cli: plumbed vault token from job revert command through API call

api/api.go

@@ -26,7 +26,7 @@ var (
 	ClientConnTimeout = 1 * time.Second
 )
 
-// QueryOptions are used to parameterize a query
+// QueryOptions are used to parametrize a query
 type QueryOptions struct {
 	// Providing a datacenter overwrites the region provided
 	// by the Config
@@ -57,7 +57,7 @@ type QueryOptions struct {
 	AuthToken string
 }
 
-// WriteOptions are used to parameterize a write
+// WriteOptions are used to parametrize a write
 type WriteOptions struct {
 	// Providing a datacenter overwrites the region provided
 	// by the Config

api/jobs.go

@@ -321,13 +321,14 @@ func (j *Jobs) Dispatch(jobID string, meta map[string]string,
 // enforceVersion is set, the job is only reverted if the current version is at
 // the passed version.
 func (j *Jobs) Revert(jobID string, version uint64, enforcePriorVersion *uint64,
-	q *WriteOptions) (*JobRegisterResponse, *WriteMeta, error) {
+	q *WriteOptions, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) {
 
 	var resp JobRegisterResponse
 	req := &JobRevertRequest{
 		JobID:               jobID,
 		JobVersion:          version,
 		EnforcePriorVersion: enforcePriorVersion,
+		VaultToken:          vaultToken,
 	}
 	wm, err := j.client.write("/v1/job/"+jobID+"/revert", req, &resp, q)
 	if err != nil {
@@ -930,6 +931,12 @@ type JobRevertRequest struct {
 	// version before reverting.
 	EnforcePriorVersion *uint64
 
+	// VaultToken is the Vault token that proves the submitter of the job revert
+	// has access to any Vault policies specified in the targeted job version. This
+	// field is only used to transfer the token and is not stored after the Job
+	// revert.
+	VaultToken string `json:",omitempty"`
+
 	WriteRequest
 }
 

api/jobs_test.go

@@ -716,13 +716,13 @@ func TestJobs_Revert(t *testing.T) {
 	assertWriteMeta(t, wm)
 
 	// Fail revert at incorrect enforce
-	_, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil)
+	_, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil, "")
 	if err == nil || !strings.Contains(err.Error(), "enforcing version") {
 		t.Fatalf("expected enforcement error: %v", err)
 	}
 
 	// Works at correct index
-	revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil)
+	revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}

command/job_revert.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/hashicorp/nomad/api/contexts"
@@ -32,6 +33,10 @@ Revert Options:
 
   -verbose
     Display full information.
+
+  -vault-token 
+   The Vault token used to verify that the caller has access to the Vault 
+   policies i the targeted version of the job.
 `
 	return strings.TrimSpace(helpText)
 }
@@ -67,11 +72,13 @@ func (c *JobRevertCommand) Name() string { return "job revert" }
 
 func (c *JobRevertCommand) Run(args []string) int {
 	var detach, verbose bool
+	var vaultToken string
 
 	flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
 	flags.BoolVar(&detach, "detach", false, "")
 	flags.BoolVar(&verbose, "verbose", false, "")
+	flags.StringVar(&vaultToken, "vault-token", "", "")
 
 	if err := flags.Parse(args); err != nil {
 		return 1
@@ -98,6 +105,12 @@ func (c *JobRevertCommand) Run(args []string) int {
 		return 1
 	}
 
+	// Parse the Vault token
+	if vaultToken == "" {
+		// Check the environment variable
+		vaultToken = os.Getenv("VAULT_TOKEN")
+	}
+
 	jobID := args[0]
 	revertVersion, ok, err := parseVersion(args[1])
 	if !ok {
@@ -125,7 +138,7 @@ func (c *JobRevertCommand) Run(args []string) int {
 	}
 
 	// Prefix lookup matched a single job
-	resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil)
+	resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, vaultToken)
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf("Error retrieving job versions: %s", err))
 		return 1