Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.

2016-03-31 18:04:05 -04:00 · 2016-03-31 18:04:05 -04:00 · 2fd02b8dca
parent 7a6df4a8ab
commit 2fd02b8dca
3 changed files with 59 additions and 87 deletions
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@ -456,6 +456,65 @@ func TestSystemBackend_revokePrefix(t *testing.T) {
 	}
 }

+func TestSystemBackend_revokePrefixAuth(t *testing.T) {
+	core, ts, _, _ := TestCoreWithTokenStore(t)
+	bc := &logical.BackendConfig{
+		Logger: core.logger,
+		System: logical.StaticSystemView{
+			DefaultLeaseTTLVal: time.Hour * 24,
+			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+		},
+	}
+	b := NewSystemBackend(core, bc)
+	exp := ts.expiration
+
+	te := &TokenEntry{
+		ID:   "foo",
+		Path: "auth/github/login/bar",
+	}
+	err := ts.create(te)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	te, err = ts.Lookup("foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if te == nil {
+		t.Fatal("token entry was nil")
+	}
+
+	// Create a new token
+	auth := &logical.Auth{
+		ClientToken: te.ID,
+		LeaseOptions: logical.LeaseOptions{
+			TTL: time.Hour,
+		},
+	}
+	err = exp.RegisterAuth(te.Path, auth)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
+	resp, err := b.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	te, err = ts.Lookup(te.ID)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if te != nil {
+		t.Fatalf("bad: %v", te)
+	}
+}
+
 func TestSystemBackend_authTable(t *testing.T) {
 	b := testSystemBackend(t)
 	req := logical.TestRequest(t, logical.ReadOperation, "auth")
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -92,7 +92,6 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)

 		PathsSpecial: &logical.Paths{
 			Root: []string{
-				"revoke-prefix/*",
 				"revoke-orphan/*",
 			},
 		},
@ -315,24 +314,6 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 				HelpDescription: strings.TrimSpace(tokenRevokeOrphanHelp),
 			},

-			&framework.Path{
-				Pattern: "revoke-prefix" + framework.OptionalParamRegex("prefix"),
-
-				Fields: map[string]*framework.FieldSchema{
-					"prefix": &framework.FieldSchema{
-						Type:        framework.TypeString,
-						Description: "Token source prefix to revoke",
-					},
-				},
-
-				Callbacks: map[logical.Operation]framework.OperationFunc{
-					logical.UpdateOperation: t.handleRevokePrefix,
-				},
-
-				HelpSynopsis:    strings.TrimSpace(tokenRevokePrefixHelp),
-				HelpDescription: strings.TrimSpace(tokenRevokePrefixHelp),
-			},
-
 			&framework.Path{
 				Pattern: "renew-self$",

@ -1099,27 +1080,6 @@ func (ts *TokenStore) handleRevokeOrphan(
 	return nil, nil
 }

-// handleRevokePrefix handles the auth/token/revoke-prefix/path for revocation of tokens
-// generated by a given path.
-func (ts *TokenStore) handleRevokePrefix(
-	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	// Parse the prefix
-	prefix := data.Get("prefix").(string)
-	if prefix == "" {
-		return logical.ErrorResponse("missing source prefix"), logical.ErrInvalidRequest
-	}
-
-	if !strings.HasPrefix(prefix, "auth/") {
-		return logical.ErrorResponse("prefix to revoke must begin with 'auth/'"), logical.ErrInvalidRequest
-	}
-
-	// Revoke using the prefix
-	if err := ts.expiration.RevokePrefix(prefix); err != nil {
-		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
-	}
-	return nil, nil
-}
-
 // handleLookup handles the auth/token/lookup/id path for querying information about
 // a particular token. This can be used to see which policies are applicable.
 func (ts *TokenStore) handleLookup(
@ -1428,7 +1388,6 @@ as revocation of tokens. The tokens are renewable if associated with a lease.`
 	tokenRevokeHelp          = `This endpoint will delete the given token and all of its child tokens.`
 	tokenRevokeSelfHelp      = `This endpoint will delete the token used to call it and all of its child tokens.`
 	tokenRevokeOrphanHelp    = `This endpoint will delete the token and orphan its child tokens.`
-	tokenRevokePrefixHelp    = `This endpoint will delete all tokens generated under a prefix with their child tokens.`
 	tokenRenewHelp           = `This endpoint will renew the given token and prevent expiration.`
 	tokenRenewSelfHelp       = `This endpoint will renew the token used to call it and prevent expiration.`
 	tokenAllowedPoliciesHelp = `If set, tokens created via this role
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -1041,52 +1041,6 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 	}
 }

-func TestTokenStore_HandleRequest_RevokePrefix(t *testing.T) {
-	exp := mockExpiration(t)
-	ts := exp.tokenStore
-
-	// Create new token
-	root, err := ts.rootToken()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Create a new token
-	auth := &logical.Auth{
-		ClientToken: root.ID,
-		LeaseOptions: logical.LeaseOptions{
-			TTL: time.Hour,
-		},
-	}
-	err = exp.RegisterAuth("auth/github/login", auth)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/github/")
-	resp, err := ts.HandleRequest(req)
-	if err == nil {
-		t.Fatalf("expected error since prefix does not start with 'auth/'")
-	}
-
-	req = logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
-	resp, err = ts.HandleRequest(req)
-	if err != nil {
-		t.Fatalf("err: %v %v", err, resp)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	out, err := ts.Lookup(root.ID)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if out != nil {
-		t.Fatalf("bad: %v", out)
-	}
-}
-
 func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
 	_, ts, _, root := TestCoreWithTokenStore(t)
 	req := logical.TestRequest(t, logical.ReadOperation, "lookup-self")