Add htgettoken --novaulttoken and htdestroytoken -f

htdestroytoken

@@ -1,21 +1,67 @@
 #!/bin/bash
 
-VERBOSE=true
-if [ "$1" = "-q" ]; then
-    VERBOSE=false
-    shift
-fi
+ME=htdestroytoken
 
-if [ $# != 0 ]; then
-    echo "Usage: htdestroytoken [-q]" >&2
-    echo "Removes bearer and vault tokens" >&2
-    echo "-q means to do it silently" >&2
+usage()
+{
+    echo "Usage: $ME [-h] [-q] [-f [htgettoken options]]"
+    echo "Removes bearer and vault tokens if present"
+    echo "  -h prints this help message and exits"
+    echo "  -q do removals silently"
+    echo "  -f first force removal of refresh token from vault, if vault token is valid."
+    echo "     Runs htgettoken to find the vault path so requires sufficient htgettoken"
+    echo "     options on command line or in \$HTGETTOKENOPTS."
+    echo "The location of the bearer token can be set by \$BEARER_TOKEN_FILE"
+    echo "  and the location of the vault token can be set by \$VAULT_TOKEN_FILE."
     exit 2
-fi
+} >&2
+
+VERBOSE=true
+RMREFRESH=false
+HTGETOPTS=""
+for ARG; do
+    case $ARG in
+        -h) usage;;
+        -q) VERBOSE=false; HTGETOPTS="$HTGETOPTS -q";;
+        -f) RMREFRESH=true;;
+        *)  if $RMREFRESH; then
+                HTGETOPTS="$HTGETOPTS $ARG"
+            else
+                usage
+            fi;;
+    esac
+done
 
 # UID is a standard bash variable
+VTFILE="/tmp/vt_u$UID"
+if [ -n "$VAULT_TOKEN_FILE" ]; then
+    VTFILE="$VAULT_TOKEN_FILE"
+    HTGETOPTS="$HTGETOPTS --vaulttokenfile=$VTFILE"
+fi
+if $RMREFRESH && [ -f "$VTFILE" ]; then
+    if ( [ -z "$HTGETOPTS" ] || [ "$HTGETOPTS" = "-q" ] ) \
+                && [ -z "$HTGETTOKENOPTS" ]; then
+        echo "$ME: no htgettoken options were given" >&2
+        usage
+    fi
+    BEARERURL="$(htgettoken $HTGETOPTS --novaulttoken --nobearertoken --showbearerurl)"
+    if [ -z "$BEARERURL" ]; then
+        echo "$ME: Unable to obtain vault URL to remove refresh token" >&2
+        exit 3
+    fi
+    if $VERBOSE; then
+        echo "Deleting refresh token"
+        echo "  at path $BEARERURL"
+    fi
+    # be careful to not let the vault token show up in a ps list; send to stdin
+    if ! (echo -n "X-Vault-Token: ";cat $VTFILE) | \
+                curl -q -f -m 5 -H @- -X DELETE "$BEARERURL"; then
+        echo "$ME: Unable to delete refresh token" >&2
+        exit 3
+    fi
+fi
 TOKENFILE="${BEARER_TOKEN_FILE:-${XDG_RUNTIME_DIR:-/tmp}/bt_u$UID}"
-for FILE in $TOKENFILE /tmp/vt_u$UID*; do
+for FILE in $TOKENFILE ${VTFILE}; do
     if [ -f "$FILE" ]; then
         if $VERBOSE; then
             echo "Removing $FILE"

htdestroytoken.1

@@ -4,29 +4,53 @@ htdestroytoken \- remove bearer and vault tokens
 
 .SH SYNOPSIS
 .B htdestroytoken
-[-q]
-
+[-h] [-q] [-f [htgettoken options]]"
 .SH DESCRIPTION
 .B htdestroytoken
-removes a bearer token found by WLCG Bearer Token Discovery and also
-removes a vault token found in the default location used by 
-.BR htgettoken.
-
-Note that the vault server additionally caches bearer tokens, so the
-next time that
+by default removes a bearer token found by WLCG Bearer Token Discovery and
+also removes a vault token found either by the environment variable
+$VAULT_TOKEN_FILE or in the default location used by 
+.BR htgettoken .
+.PP
+Note that the vault server additionally caches refresh tokens and bearer
+tokens, so this alone does not completely clear them.  The
+.I -f
+option (described below) can remove the refresh token to force a new
+oidc authentication.
+If that is not used and
+.B htgettoken
+is subsequently run and gets a new vault token with one of the non-oidc
+authentication methods, it is possible that the same bearer token might
+be returned from the vault cache unless a new one is forced to be
+retrieved with an
 .B htgettoken
-is run the same bearer token might be returned unless a new one is 
-forced to be retrieved with either oidc authentication or with an
-htgettoken
 .I \-\-minsecs
 option.
 
