From f44a34434e62b60e3c71f70934e3e6d08ebd616e Mon Sep 17 00:00:00 2001
From: Keshav
Date: Thu, 2 May 2024 14:58:38 +0200
Subject: [PATCH 1/4] not allowing batch token revoke

---
 pkg/vault/client.go | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/pkg/vault/client.go b/pkg/vault/client.go
index 76e1018c3d..abc12324cd 100644
--- a/pkg/vault/client.go
+++ b/pkg/vault/client.go
@@ -281,9 +281,26 @@ func (v Client) RevokeToken() error {
 // MustRevokeToken same as RevokeToken but the programm is terminated with an error if this fails.
 // Should be used in defer statements only.
 func (v Client) MustRevokeToken() {
- if err := v.RevokeToken(); err != nil {
- log.Entry().WithError(err).Fatal("Could not revoke token")
+
+ // only service tokens should be revoked and not batch tokens, the below will lookup the token and depends on the token prefix hvs. for service token
+ lookupPath := "auth/token/lookup-self"
+ secret, err := v.GetSecret("auth/token/lookup-self")
+
+ if err != nil {
+ log.Entry().Warnf("Could not lookup token at %s, not continuing to revoke", lookupPath)
+ } else {
+ if id, ok := secret.Data["id"]; ok {
+ if strings.HasPrefix(id.(string), "hvs.") {
+ if err := v.RevokeToken(); err != nil {
+ log.Entry().WithError(err).Fatal("Could not revoke token")
+ }
+ }
+ log.Entry().Warnf("Could not lookup token.Data at %s, not continuing to revoke", lookupPath)
+ } else {
+ log.Entry().Warnf("Could not lookup token.Data.id at %s, not continuing to revoke", lookupPath)
+ }
 }
+
 }
 
 // GetAppRoleName returns the AppRole role name which was used to authenticate.

From f506129d6efc7d1053ded81e44a9191bd42c7def Mon Sep 17 00:00:00 2001
From: Keshav
Date: Thu, 29 Aug 2024 11:54:38 +0200
Subject: [PATCH 2/4] chaging values to hold variable name

---
 pkg/vault/client.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/vault/client.go b/pkg/vault/client.go
index 2492a01757..352610e025 100644
--- a/pkg/vault/client.go
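Review bot: `id.(string)` is an unchecked type assertion, so a lookup-self response whose `id` is not a string (or is a nil interface) panics inside a function that is meant to run from `defer`; use the two-value form, `if id, ok := secret.Data["id"].(string); ok && strings.HasPrefix(id, "hvs.") {`. The `Could not lookup token.Data` warning sits after the `if strings.HasPrefix` block instead of in an `else`, so it is logged even after a successful revoke, with a message that does not describe that case. `secret, err := v.GetSecret("auth/token/lookup-self")` also repeats the literal that `lookupPath` was introduced to hold on the line above; `v.GetSecret(lookupPath)` keeps the log message and the request in sync.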
+++ b/pkg/vault/client.go
@@ -290,13 +290,14 @@ func (v Client) MustRevokeToken() {
 
 // only service tokens should be revoked and not batch tokens, the below will lookup the token and depends on the token prefix hvs. for service token
 lookupPath := "auth/token/lookup-self"
- secret, err := v.GetSecret("auth/token/lookup-self")
+ const serviceTokenPrefix string = "hvs."
+ secret, err := v.GetSecret(lookupPath)
 
 if err != nil {
 log.Entry().Warnf("Could not lookup token at %s, not continuing to revoke", lookupPath)
 } else {
 if id, ok := secret.Data["id"]; ok {
- if strings.HasPrefix(id.(string), "hvs.") {
+ if strings.HasPrefix(id.(string), serviceTokenPrefix) {
 if err := v.RevokeToken(); err != nil {
 log.Entry().WithError(err).Fatal("Could not revoke token")
 }

From d25d6b20c8c2b3ffd68ef8ccdf75ac07b8ef0333 Mon Sep 17 00:00:00 2001
From: Keshav
Date: Thu, 29 Aug 2024 12:03:01 +0200
Subject: [PATCH 3/4] error message when identifying service token

---
 pkg/vault/client.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/vault/client.go b/pkg/vault/client.go
index 352610e025..204697ce55 100644
--- a/pkg/vault/client.go
+++ b/pkg/vault/client.go
@@ -301,8 +301,9 @@ func (v Client) MustRevokeToken() {
 if err := v.RevokeToken(); err != nil {
 log.Entry().WithError(err).Fatal("Could not revoke token")
 }
+ } else {
+ log.Entry().Warnf("Service token not identified at %s, not continuing to revoke", lookupPath)
 }
- log.Entry().Warnf("Could not lookup token.Data at %s, not continuing to revoke", lookupPath)
 } else {
 log.Entry().Warnf("Could not lookup token.Data.id at %s, not continuing to revoke", lookupPath)
 }

From b84a8a69c6a1bee672dadab7fb18853c3f9fd32d Mon Sep 17 00:00:00 2001
From: Googlom
Date: Tue, 22 Oct 2024 13:38:25 +0500
Subject: [PATCH 4/4] refactor

---
 pkg/vault/vault.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/pkg/vault/vault.go b/pkg/vault/vault.go
index 5943b31c19..4d916230b3 100644
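Review bot: With the added `} else {` the skip decision in `MustRevokeToken` is now spread over four nesting levels and three near-identical `Warnf` branches, which is hard to follow for a function whose only job is "revoke if this is a service token"; flattening it into guard clauses (`if err != nil { …; return }`, `id, ok := secret.Data["id"].(string); if !ok { …; return }`, `if !strings.HasPrefix(id, serviceTokenPrefix) { …; return }`) would also remove the unchecked `id.(string)` assertion that is still in the context lines above. `Service token not identified` is the expected outcome for a batch token rather than a fault, so warn level may be noisier than intended — presumably debug or info fits better, to be confirmed with the callers. The enclosing function starts before this hunk.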
--- a/pkg/vault/vault.go
+++ b/pkg/vault/vault.go
@@ -7,6 +7,7 @@ import (
 "github.com/hashicorp/vault/api"
 "path"
 "strconv"
+ "strings"
 "time"
 )
 
@@ -181,7 +182,27 @@ func (c *Client) RevokeToken() error {
 // MustRevokeToken same as RevokeToken but the program is terminated with an error if this fails.
 // Should be used in defer statements only.
 func (c *Client) MustRevokeToken() {
- if err := c.RevokeToken(); err != nil {
+ lookupPath := "auth/token/lookup-self"
+ const serviceTokenPrefix = "hvs."
+
+ secret, err := c.GetSecret(lookupPath)
+ if err != nil {
+ log.Entry().Warnf("Could not lookup token at %s, not continuing to revoke: %v", lookupPath, err)
+ return
+ }
+
+ tokenID, ok := secret.Data["id"].(string)
+ if !ok {
+ log.Entry().Warnf("Could not lookup token.Data.id at %s, not continuing to revoke", lookupPath)
+ return
+ }
+
+ if !strings.HasPrefix(tokenID, serviceTokenPrefix) {
+ log.Entry().Warnf("Service token not identified at %s, not continuing to revoke", lookupPath)
+ return
+ }
+
+ if err = c.RevokeToken(); err != nil {
 log.Entry().WithError(err).Fatal("Could not revoke token")
 }
 }
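Review bot: The doc comment kept as context above the signature, `MustRevokeToken same as RevokeToken but the program is terminated with an error if this fails.`, no longer describes the function: after this hunk it returns with only a warning when lookup-self fails, when `id` is missing or not a string, or when the token lacks the `hvs.` prefix, and terminates only on a failed revoke; replace the first line with `// MustRevokeToken revokes the client token only when auth/token/lookup-self identifies it as a service token (id prefix "hvs.");` and `// lookup failures, a missing id and non-service tokens are logged and skipped, while a failed revoke terminates the program.`, keeping the defer-only sentence. `tokenID, ok := secret.Data["id"].(string)` dereferences `secret` without a nil check; if `GetSecret` (defined outside the hunk) can return a nil secret together with a nil error, as the underlying Vault `Logical().Read` does for a missing path, this line panics inside a deferred cleanup, so the error guard should read `if err != nil || secret == nil {`. The service/batch decision rests solely on the `hvs.` id prefix; lookup-self also reports the token's `type` (`service` or `batch`), and checking that would classify tokens in the older id format correctly instead of leaving such service tokens unrevoked — worth confirming against the Vault versions the project targets.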