CLI: add an option for renew command fail on non-fullfillable request…

… to allow command chaining Signed-off-by: saiaunghlyanhtet <[email protected]>
hashicorp · Jan 1, 2025 · 06a493c · 06a493c
1 parent fd00bbf
commit 06a493c
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 2 deletions.
diff --git a/changelog/29060.txt b/changelog/29060.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+CLI: adds an optional flag (--fail-if-not-fullfilled) to the renew command, which lets the renew command fail on unfulfillable requests and allows command chaining to allow further executions.
+```
diff --git a/command/token_renew.go b/command/token_renew.go
@@ -21,8 +21,9 @@ var (
 type TokenRenewCommand struct {
 	*BaseCommand
 
-	flagAccessor  bool
-	flagIncrement time.Duration
+	flagAccessor           bool
+	flagIncrement          time.Duration
+	flagFailIfNotFulfilled bool
 }
 
 func (c *TokenRenewCommand) Synopsis() string {
@@ -86,6 +87,15 @@ func (c *TokenRenewCommand) Flags() *FlagSets {
 			"numeric string with suffix like \"30s\" or \"5m\".",
 	})
 
+	f.BoolVar(&BoolVar{
+		Name:       "fail-if-not-fulfilled",
+		Target:     &c.flagFailIfNotFulfilled,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage:      "Fail if the requested TTL increment cannot be fully fulfilled.",
+	})
+
 	return set
 }
 
@@ -140,5 +150,10 @@ func (c *TokenRenewCommand) Run(args []string) int {
 		return 2
 	}
 
+	if c.flagFailIfNotFulfilled && secret.LeaseDuration < int(increment.Seconds()) {
+		c.UI.Info("Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled")
+		return 1
+	}
+
 	return OutputSecret(c.UI, secret)
 }
diff --git a/command/token_renew_test.go b/command/token_renew_test.go
@@ -31,30 +31,42 @@ func TestTokenRenewCommand_Run(t *testing.T) {
 		args []string
 		out  string
 		code int
+		fail bool
 	}{
 		{
 			"too_many_args",
 			[]string{"foo", "bar", "baz"},
 			"Too many arguments",
 			1,
+			false,
 		},
 		{
 			"default",
 			nil,
 			"",
 			0,
+			false,
 		},
 		{
 			"increment",
 			[]string{"-increment", "60s"},
 			"",
 			0,
+			false,
 		},
 		{
 			"increment_no_suffix",
 			[]string{"-increment", "60"},
 			"",
 			0,
+			false,
+		},
+		{
+			"fail_if_not_fulfilled",
+			[]string{"-increment", "30m", "--fail-if-not-fulfilled"},
+			"Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled",
+			1,
+			true,
 		},
 	}
 
@@ -77,6 +89,10 @@ func TestTokenRenewCommand_Run(t *testing.T) {
 				ui, cmd := testTokenRenewCommand(t)
 				cmd.client = client
 
+				if tc.fail {
+					client.Auth().Token().Renew(token, 1)
+				}
+
 				code := cmd.Run(tc.args)
 				if code != tc.code {
 					t.Errorf("expected %d to be %d", code, tc.code)

diff --git a/website/content/docs/commands/token/renew.mdx b/website/content/docs/commands/token/renew.mdx
@@ -36,6 +36,12 @@ Renew a token requesting a specific increment value:
 $ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
 ```
 
+Allow command chaining after renew command fail:
+
+```shell-session
+$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017 --fail-if-not-fulfilled | vault login
+```
+
 ## Usage
 
 The following flags are available in addition to the [standard set of
@@ -53,3 +59,7 @@ flags](/vault/docs/commands) included on all commands.
   Vault will not honor this request for periodic tokens. If not supplied, Vault will use
   the default TTL. This is specified as a numeric string with suffix like "30s"
   or "5m". This is aliased as "-i".
+
+- `--fail-if-not-fulfilled` - Allow command chaining after renew request fail.
+Vault will allow token renewal request completion with capped duration even if renew request fails.
+And Vault will also allow command chaining after renew command.