2015-04-05 00:53:59 +00:00
|
|
|
package api
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
import "context"
|
|
|
|
|
2016-04-05 15:00:12 +00:00
|
|
|
// TokenAuth is used to perform token backend operations on Vault
|
2015-04-05 00:53:59 +00:00
|
|
|
type TokenAuth struct {
|
|
|
|
c *Client
|
|
|
|
}
|
|
|
|
|
2016-04-05 15:00:12 +00:00
|
|
|
// Token is used to return the client for token-backend API calls
|
2015-04-05 00:54:16 +00:00
|
|
|
func (a *Auth) Token() *TokenAuth {
|
2015-04-05 00:53:59 +00:00
|
|
|
return &TokenAuth{c: a.c}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error) {
|
|
|
|
r := c.c.NewRequest("POST", "/v1/auth/token/create")
|
|
|
|
if err := r.SetJSONBody(opts); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-04-05 00:53:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2016-09-01 19:39:44 +00:00
|
|
|
func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error) {
|
|
|
|
r := c.c.NewRequest("POST", "/v1/auth/token/create-orphan")
|
|
|
|
if err := r.SetJSONBody(opts); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2016-09-01 19:39:44 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2016-02-29 18:27:31 +00:00
|
|
|
func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error) {
|
|
|
|
r := c.c.NewRequest("POST", "/v1/auth/token/create/"+roleName)
|
|
|
|
if err := r.SetJSONBody(opts); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2016-02-29 18:27:31 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2015-12-29 20:18:59 +00:00
|
|
|
func (c *TokenAuth) Lookup(token string) (*Secret, error) {
|
2016-08-24 19:59:43 +00:00
|
|
|
r := c.c.NewRequest("POST", "/v1/auth/token/lookup")
|
|
|
|
if err := r.SetJSONBody(map[string]interface{}{
|
|
|
|
"token": token,
|
|
|
|
}); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-12-29 20:18:59 +00:00
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2016-03-10 20:09:16 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error) {
|
2016-08-24 19:59:43 +00:00
|
|
|
r := c.c.NewRequest("POST", "/v1/auth/token/lookup-accessor")
|
|
|
|
if err := r.SetJSONBody(map[string]interface{}{
|
|
|
|
"accessor": accessor,
|
|
|
|
}); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-07-24 22:49:55 +00:00
|
|
|
|
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-12-29 20:18:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2015-10-30 21:27:33 +00:00
|
|
|
func (c *TokenAuth) LookupSelf() (*Secret, error) {
|
2015-12-28 00:05:15 +00:00
|
|
|
r := c.c.NewRequest("GET", "/v1/auth/token/lookup-self")
|
2015-10-30 21:27:33 +00:00
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-10-30 21:27:33 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2015-04-20 01:04:01 +00:00
|
|
|
func (c *TokenAuth) Renew(token string, increment int) (*Secret, error) {
|
2016-08-24 19:59:43 +00:00
|
|
|
r := c.c.NewRequest("PUT", "/v1/auth/token/renew")
|
|
|
|
if err := r.SetJSONBody(map[string]interface{}{
|
|
|
|
"token": token,
|
|
|
|
"increment": increment,
|
|
|
|
}); err != nil {
|
2015-04-20 01:04:01 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-04-05 00:53:59 +00:00
|
|
|
if err != nil {
|
2015-04-20 01:04:01 +00:00
|
|
|
return nil, err
|
2015-04-05 00:53:59 +00:00
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
2015-04-20 01:04:01 +00:00
|
|
|
return ParseSecret(resp.Body)
|
2015-04-05 00:53:59 +00:00
|
|
|
}
|
|
|
|
|
2015-10-30 21:27:33 +00:00
|
|
|
func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
|
|
|
|
r := c.c.NewRequest("PUT", "/v1/auth/token/renew-self")
|
|
|
|
|
|
|
|
body := map[string]interface{}{"increment": increment}
|
|
|
|
if err := r.SetJSONBody(body); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-10-30 21:27:33 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2017-06-20 22:52:40 +00:00
|
|
|
// RenewTokenAsSelf behaves like renew-self, but authenticates using a provided
|
2017-06-19 15:10:09 +00:00
|
|
|
// token instead of the token attached to the client.
