Revert "fix secrets stored in json format (#466)" (#471)

* Revert "fix secrets stored in json format (#466)" This reverts commit b9f4d16071. * fix build: use new Verified Publisher image hashicorp/vault
2026-04-07 12:39:26 +00:00 · 2023-07-03 10:31:51 -05:00 · 2023-07-03 10:31:51 -05:00 · 5213b69445
commit 5213b69445
parent 357cb9c034
8 changed files with 12 additions and 144 deletions
--- a/src/action.test.js
+++ b/src/action.test.js
@ -220,22 +220,6 @@ describe('exportSecrets', () => {
        expect(core.setOutput).toBeCalledWith('key', '1');
    });

-    it('json secret retrieval', async () => {
-        const jsonString = '{"x":1,"y":2}';
-        let result = JSON.stringify(jsonString);
-        result = result.substring(1, result.length - 1);
-
-        mockInput('test key');
-        mockVaultData({
-            key: jsonString,
-        });
-
-        await exportSecrets();
-
-        expect(core.exportVariable).toBeCalledWith('KEY', result);
-        expect(core.setOutput).toBeCalledWith('key', result);
-    });
-
    it('intl secret retrieval', async () => {
        mockInput('测试 测试');
        mockVaultData({
@ -350,31 +334,7 @@ describe('exportSecrets', () => {
        expect(core.setOutput).toBeCalledWith('key', 'secret');
    })

-    it('multi-line secret', async () => {
-        const multiLineString = `ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU
-GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3
-Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA
-NrRFi9wrf+M7Q==`;
-
-        mockInput('test key');
-        mockVaultData({
-            key: multiLineString
-        });
-        mockExportToken("false")
-
-        await exportSecrets();
-
-        expect(core.setSecret).toBeCalledTimes(5); // 1 for each non-empty line + VAULT_TOKEN
-
-        expect(core.setSecret).toBeCalledWith("EXAMPLE"); // called for VAULT_TOKEN
-        expect(core.setSecret).toBeCalledWith("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU");
-        expect(core.setSecret).toBeCalledWith("GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3");
-        expect(core.setSecret).toBeCalledWith("Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA");
-        expect(core.setSecret).toBeCalledWith("NrRFi9wrf+M7Q==");
-        expect(core.setOutput).toBeCalledWith('key', multiLineString);
-    })
-
-    it('multi-line secret gets masked for each non-empty line', async () => {
+    it('multi-line secret gets masked for each line', async () => {
        const multiLineString = `a multi-line string

 with blank lines
@ -388,7 +348,7 @@ with blank lines

        await exportSecrets();

-        expect(core.setSecret).toBeCalledTimes(3); // 1 for each non-empty line + VAULT_TOKEN
+        expect(core.setSecret).toBeCalledTimes(3); // 1 for each non-empty line.

        expect(core.setSecret).toBeCalledWith('a multi-line string');
        expect(core.setSecret).toBeCalledWith('with blank lines');
--- a/src/retries.test.js
+++ b/src/retries.test.js
@ -66,4 +66,4 @@ describe('exportSecrets retries', () => {
            done();
        });
    });
-});
+});
--- a/src/secrets.js
+++ b/src/secrets.js
@ -1,5 +1,6 @@
 const jsonata = require("jsonata");

+
 /**
 * @typedef {Object} SecretRequest
 * @property {string} path
@ -66,20 +67,12 @@ async function getSecrets(secretRequests, client) {

 /**
 * Uses a Jsonata selector retrieve a bit of data from the result
- * @param {object} data
- * @param {string} selector
+ * @param {object} data 
+ * @param {string} selector 
 */
 async function selectData(data, selector) {
    const ata = jsonata(selector);
-    let d = await ata.evaluate(data);
-    if (isJSON(d)) {
-        // If we already have JSON we will not "stringify" it yet so that we
-        // don't end up calling JSON.parse. This would break the secrets that
-        // are stored as JSON. See: https://github.com/hashicorp/vault-action/issues/194
-        result = d;
-    } else {
-        result = JSON.stringify(d);
-    }
+    let result = JSON.stringify(await ata.evaluate(data));
    // Compat for custom engines
    if (!result && ((ata.ast().type === "path" && ata.ast()['steps'].length === 1) || ata.ast().type === "string") && selector !== 'data' && 'data' in data) {
        result = JSON.stringify(await jsonata(`data.${selector}`).evaluate(data));
@ -88,44 +81,12 @@ async function selectData(data, selector) {
    }

    if (result.startsWith(`"`)) {
-        // we need to strip the beginning and ending quotes otherwise it will
-        // always successfully parse as JSON
-        result = result.substring(1, result.length - 1);
-        if (!isJSON(result)) {
-            // add the quotes back so we can parse it into a Javascript object
-            // to allow support for multi-line secrets. See https://github.com/hashicorp/vault-action/issues/160
-            result = `"${result}"`
-            result = JSON.parse(result);
-        }
-    } else if (isJSON(result)) {
-        // This is required to support secrets in JSON format.
-        // See https://github.com/hashicorp/vault-action/issues/194 and https://github.com/hashicorp/vault-action/pull/173
-        result = JSON.stringify(result);
-        result = result.substring(1, result.length - 1);
+        result = JSON.parse(result);
    }
    return result;
 }

-/**
- * isJSON returns true if str parses as a valid JSON string
- * @param {string} str
- */
-function isJSON(str) {
-    if (typeof str !== "string"){
-        return false;
-    }
-
-    try {
-        JSON.parse(str);
-    } catch (e) {
-        return false;
-    }
-
-    return true;
-}
-
 module.exports = {
    getSecrets,
    selectData
-}
-
+}