diff --git a/src/VaultSharp/IVaultClient.cs b/src/VaultSharp/IVaultClient.cs
index 26bbcb84..98599723 100644
--- a/src/VaultSharp/IVaultClient.cs
+++ b/src/VaultSharp/IVaultClient.cs
@@ -331,6 +331,35 @@ public interface IVaultClient
///
Task DeletePolicyAsync(string policyName);
+ ///
+ /// Gets the capabilities of the token on the given path.
+ ///
+ /// [required]
+ /// Token for which capabilities are being queried.
+ /// [required]
+ /// Path on which the token's capabilities will be checked.
+ /// The list of capabilities.
+ Task> GetTokenCapabilitiesAsync(string token, string path);
+
+ ///
+ /// Gets the capabilities of client token on the given path.
+ /// Client token is the Vault token with which this API call is made.
+ ///
+ /// [required]
+ /// Path on which the token's capabilities will be checked.
+ /// The list of capabilities.
+ Task> GetCallingTokenCapabilitiesAsync(string path);
+
+ ///
+ /// Gets the capabilities of the token associated with an accessor, on the given path.
+ ///
+ /// [required]
+ /// Token accessor for which capabilities are being queried.
+ /// [required]
+ /// Path on which the token's capabilities will be checked.
+ /// The list of capabilities.
+ Task> GetTokenAccessorCapabilitiesAsync(string tokenAccessor, string path);
+
///
/// Gets all the enabled audit backends.
///
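Review bot: The doc comment on GetTokenCapabilitiesAsync does not tell callers that they must supply the secret value of the token being queried, or that GetTokenAccessorCapabilitiesAsync answers the same question from the accessor alone. I would add a line such as `/// Prefer GetTokenAccessorCapabilitiesAsync when only the accessor is at hand; it avoids handling the token value.` The three return descriptions ("The list of capabilities.") could also say what an empty result means, since the implementation in VaultClient.cs returns an empty sequence when the response carries no capabilities field. The interface declaration starts and ends outside the hunk.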
diff --git a/src/VaultSharp/VaultClient.cs b/src/VaultSharp/VaultClient.cs
index f91b3e88..9e4eb209 100644
--- a/src/VaultSharp/VaultClient.cs
+++ b/src/VaultSharp/VaultClient.cs
@@ -326,6 +326,53 @@ public async Task DeletePolicyAsync(string policyName)
await MakeVaultApiRequest("sys/policy/" + policyName, HttpMethod.Delete).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
}
+ public async Task> GetTokenCapabilitiesAsync(string token, string path)
+ {
+ Checker.NotNull(token, "token");
+ Checker.NotNull(path, "path");
+
+ var requestData = new {token = token, path = path};
+ var response = await MakeVaultApiRequest("sys/capabilities", HttpMethod.Post, requestData).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
+
+ if (response != null && response.capabilities != null)
+ {
+ return response.capabilities.ToObject>();
+ }
+
+ return Enumerable.Empty();
+ }
+
+ public async Task> GetCallingTokenCapabilitiesAsync(string path)
+ {
+ Checker.NotNull(path, "path");
+
+ var requestData = new { path = path };
+ var response = await MakeVaultApiRequest("sys/capabilities-self", HttpMethod.Post, requestData).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
+
+ if (response != null && response.capabilities != null)
+ {
+ return response.capabilities.ToObject>();
+ }
+
+ return Enumerable.Empty();
+ }
+
+ public async Task> GetTokenAccessorCapabilitiesAsync(string tokenAccessor, string path)
+ {
+ Checker.NotNull(tokenAccessor, "tokenAccessor");
+ Checker.NotNull(path, "path");
+
+ var requestData = new { accessor = tokenAccessor, path = path };
+ var response = await MakeVaultApiRequest("sys/capabilities-accessor", HttpMethod.Post, requestData).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
+
+ if (response != null && response.capabilities != null)
+ {
+ return response.capabilities.ToObject>();
+ }
+
+ return Enumerable.Empty();
+ }
+
public async Task> GetAllEnabledAuditBackendsAsync()
{
var response = await MakeVaultApiRequest>("sys/audit", HttpMethod.Get).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
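Review bot: All three new methods fall back to `Enumerable.Empty` when the response or its `capabilities` field is null, which makes a malformed or unexpected reply look like a valid answer to an authorization query. As far as I know Vault reports lack of access with an explicit `deny` entry, so a caller that only checks for the absence of `deny` would read the empty fallback as permission. Throwing on a missing `capabilities` field, or documenting that an empty result must be treated as deny, would close that gap. The response handling is also repeated verbatim three times and could move into one private helper that takes the endpoint and the request data. `Checker.NotNull` presumably rejects only null, so empty `token`, `tokenAccessor` or `path` strings would still reach the server, which is worth confirming against the Checker class outside this hunk.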
diff --git a/test/VaultSharp.UnitTests/End2End/VaultClientEnd2EndTests.cs b/test/VaultSharp.UnitTests/End2End/VaultClientEnd2EndTests.cs
index dc19aadf..03c8ba21 100644
--- a/test/VaultSharp.UnitTests/End2End/VaultClientEnd2EndTests.cs
+++ b/test/VaultSharp.UnitTests/End2End/VaultClientEnd2EndTests.cs
@@ -44,7 +44,8 @@ public async Task AllTests()
// await GithubAuthenticationProviderTests();
}
- await _authenticatedClient.StepDownActiveNodeAsync();
+ await TokenTests();
+ // await _authenticatedClient.StepDownActiveNodeAsync();
await EncryptStrongTests();
await MountedSecretBackendTests();
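Review bot: The step-down call is left behind as commented-out code (`// await _authenticatedClient.StepDownActiveNodeAsync();`) with no explanation, so AllTests no longer exercises StepDownActiveNodeAsync and a reader cannot tell whether that is temporary. Either delete the line or replace it with a why-comment, e.g. `// Step-down disabled: <reason>; re-enable once <condition>.` AllTests starts and ends outside the hunk.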
@@ -52,7 +53,6 @@ public async Task AllTests()
await PoliciesTests();
await AuditBackendsTests();
await SecretTests();
- await TokenTests();
await EncryptTests();
await AppIdAuthenticationProviderTests();
await UsernamePasswordAuthenticationProviderTests();
@@ -658,6 +658,14 @@ private async Task TokenTests()
var secret1 = await _authenticatedClient.CreateTokenAsync();
Assert.NotNull(secret1);
+ // capabilities.
+ var caps =
+ await _authenticatedClient.GetTokenCapabilitiesAsync(secret1.AuthorizationInfo.ClientToken, "sys");
+ Assert.NotNull(caps);
+
+ var caps2 = await _authenticatedClient.GetCallingTokenCapabilitiesAsync("sys");
+ Assert.NotNull(caps2);
+
var secret2 = await _authenticatedClient.CreateTokenAsync(new TokenCreationOptions { NoParent = true });
Assert.NotNull(secret2);
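Review bot: `Assert.NotNull(caps)` and `Assert.NotNull(caps2)` cannot fail for the reason these tests exist, because the new client methods return an empty sequence rather than null when no capabilities come back. Asserting on content would make them meaningful, for example `Assert.True(caps2.Any());` (assuming System.Linq is imported in this file). GetTokenAccessorCapabilitiesAsync is added by this commit but not called here, so the accessor path has no end-to-end coverage. TokenTests starts and ends outside the hunk.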