Add read:self and delete:self to auth tokens and add logout command

CHANGELOG.md

@@ -4,6 +4,16 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 
 ## Next
 
+### Deprecations/Changes
+
+* Permissions in new scope default roles have been updated to include support
+  for `list`, `read:self`, and `delete:self` on `auth-token` resources. This
+  allows a user to list and manage their own authentication tokens. (As is the
+  case with other resources, `list` will still be limited to returning tokens on
+  which the user has authorization to perform actions, so granting this
+  capability does not automatically give user the ability to list other users'
+  authentication tokens.)
+
 ### New and Improved
 
 * actions: The new `no-op` action allows a grant to be given to a principals
@@ -13,17 +23,23 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
   `read` or other capabilities on the resources. The default scope permissions
   have been updated to convey `no-op,list` instead of `read,list`.
   [PR](https://github.com/hashicorp/boundary/pull/1138)
-* cli/api/sdk: User resources have new attributes for: 
+* cli/api/sdk: User resources have new attributes for:
   * Primary Account ID
   * Login Name
-  * Full Name 
-  * Email    
-
+  * Full Name
+  * Email
   These new user attributes correspond to attributes from the user's primary
-  auth method account.  These attributes will be empty when the user has no
+  auth method account. These attributes will be empty when the user has no
   account in the primary auth method for their scope, or there is no designated
-  primary auth method for their scope. 
-
+  primary auth method for their scope.
+* cli: Support for reading and deleting the user's own token via the new
+  `read:self` and `delete:self` actions on auth tokens. If no token ID is
+  provided, the stored token's ID will be used (after prompting), or `"self"`
+  can be set to the ID to trigger this behavior without prompting.
+  ([PR](https://github.com/hashicorp/boundary/pull/1162))
+* cli: New `logout` command deletes the current token in Boundary and forgets it
+  from the local system credential store
+  ([PR](https://github.com/hashicorp/boundary/pull/1134))
 
 ### Bug Fixes
 
@@ -253,10 +269,11 @@ database migrate` command.
 
 * controller/worker: Require names to be all lowercase. This removes ambiguity
   or accidental mismatching when using upcoming filtering features.
-* api/cli: Due to visibility changes on collection listing, a list
-  will not include any resources if the user only has `list` as an authorized action.
-  As a result `scope list`, which is used by the UI to populate the login scope dropdown, 
-  will be empty if the role granting the `u_anon` user `list` privileges is not updated to also contain a `read` action
+* api/cli: Due to visibility changes on collection listing, a list will not
+  include any resources if the user only has `list` as an authorized action. As
+  a result `scope list`, which is used by the UI to populate the login scope
+  dropdown, will be empty if the role granting the `u_anon` user `list`
+  privileges is not updated to also contain a `read` action
 
 ### New and Improved
 
@@ -269,13 +286,14 @@ database migrate` command.
 * api/cli: Most resource types now support recursive listing, allowing listing
   to occur down a scope tree
   ([PR](https://github.com/hashicorp/boundary/pull/885))
-* cli: Add a `database migrate` command which updates a database's schema to 
-  the version supported by the boundary binary ([PR](https://github.com/hashicorp/boundary/pull/872)).
+* cli: Add a `database migrate` command which updates a database's schema to the
+  version supported by the boundary binary
+  ([PR](https://github.com/hashicorp/boundary/pull/872)).
 
 ### Bug Fixes
 
-* controller/db: Correctly check if db init previously completed successfully 
-  when starting a controller or when running `database init` 
+* controller/db: Correctly check if db init previously completed successfully
+  when starting a controller or when running `database init`
   ([Issue](https://github.com/hashicorp/boundary/issues/805))
   ([PR](https://github.com/hashicorp/boundary/pull/842))
 * cli: When `output-curl-string` is used with `update` or `add-/remove-/set-`
@@ -284,8 +302,8 @@ database migrate` command.
   fetches the current version
   ([Issue](https://github.com/hashicorp/boundary/issues/856))
   ([PR](https://github.com/hashicorp/boundary/pull/858))
-* db: Fix panic in `database init` when controller config block is missing 
-  ([Issue](https://github.com/hashicorp/boundary/issues/819)) 
+* db: Fix panic in `database init` when controller config block is missing
+  ([Issue](https://github.com/hashicorp/boundary/issues/819))
   ([PR](https://github.com/hashicorp/boundary/pull/851))
 
