Add revoke-self endpoint.

Fixes #620.
2026-04-15 22:19:27 -04:00 · 2015-09-17 13:22:30 -04:00 · 2015-09-17 13:22:30 -04:00 · 913989e4b0
commit 913989e4b0
parent 91b9acf34b
3 changed files with 95 additions and 1 deletions
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -128,6 +128,17 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 				HelpDescription: strings.TrimSpace(tokenLookupHelp),
 			},

+			&framework.Path{
+				Pattern: "revoke-self",
+
+				Callbacks: map[logical.Operation]framework.OperationFunc{
+					logical.WriteOperation: t.handleRevokeSelf,
+				},
+
+				HelpSynopsis:    strings.TrimSpace(tokenRevokeSelfHelp),
+				HelpDescription: strings.TrimSpace(tokenRevokeSelfHelp),
+			},
+
 			&framework.Path{
 				Pattern: "revoke/(?P<token>.+)",

@ -579,6 +590,18 @@ func (ts *TokenStore) handleCreate(
 	return resp, nil
 }

+// handleRevokeSelf handles the auth/token/revoke-self path for revocation of tokens
+// in a way that revokes all child tokens. Normally, using sys/revoke/leaseID will revoke
+// the token and all children anyways, but that is only available when there is a lease.
+func (ts *TokenStore) handleRevokeSelf(
+	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	// Revoke the token and its children
+	if err := ts.RevokeTree(req.ClientToken); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+	return nil, nil
+}
+
 // handleRevokeTree handles the auth/token/revoke/id path for revocation of tokens
 // in a way that revokes all child tokens. Normally, using sys/revoke/leaseID will revoke
 // the token and all children anyways, but that is only available when there is a lease.
@ -737,7 +760,8 @@ which are enforced on every request. This backend also allows for generating sub
 as revocation of tokens. The tokens are renewable if associated with a lease.`
 	tokenCreateHelp       = `The token create path is used to create new tokens.`
 	tokenLookupHelp       = `This endpoint will lookup a token and its properties.`
-	tokenRevokeHelp       = `This endpoint will delete the token and all of its child tokens.`
+	tokenRevokeHelp       = `This endpoint will delete the given token and all of its child tokens.`
+	tokenRevokeSelfHelp   = `This endpoint will delete the token used to call it and all of its child tokens.`
 	tokenRevokeOrphanHelp = `This endpoint will delete the token and orphan its child tokens.`
 	tokenRevokePrefixHelp = `This endpoint will delete all tokens generated under a prefix with their child tokens.`
 	tokenRenewHelp        = `This endpoint will renew the token and prevent expiration.`
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -346,6 +346,49 @@ func TestTokenStore_RevokeTree(t *testing.T) {
 	}
 }

+func TestTokenStore_RevokeSelf(t *testing.T) {
+	_, ts, _ := mockTokenStore(t)
+
+	ent1 := &TokenEntry{}
+	if err := ts.Create(ent1); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	ent2 := &TokenEntry{Parent: ent1.ID}
+	if err := ts.Create(ent2); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	ent3 := &TokenEntry{Parent: ent2.ID}
+	if err := ts.Create(ent3); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	ent4 := &TokenEntry{Parent: ent2.ID}
+	if err := ts.Create(ent4); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req := logical.TestRequest(t, logical.WriteOperation, "revoke-self")
+	req.ClientToken = ent1.ID
+
+	resp, err := ts.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+
+	lookup := []string{ent1.ID, ent2.ID, ent3.ID, ent4.ID}
+	for _, id := range lookup {
+		out, err := ts.Lookup(id)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if out != nil {
+			t.Fatalf("bad: %#v", out)
+		}
+	}
+}
+
 func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) {
 	_, ts, root := mockTokenStore(t)

--- a/website/source/docs/auth/token.html.md
+++ b/website/source/docs/auth/token.html.md
@ -225,6 +225,33 @@ of the header should be "X-Vault-Token" and the value should be the token.
  </dd>
 </dl>

+### /auth/token/revoke-self/
+#### POST
+
+<dl class="api">
+  <dt>Description</dt>
+  <dd>
+    Revokes the token used to call it and all child tokens.
+    When the token is revoked, all secrets generated with
+    it are also revoked.
+  </dd>
+
+  <dt>Method</dt>
+  <dd>POST</dd>
+
+  <dt>URL</dt>
+  <dd>`/auth/token/revoke-self`</dd>
+
+  <dt>Parameters</dt>
+  <dd>
+    None
+  </dd>
+
+  <dt>Returns</dt>
+  <dd>`204` response code.
+  </dd>
+</dl>
+
 ### /auth/token/revoke-orphan/
 #### POST