Make single-lease revocation behave like expiration (#4883)

This change makes it so that if a lease is revoked through user action, we set the expiration time to now and update pending, just as we do with tokens. This allows the normal retry logic to apply in these cases as well, instead of just erroring out immediately. The idea being that once you tell Vault to revoke something it should keep doing its darndest to actually make that happen.
2025-11-01 19:17:58 +00:00 · 2018-07-11 15:45:09 -04:00
parent eed9ef9391
commit a831fb4c5a
20 changed files with 392 additions and 101 deletions
--- a/api/sys_leases.go
+++ b/api/sys_leases.go
@@ -1,5 +1,7 @@
 package api

+import "errors"
+
 func (c *Sys) Renew(id string, increment int) (*Secret, error) {
 	r := c.c.NewRequest("PUT", "/v1/sys/leases/renew")

@@ -46,3 +48,42 @@ func (c *Sys) RevokeForce(id string) error {
 	}
 	return err
 }
+
+func (c *Sys) RevokeWithOptions(opts *RevokeOptions) error {
+	if opts == nil {
+		return errors.New("nil options provided")
+	}
+
+	// Construct path
+	path := "/v1/sys/leases/revoke/"
+	switch {
+	case opts.Force:
+		path = "/v1/sys/leases/revoke-force/"
+	case opts.Prefix:
+		path = "/v1/sys/leases/revoke-prefix/"
+	}
+	path += opts.LeaseID
+
+	r := c.c.NewRequest("PUT", path)
+	if !opts.Force {
+		body := map[string]interface{}{
+			"sync": opts.Sync,
+		}
+		if err := r.SetJSONBody(body); err != nil {
+			return err
+		}
+	}
+
+	resp, err := c.c.RawRequest(r)
+	if err == nil {
+		defer resp.Body.Close()
+	}
+	return err
+}
+
+type RevokeOptions struct {
+	LeaseID string
+	Force   bool
+	Prefix  bool
+	Sync    bool
+}