v1.14.6/command/token_revoke.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package command

 import (
 	"fmt"
 	"strings"

 	"github.com/mitchellh/cli"
 	"github.com/posener/complete"
 )

 var (
 	_ cli.Command             = (*TokenRevokeCommand)(nil)
 	_ cli.CommandAutocomplete = (*TokenRevokeCommand)(nil)
 )

 type TokenRevokeCommand struct {
 	*BaseCommand

 	flagAccessor bool
 	flagSelf     bool
 	flagMode     string
 }

 func (c *TokenRevokeCommand) Synopsis() string {
 	return "Revoke a token and its children"
 }

 func (c *TokenRevokeCommand) Help() string {
 	helpText := `
 Usage: vault token revoke [options] [TOKEN | ACCESSOR]

   Revokes authentication tokens and their children. If a TOKEN is not provided,
   the locally authenticated token is used. The "-mode" flag can be used to
   control the behavior of the revocation. See the "-mode" flag documentation
   for more information.

   Revoke a token and all the token's children:

       $ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017

   Revoke a token leaving the token's children:

       $ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017

   Revoke a token by accessor:

       $ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da

   For a full list of examples, please see the documentation.

 ` + c.Flags().Help()

 	return strings.TrimSpace(helpText)
 }

 func (c *TokenRevokeCommand) Flags() *FlagSets {
 	set := c.flagSet(FlagSetHTTP)

 	f := set.NewFlagSet("Command Options")

 	f.BoolVar(&BoolVar{
 		Name:       "accessor",
 		Target:     &c.flagAccessor,
 		Default:    false,
 		EnvVar:     "",
 		Completion: complete.PredictNothing,
 		Usage:      "Treat the argument as an accessor instead of a token.",
 	})

 	f.BoolVar(&BoolVar{
 		Name:       "self",
 		Target:     &c.flagSelf,
 		Default:    false,
 		EnvVar:     "",
 		Completion: complete.PredictNothing,
 		Usage:      "Perform the revocation on the currently authenticated token.",
 	})

 	f.StringVar(&StringVar{
 		Name:       "mode",
 		Target:     &c.flagMode,
 		Default:    "",
 		EnvVar:     "",
 		Completion: complete.PredictSet("orphan", "path"),
 		Usage: "Type of revocation to perform. If unspecified, Vault will revoke " +
 			"the token and all of the token's children. If \"orphan\", Vault will " +
 			"revoke only the token, leaving the children as orphans. If \"path\", " +
 			"tokens created from the given authentication path prefix are deleted " +
 			"along with their children.",
 	})

 	return set
 }

 func (c *TokenRevokeCommand) AutocompleteArgs() complete.Predictor {
 	return nil
 }

 func (c *TokenRevokeCommand) AutocompleteFlags() complete.Flags {
 	return c.Flags().Completions()
 }

 func (c *TokenRevokeCommand) Run(args []string) int {
 	f := c.Flags()

 	if err := f.Parse(args); err != nil {
 		c.UI.Error(err.Error())
 		return 1
 	}

 	args = f.Args()
 	token := ""
 	if len(args) > 0 {
 		token = strings.TrimSpace(args[0])
 	}

 	switch c.flagMode {
 	case "", "orphan", "path":
 	default:
 		c.UI.Error(fmt.Sprintf("Invalid mode: %s", c.flagMode))
 		return 1
 	}

 	switch {
 	case c.flagSelf && len(args) > 0:
 		c.UI.Error(fmt.Sprintf("Too many arguments with -self (expected 0, got %d)", len(args)))
 		return 1
 	case !c.flagSelf && len(args) > 1:
 		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1 or -self, got %d)", len(args)))
 		return 1
 	case !c.flagSelf && len(args) < 1:
 		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1 or -self, got %d)", len(args)))
 		return 1
 	case c.flagSelf && c.flagAccessor:
 		c.UI.Error("Cannot use -self with -accessor!")
 		return 1
 	case c.flagSelf && c.flagMode != "":
 		c.UI.Error("Cannot use -self with -mode!")
 		return 1
 	case c.flagAccessor && c.flagMode == "orphan":
 		c.UI.Error("Cannot use -accessor with -mode=orphan!")
 		return 1
 	case c.flagAccessor && c.flagMode == "path":
 		c.UI.Error("Cannot use -accessor with -mode=path!")
 		return 1
 	}

 	client, err := c.Client()
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 2
 	}

 	var revokeFn func(string) error
 	// Handle all 6 possible combinations
 	switch {
 	case !c.flagAccessor && c.flagSelf && c.flagMode == "":
 		revokeFn = client.Auth().Token().RevokeSelf
 	case !c.flagAccessor && !c.flagSelf && c.flagMode == "":
 		revokeFn = client.Auth().Token().RevokeTree
 	case !c.flagAccessor && !c.flagSelf && c.flagMode == "orphan":
 		revokeFn = client.Auth().Token().RevokeOrphan
 	case !c.flagAccessor && !c.flagSelf && c.flagMode == "path":
 		revokeFn = client.Sys().RevokePrefix
 	case c.flagAccessor && !c.flagSelf && c.flagMode == "":
 		revokeFn = client.Auth().Token().RevokeAccessor
 	}

 	if err := revokeFn(token); err != nil {
 		c.UI.Error(fmt.Sprintf("Error revoking token: %s", err))
 		return 2
 	}

 	c.UI.Output("Success! Revoked token (if it existed)")
 	return 0
 }
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package command

	import (
	"fmt"
	"strings"

