Accessor paths for lookup and revocation of tokens

api/secret.go

@@ -28,6 +28,7 @@ type Secret struct {
 // SecretAuth is the structure containing auth information if we have it.
 type SecretAuth struct {
 	ClientToken string            `json:"client_token"`
+	Accessor    string            `json:"accessor"`
 	Policies    []string          `json:"policies"`
 	Metadata    map[string]string `json:"metadata"`
 

command/format.go

@@ -143,6 +143,7 @@ func (t TableFormatter) OutputSecret(ui cli.Ui, secret, s *api.Secret) error {
 
 	if s.Auth != nil {
 		input = append(input, fmt.Sprintf("token %s %s", config.Delim, s.Auth.ClientToken))
+		input = append(input, fmt.Sprintf("token_accessor %s %s", config.Delim, s.Auth.Accessor))
 		input = append(input, fmt.Sprintf("token_duration %s %d", config.Delim, s.Auth.LeaseDuration))
 		input = append(input, fmt.Sprintf("token_renewable %s %v", config.Delim, s.Auth.Renewable))
 		input = append(input, fmt.Sprintf("token_policies %s %v", config.Delim, s.Auth.Policies))

http/handler.go

@@ -8,6 +8,7 @@ import (
 	"net/url"
 	"strings"
 
+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
 )
@@ -34,6 +35,7 @@ func Handler(core *vault.Core) http.Handler {
 	mux.Handle("/v1/sys/rekey/update", handleSysRekeyUpdate(core))
 	mux.Handle("/v1/sys/capabilities", handleSysCapabilities(core))
 	mux.Handle("/v1/sys/capabilities-self", handleSysCapabilities(core))
+	mux.Handle("/v1/sys/capabilities-accessor", handleSysCapabilitiesAccessor(core))
 	mux.Handle("/v1/sys/", handleLogical(core, true))
 	mux.Handle("/v1/", handleLogical(core, false))
 
@@ -79,7 +81,7 @@ func request(core *vault.Core, w http.ResponseWriter, rawReq *http.Request, r *l
 		return resp, false
 	}
 	if err != nil {
-		respondError(w, http.StatusInternalServerError, err)
+		respondErrorStatus(w, err)
 		return resp, false
 	}
 
@@ -139,6 +141,18 @@ func requestAuth(r *http.Request, req *logical.Request) *logical.Request {
 	return req
 }
 
+// Determines the type of the error being returned and sets the HTTP
+// status code appropriately
+func respondErrorStatus(w http.ResponseWriter, err error) {
+	status := http.StatusInternalServerError
+	switch {
+	// Keep adding more error types here to appropriate the status codes
+	case errwrap.ContainsType(err, new(vault.StatusBadRequest)):
+		status = http.StatusBadRequest
+	}
+	respondError(w, status, err)
+}
+
 func respondError(w http.ResponseWriter, status int, err error) {
 	// Adjust status code when sealed
 	if err == vault.ErrSealed {

http/logical.go

@@ -124,6 +124,7 @@ func respondLogical(w http.ResponseWriter, r *http.Request, path string, dataOnl
 		if resp.Auth != nil {
 			logicalResp.Auth = &Auth{
 				ClientToken:   resp.Auth.ClientToken,
+				Accessor:      resp.Auth.Accessor,
 				Policies:      resp.Auth.Policies,
 				Metadata:      resp.Auth.Metadata,
 				LeaseDuration: int(resp.Auth.TTL.Seconds()),
@@ -218,6 +219,7 @@ type LogicalResponse struct {
 
 type Auth struct {
 	ClientToken   string            `json:"client_token"`
+	Accessor      string            `json:"accessor"`
 	Policies      []string          `json:"policies"`
 	Metadata      map[string]string `json:"metadata"`
 	LeaseDuration int               `json:"lease_duration"`

http/logical_test.go

@@ -140,6 +140,7 @@ func TestLogical_StandbyRedirect(t *testing.T) {
 	testResponseBody(t, resp, &actual)
 	actualDataMap := actual["data"].(map[string]interface{})
 	delete(actualDataMap, "creation_time")
+	delete(actualDataMap, "accessor")
 	actual["data"] = actualDataMap
 	delete(actual, "lease_id")
 	if !reflect.DeepEqual(actual, expected) {
@@ -180,6 +181,7 @@ func TestLogical_CreateToken(t *testing.T) {
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
 	delete(actual["auth"].(map[string]interface{}), "client_token")
+	delete(actual["auth"].(map[string]interface{}), "accessor")
 	if !reflect.DeepEqual(actual, expected) {
 		t.Fatalf("bad:\nexpected:\n%#v\nactual:\n%#v", expected, actual)
 	}

http/sys_capabilities.go

@@ -4,12 +4,11 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
 )
 
