backport of commit 77e80a8 (#19618)
Co-authored-by: Raymond Ho <[email protected]>
1 parent 42210c0 commit b866a36
Showing 4 changed files with 51 additions and 1 deletion.
4 changes: 3 additions & 1 deletion builtin/credential/github/path_config.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"fmt"
"net/url"
"os"
"strings"
"time"

Expand Down Expand Up @@ -94,7 +95,8 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, dat
}

if c.OrganizationID == 0 {
client, err := b.Client("")
githubToken := os.Getenv("VAULT_AUTH_CONFIG_GITHUB_TOKEN")
client, err := b.Client(githubToken)
if err != nil {
return nil, err
}
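Review bot: In `pathConfigWrite`, the value read from `VAULT_AUTH_CONFIG_GITHUB_TOKEN` is a server-wide credential, yet it is attached to a client whose endpoint appears to follow the request's `base_url` (the new test points `base_url` at a local server and the org lookup is served from there). If that holds, anyone permitted to write this config path decides which endpoint receives the operator's token, so the token should either be used only when no custom `base_url` is set or be documented as needing the narrowest possible scope. At minimum I would add above the `os.Getenv` line: `// Server-wide token from the environment; it is sent to the configured API endpoint, so it must be least-privilege.` The rest of the function, including where the client's base URL is applied, lies outside this hunk.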
38 changes: 38 additions & 0 deletions builtin/credential/github/path_config_test.go
Expand Up @@ -6,6 +6,7 @@ import (
"fmt"
"net/http"
"net/http/httptest"
"os"
"strings"
"testing"

Expand Down Expand Up @@ -120,6 +121,43 @@ func TestGitHub_WriteReadConfig_OrgID(t *testing.T) {
assert.Equal(t, "foo-org", resp.Data["organization"])
}

// TestGitHub_WriteReadConfig_Token tests that we can successfully read and
// write the github auth config with a token environment variable
func TestGitHub_WriteReadConfig_Token(t *testing.T) {
b, s := createBackendWithStorage(t)
// use a test server to return our mock GH org info
ts := setupTestServer(t)
defer ts.Close()

err := os.Setenv("VAULT_AUTH_CONFIG_GITHUB_TOKEN", "foobar")
assert.NoError(t, err)

resp, err := b.HandleRequest(context.Background(), &logical.Request{
Path: "config",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"organization": "foo-org",
"base_url": ts.URL, // base_url will call the test server
},
Storage: s,
})
assert.NoError(t, err)
assert.Nil(t, resp)
assert.NoError(t, resp.Error())

// Read the config
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Path: "config",
Operation: logical.ReadOperation,
Storage: s,
})
assert.NoError(t, err)
assert.NoError(t, resp.Error())

// the token should not be returned in the read config response.
assert.Nil(t, resp.Data["token"])
}

// TestGitHub_ErrorNoOrgID tests that an error is returned when we cannot fetch
// the org ID for the given org name
func TestGitHub_ErrorNoOrgID(t *testing.T) {
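Review bot: `os.Setenv("VAULT_AUTH_CONFIG_GITHUB_TOKEN", "foobar")` in `TestGitHub_WriteReadConfig_Token` is never undone, so later tests in the package (for example `TestGitHub_ErrorNoOrgID`, which follows) run with the token still set; `t.Setenv("VAULT_AUTH_CONFIG_GITHUB_TOKEN", "foobar")` restores the previous value when the test ends. The test also never checks that the token reaches the server: it would pass if the variable were ignored, and `assert.Nil(t, resp.Data["token"])` holds trivially because nothing visible here stores a token in the config. Having the test server record the `Authorization` header and asserting on it would pin the behaviour; `setupTestServer` is defined outside this hunk, so that change would go there.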
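--- a/changelog/19244.txt
+++ b/changelog/19244.txt
@@ -0,0 +1,4 @@
+```release-note:improvement
+auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
+website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config
+```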
6 changes: 6 additions & 0 deletions website/content/api-docs/auth/github.mdx
Expand Up @@ -32,6 +32,12 @@ distinction between the `create` and `update` capabilities inside ACL policies.
- `base_url` `(string: "")` - The API endpoint to use. Useful if you are running
GitHub Enterprise or an API-compatible authentication server.

### Environment variables
- `VAULT_AUTH_CONFIG_GITHUB_TOKEN` `(string: "")` - An optional GitHub token used to make
authenticated GitHub API requests. This can be useful for bypassing GitHub's
rate-limiting during automation flows when the `organization_id` is not provided.
We encourage you to provide the `organization_id` instead of relying on this environment variable.

@include 'tokenfields.mdx'

### Sample Payload