use github token env var if present when fetching org id (#19244)

Raymond Ho 2023-02-21 12:17:35 -08:00 committed by GitHub
parent 95bdeafb3e
commit 57ff9835f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 51 additions and 1 deletions


@ -4,6 +4,7 @@ import (
"context" "context"
"fmt" "fmt"
"net/url" "net/url"
"os"
"strings" "strings"
"time" "time"
@ -94,7 +95,8 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, dat
} }
if c.OrganizationID == 0 { if c.OrganizationID == 0 {
client, err := b.Client("") githubToken := os.Getenv("VAULT_AUTH_CONFIG_GITHUB_TOKEN")
client, err := b.Client(githubToken)
if err != nil { if err != nil {
return nil, err return nil, err
} }
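Review bot: The value read from `VAULT_AUTH_CONFIG_GITHUB_TOKEN` and passed to `b.Client(githubToken)` is a server-wide credential, yet the endpoint it is sent to appears to be chosen by the config request itself: the test in this commit supplies `base_url` in the request data and the org lookup goes to that server. The client construction is outside the hunk, so this is inferred, but if the client does target the configured `base_url`, anyone permitted to write this config path can have the server's token presented to an endpoint of their choosing. I would say so above the `os.Getenv` line, e.g. `// Sent to the configured base_url; use a token with no scopes, it is only needed to lift the rate limit.`, and consider passing the token only when `base_url` is unset. `pathConfigWrite` starts and ends outside the hunk.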


@ -6,6 +6,7 @@ import (
"fmt" "fmt"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"os"
"strings" "strings"
"testing" "testing"
@ -120,6 +121,43 @@ func TestGitHub_WriteReadConfig_OrgID(t *testing.T) {
assert.Equal(t, "foo-org", resp.Data["organization"]) assert.Equal(t, "foo-org", resp.Data["organization"])
} }
// TestGitHub_WriteReadConfig_Token tests that we can successfully read and
// write the github auth config with a token environment variable
func TestGitHub_WriteReadConfig_Token(t *testing.T) {
b, s := createBackendWithStorage(t)
// use a test server to return our mock GH org info
ts := setupTestServer(t)
defer ts.Close()
err := os.Setenv("VAULT_AUTH_CONFIG_GITHUB_TOKEN", "foobar")
assert.NoError(t, err)
resp, err := b.HandleRequest(context.Background(), &logical.Request{
Path: "config",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"organization": "foo-org",
"base_url": ts.URL, // base_url will call the test server
},
Storage: s,
})
assert.NoError(t, err)
assert.Nil(t, resp)
assert.NoError(t, resp.Error())
// Read the config
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Path: "config",
Operation: logical.ReadOperation,
Storage: s,
})
assert.NoError(t, err)
assert.NoError(t, resp.Error())
// the token should not be returned in the read config response.
assert.Nil(t, resp.Data["token"])
}
// TestGitHub_ErrorNoOrgID tests that an error is returned when we cannot fetch // TestGitHub_ErrorNoOrgID tests that an error is returned when we cannot fetch
// the org ID for the given org name // the org ID for the given org name
func TestGitHub_ErrorNoOrgID(t *testing.T) { func TestGitHub_ErrorNoOrgID(t *testing.T) {
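Review bot: `os.Setenv` in `TestGitHub_WriteReadConfig_Token` is never undone, so `VAULT_AUTH_CONFIG_GITHUB_TOKEN=foobar` stays set for every test that runs later in the same process, including `TestGitHub_ErrorNoOrgID` directly below. `t.Setenv("VAULT_AUTH_CONFIG_GITHUB_TOKEN", "foobar")` restores the previous value when the test ends and replaces both the `os.Setenv` call and its `assert.NoError`. As far as the visible lines show, the test also never checks that the token reached the test server, so it would still pass without the change in `pathConfigWrite`; an assertion on the request's `Authorization` header in the handler behind `setupTestServer` (not visible here) would pin that. The closing `assert.Nil(t, resp.Data["token"])` is a useful guard against the token appearing in the read response and should stay.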

4
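--- a/changelog/19244.txt
+++ b/changelog/19244.txt
@@ -0,0 +1,4 @@
+```release-note:improvement
+auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
+website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config
+```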


@ -32,6 +32,12 @@ distinction between the `create` and `update` capabilities inside ACL policies.
- `base_url` `(string: "")` - The API endpoint to use. Useful if you are running - `base_url` `(string: "")` - The API endpoint to use. Useful if you are running
GitHub Enterprise or an API-compatible authentication server. GitHub Enterprise or an API-compatible authentication server.
### Environment variables
- `VAULT_AUTH_CONFIG_GITHUB_TOKEN` `(string: "")` - An optional GitHub token used to make
authenticated GitHub API requests. This can be useful for bypassing GitHub's
rate-limiting during automation flows when the `organization_id` is not provided.
We encourage you to provide the `organization_id` instead of relying on this environment variable.
@include 'tokenfields.mdx' @include 'tokenfields.mdx'
### Sample Payload ### Sample Payload