Merge pull request #1280 from hashicorp/remove-ts-revoke-prefix

Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
hashicorp · Apr 1, 2016 · a0bc0dc · a0bc0dc
2 parents 1c249e2 + de5bba4
commit a0bc0dc
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 123 deletions.
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
@@ -456,6 +456,65 @@ func TestSystemBackend_revokePrefix(t *testing.T) {
 	}
 }
 
+func TestSystemBackend_revokePrefixAuth(t *testing.T) {
+	core, ts, _, _ := TestCoreWithTokenStore(t)
+	bc := &logical.BackendConfig{
+		Logger: core.logger,
+		System: logical.StaticSystemView{
+			DefaultLeaseTTLVal: time.Hour * 24,
+			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+		},
+	}
+	b := NewSystemBackend(core, bc)
+	exp := ts.expiration
+
+	te := &TokenEntry{
+		ID:   "foo",
+		Path: "auth/github/login/bar",
+	}
+	err := ts.create(te)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	te, err = ts.Lookup("foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if te == nil {
+		t.Fatal("token entry was nil")
+	}
+
+	// Create a new token
+	auth := &logical.Auth{
+		ClientToken: te.ID,
+		LeaseOptions: logical.LeaseOptions{
+			TTL: time.Hour,
+		},
+	}
+	err = exp.RegisterAuth(te.Path, auth)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
+	resp, err := b.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	te, err = ts.Lookup(te.ID)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if te != nil {
+		t.Fatalf("bad: %v", te)
+	}
+}
+
 func TestSystemBackend_authTable(t *testing.T) {
 	b := testSystemBackend(t)
 	req := logical.TestRequest(t, logical.ReadOperation, "auth")

diff --git a/vault/token_store.go b/vault/token_store.go
@@ -92,7 +92,6 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 
 		PathsSpecial: &logical.Paths{
 			Root: []string{
-				"revoke-prefix/*",
 				"revoke-orphan/*",
 			},
 		},
@@ -315,24 +314,6 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 				HelpDescription: strings.TrimSpace(tokenRevokeOrphanHelp),
 			},
 
-			&framework.Path{
-				Pattern: "revoke-prefix" + framework.OptionalParamRegex("prefix"),
-
-				Fields: map[string]*framework.FieldSchema{
-					"prefix": &framework.FieldSchema{
-						Type:        framework.TypeString,
-						Description: "Token source prefix to revoke",
-					},
-				},
-
-				Callbacks: map[logical.Operation]framework.OperationFunc{
-					logical.UpdateOperation: t.handleRevokePrefix,
-				},
-
-				HelpSynopsis:    strings.TrimSpace(tokenRevokePrefixHelp),
-				HelpDescription: strings.TrimSpace(tokenRevokePrefixHelp),
-			},
-
 			&framework.Path{
 				Pattern: "renew-self$",
 
@@ -1099,27 +1080,6 @@ func (ts *TokenStore) handleRevokeOrphan(
 	return nil, nil
 }
 
-// handleRevokePrefix handles the auth/token/revoke-prefix/path for revocation of tokens
-// generated by a given path.
-func (ts *TokenStore) handleRevokePrefix(
-	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	// Parse the prefix
-	prefix := data.Get("prefix").(string)
-	if prefix == "" {
-		return logical.ErrorResponse("missing source prefix"), logical.ErrInvalidRequest
-	}
-
-	if !strings.HasPrefix(prefix, "auth/") {
-		return logical.ErrorResponse("prefix to revoke must begin with 'auth/'"), logical.ErrInvalidRequest
-	}
-
-	// Revoke using the prefix
-	if err := ts.expiration.RevokePrefix(prefix); err != nil {
-		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
-	}
-	return nil, nil
-}
-
 // handleLookup handles the auth/token/lookup/id path for querying information about
 // a particular token. This can be used to see which policies are applicable.
 func (ts *TokenStore) handleLookup(
@@ -1428,7 +1388,6 @@ as revocation of tokens. The tokens are renewable if associated with a lease.`
 	tokenRevokeHelp          = `This endpoint will delete the given token and all of its child tokens.`
 	tokenRevokeSelfHelp      = `This endpoint will delete the token used to call it and all of its child tokens.`
 	tokenRevokeOrphanHelp    = `This endpoint will delete the token and orphan its child tokens.`
-	tokenRevokePrefixHelp    = `This endpoint will delete all tokens generated under a prefix with their child tokens.`
 	tokenRenewHelp           = `This endpoint will renew the given token and prevent expiration.`
 	tokenRenewSelfHelp       = `This endpoint will renew the token used to call it and prevent expiration.`
 	tokenAllowedPoliciesHelp = `If set, tokens created via this role

