mirror of
https://github.com/hashicorp/vault-action.git
synced 2026-04-16 08:45:44 +00:00
Make optional instead of always, in case of untrusted steps
parent
e92c0909f9
commit
f93ffc6726
4 changed files with 23 additions and 18 deletions
|
|
@ -12,6 +12,7 @@ async function exportSecrets() {
|
|||
const vaultNamespace = core.getInput('namespace', { required: false });
|
||||
const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
|
||||
const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
|
||||
const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() != 'false';
|
||||
const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';
|
||||
|
||||
const secretsInput = core.getInput('secrets', { required: false });
|
||||
|
|
@ -70,7 +71,9 @@ async function exportSecrets() {
|
|||
const client = got.extend(defaultOptions);
|
||||
|
||||
command.issue('add-mask', vaultToken);
|
||||
core.setOutput('vault_token', `${vaultToken}`);
|
||||
if (outputToken === true) {
|
||||
core.setOutput('vault_token', `${vaultToken}`);
|
||||
}
|
||||
if (exportToken === true) {
|
||||
core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
|
||||
}
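Review bot: The `outputToken` flag read in the first hunk fails open: `(… || 'false').toLowerCase() != 'false'` treats every value other than the literal `false` as opt-in, so a typo or a value such as `no` or `0` would still publish the token as the `vault_token` step output. Since the commit's stated purpose is to keep the token away from untrusted steps unless it is asked for, the flag should accept only an explicit yes, e.g. `const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() === 'true';`. The `exportToken` line beside it uses the same parsing and deserves the same tightening. `exportSecrets` starts and ends outside both hunks, and the added/removed markers are lost on this page, so which of these lines are new is inferred from the hunk line counts.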
|
||||
|
|
|
|||
|
|
@ -184,6 +184,12 @@ describe('exportSecrets', () => {
|
|||
.mockReturnValueOnce(doExport);
|
||||
}
|
||||
|
||||
function mockOutputToken(doOutput) {
|
||||
when(core.getInput)
|
||||
.calledWith('outputToken', expect.anything())
|
||||
.mockReturnValueOnce(doOutput);
|
||||
}
|
||||
|
||||
it('simple secret retrieval', async () => {
|
||||
mockInput('test key');
|
||||
mockVaultData({
|
||||
|
|
@ -194,7 +200,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('intl secret retrieval', async () => {
|
||||
|
|
@ -207,7 +212,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('测试', '1');
|
||||
expect(core.setOutput).toBeCalledWith('测试', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('mapped secret retrieval', async () => {
|
||||
|
|
@ -220,7 +224,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1');
|
||||
expect(core.setOutput).toBeCalledWith('TEST_NAME', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('simple secret retrieval from K/V v1', async () => {
|
||||
|
|
@ -238,7 +241,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('simple secret retrieval with extra headers', async () => {
|
||||
|
|
@ -254,7 +256,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('nested secret retrieval', async () => {
|
||||
|
|
@ -267,7 +268,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key__value', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('export Vault token', async () => {
|
||||
|
|
@ -284,7 +284,6 @@ describe('exportSecrets', () => {
|
|||
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('not export Vault token', async () => {
|
||||
|
|
@ -300,7 +299,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('single-line secret gets masked', async () => {
|
||||
|
|
@ -316,7 +314,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'secret');
|
||||
expect(core.setOutput).toBeCalledWith('key', 'secret');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('multi-line secret gets masked for each line', async () => {
|
||||
|
|
@ -338,7 +335,6 @@ with blank lines
|
|||
expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
|
||||
expect(core.setOutput).toBeCalledWith('key', multiLineString);
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('export only Vault token, no secrets', async () => {
|
||||
|
|
@ -348,6 +344,14 @@ with blank lines
|
|||
|
||||
expect(core.exportVariable).toBeCalledTimes(1);
|
||||
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('output only Vault token, no secrets', async () => {
|
||||
mockOutputToken("true")
|
||||
|
||||
await exportSecrets();
|
||||
|
||||
expect(core.setOutput).toBeCalledTimes(1);
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
});
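Review bot: The `expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE')` assertions appear to have been dropped from the existing tests without a negative check taking their place, so nothing in this file fails if the token is written to the step output by default again. Add `expect(core.setOutput).not.toBeCalledWith('vault_token', expect.anything());` to at least one default-path test such as 'simple secret retrieval', plus a case that calls `mockOutputToken('false')` and asserts the same. The new 'output only Vault token, no secrets' test covers only the opt-in path. The added/removed markers are lost on this page, so which lines were removed is inferred from the hunk line counts (for example `-194,7 +200,6`).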
|
||||
|
|
|
|||