diff --git a/vault/expiration.go b/vault/expiration.go
index a164b34a0435..f0f885edbd81 100644
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -395,7 +395,7 @@ func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*log
 }
 // Check if the lease is renewable
- if err := le.renewableErr(); err != nil {
+ if _, err := le.renewable(); err != nil {
 return nil, err
 }
@@ -450,7 +450,7 @@ func (m *ExpirationManager) RenewToken(req *logical.Request, source string, toke
 // Check if the lease is renewable. Note that this also checks for a nil
 // lease and errors in that case as well.
- if err := le.renewableErr(); err != nil {
+ if _, err := le.renewable(); err != nil {
 return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 }
@@ -845,32 +845,26 @@ func (le *leaseEntry) encode() ([]byte, error) {
 return json.Marshal(le)
 }
-func (le *leaseEntry) renewable() bool {
- if err := le.renewableErr(); err == nil {
- return true
- }
- return false
-}
-
-func (le *leaseEntry) renewableErr() error {
+func (le *leaseEntry) renewable() (bool, error) {
+ var err error
+ switch {
 // If there is no entry, cannot review
- if le == nil || le.ExpireTime.IsZero() {
- return fmt.Errorf("lease not found or lease is not renewable")
- }
-
+ case le == nil || le.ExpireTime.IsZero():
+ err = fmt.Errorf("lease not found or lease is not renewable")
 // Determine if the lease is expired
- if le.ExpireTime.Before(time.Now()) {
- return fmt.Errorf("lease expired")
- }
-
+ case le.ExpireTime.Before(time.Now()):
+ err = fmt.Errorf("lease expired")
 // Determine if the lease is renewable
- if le.Secret != nil && !le.Secret.Renewable {
- return fmt.Errorf("lease is not renewable")
+ case le.Secret != nil && !le.Secret.Renewable:
+ err = fmt.Errorf("lease is not renewable")
+ case le.Auth != nil && !le.Auth.Renewable:
+ err = fmt.Errorf("lease is not renewable")
 }
- if le.Auth != nil && !le.Auth.Renewable {
- return fmt.Errorf("lease is not renewable")
+
+ if err != nil {
+ return false, err
 }
- return nil
+ return true, nil
 }
 func (le *leaseEntry) ttl() int64 {
diff --git a/vault/expiration_test.go b/vault/expiration_test.go
index b8255b3e9d6b..ced6b42318f7 100644
--- a/vault/expiration_test.go
+++ b/vault/expiration_test.go
@@ -1075,7 +1075,8 @@ func TestLeaseEntry(t *testing.T) {
 },
 Secret: &logical.Secret{
 LeaseOptions: logical.LeaseOptions{
- TTL: time.Minute,
+ TTL: time.Minute,
+ Renewable: true,
 },
 },
 IssueTime: time.Now(),
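Review bot: The bool returned by the new `renewable` carries no information beyond the error (it is `true` exactly when `err == nil`), so every caller in this change discards one of the two (`_, err` in Renew and RenewToken, `renewable, _` in the lookup handlers); either return only the error and let callers test `err == nil`, or keep the pair and state the invariant on the method, e.g. `// renewable reports whether le can be renewed; the error explains a false result and is nil iff the result is true.` The four messages are constant strings, so `errors.New` (or package-level sentinels that RenewToken could match with `errors.Is` rather than surfacing `err.Error()` verbatim) would be the idiomatic form. The `le == nil` case has to remain the first case because every later case dereferences `le`; a one-line comment saying so would protect it from reordering. The context comment `// If there is no entry, cannot review` reads like a typo for `cannot renew`.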
@@ -1095,6 +1096,37 @@ func TestLeaseEntry(t *testing.T) { if !reflect.DeepEqual(out.Data, le.Data) { t.Fatalf("got: %#v, expect %#v", out, le) } + + // Test renewability + le.ExpireTime = time.Time{} + if r, _ := le.renewable(); r { + t.Fatal("lease with zero expire time is not renewable") + } + le.ExpireTime = time.Now().Add(-1 * time.Hour) + if r, _ := le.renewable(); r { + t.Fatal("lease with expire time in the past is not renewable") + } + le.ExpireTime = time.Now().Add(1 * time.Hour) + if r, err := le.renewable(); !r { + t.Fatalf("lease with future expire time is renewable, err: %v", err) + } + le.Secret.LeaseOptions.Renewable = false + if r, _ := le.renewable(); r { + t.Fatal("secret is set to not be renewable but returns as renewable") + } + le.Secret = nil + le.Auth = &logical.Auth{ + LeaseOptions: logical.LeaseOptions{ + Renewable: true, + }, + } + if r, err := le.renewable(); !r { + t.Fatalf("auth is renewable but is set to not be, err: %v", err) + } + le.Auth.LeaseOptions.Renewable = false + if r, _ := le.renewable(); r { + t.Fatal("auth is set to not be renewable but returns as renewable") + } } func TestExpiration_RevokeForce(t *testing.T) { diff --git a/vault/logical_system.go b/vault/logical_system.go index 076442d63984..df154e56d6c0 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -62,8 +62,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen "replication/reindex", "rotate", "config/auditing/*", - "lease/lookup*", - "lease/revoke-prefix/*", + "leases/revoke-prefix/*", "revoke-prefix/*", }, @@ -301,7 +300,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen }, &framework.Path{ - Pattern: "lease/lookup" + framework.OptionalParamRegex("prefix"), + Pattern: "leases/lookup(/)?" + framework.OptionalParamRegex("prefix"), Fields: map[string]*framework.FieldSchema{ "lease_id": &framework.FieldSchema{ 
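Review bot: Removing `"lease/lookup*"` from the root-protected paths without adding a `"leases/lookup*"` counterpart changes the authorization required for lease lookup and listing from root/sudo to ordinary policy, while only the revoke-prefix path is carried over under the new name. If that relaxation is intended it deserves a sentence in the commit message and in the new API page (which mentions `sudo` only for revoke-prefix); if it is not, the list should read `"leases/lookup*",` next to `"leases/revoke-prefix/*",`. The list endpoint returns lease IDs, which are exactly the inputs the non-sudo renew and revoke endpoints accept, so the policy scope of `sys/leases/lookup` is worth being explicit about. I cannot see from this hunk whether lookup is gated elsewhere, so treat this as a question rather than a confirmed defect.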
@@ -324,7 +323,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen }, &framework.Path{ - Pattern: "(lease/)?renew" + framework.OptionalParamRegex("url_lease_id"), + Pattern: "(leases/)?renew" + framework.OptionalParamRegex("url_lease_id"), Fields: map[string]*framework.FieldSchema{ "url_lease_id": &framework.FieldSchema{ @@ -350,7 +349,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen }, &framework.Path{ - Pattern: "(lease/)?revoke" + framework.OptionalParamRegex("url_lease_id"), + Pattern: "(leases/)?revoke" + framework.OptionalParamRegex("url_lease_id"), Fields: map[string]*framework.FieldSchema{ "url_lease_id": &framework.FieldSchema{ @@ -372,7 +371,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen }, &framework.Path{ - Pattern: "(lease/)?revoke-force/(?P.+)", + Pattern: "(leases/)?revoke-force/(?P.+)", Fields: map[string]*framework.FieldSchema{ "prefix": &framework.FieldSchema{ @@ -390,7 +389,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen }, &framework.Path{ - Pattern: "(lease/)?revoke-prefix/(?P.+)", + Pattern: "(leases/)?revoke-prefix/(?P.+)", Fields: map[string]*framework.FieldSchema{ "prefix": &framework.FieldSchema{ @@ -1300,7 +1299,7 @@ func (b *SystemBackend) handleTuneWriteCommon( return nil, nil } -// handleLeasse is use to view the metadata for a given LeaseID +// handleLease is use to view the metadata for a given LeaseID func (b *SystemBackend) handleLeaseLookup( req *logical.Request, data *framework.FieldData) (*logical.Response, error) { leaseID := data.Get("lease_id").(string) 
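Review bot: The `(leases/)?` groups keep the bare legacy forms (`renew`, `revoke`, `revoke-force/…`, `revoke-prefix/…`) matching but drop the `lease/`-prefixed spellings entirely, so a client still calling `sys/lease/renew` or `sys/lease/revoke-prefix/…` gets an unsupported-path error after this change; the same applies to the -350, -372 and -390 hunks. If a deprecation window is intended, `(lease/|leases/)?` would accept both spellings; if the hard cut is intended, it should be called out in the changelog, since existing ACL policies granting `sys/lease/*` no longer cover these operations. The prefix regex renders here as `(?P.+)`, which looks like the named group's angle brackets were lost in display rather than in the source, but is worth a glance.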
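Review bot: The comment fix on handleLeaseLookup corrects the name but leaves `is use to`; suggest `// handleLeaseLookup is used to view the metadata for a given lease ID.` The body of handleLeaseLookup continues outside this hunk.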
@@ -1320,13 +1319,18 @@ func (b *SystemBackend) handleLeaseLookup(
 resp := &logical.Response{
 Data: map[string]interface{}{
- "id": leaseID,
- "creation_time": leaseTimes.IssueTime,
- "renewable": leaseTimes.renewable(),
+ "id": leaseID,
+ "issue_time": leaseTimes.IssueTime,
+ "expire_time": nil,
+ "last_renewal_time": nil,
+ "ttl": int64(0),
 },
 }
+ renewable, _ := leaseTimes.renewable()
+ resp.Data["renewable"] = renewable
+
 if !leaseTimes.LastRenewalTime.IsZero() {
- resp.Data["last_renewal_time"] = leaseTimes.LastRenewalTime
+ resp.Data["last_renewal"] = leaseTimes.LastRenewalTime
 }
 if !leaseTimes.ExpireTime.IsZero() {
 resp.Data["expire_time"] = leaseTimes.ExpireTime
@@ -1338,9 +1342,10 @@ func (b *SystemBackend) handleLeaseLookupList(
 req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 prefix := data.Get("prefix").(string)
- if !strings.HasSuffix(prefix, "/") {
+ if prefix != "" && !strings.HasSuffix(prefix, "/") {
 prefix = prefix + "/"
 }
+ prefix = strings.TrimPrefix(prefix, "/")
 keys, err := b.Core.expiration.idView.List(prefix)
 if err != nil {
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
index f022ab5244d9..b1ca28733044 100644
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -25,8 +25,7 @@ func TestSystemBackend_RootPaths(t *testing.T) {
 "replication/reindex",
 "rotate",
 "config/auditing/*",
- "lease/lookup*",
- "lease/revoke-prefix/*",
+ "leases/revoke-prefix/*",
 "revoke-prefix/*",
 }
@@ -345,7 +344,7 @@ func TestSystemBackend_lease(t *testing.T) {
 }
 // Read lease
- req = logical.TestRequest(t, logical.UpdateOperation, "lease/lookup")
+ req = logical.TestRequest(t, logical.UpdateOperation, "leases/lookup")
 req.Data["lease_id"] = resp.Secret.LeaseID
 resp, err = b.HandleRequest(req)
 if err != nil {
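Review bot: The seeded map uses the key `"last_renewal_time": nil`, but the populated branch writes `resp.Data["last_renewal"]`, so a renewed lease is returned with both a null `last_renewal_time` and a populated `last_renewal`, and an un-renewed lease with only the former; the two keys must agree. Either change the seed to `"last_renewal": nil,` or the assignment to `resp.Data["last_renewal_time"] = leaseTimes.LastRenewalTime`, whichever name the new leases.html.md is meant to document (its Read Lease sample response is empty in this change, so the doc does not settle it). Discarding the error from `renewable()` is reasonable here because only the flag is exposed, but a comment such as `// only the flag is part of the response; the reason is reported by renew itself` would make the `_` read as deliberate.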
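Review bot: After the new `TrimPrefix`, a `prefix` of `""` or `"/"` makes `idView.List("")` enumerate every lease ID in the store, which is a much wider disclosure than listing under a named prefix, and nothing in handleLeaseLookupList says that this is intended; a comment such as `// An empty prefix lists every lease ID; callers are expected to be limited by policy on this path.` (hedged, since I cannot see the policy gating from here) would document it. Normalising the leading slash before the suffix check rather than after would also let the `prefix != ""` guard read as one step. handleLeaseLookupList continues outside the hunk.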
@@ -356,7 +355,7 @@ func TestSystemBackend_lease(t *testing.T) { } // Invalid lease - req = logical.TestRequest(t, logical.UpdateOperation, "lease/lookup") + req = logical.TestRequest(t, logical.UpdateOperation, "leases/lookup") req.Data["lease_id"] = "invalid" resp, err = b.HandleRequest(req) if err != logical.ErrInvalidRequest { @@ -391,7 +390,7 @@ func TestSystemBackend_lease_list(t *testing.T) { } // List lease - req = logical.TestRequest(t, logical.ListOperation, "lease/lookup/secret/foo") + req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret/foo") resp, err = b.HandleRequest(req) if err != nil { t.Fatalf("err: %v", err) @@ -429,7 +428,7 @@ func TestSystemBackend_lease_list(t *testing.T) { t.Fatalf("bad: %#v", resp) } - req = logical.TestRequest(t, logical.ListOperation, "lease/lookup/secret/foo") + req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret/foo") resp, err = b.HandleRequest(req) if err != nil { t.Fatalf("err: %v", err) @@ -468,7 +467,7 @@ func TestSystemBackend_lease_list(t *testing.T) { t.Fatalf("bad: %#v", resp) } - req = logical.TestRequest(t, logical.ListOperation, "lease/lookup/secret") + req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret") resp, err = b.HandleRequest(req) if err != nil { t.Fatalf("err: %v", err) @@ -517,7 +516,7 @@ func TestSystemBackend_renew(t *testing.T) { } // Attempt renew - req2 := logical.TestRequest(t, logical.UpdateOperation, "lease/renew/"+resp.Secret.LeaseID) + req2 := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID) resp2, err := b.HandleRequest(req2) if err != logical.ErrInvalidRequest { t.Fatalf("err: %v", err) 
@@ -553,7 +552,7 @@ func TestSystemBackend_renew(t *testing.T) { } // Attempt renew - req2 = logical.TestRequest(t, logical.UpdateOperation, "lease/renew/"+resp.Secret.LeaseID) + req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID) resp2, err = b.HandleRequest(req2) if err != nil { t.Fatalf("err: %v", err) @@ -569,7 +568,7 @@ func TestSystemBackend_renew(t *testing.T) { } // Test the other route path - req2 = logical.TestRequest(t, logical.UpdateOperation, "lease/renew") + req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/renew") req2.Data["lease_id"] = resp.Secret.LeaseID resp2, err = b.HandleRequest(req2) if err != nil { @@ -607,7 +606,7 @@ func TestSystemBackend_renew_invalidID(t *testing.T) { b := testSystemBackend(t) // Attempt renew - req := logical.TestRequest(t, logical.UpdateOperation, "lease/renew/foobarbaz") + req := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/foobarbaz") resp, err := b.HandleRequest(req) if err != logical.ErrInvalidRequest { t.Fatalf("err: %v", err) @@ -617,7 +616,7 @@ func TestSystemBackend_renew_invalidID(t *testing.T) { } // Attempt renew with other method - req = logical.TestRequest(t, logical.UpdateOperation, "lease/renew") + req = logical.TestRequest(t, logical.UpdateOperation, "leases/renew") req.Data["lease_id"] = "foobarbaz" resp, err = b.HandleRequest(req) if err != logical.ErrInvalidRequest { @@ -734,7 +733,7 @@ func TestSystemBackend_revoke(t *testing.T) { } // Test the other route path - req2 = logical.TestRequest(t, logical.UpdateOperation, "lease/revoke") + req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/revoke") req2.Data["lease_id"] = resp.Secret.LeaseID resp2, err = b.HandleRequest(req2) if err != nil { 
@@ -749,7 +748,7 @@ func TestSystemBackend_revoke_invalidID(t *testing.T) { b := testSystemBackend(t) // Attempt revoke - req := logical.TestRequest(t, logical.UpdateOperation, "lease/revoke/foobarbaz") + req := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke/foobarbaz") resp, err := b.HandleRequest(req) if err != nil { t.Fatalf("err: %v", err) @@ -759,7 +758,7 @@ func TestSystemBackend_revoke_invalidID(t *testing.T) { } // Attempt revoke with other method - req = logical.TestRequest(t, logical.UpdateOperation, "lease/revoke") + req = logical.TestRequest(t, logical.UpdateOperation, "leases/revoke") req.Data["lease_id"] = "foobarbaz" resp, err = b.HandleRequest(req) if err != nil { @@ -823,7 +822,7 @@ func TestSystemBackend_revokePrefix(t *testing.T) { } // Attempt revoke - req2 := logical.TestRequest(t, logical.UpdateOperation, "lease/revoke-prefix/secret/") + req2 := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke-prefix/secret/") resp2, err := b.HandleRequest(req2) if err != nil { t.Fatalf("err: %v %#v", err, resp2) @@ -833,7 +832,7 @@ func TestSystemBackend_revokePrefix(t *testing.T) { } // Attempt renew - req3 := logical.TestRequest(t, logical.UpdateOperation, "lease/renew/"+resp.Secret.LeaseID) + req3 := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID) resp3, err := b.HandleRequest(req3) if err != logical.ErrInvalidRequest { t.Fatalf("err: %v", err) @@ -936,7 +935,7 @@ func TestSystemBackend_revokePrefixAuth(t *testing.T) { t.Fatalf("err: %v", err) } - req := logical.TestRequest(t, logical.UpdateOperation, "lease/revoke-prefix/auth/github/") + req := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke-prefix/auth/github/") resp, err := b.HandleRequest(req) if err != nil { t.Fatalf("err: %v %v", err, resp) diff --git a/vault/token_store.go b/vault/token_store.go index 323137e6dfce..ed68f128b180 100644 --- a/vault/token_store.go +++ b/vault/token_store.go 
@@ -1858,6 +1858,7 @@ func (ts *TokenStore) handleLookup(
 "orphan": false,
 "creation_time": int64(out.CreationTime),
 "creation_ttl": int64(out.TTL.Seconds()),
+ "expire_time": nil,
 "ttl": int64(0),
 "explicit_max_ttl": int64(out.ExplicitMaxTTL.Seconds()),
 },
@@ -1887,7 +1888,8 @@ func (ts *TokenStore) handleLookup(
 resp.Data["expire_time"] = leaseTimes.ExpireTime
 resp.Data["ttl"] = leaseTimes.ttl()
 }
- resp.Data["renewable"] = leaseTimes.renewable()
+ renewable, _ := leaseTimes.renewable()
+ resp.Data["renewable"] = renewable
 resp.Data["issue_time"] = leaseTimes.IssueTime
 }
diff --git a/website/source/api/system/lease.html.md b/website/source/api/system/lease.html.md
deleted file mode 100644
index afa0c2706a8e..000000000000
--- a/website/source/api/system/lease.html.md
+++ /dev/null
@@ -1,155 +0,0 @@ ---- -layout: "api" -page_title: "/sys/lease - HTTP API" -sidebar_current: "docs-http-system-lease" -description: |- - The `/sys/lease` endpoint is used to view and manage leases. ---- - -# `/sys/lease/renew` - -The `/sys/lease/renew` endpoint is used to renew secrets. - -## Renew Secret - -This endpoint renews a secret, requesting to extend the lease. - -| Method | Path | Produces | -| :------- | :--------------------------- | :--------------------- | -| `PUT` | `/sys/lease/renew` | `200 application/json` | - -### Parameters - -- `lease_id` `(string: )` – Specifies the ID of the lease to extend. - This can be specified as part of the URL or as part of the request body. - -- `increment` `(int: 0)` – Specifies the requested amount of time (in seconds) - to extend the lease. - -### Sample Payload - -```json -{ - "lease_id": "aws/creds/deploy/abcd-1234...", - "increment": 1800 -} -``` - -### Sample Request - -``` -$ curl \ - --header "X-Vault-Token: ..." \ - --request PUT \ - --data @payload.json \ - https://vault.rocks/v1/sys/lease/renew -``` - -### Sample Response - -```json -{ - "lease_id": "aws/creds/deploy/abcd-1234...", - "renewable": true, - "lease_duration": 2764790 -} -``` - -# `/sys/lease/revoke` - -The `/sys/lease/revoke` endpoint is used to revoke secrets. - -## Revoke Secret - -This endpoint revokes a secret immediately. - -| Method | Path | Produces | -| :------- | :--------------------------- | :--------------------- | -| `PUT` | `/sys/lease/revoke` | `204 (empty body)` | - -### Parameters - -- `lease_id` `(string: )` – Specifies the ID of the lease to revoke. - -### Sample Payload - -```json -{ - "lease_id": "postgresql/creds/readonly/abcd-1234..." -} -``` - -### Sample Request - -``` -$ curl \ - --header "X-Vault-Token: ..." 
\ - --request PUT \ - --data @payload.json \ - https://vault.rocks/v1/sys/lease/revoke -``` - -# `/sys/lease/revoke-force` - -The `/sys/lease/revoke-force` endpoint is used to revoke secrets or tokens -based on prefix while ignoring backend errors. - -## Revoke Force - -This endpoint revokes all secrets or tokens generated under a given prefix -immediately. Unlike `/sys/lease/revoke-prefix`, this path ignores backend errors -encountered during revocation. This is _potentially very dangerous_ and should -only be used in specific emergency situations where errors in the backend or the -connected backend service prevent normal revocation. - -By ignoring these errors, Vault abdicates responsibility for ensuring that the -issued credentials or secrets are properly revoked and/or cleaned up. Access to -this endpoint should be tightly controlled. - -| Method | Path | Produces | -| :------- | :--------------------------------- | :--------------------- | -| `PUT` | `/sys/lease/revoke-force/:prefix` | `204 (empty body)` | - -### Parameters - -- `prefix` `(string: )` – Specifies the prefix to revoke. This is - specified as part of the URL. - -### Sample Request - -``` -$ curl \ - --header "X-Vault-Token: ..." \ - --request PUT \ - https://vault.rocks/v1/sys/lease/revoke-force/aws/creds -``` - -# `/sys/lease/revoke-prefix` - -The `/sys/lease/revoke-prefix` endpoint is used to revoke secrets or tokens based on -prefix. - -## Revoke Prefix - -This endpoint revokes all secrets (via a lease ID prefix) or tokens (via the -tokens' path property) generated under a given prefix immediately. This requires -`sudo` capability and access to it should be tightly controlled as it can be -used to revoke very large numbers of secrets/tokens at once. 
- -| Method | Path | Produces | -| :------- | :--------------------------------- | :--------------------- | -| `PUT` | `/sys/lease/revoke-prefix/:prefix` | `204 (empty body)` | - -### Parameters - -- `prefix` `(string: )` – Specifies the prefix to revoke. This is - specified as part of the URL. - -### Sample Request - -``` -$ curl \ - --header "X-Vault-Token: ..." \ - --request PUT \ - https://vault.rocks/v1/sys/lease/revoke-prefix/aws/creds -``` diff --git a/website/source/api/system/leases.html.md b/website/source/api/system/leases.html.md new file mode 100644 index 000000000000..84eb9a14bec2 --- /dev/null +++ b/website/source/api/system/leases.html.md 
@@ -0,0 +1,237 @@ +--- +layout: "api" +page_title: "/sys/leases - HTTP API" +sidebar_current: "docs-http-system-leases" +description: |- + The `/sys/leases` endpoints are used to view and manage leases. +--- + +# `/sys/leases/lookup` + +The `/sys/leases/lookup` endpoint is used to lookup metadata related to +leases. + +## Read Lease + +This endpoint retrieve lease metadata. + +| Method | Path | Produces | +| :------- | :---------------------------- | :--------------------- | +| `PUT` | `/sys/leases/lookup` | `200 application/json` | + +### Parameters + +- `lease_id` `(string: )` – Specifies the ID of the lease to lookup. + +### Sample Payload + +```json +{ + "lease_id": "aws/creds/deploy/abcd-1234..." +} +``` + +### Sample Request + +``` +$ curl \ + --header "X-Vault-Token: ..." \ + --request PUT \ + --data @payload.json \ + https://vault.rocks/v1/sys/leases/lookup +``` + +### Sample Response + +```json +{ + + + + + + + + +} +``` + +## List Leases + +This endpoint returns a list of lease ids. + +| Method | Path | Produces | +| :------- | :--------------------------- | :--------------------- | +| `LIST` | `/sys/leases/lookup/:prefix` | `200 application/json` | + + +### Sample Request + +``` +$ curl \ + --header "X-Vault-Token: ..." \ + --request LIST \ + https://vault.rocks/v1/sys/leases/lookup/aws/creds/deploy/ +``` + +### Sample Response + +```json +{ + "data":{ + "keys":[ + "abcd-1234...", + "efgh-1234...", + "ijkl-1234..." + ] + } +} +``` + +# `/sys/leases/renew` + +The `/sys/leases/renew` endpoint is used to renew secrets. + +## Renew Secret + +This endpoint renews a secret, requesting to extend the lease. + +| Method | Path | Produces | +| :------- | :---------------------------- | :--------------------- | +| `PUT` | `/sys/leases/renew` | `200 application/json` | + +### Parameters + +- `lease_id` `(string: )` – Specifies the ID of the lease to extend. + This can be specified as part of the URL or as part of the request body. 
+ +- `increment` `(int: 0)` – Specifies the requested amount of time (in seconds) + to extend the lease. + +### Sample Payload + +```json +{ + "lease_id": "aws/creds/deploy/abcd-1234...", + "increment": 1800 +} +``` + +### Sample Request + +``` +$ curl \ + --header "X-Vault-Token: ..." \ + --request PUT \ + --data @payload.json \ + https://vault.rocks/v1/sys/leases/renew +``` + +### Sample Response + +```json +{ + "lease_id": "aws/creds/deploy/abcd-1234...", + "renewable": true, + "lease_duration": 2764790 +} +``` + +# `/sys/leases/revoke` + +The `/sys/leases/revoke` endpoint is used to revoke secrets. + +## Revoke Secret + +This endpoint revokes a secret immediately. + +| Method | Path | Produces | +| :------- | :---------------------------- | :--------------------- | +| `PUT` | `/sys/leases/revoke` | `204 (empty body)` | + +### Parameters + +- `lease_id` `(string: )` – Specifies the ID of the lease to revoke. + +### Sample Payload + +```json +{ + "lease_id": "postgresql/creds/readonly/abcd-1234..." +} +``` + +### Sample Request + +``` +$ curl \ + --header "X-Vault-Token: ..." \ + --request PUT \ + --data @payload.json \ + https://vault.rocks/v1/sys/leases/revoke +``` + +# `/sys/leases/revoke-force` + +The `/sys/leases/revoke-force` endpoint is used to revoke secrets or tokens +based on prefix while ignoring backend errors. + +## Revoke Force + +This endpoint revokes all secrets or tokens generated under a given prefix +immediately. Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors +encountered during revocation. This is _potentially very dangerous_ and should +only be used in specific emergency situations where errors in the backend or the +connected backend service prevent normal revocation. + +By ignoring these errors, Vault abdicates responsibility for ensuring that the +issued credentials or secrets are properly revoked and/or cleaned up. Access to +this endpoint should be tightly controlled. 
+ +| Method | Path | Produces | +| :------- | :---------------------------------- | :--------------------- | +| `PUT` | `/sys/leases/revoke-force/:prefix` | `204 (empty body)` | + +### Parameters + +- `prefix` `(string: )` – Specifies the prefix to revoke. This is + specified as part of the URL. + +### Sample Request + +``` +$ curl \ + --header "X-Vault-Token: ..." \ + --request PUT \ + https://vault.rocks/v1/sys/leases/revoke-force/aws/creds +``` + +# `/sys/leases/revoke-prefix` + +The `/sys/leases/revoke-prefix` endpoint is used to revoke secrets or tokens based on +prefix. + +## Revoke Prefix + +This endpoint revokes all secrets (via a lease ID prefix) or tokens (via the +tokens' path property) generated under a given prefix immediately. This requires +`sudo` capability and access to it should be tightly controlled as it can be +used to revoke very large numbers of secrets/tokens at once. + +| Method | Path | Produces | +| :------- | :---------------------------------- | :--------------------- | +| `PUT` | `/sys/leases/revoke-prefix/:prefix` | `204 (empty body)` | + +### Parameters + +- `prefix` `(string: )` – Specifies the prefix to revoke. This is + specified as part of the URL. + +### Sample Request + +``` +$ curl \ + --header "X-Vault-Token: ..." \ + --request PUT \ + https://vault.rocks/v1/sys/leases/revoke-prefix/aws/creds +``` diff --git a/website/source/layouts/api.erb b/website/source/layouts/api.erb index fe6ec81f9e9a..9c54c2c9e59e 100644 --- a/website/source/layouts/api.erb +++ b/website/source/layouts/api.erb @@ -98,8 +98,8 @@ > /sys/leader - > - /sys/lease + > + /sys/leases > /sys/mounts