2015-04-01 02:21:02 +00:00

package command

import (
	"fmt"
	"strings"

	"github.com/hashicorp/vault/meta"
)

// RevokeCommand is a Command that revokes a secret by its lease ID.
type RevokeCommand struct {
	meta.Meta
}

func (c *RevokeCommand) Run(args []string) int {
Add forced revocation.
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.
This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.
Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.
Fixes #1135
2016-03-03 01:26:38 +00:00
	var prefix, force bool
	flags := c.Meta.FlagSet("revoke", meta.FlagSetDefault)
	flags.BoolVar(&prefix, "prefix", false, "")
	flags.BoolVar(&force, "force", false, "")
	flags.Usage = func() { c.Ui.Error(c.Help()) }
	if err := flags.Parse(args); err != nil {
		return 1
	}

	args = flags.Args()
	if len(args) != 1 {
		flags.Usage()
		c.Ui.Error("\nRevoke expects one argument: the ID to revoke")
		return 1
	}
	leaseId := args[0]

	client, err := c.Client()
	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error initializing client: %s", err))
		return 2
	}

	// -force is only meaningful for prefix revocation; reject it otherwise
	// before any request is sent.
	switch {
	case force && !prefix:
		c.Ui.Error("-force requires -prefix")
		return 1
	case force && prefix:
		err = client.Sys().RevokeForce(leaseId)
	case prefix:
		err = client.Sys().RevokePrefix(leaseId)
	default:
		err = client.Sys().Revoke(leaseId)
	}
	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Revoke error: %s", err))
		return 1
	}

	c.Ui.Output(fmt.Sprintf("Success! Revoked the secret with ID '%s', if it existed.", leaseId))
	return 0
}

func (c *RevokeCommand) Synopsis() string {
	return "Revoke a secret."
}

func (c *RevokeCommand) Help() string {
	helpText := `
Usage: vault revoke [options] id

  Revoke a secret by its lease ID.

  This command revokes a secret by the lease ID that was returned with it. Once
  the secret is revoked, it is no longer valid.

  With the -prefix flag, the revoke is done by prefix: any secret whose lease ID
  starts with the given partial ID is revoked. Lease IDs are structured so that
  revoking by prefix is useful (for example, everything issued by one mount).

  With the -force flag, the lease is removed from Vault even if the revocation
  fails. This is meant for certain recovery scenarios and should not be used
  lightly. This option requires -prefix.

General Options:
` + meta.GeneralOptionsUsage() + `
Revoke Options:

  -prefix=true            Revoke all secrets with the matching prefix. This
                          defaults to false: an exact revocation.

  -force=true             Delete the lease even if the actual revocation
                          operation fails. Requires -prefix.
`
	return strings.TrimSpace(helpText)
}
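The three revoke paths above (exact ID, -prefix, and -prefix -force), together with the commit message's rule that forced revocation ignores errors from the backend but not errors from the expiration manager's own storage, as an added Go example. This is illustrative code written for this page, not Vault's expiration manager or its API client: the Backend interface, LeaseStore, brokenBackend, okBackend and NewSampleStore are assumptions constructed for the example, and the lease IDs and mount names are made up.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Backend is a hypothetical stand-in for a secret backend's revoke hook
// (an assumption for this example, not Vault's logical.Backend interface).
type Backend interface {
	Revoke(leaseID string) error
}

// brokenBackend models a mount whose revocations always fail, e.g. because
// the users it created were deleted by hand.
type brokenBackend struct{}

func (brokenBackend) Revoke(string) error { return errors.New("user no longer exists") }

// okBackend models a mount that revokes cleanly.
type okBackend struct{}

func (okBackend) Revoke(string) error { return nil }

// LeaseStore is a toy model of the expiration manager's lease records.
type LeaseStore struct {
	Leases     map[string]string  // lease ID -> mount name
	Backends   map[string]Backend // mount name -> backend
	StorageErr error              // simulated data-store failure; never ignored, even with force
}

// ErrForceRequiresPrefix mirrors the CLI's "-force requires -prefix" check.
var ErrForceRequiresPrefix = errors.New("-force requires -prefix")

// Revoke models the three CLI paths: exact ID, -prefix, and -prefix -force.
// It returns the IDs whose lease records were removed and, under force, the
// backend errors that were ignored. A backend error without force aborts the
// walk; a storage error aborts in both modes.
func (s *LeaseStore) Revoke(id string, prefix, force bool) (removed []string, ignored []error, err error) {
	if force && !prefix {
		return nil, nil, ErrForceRequiresPrefix
	}
	if s.StorageErr != nil {
		return nil, nil, fmt.Errorf("listing leases: %w", s.StorageErr)
	}
	// Select the leases to act on: the exact ID, or every ID under the prefix.
	var ids []string
	for lid := range s.Leases {
		if (prefix && strings.HasPrefix(lid, id)) || (!prefix && lid == id) {
			ids = append(ids, lid)
		}
	}
	sort.Strings(ids) // deterministic order so partial failures are reproducible
	for _, lid := range ids {
		be, ok := s.Backends[s.Leases[lid]]
		if !ok {
			return removed, ignored, fmt.Errorf("lease %q: mount %q is not present", lid, s.Leases[lid])
		}
		if rerr := be.Revoke(lid); rerr != nil {
			if !force {
				// Stop here: earlier leases stay revoked, this one and later ones remain.
				return removed, ignored, fmt.Errorf("revoking %q: %w", lid, rerr)
			}
			ignored = append(ignored, fmt.Errorf("revoking %q: %w", lid, rerr))
		}
		delete(s.Leases, lid) // under force this is the "abandon the lease" step
		removed = append(removed, lid)
	}
	return removed, ignored, nil
}

// NewSampleStore builds constructed sample data: two AWS leases under one
// prefix whose mount can no longer revoke them, and one healthy PKI lease.
func NewSampleStore() *LeaseStore {
	return &LeaseStore{
		Leases: map[string]string{
			"aws/creds/deploy/1": "aws",
			"aws/creds/deploy/2": "aws",
			"pki/issue/web/1":    "pki",
		},
		Backends: map[string]Backend{"aws": brokenBackend{}, "pki": okBackend{}},
	}
}

func main() {
	s := NewSampleStore()
	removed, _, err := s.Revoke("aws/creds/deploy/", true, false)
	fmt.Println("revoke -prefix:", removed, err)
	removed, ignored, err := s.Revoke("aws/creds/deploy/", true, true)
	fmt.Println("revoke -prefix -force:", removed, "ignored:", ignored, err)
	_, _, err = s.Revoke("aws/creds/deploy/1", false, true)
	fmt.Println("revoke -force alone:", err)
}
```

Two behaviours are worth noticing when running it. A plain -prefix revoke against the broken mount removes nothing, because the walk aborts at the first backend error, which is exactly the "tainted mount that can never be unmounted" situation the commit message describes; -prefix -force removes both records and hands back the ignored errors so an operator can still see what was abandoned. An exact revoke of an ID that does not exist removes nothing and returns no error, matching the CLI's "if it existed" wording.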