Implement JWT auth (#188)

2026-04-14 07:46:52 +00:00 · 2021-05-04 15:49:35 +03:00 · 2021-05-04 15:49:35 +03:00 · 9e8f22534f
commit 9e8f22534f
parent 8417c61f8a
8 changed files with 275 additions and 2 deletions
--- a/integrationTests/basic/jwt_auth.test.js
+++ b/integrationTests/basic/jwt_auth.test.js
@ -0,0 +1,126 @@
+jest.mock('@actions/core');
+jest.mock('@actions/core/lib/command');
+const core = require('@actions/core');
+const {
+    privateRsaKeyBase64,
+    publicRsaKey
+} = require('./rsa_keys');
+
+const got = require('got');
+const { when } = require('jest-when');
+
+const { exportSecrets } = require('../../src/action');
+
+const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
+
+describe('jwt auth', () => {
+    beforeAll(async () => {
+        // Verify Connection
+        await got(`${vaultUrl}/v1/secret/config`, {
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+        });
+
+        try {
+            await got(`${vaultUrl}/v1/sys/auth/jwt`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': 'testtoken',
+                },
+                json: {
+                    type: 'jwt'
+                }
+            });
+        } catch (error) {
+            const {response} = error;
+            if (response.statusCode === 400 && response.body.includes("path is already in use")) {
+                // Auth method might already be enabled from previous test runs
+            } else {
+                throw error;
+            }
+        }
+
+        await got(`${vaultUrl}/v1/sys/policy/reader`, {
+            method: 'PUT',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                policy: `
+                path "*" {
+                    capabilities = ["read"]
+                }
+                `
+            }
+        });
+
+        await got(`${vaultUrl}/v1/auth/jwt/config`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                jwt_validation_pubkeys: publicRsaKey
+            }
+        });
+
+        await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                role_type: 'jwt',
+                bound_audiences: null,
+                bound_claims: {
+                    iss: 'vault-action'
+                },
+                user_claim: 'iss',
+                policies: ['reader']
+            }
+        });
+
+        await got(`${vaultUrl}/v1/secret/data/test`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                data: {
+                    secret: 'SUPERSECRET',
+                },
+            },
+        });
+    });
+
+    beforeEach(() => {
+        jest.resetAllMocks();
+
+        when(core.getInput)
+            .calledWith('url')
+            .mockReturnValueOnce(`${vaultUrl}`);
+
+        when(core.getInput)
+            .calledWith('method')
+            .mockReturnValueOnce('jwt');
+
+        when(core.getInput)
+            .calledWith('jwtPrivateKey')
+            .mockReturnValueOnce(privateRsaKeyBase64);
+
+        when(core.getInput)
+            .calledWith('role')
+            .mockReturnValueOnce('default');
+
+        when(core.getInput)
+            .calledWith('secrets')
+            .mockReturnValueOnce('secret/data/test secret');
+    });
+
+    it('successfully authenticates', async () => {
+        await exportSecrets();
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
+    });
+
+});