2015-04-07 21:36:17 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"strings"
|
2016-04-01 17:16:05 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/vault/meta"
|
2015-04-07 21:36:17 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TokenRevokeCommand is a Command that mounts a new mount.
|
|
|
|
type TokenRevokeCommand struct {
|
2016-04-01 17:16:05 +00:00
|
|
|
meta.Meta
|
2015-04-07 21:36:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *TokenRevokeCommand) Run(args []string) int {
|
|
|
|
var mode string
|
2016-03-10 22:04:04 +00:00
|
|
|
var accessor bool
|
2016-04-01 17:16:05 +00:00
|
|
|
flags := c.Meta.FlagSet("token-revoke", meta.FlagSetDefault)
|
2016-03-10 22:04:04 +00:00
|
|
|
flags.BoolVar(&accessor, "accessor", false, "")
|
2015-04-07 21:36:17 +00:00
|
|
|
flags.StringVar(&mode, "mode", "", "")
|
|
|
|
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
|
|
|
if err := flags.Parse(args); err != nil {
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
args = flags.Args()
|
|
|
|
if len(args) != 1 {
|
|
|
|
flags.Usage()
|
|
|
|
c.Ui.Error(fmt.Sprintf(
|
|
|
|
"\ntoken-revoke expects one argument"))
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
token := args[0]
|
|
|
|
|
|
|
|
client, err := c.Client()
|
|
|
|
if err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf(
|
|
|
|
"Error initializing client: %s", err))
|
|
|
|
return 2
|
|
|
|
}
|
|
|
|
|
|
|
|
var fn func(string) error
|
2016-03-10 22:04:04 +00:00
|
|
|
// Handle all 6 possible combinations
|
|
|
|
switch {
|
|
|
|
case !accessor && mode == "":
|
2015-04-07 21:36:17 +00:00
|
|
|
fn = client.Auth().Token().RevokeTree
|
2016-03-10 22:04:04 +00:00
|
|
|
case !accessor && mode == "orphan":
|
2015-04-07 21:36:17 +00:00
|
|
|
fn = client.Auth().Token().RevokeOrphan
|
2016-03-10 22:04:04 +00:00
|
|
|
case !accessor && mode == "path":
|
2016-04-05 15:00:12 +00:00
|
|
|
fn = client.Sys().RevokePrefix
|
2016-03-10 22:04:04 +00:00
|
|
|
case accessor && mode == "":
|
|
|
|
fn = client.Auth().Token().RevokeAccessor
|
|
|
|
case accessor && mode == "orphan":
|
|
|
|
c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")
|
|
|
|
return 1
|
|
|
|
case accessor && mode == "path":
|
|
|
|
c.Ui.Error("token-revoke cannot be run for 'path' mode when 'accessor' flag is set")
|
2015-04-07 21:36:17 +00:00
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := fn(token); err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf(
|
|
|
|
"Error revoking token: %s", err))
|
|
|
|
return 2
|
|
|
|
}
|
|
|
|
|
2016-04-14 15:46:45 +00:00
|
|
|
c.Ui.Output("Success! Token revoked if it existed.")
|
2015-04-07 21:36:17 +00:00
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *TokenRevokeCommand) Synopsis() string {
|
|
|
|
return "Revoke one or more auth tokens"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *TokenRevokeCommand) Help() string {
|
|
|
|
helpText := `
|
2016-03-10 22:04:04 +00:00
|
|
|
Usage: vault token-revoke [options] [token|accessor]
|
2015-04-07 21:36:17 +00:00
|
|
|
|
|
|
|
Revoke one or more auth tokens.
|
|
|
|
|
|
|
|
This command revokes auth tokens. Use the "revoke" command for
|
|
|
|
revoking secrets.
|
|
|
|
|
|
|
|
Depending on the flags used, auth tokens can be revoked in multiple ways
|
|
|
|
depending on the "-mode" flag:
|
|
|
|
|
|
|
|
* Without any value, the token specified and all of its children
|
|
|
|
will be revoked.
|
|
|
|
|
|
|
|
* With the "orphan" value, only the specific token will be revoked.
|
|
|
|
All of its children will be orphaned.
|
|
|
|
|
|
|
|
* With the "path" value, tokens created from the given auth path
|
|
|
|
prefix will be deleted, along with all their children. In this case
|
2016-04-05 15:00:12 +00:00
|
|
|
the "token" arg above is actually a "path". This mode does *not*
|
|
|
|
work with token values or parts of token values.
|
2015-04-07 21:36:17 +00:00
|
|
|
|
2016-03-10 22:04:04 +00:00
|
|
|
Token can be revoked using the token accessor. This can be done by
|
|
|
|
setting the '-accessor' flag. Note that when '-accessor' flag is set,
|
|
|
|
'-mode' should not be set for 'orphan' or 'path'. This is because,
|
|
|
|
a token accessor always revokes the token along with it's child tokens.
|
|
|
|
|
2015-04-07 21:36:17 +00:00
|
|
|
General Options:
|
2016-04-01 20:50:12 +00:00
|
|
|
` + meta.GeneralOptionsUsage() + `
|
2015-04-07 21:36:17 +00:00
|
|
|
Token Options:
|
|
|
|
|
2016-03-10 22:04:04 +00:00
|
|
|
-accessor A boolean flag, if set, treats the argument as an accessor of the token.
|
|
|
|
Note that accessor can also be used for looking up the token properties
|
|
|
|
via '/auth/token/lookup-accessor/<accessor>' endpoint.
|
|
|
|
Accessor is used when there is no access to token ID.
|
|
|
|
|
|
|
|
|
2015-04-07 21:36:17 +00:00
|
|
|
-mode=value The type of revocation to do. See the documentation
|
|
|
|
above for more information.
|
|
|
|
|
|
|
|
`
|
|
|
|
return strings.TrimSpace(helpText)
|
|
|
|
}
|