open-vault/api/auth_token.go

package api

// TokenAuth is used to perform token backend operations on Vault
type TokenAuth struct {
	c *Client
}

// Token is used to return the client for token-backend API calls
func (a *Auth) Token() *TokenAuth {
	return &TokenAuth{c: a.c}
}

func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error) {
	r := c.c.NewRequest("POST", "/v1/auth/token/create")
	if err := r.SetJSONBody(opts); err != nil {
		return nil, err
	}

	resp, err := c.c.RawRequest(r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error) {
	r := c.c.NewRequest("POST", "/v1/auth/token/create/"+roleName)
	if err := r.SetJSONBody(opts); err != nil {
		return nil, err
	}

	resp, err := c.c.RawRequest(r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) Lookup(token string) (*Secret, error) {
	r := c.c.NewRequest("GET", "/v1/auth/token/lookup/"+token)

	resp, err := c.c.RawRequest(r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error) {
	r := c.c.NewRequest("POST", "/v1/auth/token/lookup-accessor/"+accessor)

	resp, err := c.c.RawRequest(r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) LookupSelf() (*Secret, error) {
	r := c.c.NewRequest("GET", "/v1/auth/token/lookup-self")

	resp, err := c.c.RawRequest(r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) Renew(token string, increment int) (*Secret, error) {
	r := c.c.NewRequest("PUT", "/v1/auth/token/renew/"+token)

	body := map[string]interface{}{"increment": increment}
	if err := r.SetJSONBody(body); err != nil {
		return nil, err
	}

	resp, err := c.c.RawRequest(r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
	r := c.c.NewRequest("PUT", "/v1/auth/token/renew-self")

	body := map[string]interface{}{"increment": increment}
	if err := r.SetJSONBody(body); err != nil {
		return nil, err
	}

	resp, err := c.c.RawRequest(r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return ParseSecret(resp.Body)
}

// RevokeAccessor revokes a token associated with the given accessor
// along with all the child tokens.
func (c *TokenAuth) RevokeAccessor(accessor string) error {
	r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor/"+accessor)
	resp, err := c.c.RawRequest(r)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	return nil
}

// RevokeOrphan revokes a token without revoking the tree underneath it (so
// child tokens are orphaned rather than revoked)
func (c *TokenAuth) RevokeOrphan(token string) error {
	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-orphan/"+token)
	resp, err := c.c.RawRequest(r)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	return nil
}

// RevokeSelf revokes the token making the call
func (c *TokenAuth) RevokeSelf(token string) error {
	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
	resp, err := c.c.RawRequest(r)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	return nil
}

// RevokeTree is the "normal" revoke operation that revokes the given token and
// the entire tree underneath -- all of its child tokens, their child tokens,
// etc.
func (c *TokenAuth) RevokeTree(token string) error {
	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke/"+token)
	resp, err := c.c.RawRequest(r)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	return nil
}

// TokenCreateRequest is the options structure for creating a token.
type TokenCreateRequest struct {
	ID              string            `json:"id,omitempty"`
	Policies        []string          `json:"policies,omitempty"`
	Metadata        map[string]string `json:"meta,omitempty"`
	Lease           string            `json:"lease,omitempty"`
	TTL             string            `json:"ttl,omitempty"`
	NoParent        bool              `json:"no_parent,omitempty"`
	NoDefaultPolicy bool              `json:"no_default_policy,omitempty"`
	DisplayName     string            `json:"display_name"`
	NumUses         int               `json:"num_uses"`
}
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`package api`

Remove RevokePrefix from the API too as we simply do not support it any longer. 2016-04-05 15:00:12 +00:00			`// TokenAuth is used to perform token backend operations on Vault`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`type TokenAuth struct {`
			`c *Client`
			`}`

Remove RevokePrefix from the API too as we simply do not support it any longer. 2016-04-05 15:00:12 +00:00			`// Token is used to return the client for token-backend API calls`
api: make API a bit nicer 2015-04-05 00:54:16 +00:00			`func (a Auth) Token() TokenAuth {`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`return &TokenAuth{c: a.c}`
			`}`

			`func (c TokenAuth) Create(opts TokenCreateRequest) (*Secret, error) {`
			`r := c.c.NewRequest("POST", "/v1/auth/token/create")`
			`if err := r.SetJSONBody(opts); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

Initial work on token roles 2016-02-29 18:27:31 +00:00			`func (c TokenAuth) CreateWithRole(opts TokenCreateRequest, roleName string) (*Secret, error) {`
			`r := c.c.NewRequest("POST", "/v1/auth/token/create/"+roleName)`
			`if err := r.SetJSONBody(opts); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

