 2](https://www.vaultproject.io/docs
- [Namespace](#namespace) - [Namespace](#namespace)
- [Reference](#reference) - [Reference](#reference)
- [Masking - Hiding Secrets from Logs](#masking---hiding-secrets-from-logs) - [Masking - Hiding Secrets from Logs](#masking---hiding-secrets-from-logs)
- [Normalization](#normalization)
<!-- /TOC --> <!-- /TOC -->
@ -81,7 +83,7 @@ The `secrets` parameter is a set of multiple secret requests separated by the `;
Each secret request is comprised of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name. Each secret request is comprised of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
```raw ```raw
{{ Secret Path }} {{ Secret Key }} | {{ Output Variable Name }} {{ Secret Path }} {{ Secret Key or Selector }} | {{ Env/Output Variable Name }}
``` ```
### Simple Key ### Simple Key
@ -151,6 +153,21 @@ with:
ci/aws secretKey | AWS_SECRET_ACCESS_KEY ci/aws secretKey | AWS_SECRET_ACCESS_KEY
``` ```
### Nested Secrets
By default, `vault-action` will read the key specified of `data.data` for the K/V v2 engine (default), or `data` for K/V v1 and other secrets engines (see below for more info).
If you need to retrieve a sub-key from a JSON document, or are interested in some other component of the Vault response, you can specify a different key as the path to the desired out.
_**Important**_: You must specify an [Output Variable Name](#set-output-variable-name) when using this method.
```yaml
with:
secrets: |
my/path pair.key | NESTED_SECRET ;
```
Under the covers, we're using [JSONata](https://jsonata.org/) to provide the querying functionality. Any valid JSONata syntax is valid here, and will be outputed as a `JSON.stringify`-ied result.
### Using K/V version 1 ### Using K/V version 1
By default, `vault-action` expects a K/V engine using [version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2.html). By default, `vault-action` expects a K/V engine using [version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2.html).
@ -179,7 +196,7 @@ This way, the `ci` secret in the example above will be retrieved from `my-secret
While this action primarily supports the K/V engine, it is possible to request secrets from other engines in Vault. While this action primarily supports the K/V engine, it is possible to request secrets from other engines in Vault.
To do so when specifying the `Secret Path`, just append a leading formard slash (`/`) and specify the path as described in the Vault API documentation. To do so when specifying the `Secret Path`, just append a leading forward slash (`/`) and specify the path as described in the Vault API documentation.
For example, to retrieve a stored secret from the [`cubbyhole` engine](https://www.vaultproject.io/api-docs/secret/cubbyhole/), assuming you have a stored secret at the path `foo` with the contents: For example, to retrieve a stored secret from the [`cubbyhole` engine](https://www.vaultproject.io/api-docs/secret/cubbyhole/), assuming you have a stored secret at the path `foo` with the contents:
@ -231,7 +248,7 @@ with:
would work fine. would work fine.
NOTE: The `Secret Key` is pulled from the `data` property of the response. *NOTE: Per [Nested Secrets](#nested-secrets), the `Key` is pulled from the `data` property of the response.*
## Adding Extra Headers ## Adding Extra Headers
@ -247,13 +264,13 @@ with:
X-Secure-Secret: ${{ secrets.SECURE_SECRET }} X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
``` ```
This will automatically add the `x-secure-id` and `x-secure-secret` headers to every request to vault. This will automatically add the `x-secure-id` and `x-secure-secret` headers to every request to Vault.
## Vault Enterprise Features ## Vault Enterprise Features
### Namespace ### Namespace
If you need to retrieve secrets from a specific vault namespace, all that's required is an additional parameter specifying the namespace. If you need to retrieve secrets from a specific Vault namespace, all that's required is an additional parameter specifying the namespace.
```yaml ```yaml
steps: steps:
@ -273,7 +290,7 @@ steps:
## Reference ## Reference
Here is all the inputs available through `with`: Here are all the inputs available through `with`:
| Input | Description | Default | Required | | Input | Description | Default | Required |
| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- |
@ -295,3 +312,7 @@ Here is all the inputs available through `with`:
This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs. This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.
**This only obscures secrets from output logs.** If someone has the ability to edit your workflows, then they are able to read and therefore write secrets to somewhere else just like normal GitHub Secrets. **This only obscures secrets from output logs.** If someone has the ability to edit your workflows, then they are able to read and therefore write secrets to somewhere else just like normal GitHub Secrets.
## Normalization
To make it simpler to consume certain secrets as env vars, if no Env/Output Var Name is specified `vault-action` will replace and `.` chars with `__`, remove any other non-letter or number characters. If you're concerned about the result, it's recommended to provider an explicit Output Var Key.

