mirror of
https://github.com/hashicorp/vault-action.git
synced 2026-04-16 08:45:44 +00:00
feat: Always allow scoped access to vault token through outputs
This commit is contained in:
Thomas
parent
ae2f303e37
commit
e92c0909f9
4 changed files with 1515 additions and 776 deletions
|
|
@ -69,8 +69,9 @@ async function exportSecrets() {
|
|||
defaultOptions.headers['X-Vault-Token'] = vaultToken;
|
||||
const client = got.extend(defaultOptions);
|
||||
|
||||
command.issue('add-mask', vaultToken);
|
||||
core.setOutput('vault_token', `${vaultToken}`);
|
||||
if (exportToken === true) {
|
||||
command.issue('add-mask', vaultToken);
|
||||
core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -194,6 +194,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('intl secret retrieval', async () => {
|
||||
|
|
@ -206,6 +207,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('测试', '1');
|
||||
expect(core.setOutput).toBeCalledWith('测试', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('mapped secret retrieval', async () => {
|
||||
|
|
@ -218,6 +220,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1');
|
||||
expect(core.setOutput).toBeCalledWith('TEST_NAME', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('simple secret retrieval from K/V v1', async () => {
|
||||
|
|
@ -235,6 +238,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('simple secret retrieval with extra headers', async () => {
|
||||
|
|
@ -250,6 +254,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('nested secret retrieval', async () => {
|
||||
|
|
@ -262,6 +267,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key__value', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('export Vault token', async () => {
|
||||
|
|
@ -278,6 +284,7 @@ describe('exportSecrets', () => {
|
|||
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('not export Vault token', async () => {
|
||||
|
|
@ -293,6 +300,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('single-line secret gets masked', async () => {
|
||||
|
|
@ -304,10 +312,11 @@ describe('exportSecrets', () => {
|
|||
|
||||
await exportSecrets();
|
||||
|
||||
expect(command.issue).toBeCalledTimes(1);
|
||||
expect(command.issue).toBeCalledTimes(2);
|
||||
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'secret');
|
||||
expect(core.setOutput).toBeCalledWith('key', 'secret');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('multi-line secret gets masked for each line', async () => {
|
||||
|
|
@ -324,11 +333,12 @@ with blank lines
|
|||
|
||||
await exportSecrets();
|
||||
|
||||
expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
|
||||
expect(command.issue).toBeCalledTimes(3); // 1 for each non-empty line.
|
||||
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
|
||||
expect(core.setOutput).toBeCalledWith('key', multiLineString);
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('export only Vault token, no secrets', async () => {
|
||||
|
|
@ -338,5 +348,6 @@ with blank lines
|
|||
|
||||
expect(core.exportVariable).toBeCalledTimes(1);
|
||||
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
});
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue