parent
91b9acf34b
commit
913989e4b0
3 changed files with 95 additions and 1 deletions
@ -128,6 +128,17 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
|
|||
HelpDescription: strings.TrimSpace(tokenLookupHelp),
|
||||
},
|
||||
|
||||
&framework.Path{
|
||||
Pattern: "revoke-self",
|
||||
|
||||
Callbacks: map[logical.Operation]framework.OperationFunc{
|
||||
logical.WriteOperation: t.handleRevokeSelf,
|
||||
},
|
||||
|
||||
HelpSynopsis: strings.TrimSpace(tokenRevokeSelfHelp),
|
||||
HelpDescription: strings.TrimSpace(tokenRevokeSelfHelp),
|
||||
},
|
||||
|
||||
&framework.Path{
|
||||
Pattern: "revoke/(?P<token>.+)",
|
||||
|
||||
|
|
@ -579,6 +590,18 @@ func (ts *TokenStore) handleCreate(
|
|||
return resp, nil
|
||||
}
|
||||
|
||||
// handleRevokeSelf handles the auth/token/revoke-self path for revocation of tokens
|
||||
// in a way that revokes all child tokens. Normally, using sys/revoke/leaseID will revoke
|
||||
// the token and all children anyways, but that is only available when there is a lease.
|
||||
func (ts *TokenStore) handleRevokeSelf(
|
||||
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
// Revoke the token and its children
|
||||
if err := ts.RevokeTree(req.ClientToken); err != nil {
|
||||
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
|
||||
}
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// handleRevokeTree handles the auth/token/revoke/id path for revocation of tokens
|
||||
// in a way that revokes all child tokens. Normally, using sys/revoke/leaseID will revoke
|
||||
// the token and all children anyways, but that is only available when there is a lease.
|
||||
|
|
@ -737,7 +760,8 @@ which are enforced on every request. This backend also allows for generating sub
|
|||
as revocation of tokens. The tokens are renewable if associated with a lease.`
|
||||
tokenCreateHelp = `The token create path is used to create new tokens.`
|
||||
tokenLookupHelp = `This endpoint will lookup a token and its properties.`
|
||||
tokenRevokeHelp = `This endpoint will delete the token and all of its child tokens.`
|
||||
tokenRevokeHelp = `This endpoint will delete the given token and all of its child tokens.`
|
||||
tokenRevokeSelfHelp = `This endpoint will delete the token used to call it and all of its child tokens.`
|
||||
tokenRevokeOrphanHelp = `This endpoint will delete the token and orphan its child tokens.`
|
||||
tokenRevokePrefixHelp = `This endpoint will delete all tokens generated under a prefix with their child tokens.`
|
||||
tokenRenewHelp = `This endpoint will renew the token and prevent expiration.`
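Review bot: `handleRevokeSelf` in the second hunk (the `func (ts *TokenStore) handleRevokeSelf(` line onward) hands `req.ClientToken` straight to `RevokeTree` without checking that it is non-empty; `RevokeTree` lives outside this hunk, so whether an empty id is rejected there cannot be seen here, and a revocation keyed on a blank token should fail closed rather than silently succeed. I would add `if req.ClientToken == "" { return logical.ErrorResponse("missing client token"), logical.ErrInvalidRequest }` ahead of the `RevokeTree` call. The handler also maps every `RevokeTree` failure, including backend storage errors, to `logical.ErrInvalidRequest` with the raw error text in the response; unless that mirrors the sibling `handleRevokeTree` convention (its body is outside the hunk), returning `nil, err` for non-client failures keeps backend detail out of a 400. Keying the operation on the caller's own token rather than a path parameter is the right shape for a self-revoke: unlike `revoke/(?P<token>.+)` in the first hunk, the token id never has to travel in a URL.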
@ -346,6 +346,49 @@ func TestTokenStore_RevokeTree(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestTokenStore_RevokeSelf(t *testing.T) {
|
||||
_, ts, _ := mockTokenStore(t)
|
||||
|
||||
ent1 := &TokenEntry{}
|
||||
if err := ts.Create(ent1); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
ent2 := &TokenEntry{Parent: ent1.ID}
|
||||
if err := ts.Create(ent2); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
ent3 := &TokenEntry{Parent: ent2.ID}
|
||||
if err := ts.Create(ent3); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
ent4 := &TokenEntry{Parent: ent2.ID}
|
||||
if err := ts.Create(ent4); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
req := logical.TestRequest(t, logical.WriteOperation, "revoke-self")
|
||||
req.ClientToken = ent1.ID
|
||||
|
||||
resp, err := ts.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v %v", err, resp)
|
||||
}
|
||||
|
||||
lookup := []string{ent1.ID, ent2.ID, ent3.ID, ent4.ID}
|
||||
for _, id := range lookup {
|
||||
out, err := ts.Lookup(id)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if out != nil {
|
||||
t.Fatalf("bad: %#v", out)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) {
|
||||
_, ts, root := mockTokenStore(t)
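Review bot: `TestTokenStore_RevokeSelf` only asserts that ent1–ent4 are gone after the `revoke-self` request, so a handler that revoked more than the caller's subtree, or the whole store, would pass just as well. Create one token that is not a descendant of ent1 before the request and assert it still resolves afterwards; the root returned by `mockTokenStore` (discarded with `_` here, bound as `root` in the next test) might serve instead, if it is a looked-up entry. It is also worth asserting `resp == nil` after `HandleRequest`, since the documented contract in the API page of this commit is an empty `204` response. The function is fully inside the hunk; the added lines are below.
```go
// … unchanged: ent1–ent4 creation …

// A token outside ent1's subtree must survive revoke-self.
ent5 := &TokenEntry{}
if err := ts.Create(ent5); err != nil {
	t.Fatalf("err: %v", err)
}

// … unchanged: revoke-self request and lookup loop over ent1–ent4 …

if resp != nil {
	t.Fatalf("expected empty response, got: %#v", resp)
}
if out, err := ts.Lookup(ent5.ID); err != nil || out == nil {
	t.Fatalf("unrelated token was revoked: %v %v", out, err)
}
```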
@ -225,6 +225,33 @@ of the header should be "X-Vault-Token" and the value should be the token.
|
|||
</dd>
|
||||
</dl>
|
||||
|
||||
### /auth/token/revoke-self/
|
||||
#### POST
|
||||
|
||||
<dl class="api">
|
||||
<dt>Description</dt>
|
||||
<dd>
|
||||
Revokes the token used to call it and all child tokens.
|
||||
When the token is revoked, all secrets generated with
|
||||
it are also revoked.
|
||||
</dd>
|
||||
|
||||
<dt>Method</dt>
|
||||
<dd>POST</dd>
|
||||
|
||||
<dt>URL</dt>
|
||||
<dd>`/auth/token/revoke-self`</dd>
|
||||
|
||||
<dt>Parameters</dt>
|
||||
<dd>
|
||||
None
|
||||
</dd>
|
||||
|
||||
<dt>Returns</dt>
|
||||
<dd>`204` response code.
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
### /auth/token/revoke-orphan/
|
||||
#### POST
|
||||
|
||||
|
|