feat: support for KV version 1 and custom-named engines (#12)

* feat: kv v1 and engine path * doc: add custom version and engine path usage docs Co-authored-by: Richard Simpson <richardsimpson@outlook.com>
2026-04-15 16:25:43 +00:00 · 2020-02-04 12:40:55 -03:00 · 2020-02-04 12:40:55 -03:00 · f229481670
commit f229481670
parent 3b9239de79
9 changed files with 465 additions and 139 deletions
--- a/integrationTests/basic/integration.test.js
+++ b/integrationTests/basic/integration.test.js
@ -39,6 +39,46 @@ describe('integration', () => {
                data: {
                    otherSecret: 'OTHERSUPERSECRET',
                },
+            }
+        });
+
+        // Enable custom secret engine
+        try {
+            await got(`${vaultUrl}/v1/sys/mounts/my-secret`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': 'testtoken',
+                },
+                json: {
+                    type: 'kv'
+                }
+            });
+        } catch (error) {
+            const {response} = error;
+            if (response.statusCode === 400 && response.body.includes("path is already in use")) {
+                // Engine might already be enabled from previous test runs
+            } else {
+                throw error;
+            }
+        }
+
+        await got(`${vaultUrl}/v1/my-secret/test`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                secret: 'CUSTOMSECRET',
+            }
+        });
+
+        await got(`${vaultUrl}/v1/my-secret/nested/test`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                otherSecret: 'OTHERCUSTOMSECRET',
            },
        });
    });
@ -48,17 +88,29 @@ describe('integration', () => {

        when(core.getInput)
            .calledWith('url')
-            .mockReturnValue(`${vaultUrl}`);
+            .mockReturnValueOnce(`${vaultUrl}`);

        when(core.getInput)
            .calledWith('token')
-            .mockReturnValue('testtoken');
+            .mockReturnValueOnce('testtoken');
    });

    function mockInput(secrets) {
        when(core.getInput)
            .calledWith('secrets')
-            .mockReturnValue(secrets);
+            .mockReturnValueOnce(secrets);
+    }
+
+    function mockEngineName(name) {
+        when(core.getInput)
+            .calledWith('path')
+            .mockReturnValueOnce(name);
+    }
+
+    function mockVersion(version) {
+        when(core.getInput)
+            .calledWith('kv-version')
+            .mockReturnValueOnce(version);
    }

    it('get simple secret', async () => {
@ -99,4 +151,24 @@ describe('integration', () => {
        expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
        expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET');
    });
+
+    it('get secret from K/V v1', async () => {
+        mockInput('test secret');
+        mockEngineName('my-secret');
+        mockVersion('1');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET');
+    });
+
+    it('get nested secret from K/V v1', async () => {
+        mockInput('nested/test otherSecret');
+        mockEngineName('my-secret');
+        mockVersion('1');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERCUSTOMSECRET');
+    });
 });
--- a/integrationTests/e2e/e2e.test.js
+++ b/integrationTests/e2e/e2e.test.js
@ -3,5 +3,8 @@ describe('e2e', () => {
        expect(process.env.SECRET).toBe("SUPERSECRET");
        expect(process.env.NAMED_SECRET).toBe("SUPERSECRET");
        expect(process.env.OTHERSECRET).toBe("OTHERSUPERSECRET");
+        expect(process.env.ALTSECRET).toBe("CUSTOMSECRET");
+        expect(process.env.NAMED_ALTSECRET).toBe("CUSTOMSECRET");
+        expect(process.env.OTHERALTSECRET).toBe("OTHERCUSTOMSECRET");
    });
-});
+});
--- a/integrationTests/e2e/setup.js
+++ b/integrationTests/e2e/setup.js
@ -1,15 +1,17 @@
 const got = require('got');

+const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
+
 (async () => {
    try {
        // Verify Connection
-        await got(`http://${process.env.VAULT_HOST}:${process.env.VAULT_PORT}/v1/secret/config`, {
+        await got(`http://${vaultUrl}/v1/secret/config`, {
            headers: {
                'X-Vault-Token': 'testtoken',
            },
        });

-        await got(`http://${process.env.VAULT_HOST}:${process.env.VAULT_PORT}/v1/secret/data/test`, {
+        await got(`http://${vaultUrl}/v1/secret/data/test`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': 'testtoken',
@ -21,7 +23,7 @@ const got = require('got');
            },
        });

-        await got(`http://${process.env.VAULT_HOST}:${process.env.VAULT_PORT}/v1/secret/data/nested/test`, {
+        await got(`http://${vaultUrl}/v1/secret/data/nested/test`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': 'testtoken',
@ -30,6 +32,36 @@ const got = require('got');
                data: {
                    otherSecret: 'OTHERSUPERSECRET',
                },
+            }
+        });
+
+        await got(`http://${vaultUrl}/v1/sys/mounts/my-secret`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                type: 'kv'
+            }
+        });
+
+        await got(`http://${vaultUrl}/v1/my-secret/test`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                altSecret: 'CUSTOMSECRET',
+            }
+        });
+
+        await got(`http://${vaultUrl}/v1/my-secret/nested/test`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            },
+            json: {
+                otherAltSecret: 'OTHERCUSTOMSECRET',
            },
        });
    } catch (error) {
--- a/integrationTests/enterprise/enterprise.test.js
+++ b/integrationTests/enterprise/enterprise.test.js
@ -20,48 +20,19 @@ describe('integration', () => {
            });

