feat(authenticate): add approle auth method (#10)

* feat(authenticate): add approle auth method * docs(readme): update readme * fix: update index.js * fix: update got to 10.2.2 to fix ncc * chore: clean up code slightly * chore: update tests to use got correctly * chore(test): fix integration tests * chore: streamline method logic * chore: make role and secret required in approle Co-authored-by: Sébastien FAUVART <[email protected]> Co-authored-by: Richard Simpson <[email protected]>
hashicorp · Jan 29, 2020 · 3b9239d · 3b9239d
1 parent 7a96342
commit 3b9239d
Show file tree

Hide file tree

Showing 9 changed files with 2,903 additions and 2,081 deletions.
diff --git a/README.md b/README.md
@@ -22,6 +22,26 @@ jobs:
             # ...
 ```
 
+## Authentication method
+
+The `method` parameter can have these value :
+- **token**: (by default) you must provide a token parameter
+```yaml
+...
+with:
+  url: https://vault.mycompany.com:8200
+  token: ${{ secrets.VaultToken }}
+```
+- **approle**: you must provide a roleId & secretId parameter
+```yaml
+...
+with:
+  url: https://vault.mycompany.com:8200
+  method: approle
+  roleId: ${{ secrets.roleId }}
+  secretId : ${{ secrets.secretId }}
+```
+
 ## Key Syntax
 
 The `secrets` parameter is a set of multiple secret requests separated by the `;` character.
@@ -84,6 +104,7 @@ steps:
       uses: RichiCoder1/vault-action
       with:
         url: https://vault-enterprise.mycompany.com:8200
+        method: token
         token: ${{ secrets.VaultToken }}
         namespace: ns1
         secrets: |

diff --git a/action.js b/action.js
@@ -2,23 +2,58 @@ const core = require('@actions/core');
 const command = require('@actions/core/lib/command');
 const got = require('got');
 
+const AUTH_METHODS = ['approle', 'token'];
 async function exportSecrets() {
     const vaultUrl = core.getInput('url', { required: true });
-    const vaultToken = core.getInput('token', { required: true });
     const vaultNamespace = core.getInput('namespace', { required: false });
 
     const secretsInput = core.getInput('secrets', { required: true });
     const secrets = parseSecretsInput(secretsInput);
 
+    const vaultMethod = core.getInput('method', { required: false }) || 'token';
+    if (!AUTH_METHODS.includes(vaultMethod)) {
+        throw Error(`Sorry, the authentication method ${vaultMethod} is not currently supported.`);
+    }
+
+    let vaultToken = null;
+    switch (vaultMethod) {
+        case 'approle':
+            const vaultRoleId = core.getInput('roleId', { required: true });
+            const vaultSecretId = core.getInput('secretId', { required: true });
+            core.debug('Try to retrieve Vault Token from approle');
+            var options = { 
+                headers: {}, 
+                json: { role_id: vaultRoleId, secret_id: vaultSecretId }, 
+                responseType: 'json' 
+            };
+
+            if (vaultNamespace != null) {
+                options.headers["X-Vault-Namespace"] = vaultNamespace;
+            }
+
+            const result = await got.post(`${vaultUrl}/v1/auth/approle/login`, options);
+            if (result && result.body && result.body.auth && result.body.auth.client_token) {
+                vaultToken = result.body.auth.client_token;
+                core.debug('✔ Vault Token has retrieved from approle');
+            } else {
+                throw Error(`No token was retrieved with the role_id and secret_id provided.`);
+            }
+            break;
+        default:
+            vaultToken = core.getInput('token', { required: true });
+            break;
+    }
+
     for (const secret of secrets) {
         const { secretPath, outputName, secretKey } = secret;
         const requestOptions = {
             headers: {
                 'X-Vault-Token': vaultToken
-            }};
+            },
+        };
 
-        if (vaultNamespace != null){
-            requestOptions.headers["X-Vault-Namespace"] = vaultNamespace
+        if (vaultNamespace != null) {
+            requestOptions.headers["X-Vault-Namespace"] = vaultNamespace;
         }
 
         const result = await got(`${vaultUrl}/v1/secret/data/${secretPath}`, requestOptions);
@@ -35,7 +70,7 @@ async function exportSecrets() {
 
 /**
  * Parses a secrets input string into key paths and their resulting environment variable name.
- * @param {string} secretsInput 
+ * @param {string} secretsInput
  */
 function parseSecretsInput(secretsInput) {
     const secrets = secretsInput
@@ -86,7 +121,7 @@ function parseSecretsInput(secretsInput) {
 }
 
 /**
- * Replaces any forward-slash characters to 
+ * Replaces any forward-slash characters to
  * @param {string} dataKey
  */
 function normalizeOutputKey(dataKey) {