open-vault/command/token_create.go

package command

import (
	"fmt"
	"strings"

	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/helper/flag-kv"
	"github.com/hashicorp/vault/helper/flag-slice"
	"github.com/hashicorp/vault/meta"
)

// TokenCreateCommand is a Command that mounts a new mount.
type TokenCreateCommand struct {
	meta.Meta
}

func (c *TokenCreateCommand) Run(args []string) int {
	var format string
	var id, displayName, lease, ttl, explicitMaxTTL, period, role string
	var orphan, noDefaultPolicy, renewable bool
	var metadata map[string]string
	var numUses int
	var policies []string
	flags := c.Meta.FlagSet("mount", meta.FlagSetDefault)
	flags.StringVar(&format, "format", "table", "")
	flags.StringVar(&displayName, "display-name", "", "")
	flags.StringVar(&id, "id", "", "")
	flags.StringVar(&lease, "lease", "", "")
	flags.StringVar(&ttl, "ttl", "", "")
	flags.StringVar(&explicitMaxTTL, "explicit-max-ttl", "", "")
	flags.StringVar(&period, "period", "", "")
	flags.StringVar(&role, "role", "", "")
	flags.BoolVar(&orphan, "orphan", false, "")
	flags.BoolVar(&renewable, "renewable", true, "")
	flags.BoolVar(&noDefaultPolicy, "no-default-policy", false, "")
	flags.IntVar(&numUses, "use-limit", 0, "")
	flags.Var((*kvFlag.Flag)(&metadata), "metadata", "")
	flags.Var((*sliceflag.StringFlag)(&policies), "policy", "")
	flags.Usage = func() { c.Ui.Error(c.Help()) }
	if err := flags.Parse(args); err != nil {
		return 1
	}

	args = flags.Args()
	if len(args) != 0 {
		flags.Usage()
		c.Ui.Error(fmt.Sprintf(
			"\ntoken-create expects no arguments"))
		return 1
	}

	client, err := c.Client()
	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error initializing client: %s", err))
		return 2
	}

	if ttl == "" {
		ttl = lease
	}

	tcr := &api.TokenCreateRequest{
		ID:              id,
		Policies:        policies,
		Metadata:        metadata,
		TTL:             ttl,
		NoParent:        orphan,
		NoDefaultPolicy: noDefaultPolicy,
		DisplayName:     displayName,
		NumUses:         numUses,
		Renewable:       new(bool),
		ExplicitMaxTTL:  explicitMaxTTL,
		Period:          period,
	}
	*tcr.Renewable = renewable

	var secret *api.Secret
	if role != "" {
		secret, err = client.Auth().Token().CreateWithRole(tcr, role)
	} else {
		secret, err = client.Auth().Token().Create(tcr)
	}

	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error creating token: %s", err))
		return 2
	}

	return OutputSecret(c.Ui, format, secret)
}

func (c *TokenCreateCommand) Synopsis() string {
	return "Create a new auth token"
}

func (c *TokenCreateCommand) Help() string {
	helpText := `
Usage: vault token-create [options]

  Create a new auth token.

  This command creates a new token that can be used for authentication.
  This token will be created as a child of your token. The created token
  will inherit your policies, or can be assigned a subset of your policies.

  A lease can also be associated with the token. If a lease is not associated
  with the token, then it cannot be renewed. If a lease is associated with
  the token, it will expire after that amount of time unless it is renewed.

  Metadata associated with the token (specified with "-metadata") is
  written to the audit log when the token is used.

  If a role is specified, the role may override parameters specified here.

General Options:
` + meta.GeneralOptionsUsage() + `
Token Options:

  -id="7699125c-d8...."   The token value that clients will use to authenticate
                          with Vault. If not provided this defaults to a 36
                          character UUID. A root token is required to specify
                          the ID of a token.

  -display-name="name"    A display name to associate with this token. This
                          is a non-security sensitive value used to help
                          identify created secrets, i.e. prefixes.

  -ttl="1h"               Initial TTL to associate with the token; renewals can
                          extend this value.

  -explicit-max-ttl="1h"  An explicit maximum lifetime for the token. Unlike
                          normal token TTLs, which can be renewed up until the
                          maximum TTL set on the auth/token mount or the system
                          configuration file, this lifetime is a hard limit set
                          on the token itself and cannot be exceeded.

