vault: Adding sys/revoke

vault/logical_passthrough.go

@@ -30,6 +30,7 @@ func PassthroughBackendFactory(map[string]string) (logical.Backend, error) {
 					logical.WriteOperation:  b.handleWrite,
 					logical.DeleteOperation: b.handleDelete,
 					logical.ListOperation:   b.handleList,
+					logical.RevokeOperation: b.handleRevoke,
 				},
 
 				HelpSynopsis:    strings.TrimSpace(passthroughHelpSynopsis),
@@ -45,6 +46,12 @@ func PassthroughBackendFactory(map[string]string) (logical.Backend, error) {
 // fancy.
 type PassthroughBackend struct{}
 
+func (b *PassthroughBackend) handleRevoke(
+	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// This is a no-op
+	return nil, nil
+}
+
 func (b *PassthroughBackend) handleRead(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	// Read the path

vault/logical_system.go

@@ -89,6 +89,24 @@ func NewSystemBackend(core *Core) logical.Backend {
 				HelpSynopsis:    strings.TrimSpace(sysHelp["renew"][0]),
 				HelpDescription: strings.TrimSpace(sysHelp["renew"][1]),
 			},
+
+			&framework.Path{
+				Pattern: "revoke/(?P<vault_id>.+)",
+
+				Fields: map[string]*framework.FieldSchema{
+					"vault_id": &framework.FieldSchema{
+						Type:        framework.TypeString,
+						Description: strings.TrimSpace(sysHelp["vault_id"][0]),
+					},
+				},
+
+				Callbacks: map[logical.Operation]framework.OperationFunc{
+					logical.WriteOperation: b.handleRevoke,
+				},
+
+				HelpSynopsis:    strings.TrimSpace(sysHelp["revoke"][0]),
+				HelpDescription: strings.TrimSpace(sysHelp["revoke"][1]),
+			},
 		},
 	}
 }
@@ -210,6 +228,19 @@ func (b *SystemBackend) handleRenew(
 	return resp, err
 }
 
+// handleRevoke is used to revoke a given VaultID
+func (b *SystemBackend) handleRevoke(
+	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// Get all the options
+	vaultID := data.Get("vault_id").(string)
+
+	// Invoke the expiration manager directly
+	if err := b.Core.expiration.Revoke(vaultID); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+	return nil, nil
+}
+
 // sysHelp is all the help text for the sys backend.
 var sysHelp = map[string][2]string{
 	"mounts": {
@@ -271,4 +302,14 @@ lease and to prevent an automatic revocation.
 		"The desired increment in seconds to the lease",
 		"",
 	},
+
+	"revoke": {
+		"Revoke a leased secret immediately",
+		`
+When a secret is generated with a lease, it is automatically revoked
+at the end of the lease period if not renewed. However, in some cases
+you may want to force an immediate revocation. This endpoint can be
+used to revoke the secret with the given Vault ID.
+		`,
+	},
 }

vault/logical_system_test.go

@@ -198,6 +198,56 @@ func TestSystemBackend_renew_invalidID(t *testing.T) {
 	}
 }
 
+func TestSystemBackend_revoke(t *testing.T) {
+	core, b := testCoreSystemBackend(t)
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.Data["lease"] = "1h"
+	resp, err := core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a VaultID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	resp, err = core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Lease == nil || resp.Lease.VaultID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Attempt renew
+	req2 := logical.TestRequest(t, logical.WriteOperation, "revoke/"+resp.Lease.VaultID)
+	resp2, err := b.HandleRequest(req2)
+	if err != nil {
+		t.Fatalf("err: %v %#v", err, resp2)
+	}
+	if resp2 != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+}
+
+func TestSystemBackend_revoke_invalidID(t *testing.T) {
+	b := testSystemBackend(t)
+
+	// Attempt renew
+	req := logical.TestRequest(t, logical.WriteOperation, "revoke/foobarbaz")
+	resp, err := b.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
 func testSystemBackend(t *testing.T) logical.Backend {
 	c, _ := TestCoreUnsealed(t)
 	return NewSystemBackend(c)