 ## 0.1.4 (2021/01/05)
@@ -325,8 +343,8 @@ database migrate` command.
   ([PR](https://github.com/hashicorp/boundary/pull/831))
 * controller: Improved error handling in hosts, host catalog and host set
   ([PR](https://github.com/hashicorp/boundary/pull/786))
-* controller: Relax account login name constraints to allow dash as valid character 
-  ([Issue](https://github.com/hashicorp/boundary/issues/759))
+* controller: Relax account login name constraints to allow dash as valid
+  character ([Issue](https://github.com/hashicorp/boundary/issues/759))
   ([PR](https://github.com/hashicorp/boundary/pull/806))
 * cli/connect/http: Pass endpoint address through to allow setting TLS server
   name directly in most cases

internal/cmd/base/base.go

@@ -3,28 +3,22 @@ package base
 import (
 	"bytes"
 	"context"
-	"encoding/base64"
-	"encoding/json"
 	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"os/signal"
 	"regexp"
-	"runtime"
 	"strings"
 	"sync"
 	"syscall"
 
 	"github.com/hashicorp/boundary/api"
-	"github.com/hashicorp/boundary/api/authtokens"
 	"github.com/hashicorp/boundary/sdk/wrapper"
-	nkeyring "github.com/jefferai/keyring"
 	"github.com/mitchellh/cli"
 	"github.com/pkg/errors"
 	"github.com/posener/complete"
-	zkeyring "github.com/zalando/go-keyring"
 )
 
 const (
@@ -126,7 +120,7 @@ func MakeShutdownCh() chan struct{} {
 // Client returns the HTTP API client. The client is cached on the command to
 // save performance on future calls.
 func (c *Command) Client(opt ...Option) (*api.Client, error) {
-	// Read the test client if present
+	// Read the cached client if present
 	if c.client != nil {
 		return c.client, nil
 	}
@@ -242,143 +236,6 @@ func (c *Command) Client(opt ...Option) (*api.Client, error) {
 	return c.client, nil
 }
 