  -period="1h"            If specified, the token will be periodic; it will
                          have no maximum TTL (unless an "explicit-max-ttl" is
                          also set) but every renewal will use the given
                          period. Requires a root/sudo token to use.

  -renewable=true         Whether or not the token is renewable to extend its
                          TTL up to Vault's configured maximum TTL for tokens.
                          This defaults to true; set to false to disable
                          renewal of this token.

  -metadata="key=value"   Metadata to associate with the token. This shows
                          up in the audit log. This can be specified multiple
                          times.

  -orphan                 If specified, the token will have no parent. This
                          prevents the new token from being revoked with
                          your token. Requires a root/sudo token to use.

  -no-default-policy      If specified, the token will not have the "default"
                          policy included in its policy set.

  -policy="name"          Policy to associate with this token. This can be
                          specified multiple times.

  -use-limit=5            The number of times this token can be used until
                          it is automatically revoked.

  -format=table           The format for output. By default it is a whitespace-
                          delimited table. This can also be json or yaml.

  -role=name              If set, the token will be created against the named
                          role. The role may override other parameters. This
                          requires the client to have permissions on the
                          appropriate endpoint (auth/token/create/<name>).
`
	return strings.TrimSpace(helpText)
}
command/token-create 2015-04-07 21:20:18 +00:00			`package command`

			`import (`
			`"fmt"`
			`"strings"`

			`"github.com/hashicorp/vault/api"`
			`"github.com/hashicorp/vault/helper/flag-kv"`
			`"github.com/hashicorp/vault/helper/flag-slice"`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`"github.com/hashicorp/vault/meta"`
command/token-create 2015-04-07 21:20:18 +00:00			`)`

			`// TokenCreateCommand is a Command that mounts a new mount.`
			`type TokenCreateCommand struct {`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`meta.Meta`
command/token-create 2015-04-07 21:20:18 +00:00			`}`

			`func (c *TokenCreateCommand) Run(args []string) int {`
command/token-create: provide more useful output. Fixes #337 2015-06-17 23:59:50 +00:00			`var format string`
Add periodic support for root/sudo tokens to auth/token/create 2016-08-13 01:01:30 +00:00			`var id, displayName, lease, ttl, explicitMaxTTL, period, role string`
Add renewable flag and API setting for token creation 2016-06-08 15:14:30 +00:00			`var orphan, noDefaultPolicy, renewable bool`
command/token-create 2015-04-07 21:20:18 +00:00			`var metadata map[string]string`
command/token-create: add display name and one time use 2015-04-20 01:08:08 +00:00			`var numUses int`
command/token-create 2015-04-07 21:20:18 +00:00			`var policies []string`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`flags := c.Meta.FlagSet("mount", meta.FlagSetDefault)`
command/token-create: provide more useful output. Fixes #337 2015-06-17 23:59:50 +00:00			`flags.StringVar(&format, "format", "table", "")`
command/token-create: add display name and one time use 2015-04-20 01:08:08 +00:00			`flags.StringVar(&displayName, "display-name", "", "")`
Allow the `vault token-create` command to specify the token's id 2015-08-06 16:38:26 +00:00			`flags.StringVar(&id, "id", "", "")`
command/token-create 2015-04-07 21:20:18 +00:00			`flags.StringVar(&lease, "lease", "", "")`
Support and use TTL instead of lease for token creation 2015-10-09 23:52:13 +00:00			`flags.StringVar(&ttl, "ttl", "", "")`
Add explicit max TTL capability to token creation API 2016-06-08 18:49:48 +00:00			`flags.StringVar(&explicitMaxTTL, "explicit-max-ttl", "", "")`
Add periodic support for root/sudo tokens to auth/token/create 2016-08-13 01:01:30 +00:00			`flags.StringVar(&period, "period", "", "")`
Initial work on token roles 2016-02-29 18:27:31 +00:00			`flags.StringVar(&role, "role", "", "")`
command/token-create 2015-04-07 21:20:18 +00:00			`flags.BoolVar(&orphan, "orphan", false, "")`
Add renewable flag and API setting for token creation 2016-06-08 15:14:30 +00:00			`flags.BoolVar(&renewable, "renewable", true, "")`
Add no-default-policy flag and API parameter to allow exclusion of the default policy from a token create command. 2015-11-09 22:30:50 +00:00			`flags.BoolVar(&noDefaultPolicy, "no-default-policy", false, "")`
command/token-create: add display name and one time use 2015-04-20 01:08:08 +00:00			`flags.IntVar(&numUses, "use-limit", 0, "")`
command/token-create 2015-04-07 21:20:18 +00:00			`flags.Var((*kvFlag.Flag)(&metadata), "metadata", "")`
			`flags.Var((*sliceflag.StringFlag)(&policies), "policy", "")`
			`flags.Usage = func() { c.Ui.Error(c.Help()) }`
			`if err := flags.Parse(args); err != nil {`
			`return 1`
			`}`

