arcodange-org/vault-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement kubernetes auth / Add customizable auth path (#218)

Browse Source 
* Implement kubernetes auth / Add customizable auth path

* Fix typo

* Apply suggestions from code review

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
This commit is contained in:
Falcon Taylor-Carter
2021-06-03 10:59:51 -04:00
committed by GitHub
parent 0cf3bd6a39
commit 72c7a899ca
5 changed files with 139 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/auth.js
View File

@@ -1,22 +1,26 @@
// @ts-check
const core = require('@actions/core');
const rsasign = require('jsrsasign');
const fs = require('fs');
const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
/***
* Authenticate with Vault and retrieve a Vault token that can be used for requests.
* @param {string} method
* @param {import('got').Got} client
*/
async function retrieveToken(method, client) {
const path = core.getInput('path', { required: false }) || method;
switch (method) {
case 'approle': {
const vaultRoleId = core.getInput('roleId', { required: true });
const vaultSecretId = core.getInput('secretId', { required: true });
return await getClientToken(client, method, { role_id: vaultRoleId, secret_id: vaultSecretId });
return await getClientToken(client, method, path, { role_id: vaultRoleId, secret_id: vaultSecretId });
}
case 'github': {
const githubToken = core.getInput('githubToken', { required: true });
return await getClientToken(client, method, { token: githubToken });
return await getClientToken(client, method, path, { token: githubToken });
}
case 'jwt': {
const role = core.getInput('role', { required: true });
@@ -25,8 +29,18 @@ async function retrieveToken(method, client) {
const keyPassword = core.getInput('jwtKeyPassword', { required: false });
const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
const jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
return await getClientToken(client, method, { jwt: jwt, role: role });
return await getClientToken(client, method, path, { jwt: jwt, role: role });
}
case 'kubernetes': {
const role = core.getInput('role', { required: true })
const tokenPath = core.getInput('kubernetesTokenPath', { required: false }) || defaultKubernetesTokenPath
const data = fs.readFileSync(tokenPath, 'utf8')
if (!(role && data) && data != "") {
throw new Error("Role Name must be set and a kubernetes token must set")
}
return await getClientToken(client, method, path, { jwt: data, role: role })
}
default: {
if (!method || method === 'token') {
return core.getInput('token', { required: true });
@@ -36,7 +50,7 @@ async function retrieveToken(method, client) {
if (!payload) {
throw Error('When using a custom authentication method, you must provide the payload');
}
return await getClientToken(client, method, JSON.parse(payload.trim()));
return await getClientToken(client, method, path, JSON.parse(payload.trim()));
}
}
}
@@ -72,9 +86,10 @@ function generateJwt(privateKey, keyPassword, ttl) {
* Call the appropriate login endpoint and parse out the token in the response.
* @param {import('got').Got} client
* @param {string} method
* @param {string} path
* @param {any} payload
*/
async function getClientToken(client, method, payload) {
async function getClientToken(client, method, path, payload) {
/** @type {'json'} */
const responseType = 'json';
var options = {
@@ -82,10 +97,10 @@ async function getClientToken(client, method, payload) {
responseType,
};
core.debug(`Retrieving Vault Token from v1/auth/${method}/login endpoint`);
core.debug(`Retrieving Vault Token from v1/auth/${path}/login endpoint`);
/** @type {import('got').Response<VaultLoginResponse>} */
const response = await client.post(`v1/auth/${method}/login`, options);
const response = await client.post(`v1/auth/${path}/login`, options);
if (response && response.body && response.body.auth && response.body.auth.client_token) {
core.debug('✔ Vault Token successfully retrieved');