Implement kubernetes auth / Add customizable auth path (#218)

* Implement kubernetes auth / Add customizable auth path * Fix typo * Apply suggestions from code review Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2026-04-07 12:39:26 +00:00 · 2021-06-03 10:59:51 -04:00 · 2021-06-03 10:59:51 -04:00 · 72c7a899ca
commit 72c7a899ca
parent 0cf3bd6a39
5 changed files with 139 additions and 23 deletions
--- a/src/action.js
+++ b/src/action.js
@ -5,7 +5,7 @@ const got = require('got').default;
 const jsonata = require('jsonata');
 const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');

-const AUTH_METHODS = ['approle', 'token', 'github', 'jwt'];
+const AUTH_METHODS = ['approle', 'token', 'github', 'jwt', 'kubernetes'];

 async function exportSecrets() {
    const vaultUrl = core.getInput('url', { required: true });
--- a/src/auth.js
+++ b/src/auth.js
@ -1,22 +1,26 @@
 // @ts-check
 const core = require('@actions/core');
 const rsasign = require('jsrsasign');
+const fs = require('fs');

+const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
 /***
 * Authenticate with Vault and retrieve a Vault token that can be used for requests.
 * @param {string} method
 * @param {import('got').Got} client
 */
 async function retrieveToken(method, client) {
+    const path = core.getInput('path', { required: false }) || method;
+
    switch (method) {
        case 'approle': {
            const vaultRoleId = core.getInput('roleId', { required: true });
            const vaultSecretId = core.getInput('secretId', { required: true });
-            return await getClientToken(client, method, { role_id: vaultRoleId, secret_id: vaultSecretId });
+            return await getClientToken(client, method, path, { role_id: vaultRoleId, secret_id: vaultSecretId });
        }
        case 'github': {
            const githubToken = core.getInput('githubToken', { required: true });
-            return await getClientToken(client, method, { token: githubToken });
+            return await getClientToken(client, method, path, { token: githubToken });
        }
        case 'jwt': {
            const role = core.getInput('role', { required: true });
@ -25,8 +29,18 @@ async function retrieveToken(method, client) {
            const keyPassword = core.getInput('jwtKeyPassword', { required: false });
            const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
            const jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
-            return await getClientToken(client, method, { jwt: jwt, role: role });
+            return await getClientToken(client, method, path, { jwt: jwt, role: role });
        }
+        case 'kubernetes': {
+            const role = core.getInput('role', { required: true })
+            const tokenPath = core.getInput('kubernetesTokenPath', { required: false }) || defaultKubernetesTokenPath
+            const data = fs.readFileSync(tokenPath, 'utf8')
+            if (!(role && data) && data != "") {
+                throw new Error("Role Name must be set and a kubernetes token must set")
+            }
+            return await getClientToken(client, method, path, { jwt: data, role: role })
+        }
+
        default: {
            if (!method || method === 'token') {
                return core.getInput('token', { required: true });
@ -36,7 +50,7 @@ async function retrieveToken(method, client) {
                if (!payload) {
                    throw Error('When using a custom authentication method, you must provide the payload');
                }
-                return await getClientToken(client, method, JSON.parse(payload.trim()));
+                return await getClientToken(client, method, path, JSON.parse(payload.trim()));
            }
        }
    }
@ -72,9 +86,10 @@ function generateJwt(privateKey, keyPassword, ttl) {
 * Call the appropriate login endpoint and parse out the token in the response.
 * @param {import('got').Got} client
 * @param {string} method
+ * @param {string} path
 * @param {any} payload
 */
-async function getClientToken(client, method, payload) {
+async function getClientToken(client, method, path, payload) {
    /** @type {'json'} */
    const responseType = 'json';
    var options = {
@ -82,10 +97,10 @@ async function getClientToken(client, method, payload) {
        responseType,
    };

-    core.debug(`Retrieving Vault Token from v1/auth/${method}/login endpoint`);
+    core.debug(`Retrieving Vault Token from v1/auth/${path}/login endpoint`);

    /** @type {import('got').Response<VaultLoginResponse>} */
-    const response = await client.post(`v1/auth/${method}/login`, options);
+    const response = await client.post(`v1/auth/${path}/login`, options);
    if (response && response.body && response.body.auth && response.body.auth.client_token) {
        core.debug('✔ Vault Token successfully retrieved');

--- a/src/auth.test.js
+++ b/src/auth.test.js
@ -0,0 +1,83 @@
+jest.mock('got');
+jest.mock('@actions/core');
+jest.mock('@actions/core/lib/command');
+jest.mock("fs")
+
+const core = require('@actions/core');
+const got = require('got');
+const fs = require("fs")
+const { when } = require('jest-when');
+
+
+const {
+    retrieveToken
+} = require('./auth');
+
+
+function mockInput(name, key) {
+    when(core.getInput)
+        .calledWith(name)
+        .mockReturnValueOnce(key);
+}
+
+function mockApiResponse() {
+    const response = { body: { auth: { client_token: testToken, renewable: true, policies: [], accessor: "accessor" } } }
+    got.post = jest.fn()
+    got.post.mockReturnValue(response)
+}
+const testToken = "testoken";
+
+describe("test retrival for token", () => {
+
+    beforeEach(() => {
+        jest.resetAllMocks();
+    });
+
+    it("test retrival with approle", async () => {
+        const method = 'approle'
+        mockApiResponse()
+        const testRoleId = "testRoleId"
+        const testSecretId = "testSecretId"
+        mockInput("roleId", testRoleId)
+        mockInput("secretId", testSecretId)
+        const token = await retrieveToken(method, got)
+        expect(token).toEqual(testToken)
+        const payload = got.post.mock.calls[0][1].json
+        expect(payload).toEqual({ role_id: testRoleId, secret_id: testSecretId })
+        const url = got.post.mock.calls[0][0]
+        expect(url).toContain('approle')
+    })
+
+    it("test retrival with github token", async () => {
+        const method = 'github'
+        mockApiResponse()
+        const githubToken = "githubtoken"
+        mockInput("githubToken", githubToken)
+        const token = await retrieveToken(method, got)
+        expect(token).toEqual(testToken)
+        const payload = got.post.mock.calls[0][1].json
+        expect(payload).toEqual({ token: githubToken })
+        const url = got.post.mock.calls[0][0]
+        expect(url).toContain('github')
+    })
+
+    it("test retrival with kubernetes", async () => {
+        const method = 'kubernetes'
+        const jwtToken = "someJwtToken"
+        const testRole = "testRole"
+        const testTokenPath = "testTokenPath"
+        const testPath = 'differentK8sPath'
+        mockApiResponse()
+        mockInput("kubernetesTokenPath", testTokenPath)
+        mockInput("role", testRole)
+        mockInput("path", testPath)
+        fs.readFileSync = jest.fn()
+        fs.readFileSync.mockReturnValueOnce(jwtToken)
+        const token = await retrieveToken(method, got)
+        expect(token).toEqual(testToken)
+        const payload = got.post.mock.calls[0][1].json
+        expect(payload).toEqual({ jwt: jwtToken, role: testRole })
+        const url = got.post.mock.calls[0][0]
+        expect(url).toContain('differentK8sPath')
+    })
+})