From 3ad2628095bf5e162807e428bc84a3601c8a300c Mon Sep 17 00:00:00 2001
From: Anil Keshav
Date: Tue, 22 Oct 2024 10:50:32 +0200
Subject: [PATCH] feat(vault): not allowing batch token revoke (#4918)

* not allowing batch token revoke

* chaging values to hold variable name

* error message when identifying service token

* refactor

---------

Co-authored-by: Googlom
---
 pkg/vault/vault.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/pkg/vault/vault.go b/pkg/vault/vault.go
index 5943b31c19..4d916230b3 100644
--- a/pkg/vault/vault.go
+++ b/pkg/vault/vault.go
@@ -7,6 +7,7 @@ import (
 "github.com/hashicorp/vault/api"
 "path"
 "strconv"
+ "strings"
 "time"
 )
 
@@ -181,7 +182,27 @@ func (c *Client) RevokeToken() error {
 // MustRevokeToken same as RevokeToken but the program is terminated with an error if this fails.
 // Should be used in defer statements only.
 func (c *Client) MustRevokeToken() {
- if err := c.RevokeToken(); err != nil {
+ lookupPath := "auth/token/lookup-self"
+ const serviceTokenPrefix = "hvs."
+
+ secret, err := c.GetSecret(lookupPath)
+ if err != nil {
+ log.Entry().Warnf("Could not lookup token at %s, not continuing to revoke: %v", lookupPath, err)
+ return
+ }
+
+ tokenID, ok := secret.Data["id"].(string)
+ if !ok {
+ log.Entry().Warnf("Could not lookup token.Data.id at %s, not continuing to revoke", lookupPath)
+ return
+ }
+
+ if !strings.HasPrefix(tokenID, serviceTokenPrefix) {
+ log.Entry().Warnf("Service token not identified at %s, not continuing to revoke", lookupPath)
+ return
+ }
+
+ if err = c.RevokeToken(); err != nil {
 log.Entry().WithError(err).Fatal("Could not revoke token")
 }
 }
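Review bot: The `strings.HasPrefix(tokenID, serviceTokenPrefix)` check in the second hunk skips revocation for every token that is not in the `hvs.` format, so a service token issued in the older `s.` format (or any future format) is never revoked and stays valid until its TTL expires, which is the unsafe default for a cleanup path. The lookup-self response also carries a `type` field (`"service"` or `"batch"`), and deciding on that is less brittle than an ID prefix: `if tokenType, _ := secret.Data["type"].(string); tokenType == "batch" { log.Entry().Warnf("Batch token at %s cannot be revoked, skipping", lookupPath); return }`. `secret` is dereferenced right after `GetSecret` without a nil check; if that helper can return a nil secret with a nil error (as the Vault client's `Read` does for a missing path), `secret.Data["id"]` panics inside a deferred call, so guard with `if secret == nil || secret.Data == nil { ...; return }`. The doc comment above the function still says the program is terminated when revocation fails, but a lookup failure or a non-service token now only warns and returns, so the comment should state that those cases are skipped with a warning rather than being fatal. `lookupPath` could be declared `const` alongside `serviceTokenPrefix` since it never changes.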