Added accessor flag to token-revoke CLI

2016-03-10 17:04:04 -05:00 · 2016-03-10 17:04:04 -05:00 · 1612dfaa1f
commit 1612dfaa1f
parent 084cbb2fc9
3 changed files with 44 additions and 25 deletions
--- a/api/auth_token.go
+++ b/api/auth_token.go
@ -110,6 +110,19 @@ func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
 	return ParseSecret(resp.Body)
 }

+// RevokeAccessor revokes a token associated with the given accessor
+// along with all the child tokens.
+func (c *TokenAuth) RevokeAccessor(accessor string) error {
+	r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor/"+accessor)
+	resp, err := c.c.RawRequest(r)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	return nil
+}
+
 // RevokeOrphan revokes a token without revoking the tree underneath it (so
 // child tokens are orphaned rather than revoked)
 func (c *TokenAuth) RevokeOrphan(token string) error {
@ -136,18 +149,6 @@ func (c *TokenAuth) RevokePrefix(token string) error {
 	return nil
 }

-// RevokeSelf revokes the token making the call
-func (c *TokenAuth) RevokeSelf() error {
-	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
-	resp, err := c.c.RawRequest(r)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	return nil
-}
-
 // RevokeTree is the "normal" revoke operation that revokes the given token and
 // the entire tree underneath -- all of its child tokens, their child tokens,
 // etc.
--- a/command/token_lookup.go
+++ b/command/token_lookup.go
@ -76,12 +76,12 @@ func (c *TokenLookupCommand) Synopsis() string {

 func (c *TokenLookupCommand) Help() string {
 	helpText := `
-Usage: vault token-lookup [options] [token]
+Usage: vault token-lookup [options] [token|accessor]

-  Displays information about the specified token. If no token is specified,
-  the operation is performed on the currently authenticated token i.e. lookup-self.
-  Information about the token can also be retrieved using the token accessor
-  by setting the '-accessor' flag.
+  Displays information about the specified token. If no token is specified, the
+  operation is performed on the currently authenticated token i.e. lookup-self.
+  Information about the token can be retrieved using the token accessor via the 
+  '-accessor' flag.

 General Options:

--- a/command/token_revoke.go
+++ b/command/token_revoke.go
@ -12,7 +12,9 @@ type TokenRevokeCommand struct {

 func (c *TokenRevokeCommand) Run(args []string) int {
 	var mode string
+	var accessor bool
 	flags := c.Meta.FlagSet("token-revoke", FlagSetDefault)
+	flags.BoolVar(&accessor, "accessor", false, "")
 	flags.StringVar(&mode, "mode", "", "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
 	if err := flags.Parse(args); err != nil {
@ -37,16 +39,21 @@ func (c *TokenRevokeCommand) Run(args []string) int {
 	}

 	var fn func(string) error
-	switch mode {
-	case "":
+	// Handle all 6 possible combinations
+	switch {
+	case !accessor && mode == "":
 		fn = client.Auth().Token().RevokeTree
-	case "orphan":
+	case !accessor && mode == "orphan":
 		fn = client.Auth().Token().RevokeOrphan
-	case "path":
+	case !accessor && mode == "path":
 		fn = client.Auth().Token().RevokePrefix
-	default:
-		c.Ui.Error(fmt.Sprintf(
-			"Unknown revocation mode: %s", mode))
+	case accessor && mode == "":
+		fn = client.Auth().Token().RevokeAccessor
+	case accessor && mode == "orphan":
+		c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")
+		return 1
+	case accessor && mode == "path":
+		c.Ui.Error("token-revoke cannot be run for 'path' mode when 'accessor' flag is set")
 		return 1
 	}

@ -66,7 +73,7 @@ func (c *TokenRevokeCommand) Synopsis() string {

 func (c *TokenRevokeCommand) Help() string {
 	helpText := `
-Usage: vault token-revoke [options] token
+Usage: vault token-revoke [options] [token|accessor]

  Revoke one or more auth tokens.

@ -86,12 +93,23 @@ Usage: vault token-revoke [options] token
      prefix will be deleted, along with all their children. In this case
      the "token" arg above is actually a "path".

+  Token can be revoked using the token accessor. This can be done by
+  setting the '-accessor' flag. Note that when '-accessor' flag is set,
+  '-mode' should not be set for 'orphan' or 'path'. This is because,
+  a token accessor always revokes the token along with it's child tokens.
+
 General Options:

  ` + generalOptionsUsage() + `

 Token Options:

+  -accessor               A boolean flag, if set, treats the argument as an accessor of the token.
+                          Note that accessor can also be used for looking up the token properties
+                          via '/auth/token/lookup-accessor/<accessor>' endpoint.
+                          Accessor is used when there is no access to token ID.
+
+
  -mode=value             The type of revocation to do. See the documentation
                          above for more information.