deb.open-vault/api/auth_token.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package api

import (
	"context"
	"net/http"
)

// TokenAuth is used to perform token backend operations on Vault
type TokenAuth struct {
	c *Client
}

// Token is used to return the client for token-backend API calls
func (a *Auth) Token() *TokenAuth {
	return &TokenAuth{c: a.c}
}

func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error) {
	return c.CreateWithContext(context.Background(), opts)
}

func (c *TokenAuth) CreateWithContext(ctx context.Context, opts *TokenCreateRequest) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/create")
	if err := r.SetJSONBody(opts); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error) {
	return c.CreateOrphanWithContext(context.Background(), opts)
}

func (c *TokenAuth) CreateOrphanWithContext(ctx context.Context, opts *TokenCreateRequest) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/create-orphan")
	if err := r.SetJSONBody(opts); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error) {
	return c.CreateWithRoleWithContext(context.Background(), opts, roleName)
}

func (c *TokenAuth) CreateWithRoleWithContext(ctx context.Context, opts *TokenCreateRequest, roleName string) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/create/"+roleName)
	if err := r.SetJSONBody(opts); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) Lookup(token string) (*Secret, error) {
	return c.LookupWithContext(context.Background(), token)
}

func (c *TokenAuth) LookupWithContext(ctx context.Context, token string) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/lookup")
	if err := r.SetJSONBody(map[string]interface{}{
		"token": token,
	}); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error) {
	return c.LookupAccessorWithContext(context.Background(), accessor)
}

func (c *TokenAuth) LookupAccessorWithContext(ctx context.Context, accessor string) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/lookup-accessor")
	if err := r.SetJSONBody(map[string]interface{}{
		"accessor": accessor,
	}); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) LookupSelf() (*Secret, error) {
	return c.LookupSelfWithContext(context.Background())
}

func (c *TokenAuth) LookupSelfWithContext(ctx context.Context) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodGet, "/v1/auth/token/lookup-self")

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) RenewAccessor(accessor string, increment int) (*Secret, error) {
	return c.RenewAccessorWithContext(context.Background(), accessor, increment)
}

func (c *TokenAuth) RenewAccessorWithContext(ctx context.Context, accessor string, increment int) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/renew-accessor")
	if err := r.SetJSONBody(map[string]interface{}{
		"accessor":  accessor,
		"increment": increment,
	}); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) Renew(token string, increment int) (*Secret, error) {
	return c.RenewWithContext(context.Background(), token, increment)
}

func (c *TokenAuth) RenewWithContext(ctx context.Context, token string, increment int) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/renew")
	if err := r.SetJSONBody(map[string]interface{}{
		"token":     token,
		"increment": increment,
	}); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
	return c.RenewSelfWithContext(context.Background(), increment)
}

func (c *TokenAuth) RenewSelfWithContext(ctx context.Context, increment int) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/renew-self")

	body := map[string]interface{}{"increment": increment}
	if err := r.SetJSONBody(body); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

// RenewTokenAsSelf wraps RenewTokenAsSelfWithContext using context.Background.
func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error) {
	return c.RenewTokenAsSelfWithContext(context.Background(), token, increment)
}

// RenewTokenAsSelfWithContext behaves like renew-self, but authenticates using a provided
// token instead of the token attached to the client.
func (c *TokenAuth) RenewTokenAsSelfWithContext(ctx context.Context, token string, increment int) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/renew-self")
	r.ClientToken = token

	body := map[string]interface{}{"increment": increment}
	if err := r.SetJSONBody(body); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

// RevokeAccessor wraps RevokeAccessorWithContext using context.Background.
func (c *TokenAuth) RevokeAccessor(accessor string) error {
	return c.RevokeAccessorWithContext(context.Background(), accessor)
}

// RevokeAccessorWithContext revokes a token associated with the given accessor
// along with all the child tokens.
func (c *TokenAuth) RevokeAccessorWithContext(ctx context.Context, accessor string) error {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/revoke-accessor")
	if err := r.SetJSONBody(map[string]interface{}{
		"accessor": accessor,
	}); err != nil {
		return err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	return nil
}

// RevokeOrphan wraps RevokeOrphanWithContext using context.Background.
func (c *TokenAuth) RevokeOrphan(token string) error {
	return c.RevokeOrphanWithContext(context.Background(), token)
}

// RevokeOrphanWithContext revokes a token without revoking the tree underneath it (so
// child tokens are orphaned rather than revoked)
func (c *TokenAuth) RevokeOrphanWithContext(ctx context.Context, token string) error {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/revoke-orphan")
	if err := r.SetJSONBody(map[string]interface{}{
		"token": token,
	}); err != nil {
		return err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	return nil
}

// RevokeSelf wraps RevokeSelfWithContext using context.Background.
func (c *TokenAuth) RevokeSelf(token string) error {
	return c.RevokeSelfWithContext(context.Background(), token)
}

