Add accessor flag to token-lookup command and add lookup-accessor client API

api/auth_token.go

@@ -52,6 +52,18 @@ func (c *TokenAuth) Lookup(token string) (*Secret, error) {
 	return ParseSecret(resp.Body)
 }
 
+func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error) {
+	r := c.c.NewRequest("POST", "/v1/auth/token/lookup-accessor/"+accessor)
+
+	resp, err := c.c.RawRequest(r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return ParseSecret(resp.Body)
+}
+
 func (c *TokenAuth) LookupSelf() (*Secret, error) {
 	r := c.c.NewRequest("GET", "/v1/auth/token/lookup-self")
 

command/token_lookup.go

@@ -2,8 +2,9 @@ package command
 
 import (
 	"fmt"
-	"github.com/hashicorp/vault/api"
 	"strings"
+
+	"github.com/hashicorp/vault/api"
 )
 
 // TokenLookupCommand is a Command that outputs details about the
@@ -14,7 +15,9 @@ type TokenLookupCommand struct {
 
 func (c *TokenLookupCommand) Run(args []string) int {
 	var format string
+	var accessor bool
 	flags := c.Meta.FlagSet("token-lookup", FlagSetDefault)
+	flags.BoolVar(&accessor, "accessor", false, "")
 	flags.StringVar(&format, "format", "table", "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
 	if err := flags.Parse(args); err != nil {
@@ -32,14 +35,27 @@ func (c *TokenLookupCommand) Run(args []string) int {
 	client, err := c.Client()
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf(
-			"Error initializing client: %s", err))
+			"error initializing client: %s", err))
 		return 2
 	}
 
-	secret, err := doTokenLookup(args, client)
+	var secret *api.Secret
+	switch {
+	case !accessor && len(args) == 0:
+		secret, err = client.Auth().Token().LookupSelf()
+	case !accessor && len(args) == 1:
+		secret, err = client.Auth().Token().Lookup(args[0])
+	case accessor && len(args) == 1:
+		secret, err = client.Auth().Token().LookupAccessor(args[0])
+	default:
+		// This happens only when accessor is set and no argument is passed
+		c.Ui.Error(fmt.Sprintf("token-lookup expects an argument when accessor flag is set"))
+		return 1
+	}
+
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf(
-			"Error looking up token: %s", err))
+			"error looking up token: %s", err))
 		return 1
 	}
 	return OutputSecret(c.Ui, format, secret)
@@ -62,15 +78,20 @@ func (c *TokenLookupCommand) Help() string {
 	helpText := `
 Usage: vault token-lookup [options] [token]
 
-  Displays information about the specified token.
-  If no token is specified, the operation is performed on the currently
-  authenticated token i.e. lookup-self.
+  Displays information about the specified token. If no token is specified,
+  the operation is performed on the currently authenticated token i.e. lookup-self.
+  Information about the token can also be retrieved using the token accessor
+  by setting the '-accessor' flag.
 
 General Options:
 
   ` + generalOptionsUsage() + `
 
 Token Lookup Options:
+  -accessor               A boolean flag, if set, treats the argument as an accessor of the token.
+                          Note that the response of the command when this is set, will not contain
+                          the token ID. Accessor is only meant for looking up the token properties
+                          (and for revocation via '/auth/token/revoke-accessor/<accessor>' endpoint).
 
   -format=table           The format for output. By default it is a whitespace-
                           delimited table. This can also be json or yaml.