make "role" input optional (#291)

* make "role" input optional Per Vault documentation it doesn't have to be provided, and the auth provider's "default_role" parameter is required precisely for this case. https://www.vaultproject.io/api/auth/jwt
hashicorp · Apr 7, 2022 · 2f64a97 · 2f64a97
1 parent 25c4aec
commit 2f64a97
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 9 deletions.
diff --git a/integrationTests/basic/jwt_auth.test.js b/integrationTests/basic/jwt_auth.test.js
@@ -51,6 +51,9 @@ function mockGithubOIDCResponse(aud= "https://github.com/hashicorp/vault-action"
     return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey);
 }
 
+// The sign call inside this function takes a while to run, so cache the default JWT in a constant.
+const defaultGithubJwt = mockGithubOIDCResponse();
+
 describe('jwt auth', () => {
     beforeAll(async () => {
         // Verify Connection
@@ -99,7 +102,8 @@ describe('jwt auth', () => {
                 'X-Vault-Token': 'testtoken',
             },
             json: {
-                jwt_validation_pubkeys: publicRsaKey
+                jwt_validation_pubkeys: publicRsaKey,
+                default_role: "default"
             }
         });
 
@@ -198,20 +202,20 @@ describe('jwt auth', () => {
                 .calledWith('jwtPrivateKey')
                 .mockReturnValueOnce('');
 
-            when(core.getInput)
-                .calledWith('role')
-                .mockReturnValueOnce('default');
-
             when(core.getInput)
                 .calledWith('secrets')
                 .mockReturnValueOnce('secret/data/test secret');
+        });
+
+        it('successfully authenticates', async () => {
+            when(core.getInput)
+                .calledWith('role')
+                .mockReturnValueOnce('default');
 
             when(core.getIDToken)
                 .calledWith()
-                .mockReturnValueOnce(mockGithubOIDCResponse());
-        });
+                .mockReturnValueOnce(defaultGithubJwt);
 
-        it('successfully authenticates', async () => {
             await exportSecrets();
             expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
         });
@@ -233,6 +237,19 @@ describe('jwt auth', () => {
             expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
         })
 
+        it('successfully authenticates as default role without specifying it', async () => {
+            when(core.getInput)
+                .calledWith('role')
+                .mockReturnValueOnce(null);
+
+            when(core.getIDToken)
+                .calledWith()
+                .mockReturnValueOnce(defaultGithubJwt);
+
+            await exportSecrets();
+            expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
+        })
+
     });
 
 });
diff --git a/src/auth.js b/src/auth.js
@@ -25,7 +25,7 @@ async function retrieveToken(method, client) {
         case 'jwt': {
             /** @type {string} */
             let jwt;
-            const role = core.getInput('role', { required: true });
+            const role = core.getInput('role', { required: false });
             const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false });
             const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
             const keyPassword = core.getInput('jwtKeyPassword', { required: false });