diff --git a/api/auth.go b/api/auth.go
index fa8422e41a..da870c111c 100644
--- a/api/auth.go
+++ b/api/auth.go
@@ -5,7 +5,7 @@ type Auth struct {
 c *Client
 }
 
-// Auth is used to return the client for logical-backend API calls.
+// Auth is used to return the client for credential-backend API calls.
 func (c *Client) Auth() *Auth {
 return &Auth{c: c}
 }
diff --git a/api/auth_token.go b/api/auth_token.go
index 2fecd3de45..3f52f59a93 100644
--- a/api/auth_token.go
+++ b/api/auth_token.go
@@ -1,11 +1,11 @@
 package api
 
-// TokenAuth is used to perform token backend operations on Vault.
+// TokenAuth is used to perform token backend operations on Vault
 type TokenAuth struct {
 c *Client
 }
 
-// Token is used to return the client for logical-backend API calls.
+// Token is used to return the client for token-backend API calls
 func (a *Auth) Token() *TokenAuth {
 return &TokenAuth{c: a.c}
 }
@@ -136,19 +136,6 @@ func (c *TokenAuth) RevokeOrphan(token string) error {
 return nil
 }
 
-// RevokePrefix revokes a token based on a prefix, which can be used to revoke
-// e.g. all tokens issued by a certain credential mount
-func (c *TokenAuth) RevokePrefix(token string) error {
- r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-prefix/"+token)
- resp, err := c.c.RawRequest(r)
- if err != nil {
- return err
- }
- defer resp.Body.Close()
-
- return nil
-}
-
 // RevokeSelf revokes the token making the call
 func (c *TokenAuth) RevokeSelf(token string) error {
 r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
diff --git a/command/token_revoke.go b/command/token_revoke.go
index 0398010e2c..38eca3560e 100644
--- a/command/token_revoke.go
+++ b/command/token_revoke.go
@@ -48,7 +48,7 @@ func (c *TokenRevokeCommand) Run(args []string) int {
 case !accessor && mode == "orphan":
 fn = client.Auth().Token().RevokeOrphan
 case !accessor && mode == "path":
- fn = client.Auth().Token().RevokePrefix
+ fn = client.Sys().RevokePrefix
 case accessor && mode == "":
 fn = client.Auth().Token().RevokeAccessor
 case accessor && mode == "orphan":
@@ -93,7 +93,8 @@ Usage: vault token-revoke [options] [token|accessor] * With the "path" value, tokens created from the given auth path prefix will be deleted, along with all their children. In this case - the "token" arg above is actually a "path". + the "token" arg above is actually a "path". This mode does *not* + work with token values or parts of token values. Token can be revoked using the token accessor. This can be done by setting the '-accessor' flag. Note that when '-accessor' flag is set,
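Review bot: In the `!accessor && mode == "path"` case of `Run`, the positional argument is now dispatched to `client.Sys().RevokePrefix`, yet nothing visible in this hunk checks that it is an auth mount path rather than a token value; the help text added in the second hunk states the restriction but does not enforce it. If `Sys().RevokePrefix` builds its request path from the argument the way the removed `TokenAuth.RevokePrefix` did, a token pasted here by mistake would travel in the URL, where it is more likely to be recorded by proxies or access logs than a header or body value. Because this call presumably revokes by lease prefix, a very short or empty prefix could also revoke far more than the operator intended. I would add a guard before the dispatch, along the lines of `if mode == "path" && !strings.HasPrefix(token, "auth/") { /* print usage error */ return 1 }`, where `token` stands for whichever variable holds the positional argument and the `auth/` convention should be confirmed against the backend. The switch and the eventual call through `fn` sit outside the hunk, so the exact placement needs checking against the full function.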