vault: token store allows specifying display_name

vault/core_test.go

@@ -975,6 +975,7 @@ func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) {
 		Parent:      root,
 		Policies:    []string{"foo"},
 		Path:        "auth/token/create",
+		DisplayName: "token",
 	}
 	if !reflect.DeepEqual(te, expect) {
 		t.Fatalf("Bad: %#v expect: %#v", te, expect)

vault/token_store.go

@@ -5,6 +5,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -34,6 +35,11 @@ const (
 	tokenSubPath = "token/"
 )
 
+var (
+	// displayNameSanitize is used to sanitize a display name given to a token.
+	displayNameSanitize = regexp.MustCompile("[^a-zA-Z0-9-]")
+)
+
 // TokenStore is used to manage client tokens. Tokens are used for
 // clients to authenticate, and each token is mapped to an applicable
 // set of policy which is used for authorization.
@@ -249,6 +255,7 @@ func (ts *TokenStore) RootToken() (*TokenEntry, error) {
 	te := &TokenEntry{
 		Policies:    []string{"root"},
 		Path:        "auth/token/root",
+		DisplayName: "root",
 	}
 	if err := ts.Create(te); err != nil {
 		return nil, err
@@ -440,6 +447,7 @@ func (ts *TokenStore) handleCreate(
 		Metadata    map[string]string `mapstructure:"meta"`
 		NoParent    bool              `mapstructure:"no_parent"`
 		Lease       string
+		DisplayName string `mapstructure:"display_name"`
 	}
 	if err := mapstructure.WeakDecode(req.Data, &data); err != nil {
 		return logical.ErrorResponse(fmt.Sprintf(
@@ -451,6 +459,15 @@ func (ts *TokenStore) handleCreate(
 		Parent:      req.ClientToken,
 		Path:        "auth/token/create",
 		Meta:        data.Metadata,
+		DisplayName: "token",
+	}
+
+	// Attach the given display name if any
+	if data.DisplayName != "" {
+		full := "token-" + data.DisplayName
+		full = displayNameSanitize.ReplaceAllString(full, "-")
+		full = strings.TrimSuffix(full, "-")
+		te.DisplayName = full
 	}
 
 	// Allow specifying the ID of the token if the client is root
@@ -597,6 +614,7 @@ func (ts *TokenStore) handleLookup(
 			"policies":     out.Policies,
 			"path":         out.Path,
 			"meta":         out.Meta,
+			"display_name": out.DisplayName,
 		},
 	}
 	return resp, nil

vault/token_store_test.go

@@ -269,6 +269,34 @@ func TestTokenStore_RevokeTree(t *testing.T) {
 	}
 }
 
+func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) {
+	_, ts, root := mockTokenStore(t)
+
+	req := logical.TestRequest(t, logical.WriteOperation, "create")
+	req.ClientToken = root
+	req.Data["display_name"] = "foo_bar.baz!"
+
+	resp, err := ts.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+
+	expected := &TokenEntry{
+		ID:          resp.Auth.ClientToken,
+		Parent:      root,
+		Policies:    []string{"root"},
+		Path:        "auth/token/create",
+		DisplayName: "token-foo-bar-baz",
+	}
+	out, err := ts.Lookup(resp.Auth.ClientToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !reflect.DeepEqual(out, expected) {
+		t.Fatalf("bad: %#v", out)
+	}
+}
+
 func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) {
 	_, ts, root := mockTokenStore(t)
 
@@ -285,6 +313,7 @@ func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) {
 		Parent:      root,
 		Policies:    []string{"root"},
 		Path:        "auth/token/create",
+		DisplayName: "token",
 	}
 	out, err := ts.Lookup(resp.Auth.ClientToken)
 	if err != nil {
@@ -564,6 +593,7 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 		"policies":     []string{"root"},
 		"path":         "auth/token/root",
 		"meta":         map[string]string(nil),
+		"display_name": "root",
 	}
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("bad: %#v exp: %#v", resp.Data, exp)
@@ -627,6 +657,7 @@ func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
 		"policies":     []string{"root"},
 		"path":         "auth/token/root",
 		"meta":         map[string]string(nil),
+		"display_name": "root",
 	}
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("bad: %#v exp: %#v", resp.Data, exp)