            // Create namespace
-            await got(`${vaultUrl}/v1/sys/namespaces/ns1`, {
-                method: 'POST',
-                headers: {
-                    'X-Vault-Token': 'testtoken',
-                }
-            });
+            await enableNamespace('ns1');

-            // Enable secret engine
-            await got(`${vaultUrl}/v1/sys/mounts/secret`, {
-                method: 'POST',
-                headers: {
-                    'X-Vault-Token': 'testtoken',
-                    'X-Vault-Namespace': 'ns1',
-                },
-                json: { path: 'secret', type: 'kv', config: {}, options: { version: 2 }, generate_signing_key: true },
-            });
+            // Enable K/V v2 secret engine at 'secret/'
+            await enableEngine('secret', 'ns1', 2);

-            await got(`${vaultUrl}/v1/secret/data/test`, {
-                method: 'POST',
-                headers: {
-                    'X-Vault-Token': 'testtoken',
-                    'X-Vault-Namespace': 'ns1',
-                },
-                json: {
-                    data: {
-                        secret: 'SUPERSECRET_IN_NAMESPACE',
-                    },
-                },
-            });
+            await writeSecret('secret', 'test', 'ns1', 2, {secret: 'SUPERSECRET_IN_NAMESPACE'})
+            await writeSecret('secret', 'nested/test', 'ns1', 2, {otherSecret: 'OTHERSUPERSECRET_IN_NAMESPACE'})

-            await got(`${vaultUrl}/v1/secret/data/nested/test`, {
-                method: 'POST',
-                headers: {
-                    'X-Vault-Token': 'testtoken',
-                    'X-Vault-Namespace': 'ns1',
-                },
-                json: {
-                    data: {
-                        otherSecret: 'OTHERSUPERSECRET_IN_NAMESPACE',
-                    },
-                },
-            });
+            // Enable K/V v1 secret engine at 'my-secret/'
+            await enableEngine('my-secret', 'ns1', 1);
+
+            await writeSecret('my-secret', 'test', 'ns1', 1, {secret: 'CUSTOMSECRET_IN_NAMESPACE'})
+            await writeSecret('my-secret', 'nested/test', 'ns1', 1, {otherSecret: 'OTHERCUSTOMSECRET_IN_NAMESPACE'})
        } catch (e) {
            console.error('Failed to setup test', e);
            throw e;
@ -73,23 +44,17 @@ describe('integration', () => {

        when(core.getInput)
            .calledWith('url')
-            .mockReturnValue(`${vaultUrl}`);
+            .mockReturnValueOnce(`${vaultUrl}`);

        when(core.getInput)
            .calledWith('token')
-            .mockReturnValue('testtoken');
+            .mockReturnValueOnce('testtoken');

        when(core.getInput)
            .calledWith('namespace')
-            .mockReturnValue('ns1');
+            .mockReturnValueOnce('ns1');
    });

-    function mockInput(secrets) {
-        when(core.getInput)
-            .calledWith('secrets')
-            .mockReturnValue(secrets);
-    }
-
    it('get simple secret', async () => {
        mockInput('test secret');

@ -128,6 +93,26 @@ describe('integration', () => {
        expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET_IN_NAMESPACE');
        expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERSUPERSECRET_IN_NAMESPACE');
    });
+
+    it('get secret from K/V v1', async () => {
+        mockInput('test secret');
+        mockEngineName('my-secret');
+        mockVersion('1');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET_IN_NAMESPACE');
+    });
+
+    it('get nested secret from K/V v1', async () => {
+        mockInput('nested/test otherSecret');
+        mockEngineName('my-secret');
+        mockVersion('1');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('OTHERSECRET', 'OTHERCUSTOMSECRET_IN_NAMESPACE');
+    });
 });

 describe('authenticate with approle', () => {
@ -143,48 +128,34 @@ describe('authenticate with approle', () => {
            });

            // Create namespace
-            await got(`${vaultUrl}/v1/sys/namespaces/ns2`, {
-                method: 'POST',
-                headers: {
-                    'X-Vault-Token': 'testtoken',
-                },
-            });
+            await enableNamespace("ns2");

-            // Enable secret engine
-            await got(`${vaultUrl}/v1/sys/mounts/secret`, {
-                method: 'POST',
-                headers: {
-                    'X-Vault-Token': 'testtoken',
-                    'X-Vault-Namespace': 'ns2',
-                },
-                json: { path: 'secret', type: 'kv', config: {}, options: { version: 2 }, generate_signing_key: true },
-            });
+            // Enable K/V v2 secret engine at 'secret/'
+            await enableEngine("secret", "ns2", 2);

