WIP: One function to run the all?
andreaso committed Apr 1, 2024
1 parent 71cb165 commit 1b4898f
Showing 2 changed files with 39 additions and 58 deletions.
34 changes: 6 additions & 28 deletions action.yaml
Expand Up @@ -27,48 +27,26 @@ inputs:
outputs:
cert_path:
description: Full path to the generated SSH certificate
value: ${{ steps.generator.outputs.cert_path }}
value: ${{ steps.run_action.outputs.cert_path }}
key_path:
description: Full path to the corresponding private SSH key
value: ${{ steps.generator.outputs.key_path }}
value: ${{ steps.run_action.outputs.key_path }}

runs:
using: composite
steps:
- name: Use GitHub OIDC to authenticate towards Vault
id: vault_auth
- name: Run Action
id: run_action
shell: python
run: |
from vault_oidc_ssh_cert_action import github_vault_auth
github_vault_auth()
import vault_oidc_ssh_cert_action
vault_oidc_ssh_cert_action.run()
env:
PYTHONPATH: ${{ github.action_path }}
JWT_AUDIENCE: ${{ inputs.jwt_audience }}
OIDC_BACKEND_PATH: ${{ inputs.oidc_backend_path }}
OIDC_ROLE: ${{ inputs.oidc_role }}
VAULT_SERVER: ${{ inputs.vault_server }}

- name: Generate and sign SSH client certificate
id: generator
shell: python
run: |
from vault_oidc_ssh_cert_action import generate_and_sign
generate_and_sign()
env:
PYTHONPATH: ${{ github.action_path }}
SSH_BACKEND_PATH: ${{ inputs.ssh_backend_path }}
SSH_ROLE: ${{ inputs.ssh_role }}
VAULT_SERVER: ${{ inputs.vault_server }}
VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
TMPDIR: ${{ runner.temp }}

- name: Revoke Vault token
if: success() || steps.generator.conclusion == 'failure'
shell: python
run: |
from vault_oidc_ssh_cert_action import revoke_token
revoke_token()
env:
PYTHONPATH: ${{ github.action_path }}
VAULT_SERVER: ${{ inputs.vault_server }}
VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
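Review bot: The merged `run_action` step's env does not line up with what the new `run()` reads: the step sets `OIDC_BACKEND_PATH: ${{ inputs.oidc_backend_path }}` while the Python side looks up `os.environ["OIDC_BACKEND_ROLE"]`, so the action will die with a KeyError before it ever talks to Vault. The input is named `oidc_backend_path`, so the YAML key is the right one and the fix belongs on the Python side: `oidc_backend = os.environ["OIDC_BACKEND_PATH"].strip("/ ")`. The rendered hunk does not show which side `SSH_BACKEND_PATH`, `SSH_ROLE` and `TMPDIR: ${{ runner.temp }}` land on; `run()` needs the first two, and if `TMPDIR` is not carried into the single step then whatever `_generate_and_sign` uses it for (presumably the working directory for the key material) silently falls back to the runner default. Worth keeping from this change: collapsing auth and signing into one process means the Vault token no longer has to be exported through `GITHUB_OUTPUT` as `steps.vault_auth.outputs.vault_token`, which removes it from the `steps.*` context and from every later step's reach.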
63 changes: 33 additions & 30 deletions vault_oidc_ssh_cert_action.py
Expand Up @@ -80,6 +80,7 @@ def _issue_vault_token(
raise VoscaError(title) from request_error

vault_token: str = response.json()["auth"]["client_token"]
_mask_value(vault_token)
return vault_token


Expand All @@ -103,29 +104,9 @@ def _issue_ssh_cert(
return ssh_cert


def github_vault_auth() -> None:
input_audience = os.environ["JWT_AUDIENCE"].strip()
oidc_role = os.environ["OIDC_ROLE"].strip()
oidc_backend = os.environ["OIDC_BACKEND"].strip("/ ")
vault_server = os.environ["VAULT_SERVER"].strip("/ ")

jwt_aud: str = _determine_audience(input_audience, vault_server)
jwt_token: str = _issue_github_jwt(jwt_aud)
vault_token: str = _issue_vault_token(
vault_server, oidc_backend, oidc_role, jwt_token
)

_mask_value(vault_token)
with open(os.environ["GITHUB_OUTPUT"], mode="a", encoding="utf-8") as ghof:
ghof.write(f"vault_token={vault_token}\n")


def generate_and_sign() -> None:
ssh_role = os.environ["SSH_ROLE"].strip()
ssh_backend = os.environ["SSH_BACKEND"].strip("/ ")
vault_server = os.environ["VAULT_SERVER"].strip("/ ")
vault_token = os.environ["VAULT_TOKEN"].strip()

def _generate_and_sign(
vault_server: str, vault_token: str, ssh_backend: str, ssh_role: str
) -> tuple[str, str]:
key_fname = "id_github"
cert_fname = f"{key_fname}-cert.pub"

Expand Down Expand Up @@ -155,15 +136,10 @@ def generate_and_sign() -> None:
os.rename(work_key_path, out_key_path)
os.rename(work_cert_path, out_cert_path)

with open(os.environ["GITHUB_OUTPUT"], mode="a", encoding="utf-8") as ghof:
ghof.write(f"cert_path={out_cert_path}\n")
ghof.write(f"key_path={out_key_path}\n")

return out_cert_path, out_key_path

def revoke_token() -> None:
vault_server = os.environ["VAULT_SERVER"].strip("/ ")
vault_token = os.environ["VAULT_TOKEN"].strip()

def _revoke_token(vault_server: str, vault_token: str) -> None:
revoke_url = f"{vault_server}/v1/auth/token/revoke-self"
headers = {"X-Vault-Token": vault_token}

Expand All @@ -174,3 +150,30 @@ def revoke_token() -> None:
title = "Vault token revoke failure"
message = f"{type(request_error).__name__}: {str(request_error)}"
_set_warning_message(title, message)


def run() -> None:
input_audience = os.environ["JWT_AUDIENCE"].strip()
oidc_role = os.environ["OIDC_ROLE"].strip()
oidc_backend = os.environ["OIDC_BACKEND_ROLE"].strip("/ ")
ssh_role = os.environ["SSH_ROLE"].strip()
ssh_backend = os.environ["SSH_BACKEND_PATH"].strip("/ ")
vault_server = os.environ["VAULT_SERVER"].strip("/ ")

jwt_aud: str = _determine_audience(input_audience, vault_server)
jwt_token: str = _issue_github_jwt(jwt_aud)
vault_token: str = _issue_vault_token(
vault_server, oidc_backend, oidc_role, jwt_token
)

cert_path: str
key_path: str
cert_path, key_path = _generate_and_sign(
vault_server, vault_token, ssh_backend, ssh_role
)

with open(os.environ["GITHUB_OUTPUT"], mode="a", encoding="utf-8") as ghof:
ghof.write(f"cert_path={cert_path}\n")
ghof.write(f"key_path={key_path}\n")

_revoke_token(vault_server, vault_token)
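Review bot: `run()` only reaches `_revoke_token(...)` on the success path, so if `_generate_and_sign` raises (it surfaces the signing request's `VoscaError`) or the `GITHUB_OUTPUT` write fails, the freshly issued Vault token is left valid until its TTL expires; the removed YAML step revoked on `success() || steps.generator.conclusion == 'failure'`, and that guarantee is lost in this rewrite. Wrap everything after `_issue_vault_token` in `try/finally` so revocation runs on every exit path, which matches `_revoke_token`'s existing warn-only failure handling and does not mask the original exception. Separately, `vault_server` is taken from an action input and interpolated straight into request URLs such as `f"{vault_server}/v1/auth/token/revoke-self"`; nothing visible rejects an `http://` value, which would send `X-Vault-Token` in cleartext, so a scheme check at the top of `run()` (raise `VoscaError` unless it starts with `https://`) is cheap insurance.
```python
    # … unchanged: env lookups, audience, GitHub JWT and Vault token issuance …
    try:
        cert_path, key_path = _generate_and_sign(
            vault_server, vault_token, ssh_backend, ssh_role
        )
        with open(os.environ["GITHUB_OUTPUT"], mode="a", encoding="utf-8") as ghof:
            ghof.write(f"cert_path={cert_path}\n")
            ghof.write(f"key_path={key_path}\n")
    finally:
        # Revoke on every exit path; _revoke_token only warns if revocation fails.
        _revoke_token(vault_server, vault_token)
```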