30
dist/index.js vendored
View file

@ -11024,11 +11024,15 @@ async function getSecrets(secretRequests, client) {
* @param {string} selector * @param {string} selector
*/ */
function selectData(data, selector) { function selectData(data, selector) {
let result = JSON.stringify(jsonata(selector).evaluate(data)); const ata = jsonata(selector);
let result = JSON.stringify(ata.evaluate(data));
// Compat for custom engines // Compat for custom engines
if (!result && !selector.includes('.') && selector !== 'data' && 'data' in data) { if (!result && ata.ast().type === "path" && ata.ast()['steps'].length === 1 && selector !== 'data' && 'data' in data) {
result = JSON.stringify(jsonata(`data.${selector}`).evaluate(data)); result = JSON.stringify(jsonata(`data.${selector}`).evaluate(data));
} else if (!result) {
throw Error(`Unable to retrieve result for ${selector}. No match data was found. Double check your Key or Selector.`);
} }
if (result.startsWith(`"`)) { if (result.startsWith(`"`)) {
result = result.substring(1, result.length - 1); result = result.substring(1, result.length - 1);
} }
@ -13381,18 +13385,14 @@ function parseSecretsInput(secretsInput) {
/** @type {any} */ /** @type {any} */
const selectorAst = jsonata(selector).ast(); const selectorAst = jsonata(selector).ast();
if (selectorAst.type !== "path") { if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && !outputVarName) {
throw Error(`Invalid path selector.`);
}
if ((selectorAst.steps > 1 || selectorAst.steps[0].stages) && !outputVarName) {
throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`); throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
} }
let envVarName = outputVarName; let envVarName = outputVarName;
if (!outputVarName) { if (!outputVarName) {
outputVarName = selector; outputVarName = normalizeOutputKey(selector);
envVarName = normalizeOutputKey(outputVarName); envVarName = normalizeOutputKey(selector, true);
} }
output.push({ output.push({
@ -13406,11 +13406,17 @@ function parseSecretsInput(secretsInput) {
} }
/** /**
* Replaces any forward-slash characters to * Replaces any dot chars to __ and removes non-ascii charts
* @param {string} dataKey * @param {string} dataKey
* @param {boolean=} isEnvVar
*/ */
function normalizeOutputKey(dataKey) { function normalizeOutputKey(dataKey, isEnvVar = false) {
return dataKey.replace('/', '__').replace('.', '__').replace(/[^\w-]/, '').toUpperCase(); let outputKey = dataKey
.replace('.', '__').replace(/[^\p{L}\p{N}_-]/gu, '');
if (isEnvVar) {
outputKey = outputKey.toUpperCase();
}
return outputKey;
} }
/** /**

22
src/action.js
View file

@ -136,18 +136,14 @@ function parseSecretsInput(secretsInput) {
/** @type {any} */ /** @type {any} */
const selectorAst = jsonata(selector).ast(); const selectorAst = jsonata(selector).ast();
if (selectorAst.type !== "path") { if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && !outputVarName) {
throw Error(`Invalid path selector.`);
}
if ((selectorAst.steps > 1 || selectorAst.steps[0].stages) && !outputVarName) {
throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`); throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
} }
let envVarName = outputVarName; let envVarName = outputVarName;
if (!outputVarName) { if (!outputVarName) {
outputVarName = selector; outputVarName = normalizeOutputKey(selector);
envVarName = normalizeOutputKey(outputVarName); envVarName = normalizeOutputKey(selector, true);
} }
output.push({ output.push({
@ -161,11 +157,17 @@ function parseSecretsInput(secretsInput) {
} }
/** /**
* Replaces any forward-slash characters to * Replaces any dot chars to __ and removes non-ascii charts
* @param {string} dataKey * @param {string} dataKey
* @param {boolean=} isEnvVar
*/ */
function normalizeOutputKey(dataKey) { function normalizeOutputKey(dataKey, isEnvVar = false) {
return dataKey.replace('/', '__').replace('.', '__').replace(/[^\w-]/, '').toUpperCase(); let outputKey = dataKey
.replace('.', '__').replace(/[^\p{L}\p{N}_-]/gu, '');
if (isEnvVar) {
outputKey = outputKey.toUpperCase();
}
return outputKey;
} }
/** /**

26
src/action.test.js
View file

@ -87,7 +87,7 @@ describe('parseSecretsInput', () => {
outputVarName: 'SOME_C', outputVarName: 'SOME_C',
envVarName: 'SOME_C', envVarName: 'SOME_C',
}); });
}) });
}); });
describe('parseHeaders', () => { describe('parseHeaders', () => {
@ -190,6 +190,18 @@ describe('exportSecrets', () => {
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
}); });
it('intl secret retrieval', async () => {
mockInput('测试 测试');
mockVaultData({
测试: 1
});
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('测试', '1');
expect(core.setOutput).toBeCalledWith('测试', '1');
});
it('mapped secret retrieval', async () => { it('mapped secret retrieval', async () => {
mockInput('test key|TEST_NAME'); mockInput('test key|TEST_NAME');
mockVaultData({ mockVaultData({
@ -233,4 +245,16 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
}); });
it('nested secret retrieval', async () => {
mockInput('test key.value');
mockVaultData({
key: { value: 1 }
});
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1');
expect(core.setOutput).toBeCalledWith('key__value', '1');
});
}); });

8
src/secrets.js
View file

@ -55,11 +55,15 @@ async function getSecrets(secretRequests, client) {
* @param {string} selector * @param {string} selector
*/ */
function selectData(data, selector) { function selectData(data, selector) {
let result = JSON.stringify(jsonata(selector).evaluate(data)); const ata = jsonata(selector);
let result = JSON.stringify(ata.evaluate(data));
// Compat for custom engines // Compat for custom engines
if (!result && !selector.includes('.') && selector !== 'data' && 'data' in data) { if (!result && ata.ast().type === "path" && ata.ast()['steps'].length === 1 && selector !== 'data' && 'data' in data) {
result = JSON.stringify(jsonata(`data.${selector}`).evaluate(data)); result = JSON.stringify(jsonata(`data.${selector}`).evaluate(data));
} else if (!result) {
throw Error(`Unable to retrieve result for ${selector}. No match data was found. Double check your Key or Selector.`);
} }
if (result.startsWith(`"`)) { if (result.startsWith(`"`)) {
result = result.substring(1, result.length - 1); result = result.substring(1, result.length - 1);
} }