open-vault/api/sys_leases.go

package api

import (
	"context"
	"errors"
	"net/http"
)

func (c *Sys) Renew(id string, increment int) (*Secret, error) {
	return c.RenewWithContext(context.Background(), id, increment)
}

func (c *Sys) RenewWithContext(ctx context.Context, id string, increment int) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/renew")

	body := map[string]interface{}{
		"increment": increment,
		"lease_id":  id,
	}
	if err := r.SetJSONBody(body); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *Sys) Lookup(id string) (*Secret, error) {
	return c.LookupWithContext(context.Background(), id)
}

func (c *Sys) LookupWithContext(ctx context.Context, id string) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/lookup")

	body := map[string]interface{}{
		"lease_id": id,
	}
	if err := r.SetJSONBody(body); err != nil {
		return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *Sys) Revoke(id string) error {
	return c.RevokeWithContext(context.Background(), id)
}

func (c *Sys) RevokeWithContext(ctx context.Context, id string) error {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/revoke")
	body := map[string]interface{}{
		"lease_id": id,
	}
	if err := r.SetJSONBody(body); err != nil {
		return err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err == nil {
		defer resp.Body.Close()
	}
	return err
}

func (c *Sys) RevokePrefix(id string) error {
	return c.RevokePrefixWithContext(context.Background(), id)
}

func (c *Sys) RevokePrefixWithContext(ctx context.Context, id string) error {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/revoke-prefix/"+id)

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err == nil {
		defer resp.Body.Close()
	}
	return err
}

func (c *Sys) RevokeForce(id string) error {
	return c.RevokeForceWithContext(context.Background(), id)
}

func (c *Sys) RevokeForceWithContext(ctx context.Context, id string) error {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/revoke-force/"+id)

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err == nil {
		defer resp.Body.Close()
	}
	return err
}

func (c *Sys) RevokeWithOptions(opts *RevokeOptions) error {
	return c.RevokeWithOptionsWithContext(context.Background(), opts)
}

func (c *Sys) RevokeWithOptionsWithContext(ctx context.Context, opts *RevokeOptions) error {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	if opts == nil {
		return errors.New("nil options provided")
	}

	// Construct path
	path := "/v1/sys/leases/revoke/"
	switch {
	case opts.Force:
		path = "/v1/sys/leases/revoke-force/"
	case opts.Prefix:
		path = "/v1/sys/leases/revoke-prefix/"
	}
	path += opts.LeaseID

	r := c.c.NewRequest(http.MethodPut, path)
	if !opts.Force {
		body := map[string]interface{}{
			"sync": opts.Sync,
		}
		if err := r.SetJSONBody(body); err != nil {
			return err
		}
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if err == nil {
		defer resp.Body.Close()
	}
	return err
}

type RevokeOptions struct {
	LeaseID string
	Force   bool
	Prefix  bool
	Sync    bool
}
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`package api`

API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00			`import (`
			`"context"`
			`"errors"`
Replace http method strings with net/http constants (#14677) 2022-03-24 17:58:03 +00:00			`"net/http"`
API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00			`)`
Make single-lease revocation behave like expiration (#4883) This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen. 2018-07-11 19:45:09 +00:00
command/renew 2015-04-14 00:37:39 +00:00			`func (c Sys) Renew(id string, increment int) (Secret, error) {`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`return c.RenewWithContext(context.Background(), id, increment)`
			`}`

			`func (c Sys) RenewWithContext(ctx context.Context, id string, increment int) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

Replace http method strings with net/http constants (#14677) 2022-03-24 17:58:03 +00:00			`r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/renew")`
command/renew 2015-04-14 00:37:39 +00:00
Add ability to specify renew lease ID in POST body. 2016-08-08 22:00:44 +00:00			`body := map[string]interface{}{`
			`"increment": increment,`
			`"lease_id": id,`
			`}`
command/renew 2015-04-14 00:37:39 +00:00			`if err := r.SetJSONBody(body); err != nil {`
Add command to look up a lease by ID (#11129) * snapshot * basic test * update command and add documentation * update help text * typo * add changelog for lease lookup command * run go mod vendor * remove tabs from help output 2021-03-18 16:11:09 +00:00			`return nil, err`
			`}`

Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`resp, err := c.c.rawRequestWithContext(ctx, r)`
Add command to look up a lease by ID (#11129) * snapshot * basic test * update command and add documentation * update help text * typo * add changelog for lease lookup command * run go mod vendor * remove tabs from help output 2021-03-18 16:11:09 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c Sys) Lookup(id string) (Secret, error) {`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`return c.LookupWithContext(context.Background(), id)`
			`}`

			`func (c Sys) LookupWithContext(ctx context.Context, id string) (Secret, error) {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

Replace http method strings with net/http constants (#14677) 2022-03-24 17:58:03 +00:00			`r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/lookup")`
Add command to look up a lease by ID (#11129) * snapshot * basic test * update command and add documentation * update help text * typo * add changelog for lease lookup command * run go mod vendor * remove tabs from help output 2021-03-18 16:11:09 +00:00
			`body := map[string]interface{}{`
			`"lease_id": id,`
			`}`
			`if err := r.SetJSONBody(body); err != nil {`
command/renew 2015-04-14 00:37:39 +00:00			`return nil, err`
			`}`

Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`resp, err := c.c.rawRequestWithContext(ctx, r)`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

api: lease renew should parse the secret 2015-03-12 00:47:47 +00:00			`return ParseSecret(resp.Body)`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`}`

			`func (c *Sys) Revoke(id string) error {`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`return c.RevokeWithContext(context.Background(), id)`
			`}`

			`func (c *Sys) RevokeWithContext(ctx context.Context, id string) error {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