// RevokeSelfWithContext revokes the token making the call. The `token` parameter is kept
// for backwards compatibility but is ignored; only the client's set token has
// an effect.
func (c *TokenAuth) RevokeSelfWithContext(ctx context.Context, token string) error {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/revoke-self")

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	return nil
}

// RevokeTree wraps RevokeTreeWithContext using context.Background.
func (c *TokenAuth) RevokeTree(token string) error {
	return c.RevokeTreeWithContext(context.Background(), token)
}

// RevokeTreeWithContext is the "normal" revoke operation that revokes the given token and
// the entire tree underneath -- all of its child tokens, their child tokens,
// etc.
func (c *TokenAuth) RevokeTreeWithContext(ctx context.Context, token string) error {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/revoke")
	if err := r.SetJSONBody(map[string]interface{}{
		"token": token,
	}); err != nil {
		return err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	return nil
}

// TokenCreateRequest is the options structure for creating a token.
type TokenCreateRequest struct {
	ID              string            `json:"id,omitempty"`
	Policies        []string          `json:"policies,omitempty"`
	Metadata        map[string]string `json:"meta,omitempty"`
	Lease           string            `json:"lease,omitempty"`
	TTL             string            `json:"ttl,omitempty"`
	ExplicitMaxTTL  string            `json:"explicit_max_ttl,omitempty"`
	Period          string            `json:"period,omitempty"`
	NoParent        bool              `json:"no_parent,omitempty"`
	NoDefaultPolicy bool              `json:"no_default_policy,omitempty"`
	DisplayName     string            `json:"display_name"`
	NumUses         int               `json:"num_uses"`
	Renewable       *bool             `json:"renewable,omitempty"`
	Type            string            `json:"type"`
	EntityAlias     string            `json:"entity_alias"`
}
New upstream version 1.14.8 2024-04-20 12:23:50 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

			`package api`

			`import (`
			`"context"`
			`"net/http"`
			`)`

			`// TokenAuth is used to perform token backend operations on Vault`
			`type TokenAuth struct {`
			`c *Client`
			`}`

			`// Token is used to return the client for token-backend API calls`
			`func (a Auth) Token() TokenAuth {`
			`return &TokenAuth{c: a.c}`
			`}`

			`func (c TokenAuth) Create(opts TokenCreateRequest) (*Secret, error) {`
			`return c.CreateWithContext(context.Background(), opts)`
			`}`

			`func (c TokenAuth) CreateWithContext(ctx context.Context, opts TokenCreateRequest) (*Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/create")`
			`if err := r.SetJSONBody(opts); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) CreateOrphan(opts TokenCreateRequest) (*Secret, error) {`
			`return c.CreateOrphanWithContext(context.Background(), opts)`
			`}`

			`func (c TokenAuth) CreateOrphanWithContext(ctx context.Context, opts TokenCreateRequest) (*Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/create-orphan")`
			`if err := r.SetJSONBody(opts); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) CreateWithRole(opts TokenCreateRequest, roleName string) (*Secret, error) {`
			`return c.CreateWithRoleWithContext(context.Background(), opts, roleName)`
			`}`

			`func (c TokenAuth) CreateWithRoleWithContext(ctx context.Context, opts TokenCreateRequest, roleName string) (*Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/create/"+roleName)`
			`if err := r.SetJSONBody(opts); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) Lookup(token string) (Secret, error) {`
			`return c.LookupWithContext(context.Background(), token)`
			`}`

			`func (c TokenAuth) LookupWithContext(ctx context.Context, token string) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/lookup")`
			`if err := r.SetJSONBody(map[string]interface{}{`
			`"token": token,`
			`}); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) LookupAccessor(accessor string) (Secret, error) {`
			`return c.LookupAccessorWithContext(context.Background(), accessor)`
			`}`

			`func (c TokenAuth) LookupAccessorWithContext(ctx context.Context, accessor string) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/lookup-accessor")`
			`if err := r.SetJSONBody(map[string]interface{}{`
			`"accessor": accessor,`
			`}); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) LookupSelf() (Secret, error) {`
			`return c.LookupSelfWithContext(context.Background())`
			`}`

			`func (c TokenAuth) LookupSelfWithContext(ctx context.Context) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodGet, "/v1/auth/token/lookup-self")`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) RenewAccessor(accessor string, increment int) (Secret, error) {`
			`return c.RenewAccessorWithContext(context.Background(), accessor, increment)`
			`}`

			`func (c TokenAuth) RenewAccessorWithContext(ctx context.Context, accessor string, increment int) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/renew-accessor")`
			`if err := r.SetJSONBody(map[string]interface{}{`
			`"accessor": accessor,`
			`"increment": increment,`
			`}); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) Renew(token string, increment int) (Secret, error) {`
			`return c.RenewWithContext(context.Background(), token, increment)`
			`}`