 .SH OPTIONS
 The following options are recognized:
 .PP
 .TP
-.BR \-q
-Do removals silently
+.B \-h
+Show help message.
+.TP
+.B \-q
+Do removals silently.
+.TP
+.B \-f [htgettoken options]
+Force a removal of the refresh token in vault before removal of the
+vault token, if the vault token is valid.  This runs
+.B htgettoken
+to locate the path in vault to remove, so sufficient options to locate
+that path such as
+.IR \-a ,
+.I \-i
+and possibly
+.I \-r
+need to either be passed on the rest of the command line or in the
+$HTGETTOKENOPTS environment variable.
+If this option is given and the removal of the refresh token fails,
+the command will exit and not remove the vault or bearer tokens.
 
 .SH AUTHOR
 Dave Dykstra

htgettoken.1

@@ -94,7 +94,7 @@ The name of the issuer role, as configured in the vault server.  The
 default role name is "default".  Different roles for the same issuer
 map to different token scopes as configured in vault.
 .TP
-.BR \ \-\-nokerberos
+.BR \-\-nokerberos
 Do not attempt to use kerberos authentication.
 .TP
 .BR \-\-kerbpath=vaultpath
@@ -115,7 +115,7 @@ command and the "-l" option of the
 .B klist
 command for more information.
 .TP
-.BR \ \-\-nooidc
+.BR \-\-nooidc
 Do not attempt to do OIDC authentication.
 .TP
 .BR \-\-oidcpath=vaultpath
@@ -129,7 +129,7 @@ where %issuer is the value from the
 option.
 .RE
 .TP
-.BR \ \-\-nossh
+.BR \-\-nossh
 Do not attempt to do ssh-agent authentication.
 .TP
 .BR \-\-sshpath=vaultpath
@@ -140,7 +140,7 @@ auth/ssh
 .RE
 .RE
 .TP
-.BR \ \-\-registerssh
+.BR \-\-registerssh
 Register all public keys available from
 .B ssh-agent
 with vault for future use.  This forces OIDC authentication even if a
@@ -149,6 +149,12 @@ then registers the public keys before storing the vault token and access
 token.  Must be allowed in the configuration of the vault server in
 order to work.
 .TP
+.BR \-\-novaulttoken
+Disable all authentication methods that get vault tokens.
+Currently this equivalent to
+.IR \-\-nooidc\ \-\-nokerberos\ \-\-nossh .
+.BR 
+.TP
 .BR \-c\ path , \ \-\-configdir=path
 The path to a directory to save
 .B htgettoken
@@ -238,7 +244,7 @@ Skip getting a bearer token.  Always gets a vault token except in
 combination with 
 .BR \-\-showbearerurl .
 .TP
-.BR \-o\ path , \ \-\-out=path
+.BR \-o\ path , \ \-\-outfile=path
 The path of the file used to store the bearer token on the local
 machine.  The default is $BEARER_TOKEN_FILE.  If that is not set
 but $XDG_RUNTIME_DIR is set, then the default is

htgettoken.spec

@@ -74,8 +74,12 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+# - Add htdestroytoken -f option to force a removal of a refresh token in
+#   vault.
+# - Add htgettoken --novaulttoken option as an alias for --noiodc, --nossh,
+#   and --nokerberos.
 # - Again fix --showbearerurl to work in combination with --nobearertoken.
-#   That was fixed in 1.17 but broken in 1.21 and 2.0.
+#   That was fixed in 1.17 but broke in 1.21 and 2.0.
 
 * Fri Jun 20 2025 Dave Dykstra <dwd@fnal.gov> 2.4-1
 - Add the new -s and -f options to the htdecodetoken usage summary.