Replace http method strings with net/http constants (#14677) 2022-03-24 17:58:03 +00:00			`r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/revoke")`
Update API to use lease_id in body of sys/leases/revoke call (#7777) We didn't make this change earlier because not everyone would have had an updated version of Vault with this API change but it's definitely time. Fixes https://github.com/hashicorp/vault-ssh-helper/issues/40 2019-11-05 21:14:28 +00:00			`body := map[string]interface{}{`
			`"lease_id": id,`
			`}`
			`if err := r.SetJSONBody(body); err != nil {`
			`return err`
			`}`
API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`resp, err := c.c.rawRequestWithContext(ctx, r)`
command/revoke: revoke 2015-04-01 02:21:02 +00:00			`if err == nil {`
			`defer resp.Body.Close()`
			`}`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`return err`
			`}`
api: RevokePrefix 2015-04-01 02:23:52 +00:00
			`func (c *Sys) RevokePrefix(id string) error {`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`return c.RevokePrefixWithContext(context.Background(), id)`
			`}`
API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`func (c *Sys) RevokePrefixWithContext(ctx context.Context, id string) error {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00			`defer cancelFunc()`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00
Replace http method strings with net/http constants (#14677) 2022-03-24 17:58:03 +00:00			`r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/revoke-prefix/"+id)`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00
			`resp, err := c.c.rawRequestWithContext(ctx, r)`
api: RevokePrefix 2015-04-01 02:23:52 +00:00			`if err == nil {`
			`defer resp.Body.Close()`
			`}`
			`return err`
			`}`
Add forced revocation. In some situations, it can be impossible to revoke leases (for instance, if someone has gone and manually removed users created by Vault). This can not only cause Vault to cycle trying to revoke them, but it also prevents mounts from being unmounted, leaving them in a tainted state where the only operations allowed are to revoke (or rollback), which will never successfully complete. This adds a new endpoint that works similarly to `revoke-prefix` but ignores errors coming from a backend upon revocation (it does not ignore errors coming from within the expiration manager, such as errors accessing the data store). This can be used to force Vault to abandon leases. Like `revoke-prefix`, this is a very sensitive operation and requires `sudo`. It is implemented as a separate endpoint, rather than an argument to `revoke-prefix`, to ensure that control can be delegated appropriately, as even most administrators should not normally have this privilege. Fixes #1135 2016-03-03 01:26:38 +00:00
			`func (c *Sys) RevokeForce(id string) error {`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`return c.RevokeForceWithContext(context.Background(), id)`
			`}`
API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`func (c *Sys) RevokeForceWithContext(ctx context.Context, id string) error {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00			`defer cancelFunc()`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00
Replace http method strings with net/http constants (#14677) 2022-03-24 17:58:03 +00:00			`r := c.c.NewRequest(http.MethodPut, "/v1/sys/leases/revoke-force/"+id)`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00
			`resp, err := c.c.rawRequestWithContext(ctx, r)`
Add forced revocation. In some situations, it can be impossible to revoke leases (for instance, if someone has gone and manually removed users created by Vault). This can not only cause Vault to cycle trying to revoke them, but it also prevents mounts from being unmounted, leaving them in a tainted state where the only operations allowed are to revoke (or rollback), which will never successfully complete. This adds a new endpoint that works similarly to `revoke-prefix` but ignores errors coming from a backend upon revocation (it does not ignore errors coming from within the expiration manager, such as errors accessing the data store). This can be used to force Vault to abandon leases. Like `revoke-prefix`, this is a very sensitive operation and requires `sudo`. It is implemented as a separate endpoint, rather than an argument to `revoke-prefix`, to ensure that control can be delegated appropriately, as even most administrators should not normally have this privilege. Fixes #1135 2016-03-03 01:26:38 +00:00			`if err == nil {`
			`defer resp.Body.Close()`
			`}`
			`return err`
			`}`
Make single-lease revocation behave like expiration (#4883) This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen. 2018-07-11 19:45:09 +00:00
			`func (c Sys) RevokeWithOptions(opts RevokeOptions) error {`
Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`return c.RevokeWithOptionsWithContext(context.Background(), opts)`
			`}`

			`func (c Sys) RevokeWithOptionsWithContext(ctx context.Context, opts RevokeOptions) error {`
			`ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)`
			`defer cancelFunc()`

Make single-lease revocation behave like expiration (#4883) This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen. 2018-07-11 19:45:09 +00:00			`if opts == nil {`
			`return errors.New("nil options provided")`
			`}`

			`// Construct path`
			`path := "/v1/sys/leases/revoke/"`
			`switch {`
			`case opts.Force:`
			`path = "/v1/sys/leases/revoke-force/"`
			`case opts.Prefix:`
			`path = "/v1/sys/leases/revoke-prefix/"`
			`}`
			`path += opts.LeaseID`

Replace http method strings with net/http constants (#14677) 2022-03-24 17:58:03 +00:00			`r := c.c.NewRequest(http.MethodPut, path)`
Make single-lease revocation behave like expiration (#4883) This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen. 2018-07-11 19:45:09 +00:00			`if !opts.Force {`
			`body := map[string]interface{}{`
			`"sync": opts.Sync,`
			`}`
			`if err := r.SetJSONBody(body); err != nil {`
			`return err`
			`}`
			`}`

Add context-aware functions to vault/api (#14388) 2022-03-23 21:47:43 +00:00			`resp, err := c.c.rawRequestWithContext(ctx, r)`
Make single-lease revocation behave like expiration (#4883) This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen. 2018-07-11 19:45:09 +00:00			`if err == nil {`
			`defer resp.Body.Close()`
			`}`
			`return err`
			`}`

			`type RevokeOptions struct {`
			`LeaseID string`
			`Force bool`
			`Prefix bool`
			`Sync bool`
			`}`