command/token-revoke
This commit is contained in:
Mitchell Hashimoto
parent
1ccf891cf2
commit
160aeccb03
111
command/token_revoke.go
Normal file
111
command/token_revoke.go
Normal file
@ -0,0 +1,111 @@
|
||||
package command
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// TokenRevokeCommand is a Command that mounts a new mount.
|
||||
type TokenRevokeCommand struct {
|
||||
Meta
|
||||
}
|
||||
|
||||
func (c *TokenRevokeCommand) Run(args []string) int {
|
||||
var mode string
|
||||
flags := c.Meta.FlagSet("token-revoke", FlagSetDefault)
|
||||
flags.StringVar(&mode, "mode", "", "")
|
||||
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
||||
if err := flags.Parse(args); err != nil {
|
||||
return 1
|
||||
}
|
||||
|
||||
args = flags.Args()
|
||||
if len(args) != 1 {
|
||||
flags.Usage()
|
||||
c.Ui.Error(fmt.Sprintf(
|
||||
"\ntoken-revoke expects one argument"))
|
||||
return 1
|
||||
}
|
||||
|
||||
token := args[0]
|
||||
|
||||
client, err := c.Client()
|
||||
if err != nil {
|
||||
c.Ui.Error(fmt.Sprintf(
|
||||
"Error initializing client: %s", err))
|
||||
return 2
|
||||
}
|
||||
|
||||
var fn func(string) error
|
||||
switch mode {
|
||||
case "":
|
||||
fn = client.Auth().Token().RevokeTree
|
||||
case "orphan":
|
||||
fn = client.Auth().Token().RevokeOrphan
|
||||
case "path":
|
||||
fn = client.Auth().Token().RevokePrefix
|
||||
default:
|
||||
c.Ui.Error(fmt.Sprintf(
|
||||
"Unknown revocation mode: %s", mode))
|
||||
return 1
|
||||
}
|
||||
|
||||
if err := fn(token); err != nil {
|
||||
c.Ui.Error(fmt.Sprintf(
|
||||
"Error revoking token: %s", err))
|
||||
return 2
|
||||
}
|
||||
|
||||
c.Ui.Output("Revocation successful.")
|
||||
return 0
|
||||
}
|
||||
|
||||
func (c *TokenRevokeCommand) Synopsis() string {
|
||||
return "Revoke one or more auth tokens"
|
||||
}
|
||||
|
||||
func (c *TokenRevokeCommand) Help() string {
|
||||
helpText := `
|
||||
Usage: vault token-revoke [options] token
|
||||
|
||||
Revoke one or more auth tokens.
|
||||
|
||||
This command revokes auth tokens. Use the "revoke" command for
|
||||
revoking secrets.
|
||||
|
||||
Depending on the flags used, auth tokens can be revoked in multiple ways
|
||||
depending on the "-mode" flag:
|
||||
|
||||
* Without any value, the token specified and all of its children
|
||||
will be revoked.
|
||||
|
||||
* With the "orphan" value, only the specific token will be revoked.
|
||||
All of its children will be orphaned.
|
||||
|
||||
* With the "path" value, tokens created from the given auth path
|
||||
prefix will be deleted, along with all their children. In this case
|
||||
the "token" arg above is actually a "path".
|
||||
|
||||
General Options:
|
||||
|
||||
-address=TODO The address of the Vault server.
|
||||
|
||||
-ca-cert=path Path to a PEM encoded CA cert file to use to
|
||||
verify the Vault server SSL certificate.
|
||||
|
||||
-ca-path=path Path to a directory of PEM encoded CA cert files
|
||||
to verify the Vault server SSL certificate. If both
|
||||
-ca-cert and -ca-path are specified, -ca-path is used.
|
||||
|
||||
-insecure Do not verify TLS certificate. This is highly
|
||||
not recommended. This is especially not recommended
|
||||
for unsealing a vault.
|
||||
|
||||
Token Options:
|
||||
|
||||
-mode=value The type of revocation to do. See the documentation
|
||||
above for more information.
|
||||
|
||||
`
|
||||
return strings.TrimSpace(helpText)
|
||||
}
|
||||
46
command/token_revoke_test.go
Normal file
46
command/token_revoke_test.go
Normal file
@ -0,0 +1,46 @@
|
||||
package command
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/vault/http"
|
||||
"github.com/hashicorp/vault/vault"
|
||||
"github.com/mitchellh/cli"
|
||||
)
|
||||
|
||||
func TestTokenRevoke(t *testing.T) {
|
||||
core, _, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := http.TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
c := &TokenRevokeCommand{
|
||||
Meta: Meta{
|
||||
ClientToken: token,
|
||||
Ui: ui,
|
||||
},
|
||||
}
|
||||
|
||||
args := []string{
|
||||
"-address", addr,
|
||||
}
|
||||
|
||||
// Run it once for client
|
||||
c.Run(args)
|
||||
|
||||
// Create a token
|
||||
client, err := c.Client()
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err := client.Auth().Token().Create(nil)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
|
||||
// Verify it worked
|
||||
args = append(args, resp.Auth.ClientToken)
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
}
|
||||
@ -165,6 +165,12 @@ func init() {
|
||||
}, nil
|
||||
},
|
||||
|
||||
"token-revoke": func() (cli.Command, error) {
|
||||
return &command.TokenRevokeCommand{
|
||||
Meta: meta,
|
||||
}, nil
|
||||
},
|
||||
|
||||
"version": func() (cli.Command, error) {
|
||||
ver := Version
|
||||
rel := VersionPrerelease
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
package http
|
||||
|
||||
import (
|
||||
"io"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
@ -41,7 +42,12 @@ func handleLogical(core *vault.Core) http.Handler {
|
||||
// Parse the request if we can
|
||||
var req map[string]interface{}
|
||||
if op == logical.WriteOperation {
|
||||
if err := parseRequest(r, &req); err != nil {
|
||||
err := parseRequest(r, &req)
|
||||
if err == io.EOF {
|
||||
req = nil
|
||||
err = nil
|
||||
}
|
||||
if err != nil {
|
||||
respondError(w, http.StatusBadRequest, err)
|
||||
return
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user