
Allow revoking a list of accessors or tokens #2864

Open
jefferai opened this issue Jun 14, 2017 · 4 comments

Comments

@jefferai
Member

Ref #2576 (comment)

Should be easy to do with TypeStringSlice!

@jefferai jefferai added this to the 0.7.4 milestone Jun 14, 2017
@jefferai
Member Author

(Note to Vault team: probably will be worked on by an outside contributor, don't address this for now.)

@ikhahmedov

What is the preferred way of handling API changes in the current situation?
Should we keep compatibility, and if so, how?

  1. When revoking only one accessor/token, behave as in the old API (the old API returns an empty response), but add a warning like: this API will be deprecated, please use the "accessors|tokens" field with one or multiple comma-separated values instead of the "accessor|token" field.

  2. Break compatibility and return which accessors/tokens were revoked successfully and which were not.

```json
[
  { "token": "a-b-c-d", "error": "error text" },
  { "token": "a-b-c-e" }
]
```

(if the JSON object doesn't contain an "error" field, that means the revocation was successful)

  3. Fail immediately when one of the tokens couldn't be revoked, with an error showing which token failed to revoke: "error": "1 errors \n\n token a-b-c-d permission denied". This may not be convenient in some cases; the worst case is permission denied for all tokens, where the user would have to call revoke N times, every time decreasing the number of tokens given as an argument.

@jefferai
Member Author

At the HTTP layer we don't need to have an API change, because the field data can be of type TypeCommaStringSlice which will handle single values, a slice of values, or a comma-delineated string.

For the Go API we could add plural versions of the functions.

I think if a single value fails to be revoked we should note it and continue, trying to revoke as many items as possible. I'm not sure what we should return though. Some possibilities are the counts of revoked/not revoked values; another is the list of values that failed to be revoked, to make it efficient to try again.
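The behaviour sketched above (accept a single value, a slice or a comma-delimited string; keep going when one item fails; hand back the failures so only those need retrying) as an added Go example, not Vault's own code: `normalizeList`, `RevokeAll` and the `revoke` hook are hypothetical stand-ins, and the accessor values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeList splits each field on commas and returns a trimmed, de-duplicated list, so a
// single value, a comma-delimited string and a slice all normalise the same way (a stand-in
// for the TypeCommaStringSlice behaviour described in the thread, not Vault's own code).
func normalizeList(fields ...string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, f := range fields {
		for _, p := range strings.Split(f, ",") {
			if p = strings.TrimSpace(p); p == "" || seen[p] {
				continue // skip blanks and repeats so nothing is attempted twice
			}
			seen[p] = true
			out = append(out, p)
		}
	}
	return out
}

// RevokeAll tries every item, continuing past individual failures, and returns the count revoked
// plus a map of failed item -> error text so the caller can retry only those.
func RevokeAll(revoke func(string) error, fields ...string) (int, map[string]string) {
	revoked, failed := 0, map[string]string{}
	for _, a := range normalizeList(fields...) {
		if err := revoke(a); err != nil {
			failed[a] = err.Error() // record and keep going
			continue
		}
		revoked++
	}
	return revoked, failed
}

func main() {
	// Constructed sample with a hypothetical hook: revoking "acc-2" is denied, the rest succeed.
	revoke := func(a string) error {
		if a == "acc-2" {
			return fmt.Errorf("permission denied")
		}
		return nil
	}
	n, failed := RevokeAll(revoke, "acc-1, acc-2,acc-3", "acc-1")
	fmt.Printf("revoked=%d failed=%v\n", n, failed) // revoked=2 failed=map[acc-2:permission denied]
}
```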

@jefferai jefferai modified the milestones: 0.7.4, 0.8.0 Jul 24, 2017
@jefferai jefferai modified the milestones: 0.8.0, next-release Aug 8, 2017
@jefferai jefferai modified the milestones: next-release, 0.8.2 Aug 18, 2017
@jefferai jefferai modified the milestones: 0.8.2, 0.8.3 Aug 31, 2017
@jefferai jefferai modified the milestones: 0.8.3, 0.8.4 Sep 25, 2017
@jefferai jefferai modified the milestones: 0.8.4, near-term Oct 19, 2017
@pldmgg

pldmgg commented Apr 1, 2018

For anyone who stumbles across this thread like I did, I wrote some PowerShell functions that can accomplish this. Obviously whatever a real contributor or the Vault team adds to the Go code will be a better solution, but in the meantime, this should be fine (especially since it seems like you're supposed to use LDAP, etc. for auth to Vault instead of tokens).

To load my Get-VaultTokens and Revoke-VaultToken functions:

```powershell
PS C:\Users\testadmin> Invoke-WebRequest -Uri "https://gist.githubusercontent.com/pldmgg/6b8b0fb9b17670ee6375c3af22f1f63e/raw/d1748bc262177e293b66e766bc026bcd0395b710/VaultTokenManagement.ps1" -OutFile "$HOME\Downloads\VaultTokenManagement.ps1"
PS C:\Users\testadmin> . "$HOME\Downloads\VaultTokenManagement.ps1"
```

Sample Usage:
Scenario - Remove all tokens except root

```powershell
PS C:\Users\testadmin> $VaultBaseUri = "http://192.168.2.12:8200/v1"
PS C:\Users\testadmin> $VaultAuthToken = "myroot"
PS C:\Users\testadmin> $VaultTokensToRemove = Get-VaultTokens -VaultBaseUri $VaultBaseUri -VaultAuthToken $VaultAuthToken | Where-Object {$_.id -ne $VaultAuthToken}
PS C:\Users\testadmin> $RevokeTokensResult = Revoke-VaultToken -VaultBaseUri $VaultBaseUri -VaultAuthToken $VaultAuthToken -TokensToDelete $VaultTokensToRemove.Id
PS C:\Users\testadmin> $RevokeTokensResult | Format-List *
```

Hope this can help some folks.
