
Reimplement in Python
Primarily to facilitate better error handling.
andreaso committed Apr 1, 2024
1 parent fb79faf commit e6adc93
Showing 7 changed files with 263 additions and 123 deletions.
42 changes: 39 additions & 3 deletions .github/workflows/linter.yaml
Expand Up @@ -12,13 +12,45 @@ on:

permissions:
contents: read
statuses: write

jobs:
lint:
python:
name: Python
runs-on: ${{ matrix.os }}

strategy:
matrix:
os:
- ubuntu-20.04
- ubuntu-22.04

steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Setup Python virtualenv
run: |
python3 -m venv .venv
.venv/bin/pip install --upgrade pip setuptools
.venv/bin/pip install ruff mypy types-requests
- name: Check ruff formating
run: .venv/bin/ruff format --diff vault_oidc_ssh_cert_action.py

- name: Check ruff linting
run: .venv/bin/ruff check vault_oidc_ssh_cert_action.py

- name: Check type hints
run: .venv/bin/mypy --strict vault_oidc_ssh_cert_action.py

super:
name: Super-Linter
runs-on: ubuntu-latest

permissions:
contents: read
statuses: write

steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -29,6 +61,10 @@ jobs:
uses: super-linter/super-linter/slim@v6
env:
VALIDATE_ALL_CODEBASE: true
VALIDATE_SHELL_SHFMT: false
VALIDATE_PYTHON_BLACK: false
VALIDATE_PYTHON_FLAKE8: false
VALIDATE_PYTHON_ISORT: false
VALIDATE_PYTHON_MYPY: false
VALIDATE_PYTHON_PYLINT: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
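Review bot: The new `python` job declares no `permissions:` block of its own, so it inherits whatever the workflow level grants; if `statuses: write` is still granted there (the `permissions:` block ending at L21), ruff and mypy run with a write scope they never use, while the `super` job already carries its own `permissions:` (L57-L59) where that scope belongs. Dropping `statuses: write` from the workflow level and keeping it only on `super` would make the lint job least-privilege. The `.venv/bin/pip install ruff mypy types-requests` line installs unpinned versions, so a new ruff or mypy release can change this job's outcome without any change to the repository; pinning, e.g. `.venv/bin/pip install 'ruff==<pinned-version>' 'mypy==<pinned-version>' types-requests`, keeps the check reproducible. Minor: the step name `Check ruff formating` is misspelled — `Check ruff formatting`.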
3 changes: 3 additions & 0 deletions .gitignore
@@ -1,3 +1,6 @@
*~
\#*#
.#*

*.pyc
.venv/
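--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ jobs:
 - name: Generate SSH client certificate
 if: github.ref == 'refs/heads/main'
 id: ssh_cert
-uses: andreaso/vault-oidc-ssh-cert-action@v0.10
+uses: andreaso/vault-oidc-ssh-cert-action@v0.11
 with:
 vault_server: https://vault.example.com:8200
 oidc_backend_path: github-oidc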
57 changes: 12 additions & 45 deletions action.yaml
Expand Up @@ -27,59 +27,26 @@ inputs:
outputs:
cert_path:
description: Full path to the generated SSH certificate
value: ${{ steps.generator.outputs.cert_path }}
value: ${{ steps.run_action.outputs.cert_path }}
key_path:
description: Full path to the corresponding private SSH key
value: ${{ steps.generator.outputs.key_path }}
value: ${{ steps.run_action.outputs.key_path }}

runs:
using: composite
steps:
- name: Determine JWT audience
id: determine
run: |
import os
from urllib.parse import urlparse
aud = os.environ["JWT_AUDIENCE"].strip()
if not aud:
url = os.environ["VAULT_SERVER"]
fqdn = urlparse(url).netloc.split(":")[0]
aud = fqdn
with open(os.environ["GITHUB_OUTPUT"], "a") as ghof:
ghof.write(f"audience={aud}\n")
- name: Run Action
id: run_action
shell: python
run: |
import vault_oidc_ssh_cert_action
vault_oidc_ssh_cert_action.run()
env:
PYTHONPATH: ${{ github.action_path }}
JWT_AUDIENCE: ${{ inputs.jwt_audience }}
VAULT_SERVER: ${{ inputs.vault_server }}

- name: Use GitHub OIDC to authenticate towards Vault
id: vault_auth
shell: bash
run: "${ACTION_PATH}/github-vault-auth"
env:
ACTION_PATH: ${{ github.action_path }}
AUDIENCE: ${{ steps.determine.outputs.audience }}
BACKEND: ${{ inputs.oidc_backend_path }}
ROLE: ${{ inputs.oidc_role }}
VAULT_SERVER: ${{ inputs.vault_server }}

- name: Generate and sign SSH client certificate
id: generator
shell: bash
run: "${ACTION_PATH}/generate-and-sign"
env:
ACTION_PATH: ${{ github.action_path }}
VAULT_SERVER: ${{ inputs.vault_server }}
VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
SSH_BACKEND: ${{ inputs.ssh_backend_path }}
OIDC_BACKEND_PATH: ${{ inputs.oidc_backend_path }}
OIDC_ROLE: ${{ inputs.oidc_role }}
SSH_BACKEND_PATH: ${{ inputs.ssh_backend_path }}
SSH_ROLE: ${{ inputs.ssh_role }}
TMPDIR: ${{ runner.temp }}

- name: Revoke Vault token
if: success() || steps.generator.conclusion == 'failure'
shell: bash
run: |
curl --fail --silent --show-error --tlsv1.3 --header "X-Vault-Token: ${VAULT_TOKEN}" --data "" "${VAULT_SERVER%/}/v1/auth/token/revoke-self"
env:
VAULT_SERVER: ${{ inputs.vault_server }}
VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
TMPDIR: ${{ runner.temp }}
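Review bot: The dedicated `Revoke Vault token` step, which also ran on failure (`if: success() || steps.generator.conclusion == 'failure'`), is removed, and nothing in the new `Run Action` step shows an equivalent; whether `vault_oidc_ssh_cert_action.run()` revokes the token when signing fails cannot be seen here, since the module is not in this view. If revocation now lives in Python it should run in a `finally` so that a failed signing request does not leave a live Vault token behind; if it does not, a separate composite step with `if: always()` would restore the previous guarantee. The old curl step also enforced `--tlsv1.3`, and the TLS floor of whatever HTTP client the module uses is not visible and is worth confirming. A short comment on the step, e.g. `# Vault token revocation is handled inside vault_oidc_ssh_cert_action.run()`, would make that contract visible to readers of the composite action.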
39 changes: 0 additions & 39 deletions generate-and-sign

This file was deleted.

35 changes: 0 additions & 35 deletions github-vault-auth

This file was deleted.