			`args = flags.Args()`
			`if len(args) != 0 {`
			`flags.Usage()`
			`c.Ui.Error(fmt.Sprintf(`
			`"\ntoken-create expects no arguments"))`
			`return 1`
			`}`

			`client, err := c.Client()`
			`if err != nil {`
			`c.Ui.Error(fmt.Sprintf(`
			`"Error initializing client: %s", err))`
			`return 2`
			`}`

Support and use TTL instead of lease for token creation 2015-10-09 23:52:13 +00:00			`if ttl == "" {`
			`ttl = lease`
			`}`
Initial work on token roles 2016-02-29 18:27:31 +00:00
			`tcr := &api.TokenCreateRequest{`
Add no-default-policy flag and API parameter to allow exclusion of the default policy from a token create command. 2015-11-09 22:30:50 +00:00			`ID: id,`
			`Policies: policies,`
			`Metadata: metadata,`
			`TTL: ttl,`
			`NoParent: orphan,`
			`NoDefaultPolicy: noDefaultPolicy,`
			`DisplayName: displayName,`
			`NumUses: numUses,`
Add renewable flag and API setting for token creation 2016-06-08 15:14:30 +00:00			`Renewable: new(bool),`
Add explicit max TTL capability to token creation API 2016-06-08 18:49:48 +00:00			`ExplicitMaxTTL: explicitMaxTTL,`
Add periodic support for root/sudo tokens to auth/token/create 2016-08-13 01:01:30 +00:00			`Period: period,`
Initial work on token roles 2016-02-29 18:27:31 +00:00			`}`
Add renewable flag and API setting for token creation 2016-06-08 15:14:30 +00:00			`*tcr.Renewable = renewable`
Initial work on token roles 2016-02-29 18:27:31 +00:00
			`var secret *api.Secret`
			`if role != "" {`
			`secret, err = client.Auth().Token().CreateWithRole(tcr, role)`
			`} else {`
			`secret, err = client.Auth().Token().Create(tcr)`
			`}`
Support and use TTL instead of lease for token creation 2015-10-09 23:52:13 +00:00
command/token-create 2015-04-07 21:20:18 +00:00			`if err != nil {`
			`c.Ui.Error(fmt.Sprintf(`
			`"Error creating token: %s", err))`
			`return 2`
			`}`

command/token-create: provide more useful output. Fixes #337 2015-06-17 23:59:50 +00:00			`return OutputSecret(c.Ui, format, secret)`
command/token-create 2015-04-07 21:20:18 +00:00			`}`

			`func (c *TokenCreateCommand) Synopsis() string {`
			`return "Create a new auth token"`
			`}`

			`func (c *TokenCreateCommand) Help() string {`
			helpText := `
			`Usage: vault token-create [options]`

			`Create a new auth token.`

			`This command creates a new token that can be used for authentication.`
			`This token will be created as a child of your token. The created token`
			`will inherit your policies, or can be assigned a subset of your policies.`

Improve documentation of token renewal 2015-09-12 01:08:32 +00:00			`A lease can also be associated with the token. If a lease is not associated`
Typo fix 2015-09-12 01:36:20 +00:00			`with the token, then it cannot be renewed. If a lease is associated with`
Improve documentation of token renewal 2015-09-12 01:08:32 +00:00			`the token, it will expire after that amount of time unless it is renewed.`
command/token-create 2015-04-07 21:20:18 +00:00
			`Metadata associated with the token (specified with "-metadata") is`
			`written to the audit log when the token is used.`

Add command and token store documentation for roles 2016-03-01 18:02:40 +00:00			`If a role is specified, the role may override parameters specified here.`

command/token-create 2015-04-07 21:20:18 +00:00			`General Options:`
Fix up the meta common options text function to not strip leading space and fix up commands 2016-04-01 20:50:12 +00:00			` + meta.GeneralOptionsUsage() + `
command/token-create 2015-04-07 21:20:18 +00:00			`Token Options:`

