diff --git a/command/auth_disable.go b/command/auth_disable.go new file mode 100644 index 0000000000..d740ad0653 --- /dev/null +++ b/command/auth_disable.go @@ -0,0 +1,81 @@ +package command + +import ( + "fmt" + "strings" +) + +// AuthDisableCommand is a Command that enables a new endpoint. +type AuthDisableCommand struct { + Meta +} + +func (c *AuthDisableCommand) Run(args []string) int { + flags := c.Meta.FlagSet("auth-disable", FlagSetDefault) + flags.Usage = func() { c.Ui.Error(c.Help()) } + if err := flags.Parse(args); err != nil { + return 1 + } + + args = flags.Args() + if len(args) != 1 { + flags.Usage() + c.Ui.Error(fmt.Sprintf( + "\nauth-disable expects one argument: the path to disable.")) + return 1 + } + + path := args[0] + + client, err := c.Client() + if err != nil { + c.Ui.Error(fmt.Sprintf( + "Error initializing client: %s", err)) + return 2 + } + + if err := client.Sys().DisableAuth(path); err != nil { + c.Ui.Error(fmt.Sprintf( + "Error: %s", err)) + return 2 + } + + c.Ui.Output(fmt.Sprintf( + "Disabled auth provider at path '%s'!", path)) + + return 0 +} + +func (c *AuthDisableCommand) Synopsis() string { + return "Disable an auth provider" +} + +func (c *AuthDisableCommand) Help() string { + helpText := ` +Usage: vault auth-disable [options] path + + Disable an already-enabled auth provider. + + Once the auth provider is disabled, that path cannot be used anymore + to authenticate. All access tokens generated via the disabled auth provider + will be revoked. This command will block until all tokens are revoked. + If the command is exited early, the tokens will still be revoked. + +General Options: + + -address=TODO The address of the Vault server. + + -ca-cert=path Path to a PEM encoded CA cert file to use to + verify the Vault server SSL certificate. + + -ca-path=path Path to a directory of PEM encoded CA cert files + to verify the Vault server SSL certificate. If both + -ca-cert and -ca-path are specified, -ca-path is used. + + -insecure Do not verify TLS certificate. This is highly + not recommended. This is especially not recommended + for unsealing a vault. + +` + return strings.TrimSpace(helpText) +} diff --git a/command/auth_disable_test.go b/command/auth_disable_test.go new file mode 100644 index 0000000000..b08dec900b --- /dev/null +++ b/command/auth_disable_test.go @@ -0,0 +1,53 @@ +package command + +import ( + "testing" + + "github.com/hashicorp/vault/http" + "github.com/hashicorp/vault/vault" + "github.com/mitchellh/cli" +) + +func TestAuthDisable(t *testing.T) { + core, _, token := vault.TestCoreUnsealed(t) + ln, addr := http.TestServer(t, core) + defer ln.Close() + + ui := new(cli.MockUi) + c := &AuthDisableCommand{ + Meta: Meta{ + ClientToken: token, + Ui: ui, + }, + } + + args := []string{ + "-address", addr, + "noop", + } + + // Run the command once to setup the client, it will fail + c.Run(args) + + client, err := c.Client() + if err != nil { + t.Fatalf("err: %s", err) + } + + if err := client.Sys().EnableAuth("noop", "noop", ""); err != nil { + t.Fatalf("err: %s", err) + } + + if code := c.Run(args); code != 0 { + t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String()) + } + + mounts, err := client.Sys().ListAuth() + if err != nil { + t.Fatalf("err: %s", err) + } + + if _, ok := mounts["noop"]; ok { + t.Fatal("should not have noop mount") + } +} diff --git a/commands.go b/commands.go index a72ff3a969..3fe715d9c7 100644 --- a/commands.go +++ b/commands.go @@ -37,6 +37,12 @@ func init() { }, nil }, + "auth-disable": func() (cli.Command, error) { + return &command.AuthDisableCommand{ + Meta: meta, + }, nil + }, + "read": func() (cli.Command, error) { return &command.ReadCommand{ Meta: meta,