|
2017-06-20 22:52:40 +00:00
|
|
|
func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error) {
|
2017-06-19 15:10:09 +00:00
|
|
|
r := c.c.NewRequest("PUT", "/v1/auth/token/renew-self")
|
|
|
|
r.ClientToken = token
|
|
|
|
|
|
|
|
body := map[string]interface{}{"increment": increment}
|
|
|
|
if err := r.SetJSONBody(body); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2017-06-19 15:10:09 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return ParseSecret(resp.Body)
|
|
|
|
}
|
|
|
|
|
2016-03-10 22:04:04 +00:00
|
|
|
// RevokeAccessor revokes a token associated with the given accessor
|
|
|
|
// along with all the child tokens.
|
|
|
|
func (c *TokenAuth) RevokeAccessor(accessor string) error {
|
2016-08-24 19:59:43 +00:00
|
|
|
r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor")
|
|
|
|
if err := r.SetJSONBody(map[string]interface{}{
|
|
|
|
"accessor": accessor,
|
|
|
|
}); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-07-24 22:49:55 +00:00
|
|
|
|
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-04-05 00:53:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-03-10 22:04:04 +00:00
|
|
|
// RevokeOrphan revokes a token without revoking the tree underneath it (so
|
|
|
|
// child tokens are orphaned rather than revoked)
|
|
|
|
func (c *TokenAuth) RevokeOrphan(token string) error {
|
2016-08-24 19:59:43 +00:00
|
|
|
r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-orphan")
|
|
|
|
if err := r.SetJSONBody(map[string]interface{}{
|
|
|
|
"token": token,
|
|
|
|
}); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-04-05 00:53:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-09-13 15:03:05 +00:00
|
|
|
// RevokeSelf revokes the token making the call. The `token` parameter is kept
|
|
|
|
// for backwards compatibility but is ignored; only the client's set token has
|
|
|
|
// an effect.
|
|
|
|
func (c *TokenAuth) RevokeSelf(token string) error {
|
2016-03-11 11:30:45 +00:00
|
|
|
r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
|
2018-07-24 22:49:55 +00:00
|
|
|
|
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2016-03-11 11:30:45 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-02-03 16:42:13 +00:00
|
|
|
// RevokeTree is the "normal" revoke operation that revokes the given token and
|
|
|
|
// the entire tree underneath -- all of its child tokens, their child tokens,
|
|
|
|
// etc.
|
2015-04-05 00:53:59 +00:00
|
|
|
func (c *TokenAuth) RevokeTree(token string) error {
|
2016-08-24 19:59:43 +00:00
|
|
|
r := c.c.NewRequest("PUT", "/v1/auth/token/revoke")
|
|
|
|
if err := r.SetJSONBody(map[string]interface{}{
|
|
|
|
"token": token,
|
|
|
|
}); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-07-24 22:49:55 +00:00
|
|
|
ctx, cancelFunc := context.WithCancel(context.Background())
|
|
|
|
defer cancelFunc()
|
|
|
|
resp, err := c.c.RawRequestWithContext(ctx, r)
|
2015-04-05 00:53:59 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// TokenCreateRequest is the options structure for creating a token.
|
|
|
|
type TokenCreateRequest struct {
|
2015-11-09 22:30:50 +00:00
|
|
|
ID string `json:"id,omitempty"`
|
|
|
|
Policies []string `json:"policies,omitempty"`
|
|
|
|
Metadata map[string]string `json:"meta,omitempty"`
|
|
|
|
Lease string `json:"lease,omitempty"`
|
|
|
|
TTL string `json:"ttl,omitempty"`
|
2016-06-08 18:49:48 +00:00
|
|
|
ExplicitMaxTTL string `json:"explicit_max_ttl,omitempty"`
|
2016-08-13 01:01:30 +00:00
|
|
|
Period string `json:"period,omitempty"`
|
2015-11-09 22:30:50 +00:00
|
|
|
NoParent bool `json:"no_parent,omitempty"`
|
|
|
|
NoDefaultPolicy bool `json:"no_default_policy,omitempty"`
|
|
|
|
DisplayName string `json:"display_name"`
|
|
|
|
NumUses int `json:"num_uses"`
|
2016-06-08 15:14:30 +00:00
|
|
|
Renewable *bool `json:"renewable,omitempty"`
|
2015-04-05 00:53:59 +00:00
|
|
|
}
|