Make token-lookup functionality available via Vault CLI 2015-12-29 20:18:59 +00:00			`func (c TokenAuth) Lookup(token string) (Secret, error) {`
			`r := c.c.NewRequest("GET", "/v1/auth/token/lookup/"+token)`

Add accessor flag to token-lookup command and add lookup-accessor client API 2016-03-10 20:09:16 +00:00			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

			`func (c TokenAuth) LookupAccessor(accessor string) (Secret, error) {`
			`r := c.c.NewRequest("POST", "/v1/auth/token/lookup-accessor/"+accessor)`

Make token-lookup functionality available via Vault CLI 2015-12-29 20:18:59 +00:00			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

Implement LookupSelf, RevokeSelf, and RenewSelf in the API client Fixes #739 2015-10-30 21:27:33 +00:00			`func (c TokenAuth) LookupSelf() (Secret, error) {`
Corrected HTTP Method for api.TokenAuth.LookupSelf() method 2015-12-28 00:05:15 +00:00			`r := c.c.NewRequest("GET", "/v1/auth/token/lookup-self")`
Implement LookupSelf, RevokeSelf, and RenewSelf in the API client Fixes #739 2015-10-30 21:27:33 +00:00
			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

command/token-renew 2015-04-20 01:04:01 +00:00			`func (c TokenAuth) Renew(token string, increment int) (Secret, error) {`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`r := c.c.NewRequest("PUT", "/v1/auth/token/renew/"+token)`
command/token-renew 2015-04-20 01:04:01 +00:00
			`body := map[string]interface{}{"increment": increment}`
			`if err := r.SetJSONBody(body); err != nil {`
			`return nil, err`
			`}`

api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
command/token-renew 2015-04-20 01:04:01 +00:00			`return nil, err`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`}`
			`defer resp.Body.Close()`

command/token-renew 2015-04-20 01:04:01 +00:00			`return ParseSecret(resp.Body)`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`}`

Implement LookupSelf, RevokeSelf, and RenewSelf in the API client Fixes #739 2015-10-30 21:27:33 +00:00			`func (c TokenAuth) RenewSelf(increment int) (Secret, error) {`
			`r := c.c.NewRequest("PUT", "/v1/auth/token/renew-self")`

			`body := map[string]interface{}{"increment": increment}`
			`if err := r.SetJSONBody(body); err != nil {`
			`return nil, err`
			`}`

			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`return ParseSecret(resp.Body)`
			`}`

Added accessor flag to token-revoke CLI 2016-03-10 22:04:04 +00:00			`// RevokeAccessor revokes a token associated with the given accessor`
			`// along with all the child tokens.`
			`func (c *TokenAuth) RevokeAccessor(accessor string) error {`
			`r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor/"+accessor)`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`return nil`
			`}`

Added accessor flag to token-revoke CLI 2016-03-10 22:04:04 +00:00			`// RevokeOrphan revokes a token without revoking the tree underneath it (so`
			`// child tokens are orphaned rather than revoked)`
			`func (c *TokenAuth) RevokeOrphan(token string) error {`
			`r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-orphan/"+token)`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`return nil`
			`}`

Restore RevokeSelf API 2016-03-11 11:30:45 +00:00			`// RevokeSelf revokes the token making the call`
			`func (c *TokenAuth) RevokeSelf(token string) error {`
			`r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")`
			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`return nil`
			`}`

Add some documentation to the API revoke functions 2016-02-03 16:42:13 +00:00			`// RevokeTree is the "normal" revoke operation that revokes the given token and`
			`// the entire tree underneath -- all of its child tokens, their child tokens,`
			`// etc.`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`func (c *TokenAuth) RevokeTree(token string) error {`
			`r := c.c.NewRequest("PUT", "/v1/auth/token/revoke/"+token)`
			`resp, err := c.c.RawRequest(r)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`return nil`
			`}`

			`// TokenCreateRequest is the options structure for creating a token.`
			`type TokenCreateRequest struct {`
Add no-default-policy flag and API parameter to allow exclusion of the default policy from a token create command. 2015-11-09 22:30:50 +00:00			ID string `json:"id,omitempty"`
			Policies []string `json:"policies,omitempty"`
			Metadata map[string]string `json:"meta,omitempty"`
			Lease string `json:"lease,omitempty"`
			TTL string `json:"ttl,omitempty"`
			NoParent bool `json:"no_parent,omitempty"`
			NoDefaultPolicy bool `json:"no_default_policy,omitempty"`
			DisplayName string `json:"display_name"`
			NumUses int `json:"num_uses"`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`}`