open-vault/command/token_renew.go

115 lines
3.0 KiB
Go

package command
import (
"fmt"
"strings"
"time"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/meta"
)
// TokenRenewCommand is a Command that mounts a new mount.
type TokenRenewCommand struct {
meta.Meta
}
func (c *TokenRenewCommand) Run(args []string) int {
var format, increment string
flags := c.Meta.FlagSet("token-renew", meta.FlagSetDefault)
flags.StringVar(&format, "format", "table", "")
flags.StringVar(&increment, "increment", "", "")
flags.Usage = func() { c.Ui.Error(c.Help()) }
if err := flags.Parse(args); err != nil {
return 1
}
args = flags.Args()
if len(args) > 2 {
flags.Usage()
c.Ui.Error(fmt.Sprintf(
"\ntoken-renew expects at most two arguments"))
return 1
}
var token string
if len(args) > 0 {
token = args[0]
}
var inc int
// If both are specified prefer the argument
if len(args) == 2 {
increment = args[1]
}
if increment != "" {
dur, err := time.ParseDuration(increment)
if err != nil {
c.Ui.Error(fmt.Sprintf("Invalid increment: %s", err))
return 1
}
inc = int(dur / time.Second)
}
client, err := c.Client()
if err != nil {
c.Ui.Error(fmt.Sprintf(
"Error initializing client: %s", err))
return 2
}
// If the given token is the same as the client's, use renew-self instead
// as this is far more likely to be allowed via policy
var secret *api.Secret
if token == "" {
secret, err = client.Auth().Token().RenewSelf(inc)
} else {
secret, err = client.Auth().Token().Renew(token, inc)
}
if err != nil {
c.Ui.Error(fmt.Sprintf(
"Error renewing token: %s", err))
return 1
}
return OutputSecret(c.Ui, format, secret)
}
func (c *TokenRenewCommand) Synopsis() string {
return "Renew an auth token if there is an associated lease"
}
func (c *TokenRenewCommand) Help() string {
helpText := `
Usage: vault token-renew [options] [token] [increment]
Renew an auth token, extending the amount of time it can be used. If a token
is given to the command, '/auth/token/renew' will be called with the given
token; otherwise, '/auth/token/renew-self' will be called with the client
token.
This command is similar to "renew", but "renew" is only for leases; this
command is only for tokens.
An optional increment can be given to request a certain number of seconds to
increment the lease. This request is advisory; Vault may not adhere to it at
all. If a token is being passed in on the command line, the increment can as
well; otherwise it must be passed in via the '-increment' flag.
General Options:
` + meta.GeneralOptionsUsage() + `
Token Renew Options:
-increment=3600 The desired increment. If not supplied, Vault will
use the default TTL. If supplied, it may still be
ignored. This can be submitted as an integer number
of seconds or a string duration (e.g. "72h").
-format=table The format for output. By default it is a whitespace-
delimited table. This can also be json or yaml.
`
return strings.TrimSpace(helpText)
}