package github import ( "context" "github.com/google/go-github/github" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/vault/helper/mfa" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" "golang.org/x/oauth2" ) func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) { b := Backend() if err := b.Setup(ctx, conf); err != nil { return nil, err } return b, nil } func Backend() *backend { var b backend b.TeamMap = &framework.PolicyMap{ PathMap: framework.PathMap{ Name: "teams", }, DefaultKey: "default", } b.UserMap = &framework.PolicyMap{ PathMap: framework.PathMap{ Name: "users", }, DefaultKey: "default", } allPaths := append(b.TeamMap.Paths(), b.UserMap.Paths()...) b.Backend = &framework.Backend{ Help: backendHelp, PathsSpecial: &logical.Paths{ Root: mfa.MFARootPaths(), Unauthenticated: []string{ "login", }, }, Paths: append([]*framework.Path{ pathConfig(&b), }, append(allPaths, mfa.MFAPaths(b.Backend, pathLogin(&b))...)...), AuthRenew: b.pathLoginRenew, BackendType: logical.TypeCredential, } return &b } type backend struct { *framework.Backend TeamMap *framework.PolicyMap UserMap *framework.PolicyMap } // Client returns the GitHub client to communicate to GitHub via the // configured settings. func (b *backend) Client(token string) (*github.Client, error) { tc := cleanhttp.DefaultClient() if token != "" { ctx := context.WithValue(context.Background(), oauth2.HTTPClient, tc) tc = oauth2.NewClient(ctx, &tokenSource{Value: token}) } return github.NewClient(tc), nil } // tokenSource is an oauth2.TokenSource implementation. type tokenSource struct { Value string } func (t *tokenSource) Token() (*oauth2.Token, error) { return &oauth2.Token{AccessToken: t.Value}, nil } const backendHelp = ` The GitHub credential provider allows authentication via GitHub. Users provide a personal access token to log in, and the credential provider verifies they're part of the correct organization and then maps the user to a set of Vault policies according to the teams they're part of. After enabling the credential provider, use the "config" route to configure it. `