diff --git a/vault/token_store_test.go b/vault/token_store_test.go
@@ -1041,52 +1041,6 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 	}
 }
 
-func TestTokenStore_HandleRequest_RevokePrefix(t *testing.T) {
-	exp := mockExpiration(t)
-	ts := exp.tokenStore
-
-	// Create new token
-	root, err := ts.rootToken()
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	// Create a new token
-	auth := &logical.Auth{
-		ClientToken: root.ID,
-		LeaseOptions: logical.LeaseOptions{
-			TTL: time.Hour,
-		},
-	}
-	err = exp.RegisterAuth("auth/github/login", auth)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/github/")
-	resp, err := ts.HandleRequest(req)
-	if err == nil {
-		t.Fatalf("expected error since prefix does not start with 'auth/'")
-	}
-
-	req = logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
-	resp, err = ts.HandleRequest(req)
-	if err != nil {
-		t.Fatalf("err: %v %v", err, resp)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %#v", resp)
-	}
-
-	out, err := ts.Lookup(root.ID)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if out != nil {
-		t.Fatalf("bad: %v", out)
-	}
-}
-
 func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
 	_, ts, _, root := TestCoreWithTokenStore(t)
 	req := logical.TestRequest(t, logical.ReadOperation, "lookup-self")

diff --git a/website/source/docs/auth/token.html.md b/website/source/docs/auth/token.html.md
@@ -459,40 +459,6 @@ of the header should be "X-Vault-Token" and the value should be the token.
   </dd>
 </dl>
 
-### /auth/token/revoke-prefix[/prefix]
-#### POST
-
-<dl class="api">
-  <dt>Description</dt>
-  <dd>
-    Revokes all tokens generated at a given prefix, along with child tokens,
-    and all secrets generated using those tokens. Uses include revoking all
-    tokens generated by a credential backend during a suspected compromise.
-    This is a root-protected endpoint.
-  </dd>
-
-  <dt>Method</dt>
-  <dd>POST</dd>
-
-  <dt>URL</dt>
-  <dd>`/auth/token/revoke-prefix</prefix>`</dd>
-
-  <dt>Parameters</dt>
-  <dd>
-    <ul>
-      <li>
-        <span class="param">token</span>
-        <span class="param-flags">required</span>
-            Token source prefix to revoke. This can be part of the URL or the body.
-      </li>
-    </ul>
-  </dd>
-
-  <dt>Returns</dt>
-  <dd>`204` response code.
-  </dd>
-</dl>
-
 ### /auth/token/roles/[role_name]
 
 #### DELETE 
@@ -599,7 +565,7 @@ of the header should be "X-Vault-Token" and the value should be the token.
     available or would require `sudo`/root privileges to access. Role
     parameters, when set, override any provided options to the `create`
     endpoints. The role name is also included in the token path, allowing all
-    tokens created against a role to be revoked using the `revoke-prefix`
+    tokens created against a role to be revoked using the `sys/revoke-prefix`
     endpoint.
   </dd>
 
@@ -645,7 +611,7 @@ of the header should be "X-Vault-Token" and the value should be the token.
         revoking all tokens created against it before some point in time. The
         suffix can be changed, allowing new callers to have the new suffix as
         part of their path, and then tokens with the old suffix can be revoked
-        via `revoke-prefix`.
+        via `sys/revoke-prefix`.
       </li>
     </ul>
   </dd>