fix secrets stored in JSON format

JM Faircloth 2023-07-03 15:57:28 -05:00
parent e926631bb2
commit a24b038252
5 changed files with 185 additions and 4 deletions


@ -220,6 +220,38 @@ describe('exportSecrets', () => {
expect(core.setOutput).toBeCalledWith('key', '1');
});
it('json secret retrieval', async () => {
const jsonString = '{"x":1,"y":2}';
mockInput('test key');
mockVaultData({
key: jsonString,
});
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('KEY', jsonString);
expect(core.setOutput).toBeCalledWith('key', jsonString);
});
it('multi-line json secret retrieval', async () => {
const jsonString = `
{
"x":1,
"y":"bar"
}
`;
mockInput('test key');
mockVaultData({
key: jsonString,
});
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('KEY', jsonString);
expect(core.setOutput).toBeCalledWith('key', jsonString);
});
it('intl secret retrieval', async () => {
mockInput('测试 测试');
mockVaultData({
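Review bot: Both added cases hand the secret to `mockVaultData` as a string, so the tests visible here never reach the `storedAsJSONData` branch of `selectData`, which handles a value that Vault returns as an object (for example a constructed `key: {x: 1, y: 2}`). They also do not cover a secret whose literal value is a quoted string such as `'"abc"'`. That second case matters because the new code strips the leading and trailing quote before re-parsing, and it looks like a stored value of `"abc"` would be exported as `abc`; a test pinning the expected output for both inputs would settle it. The enclosing `describe('exportSecrets', …)` block starts and ends outside this hunk, and the changed files not shown on this page may already cover the object case.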


@ -66,4 +66,4 @@ describe('exportSecrets retries', () => {
done();
});
});
});
});


@ -72,7 +72,21 @@ async function getSecrets(secretRequests, client) {
*/
async function selectData(data, selector) {
const ata = jsonata(selector);
let result = JSON.stringify(await ata.evaluate(data));
let d = await ata.evaluate(data);
// If we have a Javascript Object, then this data was stored in Vault as
// pure JSON (not a JSON string)
const storedAsJSONData = isObject(d);
if (isJSONString(d)) {
// If we already have a JSON string we will not "stringify" it yet so
// that we don't end up calling JSON.parse. This would break the
// secrets that are stored as pure JSON. See: https://github.com/hashicorp/vault-action/issues/194
result = d;
} else {
result = JSON.stringify(d);
}
// Compat for custom engines
if (!result && ((ata.ast().type === "path" && ata.ast()['steps'].length === 1) || ata.ast().type === "string") && selector !== 'data' && 'data' in data) {
result = JSON.stringify(await jsonata(`data.${selector}`).evaluate(data));
@ -81,12 +95,57 @@ async function selectData(data, selector) {
}
if (result.startsWith(`"`)) {
result = JSON.parse(result);
// we need to strip the beginning and ending quotes otherwise it will
// always successfully parse as a JSON string
result = result.substring(1, result.length - 1);
if (!isJSONString(result)) {
// add the quotes back so we can parse it into a Javascript object
// to allow support for multi-line secrets. See https://github.com/hashicorp/vault-action/issues/160
result = `"${result}"`
result = JSON.parse(result);
}
} else if (isJSONString(result)) {
if (storedAsJSONData) {
// Support secrets stored in Vault as pure JSON.
// See https://github.com/hashicorp/vault-action/issues/194 and https://github.com/hashicorp/vault-action/pull/173
result = JSON.stringify(result);
result = result.substring(1, result.length - 1);
} else {
// Support secrets stored in Vault as JSON Strings
result = JSON.stringify(result);
result = JSON.parse(result);
}
}
return result;
}
/**
* isOjbect returns true if target is a Javascript object
* @param {Type} target
*/
function isObject(target) {
return typeof target === 'object' && target !== null;
}
/**
* isJSONString returns true if target parses as a valid JSON string
* @param {Type} target
*/
function isJSONString(target) {
if (typeof target !== "string"){
return false;
}
try {
let o = JSON.parse(target);
} catch (e) {
return false;
}
return true;
}
module.exports = {
getSecrets,
selectData
}
}
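Review bot: `result` is assigned in the new `if (isJSONString(d)) { result = d; } else { result = JSON.stringify(d); }` branch of `selectData` with no declaration left in scope; the first hunk's line counts (-72,7 +72,21) indicate that `let result = JSON.stringify(…)` is the removed line. In a non-strict CommonJS module this creates an implicit global, so the secret value stays reachable on the global object after the call returns and is shared between overlapping `selectData` calls; if the file runs in strict mode the assignment throws a ReferenceError instead. Declare it locally ahead of the branch with `let result;`. In the second hunk, `isJSONString` binds `let o = JSON.parse(target);` without ever reading `o` (a bare `JSON.parse(target);` is enough), and the doc comment above `isObject` spells the name `isOjbect` and leaves `{Type}` as a placeholder.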