feat: Add API Key authentication support BIPS-21958 (#39)

* feat: add API Key to action

* docs: add API key to action docs

* refactor: split dev and runtime requirements

* fix: remove unused dependency

* fix: removed redundant entrypoint

* feat: defined .gitignore config

* feat: add api_key to readme

* fix: tests is a module

* refactor: code and docstrings

* chore: test code format

* chore: Dockerfile cleaning

* test: temporary use Dockerfile in action.yml for testing purposes

* fix: absolute path for app entry point

.gitignore

@@ -0,0 +1,119 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# VS Code settings
+.vscode/

Dockerfile

@@ -2,8 +2,8 @@
 FROM python:3.11-alpine
 
 # setup environment variable  
-ENV PYTHONDONTWRITEBYTECODE=1
-ENV PYTHONUNBUFFERED=1
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
 
 RUN python -m pip install --upgrade pip
 
@@ -12,20 +12,9 @@ RUN apk update && apk upgrade -i -a --update-cache
 WORKDIR /usr/src/app
 
 # Installing requirements from requirements.txt file
-# COPY requirements.txt /usr/src/app
-# RUN pip install -r requirements.txt
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
 
-# Installing secrets_safe library
-# COPY secrets_safe /usr/src/app/secrets_safe
+COPY src/ .
 
-# Installing requirements from requirements.txt file
-COPY requirements.txt /usr/src/app
-RUN pip install -r requirements.txt
-
-
-
-COPY src /src
-
-COPY main.py /main.py
-
-ENTRYPOINT ["python", "/main.py"]
+ENTRYPOINT ["python", "/usr/src/app/main.py"]

README.md

@@ -19,6 +19,10 @@ Runners must use a Linux operating system. Additionally, self-hosted runners wil
 
 ## Inputs
 
+### `api_key`
+
+**Optional:** The API Key configured in BeyondInsight for your application. If not set, then client credentials must be provided.
+
 ### `client_id`
 
 **Required:** API OAuth Client ID.
@@ -31,7 +35,7 @@ Runners must use a Linux operating system. Additionally, self-hosted runners wil
 
 **Required:** BeyondTrust Password Safe API URL.
 ```
-https://example.com:443/beyondtrust/api/public/V3
+https://example.com:443/BeyondTrust/api/public/v3
 ```
 
 ### `secret_path`

action.yml

@@ -2,13 +2,17 @@ name: 'Secrets Safe Action'
 author: 'BeyondTrust Corporation'
 description: 'This custom action allows for the retrieval of ASCII secrets from an instance of Secrets Safe.'
 inputs:
+  api_key:
+    description: 'The API Key configured in BeyondInsight for your application. If not set, then client credentials must be provided.'
+    required: false
+    default: ''
   client_id:
     description: 'The API OAuth Client ID is configured in BeyondInsight for your application. For use when authenticating to Secrets Safe'
-    required: true
+    required: false
     default: ''
   client_secret:
     description: 'The API OAuth Client Secret is configured in BeyondInsight for your application. For use when authenticating to Secrets Safe.'
-    required: true
+    required: false
     default: ''
   api_url:
     description: 'The API URL for the Secrets Safe instance from which to request a secret.'
@@ -47,8 +51,9 @@ outputs:
     description: 'The action stores the retrieved secrets in output variables defined by the end user. The <output_id> must be a unique identifier within the outputs object. The <output_id> must start with a letter or _ and contain only alphanumeric characters, -, or _.'
 runs:
   using: 'docker'
-  image: 'docker://beyondtrust/secrets-github-action:1.0.1'
+  image: 'Dockerfile'
   args:
+    - ${{ inputs.api_key }}
     - ${{ inputs.client_id }}
     - ${{ inputs.client_secret }}
     - ${{ inputs.api_url }}

requirements-dev.txt

@@ -0,0 +1,2 @@
+-r requirements.txt
+coverage==7.3.1

requirements.txt

@@ -1,6 +1,4 @@
 requests==2.32.3
 retry-requests==2.0.0
 github_action_utils==1.1.0
-coverage==7.3.1
-cryptography==43.0.1
-my-secrets-safe-library==2.0
+beyondtrust-bips-library~=1.0