			`func (c TokenAuth) RenewWithContext(ctx context.Context, token string, increment int) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/renew")`
			`if err := r.SetJSONBody(map[string]interface{}{`
			`"token": token,`
			`"increment": increment,`
			`}); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) RenewSelf(increment int) (Secret, error) {`
			`return c.RenewSelfWithContext(context.Background(), increment)`
			`}`

			`func (c TokenAuth) RenewSelfWithContext(ctx context.Context, increment int) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/renew-self")`

			`body := map[string]interface{}{"increment": increment}`
			`if err := r.SetJSONBody(body); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`// RenewTokenAsSelf wraps RenewTokenAsSelfWithContext using context.Background.`
			`func (c TokenAuth) RenewTokenAsSelf(token string, increment int) (Secret, error) {`
			`return c.RenewTokenAsSelfWithContext(context.Background(), token, increment)`
			`}`

			`// RenewTokenAsSelfWithContext behaves like renew-self, but authenticates using a provided`
			`// token instead of the token attached to the client.`
			`func (c TokenAuth) RenewTokenAsSelfWithContext(ctx context.Context, token string, increment int) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/renew-self")`
			`r.ClientToken = token`

			`body := map[string]interface{}{"increment": increment}`
			`if err := r.SetJSONBody(body); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`// RevokeAccessor wraps RevokeAccessorWithContext using context.Background.`
			`func (c *TokenAuth) RevokeAccessor(accessor string) error {`
			`return c.RevokeAccessorWithContext(context.Background(), accessor)`
			`}`

			`// RevokeAccessorWithContext revokes a token associated with the given accessor`
			`// along with all the child tokens.`
			`func (c *TokenAuth) RevokeAccessorWithContext(ctx context.Context, accessor string) error {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPost, "/v1/auth/token/revoke-accessor")`
			`if err := r.SetJSONBody(map[string]interface{}{`
			`"accessor": accessor,`
			`}); err != nil {`
			`return err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`return nil`
			`}`

			`// RevokeOrphan wraps RevokeOrphanWithContext using context.Background.`
			`func (c *TokenAuth) RevokeOrphan(token string) error {`
			`return c.RevokeOrphanWithContext(context.Background(), token)`
			`}`

			`// RevokeOrphanWithContext revokes a token without revoking the tree underneath it (so`
			`// child tokens are orphaned rather than revoked)`
			`func (c *TokenAuth) RevokeOrphanWithContext(ctx context.Context, token string) error {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/revoke-orphan")`
			`if err := r.SetJSONBody(map[string]interface{}{`
			`"token": token,`
			`}); err != nil {`
			`return err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`return nil`
			`}`

			`// RevokeSelf wraps RevokeSelfWithContext using context.Background.`
			`func (c *TokenAuth) RevokeSelf(token string) error {`
			`return c.RevokeSelfWithContext(context.Background(), token)`
			`}`

			// RevokeSelfWithContext revokes the token making the call. The `token` parameter is kept
			`// for backwards compatibility but is ignored; only the client's set token has`
			`// an effect.`
			`func (c *TokenAuth) RevokeSelfWithContext(ctx context.Context, token string) error {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/revoke-self")`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`return nil`
			`}`

			`// RevokeTree wraps RevokeTreeWithContext using context.Background.`
			`func (c *TokenAuth) RevokeTree(token string) error {`
			`return c.RevokeTreeWithContext(context.Background(), token)`
			`}`

			`// RevokeTreeWithContext is the "normal" revoke operation that revokes the given token and`
			`// the entire tree underneath -- all of its child tokens, their child tokens,`
			`// etc.`
			`func (c *TokenAuth) RevokeTreeWithContext(ctx context.Context, token string) error {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

			`r := c.c.NewRequest(http.MethodPut, "/v1/auth/token/revoke")`
			`if err := r.SetJSONBody(map[string]interface{}{`
			`"token": token,`
			`}); err != nil {`
			`return err`
			`}`

			`resp, err := c.c.rawRequestWithContext(ctx, r)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`return nil`
			`}`

			`// TokenCreateRequest is the options structure for creating a token.`
			`type TokenCreateRequest struct {`
			ID string `json:"id,omitempty"`
			Policies []string `json:"policies,omitempty"`
			Metadata map[string]string `json:"meta,omitempty"`
			Lease string `json:"lease,omitempty"`
			TTL string `json:"ttl,omitempty"`
			ExplicitMaxTTL string `json:"explicit_max_ttl,omitempty"`
			Period string `json:"period,omitempty"`
			NoParent bool `json:"no_parent,omitempty"`
			NoDefaultPolicy bool `json:"no_default_policy,omitempty"`
			DisplayName string `json:"display_name"`
			NumUses int `json:"num_uses"`
			Renewable *bool `json:"renewable,omitempty"`
			Type string `json:"type"`
			EntityAlias string `json:"entity_alias"`
			`}`