Added accessor flag to token-revoke CLI

vishalnayak 2016-03-10 17:04:04 -05:00
parent 266af2a5e2
commit 0486fa1a3a
3 changed files with 44 additions and 25 deletions


@ -110,6 +110,19 @@ func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
return ParseSecret(resp.Body) return ParseSecret(resp.Body)
} }
// RevokeAccessor revokes a token associated with the given accessor
// along with all the child tokens.
func (c *TokenAuth) RevokeAccessor(accessor string) error {
r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor/"+accessor)
resp, err := c.c.RawRequest(r)
if err != nil {
return err
}
defer resp.Body.Close()
return nil
}
// RevokeOrphan revokes a token without revoking the tree underneath it (so // RevokeOrphan revokes a token without revoking the tree underneath it (so
// child tokens are orphaned rather than revoked) // child tokens are orphaned rather than revoked)
func (c *TokenAuth) RevokeOrphan(token string) error { func (c *TokenAuth) RevokeOrphan(token string) error {
@ -136,18 +149,6 @@ func (c *TokenAuth) RevokePrefix(token string) error {
return nil return nil
} }
// RevokeSelf revokes the token making the call
func (c *TokenAuth) RevokeSelf() error {
r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
resp, err := c.c.RawRequest(r)
if err != nil {
return err
}
defer resp.Body.Close()
return nil
}
// RevokeTree is the "normal" revoke operation that revokes the given token and // RevokeTree is the "normal" revoke operation that revokes the given token and
// the entire tree underneath -- all of its child tokens, their child tokens, // the entire tree underneath -- all of its child tokens, their child tokens,
// etc. // etc.
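Review bot: RevokeAccessor builds the request path by concatenating the raw accessor onto `/v1/auth/token/revoke-accessor/`, so an accessor containing `/`, `?` or `#` would change which endpoint the request hits rather than failing cleanly; the value arrives from a CLI argument, so the segment should be escaped or accessors containing path-reserved characters rejected before the request is built, and the sibling Revoke* methods whose bodies are outside this hunk presumably share the pattern and would want the same treatment. Separately, the section's second hunk deletes the exported `RevokeSelf` method, which is a breaking change for api consumers that the commit title ("Added accessor flag to token-revoke CLI") does not mention; if the removal is intentional the message should say so, otherwise it reads as an accidental deletion. The doc comment could also state the contract explicitly: `// The accessor is used verbatim as the final path segment of the request.`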


@ -76,12 +76,12 @@ func (c *TokenLookupCommand) Synopsis() string {
func (c *TokenLookupCommand) Help() string { func (c *TokenLookupCommand) Help() string {
helpText := ` helpText := `
Usage: vault token-lookup [options] [token] Usage: vault token-lookup [options] [token|accessor]
Displays information about the specified token. If no token is specified, Displays information about the specified token. If no token is specified, the
the operation is performed on the currently authenticated token i.e. lookup-self. operation is performed on the currently authenticated token i.e. lookup-self.
Information about the token can also be retrieved using the token accessor Information about the token can be retrieved using the token accessor via the
by setting the '-accessor' flag. '-accessor' flag.
General Options: General Options:


@ -12,7 +12,9 @@ type TokenRevokeCommand struct {
func (c *TokenRevokeCommand) Run(args []string) int { func (c *TokenRevokeCommand) Run(args []string) int {
var mode string var mode string
var accessor bool
flags := c.Meta.FlagSet("token-revoke", FlagSetDefault) flags := c.Meta.FlagSet("token-revoke", FlagSetDefault)
flags.BoolVar(&accessor, "accessor", false, "")
flags.StringVar(&mode, "mode", "", "") flags.StringVar(&mode, "mode", "", "")
flags.Usage = func() { c.Ui.Error(c.Help()) } flags.Usage = func() { c.Ui.Error(c.Help()) }
if err := flags.Parse(args); err != nil { if err := flags.Parse(args); err != nil {
@ -37,16 +39,21 @@ func (c *TokenRevokeCommand) Run(args []string) int {
} }
var fn func(string) error var fn func(string) error
switch mode { // Handle all 6 possible combinations
case "": switch {
case !accessor && mode == "":
fn = client.Auth().Token().RevokeTree fn = client.Auth().Token().RevokeTree
case "orphan": case !accessor && mode == "orphan":
fn = client.Auth().Token().RevokeOrphan fn = client.Auth().Token().RevokeOrphan
case "path": case !accessor && mode == "path":
fn = client.Auth().Token().RevokePrefix fn = client.Auth().Token().RevokePrefix
default: case accessor && mode == "":
c.Ui.Error(fmt.Sprintf( fn = client.Auth().Token().RevokeAccessor
"Unknown revocation mode: %s", mode)) case accessor && mode == "orphan":
c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")
return 1
case accessor && mode == "path":
c.Ui.Error("token-revoke cannot be run for 'path' mode when 'accessor' flag is set")
return 1 return 1
} }
@ -66,7 +73,7 @@ func (c *TokenRevokeCommand) Synopsis() string {
func (c *TokenRevokeCommand) Help() string { func (c *TokenRevokeCommand) Help() string {
helpText := ` helpText := `
Usage: vault token-revoke [options] token Usage: vault token-revoke [options] [token|accessor]
Revoke one or more auth tokens. Revoke one or more auth tokens.
@ -86,12 +93,23 @@ Usage: vault token-revoke [options] token
prefix will be deleted, along with all their children. In this case prefix will be deleted, along with all their children. In this case
the "token" arg above is actually a "path". the "token" arg above is actually a "path".
Token can be revoked using the token accessor. This can be done by
setting the '-accessor' flag. Note that when '-accessor' flag is set,
'-mode' should not be set for 'orphan' or 'path'. This is because,
a token accessor always revokes the token along with it's child tokens.
General Options: General Options:
` + generalOptionsUsage() + ` ` + generalOptionsUsage() + `
Token Options: Token Options:
-accessor A boolean flag, if set, treats the argument as an accessor of the token.
Note that accessor can also be used for looking up the token properties
via '/auth/token/lookup-accessor/<accessor>' endpoint.
Accessor is used when there is no access to token ID.
-mode=value The type of revocation to do. See the documentation -mode=value The type of revocation to do. See the documentation
above for more information. above for more information.
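Review bot: The rewritten `switch {` in the second hunk of this section drops the old `default` branch, so an unrecognized `-mode` value (anything other than "", "orphan" or "path") now matches no case and leaves `fn` nil, where the old code reported "Unknown revocation mode"; what happens next is outside the hunk, but calling a nil `fn` would panic instead of returning a usage error. Restore the catch-all: `default:` / `c.Ui.Error(fmt.Sprintf("Unknown revocation mode: %s", mode))` / `return 1`. The two `accessor && mode == ...` error cases could also collapse into a single `case accessor && mode != "":` with one message, which keeps the switch exhaustive without enumerating every combination; `Run` continues past the hunk. The added help text in the last hunk has `it's child tokens`, which should read `its child tokens`.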