vault: Adding sys/revoke
This commit is contained in:
Armon Dadgar
parent
57b4f970d2
commit
f08659aaaa
|
|
@ -30,6 +30,7 @@ func PassthroughBackendFactory(map[string]string) (logical.Backend, error) {
|
|||
logical.WriteOperation: b.handleWrite,
|
||||
logical.DeleteOperation: b.handleDelete,
|
||||
logical.ListOperation: b.handleList,
|
||||
logical.RevokeOperation: b.handleRevoke,
|
||||
},
|
||||
|
||||
HelpSynopsis: strings.TrimSpace(passthroughHelpSynopsis),
|
||||
|
|
@ -45,6 +46,12 @@ func PassthroughBackendFactory(map[string]string) (logical.Backend, error) {
|
|||
// fancy.
|
||||
type PassthroughBackend struct{}
|
||||
|
||||
func (b *PassthroughBackend) handleRevoke(
|
||||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
// This is a no-op
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (b *PassthroughBackend) handleRead(
|
||||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
// Read the path
|
||||
|
|
|
|||
|
|
@ -89,6 +89,24 @@ func NewSystemBackend(core *Core) logical.Backend {
|
|||
HelpSynopsis: strings.TrimSpace(sysHelp["renew"][0]),
|
||||
HelpDescription: strings.TrimSpace(sysHelp["renew"][1]),
|
||||
},
|
||||
|
||||
&framework.Path{
|
||||
Pattern: "revoke/(?P<vault_id>.+)",
|
||||
|
||||
Fields: map[string]*framework.FieldSchema{
|
||||
"vault_id": &framework.FieldSchema{
|
||||
Type: framework.TypeString,
|
||||
Description: strings.TrimSpace(sysHelp["vault_id"][0]),
|
||||
},
|
||||
},
|
||||
|
||||
Callbacks: map[logical.Operation]framework.OperationFunc{
|
||||
logical.WriteOperation: b.handleRevoke,
|
||||
},
|
||||
|
||||
HelpSynopsis: strings.TrimSpace(sysHelp["revoke"][0]),
|
||||
HelpDescription: strings.TrimSpace(sysHelp["revoke"][1]),
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
@ -210,6 +228,19 @@ func (b *SystemBackend) handleRenew(
|
|||
return resp, err
|
||||
}
|
||||
|
||||
// handleRevoke is used to revoke a given VaultID
|
||||
func (b *SystemBackend) handleRevoke(
|
||||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
// Get all the options
|
||||
vaultID := data.Get("vault_id").(string)
|
||||
|
||||
// Invoke the expiration manager directly
|
||||
if err := b.Core.expiration.Revoke(vaultID); err != nil {
|
||||
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
|
||||
}
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// sysHelp is all the help text for the sys backend.
|
||||
var sysHelp = map[string][2]string{
|
||||
"mounts": {
|
||||
|
|
@ -271,4 +302,14 @@ lease and to prevent an automatic revocation.
|
|||
"The desired increment in seconds to the lease",
|
||||
"",
|
||||
},
|
||||
|
||||
"revoke": {
|
||||
"Revoke a leased secret immediately",
|
||||
`
|
||||
When a secret is generated with a lease, it is automatically revoked
|
||||
at the end of the lease period if not renewed. However, in some cases
|
||||
you may want to force an immediate revocation. This endpoint can be
|
||||
used to revoke the secret with the given Vault ID.
|
||||
`,
|
||||
},
|
||||
}
|
||||
|
|
|
|||
|
|
@ -198,6 +198,56 @@ func TestSystemBackend_renew_invalidID(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestSystemBackend_revoke(t *testing.T) {
|
||||
core, b := testCoreSystemBackend(t)
|
||||
|
||||
// Create a key with a lease
|
||||
req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
|
||||
req.Data["foo"] = "bar"
|
||||
req.Data["lease"] = "1h"
|
||||
resp, err := core.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if resp != nil {
|
||||
t.Fatalf("bad: %#v", resp)
|
||||
}
|
||||
|
||||
// Read a key with a VaultID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
resp, err = core.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if resp == nil || resp.Lease == nil || resp.Lease.VaultID == "" {
|
||||
t.Fatalf("bad: %#v", resp)
|
||||
}
|
||||
|
||||
// Attempt renew
|
||||
req2 := logical.TestRequest(t, logical.WriteOperation, "revoke/"+resp.Lease.VaultID)
|
||||
resp2, err := b.HandleRequest(req2)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v %#v", err, resp2)
|
||||
}
|
||||
if resp2 != nil {
|
||||
t.Fatalf("bad: %#v", resp)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSystemBackend_revoke_invalidID(t *testing.T) {
|
||||
b := testSystemBackend(t)
|
||||
|
||||
// Attempt renew
|
||||
req := logical.TestRequest(t, logical.WriteOperation, "revoke/foobarbaz")
|
||||
resp, err := b.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if resp != nil {
|
||||
t.Fatalf("bad: %v", resp)
|
||||
}
|
||||
}
|
||||
|
||||
func testSystemBackend(t *testing.T) logical.Backend {
|
||||
c, _ := TestCoreUnsealed(t)
|
||||
return NewSystemBackend(c)
|
||||
|
|
|
|||
Loading…
Reference in New Issue