mirror of
https://github.com/hashicorp/vault-action.git
synced 2025-11-07 07:06:56 +00:00
3b9239de79
* feat(authenticate): add approle auth method * docs(readme): update readme * fix: update index.js * fix: update got to 10.2.2 to fix ncc * chore: clean up code slightly * chore: update tests to use got correctly * chore(test): fix integration tests * chore: streamline method logic * chore: make role and secret required in approle Co-authored-by: Sébastien FAUVART <sebastien.fauvart@gmail.com> Co-authored-by: Richard Simpson <richardsimpson@outlook.com>
135 lines
4.5 KiB
JavaScript
135 lines
4.5 KiB
JavaScript
const core = require('@actions/core');
|
|
const command = require('@actions/core/lib/command');
|
|
const got = require('got');
|
|
|
|
const AUTH_METHODS = ['approle', 'token'];
|
|
async function exportSecrets() {
|
|
const vaultUrl = core.getInput('url', { required: true });
|
|
const vaultNamespace = core.getInput('namespace', { required: false });
|
|
|
|
const secretsInput = core.getInput('secrets', { required: true });
|
|
const secrets = parseSecretsInput(secretsInput);
|
|
|
|
const vaultMethod = core.getInput('method', { required: false }) || 'token';
|
|
if (!AUTH_METHODS.includes(vaultMethod)) {
|
|
throw Error(`Sorry, the authentication method ${vaultMethod} is not currently supported.`);
|
|
}
|
|
|
|
let vaultToken = null;
|
|
switch (vaultMethod) {
|
|
case 'approle':
|
|
const vaultRoleId = core.getInput('roleId', { required: true });
|
|
const vaultSecretId = core.getInput('secretId', { required: true });
|
|
core.debug('Try to retrieve Vault Token from approle');
|
|
var options = {
|
|
headers: {},
|
|
json: { role_id: vaultRoleId, secret_id: vaultSecretId },
|
|
responseType: 'json'
|
|
};
|
|
|
|
if (vaultNamespace != null) {
|
|
options.headers["X-Vault-Namespace"] = vaultNamespace;
|
|
}
|
|
|
|
const result = await got.post(`${vaultUrl}/v1/auth/approle/login`, options);
|
|
if (result && result.body && result.body.auth && result.body.auth.client_token) {
|
|
vaultToken = result.body.auth.client_token;
|
|
core.debug('✔ Vault Token has retrieved from approle');
|
|
} else {
|
|
throw Error(`No token was retrieved with the role_id and secret_id provided.`);
|
|
}
|
|
break;
|
|
default:
|
|
vaultToken = core.getInput('token', { required: true });
|
|
break;
|
|
}
|
|
|
|
for (const secret of secrets) {
|
|
const { secretPath, outputName, secretKey } = secret;
|
|
const requestOptions = {
|
|
headers: {
|
|
'X-Vault-Token': vaultToken
|
|
},
|
|
};
|
|
|
|
if (vaultNamespace != null) {
|
|
requestOptions.headers["X-Vault-Namespace"] = vaultNamespace;
|
|
}
|
|
|
|
const result = await got(`${vaultUrl}/v1/secret/data/${secretPath}`, requestOptions);
|
|
|
|
const parsedResponse = JSON.parse(result.body);
|
|
const vaultKeyData = parsedResponse.data;
|
|
const versionData = vaultKeyData.data;
|
|
const value = versionData[secretKey];
|
|
command.issue('add-mask', value);
|
|
core.exportVariable(outputName, `${value}`);
|
|
core.debug(`✔ ${secretPath} => ${outputName}`);
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Parses a secrets input string into key paths and their resulting environment variable name.
|
|
* @param {string} secretsInput
|
|
*/
|
|
function parseSecretsInput(secretsInput) {
|
|
const secrets = secretsInput
|
|
.split(';')
|
|
.filter(key => !!key)
|
|
.map(key => key.trim())
|
|
.filter(key => key.length !== 0);
|
|
|
|
/** @type {{ secretPath: string; outputName: string; dataKey: string; }[]} */
|
|
const output = [];
|
|
for (const secret of secrets) {
|
|
let path = secret;
|
|
let outputName = null;
|
|
|
|
const renameSigilIndex = secret.lastIndexOf('|');
|
|
if (renameSigilIndex > -1) {
|
|
path = secret.substring(0, renameSigilIndex).trim();
|
|
outputName = secret.substring(renameSigilIndex + 1).trim();
|
|
|
|
if (outputName.length < 1) {
|
|
throw Error(`You must provide a value when mapping a secret to a name. Input: "${secret}"`);
|
|
}
|
|
}
|
|
|
|
const pathParts = path
|
|
.split(/\s+/)
|
|
.map(part => part.trim())
|
|
.filter(part => part.length !== 0);
|
|
|
|
if (pathParts.length !== 2) {
|
|
throw Error(`You must provide a valid path and key. Input: "${secret}"`)
|
|
}
|
|
|
|
const [secretPath, secretKey] = pathParts;
|
|
|
|
// If we're not using a mapped name, normalize the key path into a variable name.
|
|
if (!outputName) {
|
|
outputName = normalizeOutputKey(secretKey);
|
|
}
|
|
|
|
output.push({
|
|
secretPath,
|
|
outputName,
|
|
secretKey
|
|
});
|
|
}
|
|
return output;
|
|
}
|
|
|
|
/**
|
|
* Replaces any forward-slash characters to
|
|
* @param {string} dataKey
|
|
*/
|
|
function normalizeOutputKey(dataKey) {
|
|
return dataKey.replace('/', '__').replace(/[^\w-]/, '').toUpperCase();
|
|
}
|
|
|
|
module.exports = {
|
|
exportSecrets,
|
|
parseSecretsInput,
|
|
normalizeOutputKey
|
|
};
|