scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 03:27:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

CLI: add an option for renew command fail on non-fullfillable request to allow command chaining (#29060)

Browse Source 
Signed-off-by: saiaunghlyanhtet <saiaunghlyanhtet2003@gmail.com>
This commit is contained in:
Sai Aung Hlyan Htet
2025-02-05 04:04:26 +09:00
committed by GitHub
parent 7b40df7b64
commit 16438470f7
4 changed files with 42 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/29060.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:improvement
CLI: adds an optional flag (--fail-if-not-fulfilled) to the renew command, which lets the renew command fail on unfulfillable requests and allows command chaining to allow further executions.
```

15
command/token_renew.go
View File

@@ -23,6 +23,7 @@ type TokenRenewCommand struct {
flagAccessor bool flagAccessor bool
flagIncrement time.Duration flagIncrement time.Duration
flagFailIfNotFulfilled bool
} }
func (c *TokenRenewCommand) Synopsis() string { func (c *TokenRenewCommand) Synopsis() string {
@@ -86,6 +87,15 @@ func (c *TokenRenewCommand) Flags() *FlagSets {
"numeric string with suffix like \"30s\" or \"5m\".", "numeric string with suffix like \"30s\" or \"5m\".",
}) })
f.BoolVar(&BoolVar{
Name: "fail-if-not-fulfilled",
Target: &c.flagFailIfNotFulfilled,
Default: false,
EnvVar: "",
Completion: complete.PredictNothing,
Usage: "Fail if the requested TTL increment cannot be fully fulfilled.",
})
return set return set
} }
@@ -140,5 +150,10 @@ func (c *TokenRenewCommand) Run(args []string) int {
return 2 return 2
} }
if c.flagFailIfNotFulfilled && secret.Auth.LeaseDuration < int(increment.Seconds()) {
c.UI.Info("Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled")
return 1
}
return OutputSecret(c.UI, secret) return OutputSecret(c.UI, secret)
} }

12
command/token_renew_test.go
View File

@@ -56,6 +56,18 @@ func TestTokenRenewCommand_Run(t *testing.T) {
"", "",
0, 0,
}, },
{
"fail_if_not_fulfilled_exceeds_max_ttl",
[]string{"-increment", "33d", "--fail-if-not-fulfilled"},
"Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled",
1,
},
{
"fail_if_not_fulfilled_within_max_ttl",
[]string{"-increment", "30m", "--fail-if-not-fulfilled"},
"",
0,
},
} }
t.Run("validations", func(t *testing.T) { t.Run("validations", func(t *testing.T) {

10
website/content/docs/commands/token/renew.mdx
View File

@@ -36,6 +36,12 @@ Renew a token requesting a specific increment value:
$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017 $ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
``` ```
Fail if the requested TTL increment cannot be fully fulfilled:
```shell-session
$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017 --fail-if-not-fulfilled || vault login
```
## Usage ## Usage
The following flags are available in addition to the [standard set of The following flags are available in addition to the [standard set of
@@ -56,3 +62,7 @@ flags](/vault/docs/commands) included on all commands.
- `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a - `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
token. When this option is selected, the output will NOT include the token. token. When this option is selected, the output will NOT include the token.
- `--fail-if-not-fulfilled` - Fail if the requested TTL increment cannot be
fully fulfilled. Vault allows command chaining and token renewal request
completion with capped duration even if renew request fails.