From 34fdfbd8f54223454781283de227c4aefc0d8674 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Thu, 31 Mar 2016 18:04:05 -0400
Subject: [PATCH 1/2] Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
---
vault/logical_system_test.go | 59 ++++++++++++++++++++++++++++++++++++
vault/token_store.go | 41 -------------------------
vault/token_store_test.go | 46 ----------------------------
3 files changed, 59 insertions(+), 87 deletions(-)
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
index 904e1b2579171..bcedc471a636a 100644
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -456,6 +456,65 @@ func TestSystemBackend_revokePrefix(t *testing.T) {
 }
 }
 
+func TestSystemBackend_revokePrefixAuth(t *testing.T) {
+ core, ts, _, _ := TestCoreWithTokenStore(t)
+ bc := &logical.BackendConfig{
+ Logger: core.logger,
+ System: logical.StaticSystemView{
+ DefaultLeaseTTLVal: time.Hour * 24,
+ MaxLeaseTTLVal: time.Hour * 24 * 30,
+ },
+ }
+ b := NewSystemBackend(core, bc)
+ exp := ts.expiration
+
+ te := &TokenEntry{
+ ID: "foo",
+ Path: "auth/github/login/bar",
+ }
+ err := ts.create(te)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ te, err = ts.Lookup("foo")
+ if err != nil {
+ t.Fatal(err)
+ }
+ if te == nil {
+ t.Fatal("token entry was nil")
+ }
+
+ // Create a new token
+ auth := &logical.Auth{
+ ClientToken: te.ID,
+ LeaseOptions: logical.LeaseOptions{
+ TTL: time.Hour,
+ },
+ }
+ err = exp.RegisterAuth(te.Path, auth)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+
+ req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
+ resp, err := b.HandleRequest(req)
+ if err != nil {
+ t.Fatalf("err: %v %v", err, resp)
+ }
+ if resp != nil {
+ t.Fatalf("bad: %#v", resp)
+ }
+
+ te, err = ts.Lookup(te.ID)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if te != nil {
+ t.Fatalf("bad: %v", te)
+ }
+}
+
 func TestSystemBackend_authTable(t *testing.T) {
 b := testSystemBackend(t)
 req := logical.TestRequest(t, logical.ReadOperation, "auth")
diff --git a/vault/token_store.go b/vault/token_store.go
index 12489bd8c310f..6daa651f1e248 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -92,7 +92,6 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 
 PathsSpecial: &logical.Paths{
 Root: []string{
- "revoke-prefix/*",
 "revoke-orphan/*",
 },
 },
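Review bot: TestSystemBackend_revokePrefixAuth only checks that the entry created under `auth/github/login/bar` is gone after `revoke-prefix/auth/github/`; no token outside that prefix is registered, so a regression that revoked too broadly (or everything) would pass unnoticed. The handler removed from token_store.go later in this series was the place that rejected prefixes not starting with `auth/`, so this test is now the only coverage of prefix scoping for auth tokens and is worth making a positive-and-negative check. Register a second entry under a different auth path before the revoke and assert that `ts.Lookup` still returns it afterwards; the second path below is a constructed example and presumably goes through `RegisterAuth` the same way `auth/github/login/bar` does here, which is worth confirming. As a smaller point, the final lookup reassigns `te`, so on failure `t.Fatalf("bad: %v", te)` prints the surviving entry without saying which id was expected to be revoked; `t.Fatalf("token %q still present after revoke-prefix: %v", "foo", te)` reads better.
```go
	err = exp.RegisterAuth(te.Path, auth)
	// … unchanged: error check on RegisterAuth …

	// Control entry outside the prefix being revoked; it must survive.
	other := &TokenEntry{
		ID:   "other",
		Path: "auth/userpass/login/baz", // constructed example path
	}
	if err := ts.create(other); err != nil {
		t.Fatal(err)
	}
	otherAuth := &logical.Auth{
		ClientToken:  other.ID,
		LeaseOptions: logical.LeaseOptions{TTL: time.Hour},
	}
	if err := exp.RegisterAuth(other.Path, otherAuth); err != nil {
		t.Fatalf("err: %v", err)
	}

	// … unchanged: revoke-prefix/auth/github/ request, response check and lookup of "foo" …

	out, err := ts.Lookup(other.ID)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if out == nil {
		t.Fatal("token outside the revoked prefix was revoked")
	}
```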
@@ -315,24 +314,6 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 HelpDescription: strings.TrimSpace(tokenRevokeOrphanHelp),
 },
 
- &framework.Path{
- Pattern: "revoke-prefix" + framework.OptionalParamRegex("prefix"),
-
- Fields: map[string]*framework.FieldSchema{
- "prefix": &framework.FieldSchema{
- Type: framework.TypeString,
- Description: "Token source prefix to revoke",
- },
- },
-
- Callbacks: map[logical.Operation]framework.OperationFunc{
- logical.UpdateOperation: t.handleRevokePrefix,
- },
-
- HelpSynopsis: strings.TrimSpace(tokenRevokePrefixHelp),
- HelpDescription: strings.TrimSpace(tokenRevokePrefixHelp),
- },
-
 &framework.Path{
 Pattern: "renew-self$",
 
@@ -1099,27 +1080,6 @@ func (ts *TokenStore) handleRevokeOrphan(
 return nil, nil
 }
 
-// handleRevokePrefix handles the auth/token/revoke-prefix/path for revocation of tokens
-// generated by a given path.
-func (ts *TokenStore) handleRevokePrefix(
- req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
- // Parse the prefix
- prefix := data.Get("prefix").(string)
- if prefix == "" {
- return logical.ErrorResponse("missing source prefix"), logical.ErrInvalidRequest
- }
-
- if !strings.HasPrefix(prefix, "auth/") {
- return logical.ErrorResponse("prefix to revoke must begin with 'auth/'"), logical.ErrInvalidRequest
- }
-
- // Revoke using the prefix
- if err := ts.expiration.RevokePrefix(prefix); err != nil {
- return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
- }
- return nil, nil
-}
-
 // handleLookup handles the auth/token/lookup/id path for querying information about
 // a particular token. This can be used to see which policies are applicable.
 func (ts *TokenStore) handleLookup(
@@ -1428,7 +1388,6 @@ as revocation of tokens. The tokens are renewable if associated with a lease.`
 tokenRevokeHelp = `This endpoint will delete the given token and all of its child tokens.`
 tokenRevokeSelfHelp = `This endpoint will delete the token used to call it and all of its child tokens.`
 tokenRevokeOrphanHelp = `This endpoint will delete the token and orphan its child tokens.`
- tokenRevokePrefixHelp = `This endpoint will delete all tokens generated under a prefix with their child tokens.`
 tokenRenewHelp = `This endpoint will renew the given token and prevent expiration.`
 tokenRenewSelfHelp = `This endpoint will renew the token used to call it and prevent expiration.`
 tokenAllowedPoliciesHelp = `If set, tokens created via this role
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index ef7ec3ae30460..53ae09bd4b7ff 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -1041,52 +1041,6 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 }
 }
 
-func TestTokenStore_HandleRequest_RevokePrefix(t *testing.T) {
- exp := mockExpiration(t)
- ts := exp.tokenStore
-
- // Create new token
- root, err := ts.rootToken()
- if err != nil {
- t.Fatalf("err: %v", err)
- }
-
- // Create a new token
- auth := &logical.Auth{
- ClientToken: root.ID,
- LeaseOptions: logical.LeaseOptions{
- TTL: time.Hour,
- },
- }
- err = exp.RegisterAuth("auth/github/login", auth)
- if err != nil {
- t.Fatalf("err: %v", err)
- }
-
- req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/github/")
- resp, err := ts.HandleRequest(req)
- if err == nil {
- t.Fatalf("expected error since prefix does not start with 'auth/'")
- }
-
- req = logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
- resp, err = ts.HandleRequest(req)
- if err != nil {
- t.Fatalf("err: %v %v", err, resp)
- }
- if resp != nil {
- t.Fatalf("bad: %#v", resp)
- }
-
- out, err := ts.Lookup(root.ID)
- if err != nil {
- t.Fatalf("err: %v", err)
- }
- if out != nil {
- t.Fatalf("bad: %v", out)
- }
-}
-
 func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
 _, ts, _, root := TestCoreWithTokenStore(t)
 req := logical.TestRequest(t, logical.ReadOperation, "lookup-self")
From de5bba41628053ddfcb33f251f7ad9145c592b7a Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Thu, 31 Mar 2016 18:07:43 -0400
Subject: [PATCH 2/2] Documentation update
---
website/source/docs/auth/token.html.md | 38 ++------------------------
1 file changed, 2 insertions(+), 36 deletions(-)
diff --git a/website/source/docs/auth/token.html.md b/website/source/docs/auth/token.html.md
index 1bc488e4c02ea..fc8e4fe96cb8d 100644
--- a/website/source/docs/auth/token.html.md
+++ b/website/source/docs/auth/token.html.md
@@ -459,40 +459,6 @@ of the header should be "X-Vault-Token" and the value should be the token.
-### /auth/token/revoke-prefix[/prefix]
-#### POST
-
-
Description
-
- Revokes all tokens generated at a given prefix, along with child tokens, - and all secrets generated using those tokens. Uses include revoking all - tokens generated by a credential backend during a suspected compromise. - This is a root-protected endpoint. -
- -
Method
-
POST
- -
URL
-
`/auth/token/revoke-prefix`
- -
Parameters
-
-
    -
  • - token - required - Token source prefix to revoke. This can be part of the URL or the body. -
  • -
-
- -
Returns
-
`204` response code. -
-
- ### /auth/token/roles/[role_name] #### DELETE @@ -599,7 +565,7 @@ of the header should be "X-Vault-Token" and the value should be the token. available or would require `sudo`/root privileges to access. Role parameters, when set, override any provided options to the `create` endpoints. The role name is also included in the token path, allowing all - tokens created against a role to be revoked using the `revoke-prefix` + tokens created against a role to be revoked using the `sys/revoke-prefix` endpoint. @@ -645,7 +611,7 @@ of the header should be "X-Vault-Token" and the value should be the token. revoking all tokens created against it before some point in time. The suffix can be changed, allowing new callers to have the new suffix as part of their path, and then tokens with the old suffix can be revoked - via `revoke-prefix`. + via `sys/revoke-prefix`.