make "role" input optional (#291)

* make "role" input optional Per Vault documentation it doesn't have to be provided, and the auth provider's "default_role" parameter is required precisely for this case. https://www.vaultproject.io/api/auth/jwt
2022-04-07 16:34:46 +02:00
parent 25c4aec690
commit 2f64a97498
2 changed files with 27 additions and 10 deletions
--- a/integrationTests/basic/jwt_auth.test.js
+++ b/integrationTests/basic/jwt_auth.test.js
@@ -51,6 +51,9 @@ function mockGithubOIDCResponse(aud= "https://github.com/hashicorp/vault-action"
    return rsasign.KJUR.jws.JWS.sign(alg, JSON.stringify(header), JSON.stringify(payload), decryptedKey);
 }

+// The sign call inside this function takes a while to run, so cache the default JWT in a constant.
+const defaultGithubJwt = mockGithubOIDCResponse();
+
 describe('jwt auth', () => {
    beforeAll(async () => {
        // Verify Connection
@@ -99,7 +102,8 @@ describe('jwt auth', () => {
                'X-Vault-Token': 'testtoken',
            },
            json: {
-                jwt_validation_pubkeys: publicRsaKey
+                jwt_validation_pubkeys: publicRsaKey,
+                default_role: "default"
            }
        });

@@ -198,20 +202,20 @@ describe('jwt auth', () => {
                .calledWith('jwtPrivateKey')
                .mockReturnValueOnce('');

-            when(core.getInput)
-                .calledWith('role')
-                .mockReturnValueOnce('default');
-
            when(core.getInput)
                .calledWith('secrets')
                .mockReturnValueOnce('secret/data/test secret');
-
-            when(core.getIDToken)
-                .calledWith()
-                .mockReturnValueOnce(mockGithubOIDCResponse());
        });

        it('successfully authenticates', async () => {
+            when(core.getInput)
+                .calledWith('role')
+                .mockReturnValueOnce('default');
+
+            when(core.getIDToken)
+                .calledWith()
+                .mockReturnValueOnce(defaultGithubJwt);
+
            await exportSecrets();
            expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
        });
@@ -233,6 +237,19 @@ describe('jwt auth', () => {
            expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
        })

+        it('successfully authenticates as default role without specifying it', async () => {
+            when(core.getInput)
+                .calledWith('role')
+                .mockReturnValueOnce(null);
+
+            when(core.getIDToken)
+                .calledWith()
+                .mockReturnValueOnce(defaultGithubJwt);
+
+            await exportSecrets();
+            expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
+        })
+
    });

 });