add: Revoke token by id and accessor;

add: tests; update: workflow to include feat branches
aschmidt75 · Sep 20, 2023 · 3234eca · 3234eca
1 parent 2c7d84f
commit 3234eca
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 1 deletion.
diff --git a/.github/workflows/dev-ci.yaml b/.github/workflows/dev-ci.yaml
@@ -5,6 +5,7 @@ on:
     branches:
       - dev
       - feature/*
+      - feat/*
   pull_request:
     branches:
       - dev

diff --git a/src/public/Revoke-HCVaultToken.ps1 b/src/public/Revoke-HCVaultToken.ps1
@@ -0,0 +1,69 @@
+Function Revoke-HCVaultToken {
+    <#
+    .SYNOPSIS
+        Revokes a token by token string or its accessor
+
+    .DESCRIPTION
+        Uses the /auth/token/revoke or revoke-accessor endpoint to revoke a token.
+
+    .EXAMPLE
+        Revoke-HCVaultToken -Token <some_token>
+        Test-HCVaultToken -Token <some_token>       # returns error "bad token"
+
+    .EXAMPLE
+        Revoke-HCVaultToken -Accessor <some_accessor>
+        Test-HCVaultToken -Token <some_token>             # returns error "bad token"
+        Test-HCVaultToken -Accessor <some_accessor>       # returns error "invalid accessor"
+
+    .LINK
+        https://developer.hashicorp.com/vault/api-docs/auth/token#revoke-a-token
+        https://developer.hashicorp.com/vault/api-docs/auth/token#revoke-a-token-accessor
+    #>
+    [CmdletBinding(DefaultParameterSetName="token")]
+    param (
+        [Parameter(Mandatory = $false, ParameterSetName = "token")]
+        [ValidateNotNullOrEmpty()]
+        [securestring]$Token,
+
+        [Parameter(Mandatory = $true, ParameterSetName = "accessor")]
+        [ValidateNotNullOrEmpty()]
+        [string]$Accessor
+    )
+
+    $Ctx = GetContextOrErr
+
+    $req = NewHCVaultAPIRequest -Method "POST" -Path "/auth/token/revoke-self"
+    if ($PSBoundParameters.ContainsKey('token')) {
+        $req = NewHCVaultAPIRequest -Method "POST" -Path  "/auth/token/revoke"
+        $req.Body = @{
+            "token" = ConvertFrom-SecureString -AsPlainText $Token
+        }
+    }
+    if ($PSBoundParameters.ContainsKey('accessor')) {
+        $req = NewHCVaultAPIRequest -Method "POST" -Path "/auth/token/revoke-accessor"
+        $req.Body = @{
+            "accessor" = $Accessor
+        }
+    }
+
+    $res = $None
+
+    try {
+        $res = InvokeHCVaultAPI -ctx $Ctx -req $req 
+    } catch {
+        $msg = "Unable to revoke token: statusCode={0},Message={1}" -f $_.TargetObject.statusCode, $_.TargetObject.Exception.Message
+        throw [ErrorRecord]::new( 
+            [InvalidOperationException]::new($msg), 
+            'L1-{0}' -f $_.FullyQualifiedErrorId, 
+            [ErrorCategory]::InvalidOperation, 
+            $_
+        )     
+    }
+
+    if ($res.StatusCode -eq 200) {
+        return $res.Body
+    }
+
+    return $None
+
+}
diff --git a/src/public/Revoke-HCVaultTokenSelf.ps1 b/src/public/Revoke-HCVaultTokenSelf.ps1
@@ -4,7 +4,7 @@ Function Revoke-HCVaultTokenSelf {
         Revokes the token in the current context
 
     .DESCRIPTION
-        Uses the /auth/token/revoke endpoint to revoke the token from the current context.
+        Uses the /auth/token/revoke-self endpoint to revoke the token from the current context.
 
     .EXAMPLE
         > Revoke-HCVaultTokenSelf

diff --git a/src/public/Test-HCVaultToken.ps1 b/src/public/Test-HCVaultToken.ps1
@@ -66,6 +66,8 @@ Function Test-HCVaultToken {
     }
 
     if ($res.StatusCode -eq 200) {
+        # TODO: if ìd` is given, make it a SecureString
+
         return $res.Body.data
     }
 

diff --git a/src/public/Test-HCVaultTokenSelf.ps1 b/src/public/Test-HCVaultTokenSelf.ps1
@@ -33,6 +33,8 @@ Function Test-HCVaultTokenSelf {
     }
 
     if ($res.StatusCode -eq 200) {
+        # TODO: if ìd` is given, make it a SecureString
+
         return $res.Body.data
     }
 

diff --git a/tests/Token.Tests.ps1 b/tests/Token.Tests.ps1
@@ -96,3 +96,18 @@ Describe 'Token Lifecycle' {
     }
 
 }
+
+Describe 'Token Revocation Variants' {
+    It 'should successfully revoke token by id' {
+        $tk3 = New-HCVaultToken -Ttl 10m -Role "Default"
+        Revoke-HCVaultToken -Token $tk3.Token
+        ( Test-HCVaultToken -Token $tk3.Token ) | Should -Throw
+    }
+
+    It 'should successfully revoke token by accessor' {
+        $tk4 = New-HCVaultToken -Ttl 10m -Role "Default"
+        Revoke-HCVaultToken -Accessor $tk4.Accessor
+        ( Test-HCVaultToken -Token $tk4.Token ) | Should -Throw
+        ( Test-HCVaultToken -Accessor $tk4.Accessor ) | Should -Throw
+    }
+}