vault-redux/command/token_revoke.go

package command

import (
	"fmt"
	"strings"

	"github.com/hashicorp/vault/meta"
)

// TokenRevokeCommand is a Command that mounts a new mount.
type TokenRevokeCommand struct {
	meta.Meta
}

func (c *TokenRevokeCommand) Run(args []string) int {
	var mode string
	var accessor bool
	var self bool
	var token string
	flags := c.Meta.FlagSet("token-revoke", meta.FlagSetDefault)
	flags.BoolVar(&accessor, "accessor", false, "")
	flags.BoolVar(&self, "self", false, "")
	flags.StringVar(&mode, "mode", "", "")
	flags.Usage = func() { c.Ui.Error(c.Help()) }
	if err := flags.Parse(args); err != nil {
		return 1
	}

	args = flags.Args()
	switch {
	case len(args) == 1 && !self:
		token = args[0]
	case len(args) != 0 && self:
		flags.Usage()
		c.Ui.Error(fmt.Sprintf(
			"\ntoken-revoke expects no arguments when revoking self"))
		return 1
	case len(args) != 1 && !self:
		flags.Usage()
		c.Ui.Error(fmt.Sprintf(
			"\ntoken-revoke expects one argument or the 'self' flag"))
		return 1
	}

	client, err := c.Client()
	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error initializing client: %s", err))
		return 2
	}

	var fn func(string) error
	// Handle all 6 possible combinations
	switch {
	case !accessor && self && mode == "":
		fn = client.Auth().Token().RevokeSelf
	case !accessor && !self && mode == "":
		fn = client.Auth().Token().RevokeTree
	case !accessor && !self && mode == "orphan":
		fn = client.Auth().Token().RevokeOrphan
	case !accessor && !self && mode == "path":
		fn = client.Sys().RevokePrefix
	case accessor && !self && mode == "":
		fn = client.Auth().Token().RevokeAccessor
	case accessor && self:
		c.Ui.Error("token-revoke cannot be run on self when 'accessor' flag is set")
		return 1
	case self && mode != "":
		c.Ui.Error("token-revoke cannot be run on self when 'mode' flag is set")
		return 1
	case accessor && mode == "orphan":
		c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")
		return 1
	case accessor && mode == "path":
		c.Ui.Error("token-revoke cannot be run for 'path' mode when 'accessor' flag is set")
		return 1
	}

	if err := fn(token); err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error revoking token: %s", err))
		return 2
	}

	c.Ui.Output("Success! Token revoked if it existed.")
	return 0
}

func (c *TokenRevokeCommand) Synopsis() string {
	return "Revoke one or more auth tokens"
}

func (c *TokenRevokeCommand) Help() string {
	helpText := `
Usage: vault token-revoke [options] [token|accessor]

  Revoke one or more auth tokens.

  This command revokes auth tokens. Use the "revoke" command for
  revoking secrets.

  Depending on the flags used, auth tokens can be revoked in multiple ways
  depending on the "-mode" flag:

    * Without any value, the token specified and all of its children
      will be revoked.

    * With the "orphan" value, only the specific token will be revoked.
      All of its children will be orphaned.

    * With the "path" value, tokens created from the given auth path
      prefix will be deleted, along with all their children. In this case
      the "token" arg above is actually a "path". This mode does *not*
      work with token values or parts of token values.

  Token can be revoked using the token accessor. This can be done by
  setting the '-accessor' flag. Note that when '-accessor' flag is set,
  '-mode' should not be set for 'orphan' or 'path'. This is because,
  a token accessor always revokes the token along with its child tokens.

General Options:
` + meta.GeneralOptionsUsage() + `
Token Options:

  -accessor               A boolean flag, if set, treats the argument as an accessor of the token.
                          Note that accessor can also be used for looking up the token properties
                          via '/auth/token/lookup-accessor/<accessor>' endpoint.
                          Accessor is used when there is no access to token ID.

  -self                   A boolean flag, if set, the operation is performed on the currently
                          authenticated token i.e. lookup-self.

  -mode=value             The type of revocation to do. See the documentation
                          above for more information.

`
	return strings.TrimSpace(helpText)
}
command/token-revoke 2015-04-08 00:36:17 +03:00			`package command`

			`import (`
			`"fmt"`
			`"strings"`
Move meta into its own package 2016-04-01 20:16:05 +03:00
			`"github.com/hashicorp/vault/meta"`
command/token-revoke 2015-04-08 00:36:17 +03:00			`)`

			`// TokenRevokeCommand is a Command that mounts a new mount.`
			`type TokenRevokeCommand struct {`
Move meta into its own package 2016-04-01 20:16:05 +03:00			`meta.Meta`
command/token-revoke 2015-04-08 00:36:17 +03:00			`}`

			`func (c *TokenRevokeCommand) Run(args []string) int {`
			`var mode string`
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00			`var accessor bool`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`var self bool`
			`var token string`
Move meta into its own package 2016-04-01 20:16:05 +03:00			`flags := c.Meta.FlagSet("token-revoke", meta.FlagSetDefault)`
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00			`flags.BoolVar(&accessor, "accessor", false, "")`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`flags.BoolVar(&self, "self", false, "")`
command/token-revoke 2015-04-08 00:36:17 +03:00			`flags.StringVar(&mode, "mode", "", "")`
			`flags.Usage = func() { c.Ui.Error(c.Help()) }`
			`if err := flags.Parse(args); err != nil {`
			`return 1`
			`}`

