Vault: GitHub Auth Backend - Enterprise Support

Created on 23 Oct 2015 · 29 Comments · Source: hashicorp/vault

As far as I can tell from the documentation, the GitHub Auth Backend only supports github.com. It would be very helpful for some of us if it also supported self-hosted GitHub Enterprise.

There are official Enterprise API docs, but aside from the Enterprise-specific API endpoints, everything should work just the same; we'd just need to make the GitHub URL scheme and hostname configurable.

All 29 comments

The docs are unfortunately incomplete; you can set the base_url parameter at the /config endpoint to set the API endpoint.

Ok, thanks!

Can someone share what the syntax should look like? organization + base_url

@scottbrumley You can find further information on it in the Enterprise API docs.

The base_url is just passed through to go-github; I don't have a Vault instance that I can test on at the moment, but I'm pretty sure that it's expected to be in the form http(s)://hostname/ - with a trailing slash, and without the api/v3/.

Yeah I've read all those docs and that looks correct. I wanted to make sure my syntax was correct.

Something like:

vault write auth/github/config organization=hashicorp base_url=https://github.mydomain.com/api/v3/
or
vault write auth/github/config organization=hashicorp
vault write auth/github/config base_url=https://github.mydomain.com/api/v3/
or
vault write auth/github/config organization=hashicorp base_url="https://github.mydomain.com/api/v3/"

I also can't test it, since I don't have GitHub Enterprise to test with, but @jantman suggested that it should be _without_ the api/v3/ at the end.

Is the vault syntax on one line or multiple lines?

Like any other command, it can be on one line, or you can split it across multiple lines with appropriate shell markers.

Ah ok wasn't sure if it mattered. Do quotes need to be on the values?

Depends what the values are. It never hurts, though.

Haven't been able to get vault auth -method=github token=$t to work. If I:

vault write auth/github/config base_url=https://github.mycorp.com/api/v3/

Then it errors:

Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/github/login
Code: 400. Errors:

* configure the github credential backend first

If I:

vault write auth/github/config base_url=https://github.mycorp.com

Then it errors:

URL: PUT http://127.0.0.1:8200/v1/auth/github/login
Code: 500. Errors:

* GET https://api.github.com/user: 401 Bad credentials []

As you can see it's trying to hit api.github.com instead of my enterprise api.

Apparently I need to set organization and base_url all in one statement instead of two, or the 2nd one will overwrite the first?

So if I do:

vault write auth/github/config base_url="https://github.mycorp.com" organization="foo"

Then it errors:

Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/github/login
Code: 500. Errors:

* invalid character '<' looking for beginning of value

No clue what that's about since my token doesn't contain a <.

Ideas? Using Vault v0.5.0.

@devth Correct, in most cases values set at a particular configuration endpoint must all be set at once.

As for the other error, can you please post the actual command you're sending, with the token value blanked out?

Thanks!

@jefferai the command I'm sending in all of those cases is vault auth -method=github token=$t

Ignore the first two errors since those were due to not setting all config at the same time. I'm just stuck on the last error.

What version of Vault is this?

I did just do this myself recently; I did export GITHUB_TOKEN="abcd1234" followed by vault auth -method=github token=$GITHUB_TOKEN. That was against 0.4.1.

At first I was using 0.4.1, then I upgraded to 0.5.0.

I don't suppose you are fine building Vault on your own? I wonder if this error is truly coming from your token/login request as opposed to some error communicating with GitHub Enterprise's API. It'd be useful to track down where in the code this is coming from and what value is trying to be parsed.

I'm fine with that. I have go installed (but almost 0 exp with it).

I was looking for a verbose option but didn't find one. I'd watch the network traffic except it's over SSL so can't.

So the good/bad news is that I can auth just fine against a 0.5 Vault, which means this isn't a regression. The bad news is that I can't replicate it easily, so we'll have to do this the hard way.

Unfortunately I have to jet for today but can work this through with you tomorrow. However, if you have time to dig in before then, what you want to do is look for places in builtin/credential/github/path_login.go where there is a return from the pathLogin function. As a first pass, try putting the following line before each of those lines:

panic("")

This will cause a stack trace to happen at whatever point you were hitting that error. Once we have a better idea _where_ things are erroring out, I can help you with what debug statements to put in to examine the data at that point.

Once you have put in those statements, just do "make dev" from the top level Vault dir, which will put a binary in the bin/ directory. That's the one you'll want to run to test your changes. You can do bin/vault server -dev to get a dev instance, if you script up the calls you need to set up your github backend.

Thanks @jefferai. I won't have a chance to get to this till later this afternoon. Will post back with my findings today or tomorrow. I'm hanging out on #vault-tool too.

@devth OK!

Problem was on my end! I had swapped the v3 and api fragments, which makes GitHub 302 with an HTML body, hence the invalid character '<' looking for beginning of value error. :dizzy_face:

Oh shucks. That does make sense. I was really scratching my head trying to figure out where on earth a '<' would be coming from. Glad to hear it's fixed!

I ended up here, too, getting the invalid character error. While https://github.com/hashicorp/vault/issues/716#issuecomment-175707961 suggests to leave out the /api/v3 part from the configuration, I found it to be strictly necessary, as of 0.6.1:

curl -H "X-Vault-Token:$VAULT_TOKEN" \
    -X POST http://0.0.0.0:8200/v1/auth/github/config \
    --data '{"organization":"foo", "base_url":"https://git.mycorp.com/"}'

curl -H "X-Vault-Token:$VAULT_TOKEN" \
    -X POST http://0.0.0.0:8200/v1/auth/github/login \
    --data '{"token":"abc123"}'

{"errors":["invalid character '\u003c' looking for beginning of value"]}

Works fine with /api/v3, though:

curl -H "X-Vault-Token:$VAULT_TOKEN" \
    -X POST http://0.0.0.0:8200/v1/auth/github/config \
    --data '{"organization":"foo", "base_url":"https://git.mycorp.com/api/v3/"}'

curl -H "X-Vault-Token:$VAULT_TOKEN" \
    -X POST http://0.0.0.0:8200/v1/auth/github/login \
    --data '{"token":"abc123"}'

{"lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"abc123","accessor":"bcd234","policies":["foo","default"],"metadata":{"org":"bar","username":"baz"},"lease_duration":2592000,"renewable":true}}

That sounds like the underlying library we use for GitHub integration changed their behavior at some point.

From @devth's mention of api and v3 in https://github.com/hashicorp/vault/issues/716#issuecomment-183171092, I'd infer that the change in the library's behaviour must have occurred before February then. Worth adding to the docs.

I'm getting the following error when I try to get Vault enabled for GitHub Enterprise. My GitHub Enterprise requires SAML auth. Could that be an issue?

vault write auth/github/config organization=myorg base_url="https://github.MYCORP.com"

Error writing data to auth/github/config: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/github/config
Code: 404. Errors:

@abratnap It could be needing to add the /api/v3 at the end. But I don't believe we support SAML auth. Usually that can be disabled for service accounts.

@abratnap and @jefferai I just ran into this issue; it seems like you need the trailing slash, as shown below:

vault write auth/github/config organization=foobar base_url="https://github.MYCORP.com/api/v3/"

Note: the trailing slash /api/v3/ and not /api/v3
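
Why the trailing slash and the /api/v3/ prefix both matter, as an added example that is not part of the original thread and is not Vault's or go-github's code: it assumes the client resolves a relative path such as `user` against base_url with standard RFC 3986 resolution (Go's net/url) and then decodes the response body as JSON. The hostname and the HTML body are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// resolveEndpoint resolves a relative API path (e.g. "user") against a
// configured base_url using RFC 3986 reference resolution from net/url.
func resolveEndpoint(baseURL, rel string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	u, err := base.Parse(rel)
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// decodeLogin stands in for a client that expects a JSON user object.
func decodeLogin(body []byte) (string, error) {
	var user struct {
		Login string `json:"login"`
	}
	if err := json.Unmarshal(body, &user); err != nil {
		return "", err
	}
	return user.Login, nil
}

func main() {
	// Constructed hostname; only the path handling matters here.
	for _, b := range []string{
		"https://github.mycorp.example/api/v3/", // keeps the API prefix
		"https://github.mycorp.example/api/v3",  // last segment "v3" is dropped
		"https://github.mycorp.example/",        // resolves to the web UI, not the API
	} {
		u, _ := resolveEndpoint(b, "user")
		fmt.Printf("%-40s -> %s\n", b, u)
	}
	// Constructed HTML body, standing in for a redirect or login page.
	_, err := decodeLogin([]byte("<html><body>redirected</body></html>"))
	fmt.Println("decode error:", err)
}
```

Only the first base_url form reaches `/api/v3/user`; the other two land on paths that an Enterprise host answers with HTML, which is where the `invalid character '<'` error in this thread comes from.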
