Add ability to disable an entity

helper/identity/types.proto

@@ -110,6 +110,10 @@ message Entity {
 	// MFASecrets holds the MFA secrets indexed by the identifier of the MFA
 	// method configuration.
 	//map<string, mfa.Secret> mfa_secrets = 10;
+
+	// Disabled indicates whether tokens associated with the account should not
+	// be able to be used
+	bool disabled = 11;
 }
 
 // Alias represents the alias that gets stored inside of the

logical/request.go

@@ -273,6 +273,10 @@ var (
 	// ErrPermissionDenied is returned if the client is not authorized
 	ErrPermissionDenied = errors.New("permission denied")
 
+	// ErrDisabledEntity is returned if the entity tied to a token is marked as
+	// disabled
+	ErrEntityDisabled = errors.New("entity associated with token is disabled")
+
 	// ErrMultiAuthzPending is returned if the the request needs more
 	// authorizations
 	ErrMultiAuthzPending = errors.New("request needs further approval")

vault/core.go

@@ -802,6 +802,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
 		}
 	}
 
+	if entity != nil && entity.Disabled {
+		return nil, te, logical.ErrEntityDisabled
+	}
+
 	// Check if this is a root protected path
 	rootPath := c.router.RootPath(req.Path)
 
@@ -1319,6 +1323,13 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 		return retErr
 	}
 
+	if c.standby {
+		c.logger.Error("vault cannot seal when in standby mode; please restart instead")
+		retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead"))
+		c.stateLock.RUnlock()
+		return retErr
+	}
+
 	// Validate the token is a root token
 	acl, te, entity, err := c.fetchACLTokenEntryAndEntity(req.ClientToken)
 	if err != nil {
@@ -1327,12 +1338,6 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 		// for validation and the operation should be performed. But for now,
 		// just returning with an error and recommending a vault restart, which
 		// essentially does the same thing.
-		if c.standby {
-			c.logger.Error("vault cannot seal when in standby mode; please restart instead")
-			retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead"))
-			c.stateLock.RUnlock()
-			return retErr
-		}
 		retErr = multierror.Append(retErr, err)
 		c.stateLock.RUnlock()
 		return retErr
@@ -1358,6 +1363,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 		return retErr
 	}
 
+	if entity != nil && entity.Disabled {
+		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
+		c.stateLock.RUnlock()
+		return retErr
+	}
+
 	// Attempt to use the token (decrement num_uses)
 	// On error bail out; if the token has been revoked, bail out too
 	if te != nil {
@@ -1466,6 +1477,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
 		return retErr
 	}
 
+	if entity != nil && entity.Disabled {
+		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
+		c.stateLock.RUnlock()
+		return retErr
+	}
+
 	// Attempt to use the token (decrement num_uses)
 	if te != nil {
 		te, err = c.tokenStore.UseToken(ctx, te)

vault/identity_store_entities.go

@@ -45,6 +45,10 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 					Type:        framework.TypeCommaStringSlice,
 					Description: "Policies to be tied to the entity.",
 				},
+				"disabled": {
+					Type:        framework.TypeBool,
+					Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
+				},
 			},
 			Callbacks: map[logical.Operation]framework.OperationFunc{
 				logical.UpdateOperation: i.pathEntityRegister(),
@@ -76,6 +80,10 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 					Type:        framework.TypeCommaStringSlice,
 					Description: "Policies to be tied to the entity.",
 				},
+				"disabled": {
+					Type:        framework.TypeBool,
+					Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
+				},
 			},
 			Callbacks: map[logical.Operation]framework.OperationFunc{
 				logical.UpdateOperation: i.pathEntityIDUpdate(),
@@ -354,6 +362,11 @@ func (i *IdentityStore) handleEntityUpdateCommon(req *logical.Request, d *framew
 		entity.Policies = entityPoliciesRaw.([]string)
 	}
 
+	disabledRaw, ok := d.GetOk("disabled")
+	if ok {
+		entity.Disabled = disabledRaw.(bool)
+	}
+
 	// Get the name
 	entityName := d.Get("name").(string)
 	if entityName != "" {
@@ -434,6 +447,7 @@ func (i *IdentityStore) handleEntityReadCommon(entity *identity.Entity) (*logica
 	respData["metadata"] = entity.Metadata
 	respData["merged_entity_ids"] = entity.MergedEntityIDs
 	respData["policies"] = entity.Policies
+	respData["disabled"] = entity.Disabled
 
 	// Convert protobuf timestamp into RFC3339 format
 	respData["creation_time"] = ptypes.TimestampString(entity.CreationTime)