From 3234eca8fdf1565f94883d3ff5e44bbe2df1d22e Mon Sep 17 00:00:00 2001
From: Andreas Schmidt
Date: Wed, 20 Sep 2023 18:51:15 +0000
Subject: [PATCH] add: Revoke token by id and accessor; add: tests; update: workflow to include feat branches
---
 .github/workflows/dev-ci.yaml | 1 +
 src/public/Revoke-HCVaultToken.ps1 | 69 ++++++++++++++++++++++++++
 src/public/Revoke-HCVaultTokenSelf.ps1 | 2 +-
 src/public/Test-HCVaultToken.ps1 | 2 +
 src/public/Test-HCVaultTokenSelf.ps1 | 2 +
 tests/Token.Tests.ps1 | 15 ++++++
 6 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 src/public/Revoke-HCVaultToken.ps1
diff --git a/.github/workflows/dev-ci.yaml b/.github/workflows/dev-ci.yaml
index a9ecc3a..a818cc3 100644
--- a/.github/workflows/dev-ci.yaml
+++ b/.github/workflows/dev-ci.yaml
@@ -5,6 +5,7 @@ on:
 branches:
 - dev
 - feature/*
+ - feat/*
 pull_request:
 branches:
 - dev
diff --git a/src/public/Revoke-HCVaultToken.ps1 b/src/public/Revoke-HCVaultToken.ps1
new file mode 100644
index 0000000..6abdeb3
--- /dev/null
+++ b/src/public/Revoke-HCVaultToken.ps1
@@ -0,0 +1,69 @@
+Function Revoke-HCVaultToken {
+ <#
+ .SYNOPSIS
+ Revokes a token by token string or its accessor
+
+ .DESCRIPTION
+ Uses the /auth/token/revoke or revoke-accessor endpoint to revoke a token.
+
+ .EXAMPLE
+ Revoke-HCVaultToken -Token
+ Test-HCVaultToken -Token # returns error "bad token"
+
+ .EXAMPLE
+ Revoke-HCVaultToken -Accessor
+ Test-HCVaultToken -Token # returns error "bad token"
+ Test-HCVaultToken -Accessor # returns error "invalid accessor"
+
+ .LINK
+ https://developer.hashicorp.com/vault/api-docs/auth/token#revoke-a-token
+ https://developer.hashicorp.com/vault/api-docs/auth/token#revoke-a-token-accessor
+ #>
+ [CmdletBinding(DefaultParameterSetName="token")]
+ param (
+ [Parameter(Mandatory = $false, ParameterSetName = "token")]
+ [ValidateNotNullOrEmpty()]
+ [securestring]$Token,
+
+ [Parameter(Mandatory = $true, ParameterSetName = "accessor")]
+ [ValidateNotNullOrEmpty()]
+ [string]$Accessor
+ )
+
+ $Ctx = GetContextOrErr
+
+ $req = NewHCVaultAPIRequest -Method "POST" -Path "/auth/token/revoke-self"
+ if ($PSBoundParameters.ContainsKey('token')) {
+ $req = NewHCVaultAPIRequest -Method "POST" -Path "/auth/token/revoke"
+ $req.Body = @{
+ "token" = ConvertFrom-SecureString -AsPlainText $Token
+ }
+ }
+ if ($PSBoundParameters.ContainsKey('accessor')) {
+ $req = NewHCVaultAPIRequest -Method "POST" -Path "/auth/token/revoke-accessor"
+ $req.Body = @{
+ "accessor" = $Accessor
+ }
+ }
+
+ $res = $None
+
+ try {
+ $res = InvokeHCVaultAPI -ctx $Ctx -req $req
+ } catch {
+ $msg = "Unable to revoke token: statusCode={0},Message={1}" -f $_.TargetObject.statusCode, $_.TargetObject.Exception.Message
+ throw [ErrorRecord]::new(
+ [InvalidOperationException]::new($msg),
+ 'L1-{0}' -f $_.FullyQualifiedErrorId,
+ [ErrorCategory]::InvalidOperation,
+ $_
+ )
+ }
+
+ if ($res.StatusCode -eq 200) {
+ return $res.Body
+ }
+
+ return $None
+
+}
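Review bot: Because `$Token` is declared `Mandatory = $false` in the default `token` parameter set, calling `Revoke-HCVaultToken` with no arguments skips both `if` blocks and posts the pre-built request to `/auth/token/revoke-self`, silently revoking the caller's own context token, although the synopsis promises revocation by token string or accessor only. Make the parameter mandatory, `[Parameter(Mandatory = $true, ParameterSetName = "token")]`, and replace the `revoke-self` default with `$req = $null` so every request is built inside one of the two branches; `Revoke-HCVaultTokenSelf` already covers the self case explicitly. `$None` is not a PowerShell automatic variable (it is an unset variable that happens to evaluate to `$null`) and is rejected under `Set-StrictMode`; `$null` is the idiomatic spelling in `$res = $None` and `return $None`.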
diff --git a/src/public/Revoke-HCVaultTokenSelf.ps1 b/src/public/Revoke-HCVaultTokenSelf.ps1
index 2bbce7a..fa5be8c 100644
--- a/src/public/Revoke-HCVaultTokenSelf.ps1
+++ b/src/public/Revoke-HCVaultTokenSelf.ps1
@@ -4,7 +4,7 @@ Function Revoke-HCVaultTokenSelf {
 Revokes the token in the current context
 .DESCRIPTION
- Uses the /auth/token/revoke endpoint to revoke the token from the current context.
+ Uses the /auth/token/revoke-self endpoint to revoke the token from the current context.
 .EXAMPLE
 > Revoke-HCVaultTokenSelf
diff --git a/src/public/Test-HCVaultToken.ps1 b/src/public/Test-HCVaultToken.ps1
index 13be021..04a923a 100644
--- a/src/public/Test-HCVaultToken.ps1
+++ b/src/public/Test-HCVaultToken.ps1
@@ -66,6 +66,8 @@ Function Test-HCVaultToken {
 }
 if ($res.StatusCode -eq 200) {
+ # TODO: if ìd` is given, make it a SecureString
+
 return $res.Body.data
 }
diff --git a/src/public/Test-HCVaultTokenSelf.ps1 b/src/public/Test-HCVaultTokenSelf.ps1
index 8981163..e0b26c8 100644
--- a/src/public/Test-HCVaultTokenSelf.ps1
+++ b/src/public/Test-HCVaultTokenSelf.ps1
@@ -33,6 +33,8 @@ Function Test-HCVaultTokenSelf {
 }
 if ($res.StatusCode -eq 200) {
+ # TODO: if ìd` is given, make it a SecureString
+
 return $res.Body.data
 }
diff --git a/tests/Token.Tests.ps1 b/tests/Token.Tests.ps1
index 9c3ff14..096d10d 100644
--- a/tests/Token.Tests.ps1
+++ b/tests/Token.Tests.ps1
@@ -96,3 +96,18 @@ Describe 'Token Lifecycle' {
 }
 }
+
+Describe 'Token Revocation Variants' {
+ It 'should successfully revoke token by id' {
+ $tk3 = New-HCVaultToken -Ttl 10m -Role "Default"
+ Revoke-HCVaultToken -Token $tk3.Token
+ ( Test-HCVaultToken -Token $tk3.Token ) | Should -Throw
+ }
+
+ It 'should successfully revoke token by accessor' {
+ $tk4 = New-HCVaultToken -Ttl 10m -Role "Default"
+ Revoke-HCVaultToken -Accessor $tk4.Accessor
+ ( Test-HCVaultToken -Token $tk4.Token ) | Should -Throw
+ ( Test-HCVaultToken -Accessor $tk4.Accessor ) | Should -Throw
+ }
+}
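Review bot: The comment added in the Test-HCVaultToken.ps1 hunk is garbled: `ìd` reads like a dead-key slip for a backtick before id, so the TODO does not say what it means, and the identical line is added in the Test-HCVaultTokenSelf.ps1 hunk. Suggest `# TODO: if data contains 'id', return it as a SecureString instead of plain text` in both places, which also records what the TODO implies, namely that the token id in `$res.Body.data` is currently handed back to the caller unprotected. The enclosing `if` and the function body begin outside both hunks.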
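Review bot: The three `Should -Throw` assertions in the tests/Token.Tests.ps1 hunk wrap the call in `( ... )`, which evaluates it immediately: the expected error is raised before Pester sees it, so the test fails with that error instead of asserting on it, and a call that does not throw would pipe a plain value into `Should -Throw`, which expects a scriptblock. Wrap each call in a scriptblock instead: `{ Test-HCVaultToken -Token $tk3.Token } | Should -Throw`, `{ Test-HCVaultToken -Token $tk4.Token } | Should -Throw`, `{ Test-HCVaultToken -Accessor $tk4.Accessor } | Should -Throw`. Passing `$tk3.Token` to the `[securestring]$Token` parameter also assumes `New-HCVaultToken` returns the token as a SecureString; worth confirming, since a plain string would fail parameter binding rather than revoke anything.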