			`args = flags.Args()`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`switch {`
			`case len(args) == 1 && !self:`
			`token = args[0]`
			`case len(args) != 0 && self:`
			`flags.Usage()`
			`c.Ui.Error(fmt.Sprintf(`
			`"\ntoken-revoke expects no arguments when revoking self"))`
			`return 1`
			`case len(args) != 1 && !self:`
command/token-revoke 2015-04-08 00:36:17 +03:00			`flags.Usage()`
			`c.Ui.Error(fmt.Sprintf(`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`"\ntoken-revoke expects one argument or the 'self' flag"))`
command/token-revoke 2015-04-08 00:36:17 +03:00			`return 1`
			`}`

			`client, err := c.Client()`
			`if err != nil {`
			`c.Ui.Error(fmt.Sprintf(`
			`"Error initializing client: %s", err))`
			`return 2`
			`}`

			`var fn func(string) error`
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00			`// Handle all 6 possible combinations`
			`switch {`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`case !accessor && self && mode == "":`
			`fn = client.Auth().Token().RevokeSelf`
			`case !accessor && !self && mode == "":`
command/token-revoke 2015-04-08 00:36:17 +03:00			`fn = client.Auth().Token().RevokeTree`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`case !accessor && !self && mode == "orphan":`
command/token-revoke 2015-04-08 00:36:17 +03:00			`fn = client.Auth().Token().RevokeOrphan`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`case !accessor && !self && mode == "path":`
Remove RevokePrefix from the API too as we simply do not support it any longer. 2016-04-05 18:00:12 +03:00			`fn = client.Sys().RevokePrefix`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`case accessor && !self && mode == "":`
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00			`fn = client.Auth().Token().RevokeAccessor`
Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`case accessor && self:`
			`c.Ui.Error("token-revoke cannot be run on self when 'accessor' flag is set")`
			`return 1`
			`case self && mode != "":`
			`c.Ui.Error("token-revoke cannot be run on self when 'mode' flag is set")`
			`return 1`
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00			`case accessor && mode == "orphan":`
			`c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")`
			`return 1`
			`case accessor && mode == "path":`
			`c.Ui.Error("token-revoke cannot be run for 'path' mode when 'accessor' flag is set")`
command/token-revoke 2015-04-08 00:36:17 +03:00			`return 1`
			`}`

			`if err := fn(token); err != nil {`
			`c.Ui.Error(fmt.Sprintf(`
			`"Error revoking token: %s", err))`
			`return 2`
			`}`

Provide clarity for output statements of idempotent calls. 2016-04-14 18:46:45 +03:00			`c.Ui.Output("Success! Token revoked if it existed.")`
command/token-revoke 2015-04-08 00:36:17 +03:00			`return 0`
			`}`

			`func (c *TokenRevokeCommand) Synopsis() string {`
			`return "Revoke one or more auth tokens"`
			`}`

			`func (c *TokenRevokeCommand) Help() string {`
			helpText := `
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00			`Usage: vault token-revoke [options] [token\|accessor]`
command/token-revoke 2015-04-08 00:36:17 +03:00
			`Revoke one or more auth tokens.`

			`This command revokes auth tokens. Use the "revoke" command for`
			`revoking secrets.`

			`Depending on the flags used, auth tokens can be revoked in multiple ways`
			`depending on the "-mode" flag:`

			`* Without any value, the token specified and all of its children`
			`will be revoked.`

			`* With the "orphan" value, only the specific token will be revoked.`
			`All of its children will be orphaned.`

			`* With the "path" value, tokens created from the given auth path`
			`prefix will be deleted, along with all their children. In this case`
Remove RevokePrefix from the API too as we simply do not support it any longer. 2016-04-05 18:00:12 +03:00			`the "token" arg above is actually a "path". This mode does not`
			`work with token values or parts of token values.`
command/token-revoke 2015-04-08 00:36:17 +03:00
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00			`Token can be revoked using the token accessor. This can be done by`
			`setting the '-accessor' flag. Note that when '-accessor' flag is set,`
			`'-mode' should not be set for 'orphan' or 'path'. This is because,`
Typo corrections and tweaks to commands' help info * Normalize "X arguments expected" messages * Use "Vault" when referring to the product and "vault" when referring to an instance of the product * Various minor tweaks to improve readability and/or provide clarity 2017-03-25 20:51:12 +03:00			`a token accessor always revokes the token along with its child tokens.`
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00
command/token-revoke 2015-04-08 00:36:17 +03:00			`General Options:`
Fix up the meta common options text function to not strip leading space and fix up commands 2016-04-01 23:50:12 +03:00			` + meta.GeneralOptionsUsage() + `
command/token-revoke 2015-04-08 00:36:17 +03:00			`Token Options:`

Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00			`-accessor A boolean flag, if set, treats the argument as an accessor of the token.`
			`Note that accessor can also be used for looking up the token properties`
			`via '/auth/token/lookup-accessor/<accessor>' endpoint.`
			`Accessor is used when there is no access to token ID.`

Add -self flag to token-revoke (#2596) 2017-04-17 19:40:51 +03:00			`-self A boolean flag, if set, the operation is performed on the currently`
			`authenticated token i.e. lookup-self.`
Added accessor flag to token-revoke CLI 2016-03-11 01:04:04 +03:00
command/token-revoke 2015-04-08 00:36:17 +03:00			`-mode=value The type of revocation to do. See the documentation`
			`above for more information.`

			`
			`return strings.TrimSpace(helpText)`
			`}`