open-vault/builtin/credential/github/cli.go

package github

import (
	"fmt"
	"io"
	"os"
	"strings"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/sdk/helper/password"
)

type CLIHandler struct {
	// for tests
	testStdout io.Writer
}

func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
	mount, ok := m["mount"]
	if !ok {
		mount = "github"
	}

	// Extract or prompt for token
	token := m["token"]
	if token == "" {
		token = os.Getenv("VAULT_AUTH_GITHUB_TOKEN")
	}
	if token == "" {
		// Override the output
		stdout := h.testStdout
		if stdout == nil {
			stdout = os.Stderr
		}

		var err error
		fmt.Fprintf(stdout, "GitHub Personal Access Token (will be hidden): ")
		token, err = password.Read(os.Stdin)
		fmt.Fprintf(stdout, "\n")
		if err != nil {
			if err == password.ErrInterrupted {
				return nil, fmt.Errorf("user interrupted")
			}

			return nil, errwrap.Wrapf("An error occurred attempting to "+
				"ask for a token. The raw error message is shown below, but usually "+
				"this is because you attempted to pipe a value into the command or "+
				"you are executing outside of a terminal (tty). If you want to pipe "+
				"the value, pass \"-\" as the argument to read from stdin. The raw "+
				"error was: {{err}}", err)
		}
	}

	path := fmt.Sprintf("auth/%s/login", mount)
	secret, err := c.Logical().Write(path, map[string]interface{}{
		"token": strings.TrimSpace(token),
	})
	if err != nil {
		return nil, err
	}
	if secret == nil {
		return nil, fmt.Errorf("empty response from credential provider")
	}

	return secret, nil
}

func (h *CLIHandler) Help() string {
	help := `
Usage: vault login -method=github [CONFIG K=V...]

  The GitHub auth method allows users to authenticate using a GitHub
  personal access token. Users can generate a personal access token from the
  settings page on their GitHub account.

  Authenticate using a GitHub token:

      $ vault login -method=github token=abcd1234

Configuration:

  mount=<string>
      Path where the GitHub credential method is mounted. This is usually
      provided via the -path flag in the "vault login" command, but it can be
      specified here as well. If specified here, it takes precedence over the
      value for -path. The default value is "github".

  token=<string>
      GitHub personal access token to use for authentication. If not provided,
      Vault will prompt for the value.
`

	return strings.TrimSpace(help)
}
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`package github`

			`import (`
			`"fmt"`
Prompt for GitHub token if not provided 2017-09-21 16:07:46 +00:00			`"io"`
Added VAULT_GITHUB_AUTH_TOKEN env var to receive GitHub auth token 2016-06-09 17:38:46 +00:00			`"os"`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`"strings"`

Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`"github.com/hashicorp/errwrap"`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`"github.com/hashicorp/vault/api"`
Move password to sdk 2019-04-12 22:12:13 +00:00			`"github.com/hashicorp/vault/sdk/helper/password"`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`)`

Prompt for GitHub token if not provided 2017-09-21 16:07:46 +00:00			`type CLIHandler struct {`
			`// for tests`
			`testStdout io.Writer`
			`}`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`func (h CLIHandler) Auth(c api.Client, m map[string]string) (*api.Secret, error) {`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`mount, ok := m["mount"]`
			`if !ok {`
			`mount = "github"`
			`}`

Prompt for GitHub token if not provided 2017-09-21 16:07:46 +00:00			`// Extract or prompt for token`
			`token := m["token"]`
			`if token == "" {`
			`token = os.Getenv("VAULT_AUTH_GITHUB_TOKEN")`
			`}`
			`if token == "" {`
			`// Override the output`
			`stdout := h.testStdout`
			`if stdout == nil {`
Write password prompts to stderr to avoid co-mingling stdout (#3781) (#3782) 2018-01-18 17:14:19 +00:00			`stdout = os.Stderr`
Prompt for GitHub token if not provided 2017-09-21 16:07:46 +00:00			`}`

			`var err error`
			`fmt.Fprintf(stdout, "GitHub Personal Access Token (will be hidden): ")`
			`token, err = password.Read(os.Stdin)`
			`fmt.Fprintf(stdout, "\n")`
			`if err != nil {`
			`if err == password.ErrInterrupted {`
			`return nil, fmt.Errorf("user interrupted")`
			`}`

Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, errwrap.Wrapf("An error occurred attempting to "+`
Prompt for GitHub token if not provided 2017-09-21 16:07:46 +00:00			`"ask for a token. The raw error message is shown below, but usually "+`
			`"this is because you attempted to pipe a value into the command or "+`
			`"you are executing outside of a terminal (tty). If you want to pipe "+`
			`"the value, pass \"-\" as the argument to read from stdin. The raw "+`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`"error was: {{err}}", err)`
Added VAULT_GITHUB_AUTH_TOKEN env var to receive GitHub auth token 2016-06-09 17:38:46 +00:00			`}`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`}`

			`path := fmt.Sprintf("auth/%s/login", mount)`
			`secret, err := c.Logical().Write(path, map[string]interface{}{`
Prompt for GitHub token if not provided 2017-09-21 16:07:46 +00:00			`"token": strings.TrimSpace(token),`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`})`
			`if err != nil {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, err`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`}`
			`if secret == nil {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, fmt.Errorf("empty response from credential provider")`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`}`

Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return secret, nil`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00			`}`

			`func (h *CLIHandler) Help() string {`
			help := `
Update credential help Use "vault login" instead of "vault auth" and use "method" consistently over provider. 2017-09-06 14:02:15 +00:00			`Usage: vault login -method=github [CONFIG K=V...]`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`The GitHub auth method allows users to authenticate using a GitHub`
Update credential help Use "vault login" instead of "vault auth" and use "method" consistently over provider. 2017-09-06 14:02:15 +00:00			`personal access token. Users can generate a personal access token from the`
			`settings page on their GitHub account.`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00
Update help output for github auth 2017-09-02 22:50:03 +00:00			`Authenticate using a GitHub token:`
command/auth, github: improve cli docs /cc @sethvargo 2015-06-16 17:05:11 +00:00
Update credential help Use "vault login" instead of "vault auth" and use "method" consistently over provider. 2017-09-06 14:02:15 +00:00			`$ vault login -method=github token=abcd1234`
command/auth, github: improve cli docs /cc @sethvargo 2015-06-16 17:05:11 +00:00
Update help output for github auth 2017-09-02 22:50:03 +00:00			`Configuration:`

			`mount=<string>`
Update credential help Use "vault login" instead of "vault auth" and use "method" consistently over provider. 2017-09-06 14:02:15 +00:00			`Path where the GitHub credential method is mounted. This is usually`
			`provided via the -path flag in the "vault login" command, but it can be`
			`specified here as well. If specified here, it takes precedence over the`
			`value for -path. The default value is "github".`
Update help output for github auth 2017-09-02 22:50:03 +00:00
			`token=<string>`
Prompt for GitHub token if not provided 2017-09-21 16:07:46 +00:00			`GitHub personal access token to use for authentication. If not provided,`
			`Vault will prompt for the value.`
Update help output for github auth 2017-09-02 22:50:03 +00:00			`
credential/github: CLI handler 2015-04-06 16:53:43 +00:00
			`return strings.TrimSpace(help)`
			`}`