-func handleSysCapabilities(core *vault.Core) http.Handler {
+func handleSysCapabilitiesAccessor(core *vault.Core) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.Method {
 		case "PUT":
@@ -19,8 +18,35 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 			return
 		}
 
-		// Get the auth for the request so we can access the token directly
-		req := requestAuth(r, &logical.Request{})
+		// Parse the request if we can
+		var data capabilitiesAccessorRequest
+		if err := parseRequest(r, &data); err != nil {
+			respondError(w, http.StatusBadRequest, err)
+			return
+		}
+
+		capabilities, err := core.CapabilitiesAccessor(data.Accessor, data.Path)
+		if err != nil {
+			respondErrorStatus(w, err)
+			return
+		}
+
+		respondOk(w, &capabilitiesResponse{
+			Capabilities: capabilities,
+		})
+	})
+
+}
+
+func handleSysCapabilities(core *vault.Core) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case "PUT":
+		case "POST":
+		default:
+			respondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
 
 		// Parse the request if we can
 		var data capabilitiesRequest
@@ -30,18 +56,15 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 		}
 
 		if strings.HasPrefix(r.URL.Path, "/v1/sys/capabilities-self") {
+			// Get the auth for the request so we can access the token directly
+			req := requestAuth(r, &logical.Request{})
 			data.Token = req.ClientToken
 		}
 
 		capabilities, err := core.Capabilities(data.Token, data.Path)
 		if err != nil {
-			if errwrap.ContainsType(err, new(vault.ErrUserInput)) {
-				respondError(w, http.StatusBadRequest, err)
-				return
-			} else {
-				respondError(w, http.StatusInternalServerError, err)
-				return
-			}
+			respondErrorStatus(w, err)
+			return
 		}
 
 		respondOk(w, &capabilitiesResponse{
@@ -59,3 +82,8 @@ type capabilitiesRequest struct {
 	Token string `json:"token"`
 	Path  string `json:"path"`
 }
+
+type capabilitiesAccessorRequest struct {
+	Accessor string `json:"accessor"`
+	Path     string `json:"path"`
+}

http/sys_capabilities_test.go

@@ -7,6 +7,78 @@ import (
 	"github.com/hashicorp/vault/vault"
 )
 
+func TestSysCapabilitiesAccessor(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	// Lookup the token properties
+	resp := testHttpGet(t, token, addr+"/v1/auth/token/lookup/"+token)
+	var lookupResp map[string]interface{}
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &lookupResp)
+
+	// Retrieve the accessor from the token properties
+	lookupData := lookupResp["data"].(map[string]interface{})
+	accessor := lookupData["accessor"].(string)
+
+	resp = testHttpPost(t, token, addr+"/v1/sys/capabilities-accessor", map[string]interface{}{
+		"accessor": accessor,
+		"path":     "testpath",
+	})
+
+	var actual map[string][]string
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
+
+	expected := map[string][]string{
+		"capabilities": []string{"root"},
+	}
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
+	}
+
+	// Testing for non-root token's accessor
+	// Create a policy first
+	resp = testHttpPost(t, token, addr+"/v1/sys/policy/foo", map[string]interface{}{
+		"rules": `path "testpath" {capabilities = ["read","sudo"]}`,
+	})
+	testResponseStatus(t, resp, 204)
+
+	// Create a token against the test policy
+	resp = testHttpPost(t, token, addr+"/v1/auth/token/create", map[string]interface{}{
+		"policies": []string{"foo"},
+	})
+
+	var tokenResp map[string]interface{}
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &tokenResp)
+
+	// Check if desired policies are present in the token
+	auth := tokenResp["auth"].(map[string]interface{})
+	actualPolicies := auth["policies"]
+	expectedPolicies := []interface{}{"default", "foo"}
+	if !reflect.DeepEqual(actualPolicies, expectedPolicies) {
+		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actualPolicies, expectedPolicies)
+	}
+
+	// Check the capabilities of non-root token using the accessor
+	resp = testHttpPost(t, token, addr+"/v1/sys/capabilities-accessor", map[string]interface{}{
+		"accessor": auth["accessor"],
+		"path":     "testpath",
+	})
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
+
+	expected = map[string][]string{
+		"capabilities": []string{"sudo", "read"},
+	}
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
+	}
+}
+
 func TestSysCapabilities(t *testing.T) {
 	core, _, token := vault.TestCoreUnsealed(t)
 	ln, addr := TestServer(t, core)

