Merge branch 'main' into fix/env-case-option
This commit is contained in:
commit
f720f822f4
16 changed files with 1282 additions and 482 deletions
|
|
@ -112,6 +112,69 @@ describe('integration', () => {
|
|||
"other-Secret-dash": 'OTHERCUSTOMSECRET',
|
||||
},
|
||||
});
|
||||
|
||||
// Enable pki engine
|
||||
try {
|
||||
await got(`${vaultUrl}/v1/sys/mounts/pki`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
type: 'pki'
|
||||
}
|
||||
});
|
||||
} catch (error) {
|
||||
const {response} = error;
|
||||
if (response.statusCode === 400 && response.body.includes("path is already in use")) {
|
||||
// Engine might already be enabled from previous test runs
|
||||
} else {
|
||||
throw error;
|
||||
}
|
||||
}
|
||||
|
||||
// Configure Root CA
|
||||
try {
|
||||
await got(`${vaultUrl}/v1/pki/root/generate/internal`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
common_name: 'test',
|
||||
ttl: '24h',
|
||||
},
|
||||
});
|
||||
} catch (error) {
|
||||
const {response} = error;
|
||||
if (response.statusCode === 400 && response.body.includes("already exists")) {
|
||||
// Root CA might already be configured from previous test runs
|
||||
} else {
|
||||
throw error;
|
||||
}
|
||||
}
|
||||
|
||||
// Configure PKI Role
|
||||
try {
|
||||
await got(`${vaultUrl}/v1/pki/roles/Test`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
allowed_domains: ['test'],
|
||||
allow_bare_domains: true,
|
||||
max_ttl: '1h',
|
||||
},
|
||||
});
|
||||
} catch (error) {
|
||||
const {response} = error;
|
||||
if (response.statusCode === 400 && response.body.includes("already exists")) {
|
||||
// Role might already be configured from previous test runs
|
||||
} else {
|
||||
throw error;
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
|
|
@ -132,6 +195,12 @@ describe('integration', () => {
|
|||
.mockReturnValueOnce(secrets);
|
||||
}
|
||||
|
||||
function mockPkiInput(pki) {
|
||||
when(core.getInput)
|
||||
.calledWith('pki', expect.anything())
|
||||
.mockReturnValueOnce(pki);
|
||||
}
|
||||
|
||||
function mockIgnoreNotFound(shouldIgnore) {
|
||||
when(core.getInput)
|
||||
.calledWith('ignoreNotFound', expect.anything())
|
||||
|
|
@ -162,6 +231,19 @@ describe('integration', () => {
|
|||
expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
|
||||
})
|
||||
|
||||
it('gets a pki certificate', async () => {
|
||||
mockPkiInput('pki/issue/Test {"common_name":"test","ttl":"1h"}');
|
||||
|
||||
await exportSecrets();
|
||||
|
||||
expect(core.exportVariable).toBeCalledTimes(4);
|
||||
|
||||
expect(core.exportVariable).toBeCalledWith('TEST_KEY', expect.anything());
|
||||
expect(core.exportVariable).toBeCalledWith('TEST_CERT', expect.anything());
|
||||
expect(core.exportVariable).toBeCalledWith('TEST_CA', expect.anything());
|
||||
expect(core.exportVariable).toBeCalledWith('TEST_CA_CHAIN', expect.anything());
|
||||
});
|
||||
|
||||
it('get simple secret', async () => {
|
||||
mockInput('secret/data/test secret');
|
||||
|
||||
|
|
|
|||
|
|
@ -97,6 +97,8 @@ describe('jwt auth', () => {
|
|||
}
|
||||
});
|
||||
|
||||
// write the jwt config, the jwt role will be written on a per-test
|
||||
// basis since the audience may vary
|
||||
await got(`${vaultUrl}/v1/auth/jwt/config`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
|
|
@ -108,22 +110,6 @@ describe('jwt auth', () => {
|
|||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/secret/data/test`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
|
|
@ -138,6 +124,24 @@ describe('jwt auth', () => {
|
|||
});
|
||||
|
||||
describe('authenticate with private key', () => {
|
||||
beforeAll(async () => {
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
jest.resetAllMocks();
|
||||
|
||||
|
|
@ -170,6 +174,22 @@ describe('jwt auth', () => {
|
|||
|
||||
describe('authenticate with Github OIDC', () => {
|
||||
beforeAll(async () => {
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: 'https://github.com/hashicorp/vault-action',
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
|
|
@ -177,7 +197,7 @@ describe('jwt auth', () => {
|
|||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_audiences: 'sigstore',
|
||||
bound_claims: {
|
||||
iss: 'vault-action',
|
||||
aud: 'sigstore',
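Review bot: The two new `beforeAll` hooks in hunks `@ -138,6 +124,24 @@` and `@ -170,6 +174,22 @@` both rewrite the same Vault role `auth/jwt/role/default`, once with `bound_audiences: null` and once with the GitHub audience, so which configuration a test actually runs against depends on Jest executing the describe blocks in file order; running one block via a name filter or reordering them would silently change the role under test. Consider giving each describe its own role name, as the sigstore case already does with `default-sigstore` (the `role` input the tests mock is outside these hunks and would need to follow), or at least add a comment above each hook such as `// Overwrites the shared 'default' role; relies on describe blocks running in file order`. The GitHub OIDC hook's body continues past its hunk into `@ -177,7 +197,7 @@`.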
|
||||
|
|
|
|||