            // Add secret
-            await got(`${vaultUrl}/v1/secret/data/test`, {
-                method: 'POST',
-                headers: {
-                    'X-Vault-Token': 'testtoken',
-                    'X-Vault-Namespace': 'ns2',
-                },
-                json: {
-                    data: {
-                        secret: 'SUPERSECRET_WITH_APPROLE',
-                    },
-                },
-            });
+            await writeSecret('secret', 'test', 'ns2', 2, {secret: 'SUPERSECRET_WITH_APPROLE'})

            // Enable approle
-            await got(`${vaultUrl}/v1/sys/auth/approle`, {
-                method: 'POST',
-                headers: {
-                    'X-Vault-Token': 'testtoken',
-                    'X-Vault-Namespace': 'ns2',
-                },
-                json: {
-                    type: 'approle'
-                },
-            });
+            try {
+                await got(`${vaultUrl}/v1/sys/auth/approle`, {
+                    method: 'POST',
+                    headers: {
+                        'X-Vault-Token': 'testtoken',
+                        'X-Vault-Namespace': 'ns2',
+                    },
+                    json: {
+                        type: 'approle'
+                    },
+                });
+            } catch (error) {
+                const {response} = error;
+                if (response.statusCode === 400 && response.body.includes("path is already in use")) {
+                    // Approle might already be enabled from previous test runs
+                } else {
+                    throw error;
+                }
+            }

            // Create policies
            await got(`${vaultUrl}/v1/sys/policies/acl/test`, {
@ -232,7 +203,7 @@ describe('authenticate with approle', () => {
            });
            secretId = secretIdResponse.body.data.secret_id;
        } catch(err) {
-            console.warn('Create approle', err);
+            console.warn('Create approle', err.response.body);
            throw err;
        }
    });
@ -242,27 +213,21 @@ describe('authenticate with approle', () => {

        when(core.getInput)
            .calledWith('method')
-            .mockReturnValue('approle');
+            .mockReturnValueOnce('approle');
        when(core.getInput)
            .calledWith('roleId')
-            .mockReturnValue(roleId);
+            .mockReturnValueOnce(roleId);
        when(core.getInput)
            .calledWith('secretId')
-            .mockReturnValue(secretId);
+            .mockReturnValueOnce(secretId);
        when(core.getInput)
            .calledWith('url')
-            .mockReturnValue(`${vaultUrl}`);
+            .mockReturnValueOnce(`${vaultUrl}`);
        when(core.getInput)
            .calledWith('namespace')
-            .mockReturnValue('ns2');
+            .mockReturnValueOnce('ns2');
    });

-    function mockInput(secrets) {
-        when(core.getInput)
-            .calledWith('secrets')
-            .mockReturnValue(secrets);
-    }
-
    it('authenticate with approle', async()=> {
        mockInput('test secret');

@ -270,4 +235,73 @@ describe('authenticate with approle', () => {

        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET_WITH_APPROLE');
    })
-});
+});
+
+async function enableNamespace(name) {
+    try {
+        await got(`${vaultUrl}/v1/sys/namespaces/${name}`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+            }
+        });
+    } catch (error) {
+        const {response} = error;
+        if (response.statusCode === 400 && response.body.includes("already exists")) {
+            // Namespace might already be enabled from previous test runs
+        } else {
+            throw error;
+        }
+    }
+}
+
+async function enableEngine(path, namespace, version) {
+    try {
+        await got(`${vaultUrl}/v1/sys/mounts/${path}`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': 'testtoken',
+                'X-Vault-Namespace': namespace,
+            },
+            json: { type: 'kv', config: {}, options: { version }, generate_signing_key: true },
+        });
+    } catch (error) {
+        const {response} = error;
+        if (response.statusCode === 400 && response.body.includes("path is already in use")) {
+            // Engine might already be enabled from previous test runs
+        } else {
+            throw error;
+        }
+    }
+}
+
+async function writeSecret(engine, path, namespace, version, data) {
+    const secretPath = (version == 1) ? (`${engine}/${path}`) : (`${engine}/data/${path}`);
+    const secretPayload = (version == 1) ? (data) : ({data});
+    await got(`${vaultUrl}/v1/${secretPath}`, {
+        method: 'POST',
+        headers: {
+            'X-Vault-Token': 'testtoken',
+            'X-Vault-Namespace': namespace,
+        },
+        json: secretPayload
+    });
+}
+
+function mockInput(secrets) {
+    when(core.getInput)
+        .calledWith('secrets')
+        .mockReturnValueOnce(secrets);
+}
+
+function mockEngineName(name) {
+    when(core.getInput)
+        .calledWith('path')
+        .mockReturnValueOnce(name);
+}
+
+function mockVersion(version) {
+    when(core.getInput)
+        .calledWith('kv-version')
+        .mockReturnValueOnce(version);
+}