http/sys_generate_root_test.go

@@ -309,6 +309,7 @@ func TestSysGenerateRoot_Update_OTP(t *testing.T) {
 	testResponseBody(t, resp, &actual)
 
 	expected["creation_time"] = actual["data"].(map[string]interface{})["creation_time"]
+	expected["accessor"] = actual["data"].(map[string]interface{})["accessor"]
 
 	if !reflect.DeepEqual(actual["data"], expected) {
 		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual["data"])
@@ -389,6 +390,7 @@ func TestSysGenerateRoot_Update_PGP(t *testing.T) {
 	testResponseBody(t, resp, &actual)
 
 	expected["creation_time"] = actual["data"].(map[string]interface{})["creation_time"]
+	expected["accessor"] = actual["data"].(map[string]interface{})["accessor"]
 
 	if !reflect.DeepEqual(actual["data"], expected) {
 		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual["data"])

logical/auth.go

@@ -33,6 +33,13 @@ type Auth struct {
 	// This will be filled in by Vault core when an auth structure is
 	// returned. Setting this manually will have no effect.
 	ClientToken string
+
+	// Accessor is the identifier for the ClientToken. This can be used
+	// to perform management functionalities (especially revocation) when
+	// ClientToken in the audit logs are obfuscated. Accessor can be used
+	// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
+	// both without actually knowing the ClientToken.
+	Accessor string
 }
 
 func (a *Auth) GoString() string {

vault/capabilities.go

@@ -3,37 +3,50 @@ package vault
 // Struct to identify user input errors.
 // This is helpful in responding the appropriate status codes to clients
 // from the HTTP endpoints.
-type ErrUserInput struct {
-	Message string
+type StatusBadRequest struct {
+	Err string
 }
 
 // Implementing error interface
-func (e *ErrUserInput) Error() string {
-	return e.Message
+func (s *StatusBadRequest) Error() string {
+	return s.Err
+}
+
+// CapabilitiesAccessor is used to fetch the capabilities of the token
+// which associated with the given accessor on the given path
+func (c *Core) CapabilitiesAccessor(accessor, path string) ([]string, error) {
+	if path == "" {
+		return nil, &StatusBadRequest{Err: "missing path"}
+	}
+
+	if accessor == "" {
+		return nil, &StatusBadRequest{Err: "missing accessor"}
+	}
+
+	token, err := c.tokenStore.lookupByAccessor(accessor)
+	if err != nil {
+		return nil, err
+	}
+
+	return c.Capabilities(token, path)
 }
 
 // Capabilities is used to fetch the capabilities of the given token on the given path
 func (c *Core) Capabilities(token, path string) ([]string, error) {
 	if path == "" {
-		return nil, &ErrUserInput{
-			Message: "missing path",
-		}
+		return nil, &StatusBadRequest{Err: "missing path"}
 	}
 
 	if token == "" {
-		return nil, &ErrUserInput{
-			Message: "missing token",
-		}
+		return nil, &StatusBadRequest{Err: "missing token"}
 	}
 
 	te, err := c.tokenStore.Lookup(token)
 	if err != nil {
 		return nil, err
 	}
 	if te == nil {
-		return nil, &ErrUserInput{
-			Message: "invalid token",
-		}
+		return nil, &StatusBadRequest{Err: "invalid token"}
 	}
 
 	if te.Policies == nil {