From 0226ed48d6d62d47b6097d8e6cd7a662eb10da26 Mon Sep 17 00:00:00 2001
From: BERTRAND ZANCO
Date: Tue, 22 Sep 2020 09:50:18 +0200
Subject: [PATCH 1/4] Add export Vault Token
---
 README.md | 1 +
 action.yml | 4 ++++
 src/action.js | 6 ++++++
 3 files changed, 11 insertions(+)
diff --git a/README.md b/README.md
index f9f68414..2fb07c7f 100644
--- a/README.md
+++ b/README.md
@@ -250,6 +250,7 @@ Here are all the inputs available through `with`:
 | `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | |
 | `extraHeaders` | A string of newline separated extra headers to include on every request. | | |
 | `exportEnv` | Whether or not export secrets as environment variables. | `true` | |
+| `exportToken` | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). | `false` | |
 | `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | |
 | `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | |
 | `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
diff --git a/action.yml b/action.yml
index fc8a2d01..b6b4ae33 100644
--- a/action.yml
+++ b/action.yml
@@ -36,6 +36,10 @@ inputs:
 description: 'Whether or not export secrets as environment variables.'
 default: 'true'
 required: false
+ exportToken:
+ description: 'Whether or not export Vault token as environment variables.'
+ default: 'false'
+ required: false
 caCertificate:
 description: 'Base64 encoded CA certificate to verify the Vault server certificate.'
 required: false
diff --git a/src/action.js b/src/action.js
index e6875ee2..82cd5edc 100644
--- a/src/action.js
+++ b/src/action.js
@@ -12,6 +12,7 @@ async function exportSecrets() {
 const vaultNamespace = core.getInput('namespace', { required: false });
 const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
 const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
+ const exportToken = core.getInput('exportToken', { required: false }) != 'false';
 const secretsInput = core.getInput('secrets', { required: true });
 const secretRequests = parseSecretsInput(secretsInput);
@@ -60,6 +61,11 @@ async function exportSecrets() {
 defaultOptions.headers['X-Vault-Token'] = vaultToken;
 const client = got.extend(defaultOptions);
+ if (exportToken) {
+ command.issue('add-mask', vaultToken);
+ core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
+ }
+
 const requests = secretRequests.map(request => {
 const { path, selector } = request;
 return request;
From 2ca42fb8f989e998ad9471ae7fb30e542163f387 Mon Sep 17 00:00:00 2001
From: BERTRAND ZANCO
Date: Wed, 23 Sep 2020 11:28:37 +0200
Subject: [PATCH 2/4] Set correct condition for default value
---
 dist/index.js | 6 ++++++
 src/action.js | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/dist/index.js b/dist/index.js
index 63ba5a3f..36bf68f2 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -14022,6 +14022,7 @@ async function exportSecrets() {
 const vaultNamespace = core.getInput('namespace', { required: false });
 const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
 const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
+ const exportToken = core.getInput('exportToken', { required: false }) == 'false';
 const secretsInput = core.getInput('secrets', { required: true });
 const secretRequests = parseSecretsInput(secretsInput);
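Review bot: The new `core.exportVariable('VAULT_TOKEN', ...)` block makes the Vault token readable by every later step of the job, including third-party actions, and the preceding `add-mask` only redacts it from the log; neither the action.yml description nor the README row in this patch says so. I would extend the input description to `'Export the Vault token as VAULT_TOKEN for all subsequent steps of the job (masked in logs, but readable by every later step).'` so users can weigh that before enabling it. `core.setSecret(vaultToken)` is the public @actions/core form of `command.issue('add-mask', ...)` if the version in use provides it, and the template literal around `vaultToken` is redundant unless the token can be a non-string, so `core.exportVariable('VAULT_TOKEN', vaultToken);` reads cleaner. exportSecrets starts and ends outside the hunk.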
@@ -14070,6 +14071,11 @@ async function exportSecrets() {
 defaultOptions.headers['X-Vault-Token'] = vaultToken;
 const client = got.extend(defaultOptions);
+ if (exportToken) {
+ command.issue('add-mask', vaultToken);
+ core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
+ }
+
 const requests = secretRequests.map(request => {
 const { path, selector } = request;
 return request;
diff --git a/src/action.js b/src/action.js
index 82cd5edc..a8089d72 100644
--- a/src/action.js
+++ b/src/action.js
@@ -12,7 +12,7 @@ async function exportSecrets() {
 const vaultNamespace = core.getInput('namespace', { required: false });
 const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
 const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
- const exportToken = core.getInput('exportToken', { required: false }) != 'false';
+ const exportToken = core.getInput('exportToken', { required: false }) == 'false';
 const secretsInput = core.getInput('secrets', { required: true });
 const secretRequests = parseSecretsInput(secretsInput);
From f2fb2d1d647fa4d56586f7700abd82de068066e3 Mon Sep 17 00:00:00 2001
From: BERTRAND ZANCO
Date: Wed, 23 Sep 2020 17:36:38 +0200
Subject: [PATCH 3/4] Add test for exportToken Fix key with dash
---
 dist/index.js | 19 ++++++-----
 integrationTests/basic/integration.test.js | 16 +++++-----
 src/action.js | 13 ++++----
 src/action.test.js | 37 ++++++++++++++++++++++
 src/secrets.js | 6 ++--
 5 files changed, 67 insertions(+), 24 deletions(-)
diff --git a/dist/index.js b/dist/index.js
index 36bf68f2..cd267d8a 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -10688,7 +10688,9 @@ async function getSecrets(secretRequests, client) {
 body = result.body;
 responseCache.set(requestPath, body);
 }
-
+ if (!selector.match(/.*[\.].*/)) {
+ selector = '"' + selector + '"'
+ }
 selector = "data." + selector
 body = JSON.parse(body)
 if (body.data["data"] != undefined) {
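Review bot: The changed condition `== 'false'` in src/action.js inverts the flag: the token is exported only when the caller sets `exportToken: false` and never when they set it to `true`, the opposite of the default and description added in the previous patch. For a flag that widens exposure of a secret, parse it fail-closed so that only an explicit true enables it: `const exportToken = (core.getInput('exportToken', { required: false }) || '').toLowerCase() === 'true';`. That also handles an empty or unmocked input without relying on action.yml supplying the default; the rewrite of the same line in the next patch (`|| 'false'` followed by `!= 'false'`) still treats any other string, a typo included, as true. exportSecrets starts and ends outside the hunk.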
@@ -10714,7 +10716,7 @@ function selectData(data, selector) {
 const ata = jsonata(selector);
 let result = JSON.stringify(ata.evaluate(data));
 // Compat for custom engines
- if (!result && ata.ast().type === "path" && ata.ast()['steps'].length === 1 && selector !== 'data' && 'data' in data) {
+ if (!result && ((ata.ast().type === "path" && ata.ast()['steps'].length === 1) || ata.ast().type === "string") && selector !== 'data' && 'data' in data) {
 result = JSON.stringify(jsonata(`data.${selector}`).evaluate(data));
 } else if (!result) {
 throw Error(`Unable to retrieve result for ${selector}. No match data was found. Double check your Key or Selector.`);
@@ -14022,7 +14024,7 @@ async function exportSecrets() {
 const vaultNamespace = core.getInput('namespace', { required: false });
 const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
 const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
- const exportToken = core.getInput('exportToken', { required: false }) == 'false';
+ const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';
 const secretsInput = core.getInput('secrets', { required: true });
 const secretRequests = parseSecretsInput(secretsInput);
@@ -14071,7 +14073,7 @@ async function exportSecrets() {
 defaultOptions.headers['X-Vault-Token'] = vaultToken;
 const client = got.extend(defaultOptions);
- if (exportToken) {
+ if (exportToken === true) {
 command.issue('add-mask', vaultToken);
 core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
 }
@@ -14140,12 +14142,13 @@ function parseSecretsInput(secretsInput) {
 throw Error(`You must provide a valid path and key. Input: "${secret}"`);
 }
- const [path, selector] = pathParts;
+ const [path, selectorQuoted] = pathParts;
 /** @type {any} */
- const selectorAst = jsonata(selector).ast();
+ const selectorAst = jsonata(selectorQuoted).ast();
+ const selector = selectorQuoted.replace(new RegExp('"', 'g'), '');
- if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && !outputVarName) {
+ if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
 throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
 }
@@ -14172,7 +14175,7 @@ function parseSecretsInput(secretsInput) {
 */
 function normalizeOutputKey(dataKey, isEnvVar = false) {
 let outputKey = dataKey
- .replace('.', '__').replace(/[^\p{L}\p{N}_-]/gu, '');
+ .replace('.', '__').replace(new RegExp('-', 'g'), '').replace(/[^\p{L}\p{N}_-]/gu, '');
 if (isEnvVar) {
 outputKey = outputKey.toUpperCase();
 }
diff --git a/integrationTests/basic/integration.test.js b/integrationTests/basic/integration.test.js
index 6c911d34..2c436c81 100644
--- a/integrationTests/basic/integration.test.js
+++ b/integrationTests/basic/integration.test.js
@@ -37,7 +37,7 @@ describe('integration', () => {
 },
 json: {
 data: {
- otherSecret: 'OTHERSUPERSECRET',
+ "other-Secret-dash": 'OTHERSUPERSECRET',
 },
 }
 });
@@ -100,7 +100,7 @@ describe('integration', () => {
 'X-Vault-Token': 'testtoken',
 },
 json: {
- otherSecret: 'OTHERCUSTOMSECRET',
+ "other-Secret-dash": 'OTHERCUSTOMSECRET',
 },
 });
 });
@@ -140,18 +140,18 @@ describe('integration', () => {
 });
 it('get nested secret', async () => {
- mockInput('secret/data/nested/test otherSecret');
+ mockInput(`secret/data/nested/test "other-Secret-dash"`);
 await exportSecrets();
- expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET');
+ expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERSUPERSECRET');
 });
 it('get multiple secrets', async () => {
 mockInput(`
 secret/data/test secret ;
 secret/data/test secret | NAMED_SECRET ;
- secret/data/nested/test otherSecret ;`);
+ secret/data/nested/test "other-Secret-dash" ;`);
 await exportSecrets();
@@ -159,7 +159,7 @@ describe('integration', () => {
 expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
 expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
- expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET');
+ expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERSUPERSECRET');
 });
 it('leading slash kvv2', async () => {
@@ -179,11 +179,11 @@ describe('integration', () => {
 });
 it('get nested secret from K/V v1', async () => {
- mockInput('secret-kv1/nested/test otherSecret');
+ mockInput('secret-kv1/nested/test "other-Secret-dash"');
 await exportSecrets();
- expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERCUSTOMSECRET');
+ expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERCUSTOMSECRET');
 });
 it('leading slash kvv1', async () => {
diff --git a/src/action.js b/src/action.js
index a8089d72..7a3c072e 100644
--- a/src/action.js
+++ b/src/action.js
@@ -12,7 +12,7 @@ async function exportSecrets() {
 const vaultNamespace = core.getInput('namespace', { required: false });
 const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
 const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
- const exportToken = core.getInput('exportToken', { required: false }) == 'false';
+ const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';
 const secretsInput = core.getInput('secrets', { required: true });
 const secretRequests = parseSecretsInput(secretsInput);
@@ -61,7 +61,7 @@ async function exportSecrets() {
 defaultOptions.headers['X-Vault-Token'] = vaultToken;
 const client = got.extend(defaultOptions);
- if (exportToken) {
+ if (exportToken === true) {
 command.issue('add-mask', vaultToken);
 core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
 }
@@ -130,12 +130,13 @@ function parseSecretsInput(secretsInput) {
 throw Error(`You must provide a valid path and key. Input: "${secret}"`);
 }
- const [path, selector] = pathParts;
+ const [path, selectorQuoted] = pathParts;
 /** @type {any} */
- const selectorAst = jsonata(selector).ast();
+ const selectorAst = jsonata(selectorQuoted).ast();
+ const selector = selectorQuoted.replace(new RegExp('"', 'g'), '');
- if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && !outputVarName) {
+ if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
 throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
 }
@@ -162,7 +163,7 @@ function parseSecretsInput(secretsInput) {
 */
 function normalizeOutputKey(dataKey, isEnvVar = false) {
 let outputKey = dataKey
- .replace('.', '__').replace(/[^\p{L}\p{N}_-]/gu, '');
+ .replace('.', '__').replace(new RegExp('-', 'g'), '').replace(/[^\p{L}\p{N}_-]/gu, '');
 if (isEnvVar) {
 outputKey = outputKey.toUpperCase();
 }
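Review bot: In the parseSecretsInput hunk, `selectorQuoted.replace(new RegExp('"', 'g'), '')` strips every double quote from the selector, not only the pair wrapping a key name, so a JSONata selector that legitimately contains a string literal (the `selectorAst.type !== "path"` branch a few lines down exists for such selectors, given an output name) would be altered before it reaches getSecrets; I cannot see from here whether any caller relies on that. Limit the stripping to the case the change is for, the whole selector being a quoted name: `const selector = selectorAst.type === "string" ? selectorQuoted.replace(/"/g, '') : selectorQuoted;`. A regex literal also avoids building a `RegExp` from a string on every call. parseSecretsInput starts and ends outside the hunk.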
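Review bot: The added `.replace(new RegExp('-', 'g'), '')` in normalizeOutputKey drops dashes from `setOutput` keys as well as environment variable names, since `isEnvVar` is only consulted afterwards, so every existing user selecting a dashed key gets a renamed output (`other-Secret-dash` now yields `OTHERSECRETDASH` per the updated integration tests, whereas the pre-change character class `[^\p{L}\p{N}_-]` keeps `-`), and distinct keys such as `a-b` and `ab` now collide. If the goal is a valid shell variable name, substitute rather than delete and only on the env-var path, e.g. `if (isEnvVar) { outputKey = outputKey.replace(/-/g, '_').toUpperCase(); }`, and call the rename out in the README. The pre-existing `.replace('.', '__')` likewise only rewrites the first dot, which is worth a follow-up. normalizeOutputKey ends outside the hunk.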
diff --git a/src/action.test.js b/src/action.test.js
index c2738ac8..cd7828e5 100644
--- a/src/action.test.js
+++ b/src/action.test.js
@@ -178,6 +178,12 @@ describe('exportSecrets', () => {
 }
 }
+ function mockExportToken(doExport) {
+ when(core.getInput)
+ .calledWith('exportToken')
+ .mockReturnValueOnce(doExport);
+ }
+
 it('simple secret retrieval', async () => {
 mockInput('test key');
 mockVaultData({
@@ -257,4 +263,35 @@ describe('exportSecrets', () => {
 expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1');
 expect(core.setOutput).toBeCalledWith('key__value', '1');
 });
+
+ it('export Vault token', async () => {
+ mockInput('test key');
+ mockVaultData({
+ key: 1
+ });
+ mockExportToken("true")
+
+ await exportSecrets();
+
+ expect(core.exportVariable).toBeCalledTimes(2);
+
+ expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
+ expect(core.exportVariable).toBeCalledWith('KEY', '1');
+ expect(core.setOutput).toBeCalledWith('key', '1');
+ });
+
+ it('not export Vault token', async () => {
+ mockInput('test key');
+ mockVaultData({
+ key: 1
+ });
+ mockExportToken("false")
+
+ await exportSecrets();
+
+ expect(core.exportVariable).toBeCalledTimes(1);
+
+ expect(core.exportVariable).toBeCalledWith('KEY', '1');
+ expect(core.setOutput).toBeCalledWith('key', '1');
+ });
 });
diff --git a/src/secrets.js b/src/secrets.js
index a3649259..669bde5e 100644
--- a/src/secrets.js
+++ b/src/secrets.js
@@ -38,7 +38,9 @@ async function getSecrets(secretRequests, client) {
 body = result.body;
 responseCache.set(requestPath, body);
 }
-
+ if (!selector.match(/.*[\.].*/)) {
+ selector = '"' + selector + '"'
+ }
 selector = "data." + selector
 body = JSON.parse(body)
 if (body.data["data"] != undefined) {
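Review bot: The two new cases pin `"true"` and `"false"` but not the unset input, which is the path the previous commit of this series got wrong and the `|| 'false'` fallback in src/action.js exists for. Add a third case, e.g. `it('does not export Vault token by default', ...)`, that sets up `mockInput('test key')` and `mockVaultData({ key: 1 })` without calling `mockExportToken` and expects `core.exportVariable` to be called once with `'KEY', '1'`. `mockExportToken("true")` and `mockExportToken("false")` also lack the semicolons used on the surrounding lines, and the expected `'EXAMPLE'` token value comes from a mock outside the hunk, which a short comment on the assertion could point to. The describe block starts outside the hunk.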
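Review bot: The new guard `if (!selector.match(/.*[\.].*/))` in getSecrets quotes every selector without a dot, so as far as this hunk shows a JSONata expression with no `.` in it, such as a bracket filter, would also be turned into a string literal, and a selector that already contains `"` ends up with unbalanced quotes; the regex itself is equivalent to `/\./`. I would narrow it to plain key names and keep the statement terminated: `if (/^[\p{L}\p{N}_-]+$/u.test(selector)) { selector = '"' + selector + '"'; }`. Note that the matching dist/index.js edit is reverted by the last commit of this series without a rebuild, so the shipped bundle would not carry this change or the src/action.js ones. getSecrets starts and ends outside the hunk.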
@@ -64,7 +66,7 @@ function selectData(data, selector) {
 const ata = jsonata(selector);
 let result = JSON.stringify(ata.evaluate(data));
 // Compat for custom engines
- if (!result && ata.ast().type === "path" && ata.ast()['steps'].length === 1 && selector !== 'data' && 'data' in data) {
+ if (!result && ((ata.ast().type === "path" && ata.ast()['steps'].length === 1) || ata.ast().type === "string") && selector !== 'data' && 'data' in data) {
 result = JSON.stringify(jsonata(`data.${selector}`).evaluate(data));
 } else if (!result) {
 throw Error(`Unable to retrieve result for ${selector}. No match data was found. Double check your Key or Selector.`);
From 25c9428189dde8bce64ca8b331af08f3c289668f Mon Sep 17 00:00:00 2001
From: ZANCO Bertrand <31990529+fean5959a@users.noreply.github.com>
Date: Thu, 1 Oct 2020 16:19:56 +0200
Subject: [PATCH 4/4] Restore index.js
---
 dist/index.js | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/dist/index.js b/dist/index.js
index cd267d8a..ccb16d2a 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -10688,9 +10688,7 @@ async function getSecrets(secretRequests, client) {
 body = result.body;
 responseCache.set(requestPath, body);
 }
- if (!selector.match(/.*[\.].*/)) {
- selector = '"' + selector + '"'
- }
+
 selector = "data." + selector
 body = JSON.parse(body)
 if (body.data["data"] != undefined) {
@@ -10716,7 +10714,7 @@ function selectData(data, selector) {
 const ata = jsonata(selector);
 let result = JSON.stringify(ata.evaluate(data));
 // Compat for custom engines
- if (!result && ((ata.ast().type === "path" && ata.ast()['steps'].length === 1) || ata.ast().type === "string") && selector !== 'data' && 'data' in data) {
+ if (!result && ata.ast().type === "path" && ata.ast()['steps'].length === 1 && selector !== 'data' && 'data' in data) {
 result = JSON.stringify(jsonata(`data.${selector}`).evaluate(data));
 } else if (!result) {
 throw Error(`Unable to retrieve result for ${selector}. No match data was found. Double check your Key or Selector.`);
@@ -14024,7 +14022,6 @@ async function exportSecrets() {
 const vaultNamespace = core.getInput('namespace', { required: false });
 const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
 const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
- const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';
 const secretsInput = core.getInput('secrets', { required: true });
 const secretRequests = parseSecretsInput(secretsInput);
@@ -14073,11 +14070,6 @@ async function exportSecrets() {
 defaultOptions.headers['X-Vault-Token'] = vaultToken;
 const client = got.extend(defaultOptions);
- if (exportToken === true) {
- command.issue('add-mask', vaultToken);
- core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
- }
-
 const requests = secretRequests.map(request => {
 const { path, selector } = request;
 return request;
@@ -14142,13 +14134,12 @@ function parseSecretsInput(secretsInput) {
 throw Error(`You must provide a valid path and key. Input: "${secret}"`);
 }
- const [path, selectorQuoted] = pathParts;
+ const [path, selector] = pathParts;
 /** @type {any} */
- const selectorAst = jsonata(selectorQuoted).ast();
- const selector = selectorQuoted.replace(new RegExp('"', 'g'), '');
+ const selectorAst = jsonata(selector).ast();
- if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
+ if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && !outputVarName) {
 throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
 }
@@ -14175,7 +14166,7 @@ function parseSecretsInput(secretsInput) {
 */
 function normalizeOutputKey(dataKey, isEnvVar = false) {
 let outputKey = dataKey
- .replace('.', '__').replace(new RegExp('-', 'g'), '').replace(/[^\p{L}\p{N}_-]/gu, '');
+ .replace('.', '__').replace(/[^\p{L}\p{N}_-]/gu, '');
 if (isEnvVar) {
 outputKey = outputKey.toUpperCase();
 }
@@ -16003,4 +15994,4 @@ module.exports.MaxBufferError = MaxBufferError;
 /***/ })
-/******/ });
\ No newline at end of file
+/******/ });