fix secrets stored in JSON format (#473)

* fix secrets stored in JSON format * add more tests * fix lint and pass token to build * add test cases * add debug * fix ordering of build steps * fix test string format * update test check * fix test string format * final cleanup * remove comment * remove unused var assignment * simplify more * simplify code and add more comments
2026-04-07 12:39:26 +00:00 · 2023-07-06 10:51:26 -05:00 · 2023-07-06 10:51:26 -05:00 · b138504969
commit b138504969
parent e926631bb2
7 changed files with 153 additions and 6 deletions
--- a/src/action.test.js
+++ b/src/action.test.js
@ -220,6 +220,58 @@ describe('exportSecrets', () => {
        expect(core.setOutput).toBeCalledWith('key', '1');
    });

+    it('JSON data secret retrieval', async () => {
+        const jsonData = {"x":1,"y":2};
+
+        // for secrets stored in Vault as pure JSON, we call stringify twice
+        // and remove the surrounding quotes
+        let result = JSON.stringify(JSON.stringify(jsonData));
+        result = result.substring(1, result.length - 1);
+
+        mockInput('test key');
+        mockVaultData({
+            key: jsonData,
+        });
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('KEY', result);
+        expect(core.setOutput).toBeCalledWith('key', result);
+    });
+
+    it('JSON string secret retrieval', async () => {
+        const jsonString = '{"x":1,"y":2}';
+
+        mockInput('test key');
+        mockVaultData({
+            key: jsonString,
+        });
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('KEY', jsonString);
+        expect(core.setOutput).toBeCalledWith('key', jsonString);
+    });
+
+    it('multi-line JSON string secret retrieval', async () => {
+        const jsonString = `
+        {
+            "x":1,
+            "y":"bar"
+        }
+        `;
+
+        mockInput('test key');
+        mockVaultData({
+            key: jsonString,
+        });
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('KEY', jsonString);
+        expect(core.setOutput).toBeCalledWith('key', jsonString);
+    });
+
    it('intl secret retrieval', async () => {
        mockInput('测试 测试');
        mockVaultData({
@ -334,7 +386,30 @@ describe('exportSecrets', () => {
        expect(core.setOutput).toBeCalledWith('key', 'secret');
    })

-    it('multi-line secret gets masked for each line', async () => {
+    it('multi-line secret', async () => {
+        const multiLineString = `ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU
+GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3
+Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA
+NrRFi9wrf+M7Q==`;
+
+        mockInput('test key');
+        mockVaultData({
+            key: multiLineString
+        });
+        mockExportToken("false")
+
+        await exportSecrets();
+
+        expect(core.setSecret).toBeCalledTimes(5); // 1 for each non-empty line + VAULT_TOKEN
+
+        expect(core.setSecret).toBeCalledWith("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU");
+        expect(core.setSecret).toBeCalledWith("GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3");
+        expect(core.setSecret).toBeCalledWith("Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA");
+        expect(core.setSecret).toBeCalledWith("NrRFi9wrf+M7Q==");
+        expect(core.setOutput).toBeCalledWith('key', multiLineString);
+    })
+
+    it('multi-line secret gets masked for each non-empty line', async () => {
        const multiLineString = `a multi-line string

 with blank lines
--- a/src/retries.test.js
+++ b/src/retries.test.js
@ -66,4 +66,4 @@ describe('exportSecrets retries', () => {
            done();
        });
    });
-});
+});
--- a/src/secrets.js
+++ b/src/secrets.js
@ -67,12 +67,13 @@ async function getSecrets(secretRequests, client) {

 /**
 * Uses a Jsonata selector retrieve a bit of data from the result
- * @param {object} data 
- * @param {string} selector 
+ * @param {object} data
+ * @param {string} selector
 */
 async function selectData(data, selector) {
    const ata = jsonata(selector);
    let result = JSON.stringify(await ata.evaluate(data));
+
    // Compat for custom engines
    if (!result && ((ata.ast().type === "path" && ata.ast()['steps'].length === 1) || ata.ast().type === "string") && selector !== 'data' && 'data' in data) {
        result = JSON.stringify(await jsonata(`data.${selector}`).evaluate(data));
@ -81,7 +82,18 @@ async function selectData(data, selector) {
    }

    if (result.startsWith(`"`)) {
+        // Support multi-line secrets like JSON strings and ssh keys, see https://github.com/hashicorp/vault-action/pull/173
+        // Deserialize the value so that newlines and special characters are
+        // not escaped in our return value.
        result = JSON.parse(result);
+    } else {
+        // Support secrets stored in Vault as pure JSON, see https://github.com/hashicorp/vault-action/issues/194
+        // Serialize the value so that any special characters in the data are
+        // properly escaped.
+        result = JSON.stringify(result);
+        // strip the surrounding quotes added by stringify because the data did
+        // not have them in the first place
+        result = result.substring(1, result.length - 1);
    }
    return result;
 }
@ -89,4 +101,4 @@ async function selectData(data, selector) {
 module.exports = {
    getSecrets,
    selectData
-}
+}