From 1612dfaa1f06d4a159f0422287e239e43a343d7d Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Thu, 10 Mar 2016 17:04:04 -0500
Subject: [PATCH] Added accessor flag to token-revoke CLI

---
 api/auth_token.go | 25 +++++++++++++------------
 command/token_lookup.go | 10 +++++-----
 command/token_revoke.go | 34 ++++++++++++++++++++++++++--------
 3 files changed, 44 insertions(+), 25 deletions(-)

diff --git a/api/auth_token.go b/api/auth_token.go
index 03581723bb..52e227231c 100644
--- a/api/auth_token.go
+++ b/api/auth_token.go
@@ -110,6 +110,19 @@ func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
 return ParseSecret(resp.Body)
 }
 
+// RevokeAccessor revokes a token associated with the given accessor
+// along with all the child tokens.
+func (c *TokenAuth) RevokeAccessor(accessor string) error {
+ r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor/"+accessor)
+ resp, err := c.c.RawRequest(r)
+ if err != nil {
+ return err
+ }
+ defer resp.Body.Close()
+
+ return nil
+}
+
 // RevokeOrphan revokes a token without revoking the tree underneath it (so
 // child tokens are orphaned rather than revoked)
 func (c *TokenAuth) RevokeOrphan(token string) error {
@@ -136,18 +149,6 @@ func (c *TokenAuth) RevokePrefix(token string) error {
 return nil
 }
 
-// RevokeSelf revokes the token making the call
-func (c *TokenAuth) RevokeSelf() error {
- r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
- resp, err := c.c.RawRequest(r)
- if err != nil {
- return err
- }
- defer resp.Body.Close()
-
- return nil
-}
-
 // RevokeTree is the "normal" revoke operation that revokes the given token and
 // the entire tree underneath -- all of its child tokens, their child tokens,
 // etc.
diff --git a/command/token_lookup.go b/command/token_lookup.go
index 56cdd91be2..42035e9821 100644
--- a/command/token_lookup.go
+++ b/command/token_lookup.go
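Review bot: RevokeAccessor splices the caller-supplied accessor straight into the request path, so a value containing `/`, `?` or `#` changes which endpoint is addressed rather than being rejected; the sibling methods do the same, but a new method is the place to escape the segment (`url.PathEscape(accessor)` on current Go) or at least document that the accessor must be a plain identifier. If RawRequest can return a non-nil response together with an error (as I would expect for a non-2xx status, though RawRequest is not visible here), the early `return err` leaks that body, so `if resp != nil { defer resp.Body.Close() }` placed before the error check would be safer. The new method sends "POST" while the RevokeSelf deleted in the next hunk used "PUT"; worth confirming the verb matches the other revoke calls in this file. That next hunk also removes the exported RevokeSelf entirely, an API break for callers that is not mentioned in the subject line and looks unrelated to adding the accessor flag.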
@@ -76,12 +76,12 @@ func (c *TokenLookupCommand) Synopsis() string {
 
 func (c *TokenLookupCommand) Help() string {
 helpText := `
-Usage: vault token-lookup [options] [token]
+Usage: vault token-lookup [options] [token|accessor]
 
- Displays information about the specified token. If no token is specified,
- the operation is performed on the currently authenticated token i.e. lookup-self.
- Information about the token can also be retrieved using the token accessor
- by setting the '-accessor' flag.
+ Displays information about the specified token. If no token is specified, the
+ operation is performed on the currently authenticated token i.e. lookup-self.
+ Information about the token can be retrieved using the token accessor via the
+ '-accessor' flag.
 
 General Options:
 
diff --git a/command/token_revoke.go b/command/token_revoke.go
index 76e6370ee1..6149497f61 100644
--- a/command/token_revoke.go
+++ b/command/token_revoke.go
@@ -12,7 +12,9 @@ type TokenRevokeCommand struct {
 
 func (c *TokenRevokeCommand) Run(args []string) int {
 var mode string
+ var accessor bool
 flags := c.Meta.FlagSet("token-revoke", FlagSetDefault)
+ flags.BoolVar(&accessor, "accessor", false, "")
 flags.StringVar(&mode, "mode", "", "")
 flags.Usage = func() { c.Ui.Error(c.Help()) }
 if err := flags.Parse(args); err != nil {
@@ -37,16 +39,21 @@ func (c *TokenRevokeCommand) Run(args []string) int {
 }
 
 var fn func(string) error
-switch mode {
-case "":
+ // Handle all 6 possible combinations
+ switch {
+ case !accessor && mode == "":
 fn = client.Auth().Token().RevokeTree
-case "orphan":
+case !accessor && mode == "orphan":
 fn = client.Auth().Token().RevokeOrphan
-case "path":
+case !accessor && mode == "path":
 fn = client.Auth().Token().RevokePrefix
-default:
-c.Ui.Error(fmt.Sprintf(
-"Unknown revocation mode: %s", mode))
+case accessor && mode == "":
+fn = client.Auth().Token().RevokeAccessor
+case accessor && mode == "orphan":
+c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")
+return 1
+case accessor && mode == "path":
+c.Ui.Error("token-revoke cannot be run for 'path' mode when 'accessor' flag is set")
 return 1
 }
 
@@ -66,7 +73,7 @@ func (c *TokenRevokeCommand) Synopsis() string {
 
 func (c *TokenRevokeCommand) Help() string {
 helpText := `
-Usage: vault token-revoke [options] token
+Usage: vault token-revoke [options] [token|accessor]
 
 Revoke one or more auth tokens.
 
@@ -86,12 +93,23 @@ Usage: vault token-revoke [options] token
 prefix will be deleted, along with all their children. In this case the
 "token" arg above is actually a "path".
 
+ Token can be revoked using the token accessor. This can be done by
+ setting the '-accessor' flag. Note that when '-accessor' flag is set,
+ '-mode' should not be set for 'orphan' or 'path'. This is because,
+ a token accessor always revokes the token along with it's child tokens.
+
 General Options:
 
 ` + generalOptionsUsage() + `
 
 Token Options:
 
+ -accessor A boolean flag, if set, treats the argument as an accessor of the token.
+ Note that accessor can also be used for looking up the token properties
+ via '/auth/token/lookup-accessor/' endpoint.
+ Accessor is used when there is no access to token ID.
+
+
 -mode=value The type of revocation to do. See the documentation above for more information.
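Review bot: The rewritten switch drops the `default:` branch, so an unrecognised `-mode` value (anything other than "", "orphan" or "path", with or without `-accessor`) now leaves `fn` nil, and the later call through `fn` outside this hunk will presumably panic with a nil function dereference where the old code printed "Unknown revocation mode" and returned 1. Keep a terminating default, e.g. `default:` / `c.Ui.Error(fmt.Sprintf("Unknown revocation mode: %s", mode))` / `return 1`. The `// Handle all 6 possible combinations` comment is then also inaccurate, since mode is free text rather than a closed set; the two accessor error cases could collapse into one `case accessor && mode != "":` with a single message. Run's body starts and ends outside the hunk.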