Add revoke-self command (#5)

* Add `revoke-self` command

* Change machine type

* fix YAML

* add `when: always` to `revoke-self` command

Author: smaeda-ks

.circleci/test-deploy.yml

@@ -9,7 +9,8 @@ filters: &filters
 
 jobs:
   integration-test:
-    machine: true
+    machine:
+      image: ubuntu-2004:current
     steps:
       - checkout
       - run:
@@ -53,7 +54,18 @@ jobs:
       - orb-hashicorp-vault-cli/auth-oidc:
           vault-address: "http://localhost:8200"
           vault-role: "circleci-orb-dev"
-      - run: vault kv get -field=test secret/circleci/orb
+      - run:
+          name: Get secret
+          command: vault kv get -field=test secret/circleci/orb
+      - orb-hashicorp-vault-cli/revoke-self
+      - run:
+          name: Get secret (should fail)
+          command: |
+              ret=$(set -e; vault kv get -field=test secret/circleci/orb &&:) &&:
+              if [ $? -eq 0 ]; then
+                exit 1
+              fi
+              exit 0
 workflows:
   test-deploy:
     jobs:

README.md

@@ -5,12 +5,13 @@
 
 A custom CircleCI Orb for HashiCorp Vault CLI.
 
-This Orb provides two [commands](https://circleci.com/docs/2.0/orb-concepts/#commands) as below:
+This Orb provides a few [commands](https://circleci.com/docs/2.0/orb-concepts/#commands) as below:
 
 | Command | Description | Documentation |
 | ---| --- | --- |
 | `install`   | Install Vault binary to the current executor environment. | [link](https://circleci.com/developer/orbs/orb/smaeda-ks/orb-hashicorp-vault-cli#commands-install) |
 | `auth-oidc` | Authenticate with Vault using OIDC and obtain a token. Upon successful authentication, the obtained token will be set to the `VAULT_TOKEN` environment variable using `$BASH_ENV`. | [link](https://circleci.com/developer/orbs/orb/smaeda-ks/orb-hashicorp-vault-cli#commands-auth-oidc) |
+| `revoke-self`   | Revoke the token set to the `VAULT_TOKEN` environment variable against the Vault instance set to the `VAULT_ADDR` environment variable. | [link](https://circleci.com/developer/orbs/orb/smaeda-ks/orb-hashicorp-vault-cli#commands-revoke-self) |
 
 ## Example Orb usage
 
@@ -40,6 +41,8 @@ usage:
               # so it can be referenced by subsequent steps within the job
               FOO=$(vault kv get -field=password secret/circleci/dev)
               echo "export SECRET_FOO=${FOO}" >> $BASH_ENV
+        # Revoke Vault token after finishing all steps
+        - orb-hashicorp-vault-cli/revoke-self
   workflows:
     use-my-orb:
       jobs:

src/commands/revoke-self.yml

@@ -0,0 +1,14 @@
+description: |
+  Revoke a Token (Self).
+  This command attempts to revoke the token set to the `VAULT_TOKEN` environment variable against the Vault instance set to the `VAULT_ADDR` environment variable. These environment variables are assumed to be already set by the `auth-oidc` command in the previous steps. When the token is revoked, all dynamic secrets generated with it are also revoked.
+steps:
+  - run:
+      when: always
+      name: Revoke Vault token
+      command: |
+        if [ ! "$(which vault)" ]; then
+            echo "vault is not installed. Please use install command first."
+            exit 1
+        fi
+
+        vault token revoke -self

src/examples/auth-oidc.yml

@@ -23,6 +23,8 @@ usage:
               # so it can be referenced by subsequent steps within the job
               FOO=$(vault kv get -field=foo secret/circleci/orb)
               echo "export SECRET_FOO=${FOO}" >> $BASH_ENV
+        # Revoke Vault token after finishing all steps
+        - orb-hashicorp-vault-cli/revoke-self
   workflows:
     use-my-orb:
       jobs: