open-vault/builtin/credential/github/backend.go

package github

import (
	"context"

	"github.com/google/go-github/github"
	"github.com/hashicorp/go-cleanhttp"
	"github.com/hashicorp/vault/helper/mfa"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
	"golang.org/x/oauth2"
)

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
	b := Backend()
	if err := b.Setup(ctx, conf); err != nil {
		return nil, err
	}
	return b, nil
}

func Backend() *backend {
	var b backend
	b.TeamMap = &framework.PolicyMap{
		PathMap: framework.PathMap{
			Name: "teams",
		},
		DefaultKey: "default",
	}

	b.UserMap = &framework.PolicyMap{
		PathMap: framework.PathMap{
			Name: "users",
		},
		DefaultKey: "default",
	}

	allPaths := append(b.TeamMap.Paths(), b.UserMap.Paths()...)
	b.Backend = &framework.Backend{
		Help: backendHelp,

		PathsSpecial: &logical.Paths{
			Root: mfa.MFARootPaths(),
			Unauthenticated: []string{
				"login",
			},
		},

		Paths: append([]*framework.Path{
			pathConfig(&b),
		}, append(allPaths, mfa.MFAPaths(b.Backend, pathLogin(&b))...)...),
		AuthRenew:   b.pathLoginRenew,
		BackendType: logical.TypeCredential,
	}

	return &b
}

type backend struct {
	*framework.Backend

	TeamMap *framework.PolicyMap

	UserMap *framework.PolicyMap
}

// Client returns the GitHub client to communicate to GitHub via the
// configured settings.
func (b *backend) Client(token string) (*github.Client, error) {
	tc := cleanhttp.DefaultClient()
	if token != "" {
		ctx := context.WithValue(context.Background(), oauth2.HTTPClient, tc)
		tc = oauth2.NewClient(ctx, &tokenSource{Value: token})
	}

	return github.NewClient(tc), nil
}

// tokenSource is an oauth2.TokenSource implementation.
type tokenSource struct {
	Value string
}

func (t *tokenSource) Token() (*oauth2.Token, error) {
	return &oauth2.Token{AccessToken: t.Value}, nil
}

const backendHelp = `
The GitHub credential provider allows authentication via GitHub.

Users provide a personal access token to log in, and the credential
provider verifies they're part of the correct organization and then
maps the user to a set of Vault policies according to the teams they're
part of.

After enabling the credential provider, use the "config" route to
configure it.
`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`package github`

			`import (`
Use the oauth2 context ability to specify a clean http client. (#2808) Hopefully fixes #2793 2017-06-05 16:27:01 +00:00			`"context"`

credential/github: auth with github 2015-04-01 22:46:21 +00:00			`"github.com/google/go-github/github"`
Use cleanhttp instead of bare http.Client 2015-10-22 18:37:12 +00:00			`"github.com/hashicorp/go-cleanhttp"`
Add Duo MFA to the Github backend (#3696) 2017-12-18 14:59:17 +00:00			`"github.com/hashicorp/vault/helper/mfa"`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`"golang.org/x/oauth2"`
			`)`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {`
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs 2017-07-20 17:28:40 +00:00			`b := Backend()`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := b.Setup(ctx, conf); err != nil {`
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs 2017-07-20 17:28:40 +00:00			`return nil, err`
			`}`
			`return b, nil`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`}`

Backend() functions should return 'backend' objects. If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested. 2016-06-10 19:53:02 +00:00			`func Backend() *backend {`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`var b backend`
Added support for individual user policy mapping in github auth backend. (#2079) 2016-11-10 21:21:14 +00:00			`b.TeamMap = &framework.PolicyMap{`
credential/github: case insensitive mappings 2015-05-11 17:24:39 +00:00			`PathMap: framework.PathMap{`
logical/framework: PathMap is case insensitive by default 2015-05-11 17:27:04 +00:00			`Name: "teams",`
credential/github: case insensitive mappings 2015-05-11 17:24:39 +00:00			`},`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`DefaultKey: "default",`
			`}`
Added support for individual user policy mapping in github auth backend. (#2079) 2016-11-10 21:21:14 +00:00
			`b.UserMap = &framework.PolicyMap{`
			`PathMap: framework.PathMap{`
			`Name: "users",`
			`},`
			`DefaultKey: "default",`
			`}`

			`allPaths := append(b.TeamMap.Paths(), b.UserMap.Paths()...)`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`b.Backend = &framework.Backend{`
credential/github: improve help 2015-04-04 19:18:33 +00:00			`Help: backendHelp,`

credential/github: auth with github 2015-04-01 22:46:21 +00:00			`PathsSpecial: &logical.Paths{`
Add Duo MFA to the Github backend (#3696) 2017-12-18 14:59:17 +00:00			`Root: mfa.MFARootPaths(),`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`Unauthenticated: []string{`
			`"login",`
			`},`
			`},`

			`Paths: append([]*framework.Path{`
Github backend: enable auth renewals 2015-10-02 17:33:19 +00:00			`pathConfig(&b),`
Add Duo MFA to the Github backend (#3696) 2017-12-18 14:59:17 +00:00			`}, append(allPaths, mfa.MFAPaths(b.Backend, pathLogin(&b))...)...),`
Add BackendType to existing backends (#3078) 2017-07-28 18:04:46 +00:00			`AuthRenew: b.pathLoginRenew,`
			`BackendType: logical.TypeCredential,`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`}`

Backend() functions should return 'backend' objects. If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested. 2016-06-10 19:53:02 +00:00			`return &b`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`}`

			`type backend struct {`
			`*framework.Backend`

Added support for individual user policy mapping in github auth backend. (#2079) 2016-11-10 21:21:14 +00:00			`TeamMap *framework.PolicyMap`

			`UserMap *framework.PolicyMap`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`}`

			`// Client returns the GitHub client to communicate to GitHub via the`
			`// configured settings.`
			`func (b backend) Client(token string) (github.Client, error) {`
Use cleanhttp instead of bare http.Client 2015-10-22 18:37:12 +00:00			`tc := cleanhttp.DefaultClient()`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`if token != "" {`
Use the oauth2 context ability to specify a clean http client. (#2808) Hopefully fixes #2793 2017-06-05 16:27:01 +00:00			`ctx := context.WithValue(context.Background(), oauth2.HTTPClient, tc)`
			`tc = oauth2.NewClient(ctx, &tokenSource{Value: token})`
credential/github: auth with github 2015-04-01 22:46:21 +00:00			`}`

			`return github.NewClient(tc), nil`
			`}`

			`// tokenSource is an oauth2.TokenSource implementation.`
			`type tokenSource struct {`
			`Value string`
			`}`

			`func (t tokenSource) Token() (oauth2.Token, error) {`
			`return &oauth2.Token{AccessToken: t.Value}, nil`
			`}`
credential/github: improve help 2015-04-04 19:18:33 +00:00
			const backendHelp = `
			`The GitHub credential provider allows authentication via GitHub.`

			`Users provide a personal access token to log in, and the credential`
			`provider verifies they're part of the correct organization and then`
			`maps the user to a set of Vault policies according to the teams they're`
			`part of.`

			`After enabling the credential provider, use the "config" route to`
			`configure it.`
			`