-func (c *Command) DiscoverKeyringTokenInfo() (string, string, error) {
-	tokenName := "default"
-
-	if c.FlagTokenName != "" {
-		tokenName = c.FlagTokenName
-	}
-
-	if tokenName == "none" {
-		c.UI.Warn(`"-token-name=none" is deprecated, please use "-keyring-type=none"`)
-		c.FlagKeyringType = "none"
-	}
-
-	if c.FlagKeyringType == "none" {
-		return "", "", nil
-	}
-
-	// Set so we can look it up later when printing out curl strings
-	os.Setenv(EnvTokenName, tokenName)
-
-	var foundKeyringType bool
-	keyringType := c.FlagKeyringType
-	switch runtime.GOOS {
-	case "windows":
-		switch keyringType {
-		case "auto", "wincred", "pass":
-			foundKeyringType = true
-			if keyringType == "auto" {
-				keyringType = "wincred"
-			}
-		}
-	case "darwin":
-		switch keyringType {
-		case "auto", "keychain", "pass":
-			foundKeyringType = true
-			if keyringType == "auto" {
-				keyringType = "keychain"
-			}
-		}
-	default:
-		switch keyringType {
-		case "auto", "secret-service", "pass":
-			foundKeyringType = true
-			if keyringType == "auto" {
-				keyringType = "pass"
-			}
-		}
-	}
-
-	if !foundKeyringType {
-		return "", "", fmt.Errorf("Given keyring type %q is not valid, or not valid for this platform", c.FlagKeyringType)
-	}
-
-	var available bool
-	switch keyringType {
-	case "wincred", "keychain":
-		available = true
-	case "pass", "secret-service":
-		avail := nkeyring.AvailableBackends()
-		for _, a := range avail {
-			if keyringType == string(a) {
-				available = true
-			}
-		}
-	}
-
-	if !available {
-		return "", "", fmt.Errorf("Keyring type %q is not available on this machine. For help with setting up keyrings, see https://www.boundaryproject.io/docs/api-clients/cli.", keyringType)
-	}
-
-	os.Setenv(EnvKeyringType, keyringType)
-
-	return keyringType, tokenName, nil
-}
-
-func (c *Command) ReadTokenFromKeyring(keyringType, tokenName string) *authtokens.AuthToken {
-	var token string
-	var err error
-
-	switch keyringType {
-	case "none":
-		return nil
-
-	case "wincred", "keychain":
-		token, err = zkeyring.Get(StoredTokenName, tokenName)
-		if err != nil {
-			if err == zkeyring.ErrNotFound {
-				c.UI.Error("No saved credential found, continuing without")
-			} else {
-				c.UI.Error(fmt.Sprintf("Error reading auth token from keyring: %s", err))
-				c.UI.Warn("Token must be provided via BOUNDARY_TOKEN env var or -token flag. Reading the token can also be disabled via -keyring-type=none.")
-			}
-			token = ""
-		}
-
-	default:
-		krConfig := nkeyring.Config{
-			LibSecretCollectionName: "login",
-			PassPrefix:              "HashiCorp_Boundary",
-			AllowedBackends:         []nkeyring.BackendType{nkeyring.BackendType(keyringType)},
-		}
-
-		kr, err := nkeyring.Open(krConfig)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error opening keyring: %s", err))
-			c.UI.Warn("Token must be provided via BOUNDARY_TOKEN env var or -token flag. Reading the token can also be disabled via -keyring-type=none.")
-			break
-		}
-
-		item, err := kr.Get(tokenName)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error fetching token from keyring: %s", err))
-			c.UI.Warn("Token must be provided via BOUNDARY_TOKEN env var or -token flag. Reading the token can also be disabled via -keyring-type=none.")
-			break
-		}
-
-		token = string(item.Data)
-	}
-
-	if token != "" {
-		tokenBytes, err := base64.RawStdEncoding.DecodeString(token)
-		switch {
-		case err != nil:
-			c.UI.Error(fmt.Errorf("Error base64-unmarshaling stored token from system credential store: %w", err).Error())
-		case len(tokenBytes) == 0:
-			c.UI.Error("Zero length token after decoding stored token from system credential store")
-		default:
-			var authToken authtokens.AuthToken
-			if err := json.Unmarshal(tokenBytes, &authToken); err != nil {
-				c.UI.Error(fmt.Sprintf("Error unmarshaling stored token information after reading from system credential store: %s", err))
-			} else {
-				return &authToken
-			}
-		}
-	}
-	return nil
-}
-
 type FlagSetBit uint
 
 const (

internal/cmd/base/initial_resources.go

@@ -62,6 +62,7 @@ func (b *Server) CreateInitialLoginRole(ctx context.Context) (*iam.Role, error)
 		"id=*;type=scope;actions=list,no-op",
 		"id=*;type=auth-method;actions=authenticate,list",
 		"id={{account.id}};actions=read,change-password",
+		"id=*;type=auth-token;actions=list,read:self,delete:self",
 	}); err != nil {
 		return nil, fmt.Errorf("error creating grant for default generated grants: %w", err)
 	}
@@ -517,7 +518,8 @@ func (b *Server) CreateInitialTarget(ctx context.Context) (target.Target, error)
 	b.Info["generated target id"] = b.DevTargetId
 
 	// If we have an unprivileged dev user, add user to the role that grants
-	// list/read:self/cancel:self, and an authorize-session role
+	// list/read:self/cancel:self on sessions, read:self/delete:self/list on
+	// tokens, and an authorize-session role
 	if b.DevUnprivilegedUserId != "" {
 		iamRepo, err := iam.NewRepository(rw, rw, kmsCache, iam.WithRandomReader(b.SecureRandomReader))
 		if err != nil {