Allow the `vault token-create` command to specify the token's id 2015-08-06 16:38:26 +00:00			`-id="7699125c-d8...." The token value that clients will use to authenticate`
Typo corrections and tweaks to commands' help info * Normalize "X arguments expected" messages * Use "Vault" when referring to the product and "vault" when referring to an instance of the product * Various minor tweaks to improve readability and/or provide clarity 2017-03-25 17:51:12 +00:00			`with Vault. If not provided this defaults to a 36`
Fix output of token-create help to use ttl instead of lease 2015-10-09 23:40:30 +00:00			`character UUID. A root token is required to specify`
Allow the `vault token-create` command to specify the token's id 2015-08-06 16:38:26 +00:00			`the ID of a token.`

command/token-create: add display name and one time use 2015-04-20 01:08:08 +00:00			`-display-name="name" A display name to associate with this token. This`
			`is a non-security sensitive value used to help`
			`identify created secrets, i.e. prefixes.`

Make token renewable status work properly on lookup 2016-06-08 13:19:39 +00:00			`-ttl="1h" Initial TTL to associate with the token; renewals can`
			`extend this value.`
command/token-create 2015-04-07 21:20:18 +00:00
Add explicit max TTL capability to token creation API 2016-06-08 18:49:48 +00:00			`-explicit-max-ttl="1h" An explicit maximum lifetime for the token. Unlike`
			`normal token TTLs, which can be renewed up until the`
			`maximum TTL set on the auth/token mount or the system`
			`configuration file, this lifetime is a hard limit set`
			`on the token itself and cannot be exceeded.`

Add periodic support for root/sudo tokens to auth/token/create 2016-08-13 01:01:30 +00:00			`-period="1h" If specified, the token will be periodic; it will`
			`have no maximum TTL (unless an "explicit-max-ttl" is`
			`also set) but every renewal will use the given`
			`period. Requires a root/sudo token to use.`

Add renewable flag and API setting for token creation 2016-06-08 15:14:30 +00:00			`-renewable=true Whether or not the token is renewable to extend its`
			`TTL up to Vault's configured maximum TTL for tokens.`
			`This defaults to true; set to false to disable`
			`renewal of this token.`

command/token-create 2015-04-07 21:20:18 +00:00			`-metadata="key=value" Metadata to associate with the token. This shows`
			`up in the audit log. This can be specified multiple`
			`times.`

Typo corrections and tweaks to commands' help info * Normalize "X arguments expected" messages * Use "Vault" when referring to the product and "vault" when referring to an instance of the product * Various minor tweaks to improve readability and/or provide clarity 2017-03-25 17:51:12 +00:00			`-orphan If specified, the token will have no parent. This`
			`prevents the new token from being revoked with`
Add periodic support for root/sudo tokens to auth/token/create 2016-08-13 01:01:30 +00:00			`your token. Requires a root/sudo token to use.`
command/token-create 2015-04-07 21:20:18 +00:00
Add no-default-policy flag and API parameter to allow exclusion of the default policy from a token create command. 2015-11-09 22:30:50 +00:00			`-no-default-policy If specified, the token will not have the "default"`
			`policy included in its policy set.`

command/token-create 2015-04-07 21:20:18 +00:00			`-policy="name" Policy to associate with this token. This can be`
			`specified multiple times.`

command/token-create: add display name and one time use 2015-04-20 01:08:08 +00:00			`-use-limit=5 The number of times this token can be used until`
			`it is automatically revoked.`
command/token-create: provide more useful output. Fixes #337 2015-06-17 23:59:50 +00:00
			`-format=table The format for output. By default it is a whitespace-`
Allow to output secrets in YAML format This can be done with https://github.com/ghodss/yaml, which reuses existing JSON struct tags for YAML. 2015-12-10 10:32:31 +00:00			`delimited table. This can also be json or yaml.`
command/token-create: provide more useful output. Fixes #337 2015-06-17 23:59:50 +00:00
Add command and token store documentation for roles 2016-03-01 18:02:40 +00:00			`-role=name If set, the token will be created against the named`
			`role. The role may override other parameters. This`
			`requires the client to have permissions on the`
			`appropriate endpoint (auth/token/create/<name>).`
command/token-create 2015-04-07 21:20:18 +00:00			`
			`return strings.TrimSpace(helpText)`
			`}`