	"github.com/mitchellh/cli"
	"github.com/posener/complete"
	)

	var (
	_ cli.Command = (*TokenRevokeCommand)(nil)
	_ cli.CommandAutocomplete = (*TokenRevokeCommand)(nil)
	)

	type TokenRevokeCommand struct {
	*BaseCommand

	flagAccessor bool
	flagSelf bool
	flagMode string
	}

	func (c *TokenRevokeCommand) Synopsis() string {
	return "Revoke a token and its children"
	}

	func (c *TokenRevokeCommand) Help() string {
	helpText := `
	Usage: vault token revoke [options] [TOKEN \| ACCESSOR]

	Revokes authentication tokens and their children. If a TOKEN is not provided,
	the locally authenticated token is used. The "-mode" flag can be used to
	control the behavior of the revocation. See the "-mode" flag documentation
	for more information.

	Revoke a token and all the token's children:

	$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017

	Revoke a token leaving the token's children:

	$ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017

	Revoke a token by accessor:

	$ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da

	For a full list of examples, please see the documentation.

	` + c.Flags().Help()

	return strings.TrimSpace(helpText)
	}

	func (c TokenRevokeCommand) Flags() FlagSets {
	set := c.flagSet(FlagSetHTTP)

	f := set.NewFlagSet("Command Options")

	f.BoolVar(&BoolVar{
	Name: "accessor",
	Target: &c.flagAccessor,
	Default: false,
	EnvVar: "",
	Completion: complete.PredictNothing,
	Usage: "Treat the argument as an accessor instead of a token.",
	})

	f.BoolVar(&BoolVar{
	Name: "self",
	Target: &c.flagSelf,
	Default: false,
	EnvVar: "",
	Completion: complete.PredictNothing,
	Usage: "Perform the revocation on the currently authenticated token.",
	})

	f.StringVar(&StringVar{
	Name: "mode",
	Target: &c.flagMode,
	Default: "",
	EnvVar: "",
	Completion: complete.PredictSet("orphan", "path"),
	Usage: "Type of revocation to perform. If unspecified, Vault will revoke " +
	"the token and all of the token's children. If \"orphan\", Vault will " +
	"revoke only the token, leaving the children as orphans. If \"path\", " +
	"tokens created from the given authentication path prefix are deleted " +
	"along with their children.",
	})

	return set
	}

	func (c *TokenRevokeCommand) AutocompleteArgs() complete.Predictor {
	return nil
	}

	func (c *TokenRevokeCommand) AutocompleteFlags() complete.Flags {
	return c.Flags().Completions()
	}

	func (c *TokenRevokeCommand) Run(args []string) int {
	f := c.Flags()

	if err := f.Parse(args); err != nil {
	c.UI.Error(err.Error())
	return 1
	}

	args = f.Args()
	token := ""
	if len(args) > 0 {
	token = strings.TrimSpace(args[0])
	}

	switch c.flagMode {
	case "", "orphan", "path":
	default:
	c.UI.Error(fmt.Sprintf("Invalid mode: %s", c.flagMode))
	return 1
	}

	switch {
	case c.flagSelf && len(args) > 0:
	c.UI.Error(fmt.Sprintf("Too many arguments with -self (expected 0, got %d)", len(args)))
	return 1
	case !c.flagSelf && len(args) > 1:
	c.UI.Error(fmt.Sprintf("Too many arguments (expected 1 or -self, got %d)", len(args)))
	return 1
	case !c.flagSelf && len(args) < 1:
	c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1 or -self, got %d)", len(args)))
	return 1
	case c.flagSelf && c.flagAccessor:
	c.UI.Error("Cannot use -self with -accessor!")
	return 1
	case c.flagSelf && c.flagMode != "":
	c.UI.Error("Cannot use -self with -mode!")
	return 1
	case c.flagAccessor && c.flagMode == "orphan":
	c.UI.Error("Cannot use -accessor with -mode=orphan!")
	return 1
	case c.flagAccessor && c.flagMode == "path":
	c.UI.Error("Cannot use -accessor with -mode=path!")
	return 1
	}

	client, err := c.Client()
	if err != nil {
	c.UI.Error(err.Error())
	return 2
	}

	var revokeFn func(string) error
	// Handle all 6 possible combinations
	switch {
	case !c.flagAccessor && c.flagSelf && c.flagMode == "":
	revokeFn = client.Auth().Token().RevokeSelf
	case !c.flagAccessor && !c.flagSelf && c.flagMode == "":
	revokeFn = client.Auth().Token().RevokeTree
	case !c.flagAccessor && !c.flagSelf && c.flagMode == "orphan":
	revokeFn = client.Auth().Token().RevokeOrphan
	case !c.flagAccessor && !c.flagSelf && c.flagMode == "path":
	revokeFn = client.Sys().RevokePrefix
	case c.flagAccessor && !c.flagSelf && c.flagMode == "":
	revokeFn = client.Auth().Token().RevokeAccessor
	}

	if err := revokeFn(token); err != nil {
	c.UI.Error(fmt.Sprintf("Error revoking token: %s", err))
	return 2
	}

	c.UI.Output("Success! Revoked token (if it existed)")
	return 0
	}